OAuth4 (and OAuth4R)

From choonkeat, 9 months ago


Slideshow transcript

Slide 1: OAuth. Presentation to Singapore Ruby Brigade at SMU, School of Information Systems, 29 November 2007. Chew Choon Keat, sharedcopy.com (photo: http://flickr.com/photos/lachlanhardy/1400641336/)

Slide 2: Why OAuth • Web 2.0 • APIs • Mashups

Slide 3: Giving away access • Mint “an impressive personal finance application”

Slide 4: • Mint Terms of Service

Slide 5: http://flickr.com/photos/brianoberkirch/1092087510/

Slide 6: Giving away access • "Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay." - oauth.net

Slide 7: Alternatives: Hidden Public • Random URLs • Security by obscurity

Slide 8: Alternatives: Proprietary • Google AuthSub • AOL OpenAuth • Yahoo BBAuth • Upcoming API • Flickr API • Amazon Web Services API

Slide 9: What is OAuth • “An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.”

Slide 10: OAuth Flow • Registration (server to server) • Request Token • Authorization • Access Token http://flickr.com/photos/petromyzon/26252991/

Slide 11: End User http://flickr.com/photos/andreasnilsson1976/433173596/

Slide 12: Protected Resource http://flickr.com/photos/annettepedrosian/2071523294/

Slide 13: Service Provider http://flickr.com/photos/spectrasensors/322545693/

Slide 14: Consumer http://flickr.com/photos/infidelic/147930477/

Slide 15: Tokens http://flickr.com/photos/kt/364996966/

Slide 16: The four parties in the flow: Protected Resources, Consumer, Service Provider, End User (the same diagram is reused on slides 17-34; only the captions change)

Slide 17: Consumer Registration. Caption: "Let's work together, here are my details" http://flickr.com/photos/marcroberts/1484118790/

Slide 18: Consumer Registration (diagram only)

Slide 19: Consumer Registration. Caption: "These are our secrets. Use them every time you talk to me" http://flickr.com/photos/9458565@N07/760773574/

Slide 20: Consumer Registration (diagram only)

Slide 21: Use Case. Caption: "Print my pictures from SP"

Slide 22: Get Request Tokens. Caption: "I have someone who needs you"

Slide 23: Get Request Tokens. Caption: "Pass this to him, and bring him to me" http://flickr.com/photos/9458565@N07/760773574/

Slide 24: Get Authorization. Caption: "Go there. Bring this along"

Slide 25: Get Authorization. Caption: "Hi, remember me?"

Slide 26: Get Authorization. Caption: "Silver coin! You need Consumer to do things for you?"

Slide 27: Get Authorization. Caption: "Yes"

Slide 28: Get Authorization. Caption: "Your wish is my command. Return there"

Slide 29: Get Access Token. Caption: "It's done!"

Slide 30: Get Access Token. Caption: "He said ok? Gimme the keys"

Slide 31: Get Access Token. Caption: "Ignore that silly silver coin... Use this from now on and I will always treat you as him" http://flickr.com/photos/azuric/150520121/

Slide 32: Get Access Token (diagram only)

Slide 33: Use Access Token. Caption: "Gimme MY pictures"

Slide 34: Using Access Token (diagram only)

Slide 35: Using Access Token • Whenever the Consumer calls the SP's API, e.g. GET /photos.xml • it sends the consumer key and the access token in the clear • and signs the request with the consumer secret & the access token secret • the Service Provider verifies the signature • and treats the request as coming from the End User

Slide 36: Using Access Token • User at Service Provider website can choose to invalidate the access for Consumer at any time
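The dance on slides 10 through 36, as an added example that is not part of the original deck or of OAuth4R: both sides run in one Ruby process, with the Consumer's three signed calls, the End User's approval in between, a signed API call, the Service Provider's nonce, timestamp and signature checks, and the revocation from slide 36. It implements the HMAC-SHA1 signing slide 35 describes (consumer key and token sent in the clear, signature keyed on consumer secret & token secret) and also the oauth_verifier of the later OAuth 1.0a revision, which closed a session fixation issue and is not in the 2007 flow shown on the slides. The endpoint prefix http://sp.example/oauth, the consumer "PrintShop", the user "alice" and her photos are constructed for the example; callback handling and HTTP transport are left out.

```ruby
require 'openssl'
require 'securerandom'

# OAuth 1.0a HMAC-SHA1 signing, as used by both the Consumer and the Service Provider.
module OAuthSig
  UNRESERVED = [*'a'..'z', *'A'..'Z', *'0'..'9', '-', '.', '_', '~'].map(&:ord)
  def self.esc(s) # RFC 3986 percent-encoding with exactly the unreserved set OAuth mandates
    s.to_s.bytes.map { |b| UNRESERVED.include?(b) ? b.chr : format('%%%02X', b) }.join
  end
  # Base string: METHOD & esc(url) & esc(sorted "k=v" pairs, oauth_signature excluded).
  def self.base_string(method, url, params)
    pairs = params.reject { |k, _| k == 'oauth_signature' }.map { |k, v| [esc(k), esc(v)] }
    [method.upcase, esc(url), esc(pairs.sort.map { |k, v| "#{k}=#{v}" }.join('&'))].join('&')
  end
  # Key = esc(consumer_secret)&esc(token_secret): '' for the request token call, then the
  # request token secret, then the access token secret for every API call after that.
  def self.sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{esc(consumer_secret)}&#{esc(token_secret)}"
    [OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))].pack('m0')
  end
  def self.secure_eq(a, b) # constant-time compare, so a signature check cannot be probed
    a.to_s.bytesize == b.to_s.bytesize && a.to_s.bytes.zip(b.to_s.bytes).sum { |x, y| x ^ y }.zero?
  end
  # Consumer side: the oauth_* parameter set for one request, signed and ready to send.
  def self.consumer_params(key, secret, method, url, token = nil, token_secret = '', extra = {})
    p = { 'oauth_consumer_key' => key, 'oauth_nonce' => SecureRandom.hex(8), 'oauth_version' => '1.0',
          'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => Time.now.to_i.to_s }.merge(extra)
    p['oauth_token'] = token if token
    p.merge('oauth_signature' => sign(method, url, p, secret, token_secret))
  end
end

# Service Provider: registers consumers, issues tokens, guards the protected resource.
class ServiceProvider
  BASE = 'http://sp.example/oauth' # hypothetical endpoint prefix
  def initialize
    @consumers, @request_tokens, @access_tokens, @nonces = {}, {}, {}, {}
    @photos = { 'alice' => ['beach.jpg', 'cat.jpg'] } # constructed protected resources
  end
  def register_consumer(name) # slides 17-20: out of band, returns the shared secrets
    key, secret = SecureRandom.hex(8), SecureRandom.hex(16)
    @consumers[key] = { name: name, secret: secret }
    [key, secret]
  end
  # Every signed call: known consumer, fresh timestamp, unused nonce, valid HMAC.
  def verify!(method, url, params, token_secret)
    consumer = @consumers[params['oauth_consumer_key']] or raise 'unknown consumer'
    raise 'stale timestamp' if (Time.now.to_i - params['oauth_timestamp'].to_i).abs > 300
    nonce_key = [params['oauth_consumer_key'], params['oauth_nonce']]
    raise 'nonce replayed' if @nonces[nonce_key]
    expected = OAuthSig.sign(method, url, params, consumer[:secret], token_secret)
    raise 'bad signature' unless OAuthSig.secure_eq(expected, params['oauth_signature'])
    @nonces[nonce_key] = true
  end
  def request_token(params) # slides 22-23: signed with the consumer secret alone
    verify!('POST', "#{BASE}/request_token", params, '')
    tok, sec = SecureRandom.hex(8), SecureRandom.hex(16)
    @request_tokens[tok] = { secret: sec, consumer: params['oauth_consumer_key'], user: nil }
    [tok, sec]
  end
  # Slides 24-28: the logged-in End User approves the request token. The verifier is the
  # OAuth 1.0a addition the Consumer must hand back when it trades the request token in.
  def authorize(token, user)
    rt = @request_tokens[token] or raise 'unknown request token'
    rt[:user] = user
    rt[:verifier] = SecureRandom.hex(4)
  end
  def access_token(params) # slides 29-32: signed with consumer secret & request token secret
    rt = @request_tokens[params['oauth_token']] or raise 'unknown request token'
    verify!('POST', "#{BASE}/access_token", params, rt[:secret])
    raise 'not authorized' unless rt[:user] && OAuthSig.secure_eq(rt[:verifier], params['oauth_verifier'])
    @request_tokens.delete(params['oauth_token']) # request tokens are single use
    tok, sec = SecureRandom.hex(8), SecureRandom.hex(16)
    @access_tokens[tok] = { secret: sec, consumer: rt[:consumer], user: rt[:user] }
    [tok, sec]
  end
  def photos_api(params) # slides 33-35: a valid signature means "act as the bound End User"
    at = @access_tokens[params['oauth_token']] or raise 'unknown or revoked token'
    raise 'token issued to another consumer' unless at[:consumer] == params['oauth_consumer_key']
    verify!('GET', "#{BASE}/photos", params, at[:secret])
    @photos[at[:user]]
  end
  def revoke(token); @access_tokens.delete(token); end # slide 36: the user pulls the plug
end

# The whole dance for "alice" (slides 21-36): three signed calls, her approval, an API call, then revocation.
def run_demo
  sp = ServiceProvider.new
  key, secret = sp.register_consumer('PrintShop')
  base = ServiceProvider::BASE
  rt, rts = sp.request_token(OAuthSig.consumer_params(key, secret, 'POST', "#{base}/request_token"))
  verifier = sp.authorize(rt, 'alice') # the End User, sent to the SP, logs in and clicks "Yes"
  at, ats = sp.access_token(OAuthSig.consumer_params(key, secret, 'POST', "#{base}/access_token",
                                                     rt, rts, 'oauth_verifier' => verifier))
  photos = sp.photos_api(OAuthSig.consumer_params(key, secret, 'GET', "#{base}/photos", at, ats))
  sp.revoke(at)
  again = OAuthSig.consumer_params(key, secret, 'GET', "#{base}/photos", at, ats)
  [photos, (sp.photos_api(again) rescue $!.message)]
end
```

Calling run_demo returns the photo list from the first API call and the refusal message from the call made after revocation. Two details matter in practice: the nonce is recorded only after the signature verifies, so a forged request cannot burn nonces for a legitimate consumer, and the signature comparison is constant-time, because a plain string == on the Base64 signature would leak how many leading bytes matched.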

Slides 37-44: Desktop Flow (a sequence of screenshots; source: http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/)

Slide 45: Introducing OAuth4R • Forget the protocol, just fill in the blanks • Provides code generators that let a Rails website support OAuth easily • Generated scaffolds do the OAuth dance out of the box • Developers only need to link the tokens to their own Users

Slide 46: OAuth4R
svn checkout http://oauth4r.googlecode.com/svn/trunk/example_apps
• "Provider" site contains users and users' contacts
• "Consumer" site contains only users

Slide 47: OAuth4R: Provider
cd example_apps/oauth_provider
rake db:create:all
rake db:migrate
./script/server -p 5001
• Users controller at http://localhost:5001/users, with a primitive login implemented
• Users' Addressbook controller at http://localhost:5001/contacts, with primitive permissions based on the user's login

Slide 48: OAuth4R: Consumer
cd ../oauth_consumer/
rake db:create:all
rake db:migrate
./script/server -p 5000
• Users controller at http://localhost:5000/users, with an even more primitive login implementation
• For this demo, create a new user, "Tommy"

Slide 49: OAuth4R: Provider
cd ../oauth_provider/
./script/generate oauth_provider GetContact
rake db:migrate
patch -p0 < TODO.patch
./script/server -p 5001
• Generates a "scaffold controller"
• The controller does the OAuth dance
• Modify it to link up with your own user models

Slide 50: • Modifying generated OAuth controller • oauth_user = User.find(session..)

Slide 51: • Modify your User model to has_many oauth_user • Modify controller guarding Protected Resources to requires_oauth

Slide 52: OAuth4R: Consumer
cd ../oauth_consumer/
./script/generate oauth_consumer UseGetContact
rake db:migrate
patch -p0 < TODO1.patch
./script/server -p 5000
• Generates a "scaffold controller"
• The controller can do the OAuth dance with one service provider
• Modify it to link up with your User models

Slide 53: • Modify generated OAuth controller • oauth_user = User.find(session..)

Slide 54: • Modify user to has_many oauth_user • Add a link to kick-start OAuth authorization link_to .. new_use_get_contact_path

Slide 55: Registering Consumer • Go to http://localhost:5000/use_get_contacts • Copy “Callback URL”

Slide 56: Registering Consumer • http://localhost:5001/get_contacts/new • Paste “Callback URL” & click Register • Update config/use_get_contacts.oauth.yml

Slide 57: User Authorization • Go to http://localhost:5000/users • Click on "Tommy > Show" to log in • Click on "Establish OAuth..."

Slide 58: User Authorization • Click “Create” and you’ll arrive at provider site (http://localhost:5001) to Login • Authorization prompt will appear • Click “Yes” & you’ll be redirected back to consumer site (http://localhost:5000)

Slide 59: All done, then what? • Scripts accessing APIs on behalf of End User • This demo uses a simple ActiveResource

Slide 60: All done, then what?
$ ruby script/fetch_contacts.rb
/example_apps/oauth_consumer/vendor/rails/activeresource/lib/active_resource/connection.rb:124:in `handle_response': Failed with 500 Internal Server Error (ActiveResource::ServerError)
• OAuth blocks our unauthenticated access
• We need to modify our API callers slightly: patch -p0 < TODO2.patch

Slide 61: Modify ActiveResource • Add acts_as_oauth_resource • The underlying HTTP connection then carries the OAuth credentials automatically

Slide 62: Backend API Access? • Wrap ActiveResource activity inside with_oauth code blocks

Slide 63: Done
$ ruby script/fetch_contacts.rb
---
- !ruby/object:Contact
  attributes:
    name: Dick
    updated_at: 2007-11-29 08:11:35 Z
    id: 1
    user_id: 1
    created_at: 2007-11-29 08:11:35 Z
  prefix_options: &id001 {}
- !ruby/object:Contact
  attributes:
    name: Harry
    updated_at: 2007-11-29 08:11:35 Z
    id: 2
    user_id: 1
    created_at: 2007-11-29 08:11:35 Z
  prefix_options: *id001

Slide 64: Ruby Links
• OAuth4R http://oauth4r.googlecode.com/
• OAuth Rails Plugin http://oauth-plugin.googlecode.com/ and http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider
• OAuth Gem: sudo gem install oauth
• OAuth (was Twitter) http://oauth.googlecode.com/svn/code/ruby/
• Google Group: oauth-ruby http://groups.google.com/group/oauth-ruby

Slide 65: Thank you!