OAuth: demystified (hopefully)

OAuth: demystified (hopefully)Matt Gifford aka coldfumonkehhttp://www.mattgifford.co.uk

Matt Gifford aka coldfumonkeh

Matt Gifford aka coldfumonkehColdFusion / RIA

Matt Gifford aka coldfumonkehColdFusion / RIAAuthor

Matt Gifford aka coldfumonkehColdFusion / RIAAuthorCoffee Lover

Matt Giffordaka coldfumonkehColdFusion / RIAAuthorCoffee Loverblog atmattgifford.co.uk

Matt Gifford aka coldfumonkehColdFusion / RIAAuthorCoffee Loverblog atmattgifford.co.uktweet @coldfumonkeh

Matt Gifford aka coldfumonkehColdFusion / RIAAuthorCoffee Loverblog atmattgifford.co.uktweet @coldfumonkehwork at Fuzzy Orange

Why Are We Here? Very good question..

Access and Privacy

Have You Ever... dealt with user authentication?

Have You Ever... shared data through an external API?

Have You Ever... received spam emails asking for personal details?

Have You Ever... been spanked by an air stewardess holding a wet kipper whilst she called you ‘Betsie’?

As A Developer You...(should) want to keep your clients / users happy

As A Developer You... (should) aim to make integration, UX and UI as easy as possible for users

As A Developer You...(should) make sure that user’s data is secure and protected wherever possible

Privacy is Freedom

I need your clothes, bootsand your email address

The password anti-pattern

Access Via Email

Ruh-Roh, Shaggy...

Nothing To See Here

Comfortable With This?

Your Email = You

Privacy is Freedom

Ideally, we shouldn’t have to give these out orask for them...

Email addresses and passwords are valuable

So... how can we stop asking for this information?

So...how can we delegate access to obtain restricted information without bringing down a world of pain upon ourselves?

What is OAuth?

What is OAuth? A simple open standard for secure API authentication

Who Can Use It?Service Providers offering a web service or APIthat requires authentication to access restricteddata for a number of functions / methods

Who Can Use It?Consumers who wish to access that particularAPI or web service and wish to use astandardised method of authentication

Who HasImplemented OAuth?

Who HasImplemented OAuth? Twitter, Google, Meetup.com, Netflix, TripIt, Yahoo!, Evernote, Vimeo ... and many more

But What About...

Sharing a single Identity with numerous consumers

Sharing a single Share data Identity with without sharing numerous your identity consumers

Let’s Get Stuck In delegated authorisation using tokens

The Love Triangle End User Consumer Service Provider

As Easy As This

The OAuth ‘Dance’

The Dancers Fred - the end user Twitter - the Service Provider LinkedIn - the Consumer

The Steps consumer provider asks for a request token

The Steps consumer provider asks for a request token creates and returns a new request token

The Steps consumer provider asks for a request token creates and returns a new request token redirects user to provider with token in url

The Steps consumer provider asks for a request token creates and returns a new request token redirects user to provider with token in url user selects preferences and approves auth

The Steps consumer provider asks for a request token creates and returns a new request token redirects user to provider with token in url user selects preferences and approves authredirected back to consumer with request token

The Steps consumer provider asks for a request token creates and returns a new request token redirects user to provider with token in url user selects preferences and approves authredirected back to consumer with request token consumer wants to trade request token for access

The Steps consumer provider asks for a request token creates and returns a new request token redirects user to provider with token in url user selects preferences and approves authredirected back to consumer with request token consumer wants to trade request token for access provisional request token traded for access token

The Steps consumer provider asks for a request token creates and returns a new request token redirects user to provider with token in url user selects preferences and approves authredirected back to consumer with request token consumer wants to trade request token for access provisional request token consumer saves the traded for access token access token for the user

Breaking It Down Even More

1 - Show Intent “LinkedIn is pretty cool. I want people to read more from me... I want them to read my status updates from Twitter. Can you access my updates for me, please?” “I certainly can, but I need to ask Twitter for permission before I can continue. Hold on..”

2 - Request a Token “Hey Twitter, you overloaded piece of awesomeness. Please can I have a Request Token?” “LinkedIn, you corporate beast! Of course you can. Your Request Token is 9iKot2y5UQTDlS2V and your secret is 1Hv0pzNXMXdEfBd.”

3 - Authorize The Request “OK, Fred. Right, can you go to Twitter and authorize the Request Token 9iKot2y5UQTDlS2V, please? Once that’s done, I’ll be able to access your status updates.” “OK”

3 - Authorize The Request “Hey Twitter. I want to authorize the Request Token 9iKot2y5UQTDlS2V” “To confirm, you want to authorize LinkedIn to access your status updates. You’re happy with that?”

3 - Authorize The Request “That’s just what I wanted, yes.” “Sweet! Tell LinkedIn you authorized it with me.”

3 - Authorize The Request “Right.. Twitter knows I want you to do stuff for me. Everything’s set for you.” “Nice work, Fred. I’ll go and speak to Twitter now.”

4 - Exchange the Token “Please can I exchange Request Token 9iKot2y5UQTDlS2V for an Access Token?” “No worries. Your Access Token is 94S3sJVmuuxSPiZz and your Secret is 4Fc8bwdKNGSM0iNe.”

5 - Get Restricted Data “Awesome. Now I have those details, please can you give me the status updates that are owned by Access Token 94S3sJVmuuxSPiZz?” “Of course. Here you go...”

Quite Simple When YouPut It Like That I know, right?

LinkedIn didn’t need toknow Fred’s Twitteraccount details His identity was kept secret; it wasn’t important to access the data. What was important was his permission to proceed.

Even Simpler (kind of)

Even Simpler (kind of)1 - Obtain a Request Token

Even Simpler (kind of)1 - Obtain a Request Token2 - User authorizes the Request Token

Even Simpler (kind of)1 - Obtain a Request Token2 - User authorizes the Request Token3 - Exchange Request Token for Access token

Even Simpler (kind of)1 - Obtain a Request Token2 - User authorizes the Request Token3 - Exchange Request Token for Access token4 - Use Access Token to obtain the protected resources

What Does The UserExperience?

The OAuth ‘Dance’with different systems web applications desktop applications out of band applications

The Set Up where documentation is the best thing you can wish for

Registering a Consumer application

The Consumer the Consumer Key and Consumer Secret

The Tokens the Token Key and Token Secret

Let’s Get Stuck In making a request

An Example Requestyou need:HTTP MethodRequest URI (endpoint)oauth_callbackoauth_consumer_keyoauth_nonceoauth_signature_methodoauth_timestampoauth_version

Parametersoauth_*

Parametersoauth_consumer_keyoauth_consumer_secret

Parametersoauth_consumer_key="dpf43f3p2l4k3l03"oauth_token="nnch734d00sl2jdk"

Parametersoauth_nonce="kllo9940pd9333jh"oauth_timestamp="1191242096"

Parametersoauth_signature_method="HMAC-SHA1"oauth_version="1.0"oauth_signature="tRMTYa%2FWM%3D"

Signature Base Stringthe key to the authentication

What is the signature?a consistent reproducible concatenation of the request elements into a single string

Cryptographic Signature Signature Base String Consumer Secret

Cryptographic Signature Signature Base String Consumer Secret Signature

Cryptographic Signature Signature Base String Consumer Secret Signature sig=yourSignatureStr

Cryptographic Signature Signature Base String Consumer Secret Signature base=foobar&sig=yourSignatureStr

Parametersoauth_signature_method="HMAC-SHA1"oauth_version="1.0"oauth_signature="tRMTYa%2FWM%3D"

Request ExampleGET /1/statuses/mentions.json?count=5 HTTP/1.1Host: api.twitter.com:80

Request Example With OAuthGET /1/statuses/mentions.json?count=5 HTTP/1.1Host: api.twitter.com:80Authorization: OAuth realm="" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"Signature Base StringGET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.json?count%3D5%26%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

HTTP Request MethodGET /1/statuses/mentions.json?count=5 HTTP/1.1Host: api.twitter.com:80Authorization: OAuth realm="" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"Signature Base StringGET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.json?count%3D5%26%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

Request URIGET /1/statuses/mentions.json?count=5 HTTP/1.1Host: api.twitter.com:80Authorization: OAuth realm="" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"Signature Base StringGET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.json?count%3D5%26%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

Request ParametersGET /1/statuses/mentions.json?count=5 HTTP/1.1Host: api.twitter.com:80Authorization: OAuth realm="" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"Signature Base StringGET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.json?count%3D5%26%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

HTTP Request ExampleGET /1/statuses/mentions.json?count=5 HTTP/1.1Host: api.twitter.com:80Authorization: OAuth realm="" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"Signature Base StringHMAC-SHA1(GET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.json?count%3D5%26%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal)

An AuthorisationIn Action with monkehTweets

Flavours

Flavours OAuth

Flavours OAuth xAuth

Flavours OAuth xAuth OAuth Echo

Flavours OAuth xAuth OAuth Echo and other variations

Benefits to OAuth

Benefits to OAutha standardised protocol that is becoming widely implemented by many providers

Benefits to OAutha standardised protocol that is becoming widely implemented by many providers user has control over access and can easily revoke consumers and application privileges

Benefits to OAutha standardised protocol that is becoming widely implemented by many providers user has control over access and can easily revoke consumers and application privileges ability to track usage and statistics due to the access tokens

Benefits to OAutha standardised protocol that is becoming widely implemented by many providers user has control over access and can easily revoke consumers and application privileges ability to track usage and statistics due to the access tokensmany open-source libraries and clients available to use

Benefits to OAuth no personal information has been passed around

Issues with OAuth

Issues with OAuth documentation could be much better

Issues with OAuth documentation could be much better harder to implement that basic authentication

Issues with OAuth documentation could be much better harder to implement that basic authentication variations on the principle already exist

Issues with OAuth documentation could be much better harder to implement that basic authentication variations on the principle already exist does not solve brute force attacks or phishing

Want To Be A Service Provider? who doesn’t!

Want To Be A Service Provider? http://oauth.riaforge.org

http://oauth.riaforge.org

As A Developer You... (can) make integration, UX and UI as easy as possible for users by not-overcomplicating the process and thecontent, keeping it simple and worded succinctly to help them understand the process without scaring them

As A Developer You... (can) make sure that user’s data is secure and protected wherever possibleby ensuring that you only store what you need to store, and keep them safe and protected at all times

As A Developer You... (can) keep your clients / users happy by ensuring that you make it simple, straight forward and secure for them

Privacy is Freedom

Links & Stuff http://oauth.net http://oauth.net/core/1.0 http://oauth.riaforge.org http://monkehtweet.riaforge.org

OAuth: demystified (hopefully)Matt Gifford aka coldfumonkehhttp://www.mattgifford.co.uk

OAuth: demystified (hopefully)

by Matt Gifford

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 38

Statistics

OAuth: demystified (hopefully) Presentation Transcript