#dd12 OAuth for Domino Developers



  1. OAuth for the Domino Developer
     Julian Robichaux, panagenda
  2. Too Many Logins
     • Every website has its own login
     • How many different web accounts do you have?
       – 5, 10, 20... ???
       – I have 4 different accounts on IBM.com!
     • Very annoying, and bad security
       – You re-use passwords or write them down
  3. Single-Sign On
     • Why isn’t there a global single-sign on (SSO)?
     • It would be great to have one account that logs in to everything
       – Google wants that. So does Facebook.
     • Problems:
       – If someone hacks the “master” account, they can log in everywhere
       – Websites want user information for marketing
  4. The Password Problem
     • What if we share logins on multiple websites?
     • Where do you log in?
       – If you “give” your password to one website so it can validate your account on a different website, that is a big security problem
       – If you are already logged in to one website, how does another website know who you are?
  5. A Real World Example (sort of...)
  6. Tony has a very cool disco.
  7. Tony has a list of friends. Only the people on Tony’s list can come into the disco.
  8. Frank has a very cool bar.
  9. Frank also has a list of friends, and only the people on Frank’s list can come into his bar.
  10. Tony wants Frank’s cool customers to come dance at his disco.
  11. He asks for Frank’s list, so he knows who Frank’s friends are.
  12. Frank says, “NO, you can’t have my list.”
  13. Frank says, “NO, you can’t have my list.” “I have a better idea.”
  14. We will use this special ticket (it’s called a “token”).
  15. If you give this Token to someone and they come back with my signature, that means they are on my list.
  16. Natalie wants to go to Tony’s disco.
  17. “Hi. I’m Frank’s friend!!” She is not on Tony’s list, but she is a friend of Frank’s.
  18. “Okay, have Frank sign that.” Tony gives her a blank token and asks her to get it signed by Frank.
  19. Natalie brings Frank the token. Frank knows it is from Tony’s disco because it is the same token he and Tony agreed upon.
  20. [token stamped 01-01-12 19:00] Frank knows Natalie, so he signs the token and he puts a time stamp on it.
  21. [token stamped 01-01-12 19:00] Natalie brings the token back to Tony. He knows it’s his token, and it’s Frank’s signature.
  22. [token stamped 01-01-12 19:00] So Tony lets Natalie in, and she dances all night.
  23. End of Our Story
  24. What Did We Learn?
     • Tony and Frank did NOT have to share their list of customers (logins)
     • All they needed was a token and a signature
       – Frank knew what the token looks like
       – Tony knew what the signature looks like
     • Natalie never had to give her personal information (name & password) to Tony
  25. Why the Timestamp?
     • The timestamp means the token is good NOW
     • That way you can’t re-use a token from yesterday, or last week, or whatever the time-out period is
     • It also shows that Natalie was STILL on Frank’s friend list at 01-01-12 19:00
  26. What About OAuth?
     • This is very similar to how “3-Legged” OAuth works
  27. 3-Legged OAuth (slides 27 to 36 build this diagram up one step at a time)
     Actors: User; Consumer (website you want to visit); Service Provider (where your account lives)
     #1: Create a Request Token
     #2: Go to a website
     #3: Receive the Request Token, get redirected to the Service Provider
     #4: Log in to the Service Provider, Request Token is now Authorized (01-01-12 19:00)
     #5: Okay, you’re authenticated
     #6: Get an Access Token (if access to user info is allowed)
     “We are authorized. Let’s work.”
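The six steps on the diagram, as an added example that is not part of the slides and is not the XPages Extension Library's API: an in-memory 3-legged OAuth 1.0a service provider (Frank's side) and the consumer's part of the dance (Tony's side). The class and function names, the token formats, the 600-second request-token lifetime and the demo consumer and user credentials are all constructed for this illustration. The point it makes is the one on slides 24 and 25: the consumer obtains user data without ever handling the user's password, the request token is good only once and only for a limited time, and access can be revoked without touching the password.

```python
# Added example (not from the slides and not the XPages Extension Library API):
# an in-memory 3-legged OAuth 1.0a service provider plus the consumer-side
# steps, mirroring steps #1 to #6 on the slide. Names, token formats and the
# demo user/password are constructed for this illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class RequestToken:
    secret: str
    consumer_key: str
    issued_at: float
    user: Optional[str] = None       # set when the user approves at the provider
    verifier: Optional[str] = None   # OAuth 1.0a verifier handed back via redirect
    used: bool = False               # a request token may be exchanged only once


class ServiceProvider:
    """Where the user's account lives (Frank's bar in the story)."""
    REQUEST_TOKEN_TTL = 600   # seconds; plays the role of the timestamp on slide 25

    def __init__(self, consumers, users):
        self.consumers = consumers        # consumer_key -> consumer_secret
        self.users = users                # user -> password (constructed demo data)
        self.request_tokens = {}          # token -> RequestToken
        self.access_tokens = {}           # token -> (secret, consumer_key, user)

    def issue_request_token(self, consumer_key, now=None):
        """Step #1: the consumer asks for a request token; no user involved yet."""
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token = secrets.token_hex(8)
        issued = now if now is not None else time.time()
        rt = RequestToken(secrets.token_hex(16), consumer_key, issued)
        self.request_tokens[token] = rt
        return token, rt.secret

    def authorize(self, token, user, password, now=None):
        """Step #4: the user logs in HERE (the consumer never sees the password)
        and approves the request token. Returns the verifier for the redirect."""
        rt = self._live_request_token(token, now)
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        rt.user, rt.verifier = user, secrets.token_hex(4)
        return rt.verifier

    def exchange(self, token, verifier, now=None):
        """Step #6: trade an authorized, unused request token for an access token."""
        rt = self._live_request_token(token, now)
        if rt.used or rt.verifier is None or not secrets.compare_digest(rt.verifier, verifier):
            raise PermissionError("request token not authorized")
        rt.used = True
        access = secrets.token_hex(8)
        self.access_tokens[access] = (secrets.token_hex(16), rt.consumer_key, rt.user)
        return access, self.access_tokens[access][0]

    def user_info(self, access_token):
        """Protected resource: only what the access token was granted for."""
        if access_token not in self.access_tokens:
            raise PermissionError("invalid or revoked access token")
        _secret, consumer_key, user = self.access_tokens[access_token]
        return {"user": user, "granted_to": consumer_key}

    def revoke(self, access_token):
        """Slide 37's goal: access can be revoked without changing any password."""
        self.access_tokens.pop(access_token, None)

    def _live_request_token(self, token, now):
        rt = self.request_tokens.get(token)
        now = now if now is not None else time.time()
        if rt is None or now - rt.issued_at > self.REQUEST_TOKEN_TTL:
            raise PermissionError("unknown or expired request token")
        return rt


def consumer_dance(provider, consumer_key, user_login, now=None):
    """Consumer side (Tony's disco). user_login(token) stands in for the browser
    redirect of steps #2 to #5: the user authenticates at the provider and the
    verifier comes back; the consumer itself never handles the password."""
    token, _secret = provider.issue_request_token(consumer_key, now)   # #1
    verifier = user_login(token)                                        # #2 to #5
    access, _asecret = provider.exchange(token, verifier, now)          # #6
    return access, provider.user_info(access)
```

The request token and access token are distinct objects on purpose (slide 39): the first is short-lived and single-use, the second is what the consumer keeps. Real providers also sign every request with the token secret; that part is shown separately with the HMAC-SHA1 example further down.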
  37. OAuth Goals
     • Do NOT send or share passwords
     • Access should be limited
       – How much user data can be seen?
       – How long does the access last?
     • Access can be revoked
  38. Data Transmission
     • How do the tokens get passed from client to server?
     • Depends on the server. Options include:
       – URL query string parameters
       – POST requests
       – Cookies
     • You should always use HTTPS
  39. OAuth Security
     • Token signatures and shared secrets
       – Trust the cryptography
     • Two different kinds of tokens (request and access)
     • Nonces (Number used ONCE) and timestamps to prevent replay attacks
     • User information is not shared (unless that’s part of what’s being authorized)
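What "token signatures and shared secrets" and "nonces and timestamps" mean concretely, as an added example that is not part of the slides and not the Extension Library's code: the OAuth 1.0 signature base string and HMAC-SHA1 signature from RFC 5849, plus the provider-side check that rejects a stale timestamp or a nonce it has already seen. The sample request is modelled on the example request in RFC 5849 section 3.4.1.1; the consumer and token secrets and the 300-second window are constructed for this illustration. Only the Python standard library is used.

```python
# Added example (not from the slides and not the Extension Library code): how an
# OAuth 1.0 HMAC-SHA1 signature is built and how a provider uses the nonce and
# timestamp to reject replays. Standard library only. The sample request is
# modelled on the RFC 5849 section 3.4.1.1 example; the secrets are constructed.
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, urlsplit


def percent_encode(value):
    # RFC 5849 section 3.6: everything except unreserved characters is %XX-encoded
    return quote(str(value), safe="")


def base_string_uri(url):
    # scheme and host lower-cased, default port dropped, query string removed
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if p.port and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def normalize_params(params):
    """params: (name, value) pairs of DECODED strings from the query string, the
    form body and the oauth_* protocol parameters, excluding oauth_signature.
    Each pair is encoded, then the list is sorted by name and then by value."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    parts = (method.upper(), base_string_uri(url), normalize_params(params))
    return "&".join(percent_encode(x) for x in parts)


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # key = encode(consumer secret) "&" encode(token secret); the token secret is
    # empty until the consumer holds a token (step #1 on the previous slides)
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class ReplayGuard:
    """Provider-side replay defence: a timestamp outside the window is rejected,
    and a (consumer, timestamp, nonce) triple is accepted only once."""

    def __init__(self, window_seconds=300):   # window is a constructed choice
        self.window = window_seconds
        self.seen = set()

    def accept(self, consumer_key, timestamp, nonce, now=None):
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False
        key = (consumer_key, ts, nonce)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def verify_request(method, url, params, signature, consumer_secret, token_secret,
                   guard, now=None):
    """Provider side: recompute the signature over the received parameters,
    compare in constant time, then apply the nonce/timestamp check."""
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected, signature):
        return False
    p = dict(params)   # only the oauth_* names are looked up here
    return guard.accept(p.get("oauth_consumer_key"), p.get("oauth_timestamp"),
                        p.get("oauth_nonce"), now)


# Constructed sample request, modelled on RFC 5849 section 3.4.1.1
# (POST http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b with form body
# c2&a3=2+q): decoded query, body and protocol parameters, without oauth_signature.
SAMPLE_URL = "http://example.com/request"
SAMPLE_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string
    ("c2", ""), ("a3", "2 q"),                                 # form body
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
```

Two details matter for interoperability and are the usual source of "signature invalid" errors: parameters are encoded before sorting, so byte order of the encoded form decides the order, and the whole normalized string is encoded a second time when it is joined into the base string (which is why `%3D` becomes `%253D`). On the provider side the signature check and the replay check are both needed: a valid signature alone says nothing about whether the request is fresh.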
  40. Who Uses OAuth?
     • OAuth Core 1.0
       – Created in 2006
       – Published December 2007
       – Finalized April 2010 (RFC 5849)
     • OAuth 2.0
       – Currently being standardized
       – Some sites are already using it
     • Google, Facebook, Twitter, Flickr, Yahoo, Amazon AWS, TripIt, Instagram, Evernote, and more...
  41. What’s in OAuth 2.0?
     • Based on more use-cases and lessons learned
     • Better for mobile app developers
       – It’s hard to do OAuth redirection on mobile
       – New “2-Legged” OAuth models are easier
     • Simplified signature process
     • Refreshable tokens
     • Easier to scale on the server side
  42. OAuth on Lotus Domino
     • Great code already written by Niklas Heidloff and Philippe Riand from IBM (geniuses)
     • Free! Open-source! On OpenNTF.org
       – Old version: http://socialenabler.openntf.org
     • New version in the XPages Extension Library
       – http://extlib.openntf.org
  43. In The Toolkit
     • ExtLib plugins
       – Contain code and wrappers for using OAuth
     • WebSecurityStore.ntf template
       – Set up and store OAuth tokens
     • XPagesSBT.nsf database
       – Examples for accessing Dropbox, Facebook, Twitter, LotusLive, and more!
  44. Setting Up The Toolkit
     • Detailed instructions in “Appendix A” of these slides
     • Basic overview:
       – Lotus Domino server 8.5.3 or higher
       – Create an UpdateSite for the ExtLib plugins
       – Create and configure WebSecurityStore.nsf
       – Look at the examples in XPagesSBT.nsf
  45. An Example: Dropbox!
  46. Resources and Links
     • http://oauth.net
     • http://hueniverse.com/oauth
     • http://hueniverse.com/2009/11/planning-for-oauth-2-0
     • http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
     • https://www.pingidentity.com/resource-center/oauth-essentials.cfm
     • https://www.dropbox.com/developers/start
     • http://cgeers.com/2011/12/29/dropbox-rest-api-part-1-authentication
     • http://tripit.github.com/api/doc/v1
     • http://blog.andydenmark.com/2009/03/how-to-build-oauth-consumer.html
  47. Lotus-Specific
     • http://extlib.openntf.org
     • Niklas Heidloff’s demo of an older version of the Social Business Toolkit: http://www.youtube.com/watch?v=UAmgqP20Okw
     • Lotusphere 2012 sessions AD104 & AD105
     • Matt White’s example of connecting to Facebook with OAuth: http://mattwhite.me/blog/2010/10/20/how-to-get-sso-for-facebook-working-with-xpages.html
  48. Appendix A: Setting up the XPages Extension Library to access Dropbox (you can read this later)
  49. Step 1: Download ExtLib
     • http://extlib.openntf.org
  50. Step 2: Set Up ExtLib
     • Make sure you’re running Domino 8.5.3+
     • Follow the excellent instructions at: http://www-10.lotus.com/ldd/ddwiki.nsf/dx/XPages_Extension_Library_Deployment
       – Create an Update Site database
       – Import plugins
       – Add notes.ini variable
       – Restart HTTP task
  51. Step 3: WebSecurityStore.ntf
     • Copy WebSecurityStore.ntf to the Domino data directory
     • Sign the NTF with an administrator ID
     • Create a WebSecurityStore.nsf database from the template
       – Use the exact name WebSecurityStore.nsf
       – Use the root Domino data directory (not a subdirectory)
  52. [screenshot] Sign the template in DDE
  53. [screenshot] OAuth Token Store Template (WebSecurityStore.ntf): no subdirectory; must be named WebSecurityStore.nsf
  54. Step 4: Get a Dropbox App ID
     • Go to http://www.dropbox.com/developers
       – “My Apps”
       – Accept license agreement
       – “Create an App”
     • Fill out information for your custom App ID
       – Used for generating tokens for your app
       – Access type must be “Full Dropbox” for this
  55. [screenshot] You will need these later. Important: use “Full Dropbox”
  56. Step 5: Add a Token
     • Open http://your.server/websecuritystore.nsf/KeysApplications.xsp
     • Click the “Add Token” button:
       – App ID=XPagesSBT, Service Name=Dropbox
       – Add your Dropbox Consumer Key and Secret
       – Use redirection URLs from Dropbox: https://www.dropbox.com/developers/reference/api
  57. [screenshot] App ID = XPagesSBT; Service Name = Dropbox; Key Type = HMAC-SHA1; Uri values from https://www.dropbox.com/developers/reference/api
  58. Step 6: XPagesSBT.nsf
     • Copy the XPagesSBT.nsf database to your Domino server (name and location do not matter)
       – It is in the zip of ExtLib files you downloaded from OpenNTF
     • Sign it with an administrator ID
  59. Step 7: Try It Out!
     • Go to: http://your.server/XPagesSBT.nsf/DropboxFiles.xsp
     • You should be prompted to log in to Dropbox...
       – Log in
       – Authorize the XPages app
       – View your Dropbox files in XPages
  63. Watch the OAuth Dance
     • If you want to see what’s going on with your OAuth tokens when you log in
     • Open http://your.server/XPagesSBT.nsf/DropboxOauth.xsp
       – Shows token information read in from WebSecurityStore.nsf
       – Add, delete, and renew tokens
  65. Overriding Defaults
     • Default name & location for WebSecurityStore.nsf is in the faces-config.xml file of XPagesSBT.nsf
     • Default app ID & service name for Dropbox is also in faces-config.xml of XPagesSBT.nsf
     • If you change your consumer keys or secrets in WebSecurityStore.nsf, you might need to restart the server and browser to make sure all the old information goes away
  67. XPages ExtLib Book
     • More information on using the OAuth custom controls and plugins in the “XPages Extension Library” book at IbmPressBooks.com
  68. Thank You! Julian Robichaux, jrobichaux@panagenda.com
  69. Thanks to the sponsors for making Dominopoint Days 2012 possible! Main Sponsor, Vad sponsor, Platinum sponsor, Gold sponsor
