Oauth Ruby

  • If you look here: http://oauth.net/core/1.0/#signing_process

    You'll see that the secrets are sent over the wire from the provider to the consumer. But they don't go the other direction. What would be the point of sending both over the wire to authorize requests? If you were going to send both, you could just send one. The security comes in the separation.
  • You're wrong here. You send the keys (tokens) but not the secrets over the wire. You use the secrets in the signing. Sure, https is a good idea, but if you're sending the secrets then you're doing it wrong.

Transcript

  • 1. OAUTH. Don Park, 3-Feb-2009
  • 2. Terms: Provider, Consumer, User
  • 3. API Call
    PUT /vendingmachine/dispense
    Variables: brand=hershey quantity=1 change=gold
  • 4. API Call + OAUTH
    PUT /vendingmachine/dispense
    Variables: brand=hershey quantity=1 change=gold oauth_token=abc123 oauth_consumer_key=123abc oauth_signature_method=HMAC-SHA1 oauth_signature=xyz1234 oauth_timestamp=2009-01-011234 oauth_nonce=nonsence
  • 5. API Call + OAUTH
    PUT /vendingmachine/dispense
    Variables: brand=hershey quantity=1 change=gold oauth_token=abc123 oauth_consumer_key=123abc oauth_signature_method=HMAC-SHA1 oauth_signature=xyz1234 oauth_timestamp=2009-01-011234 oauth_nonce=nonsence
    Signature generation: Variables + token_secret
  • 6. How are the access token and token secret acquired?
  • 7. How are the access token and token secret acquired? The provider sends you the access token and secret in the clear! HTTPS is required.
  • 8. The last OAUTH-specific URL: the access token URL
    Direction: Provider to Consumer
    Given: the request token
    Returned: the access token and secret, if the access token has been blessed
    http://icecendor.com/oauth/access&oauth_token=req132
    HTTP 302 redirect to: icecondor-android-app:///&oauth_token=access1234&oauth_token_secret=xfz123
  • 9. The next OAUTH-specific URL: the user permission URL
    Direction: User to Provider
    Given: the request token
    Post: Bless the token
    http://icecendor.com/oauth/authorize&oauth_token=req132
    http://icecondor.com/oauth/authorize&oauth_token=req123&granted=1
    Displays a screen that asks the user to authorize this application for access to protected data. Redirects to the pre-defined return-to URL back to the consumer.
  • 10. The first OAUTH-specific URL: the request token URL
    Direction: Consumer to Provider
    Given: the consumer key
    Post: Bless the token
    http://icecendor.com/oauth/request&oauth_consumer_key=req132
    http://icecondor.com/oauth/authorize&oauth_token=req123&granted=1
    Displays a screen that asks the user to authorize this application for access to protected data. Redirects to the pre-defined return-to URL back to the consumer.
  • 11. How does the consumer acquire a consumer key and secret from the provider? Last parts of the puzzle.
  • 12. How does the consumer acquire a consumer key and secret from the provider? Last parts of the puzzle. Out of scope! The spec doesn't say. Use an out-of-band method. Example: receive the consumer key and secret in an email, and hard-code the values into the consumer app. Also, the request token URL, the authorization URL and the access token URL are not standardized and have to be communicated out-of-band.
  • 13. Help is on the way: OAUTH DISCOVERY (draft spec). XRDS document location in the headers:
    Date: Wed, 04 Feb 2009 01:06:17 GMT
    Server: Apache
    X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.6
    X-Runtime: 3125ms
    Etag: "aafe6ca507f518d040c9868cddaad9ef"
    X-XRDS-Location: http://icecondor.com/xrds.xml
    Cache-Control: private, max-age=0, must-revalidate
  • 14. xrds.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <XRDS xmlns="xri://$xrds">
      <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
        <Type>xri://$xrds*simple</Type>
        <Expires>2009-12-31T23:59:59Z</Expires>
        <Service priority="10">
          <Type>http://oauth.net/core/1.0/endpoint/request</Type>
          <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
          <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
          <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
          <URI>https://icecondor.com/oauth/request</URI>
        </Service>
        <Service priority="10">
          <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
          <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
          <URI>https://icecondor.com/oauth/authorize</URI>
        </Service>
        <Service priority="10">
          <Type>http://oauth.net/core/1.0/endpoint/access</Type>
          <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
          <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
          <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
          <URI>https://icecondor.com/oauth/access</URI>
        </Service>
        <Service priority="10">
          <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
          <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
          <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
          <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
        </Service>
        <Service priority="10">
          <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
          <LocalID>0685bd9184jfhq22</LocalID>
        </Service>
      </XRD>
      <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
        <Type>xri://$xrds*simple</Type>
        <Service priority="10">
          <Type>http://oauth.net/discovery/1.0</Type>
          <URI>#oauth</URI>
        </Service>
      </XRD>
    </XRDS>
  • 15. Rails OAUTH plugin: http://code.google.com/p/oauth-plugin/
    class SandwichApiController < ApplicationController
      # Only the dispense action requires a signed OAuth request; other actions stay open.
      before_filter :oauth_required, :only => [:dispense]

      def dispense
      end
    end
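Slides 4 and 5 and the comment thread above turn on one point: the secrets are used to sign the request and never travel with it. The following Ruby is an added example (not code from the slides or from the oauth-plugin) that builds the OAuth 1.0 HMAC-SHA1 signature for the slides' vending-machine call and shows the provider-side check; the host icecondor.com/vendingmachine/dispense, the consumer secret and the Unix oauth_timestamp are assumptions, the token secret xfz123 comes from slide 8.

```ruby
require 'openssl'
# OAuth 1.0 percent-encoding: only unreserved characters are left untouched.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string: METHOD & escaped base URL & escaped sorted parameters.
# oauth_signature itself is never part of what gets signed.
def signature_base_string(method, base_url, params)
  normalized = params.reject { |k, _| k == 'oauth_signature' }
                     .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, oauth_escape(base_url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret". The secrets stay on the
# host that holds them; only the signature travels with the request.
def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  base = signature_base_string(method, base_url, params)
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, base)].pack('m0')
end

# Constant-time comparison so the provider does not leak signature bytes via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Provider side: look up the secrets for the key and token named in the request,
# recompute the signature and compare; tampering with any variable breaks the match.
def provider_verify(method, base_url, params, secret_store)
  consumer_secret = secret_store[:consumers][params['oauth_consumer_key']]
  token_secret = secret_store[:tokens][params['oauth_token']]
  return false unless consumer_secret && token_secret && params['oauth_signature_method'] == 'HMAC-SHA1'
  expected = hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
  secure_equal?(expected, params['oauth_signature'].to_s)
end
# Constructed sample: the slides' vending-machine call with an assumed host, a constructed
# consumer secret and a Unix oauth_timestamp (the slides' "2009-01-011234" is not one).
BASE_URL = 'https://icecondor.com/vendingmachine/dispense'
SECRET_STORE = { consumers: { '123abc' => 'consumer-secret-constructed' }, tokens: { 'abc123' => 'xfz123' } }
REQUEST_PARAMS = { 'brand' => 'hershey', 'quantity' => '1', 'change' => 'gold',
                   'oauth_token' => 'abc123', 'oauth_consumer_key' => '123abc', 'oauth_nonce' => 'nonsence',
                   'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1233532800' }
# Consumer side: sign the call and attach oauth_signature to the variables.
def signed_request
  secret = SECRET_STORE[:consumers]['123abc']
  REQUEST_PARAMS.merge('oauth_signature' => hmac_sha1_signature('PUT', BASE_URL, REQUEST_PARAMS, secret, 'xfz123'))
end
```

A real provider would additionally reject replayed nonces and stale timestamps before doing the signature check.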