Chirp 2010: Too many secrets, but never enough: OAuth at Twitter

Slides from the session given by @raffi and @episod at Chirp. Additional links and slides included.

Published in: Technology
Comments
  • If you want to convert '.key' presentation file to '.pdf' or '.ppt' you can use online service at http://www.zamzar.com/ for this.
  • Read this as soon as you can.
  • Finally, there is no means for me to explain to the end user what information or access is granted to the end user when joining accounts.

    This creates a few big problems, policy makers have to decide on a catch all solution which either favors its users or people developing for it. Second, I have no means as a developer to explain what the connection is for. I am given a section when registering an application to explain what it is, and even that is absent from the 'connect' splash page.

    I would really prefer it if there was a permission matrix which allows a developer to specifically declare which functionalities are requested for usage. And in turn that same permission matrix can be used to explain to the end user before they connect, exactly what connecting is all about.

    No Client wants to authenticate with a third party application if it is going to start retweeting to everybody else, or posting their test scores without their permission, or erasing their followers, or sending DMs on their behalf. I (as a tweeter) want to know what a strange 3rd party account website wants access to my account for. The problem seems to be partially resolved on a website like the Huffington Post when it says they will post to your timeline, but I think it should be clearer, as in the future, I would hope there would be a real means to access the users email address, and a clear indication to the end user that it's something being requested, and I as a developer have the option to provide a brief description as to what the connection is about, plus expanding the app registration to a fuller matrix, beyond the read and write dual option it currently is.
  • Slide 13 is useful, it should be on the Twitter instruction page.
  • When providing directions, keep people guessing, it's a sure way to make the standard fail... Give them 3 generic keys, tell them to hash with the 'secret one', give the others cute names like consumer. Force them to encrypt with public keys like 'Anonymous', reveal the algorithm in the get vars, advise POST over https, but allow GET over http, claim it's the future...

    Guys, this is clearly the worst attempt at a standard I have ever seen, sorry...

    It's not a standard, it's an advisory, and nobody seems to understand its purpose, especially anyone writing the 'Help' manuals...

Transcript of "Chirp 2010: Too many secrets, but never enough: OAuth at Twitter"

    1. Too many secrets but never enough. By Raffi Krikorian & Taylor Singletary. Questions? http://bit.ly/chirpoauth #chirpoauth
    2. OAuth is a dance.
    3. OAuth libraries don’t always work right or won’t bend to your will easily. Sometimes you’ve got to get your hands dirty and fix them.
    4. All OAuth requests are similar at their core. The rules really don’t change.
    5. The signature base string.
    6. The base string in Ruby-style pseudocode (the slide used 'each', which returns the hash itself rather than the encoded pairs; 'map' is what the join needs):

           httpMethod + "&" +
           url_encode( base_uri ) + "&" +
           sorted_query_params.map { | k, v |
               url_encode( k ) + "%3D" + url_encode( v )   # "%3D" is an already-encoded "="
           }.join("%26")                                    # "%26" is an already-encoded "&"

    7. (Repeats slide 6.)
    8. Signing requests.
    9. Signing an OAuth request is easier than you think. Take that signature base string, then sign it using HMAC-SHA1 and the proper signing key.
    10. The proper signing key is a pain point. The access token step, and any resource requests on a user’s behalf, utilize OAuth tokens and secrets to create a composite signing key.
    11. Two-legged OAuth requests are requests that don’t require a user or oauth_token. Asking for a request token is actually a two-legged OAuth request.
    12. The algorithm for determining what your “signing key” is:

            url_encode( consumer_secret ) + "&" + url_encode( oauth_token_secret || "" )

        (The slide wrote '|| nil'; an empty string is what yields the bare trailing "&" shown on the next slide.)
    13. The algorithm for determining what your “signing key” is. With an oauth_token_secret: signing_key = “abcd&efgh”. Without an oauth_token_secret: signing_key = “abcd&”.
    14. The OAuth 1.0A request cycle.
    15. xAuth & OAuth Echo.
    16. xAuth in Ruby:

            def get_access_token_with_xauth(login, password)
              # initiate_oauth_consumer_object is the presenters' own helper (not shown)
              # that returns an OAuth::Consumer configured with the app's key and secret
              consumer = initiate_oauth_consumer_object
              options = {}
              options[:x_auth_username] = login
              options[:x_auth_password] = password
              options[:x_auth_mode] = "client_auth"
              url = "https://api.twitter.com/oauth/access_token"
              # xAuth is a two-legged call: no request token, the request is signed with the consumer secret alone
              response = consumer.token_request(:post, url, nil, {}, options)
              @access_token = OAuth::AccessToken.from_hash(consumer, response)
            end

    17. Working with OAuth libraries. Most OAuth libraries are similar.
    18. Advice
        • Learn how to specify HTTP headers explicitly in your OAuth implementation.
        • Master the core components of your OAuth libraries. Follow the code path through so you understand the proper places to introduce different behavior.
    19. Truth & Reconciliation
    20. When things go wrong.
    21. The OAuth Dancer (hold me closer)
    22. The OAuth Dancer
        • Nearly complete solution for testing REST-based API requests with OAuth 1.0A authentication.
        • Examine the signature base string, authorization headers, and oodles more debug information about requests.
        • Supports xAuth and two-legged OAuth.
        • Out-of-band (PIN) support coming soon.
        • Under perpetual development. OAuth 2.0 support on the way.
        • Very useful for creating comparative examples, testing internal OAuth implementations, and more.
        http://bit.ly/oauth-dancer
    23. What’s on the horizon? Q&A
    24. Some links: OAuth Zero to Hero; About OAuth Echo; Beginner’s Guide to OAuth; Twitter xAuth; OAuth Dancer.
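Slides 6 through 13 describe the signature base string, the HMAC-SHA1 step and the composite signing key; the Ruby below puts those pieces together end to end, including the two-legged case where no token secret exists. It is an added example written for this page, not code from the slides or from Twitter: oauth_encode is this example's own percent-encoder, and the endpoint URL, consumer key, secrets, nonce and timestamp are constructed placeholders.

```ruby
require "openssl"

# Percent-encode the way OAuth 1.0 requires: only the RFC 3986 unreserved
# characters survive, so a space becomes %20 (never "+") and "~" is kept.
def oauth_encode(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/n) { |c| format("%%%02X", c.ord) }
end

# Slides 6-7: METHOD & encoded(base URI) & encoded(sorted "k=v" pairs joined
# by "&"). Encoding the joined pairs a second time is what turns "=" into
# %3D and "&" into %26, which is what the slide spelled out by hand.
def signature_base_string(http_method, base_uri, params)
  pairs = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                .sort                      # by encoded name, then value
                .map { |k, v| "#{k}=#{v}" }
  [http_method.upcase, oauth_encode(base_uri), oauth_encode(pairs.join("&"))].join("&")
end

# Slides 11-13: consumer secret & token secret. A two-legged request has no
# token secret, but the trailing "&" still has to be there ("abcd&").
def signing_key(consumer_secret, oauth_token_secret = nil)
  "#{oauth_encode(consumer_secret)}&#{oauth_encode(oauth_token_secret)}"
end

# Slide 9: HMAC-SHA1 over the base string, keyed with the signing key and
# base64-encoded; this is the oauth_signature value sent with the request.
def oauth_signature(base_string, key)
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), key, base_string)].pack("m0")
end

# Constructed sample request: placeholder consumer key, nonce and timestamp.
SAMPLE_PARAMS = {
  "oauth_consumer_key"     => "abcd_key",
  "oauth_nonce"            => "n1",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp"        => "1271721600",
  "oauth_version"          => "1.0",
  "status"                 => "hello world",
}.freeze

# Sign the sample; pass nil for a two-legged request (consumer secret only).
def sign_sample(token_secret = "efgh")
  base = signature_base_string("post", "https://api.twitter.com/1/statuses/update.json", SAMPLE_PARAMS)
  key  = signing_key("abcd", token_secret)
  { base_string: base, signing_key: key, signature: oauth_signature(base, key) }
end

puts sign_sample[:signature] if $PROGRAM_NAME == __FILE__
```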