+ Follow

Chirp 2010: Too many secrets, but never enough: OAuth at Twitter

by Taylor Singletary

11,396 views

Slides from the session given by @raffi and @episod at Chirp. Additional links and slides included.

Accessibility

View text version

Upload Details

Uploaded via SlideShare as Apple Keynote

Usage Rights

File a copyright complaint

8 Embeds 116

http://www.slideshare.net	63
http://www.labnol.org	39
http://sarahintampa.tumblr.com	5
http://localhost	4
http://www.linkedin.com	2
http://cliqset.com	1
http://www.lmodules.com	1
http://www.twylah.com	1

More...

Statistics

Likes: 19
Downloads: 85
Comments: 10
Embed Views: 116
Views on SlideShare: 11,280
Total Views: 11,396

Chirp 2010: Too many secrets, but never enough: OAuth at Twitter Presentation Transcript

Too many secrets but never enough. by Raffi Krikorian & Taylor Singletary Questions? http://bit.ly/chirpoauth #chirpoauth

OAuth is a dance.

OAuth Libraries don’t always work right or won’t bend to your will easily. Sometimes you’ve got to get your hands dirty and fix them.

All OAuth requests are similar at their core. The rules really don’t change.

The signature base string.

httpMethod + "&" + url_encode( base_uri ) + "&" + sorted_query_params.each { | k, v | url_encode ( k ) + "%3D" + url_encode ( v ) }.join("%26")

Signing requests.

Signing an OAuth request is easier than you think. Take that signature base string, then sign it using HMAC-SHA1 and the proper signing key

The proper signing key is a pain point. The access token step, and any resource requests on a user’s behalf utilizes OAuth tokens and secrets to create a composite signing key.

Two-legged OAuth requests are requests that don’t require a user or oauth_token. Asking for a request token is actually a two-legged OAuth request.

The algorithm for determining what your “signing key” is url_encode( consumer_secret ) + "&" + url_encode( oauth_token_secret || nil )

The algorithm for determining what your “signing key” is With an oauth_token_secret signing_key = “abcd&efgh” Without an oauth_token_secret signing_key = “abcd&”

the OAuth 1.0A Request Cycle

xAuth & OAuth Echo

xAuth in Ruby def get_access_token_with_xauth(login, password) consumer = initiate_oauth_consumer_object options = {} options[:x_auth_username] = login options[:x_auth_password] = password options[:x_auth_mode] = "client_auth" url = "https://api.twitter.com/oauth/access_token" response = consumer.token_request(:post, url, nil, {}, options) @access_token = OAuth::AccessToken.from_hash(consumer, response) end

Working with OAuth Libraries Most OAuth Libraries are similar

Advice • Learn how to specify HTTP headers explicitly in your OAuth implementation • Master the core components of your OAuth libraries. Follow the code path through so you understand the proper places to introduce different behavior.

Truth & Reconciliation

When things go wrong.

the OAuth Dancer ( hold me closer )

the OAuth Dancer • Nearly complete solution for testing REST-based API requests with OAuth 1.0A authentication. • Examine the signature base string, authorization headers, and oodles more debug information about requests. • Supports xAuth and two-legged OAuth. • Out-of-band (PIN) support coming soon. • Under perpetual development. OAuth 2.0 support on the way. • Very useful for creating comparative examples, testing internal OAuth implementations, and more. http://bit.ly/oauth-dancer

What’s on the horizon? Q&A

Some links OAuth Zero to Hero About OAuth Echo Beginner’s Guide to OAuth Twitter xAuth OAuth Dancer

Marko Kukovec, Razvojni inženir at Inova IT If you want to convert '.key' presentation file to '.pdf' or '.ppt' you can use online service at http://www.zamzar.com/ for this. 9 months ago

Are you sure you want to

Iroiso Ikpokonte at Iroiso Ikpokonte Read this as soon as you can. 1 year ago

MrKappa Finally, there is no means for me to explain to the end user what information or access is granted to the end user when joining accounts.

This creates a few big problems, policy makers have to decide on a catch all solution which either favors its users or people developing for it. Second, I have no means as a developer to explain what the connection is for. I am given a section when registering an application to explain what it is, and even that is absent from the 'connect' splash page.

I would really prefer it if there was a permission matrix which allows a developer to specifically delare which functionalities are reqested for usage. And in turn that same permission matrix can be used to explain to the end user before they connect, exactly what connecting is all about.

No Client wants to authenticate with a third party application if it is going to start re tweeting to everybody else, or posting their test scores without their permission, or erasing thier followers, or sending DMS on thier behalf. I (as a tweeter) want to know what a strange 3rd party account website wants access to my account for. The problem seems to be partially resolved on a website like the Huffington past when it says they will post to your timeline, but I think it should be clearer, as in the future, I would hope there would be a real means to access the users email address, and a clear indication to the end user that its something being requested, and I as a developer have the option to provide a brief description as to what the connection is about, plus expanding the app registration to a fuller matrix, beyond the read and write dual option it currently is. 2 years ago

MrKappa Slide 13 is useful, it should be on the Twitter instruction page. 2 years ago

MrKappa When providing directions, keep people guessing, it's a sure way to make the standard fail... Give them 3 generic keys, tell them to hash with the 'secret one', give the others cute names like consumer. Force them to encrypt with public keys like 'Anonymous', reveal the algorithm in the get vars, advise POST over https, but allow GET over http, claim it's the future...

Guys, this is clearly the worst attempt at a standard I have ever seen, sorry...

It's not a standard, it's an advisory, and nobody seems to understand it's purpose, especially anyone writing the 'Help' manuals... 2 years ago

MrKappa What's on the horizion? a scraper... 2 years ago

MrKappa If you think anyone in thier right mind is going to make it past that insanely complex instruction set written in the 'Help' manual, you could be losing out to FB which was quite literally a plain english 1 hour hour walk through.

Whoever was paid to write that 'Help' manual, has no interest in helping anyone... 2 years ago

MrKappa Hey, I'm sorry, but what should be plain english is obsfucated beyond all belief...

Step 1, Step 2, Step 3 is actually, 'well, let me start with why this base 54 encoded string should be passed over POST, of course we'll take it over HTTP and GET but f#!k you, listen to why this SHA-1 HASH has anything to do with security...'

Sorry guys, I can't see why anything which is free, as in no cost to use should be this difficult to understand. It's a joke... 2 years ago

Junda Ong, Mobile Lead at Hoiio Just to be certain, are you saying OAuth is too complex, compared to xAuth? 2 years ago

etorrie Somewhat difficult to understand without speaker notes.. 3 years ago