(FOR THE WIN)
OAuth FTW
How OAuth and portable data can
revolutionize your web app
Chris Messina October 10, 2008
Future of Web Apps London, England

OAuth |ō| |ôˌθ|
Noun.
An open protocol that allows secure
API authorization in a simple and
standard method from desktop, web
and mobile applications.

The story of OAuth starts with OpenID.


factoryjoe.com

factoryjoe.com
?!
X

!


factoryjoe.com
? X
Can has OpenID?

X
(APPLICATION PROGRAMMING INTERFACE)
B-b-but what about API apps?

?

!?!

How much are your username
and password worth?

wayn.com

imeem.com

 PC Load Letter?! What the f...!

The Password Anti-pattern!

Passwords are not confetti.

Please stop throwing them around.

Especially if they’re not yours.


OAuth replaces the need for
usernames and passwords with
tokens and a hashing signature.

let’s take a look

Brightkite > pings Fire Eagle for Request Token
Fire Eagle > returns authorization realm

Brightkite > requests that user authorize Brightkite
Fire Eagle > user authenticates through Yahoo! accounts

Fire Eagle > user grants authorization to Brightkite
Fire Eagle > Fire Eagle redirects user to callback URL

Brightkite > asks FE to exchange Request Token for Access Token
Fire Eagle > checks signature; if valid, returns Access Token
...subsequent requests are signed with this Access Token

users can manage access...

...and change access

or can revoke access later without having
to change their primary account password
(i.e. if they lose their phone or their computer gets stolen)

?

discovery

Identity -› Discovery -› Authorization

OpenID -› XRDS-Simple -› OAuth Endpoint
(EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)

Identity -› Discovery -› [Authentication] -› Authorization

http://will.norris.name
<meta http-equiv=\"X-XRDS-Location\" content=\"http://will.norris.name/?xrds\" />

OpenID XRDS
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<xrds:XRDS
xmlns:xrds=\"xri://$xrds\"
xmlns:openid=\"http://openid.net/xmlns/1.0\"
xmlns=\"xri://$xrd*($v*2.0)\">
<XRD>
<Service priority=\"0\">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/sreg/1.0</Type>
<Type>http://openid.net/extensions/sreg/1.1</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type>
<URI>https://pip.verisignlabs.com/server</URI>
<LocalID>https://recordond.pip.verisignlabs.com/</LocalID>
</Service>
</XRD>
</xrds:XRDS>

XRDS-Simple for
Portable Contacts
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<xrds:XRDS
xmlns:xrds=\"xri://$xrds\"
xmlns:openid=\"http://openid.net/xmlns/1.0\"
xmlns=\"xri://$xrd*($v*2.0)\">
<XRD version=\"2.0\">
<Type>xri://$xrds*simple</Type>
<Service>
<Type>http://portablecontacts.net/spec/1.0</Type>
<URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI>
</Service>
<Service priority=\"0\">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/sreg/1.0</Type>
<Type>http://openid.net/extensions/sreg/1.1</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>http://www.myopenid.com/server</URI>
<LocalID>http://brian.myopenid.com/</LocalID>
</Service>
</XRD>
</xrds:XRDS>

XRDS-Simple for
Portable Contacts
<XRD version=\"2.0\">
<Type>xri://$xrds*simple</Type>
<Service>
<Type>http://portablecontacts.net/spec/1.0</Type>
<URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI>
</Service>
<Service priority=\"0\">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/sreg/1.0</Type>
<Type>http://openid.net/extensions/sreg/1.1</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/...
<Type>http://openid.net/srv/ax/1.0</Type>
...

XRDS-Simple for
Portable Contacts
<XRD version=\"2.0\">
<Type>xri://$xrds*simple</Type>
<Service>
<Type>http://portablecontacts.net/spec/1.0</Type>
<URI>http://soocial.com/contacts.xml</URI>
</Service>
<Service priority=\"0\">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/sreg/1.0</Type>
<Type>http://openid.net/extensions/sreg/1.1</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/...
<Type>http://openid.net/srv/ax/1.0</Type>
...

adoption

•OpenSocial •Meetup.com
•MySpace •Ma.gnolia
•Google •Get Satisfaction
•Yahoo! (Fire Eagle) •Agree2
•Netflix •SoundCloud
•SmugMug •88Miles
•Photobucket •Pownce
•Plaxo •Brightkite
•Soocial.com •Praized
http://wiki.oauth.net/ServiceProviders

code

•C# •OCaml
•Coldfusion •Perl
•Java •PHP
•Javascript •CakePHP
•Jifty •Python
•.NET •Ruby
•Objective-C •...interest in XMPP
http://oauth.net/code

the pitch

fin.
oauth.net
me -› factoryjoe.com