Advanced OAuth Wrangling

From kellan, 3 months ago


Slideshow transcript

Slide 1: Advanced OAuth Wrangling Kellan Elliott-McCrea XTech 2008: The Web on the Move

Slide 2: Assumptions

Slide 3: Advanced, simple, and flexible. (choose two)

Slide 4: OAuth? http://oauth.net/core/1.0

Slide 5: OAuth is .... ... a protocol for developing password-less APIs.

Slide 6: OAuth is .... ... a way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials.

Slide 7: OAuth is .... ... an open, freely-implementable and generic methodology for API authorization.

Slide 8: OAuth is .... ... “your valet key for the Web.”

Slide 9: OAuth is .... ... not OpenID.

Slide 10: OAuth is .... ... not OpenID. (OpenID does authentication, OAuth does authorization)

Slide 11: Emerging Standard
• OAuth Core 1.0 released Dec 4th, 2007
• 12 months of open development on mailing lists
• Supported by Google, Yahoo, MySpace, Digg, Twitter, Magnolia, Pownce, Dopplr, Get Satisfaction, Mediamatic, Hyves, etc. (not all APIs launched yet)
• Authorization protocol for Google’s OpenSocial, and Yahoo’s Y!OS.
• Open source libraries in PHP, Python, Perl, Ruby, Java, Javascript, Objective-C, C#, ActionScript, ColdFusion

Slide 12: So what does it do?

Slide 13: A little history.

Slide 14: In the beginning.... .... there was Twitter .... and there was Ma.gnolia

Slide 15: API.execute($username, $password)

Slide 16: API.execute($username, $password) API.execute(http://myid.example.org/)

Slide 17: Delegated Token Auth: FlickrAuth, Google AuthSub, Yahoo’s BBAuth, Facebook Auth, Amazon AWS, etc...

Slide 18: Username and password are replaced with a token and token secret that are unique to the user, the application, and the service provider

Slide 19: The Love Triangle End User Service Provider Consumer Application (fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html

Slide 20: Two technologies: 1. OAuth auth flow (aka token dance) 2. Normalized request signing

Slide 21: Some quick vocab
• Service provider: a website that provides access via OAuth. (i.e. the API)
• User: a person who has an account with the SP.
• Consumer: a website or application that uses OAuth to access the SP on the User’s behalf
• Consumer key and secret: Consumers are generally issued keys and secrets by the SP to uniquely identify them. (i.e. API key, and shared secret)
• Protected resource: any data or API controlled by the SP that requires authentication to access.
• Authorization URL: a web page hosted by the SP where the User is prompted to authorize or deny the Consumer

Slide 27: Request signing

Slide 28: Design Goals for Request Signing
• Prove that the Consumer is in possession of Consumer Secret, and Token Secret
• Protect against request forgery, and man-in-the-middle attacks.
• Protect against replay attacks.
• Lowest common denominator implementable. (no XML, no SSL, no PKI)
• Compatible with existing delegated auth APIs.
• Does NOT protect against eavesdropping. (Use SSL/TLS)

Slide 29: base64encode(hmac_sha1(33tr&77uq, GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_timestamp%3D1210171725%26oauth_token%3Dqu77))

Slide 30: http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=qu77&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1
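The signing shown on slides 29 and 30, worked through as an added example (not code from the talk): the consumer builds the normalized base string and HMAC-SHA1 signature, and the service provider verifies it with a timestamp window and a nonce cache so that a captured request cannot be replayed. Key and token values are the slides' sample ones; the window size, the in-memory nonce set and the 401 reason strings are assumptions made here.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: everything except the unreserved characters.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & enc(url) & enc(sorted "k=v" pairs); oauth_signature is never signed.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key is enc(consumer_secret) & enc(token_secret): proves possession of both.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class ServiceProvider:
    """Verifier side: secret lookup, timestamp window, nonce replay cache, signature check."""

    def __init__(self, consumers, tokens, window_seconds=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # oauth_token -> token_secret
        self.window = window_seconds
        self.seen = set()            # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now):
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        token_secret = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token_secret is None:
            return 401, "Unknown consumer or token"
        timestamp = int(params.get("oauth_timestamp", 0))
        if abs(now - timestamp) > self.window:
            return 401, "Timestamp outside window"
        replay_key = (params["oauth_consumer_key"], timestamp, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return 401, "Nonce already used"
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return 401, "Invalid signature"
        self.seen.add(replay_key)   # only remember nonces of requests that verified
        return 200, "OK"

# Constructed request parameters matching slide 30 (the signature is recomputed below).
SLIDE_PARAMS = {
    "oauth_consumer_key": "tr33", "oauth_token": "qu77",
    "oauth_timestamp": "1210171725", "oauth_nonce": "34567",
    "oauth_signature_method": "HMAC-SHA1",
}
```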

Slide 31: OAuth is .... ... delegated token auth which uses the “token dance” to mint user-consumer-service provider specific credentials, verified with request signing.

Slide 32: OAuth is .... ... plumbing..

Slide 33: How’s everyone doing?

Slide 34: OAuth Flexibility Cookbook

Slide 35: If Not Forbidden

Slide 36: Recipe #1: Expiring Tokens

Slide 37: Request an expiring token from the authorization end point http://api.example.com/auth?oauth_token=request_342342&expire_in=3days

Slide 39: Behind the scenes, the consumer requests the access token and receives: oauth_token=qu77&oauth_token_secret=77qu&user_name=kellan&expires_on=1210478083

Slide 40: HTTP/1.0 401 Unauthorized Expired Token.

Slide 41: Don’t fear the nonce (and timestamp)

Slide 42: Recipe #2: Custom authorization and permission levels

Slide 43: Request an expiring token from the authorization end point http://api.example.com/auth?oauth_token=request_342342&requested_perm=write

Slide 44:
Permissions
http://api/auth?oauth_token=rt2323&requested_perm=write
http://api/auth?oauth_token=rt2323&requested_perm=read
http://api/auth?oauth_token=rt2323&requested_perm=delete
Scope
http://api/auth?oauth_token=rt2323&scope=http://example.com/photos/write
http://api/auth?oauth_token=rt2323&scope=http://www.google.com/m8/feeds/read
Rights
http://api/auth?oauth_token=rt2323&rights=read-buddy-list,send-im
Role
http://api/auth?oauth_token=rt2323&role=contributor

Slide 46: Recipe #3: OAuth on the Desktop

Slide 52: Behind the scenes: oauth_token=qu77& oauth_token_secret=77qu& user_name=kellan& granted_permission=write

Slide 53: Umm, really? 1. Once you’ve distributed your secret, is it a secret? 2. The user experience sucks!

Slide 54: OAuth on the desktop: 2-factor authentication and the Ritual Coffee attack.

Slide 55: OAuth on the desktop: 2-factor authentication and the Ritual Coffee attack. this is why OAuth defines both a Consumer Key/Secret pair and the Token/Secret pair

Slide 56: so make sure your authorization page is CSRF safe

Slide 57: OAuth on the Desktop: “Worst possible user experience except for all the others”

Slide 58: Recipe #4: “Two legged APIs”

Slide 59:
3 legged: FireEagle.setLocation, Twitter.privateTimeline, Flickr.upload, Flickr.search
2 legged: FireEagle.nearby, Twitter.friendsTimeline, Flickr.search

Slide 60: Solution #1: use a constant instead of the access token and access secret.
http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=DUMMY_TOKEN&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1
base64encode(hmac_sha1(33tr&DUMMY_SECRET, GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_timestamp%3D1210171725%26oauth_token%3DDUMMY_TOKEN))

Slide 61: Solution #2: FireEagle issues an “application access token” that can be used to sign application scoped APIs.

Slide 62: Recipe #5: At Scale Avoid hitting the database, and distributing secrets

Slide 63: Avoid hitting the database. Tokens need not be opaque.

Slide 64: Better Tokens
$token = base64encode(encrypt($super_secret, “$consumer_key;$user_id;$expiration_date;$permissions;”));
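A self-describing token in the spirit of slide 64, as an added example (not the talk's code). The talk encrypts the fields; this version authenticates them with an HMAC under a server-side key instead, which is what lets the provider trust the consumer key, user, expiry and permissions without a database lookup, and it derives the token secret from the token for the same reason. The server key, the field names and the 401 reason strings are assumptions made here; "Expired Token" follows slide 40.

```python
import base64
import binascii
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size   # 32-byte authentication tag

def mint_token(server_key: bytes, consumer_key, user_id, expires_on, permissions):
    # Token = urlsafe_base64(json claims || HMAC-SHA256(server_key, claims)).
    claims = {"ck": consumer_key, "uid": user_id, "exp": expires_on, "perm": permissions}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(server_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def token_secret_for(server_key: bytes, token: str):
    # Per-token secret derived from the token itself: nothing to store, and
    # unguessable without server_key (assumption: this replaces a stored secret).
    return hmac.new(server_key, b"secret:" + token.encode(), hashlib.sha256).hexdigest()

def parse_token(server_key: bytes, token: str, consumer_key, now):
    # Returns (status, reason, claims). Every field is checked only after the tag.
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, binascii.Error):
        return 401, "Malformed token", None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(server_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return 401, "Invalid token", None
    claims = json.loads(payload)
    if claims["ck"] != consumer_key:         # bound to the consumer it was minted for
        return 401, "Token issued to another consumer", None
    if now >= claims["exp"]:                 # expiring tokens from Recipe #1
        return 401, "Expired Token", None
    return 200, "OK", claims
```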

Slide 65: Avoid distributing the secret

Slide 66: HMAC-SHA1 signatures are symmetric
$oauth_signature = base64encode(hmac_sha1(“$consumer_secret&$token_secret”, $signature_base_string))

Slide 67: Alternate signing algorithm: RSA-SHA1 (asymmetric)

Slide 68: Building the signature with RSA-SHA1
openssl_sign($signature_base_string, $raw_sig, openssl_get_privatekey($private_key), OPENSSL_ALGO_SHA1);
$oauth_signature = base64_encode($raw_sig);
Checking the RSA-SHA1 signature (a public key can only verify, so the service provider calls openssl_verify rather than re-creating the signature)
openssl_verify($signature_base_string, base64_decode($oauth_signature), openssl_get_publickey($cert), OPENSSL_ALGO_SHA1) === 1

Slide 69: Recipe #6: No encryption! I only want the token dance

Slide 70: What if your API clients had to run inside of Excel?

Slide 71: What if your API clients had to run inside of Excel? Wesabe: bank statements as social objects, security thru HTTP Digest Auth, and SSL

Slide 72: What if your API clients had to run inside of Excel? Wesabe: bank statements as social objects, security thru HTTP Digest Auth, and SSL Use the PLAINTEXT signing algorithm

Slide 73: Recipe #7: Mobile OAuth/ OAuth on the device

Slide 74: Multi-media device is very small desktop

Slide 75: This is a web browser

Slide 76: http://ericasadun.com/ftp/TUAW/findme/

Slide 77: Devices

Slide 79: Recipe #8: Identity-less services? (your access token is your only identifier)

Slide 80: Extending the Core

Slide 81: http://groups.google.com/group/oauth-extensions

Slide 82: In Process
• Body signing
• Discovery
• Gadgets
• Key Rotation
• Language Preference
• http://oauth.googlecode.com/svn/spec/

Slide 83: Potential extensions and future directions
• Response signing
• XMLSig signing algorithm
• OAuth over Jabber - what needs to be signed?
• OAuth on a chip - expect to see devices shipping in the next 6 months with OAuth stacks

Slide 84: Photo Credits http://flickr.com/photos/laughingsquid/249911160/ http://flickr.com/photos/therealdevildoll/2238476894/ http://flickr.com/photos/stevegarfield/369172004/ http://flickr.com/photos/mbiddulph/1269991677/ http://flickr.com/photos/chromogenic/1053204718/ http://flickr.com/photos/darwinbell/428581415/ http://flickr.com/photos/85182154@N00/45736898/ http://flickr.com/photos/tracylee/30892867/ http://flickr.com/photos/evapro/305689596/ http://flickr.com/photos/earthandeden/395466458/ http://flickr.com/photos/thomashawk/136611116/ http://flickr.com/photos/altammar_q8/2352893870/

Slide 85: Questions? Flickr will be offering OAuth by June 1st. (also we’re hiring)