Implementing OAuth

Workshop on OAuth from MeshU 2008 in Toronto. The basics of OAuth API authentication are covered in this talk as well as some implementation examples.

OAuth: Practical Implementation

Pownce and OAuth
• Pownce launched (June 2007)
• developers wanted an API
• became involved with OAuth (Aug 2007)
• public read-only API (Oct 2007)
• full API with OAuth (Mar 2008)
• 200+ apps built on Pownce API

Me and OAuth
• an author of the specification
• wrote first library (Python)
• maintain Python library
• maintain Pownce API OAuth implementation

What is OAuth?
A simple open standard for secure API authentication.
http://oauth.net

The (API) Love Triangle
• End User
• Web Service (“Service Provider”)
• 3rd Party App (“Consumer Application”), e.g. the Pownce AIM bot

Specifically OAuth is...
• Authentication: need to log in to access parts of a website (ex: bookmark a link, post a photo, add a friend, view a private message)
• Token-based Authentication: a logged-in user has a unique token used to access data from the site

Just like...
• Flickr Auth
• Google’s AuthSub
• Yahoo’s BBAuth
• Facebook Auth
• and others...
(photo: http://flickr.com/photos/bees/2504039638/)

Who is involved?

Who is it for?
• Service Providers - a web API that needs authorization for certain functions
• Consumers - want to use an API that requires (or encourages) OAuth

Goals: Be Simple
• standard for website API authentication
• consistent for developers
• easy for end users to understand* (*this is hard)

Goals: Be Secure
• secure for end users
• easy to implement security features for website developers
• 3rd party developers don’t have access to passwords
• balance security with ease of use

Goals: Be Open
• any website can implement OAuth
• any 3rd party developer can use OAuth
• open source client libraries
• community-designed technical specifications

Goals: Be Flexible
• authentication method agnostic
• users don’t need a username and password
• can use OpenID (or not!)
• whatever auth works best for the service
• 3rd party developers don’t handle auth

Is OAuth different from OpenID?
Yes. (short answer)

Is OAuth different from OpenID?
OpenID - user identification by provider URL, login on provider site.
OAuth - API authorization and permissions, any form of user identification, login on provider site. (medium answer)

Is OAuth different from OpenID?
http://www.pointy-stick.com/blog/2008/03/13/explanation-difference-between-openid-and-oauth/ (long answer)
What the end user sees... Web Consumer
Ma.gnolia and Nsyght: “I’d like to search my Ma.gnolia bookmarks via social search engine Nsyght.”

OMG! Need to log in!

Login with service provider (on the service provider’s site!)
• alternative login method, not username/password

Authorize

Done!

Web flow - Request Token!
• Nsyght asks Ma.gnolia for a request token (API call)
• Ma.gnolia returns the request token

Web flow - Authorize!
• user sent to ma.gnolia by http redirect with the request token in the URL
• user logs in and/or authorizes nsyght
• user redirected back to nsyght with the (authorized) request token

Web flow - Access Token!
• Nsyght asks for an access token with the authorized request token (API call)
• request token exchanged for access token
• nsyght stores the access token

use the access token...
(flow diagram by Blaine Cook)

What the end user sees... Desktop Consumer
Pownce and PownceAIM: “I’d like to get alerts about new Pownce notes via AIM.”

OMG! Need to log in!

Login with service provider (on the service provider’s site!)

Authorize: click “Okay!”

Authorized! Return to desktop app.

Desktop flow - Request Token!
• PownceAIM asks Pownce for a request token (API call)
• Pownce returns the request token

Desktop flow - Authorize!
• user sent to Pownce (user follows a link) with the request token in the URL
• user logs in and/or authorizes PownceAIM
• user tells PownceAIM that auth is complete

Desktop flow - Access Token!
• PownceAIM asks for an access token with the authorized request token (API call)
• request token exchanged for access token
• PownceAIM stores the access token

Basic Authorization Process
1. Obtain request token
2. User authorizes request token
3. Exchange request token for access token
4. Use access token to obtain protected resources
OAuth Setup
• Service provider gives documentation of authorization URLs and methods
• Consumer registers an application with the service provider

Service Provider Documentation
• Request token endpoint
• Authorization endpoint
• Access token endpoint
• Accepted request method(s) (GET, POST, PUT, etc...)
• Signature method(s)
• Extra parameters (non-oauth)
• Any specific notes about OAuth for that provider

Pownce API Documentation
https://pownce.pbwiki.com/API%20Documentation2-0#VerifyAuth

Register a Consumer Application
• Consumer gives service provider data about the application (name, creator, url etc...)
• Service provider assigns the application a consumer key and consumer secret

Registering a Fire Eagle Application
consumer app sign up page: https://fireeagle.yahoo.net/developer/create

Registering a Fire Eagle Application
Done! oooh!
https://fireeagle.yahoo.net/developer/manage

OAuth Objects - Consumer
consumer key
• assigned during consumer registration
• passed as a request parameter
consumer secret
• assigned during consumer registration
• used for signing (e.g. HMAC-SHA1)

OAuth Objects - Token
token key
• unique string granted by service provider
• passed as a request parameter
• same variable name (oauth_token_key) for both request and access type tokens
token secret
• also granted by service provider
• same variable name (oauth_token_secret) for both request and access type tokens

OAuth Parameters
• oauth_consumer_key
• oauth_token
• oauth_signature
• oauth_signature_method
• oauth_timestamp
• oauth_nonce
• oauth_version

Where is this information passed? (in order of preference)
• HTTP Authorization header
• HTTP POST request body (form params)
• URL query string parameters

Timestamp and Nonce
oauth_timestamp
• seconds since Unix epoch (unless otherwise specified by service provider)
• must be equal or greater than previous request
oauth_nonce
• random string per timestamp / request
• attempt to stop replay attacks

Signing Requests
oauth_signature_method
• HMAC-SHA1
• RSA-SHA1
• PLAINTEXT
oauth_signature
• string constructed according to the chosen signature method
Signature Methods - HMAC-SHA1
• construct the signature base string by joining the following with a ‘&’:
  1. http request method (e.g. GET)
  2. http url (endpoint url)
  3. normalized request parameters (sorted by name)
• key = encoded consumer secret and token secret separated by an ‘&’

Signature Methods - HMAC-SHA1
Example base string:
  GET
  &http%3A%2F%2Fapi.pownce.com%2Fauth%2Fverify.xml
  &oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j
  %26oauth_nonce%3DD81FBEDC-1050-40EE-B899-21A1E07C4EC5
  %26oauth_signature_method%3DHMAC-SHA1
  %26oauth_timestamp%3D1211254098
  %26oauth_token%3D0qic7f318nj42ogm
  %26oauth_version%3D1.0
Example signature:
  oauth_signature="UFHiNYSf++3N18oTZ864IAGlvxU%3D"

Signature Methods - PLAINTEXT
• should be used over a secure channel (SSL)
• no base string
• url-encoded consumer secret and token secret separated by an ‘&’

Signature Methods - PLAINTEXT
Ex:
  oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3

Signature Methods - RSA-SHA1
• sign the signature base string with the Consumer’s RSA private key
• verify with the Consumer’s RSA public key
• same signature base string as HMAC-SHA1
• still in development for most OAuth libraries
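As an added example (not code from the talk or from the author's Python library), the following signs the verify.xml request from the example base string above with HMAC-SHA1 and checks it on the service-provider side, applying the timestamp and nonce rules from the Timestamp and Nonce slide. The consumer secret and token secret are constructed values, since the slides never show them.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding (RFC 3986): only A-Z a-z 0-9 - . _ ~ stay bare
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Join 1. request method, 2. endpoint URL, 3. params sorted by name with '&'.
    # The parameter string is encoded a second time, so its '=' and '&' become %3D and %26.
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1(base, consumer_secret, token_secret=""):
    # Key = encoded consumer secret '&' encoded token secret. The token secret is
    # empty when asking for a request token, but the '&' stays.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign(method, url, params, consumer_secret, token_secret=""):
    # Consumer side: add oauth_signature computed over everything else in the request
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1(base_string(method, url, params), consumer_secret, token_secret)
    return signed

class Provider:
    """Service-provider side: recompute the signature, then apply the timestamp and nonce rules."""
    def __init__(self, consumer_secret, token_secret=""):
        self.consumer_secret, self.token_secret = consumer_secret, token_secret
        self.last_ts = 0    # oauth_timestamp must be equal or greater than the previous request
        self.seen = set()   # (timestamp, nonce) pairs already accepted, to refuse replays

    def verify(self, method, url, params):
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1(base_string(method, url, unsigned), self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(params.get("oauth_signature", ""), expected):
            return "401 invalid signature"
        ts = int(params["oauth_timestamp"])
        if ts < self.last_ts:
            return "401 stale timestamp"
        if (ts, params["oauth_nonce"]) in self.seen:
            return "401 used nonce"
        self.seen.add((ts, params["oauth_nonce"]))
        self.last_ts = ts
        return "200 OK"

# Parameters taken from the slide's example base string (the secrets are not on the slide)
SLIDE_URL = "http://api.pownce.com/auth/verify.xml"
SLIDE_PARAMS = {
    "oauth_consumer_key": "nbe958225r999a706d1u4qgwx2nx9e8j",
    "oauth_nonce": "D81FBEDC-1050-40EE-B899-21A1E07C4EC5",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1211254098",
    "oauth_token": "0qic7f318nj42ogm",
    "oauth_version": "1.0",
}
```

base_string("GET", SLIDE_URL, SLIDE_PARAMS) reproduces the slide's base string exactly; the signature value itself cannot be reproduced without the real secrets, which is why a provider must show the expected base string, not the expected signature, when debugging a mismatch.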
Big Fatty Example: PownceAIM and Pownce
warning: screen shots might not match text.

PownceAIM → Pownce: asks for request token (API call)
  Authorization: OAuth realm="http://api.pownce.com/",
    oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="7A4blmAxXMDPmCQuTBR4CocpdNo%3D",
    oauth_timestamp="1211257266",
    oauth_nonce="9BD703ED-EBA0-4B79-B9F2-AA09C9945D4B",
    oauth_version="1.0"
Pownce → PownceAIM: returns request token
  oauth_token_secret=f23dzf5l79o2q23y&oauth_token=3fjay66o4x78j4c8

PownceAIM → Pownce: user sent to Pownce (user follows link) with request token in URL; user logs in and/or authorizes PownceAIM
  http://api.pownce.com/oauth/authorize?oauth_token=3fjay66o4x78j4c8

let’s pretend the user is logged in to the Pownce site: click “Okay!”

PownceAIM: user tells PownceAIM that auth is complete (cue to PownceAIM that the request token has been authorized)

PownceAIM → Pownce: ask for access token with authorized request token (API call)
  Authorization: OAuth realm="http://api.pownce.com/",
    oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
    oauth_token="3fjay66o4x78j4c8",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="6A87eXJ8MimMnCHfRM1hedEPHG4%3D",
    oauth_timestamp="1211258114",
    oauth_nonce="F85482A6-B1BC-4580-95B2-0E51300CBEF7",
    oauth_version="1.0"
Pownce → PownceAIM: request token exchanged for access token; PownceAIM stores access token
  oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2

PownceAIM → Pownce: ask for protected resource (note list) (API call)
  Authorization: OAuth realm="http://api.pownce.com/",
    oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
    oauth_token="oixvd0538vmw3hm2",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3D",
    oauth_timestamp="1211258746",
    oauth_nonce="DE648679-003B-42B5-806A-F185D0714EEB",
    oauth_version="1.0"
Pownce → PownceAIM: returns API data
  <?xml version="1.0" encoding="utf-8"?>
  <notes>
    <note>
      <body>Check out my website Leah!</body>
      <permalink>http://pownce.com/iamcal/notes/2211344/</permalink>
      <sender>
        <user>
          <username>iamcal</username>
          ...
Managing Tokens
• request token expiration
• access token expiration
• end user token management

Token Management
http://pownce.com/settings/applications

HTTP Errors
• 400 Bad Request
  • unsupported parameter
  • unsupported signature method
  • missing required parameter
  • duplicate OAuth parameter
• 401 Unauthorized
  • invalid consumer key
  • invalid / expired token
  • invalid signature (signature does not match)
  • invalid / used nonce

Common Errors
• signature does not match
  • providers can show expected base string
• token is invalid
  • expired? wrong type of token?
• request token unauthorized
  • user needs to login to authorize the request token

Testing Tools
• web-based test server and client by Andy Smith (http://term.ie/oauth/example)
• Endpointr, mac desktop app by Jon Crosby

Issues
• service provider documentation
• files
• granular permissions
• timestamp and nonce verification
• vague token expiration (consumers check for expired tokens)

Current Status
• OAuth Core 1.0 Final (Dec 2007)
• OAuth Discovery 1.0 Draft 2
• Libraries: coldfusion, csharp, java, javascript, maven, obj-c, obj-c1, perl, php, python, ruby

Service Provider Implementations
• 88 Miles
• Google Contacts API
• Ma.gnolia
• Pownce
• Thmbnl
• Yahoo! Fire Eagle
http://wiki.oauth.net/ServiceProviders

More Info
• main site: http://oauth.net
• spec: http://oauth.net/core/1.0
• code: http://code.google.com/p/oauth
• mailing list: http://groups.google.com/group/oauth
• wiki: http://wiki.oauth.net
• Pownce API: http://pownce.com/api

Thanks! (ugly logo!)