• Save
OAuth and OEmbed
Upcoming SlideShare
Loading in...5

OAuth and OEmbed



Talk on OAuth and OEmbed given in December 2009 in NYC for the Gilt Group.

Talk on OAuth and OEmbed given in December 2009 in NYC for the Gilt Group.



Total Views
Views on SlideShare
Embed Views



3 Embeds 36

http://localhost 18
http://www.slideshare.net 16
http://makethepitch.tigerlab.com 2



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

OAuth and OEmbed OAuth and OEmbed Presentation Transcript

  • Leah Culver Six Apart
  • OAuth and OEmbed Dec 2009
  • ‣ Pownce ‣ Six Apart ‣ OAuth co-author ‣ OAuth Python library ‣ OEmbed co-author
  • A simple open standard for secure API authentication. http://oauth.net
  • The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application”
  • Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
  • Just like... ‣ Flickr Auth ‣ Google’s AuthSub ‣ Yahoo’s BBAuth ‣ Facebook Auth ‣ and others...
  • Who is involved?
  • Who is involved?
  • Goals Be Simple ‣ standard for website API authentication ‣ consistent for developers ‣ easy for end users to understand * * this is hard
  • Goals Be Secure ‣ secure for end users ‣ easy to implement security features ‣ 3rd party developers don’t have access to passwords ‣ balance security with ease of use
  • Goals Be Open ‣ any website can implement OAuth ‣ any 3rd party developer can use OAuth ‣ open source client libraries ‣ community-designed technical specifications
  • Goals Be Flexible ‣ authentication method agnostic ‣ don’t need a username and password ‣ can use OpenID ‣ 3rd party developers don’t handle auth
  • OAuth Setup
  • OAuth Setup ‣ Service provider gives documentation of endpoint URLs and signature method ‣ Consumer registers an application with the service provider and gets a consumer key/secret
  • OAuth Setup
  • OAuth Setup
  • OAuth Flow
  • 1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
  • 2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
  • 2. User authorizes request token
  • 3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
  • 4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • Where is this information passed? ‣ HTTP Authorization header ‣ HTTP POST request body (form parameters) ‣ URL query string parameters
  • Timestamp and nonce oauth_timestamp ‣ seconds since Unix epoch ‣ must be greater than last request oauth_nonce ‣ “number used once” ‣ ensure unique requests
  • Signature methods oauth_signature_method ‣ HMAC-SHA1 ‣ RSA-SHA1 ‣ PLAINTEXT oauth_signature ‣ string constructed based on signature method
  • HTTP Errors 400 Bad Request ‣ unsupported parameter ‣ unsupported signature method ‣ missing required parameter ‣ duplicate OAuth parameter 401 Unauthorized ‣ invalid consumer key ‣ invalid / expired token ‣ invalid signature (signature does not match) ‣ invalid / used nonce
  • Security considerations ‣ PLAINTEXT needs to be encrypted ‣ Secrecy of consumer secret (desktop consumers) ‣ Phishing attacks ‣ Repeat authorizations ‣ and more...
  • Session fixation attack Attacker gets victim to authorize attacker’s request token. April 2009 http://oauth.net/advisories/2009-1
  • 1.0a ‣ Consumer must specify oauth_callback during the request token phase ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ‣ oauth_verifier used when exchanging request token for access token
  • Current status ‣ 1.0 final (Dec 2007) ‣ 1.0a (24 June 2009) ‣ IETF draft phase ‣ 2.0 coming soon! ‣ Lots of client libraries
  • Questions?
  • OEmbed API format for converting a URL into an embed code. http://oembed.com
  • Who is involved?
  • Goals ‣ Embed content from any site ‣ Standard API for embeds ‣ Support many photo/video providers
  • Embed types ‣ photo ‣ video ‣ rich ‣ link (can be used if content is not embeddable)
  • Request params ‣ URL ‣ format (XML, JSON) ‣ maxwidth ‣ maxheight
  • Response params ‣ type (photo, video, rich or link)
  • Response params photo ‣ url (img src) ‣ width ‣ height video / rich ‣ html (embed) ‣ width ‣ height
  • Response params ‣ version (always 1.0) ‣ author_name ‣ author_url ‣ provider_name ‣ provider_url ‣ cache_age ‣ thumbnail_url, thumbnail_width, thumbnail height
  • plus any addional parameters...
  • YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
  • Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value="http://www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src="http://www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
  • Discovery ‣ white-lists ‣ HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
  • Proposed discovery ‣ HTTP HEAD requests ‣ URL templates e.g. url.to.resource.json
  • Issues ‣ trust (white-lists and iFrames) ‣ discovery ‣ multiple requests (for discovery) ‣ REST-based as opposed to inline semantic markup
  • Current status ‣ Supported by lots of providers! ‣ Not as many consumers ‣ Need an embed code from a URL?
  • Questions?