OAuth and OEmbed

5,009 views
4,806 views

Published on

Talk on OAuth and OEmbed given in December 2009 in NYC for the Gilt Group.

Published in: Technology, Design

OAuth and OEmbed

  1. 1. Leah Culver Six Apart
  2. 2. OAuth and OEmbed Dec 2009
  3. 3. ‣ Pownce ‣ Six Apart ‣ OAuth co-author ‣ OAuth Python library ‣ OEmbed co-author
  4. 4. A simple open standard for secure API authentication. http://oauth.net
  5. 5. The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application”
  6. 6. Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
  7. 7. Just like... ‣ Flickr Auth ‣ Google’s AuthSub ‣ Yahoo’s BBAuth ‣ Facebook Auth ‣ and others...
  8. 8. Who is involved?
  9. 9. Who is involved?
  10. 10. Goals Be Simple ‣ standard for website API authentication ‣ consistent for developers ‣ easy for end users to understand * * this is hard
  11. 11. Goals Be Secure ‣ secure for end users ‣ easy to implement security features ‣ 3rd party developers don’t have access to passwords ‣ balance security with ease of use
  12. 12. Goals Be Open ‣ any website can implement OAuth ‣ any 3rd party developer can use OAuth ‣ open source client libraries ‣ community-designed technical specifications
  13. 13. Goals Be Flexible ‣ authentication method agnostic ‣ don’t need a username and password ‣ can use OpenID ‣ 3rd party developers don’t handle auth
  14. 14. OAuth Setup
  15. 15. OAuth Setup ‣ Service provider gives documentation of endpoint URLs and signature method ‣ Consumer registers an application with the service provider and gets a consumer key/secret
  16. 16. OAuth Setup
  17. 17. OAuth Setup
  18. 18. OAuth Flow
  19. 19. 1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
  20. 20. 2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
  21. 21. 2. User authorizes request token
  22. 22. 3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
  23. 23. 4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  24. 24. Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  25. 25. Where is this information passed? ‣ HTTP Authorization header ‣ HTTP POST request body (form parameters) ‣ URL query string parameters
  26. 26. Timestamp and nonce oauth_timestamp ‣ seconds since Unix epoch ‣ must be greater than last request oauth_nonce ‣ “number used once” ‣ ensure unique requests
  27. 27. Signature methods oauth_signature_method ‣ HMAC-SHA1 ‣ RSA-SHA1 ‣ PLAINTEXT oauth_signature ‣ string constructed based on signature method
  28. 28. HTTP Errors 400 Bad Request ‣ unsupported parameter ‣ unsupported signature method ‣ missing required parameter ‣ duplicate OAuth parameter 401 Unauthorized ‣ invalid consumer key ‣ invalid / expired token ‣ invalid signature (signature does not match) ‣ invalid / used nonce
  29. 29. Security considerations ‣ PLAINTEXT needs to be encrypted ‣ Secrecy of consumer secret (desktop consumers) ‣ Phishing attacks ‣ Repeat authorizations ‣ and more...
  30. 30. Session fixation attack Attacker gets victim to authorize attacker’s request token. April 2009 http://oauth.net/advisories/2009-1
  31. 31. 1.0a ‣ Consumer must specify oauth_callback during the request token phase ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ‣ oauth_verifier used when exchanging request token for access token
  32. 32. Current status ‣ 1.0 final (Dec 2007) ‣ 1.0a (24 June 2009) ‣ IETF draft phase ‣ 2.0 coming soon! ‣ Lots of client libraries
  33. 33. Questions?
  34. 34. OEmbed API format for converting a URL into an embed code. http://oembed.com
  35. 35. Who is involved?
  36. 36. Goals ‣ Embed content from any site ‣ Standard API for embeds ‣ Support many photo/video providers
  37. 37. Embed types ‣ photo ‣ video ‣ rich ‣ link (can be used if content is not embeddable)
  38. 38. Request params ‣ URL ‣ format (XML, JSON) ‣ maxwidth ‣ maxheight
  39. 39. Response params ‣ type (photo, video, rich or link)
  40. 40. Response params photo ‣ url (img src) ‣ width ‣ height video / rich ‣ html (embed) ‣ width ‣ height
  41. 41. Response params ‣ version (always 1.0) ‣ author_name ‣ author_url ‣ provider_name ‣ provider_url ‣ cache_age ‣ thumbnail_url, thumbnail_width, thumbnail height
  42. 42. plus any addional parameters...
  43. 43. YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
  44. 44. Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value="http://www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src="http://www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
  45. 45. Discovery ‣ white-lists ‣ HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
  46. 46. Proposed discovery ‣ HTTP HEAD requests ‣ URL templates e.g. url.to.resource.json
  47. 47. Issues ‣ trust (white-lists and iFrames) ‣ discovery ‣ multiple requests (for discovery) ‣ REST-based as opposed to inline semantic markup
  48. 48. Current status ‣ Supported by lots of providers! ‣ Not as many consumers ‣ Need an embed code from a URL?
  49. 49. Questions?

×