OAuth and OEmbed

Talk on OAuth and OEmbed given in December 2009 in NYC for the Gilt Group.

Published in: Technology, Design


1. Leah Culver, Six Apart

2. OAuth and OEmbed, Dec 2009

3. ‣ Pownce
   ‣ Six Apart
   ‣ OAuth co-author
   ‣ OAuth Python library
   ‣ OEmbed co-author

4. A simple open standard for secure API authentication. http://oauth.net

5. The (API) Love Triangle
   End User
   Web Service (“Service Provider”)
   3rd Party App (“Consumer Application”)

6. Specifically OAuth is...
   Authentication: need to log in to access parts of a website (ex: post a message, add a friend, view private data)
   Token-based authentication: a logged-in user has a unique token used to access data from the site

7. Just like...
   ‣ Flickr Auth
   ‣ Google’s AuthSub
   ‣ Yahoo’s BBAuth
   ‣ Facebook Auth
   ‣ and others...

8. Who is involved?

9. Who is involved?

10. Goals: Be Simple
   ‣ standard for website API authentication
   ‣ consistent for developers
   ‣ easy for end users to understand * (* this is hard)

11. Goals: Be Secure
   ‣ secure for end users
   ‣ easy to implement security features
   ‣ 3rd party developers don’t have access to passwords
   ‣ balance security with ease of use

12. Goals: Be Open
   ‣ any website can implement OAuth
   ‣ any 3rd party developer can use OAuth
   ‣ open source client libraries
   ‣ community-designed technical specifications

13. Goals: Be Flexible
   ‣ authentication method agnostic
   ‣ don’t need a username and password
   ‣ can use OpenID
   ‣ 3rd party developers don’t handle auth

14. OAuth Setup

15. OAuth Setup
   ‣ Service provider gives documentation of endpoint URLs and signature method
   ‣ Consumer registers an application with the service provider and gets a consumer key/secret

16. OAuth Setup

17. OAuth Setup

18. OAuth Flow

19. 1. Obtain request token
   Request: oauth_consumer_key, oauth_signature_method, oauth_signature, oauth_timestamp, oauth_nonce, oauth_version (optional), oauth_callback
   Response: oauth_token, oauth_token_secret, oauth_callback_confirmed

20. 2. User authorizes request token
   Request: oauth_token (optional)
   Response: oauth_token, oauth_verifier

21. 2. User authorizes request token

22. 3. Exchange request token for access token
   Request: oauth_consumer_key, oauth_token, oauth_signature_method, oauth_signature, oauth_timestamp, oauth_nonce, oauth_version (optional), oauth_callback, oauth_verifier
   Response: oauth_token, oauth_token_secret

23. 4. Use access token to obtain protected resources
   Request: oauth_consumer_key, oauth_token, oauth_signature_method, oauth_signature, oauth_timestamp, oauth_nonce, oauth_version (optional)
   Response: ... protected resources

24. Basic Authorization Process
   1. Obtain request token
   2. User authorizes request token
   3. Exchange request token for access token
   4. Use access token to obtain protected resources

25. Where is this information passed?
   ‣ HTTP Authorization header
   ‣ HTTP POST request body (form parameters)
   ‣ URL query string parameters

26. Timestamp and nonce
   oauth_timestamp
   ‣ seconds since Unix epoch
   ‣ must be greater than last request
   oauth_nonce
   ‣ “number used once”
   ‣ ensure unique requests

27. Signature methods
   oauth_signature_method
   ‣ HMAC-SHA1
   ‣ RSA-SHA1
   ‣ PLAINTEXT
   oauth_signature
   ‣ string constructed based on signature method

28. HTTP Errors
   400 Bad Request
   ‣ unsupported parameter
   ‣ unsupported signature method
   ‣ missing required parameter
   ‣ duplicate OAuth parameter
   401 Unauthorized
   ‣ invalid consumer key
   ‣ invalid / expired token
   ‣ invalid signature (signature does not match)
   ‣ invalid / used nonce
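Added example, not code from the deck or from the OAuth Python library: the HMAC-SHA1 signing of slide 27 (base string from method, base URL and sorted parameters), plus a service-provider check that applies the timestamp/nonce rules of slide 26 and returns the 400/401 verdicts of slide 28. The 300-second timestamp window and the in-memory key-to-secret stores are assumptions of this example, not part of the spec or the talk.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlsplit

def enc(s):
    # RFC 3986 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Base URL without its query; query and oauth_* params sorted by encoded key, then value
    u = urlsplit(url)
    pairs = list(parse_qsl(u.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    norm = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))
    return "&".join([method.upper(), enc(f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"), enc(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature", "oauth_timestamp", "oauth_nonce")

def check(method, url, params, consumers, tokens, seen, now=None, window=300):
    # Service-provider side. consumers/tokens: key -> secret stores (assumed in-memory dicts);
    # seen: set of (consumer_key, timestamp, nonce) triples already accepted. Returns
    # (status, reason) using the deck's 400/401 cases; the 300 s window is an assumption.
    missing = [p for p in REQUIRED if p not in params]
    if missing:
        return 400, f"missing required parameter: {missing[0]}"
    if params["oauth_signature_method"] != "HMAC-SHA1":
        return 400, "unsupported signature method"
    secret = consumers.get(params["oauth_consumer_key"])
    if secret is None:
        return 401, "invalid consumer key"
    token_secret = tokens.get(params["oauth_token"]) if "oauth_token" in params else ""
    if token_secret is None:
        return 401, "invalid / expired token"
    if abs((time.time() if now is None else now) - int(params["oauth_timestamp"])) > window:
        return 401, "invalid timestamp"
    replay_key = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
    if replay_key in seen:
        return 401, "invalid / used nonce"
    expected = sign(method, url, params, secret, token_secret)
    if not hmac.compare_digest(expected, params["oauth_signature"]):  # constant-time compare
        return 401, "invalid signature"
    seen.add(replay_key)  # record only after every check passed
    return 200, "ok"
```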
29. Security considerations
   ‣ PLAINTEXT must only be sent over an encrypted channel
   ‣ Secrecy of consumer secret (desktop consumers)
   ‣ Phishing attacks
   ‣ Repeat authorizations
   ‣ and more...

30. Session fixation attack
   Attacker gets victim to authorize attacker’s request token.
   April 2009, http://oauth.net/advisories/2009-1

31. 1.0a
   ‣ Consumer must specify oauth_callback during the request token phase
   ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification
   ‣ oauth_verifier used when exchanging request token for access token
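Added example for slides 30 and 31, not code from the deck or from any OAuth library: a minimal service-provider token store showing how the 1.0a changes close the session fixation advisory, by binding oauth_callback at request-token time and requiring oauth_verifier at exchange time. The token format (secrets.token_urlsafe), the in-memory dictionaries and the status/error tuples are assumptions of this example.

```python
import secrets

class TokenStore:
    # Service-provider token state for the three legs; secrets.token_urlsafe produces the
    # unguessable token, secret and verifier values (an assumption, not the spec's format)
    def __init__(self):
        self.request_tokens = {}  # token -> {secret, consumer, callback, user, verifier}
        self.access_tokens = {}   # token -> {secret, consumer, user}

    def issue_request_token(self, consumer_key, oauth_callback):
        # Leg 1: 1.0a makes oauth_callback mandatory here and binds it to the token,
        # so the approval cannot later be redirected somewhere the consumer did not register
        if not oauth_callback:
            return 400, {"error": "missing required parameter: oauth_callback"}
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"secret": secrets.token_urlsafe(16), "consumer": consumer_key,
                                      "callback": oauth_callback, "user": None, "verifier": None}
        return 200, {"oauth_token": token, "oauth_token_secret": self.request_tokens[token]["secret"],
                     "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        # Leg 2: after the user approves, mint oauth_verifier; it reaches the consumer through the
        # bound callback (or is shown to the user when the callback is "oob"), so whoever
        # started the flow with this token cannot finish it without also receiving the verifier
        rt = self.request_tokens.get(token)
        if rt is None or rt["user"] is not None:
            return None  # unknown token, or approval already given once
        rt["user"], rt["verifier"] = user, secrets.token_urlsafe(12)
        return rt["callback"], rt["verifier"]

    def exchange(self, consumer_key, token, verifier):
        # Leg 3: the request token is swapped for an access token only with the matching verifier
        rt = self.request_tokens.get(token)
        if rt is None or rt["consumer"] != consumer_key or rt["user"] is None:
            return 401, {"error": "invalid / expired token"}
        if not secrets.compare_digest(rt["verifier"], verifier or ""):
            return 401, {"error": "invalid verifier"}
        del self.request_tokens[token]  # one-time use
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = {"secret": secrets.token_urlsafe(16), "consumer": consumer_key,
                                      "user": rt["user"]}
        return 200, {"oauth_token": access, "oauth_token_secret": self.access_tokens[access]["secret"]}
```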
32. Current status
   ‣ 1.0 final (Dec 2007)
   ‣ 1.0a (24 June 2009)
   ‣ IETF draft phase
   ‣ 2.0 coming soon!
   ‣ Lots of client libraries

33. Questions?

34. OEmbed: API format for converting a URL into an embed code. http://oembed.com

35. Who is involved?

36. Goals
   ‣ Embed content from any site
   ‣ Standard API for embeds
   ‣ Support many photo/video providers

37. Embed types
   ‣ photo
   ‣ video
   ‣ rich
   ‣ link (can be used if content is not embeddable)

38. Request params
   ‣ URL
   ‣ format (XML, JSON)
   ‣ maxwidth
   ‣ maxheight

39. Response params
   ‣ type (photo, video, rich or link)

40. Response params
   photo
   ‣ url (img src)
   ‣ width
   ‣ height
   video / rich
   ‣ html (embed)
   ‣ width
   ‣ height

41. Response params
   ‣ version (always 1.0)
   ‣ author_name
   ‣ author_url
   ‣ provider_name
   ‣ provider_url
   ‣ cache_age
   ‣ thumbnail_url, thumbnail_width, thumbnail_height

42. plus any additional parameters...

43. YouTube
   Request
   http://www.youtube.com/oembed?url=http%3A//youtube.com/watch%3Fv%3DM3r2XDceM6A&format=json

44. Response
   {
     "version": "1.0",
     "type": "video",
     "provider_name": "YouTube",
     "provider_url": "http://youtube.com/",
     "width": 425,
     "height": 344,
     "title": "Amazing Nintendo Facts",
     "author_name": "ZackScott",
     "author_url": "http://www.youtube.com/user/ZackScott",
     "html": "<object width=\"425\" height=\"344\"><param name=\"movie\" value=\"http://www.youtube.com/v/M3r2XDceM6A&fs=1\"></param><param name=\"allowFullScreen\" value=\"true\"></param><param name=\"allowscriptaccess\" value=\"always\"></param><embed src=\"http://www.youtube.com/v/M3r2XDceM6A&fs=1\" type=\"application/x-shockwave-flash\" width=\"425\" height=\"344\" allowscriptaccess=\"always\" allowfullscreen=\"true\"></embed></object>"
   }

45. Discovery
   ‣ white-lists
   ‣ HTML head item
   <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed?url=http%3A//www.youtube.com/watch?v%3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />

46. Proposed discovery
   ‣ HTTP HEAD requests
   ‣ URL templates, e.g. url.to.resource.json

47. Issues
   ‣ trust (white-lists and iFrames)
   ‣ discovery
   ‣ multiple requests (for discovery)
   ‣ REST-based as opposed to inline semantic markup
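Added example for the trust issue on slide 47 and the request/response parameters of slides 38 to 44; this is not code from the deck or from any oEmbed library. It assumes a constructed endpoint allow-list (the deck's "white-lists") covering only YouTube, and that provider-supplied html is placed in a sandboxed iframe rather than inlined; the sample responses it is tested with are constructed.

```python
import html
import json
from urllib.parse import urlencode, urlsplit

# Constructed allow-list (the deck's "white-lists"): host -> oEmbed endpoint of a trusted provider
ENDPOINTS = {"www.youtube.com": "http://www.youtube.com/oembed",
             "youtube.com": "http://www.youtube.com/oembed"}

def build_request(url, fmt="json", maxwidth=None, maxheight=None):
    # Resolve only URLs whose host is allow-listed; returns the endpoint request URL or None
    endpoint = ENDPOINTS.get(urlsplit(url).netloc.lower())
    if endpoint is None:
        return None
    params = {"url": url, "format": fmt}
    if maxwidth:
        params["maxwidth"] = maxwidth
    if maxheight:
        params["maxheight"] = maxheight
    return f"{endpoint}?{urlencode(params)}"

def render_embed(body, maxwidth=None, maxheight=None):
    # Parse a JSON response and build markup the consumer controls. The provider's "html"
    # is never inlined into the page: it is isolated in a sandboxed iframe via srcdoc.
    data = json.loads(body)
    if data.get("version") != "1.0":
        raise ValueError("unsupported oEmbed version")
    kind = data.get("type")
    if kind == "link":
        return ""  # nothing embeddable; the caller falls back to a plain hyperlink
    width, height = int(data["width"]), int(data["height"])
    if (maxwidth and width > maxwidth) or (maxheight and height > maxheight):
        raise ValueError("provider ignored maxwidth/maxheight")
    if kind == "photo":
        src = data["url"]
        if urlsplit(src).scheme not in ("http", "https"):
            raise ValueError("photo url must be http(s)")
        alt = html.escape(data.get("title", ""))
        return f'<img src="{html.escape(src)}" width="{width}" height="{height}" alt="{alt}">'
    if kind in ("video", "rich"):
        return (f'<iframe sandbox="allow-scripts" width="{width}" height="{height}" '
                f'srcdoc="{html.escape(data["html"])}"></iframe>')
    raise ValueError(f"unknown oEmbed type {kind!r}")
```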
48. Current status
   ‣ Supported by lots of providers!
   ‣ Not as many consumers
   ‣ Need an embed code from a URL?

49. Questions?
