OAuth: Trust Issues

OAuth: A Question of Trust

About Me • Lorna Jane Mitchell • Twitter: @lornajane • Web: http://lornajane.net 2

If OAuth is the answer, what was the question?

OAuth username: lornajane password: qwerty 4

OAuth Hi, I’m lornajane 5

Two Kinds of OAuth • OAuth 1 • in use on many systems • many steps: ’the oauth dance’ • encryption overhead (so use a lib) • OAuth 2 • requires SSL • fewer steps • recognises trust • recommended for new systems 6

OAuth 2: Performance over Paranoia

OAuth2 Relationships 8

OAuth2 Relationships 9

Before We BeginRegister for an API key and capture: • application name • callback URL(s) to use • descriptione.g. http://joind.in/user/apikey 10

OAuth2 Endpoints Application Website API Client api key registration auth endpoint callback URL user grant/revoke access resource endpoint resources 11

Establishing TrustWe need an authorisation grant for the assistant to be able to accessuser data 12

Authorisation Grants

Authorisation Grant: Many ChoicesHow we authorise a third party: • authorisation code • implicit • resource owner credentials • client credentials • ... potentially further extensions 14

Authorisation CodeUse for: server-side appsFlow: we send user to application to grant access, recieve a code inreturn. Then exchange code for access tokenFeatures: user never sees access token 15

Authorisation Code Process client_id redirect_url type scope state 16

Authorisation Code ProcessUser must be able to visit the site and revoke later 17

Authorisation Code Process code code state 18

Authorisation Code Process client_key client_secret code code access token access_token 19

Implicit GrantUse for: client-side appsFlow: we send user to application to grant access, recieve an accesstoken in returnFeatures: super-simple 20

Implicit Process client_id redirect_url type scope state 21

Implicit ProcessUser must be able to visit the site and revoke later 22

Implicit Process access token access_token state 23

Resource Owner CredentialsUse for: trusted consumers, such as same-provider apps or a script theuser writes themselvesFlow: user gives username and password to app, app exchanges foraccess token and does not storeFeatures: saves sending user to the main site and back 24

Resource Owner Credentials Process username, username, password password 25

Resource Owner Credentials Process access token 26

Client CredentialsUse for: privileged consumersFlow: client credentials act as an authorsation grant, access token isreturnedFeatures: ideal for applications with more than per-user-data accessrights 27

Client Credentials Process hai access token 28

How to Choose Grant TypeWhat will be consuming this data?It isn’t unusual for applications to support some or all of these grant types 29

You have an access token, now what?

Using Access TokensWith the access token, include it in an Authorization header:Authorization: OAuth db141c50adb74b22 31

Using Access TokensWith the access token, include it in an Authorization header:Authorization: OAuth db141c50adb74b22Everything you already knew about web APIs now applies as normal 31

Refresh TokensSome applications will give you two tokens • access token (shorter expiry) • refresh token (longer expiry)The refresh token is an authorisation grant in its own right, to be usedwhen the access token has expired 32

What about access control?

ScopeConsumers will request a given set of permissions, usually called scopeUsers usually only get to accept, or not 34

HTTPS (a vital OAuth2 ingredient)

HTTPSHTTPS is HTTP over SSL/TLS (Secure Socket Layer/Transport LayerSecurity)Basically, we encrypt the pipe! 36

OAuth 1

About OAuth 1In a nutshell: • Had its own encryption: needed a library/extension • Involved many steps, therefore many request/response roundtrips • leading to the phrase ’oauth dance’ • Solved exactly the same problem • Had a single oauth endpoint 38

OAuth 1 Process • Step 0: Register as a consumer • Step 1: Get a request token • Step 2: Send the user to authenticate • Step 3: Swap their veriﬁcation for an access token • Step 4: Consume data 39

OAuth Today

OAuth Today • New project? Use OAuth 2 • OAuth 1 is complicated and needs PECL extension • OAuth 2 requires SSL, and decision-making 41

Resources and Further Reading • OAuth2 Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2 • Great introductory article: http://hueniverse.com/2010/05/introducing-oauth-2-0/ • Images from http://thenounproject.org 42

Thanks!

Thanks https://joind.in/6232 @lornajane http://lornajane.net 44

OAuth: Trust Issues

by Lorna Mitchell on Jun 08, 2012

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1,186

Statistics

OAuth: Trust Issues Presentation Transcript