Integrating services with OAuth
Loading...
Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.
8 Favorites, 1 Group & 1 Event
-
ritou
favorited this 6 months ago
-
Lorenzo Cassulo, Project Manager at 15multimedia, favorited this 8 months ago
-
Ian Crowther, Web Developer at Yamaha, favorited this 9 months ago
-
Chris Messina, Open, social web advocate at Diso Project/OpenID Foundation/Citizen Agency, favorited this 11 months ago
-
Rabble ., hacker at yahoo brickhouse, favorited this 12 months ago
-
usethekey
favorited this 2 years ago
-
-
Web2 Expo added this to the event Web 2.0 Expo Europe 2008
-
Fernando Egido, Head of Channels at Caja Navarra, favorited this 2 years ago
-
jinky32
favorited this 2 years ago
Integrating services with OAuth - Presentation Transcript
- Integrating services with Luca Mearelli Web2Expo - Berlin 2008
- Web 2.0 means sharing data, through API
- Users want to access their data using many services
- Developers want to satisfy their users (and make it easy for them)
- Service providers need to keep their users data secure
- welcome the password antipattern
- Image from http://www.codinghorror.com/blog/archives/001072.html
- Passwords are precious
- Stop asking them Stop the antipattern
- How to delegate access?
- Your valet key for the web
- a play in 3 acts (to exchange authorization)
- Actors on the scene User Consumer Service Provider
- Prologue Where the Consumer presents himself to the Service Provider
- Consumer (to Service Provider): here i am, this is what i do
- consumer service provider Consumer key Consumer secret
- First act Where the Consumer obtains an unauthorized Request Token
- Consumer (to Service Provider): give me a request token
- consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
- Service Provider (to consumer): here is the request token (you can use it only once!)
- service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
- Second act Where the User authorizes the Request Token
- Consumer (to the User): Please go to the Service Provider and authorize this request
- consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
- Service Provider (to the User): Do you authorize consumer to access your data?
- User (to the Service Provider): YES! (or maybe NO :-) )
- Service Provider (to the User): You can go back to the consumer
- service providerservice provider user user consumer oauth_token (request token)
- Third act Where the Consumer exchanges the Request Token for an Access Token
- Consumer (to the Service Provider): Please give me the acces token for the user
- consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
- Service Provider (to the Consumer): here is the access token for the user
- service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
- Epilogue Where the consumer accesses the resources
- Consumer (to the Service Provider): Here i am again on behalf of the user
- consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
- The details...
- OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
- Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
- Signature base string a consistent reproducible concatenation of the request elements into a single string
- Other security measures Nonces Timestamps
- Service setup OAuth discovery (XRDS)
- <?xml version=\"1.0\" encoding=\"UTF-8\"?> <XRDS xmlns=\"xri://$xrds\"> <XRD xml:id=\"oauth\" xmlns:simple=\"http://xrds-simple.net/core/1.0\" xmlns=\"xri://$XRD*($v*2.0)\" version=\"2.0\"> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=\"10\"> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=\"10\"> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=\"10\"> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=\"10\"> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=\"10\"> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=\"xri://$XRD*($v*2.0)\" version=\"2.0\"> <Type>xri://$xrds*simple</Type> <Service priority=\"10\"> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
- Benefits Granular authorization Easy grant and revoke Tracking of use
- Many open/free libraries use them, contribute to them
- Challenges
- UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
- UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
- Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
- Beyond the browser Mobile devices Installable applications
- The sequel OAuth over XMPP
- <iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
- The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
- Links! http://oauth.net http://oauth.net/core/1.0/ http://code.google.com/p/oauth/ http://groups.google.com/group/oauth/ http://oauth.net/discovery/1.0
- Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com
More info about this document
Go to text version
- Total Views 2285
- 2210 on SlideShare
- Comments 0
- Favorites 8
- Downloads 60
Most viewed embeds
All embeds
- Upload Info
- Also on LinkedIn
- Uploaded via SlideShare
- Uploaded as Adobe PDF
0 comments
Post a comment