Integrating services with




        Luca Mearelli
    Web2Expo - Berlin 2008
Web 2.0 means
sharing data,
   through API
Users want to
   access their data
using many services
Developers want to
      satisfy their users
(and make it easy for them)
Service providers need to
keep their users data secure
welcome
the password antipattern
Image from http://www.codinghorror.com/blog/archives/001072.html
Passwords are precious
Stop asking them
    Stop the antipattern
How to delegate access?
Your valet key for the web
a play in 3 acts
(to exchange authorization)
Actors on the scene
               User
       Consumer
Service Provider
Prologue
 Where the Consumer presents
himself to the Service Provider
Consumer (to Service Provider):
here i am, this is what i do
consumer   service provider




Consumer key
Consumer secret
First act
  Where the Consumer obtains
an unauthorized Request Token
Consumer (to Service Provider):
give me a request token
consumer   service provider


oauth_consumer_key
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_...
Service Provider (to consumer):
here is the request token
       (you can use it only once!)
service provider   consumer




oauth_token (request token)
oauth_token_secret
[additional parameters]
Second act
Where the User authorizes
       the Request Token
Consumer (to the User):
Please go to the Service Provider
    and authorize this request
consumer   user   service provider




oauth_token (request token)
oauth_callback
[additional parameters]
Service Provider (to the User):
Do you authorize consumer
        to access your data?
User (to the Service Provider):
                         YES!
           (or maybe NO :-) )
Service Provider (to the User):
You can go back to the consumer
service providerservice provider
                         user      user consumer




oauth_token (request token)
Third act
Where the Consumer exchanges
            the Request Token
           for an Access Token
Consumer (to the Service Provider):
Please give me the acces token
                       for the user
consumer   service provider

oauth_consumer_key
oauth_token (request token)
oauth_signature_method
oauth_signature
oauth_t...
Service Provider (to the Consumer):
here is the access token for the user
service provider   consumer




oauth_token (access token)
oauth_token_secret
[additional parameters]
Epilogue
 Where the consumer
accesses the resources
Consumer (to the Service Provider):
           Here i am again
           on behalf of the user
consumer   service provider

oauth_consumer_key
oauth_token (access token)
oauth_signature_method
oauth_signature
oauth_ti...
The details...
OAuth parameters exchange
      HTTP Authorization header
                HTTP Post body
         URL query parameters
Request signing algorithm
                   PLAINTEXT
                  HMAC-SHA1
                   RSA-SHA1
Signature base string
a consistent reproducible concatenation of
  the request elements into a single string
Other security measures
                    Nonces
                Timestamps
Service setup
OAuth discovery (XRDS)
<?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?>
<XRDS xmlns=quot;xri://$xrdsquot;>
  <XRD xml:id=quot;oauthquot; xm...
Benefits
Granular authorization
Easy grant and revoke
       Tracking of use
Many open/free libraries
    use them, contribute to them
Challenges
UI/UX for the Service Provider
 Provide basic informations to the user
                  Ease the user’s choice
     Link ...
UI/UX for the Consumer
   Explain what’s happening
            Educate the user
      Use the right language
Security considerations
             Confidentiality of Requests
           Spoofing, Proxying, Phishing
                   ...
Beyond the browser
            Mobile devices
   Installable applications
The sequel
OAuth over XMPP
<iq from='travelbot@findmenow.tld/bot'
    id='sub1'
    to='feeds.worldgps.tld'
    type='set'>
  <pubsub xmlns='http://j...
The morale
   Integrating services can be done
without asking or storing the user’s
 credentials while at the same time
  ...
Links!
http://oauth.net
http://oauth.net/core/1.0/
http://code.google.com/p/oauth/
http://groups.google.com/group/oauth/
h...
Thanks for listening!!
                     Luca Mearelli
           http://spazidigitali.com
       l.mearelli@spazidigit...
Integrating services with OAuth
Integrating services with OAuth
Integrating services with OAuth
Integrating services with OAuth
Integrating services with OAuth
Integrating services with OAuth
Integrating services with OAuth
Integrating services with OAuth
Integrating services with OAuth
Upcoming SlideShare
Loading in...5
×

Integrating services with OAuth

7,308

Published on

Published in: Technology, Business
1 Comment
15 Likes
Statistics
Notes
No Downloads
Views
Total Views
7,308
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
337
Comments
1
Likes
15
Embeds 0
No embeds

No notes for slide

Integrating services with OAuth

  1. 1. Integrating services with Luca Mearelli Web2Expo - Berlin 2008
  2. 2. Web 2.0 means sharing data, through API
  3. 3. Users want to access their data using many services
  4. 4. Developers want to satisfy their users (and make it easy for them)
  5. 5. Service providers need to keep their users data secure
  6. 6. welcome the password antipattern
  7. 7. Image from http://www.codinghorror.com/blog/archives/001072.html
  8. 8. Passwords are precious
  9. 9. Stop asking them Stop the antipattern
  10. 10. How to delegate access?
  11. 11. Your valet key for the web
  12. 12. a play in 3 acts (to exchange authorization)
  13. 13. Actors on the scene User Consumer Service Provider
  14. 14. Prologue Where the Consumer presents himself to the Service Provider
  15. 15. Consumer (to Service Provider): here i am, this is what i do
  16. 16. consumer service provider Consumer key Consumer secret
  17. 17. First act Where the Consumer obtains an unauthorized Request Token
  18. 18. Consumer (to Service Provider): give me a request token
  19. 19. consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  20. 20. Service Provider (to consumer): here is the request token (you can use it only once!)
  21. 21. service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
  22. 22. Second act Where the User authorizes the Request Token
  23. 23. Consumer (to the User): Please go to the Service Provider and authorize this request
  24. 24. consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
  25. 25. Service Provider (to the User): Do you authorize consumer to access your data?
  26. 26. User (to the Service Provider): YES! (or maybe NO :-) )
  27. 27. Service Provider (to the User): You can go back to the consumer
  28. 28. service providerservice provider user user consumer oauth_token (request token)
  29. 29. Third act Where the Consumer exchanges the Request Token for an Access Token
  30. 30. Consumer (to the Service Provider): Please give me the acces token for the user
  31. 31. consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  32. 32. Service Provider (to the Consumer): here is the access token for the user
  33. 33. service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
  34. 34. Epilogue Where the consumer accesses the resources
  35. 35. Consumer (to the Service Provider): Here i am again on behalf of the user
  36. 36. consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  37. 37. The details...
  38. 38. OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
  39. 39. Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
  40. 40. Signature base string a consistent reproducible concatenation of the request elements into a single string
  41. 41. Other security measures Nonces Timestamps
  42. 42. Service setup OAuth discovery (XRDS)
  43. 43. <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <XRDS xmlns=quot;xri://$xrdsquot;> <XRD xml:id=quot;oauthquot; xmlns:simple=quot;http://xrds-simple.net/core/1.0quot; xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
  44. 44. Benefits Granular authorization Easy grant and revoke Tracking of use
  45. 45. Many open/free libraries use them, contribute to them
  46. 46. Challenges
  47. 47. UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
  48. 48. UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
  49. 49. Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
  50. 50. Beyond the browser Mobile devices Installable applications
  51. 51. The sequel OAuth over XMPP
  52. 52. <iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
  53. 53. The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
  54. 54. Links! http://oauth.net http://oauth.net/core/1.0/ http://code.google.com/p/oauth/ http://groups.google.com/group/oauth/ http://oauth.net/discovery/1.0
  55. 55. Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×