Integrating services with OAuth
Upcoming SlideShare
Loading in...5
×
 

Integrating services with OAuth

on

  • 10,079 views

 

Statistics

Views

Total Views
10,079
Views on SlideShare
9,835
Embed Views
244

Actions

Likes
15
Downloads
331
Comments
1

16 Embeds 244

http://www.web2expo.com 105
http://spazidigitali.com 41
http://en.oreilly.com 33
http://www.slideshare.net 28
http://luca.im.dev 22
http://blog.slideshare.net 4
http://www.centrestage.de 2
http://www.lostfocus.de 1
http://mayank.name 1
http://luca.im 1
http://www.selbstverstaendlich.de 1
http://it.toolbox.com 1
http://www.frogpond.de 1
http://www.elsua.net 1
http://www.spazidigitali.com 1
http://www.linkedin.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Integrating services with OAuth Integrating services with OAuth Presentation Transcript

  • Integrating services with Luca Mearelli Web2Expo - Berlin 2008
  • Web 2.0 means sharing data, through API
  • Users want to access their data using many services
  • Developers want to satisfy their users (and make it easy for them)
  • Service providers need to keep their users data secure
  • welcome the password antipattern
  • Image from http://www.codinghorror.com/blog/archives/001072.html
  • Passwords are precious
  • Stop asking them Stop the antipattern
  • How to delegate access?
  • Your valet key for the web
  • a play in 3 acts (to exchange authorization)
  • Actors on the scene User Consumer Service Provider
  • Prologue Where the Consumer presents himself to the Service Provider
  • Consumer (to Service Provider): here i am, this is what i do
  • consumer service provider Consumer key Consumer secret
  • First act Where the Consumer obtains an unauthorized Request Token
  • Consumer (to Service Provider): give me a request token
  • consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • Service Provider (to consumer): here is the request token (you can use it only once!)
  • service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
  • Second act Where the User authorizes the Request Token
  • Consumer (to the User): Please go to the Service Provider and authorize this request
  • consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
  • Service Provider (to the User): Do you authorize consumer to access your data?
  • User (to the Service Provider): YES! (or maybe NO :-) )
  • Service Provider (to the User): You can go back to the consumer
  • service providerservice provider user user consumer oauth_token (request token)
  • Third act Where the Consumer exchanges the Request Token for an Access Token
  • Consumer (to the Service Provider): Please give me the acces token for the user
  • consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • Service Provider (to the Consumer): here is the access token for the user
  • service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
  • Epilogue Where the consumer accesses the resources
  • Consumer (to the Service Provider): Here i am again on behalf of the user
  • consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • The details...
  • OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
  • Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
  • Signature base string a consistent reproducible concatenation of the request elements into a single string
  • Other security measures Nonces Timestamps
  • Service setup OAuth discovery (XRDS)
  • <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <XRDS xmlns=quot;xri://$xrdsquot;> <XRD xml:id=quot;oauthquot; xmlns:simple=quot;http://xrds-simple.net/core/1.0quot; xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
  • Benefits Granular authorization Easy grant and revoke Tracking of use
  • Many open/free libraries use them, contribute to them
  • Challenges
  • UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
  • UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
  • Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
  • Beyond the browser Mobile devices Installable applications
  • The sequel OAuth over XMPP
  • <iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
  • The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
  • Links! http://oauth.net http://oauth.net/core/1.0/ http://code.google.com/p/oauth/ http://groups.google.com/group/oauth/ http://oauth.net/discovery/1.0
  • Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com