• Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Integrating services with Luca Mearelli Web2Expo - Berlin 2008
  • 2. Web 2.0 means sharing data, through API
  • 3. Users want to access their data using many services
  • 4. Developers want to satisfy their users (and make it easy for them)
  • 5. Service providers need to keep their users data secure
  • 6. welcome the password antipattern
  • 7. Image from http://www.codinghorror.com/blog/archives/001072.html
  • 8. Passwords are precious
  • 9. Stop asking them Stop the antipattern
  • 10. How to delegate access?
  • 11. Your valet key for the web
  • 12. a play in 3 acts (to exchange authorization)
  • 13. Actors on the scene User Consumer Service Provider
  • 14. Prologue Where the Consumer presents himself to the Service Provider
  • 15. Consumer (to Service Provider): here i am, this is what i do
  • 16. consumer service provider Consumer key Consumer secret
  • 17. First act Where the Consumer obtains an unauthorized Request Token
  • 18. Consumer (to Service Provider): give me a request token
  • 19. consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • 20. Service Provider (to consumer): here is the request token (you can use it only once!)
  • 21. service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
  • 22. Second act Where the User authorizes the Request Token
  • 23. Consumer (to the User): Please go to the Service Provider and authorize this request
  • 24. consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
  • 25. Service Provider (to the User): Do you authorize consumer to access your data?
  • 26. User (to the Service Provider): YES! (or maybe NO :-) )
  • 27. Service Provider (to the User): You can go back to the consumer
  • 28. service providerservice provider user user consumer oauth_token (request token)
  • 29. Third act Where the Consumer exchanges the Request Token for an Access Token
  • 30. Consumer (to the Service Provider): Please give me the acces token for the user
  • 31. consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • 32. Service Provider (to the Consumer): here is the access token for the user
  • 33. service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
  • 34. Epilogue Where the consumer accesses the resources
  • 35. Consumer (to the Service Provider): Here i am again on behalf of the user
  • 36. consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • 37. The details...
  • 38. OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
  • 39. Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
  • 40. Signature base string a consistent reproducible concatenation of the request elements into a single string
  • 41. Other security measures Nonces Timestamps
  • 42. Service setup OAuth discovery (XRDS)
  • 43. <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <XRDS xmlns=quot;xri://$xrdsquot;> <XRD xml:id=quot;oauthquot; xmlns:simple=quot;http://xrds-simple.net/core/1.0quot; xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
  • 44. Benefits Granular authorization Easy grant and revoke Tracking of use
  • 45. Many open/free libraries use them, contribute to them
  • 46. Challenges
  • 47. UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
  • 48. UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
  • 49. Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
  • 50. Beyond the browser Mobile devices Installable applications
  • 51. The sequel OAuth over XMPP
  • 52. <iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
  • 53. The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
  • 54. Links! http://oauth.net http://oauth.net/core/1.0/ http://code.google.com/p/oauth/ http://groups.google.com/group/oauth/ http://oauth.net/discovery/1.0
  • 55. Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com