SlideShare a Scribd company logo

Integrating OAuth Services

Luca Mearelli
Luca Mearelli

1. The document discusses the OAuth protocol which allows secure authorization for consumers to access user data from service providers without having to share the user's credentials. 2. OAuth uses a three-step process where a consumer first requests a request token, then directs the user to authorize access, and finally exchanges the request token for an access token to access the user's data on the service provider. 3. The document provides details on OAuth parameters, signing requests, security considerations, and implementing OAuth for mobile and XMPP applications. It emphasizes that OAuth allows integration of services while maintaining user control over authorization and access to their data.

TechnologyBusiness
1 of 64
Download to read offline
Integrating services with Luca Mearelli Web2Expo - Berlin 2008
Web 2.0 means sharing data, through API
Users want to access their data using many services
Developers want to satisfy their users (and make it easy for them)
Service providers need to keep their users data secure
welcome the password antipattern
Image from http://www.codinghorror.com/blog/archives/001072.html
Passwords are precious
Stop asking them Stop the antipattern
How to delegate access?
Your valet key for the web
a play in 3 acts (to exchange authorization)
Actors on the scene User Consumer Service Provider
Prologue Where the Consumer presents himself to the Service Provider
Consumer (to Service Provider): here i am, this is what i do
consumer service provider Consumer key Consumer secret
First act Where the Consumer obtains an unauthorized Request Token
Consumer (to Service Provider): give me a request token
consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
Service Provider (to consumer): here is the request token (you can use it only once!)
service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
Second act Where the User authorizes the Request Token
Consumer (to the User): Please go to the Service Provider and authorize this request
consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
Service Provider (to the User): Do you authorize consumer to access your data?
User (to the Service Provider): YES! (or maybe NO :-) )
Service Provider (to the User): You can go back to the consumer
service providerservice provider user user consumer oauth_token (request token)
Third act Where the Consumer exchanges the Request Token for an Access Token
Consumer (to the Service Provider): Please give me the acces token for the user
consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
Service Provider (to the Consumer): here is the access token for the user
service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
Epilogue Where the consumer accesses the resources
Consumer (to the Service Provider): Here i am again on behalf of the user
consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
The details...
OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
Signature base string a consistent reproducible concatenation of the request elements into a single string
Other security measures Nonces Timestamps
Service setup OAuth discovery (XRDS)
<?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <XRDS xmlns=quot;xri://$xrdsquot;> <XRD xml:id=quot;oauthquot; xmlns:simple=quot;http://xrds-simple.net/core/1.0quot; xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
Benefits Granular authorization Easy grant and revoke Tracking of use
Many open/free libraries use them, contribute to them
Challenges
UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
Beyond the browser Mobile devices Installable applications
The sequel OAuth over XMPP
<iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
Links! http://oauth.net http://oauth.net/core/1.0/ http://code.google.com/p/oauth/ http://groups.google.com/group/oauth/ http://oauth.net/discovery/1.0
Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com

Recommended

Search Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black MagicSearch Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black Magicguestb1f3a
 
SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08Alexander Ljung
 
The web in the world
The web in the worldThe web in the world
The web in the worldTimo Arnall
 
Adding emerging Media to the marketing mix
Adding emerging Media to the marketing mixAdding emerging Media to the marketing mix
Adding emerging Media to the marketing mixDieter Rappold
 
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksElectricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksTom Raftery
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 

Recommended

Search Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black MagicSearch Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black Magicguestb1f3a
 
SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08Alexander Ljung
 
The web in the world
The web in the worldThe web in the world
The web in the worldTimo Arnall
 
Adding emerging Media to the marketing mix
Adding emerging Media to the marketing mixAdding emerging Media to the marketing mix
Adding emerging Media to the marketing mixDieter Rappold
 
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksElectricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksTom Raftery
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
O auth
O authO auth
O authfaisalqau
 
OAuth
OAuthOAuth
OAuthAslam Jarwar
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth loveNicolas Blanco
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
DAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxDAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxKasaTiga
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure WebservicesMatthias Käppler
 
OAuth2
OAuth2OAuth2
OAuth2SPARK MEDIA
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 

More Related Content

Viewers also liked

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 

Viewers also liked (6)

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 

Similar to Integrating OAuth Services

UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
DAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxDAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxKasaTiga
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 

Similar to Integrating OAuth Services (20)

UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
O auth
O authO auth
O auth
 
OAuth
OAuthOAuth
OAuth
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
DAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxDAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsx
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
OAuth2
OAuth2OAuth2
OAuth2
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
OAuth
OAuthOAuth
OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 

More from Luca Mearelli

And Now You Have Two Problems
And Now You Have Two ProblemsAnd Now You Have Two Problems
And Now You Have Two ProblemsLuca Mearelli
 
The anatomy of an infographic
The anatomy of an infographicThe anatomy of an infographic
The anatomy of an infographicLuca Mearelli
 
L'altra meta del web
L'altra meta del webL'altra meta del web
L'altra meta del webLuca Mearelli
 
To Batch Or Not To Batch
To Batch Or Not To BatchTo Batch Or Not To Batch
To Batch Or Not To BatchLuca Mearelli
 
A Little Backbone For Your App
A Little Backbone For Your AppA Little Backbone For Your App
A Little Backbone For Your AppLuca Mearelli
 
Controlling The Cloud With Python
Controlling The Cloud With PythonControlling The Cloud With Python
Controlling The Cloud With PythonLuca Mearelli
 
Introduzione a Ruby On Rails
Introduzione a Ruby On RailsIntroduzione a Ruby On Rails
Introduzione a Ruby On RailsLuca Mearelli
 

More from Luca Mearelli (11)

And Now You Have Two Problems
And Now You Have Two ProblemsAnd Now You Have Two Problems
And Now You Have Two Problems
 
The anatomy of an infographic
The anatomy of an infographicThe anatomy of an infographic
The anatomy of an infographic
 
L'altra meta del web
L'altra meta del webL'altra meta del web
L'altra meta del web
 
To Batch Or Not To Batch
To Batch Or Not To BatchTo Batch Or Not To Batch
To Batch Or Not To Batch
 
A Little Backbone For Your App
A Little Backbone For Your AppA Little Backbone For Your App
A Little Backbone For Your App
 
WorseSoftware
WorseSoftwareWorseSoftware
WorseSoftware
 
Controlling The Cloud With Python
Controlling The Cloud With PythonControlling The Cloud With Python
Controlling The Cloud With Python
 
Open Web
Open WebOpen Web
Open Web
 
Capistrano2
Capistrano2Capistrano2
Capistrano2
 
Wikierp
WikierpWikierp
Wikierp
 
Introduzione a Ruby On Rails
Introduzione a Ruby On RailsIntroduzione a Ruby On Rails
Introduzione a Ruby On Rails
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Integrating OAuth Services

  • 1. Integrating services with Luca Mearelli Web2Expo - Berlin 2008
  • 2. Web 2.0 means sharing data, through API
  • 3. Users want to access their data using many services
  • 4. Developers want to satisfy their users (and make it easy for them)
  • 5. Service providers need to keep their users data secure
  • 7.
  • 8.
  • 9.
  • 12. Stop asking them Stop the antipattern
  • 13. How to delegate access?
  • 14. Your valet key for the web
  • 15. a play in 3 acts (to exchange authorization)
  • 16. Actors on the scene User Consumer Service Provider
  • 17. Prologue Where the Consumer presents himself to the Service Provider
  • 18. Consumer (to Service Provider): here i am, this is what i do
  • 19. consumer service provider Consumer key Consumer secret
  • 20.
  • 21. First act Where the Consumer obtains an unauthorized Request Token
  • 22. Consumer (to Service Provider): give me a request token
  • 23. consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • 24. Service Provider (to consumer): here is the request token (you can use it only once!)
  • 25. service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
  • 26.
  • 27. Second act Where the User authorizes the Request Token
  • 28. Consumer (to the User): Please go to the Service Provider and authorize this request
  • 29. consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
  • 30. Service Provider (to the User): Do you authorize consumer to access your data?
  • 31.
  • 32. User (to the Service Provider): YES! (or maybe NO :-) )
  • 33. Service Provider (to the User): You can go back to the consumer
  • 34. service providerservice provider user user consumer oauth_token (request token)
  • 35. Third act Where the Consumer exchanges the Request Token for an Access Token
  • 36. Consumer (to the Service Provider): Please give me the acces token for the user
  • 37. consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • 38. Service Provider (to the Consumer): here is the access token for the user
  • 39. service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
  • 40.
  • 41. Epilogue Where the consumer accesses the resources
  • 42. Consumer (to the Service Provider): Here i am again on behalf of the user
  • 43. consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • 44.
  • 46. OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
  • 47. Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
  • 48. Signature base string a consistent reproducible concatenation of the request elements into a single string
  • 49. Other security measures Nonces Timestamps
  • 51. <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <XRDS xmlns=quot;xri://$xrdsquot;> <XRD xml:id=quot;oauthquot; xmlns:simple=quot;http://xrds-simple.net/core/1.0quot; xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
  • 52. Benefits Granular authorization Easy grant and revoke Tracking of use
  • 53. Many open/free libraries use them, contribute to them
  • 55. UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
  • 56. UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
  • 57. Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
  • 58. Beyond the browser Mobile devices Installable applications
  • 59.
  • 61. <iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
  • 62. The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
  • 64. Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com