Your SlideShare is downloading. ×
Securing your Web API with OAuth
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Securing your Web API with OAuth

19,654
views

Published on

A talk given by me at http://foss.org.my/meetups/kl?searchterm=++December+2008+Meetup++ …

A talk given by me at http://foss.org.my/meetups/kl?searchterm=++December+2008+Meetup++

Attribution contained within the slides

Published in: Technology

1 Comment
15 Likes
Statistics
Notes
  • Hi,
    can i get sample code for flickr authentication using Dotnetopen auth as you did for facebook authentication in http://oauth.kg23.com

    Thanks in advance
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
19,654
On Slideshare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
388
Comments
1
Likes
15
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Transcript

    • 1. Securing your Web API with OAuth
      • Mohanaraj Gopala Krishnan
      • MYOSS Meetup 4 Dec 2008
      • mohangk.org/blog
    • 2. Questions for you
      • Experience with OAuth?
        • Developed, read spec, heard of ?
      • Application that exposes a Web API ?
        • Authentication ?
      • Experience using BBAuth, Authsub, Flickr Auth etc. ?
    • 3. What is OAuth?
      • A simple open standard for Web API authorization
      • End Users
        • Share information between online services without disclosing passwords
      • Web service (Service providers)
        • Allow for secure access to your API in a user controlled, secure manner
      • 3rd Party application (Consumers)
        • A standard authorization scheme for the web
    • 4. Valet key for your web http://toyotaownersclub.com/forums/index.php?showtopic=77384
    • 5. VS
    • 6. http://www.flickr.com/photos/leelefever/133949029/
    • 7. OpenID vs OAuth
      • Goals are different
        • OpenID is about sharing a single identity with different consumers
        • OAuth is about sharing your data with different consumers without sharing your identity
      • Not mutually exclusive
    • 8. OpenID vs OAuth
      • Commonality
        • Open protocols - community driven
        • Involves 3 parties
        • Involves moving the users between consumer and service provider
        • Involves laying a claim that is verified by the service/identity provider
          • OpenID - “I own this URL”
          • OAuth - “I own this resource”
    • 9. Love triangle End user Service provider Consumer
    • 10. WTF ?!
    • 11. “ Passwords are not confetti. Please stop throwing them around. Especially if they’re not yours ” Chris Messina http://www.slideshare.net/carsonified/how-oauth-and-portable-data-can-revolutionize-your-web-app-chris-messina-presentation/
    • 12. OAuth interaction demo
      • Simple demo
        • http://oauth.kg23.com /
    • 13. OAuth dance steps http://flickr.com/photos/wigwam/2255831538/
    • 14. OAuth dance steps consumer key An identifier for the consumer to the service provider consumer secret Secret used to establish ownership of the consumer key request token A value that is used to obtain authorization from the user. Finally traded in for an access token. access token Value used to gain access to a protected resource on behalf of the user without requiring the users credentials token secret Secret used to establish ownership of a given token
    • 15. OAuth dance steps
      • http://www.googlecodesamples.com/oauth_playground/
    • 16.  
    • 17. OAuth roles
      • Service provider
        • Implement three service endpoints
          • Get request token
          • Authenticate request token
          • Exchange request token for access token
        • Provides a form of authentication
        • Validates following requests (post OAuth dance)
        • Provides a mechanism to maintain authorization
        • Additional API services
          • e.g. Access token lifecycle management - revocation, extension
    • 18.
      • Service providers need to allow for end users to manage their authorizations
    • 19. OAuth roles
      • Consumer
        • Acquire consumer key / consumer secret
        • Communication with service provider
          • Over HTTP - header, POST, GET query
        • Signing requests
          • HMAC-SHA1,RSA-SHA1,PLAINTEXT
        • Keep track of access tokens
          • Store association of users to access token
          • Service providers have different policy as to token lifetime-e.g. Goog vs Y!
          • Must be treated as securely as passwords
    • 20. OAuth security http://icanhascheezburger.com/2007/11/27/meh-security-system-let-me-showz-u-him/
    • 21. OAuth security
      • Signing - allows for security beyond HTTP basic auth
        • No secret over the wire beyond the dance
        • Request is verifiable - untampered
      • Nonce & timestamps - mitigate replay attacks
      • Delegation of credentials instead of direct credentials
      • HTTPS still required for mitigating MITM - but if not too critical, request signing should suffice
    • 22. Signature HMAC-SHA1 HTTP method Base URL Normalized parameters oauth parameters oauth_consumer_key, oauth_token, oauth_nonce, oauth_timestamp, oauth_signature_mothod, oauth_version request parameters param1,param2 oauth_signature = HMAC-SHA1(text,secret) consumer_secret & oauth_token_secret *also base64 encoded + urlencoded
    • 23. Signature RSA-SHA1 HTTP method Base URL Normalized parameters oauth parameters oauth_consumer_key, oauth_token, oauth_nonce, oauth_timestamp, oauth_signature_mothod, oauth_version request parameters param1,param2 oauth_signature* = RSA-SHA1(text,secret) consumer_secret (consumer private key ) *also base64 encoded + urlencoded
    • 24. OAuth usage environments
      • Web application
        • Standard case
      • Gadgets
        • contained within a larger consumer - OAuth Gadget extension
      • 2-legged OAuth
        • No user involved - the consumer has been put in a position of trust - e.g. Google domain administrator or accessing public data
        • Extension implemented by Goog - Only HMAC-SHA1, no oauth_token, additional - xoauth_requestor_id - user to imitate, must be explicitly enabled
      • Desktop apps / JS apps
        • Consumer secret can be easily compromised - trust levels
        • Doesn’t compromise authorization
    • 25. Why bother?
      • Large adoption - Goog, Y!, MySpace
      • Interop - Leverage the services
      • Can be used as a replacement for HTTP basic auth
        • SSL might not be always necessary
      • Part of the Open web stack
        • Atompub + OpenID + OAuth + XRDS +OpenSocial
    • 26. Why bother ? “ OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion” Dare Obsanjo http:// www.25hoursaday.com/weblog/2007/11/12/OpenIDOAuthIsTheFinalNailInTheCoffinOfTheWSVsRESTDiscussion.aspx
    • 27. State of OAuth
      • OAuth Core 1.0, IETF Draft
      • Different use environments being worked out via extensions
      • Library support - extensive, but varying quality
      • OpenID + OAuth hybrid models
      • Usability funkiness
    • 28. Implementations
      • Libraries
        • oauth.net/code
        • http://github.com/search?q=oauth&x=0&y=0
      • Server implementations
        • PHP - http://code.google.com/p/oauth-php/
        • Ruby - http://github.com/pelle/oauth/tree/master
    • 29. Thanks