Securing your Web API with OAuth

Questions for you

What is OAuth?
Valet key for your web (image: http://toyotaownersclub.com/forums/index.php?showtopic=77384)

VS

(image: http://www.flickr.com/photos/leelefever/133949029/)
OpenID vs OAuth

Love triangle: End user, Service provider, Consumer
WTF ?!
“Passwords are not confetti. Please stop throwing them around. Especially if they’re not yours” (Chris Messina, http://www.slideshare.net/carsonified/how-oauth-and-portable-data-can-revolutionize-your-web-app-chris-messina-presentation/)

OAuth interaction demo
OAuth dance steps (image: http://flickr.com/photos/wigwam/2255831538/)

OAuth dance steps: terms
- consumer key: an identifier for the consumer to the service provider
- consumer secret: secret used to establish ownership of the consumer key
- request token: a value that is used to obtain authorization from the user; finally traded in for an access token
- access token: value used to gain access to a protected resource on behalf of the user without requiring the user's credentials
- token secret: secret used to establish ownership of a given token

OAuth dance steps
 
OAuth roles

OAuth security (image: http://icanhascheezburger.com/2007/11/27/meh-security-system-let-me-showz-u-him/)
Signature: HMAC-SHA1
- Signature base text = HTTP method & Base URL & Normalized parameters
- Normalized parameters = oauth parameters (oauth_consumer_key, oauth_token, oauth_nonce, oauth_timestamp, oauth_signature_method, oauth_version) + request parameters (param1, param2)
- oauth_signature = HMAC-SHA1(text, secret), where secret = consumer_secret & oauth_token_secret
- The signature is also base64 encoded and then urlencoded.

Signature: RSA-SHA1
- Signature base text = HTTP method & Base URL & Normalized parameters
- Normalized parameters = oauth parameters (oauth_consumer_key, oauth_token, oauth_nonce, oauth_timestamp, oauth_signature_method, oauth_version) + request parameters (param1, param2)
- oauth_signature = RSA-SHA1(text, secret), where secret = consumer private key
- The signature is also base64 encoded and then urlencoded.
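As an added worked example (not from the slides), the HMAC-SHA1 signing described above in Python, together with the check a service provider runs on the receiving side: the base text is method & base URL & normalized parameters, the key is consumer_secret & token_secret, the result is base64 encoded, and verification recomputes it in constant time and rejects stale timestamps and replayed nonces. The in-memory nonce set and the 300-second timestamp window are assumptions, not part of the slides.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse


def pct(value) -> str:
    """OAuth 1.0 percent-encoding (RFC 3986): only unreserved characters stay bare,
    space becomes %20 (never '+'), hex digits are upper case."""
    return urllib.parse.quote(str(value), safe="-._~")


def normalize_params(params) -> str:
    """Encode every name and value, sort by encoded name then value, join with '&'.
    params is an iterable of (name, value) pairs so duplicate names are allowed."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method: str, base_url: str, params) -> str:
    """The signed text: METHOD & pct(base URL) & pct(normalized parameters).
    base_url carries no query string; query parameters are passed in params."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def hmac_key(consumer_secret: str, token_secret: str = "") -> bytes:
    """Key = pct(consumer_secret) & pct(token_secret). While obtaining a request
    token there is no token secret yet, so the key simply ends in '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}".encode("utf-8")


def sign_hmac_sha1(method, base_url, params, consumer_secret, token_secret="") -> str:
    """oauth_signature = base64(HMAC-SHA1(base string, key)). The caller
    percent-encodes this value once more when placing it in the request."""
    digest = hmac.new(hmac_key(consumer_secret, token_secret),
                      base_string(method, base_url, params).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


# Service-provider side (assumed, in-memory): nonces already accepted.
SEEN_NONCES = set()
TIMESTAMP_WINDOW_SECONDS = 300  # assumed clock-skew tolerance


def verify_request(method, base_url, params, consumer_secret, token_secret="",
                   now=None) -> bool:
    """Recompute the signature over every parameter except oauth_signature,
    compare in constant time, then reject stale timestamps and replayed nonces."""
    oauth = dict(params)  # only the oauth_* names are read from this
    presented = oauth.get("oauth_signature")
    if presented is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(oauth["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TIMESTAMP_WINDOW_SECONDS:
        return False
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = sign_hmac_sha1(method, base_url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return False
    nonce_id = (oauth.get("oauth_consumer_key"), oauth.get("oauth_token"),
                oauth.get("oauth_nonce"), ts)
    if nonce_id in SEEN_NONCES:
        return False  # same nonce and timestamp seen before: replay
    SEEN_NONCES.add(nonce_id)
    return True
```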
OAuth usage environments

Why bother?

Why bother? “OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion” (Dare Obasanjo, http://www.25hoursaday.com/weblog/2007/11/12/OpenIDOAuthIsTheFinalNailInTheCoffinOfTheWSVsRESTDiscussion.aspx)

State of OAuth

Implementations
Thanks