Some OAuth love in Ruby

Published in: Technology, Business

Transcript
  • 1. Some OAuth love <3 by Nicolas Blanco twitter.com/slainer68
  • 2. WHY? THE STORY
  • 3. OAuth • 2006 by Blaine Cook (Twitter) • OpenID for API access • Delegation of access • IETF - final protocol in 2010
  • 4. OAuth • 3-legged authentication • Resource owner (Mme Michu) • Server / Resource provider (vimeo) • Client / Consumer (dvdtrololol.com)
  • 5. OAuth - Resource provider YOU !
  • 6. OAuth - Resource owner
  • 7. OAuth - workflow (diagram: trolololdvd.com and vimeo; temporary credentials, redirection, authorization page)
  • 8. OAuth - Authorization page
  • 9. OAuth - Workflow (diagram: authorized request token, access token, access token)
  • 10. OAuth - Signature • Must sign all requests • Base string • Consumer key • Consumer secret • The signature
  • 11. OAuth - Base string
      The HTTP Method is GET
      The URL is http://vimeo.com/api/rest/v2/
      The method is vimeo.people.getInfo
      There is only one API parameter for vimeo.people.getInfo: user_id is brad
      The oauth_consumer_key is abcdef0123456
      The oauth_nonce is r4nd0m1234
      The oauth_timestamp is 1328533189
      The oauth_signature_method is HMAC-SHA1
      The oauth_version is 1.0
      GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
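Slides 10 and 11 describe the signing step without showing code for it. The block below is an added worked example, not from the talk or the oauth gem: it builds the RFC 3986 escaping, the signature base string and the HMAC-SHA1 signature for exactly the parameters on slide 11, and adds the resource-provider side (constant-time comparison plus timestamp window and nonce tracking, which is what stops a captured request from being replayed). The consumer and token secrets are constructed values, since the slide shows none.

```ruby
require 'openssl'
require 'base64'

# OAuth 1.0 uses RFC 3986 percent-encoding: only unreserved characters
# (A-Z a-z 0-9 - . _ ~) pass through, every other byte becomes %XX.
UNRESERVED = /\A[A-Za-z0-9\-._~]\z/

def oauth_escape(value)
  value.to_s.each_byte.map do |b|
    b < 128 && UNRESERVED.match?(b.chr) ? b.chr : format('%%%02X', b)
  end.join
end

# Signature base string: METHOD & escape(base URL) & escape(normalized params),
# where every parameter (query, body and oauth_*) is escaped, sorted and joined.
def signature_base_string(http_method, url, params)
  normalized = params
               .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
               .sort
               .map { |k, v| "#{k}=#{v}" }
               .join('&')
  [http_method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with escape(consumer_secret)&escape(token_secret).
# The token secret is empty for the very first (temporary credential) request.
def sign_request(http_method, url, params, consumer_secret, token_secret = '')
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  digest = OpenSSL::HMAC.digest('sha1', key, signature_base_string(http_method, url, params))
  Base64.strict_encode64(digest)
end

# Constant-time comparison so the verifier does not leak how many leading
# bytes of a presented signature were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Resource-provider side: recompute the signature from the received parameters
# (minus oauth_signature itself), compare in constant time, and refuse stale
# timestamps and already-seen nonces.
class SignatureVerifier
  def initialize(consumer_secret, token_secret = '', window: 300)
    @consumer_secret = consumer_secret
    @token_secret = token_secret
    @window = window
    @seen_nonces = {} # a real server keeps this in a shared store with expiry
  end

  def valid?(http_method, url, params, now: Time.now.to_i)
    presented = params['oauth_signature']
    return false if presented.nil?
    timestamp = params['oauth_timestamp'].to_i
    return false if (now - timestamp).abs > @window
    nonce_key = [params['oauth_consumer_key'], timestamp, params['oauth_nonce']]
    return false if @seen_nonces.key?(nonce_key)
    unsigned = params.reject { |k, _| k == 'oauth_signature' }
    expected = sign_request(http_method, url, unsigned, @consumer_secret, @token_secret)
    return false unless secure_equal?(expected, presented)
    @seen_nonces[nonce_key] = true
    true
  end
end

# The request parameters exactly as listed on slide 11.
SLIDE_URL = 'http://vimeo.com/api/rest/v2/'
SLIDE_PARAMS = {
  'method'                 => 'vimeo.people.getInfo',
  'user_id'                => 'brad',
  'oauth_consumer_key'     => 'abcdef0123456',
  'oauth_nonce'            => 'r4nd0m1234',
  'oauth_timestamp'        => '1328533189',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_version'          => '1.0'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts signature_base_string('GET', SLIDE_URL, SLIDE_PARAMS)
  # 'consumer-secret' / 'token-secret' are constructed; the slide shows no secrets
  puts sign_request('GET', SLIDE_URL, SLIDE_PARAMS, 'consumer-secret', 'token-secret')
end
```

Running the block prints the same base string as slide 11, which is the quickest way to debug a signature mismatch: compare your base string byte for byte with the provider's before suspecting the HMAC. The verifier accepts a freshly signed request once, then rejects the identical request as a replay, a tampered `user_id`, and a timestamp outside the window.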
  • 12. OAuth - Ruby • At least some Ruby! • gem install oauth
      @callback_url = "http://www.dvdtrololol.com/oauth/callback"
      @consumer = OAuth::Consumer.new("key", "secret", :site => "https://vimeo.com/auth")
      # request phase: fetch temporary credentials and send the user to the provider
      @request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
      session[:request_token] = @request_token
      redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)
      # callback phase: the provider redirects back with an oauth_verifier
      @access_token = @request_token.get_access_token(:oauth_verifier => params[:oauth_verifier])
      @videos = @access_token.get("/videos.json")
  • 13. OAuth - signature • Here comes Faraday! Middleware like Rack • https://github.com/technoweenie/faraday
      builder.use Faraday::Request::OAuth, {
        :consumer_key    => @consumer_key,
        :consumer_secret => @consumer_secret,
        :token           => @atoken,
        :token_secret    => @asecret
      }
  • 14. OAuth - Faraday middleware
  • 15. OAuth2 • The next evolution: OAuth2 • Not backward-compatible • IETF Draft • Use it now!!! • Facebook OpenGraph - Google - Microsoft
  • 16. Why <3 OAuth2 • Clients don’t need cryptography anymore (HTTPS) • Less complicated signatures • Better support for non-browser apps • Access tokens are short-lived • Clean separation between auth server and request server
  • 17. OAuth 2 - Debug with Curl!
      curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads
  • 18. OAuth2 - Gem
      client = OAuth2::Client.new(client_id, client_secret, :site => "https://www.youtube.com/auth")
      client.auth_code.authorize_url(:redirect_uri => "http://www.dvdtrololol.com/oauth2/callback")
      # => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"
      token = client.auth_code.get_token(authorization_code_value, :redirect_uri => "http://www.dvdtrololol.com/oauth2/callback")
      videos = token.get("/videos.json")
  • 19. OAuth2 - Faraday middleware
      module Faraday
        class Request::OAuth2 < Faraday::Middleware
          # add the bearer token to every outgoing request
          def call(env)
            env[:request_headers]['Authorization'] = "Bearer #{@access_token.token}"
            @app.call(env)
          end

          def initialize(app, access_token)
            @app, @access_token = app, access_token
          end
        end
      end
  • 20. Omniauth love <3 • Rack standardized multi-provider authentication • Very flexible
      Rails.application.config.middleware.use OmniAuth::Builder do
        provider :developer unless Rails.env.production?
        provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
      end
  • 21. Omniauth - Authentication Lifecycle • Setup phase • Request phase • Callback phase
  • 22. Omniauth basic strategy
      module OmniAuth
        module Strategies
          class Developer
            include OmniAuth::Strategy
            option :fields, [:name, :email]
            option :uid_field, :email
          end
        end
      end
  • 23. Omniauth base OAuth strategies • omniauth-oauth • omniauth-oauth2
  • 24. Write a custom OAuth2 strategy: Dailymotion?
  • 25. Omniauth default stack • omniauth-oauth2 • multi-json • multi-xml • faraday
  • 26. Omniauth custom OAuth2 strategy
      require 'omniauth/strategies/oauth2'

      module OmniAuth
        module Strategies
          class Dailymotion < OmniAuth::Strategies::OAuth2
            DEFAULT_SCOPE = 'email userinfo'

            option :name, 'dailymotion'

            option :client_options, {
              :site          => 'https://api.dailymotion.com',
              :authorize_url => '/oauth/authorize',
              :token_url     => '/oauth/token'
            }
            # ...
  • 27. Omniauth custom OAuth2 strategy Give more info for free!
            uid { raw_info['id'] }

            info do
              # prune! drops nil entries so the auth hash only carries fields the provider returned
              prune!({
                'screenname'  => raw_info['screenname'],
                'url'         => raw_info['url'],
                'email'       => raw_info['email'],
                'fullname'    => raw_info['fullname'],
                'description' => raw_info['description'],
                'gender'      => raw_info['gender']
              })
            end

            def raw_info
              @raw_info ||= access_token.get('/me', :params => { :fields => %w(id url email fullname description gender).join(',') }).parsed
            end
  • 28. Omniauth in Rails Link an account only (no authentication)
      = link_to "Link to Dailymotion", "/auth/dailymotion"
      match '/auth/:provider/callback', to: 'profiles#link_provider'
  • 29.
      class ProfilesController < AuthenticatedController
        def show
        end

        def link_provider
          current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)
          redirect_to profile_path, notice: "Successfully linked to provider"
        end

        protected

        def auth_hash
          request.env['omniauth.auth']
        end
      end

      class User
        # ...
        def update_attributes_for_provider(provider, credentials)
          credentials.each do |key, val|
            send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
          end
          save
        end
      end
  • 30. Omniauth in Rails - Authentication with Devise
      class Users::OmniauthCallbacksController < ApplicationController
        def create
          @user = User.find_or_create_for_provider(params[:provider], auth_hash)
          sign_in_and_redirect(@user, :event => :authentication)
        end
      end
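Slide 29 copies whatever keys the OmniAuth credentials hash contains into `<provider>_<key>` attributes, guarded only by `respond_to?`. The block below is an added example, not code from the talk: a plain-Ruby stand-in for the `User` model (no ActiveRecord) runs the slide's method against a constructed credentials hash to show which keys land, and beside it a stricter variant that checks the provider name against the providers the app actually registered and copies only an explicit list of credential keys, so no public setter that merely happens to match the `"<provider>_<key>="` pattern is reachable. `KNOWN_PROVIDERS`, `CREDENTIAL_KEYS`, `link_provider` and `SAMPLE_CREDENTIALS` are names introduced here.

```ruby
# Constructed stand-in for the User model on the slide: plain Ruby, no
# ActiveRecord, so the linking logic can run on its own.
class User
  attr_accessor :dailymotion_token, :dailymotion_secret, :dailymotion_expires_at
  attr_reader :admin, :saved

  def initialize
    @admin = false
    @saved = false
  end

  # Same approach as the slide: call "<provider>_<key>=" only when the model
  # actually defines that setter, so keys in the auth hash with no matching
  # column are dropped instead of raising NoMethodError.
  def update_attributes_for_provider(provider, credentials)
    credentials.each do |key, val|
      setter = "#{provider}_#{key}="
      send(setter, val) if respond_to?(setter)
    end
    save
  end

  def save
    @saved = true
  end
end

# Stricter variant (added here, not on the slide): the provider must be one the
# app registered with OmniAuth, and only the named credential keys are copied.
KNOWN_PROVIDERS = %w[dailymotion].freeze
CREDENTIAL_KEYS = %w[token secret expires_at].freeze

def link_provider(user, provider, credentials)
  raise ArgumentError, "unknown provider #{provider.inspect}" unless KNOWN_PROVIDERS.include?(provider)
  credentials.each do |key, val|
    next unless CREDENTIAL_KEYS.include?(key.to_s)
    user.public_send("#{provider}_#{key}=", val)
  end
  user.save
  user
end

# Constructed sample of auth_hash.credentials as an OmniAuth callback would
# hand it over: the OAuth2 strategy sets token/expires_at/expires, and 'secret'
# is what an OAuth 1 strategy adds.
SAMPLE_CREDENTIALS = {
  'token'      => 'constructed-access-token',
  'secret'     => 'constructed-token-secret',
  'expires_at' => 1328533189,
  'expires'    => true
}.freeze

if __FILE__ == $PROGRAM_NAME
  user = link_provider(User.new, 'dailymotion', SAMPLE_CREDENTIALS)
  puts "linked token: #{user.dailymotion_token}, expires_at: #{user.dailymotion_expires_at}"
end
```

With the slide's method the `expires` key is simply ignored because no `dailymotion_expires=` setter exists, while token, secret and expires_at are stored. The stricter variant behaves the same on this input but also refuses a provider name that was never configured, which matters when `params[:provider]` comes straight from the route as on slide 28.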
  • 31. Thank you! Follow me: twitter.com/slainer68