Some OAuth love in Ruby
1. Some OAuth love <3 by Nicolas Blanco twitter.com/slainer68

2. WHY? THE STORY

3. OAuth
   • 2006 by Blaine Cook (Twitter)
   • OpenID for API access
   • Delegation of access
   • IETF - final protocol in 2010

4. OAuth
   • 3-legged authentication
   • Resource owner (Mme Michu)
   • Server / Resource provider (vimeo)
   • Client / Consumer (dvdtrololol.com)

5. OAuth - Resource provider: YOU!

6. OAuth - Resource owner

7. OAuth - workflow (diagram: trolololdvd.com obtains temporary credentials from vimeo, then a redirection sends the user to the authorization page)

8. OAuth - Authorization page

9. OAuth - Workflow (diagram: authorized request token, then access token, then the access token is used on requests)

10. OAuth - Signature
   • Must sign all requests
   • Base string
   • Consumer key
   • Consumer secret
   • The signature

11. OAuth - Base string
   The HTTP Method is GET
   The URL is http://vimeo.com/api/rest/v2/
   The method is vimeo.people.getInfo
   There is only one API parameter for vimeo.people.getInfo: user_id is brad
   The oauth_consumer_key is abcdef0123456
   The oauth_nonce is r4nd0m1234
   The oauth_timestamp is 1328533189
   The oauth_signature_method is HMAC
   The oauth_version is 1.0

   GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
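As an added example (not code from the talk or the oauth gem), here is what slide 11 sketches, carried through in Ruby: the percent-encoding, the sorted base string, the HMAC-SHA1 signature keyed with consumer and token secrets, and the provider-side check that rejects any request whose parameters no longer match. The parameter values are the ones on the slide; the secrets, the helper names and the `signature_valid?` check are assumptions.

```ruby
require "openssl"
require "base64"

# Percent-encoding as OAuth 1.0 (RFC 5849, 3.6) requires: only A-Z a-z 0-9 - . _ ~
# stay as they are, every other byte becomes %XX (uppercase hex).
def oauth_encode(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Signature base string: METHOD & enc(URL) & enc(sorted "k=v" pairs joined by "&").
# Keys and values are encoded first, then sorted, so the client and the provider
# always agree on the byte string that gets signed.
def signature_base_string(http_method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join("&")
  [http_method.upcase, oauth_encode(url), oauth_encode(normalized)].join("&")
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret"
# (the token secret is empty while the client is still fetching a request token).
def oauth_signature(http_method, url, params, consumer_secret, token_secret = "")
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  digest = OpenSSL::HMAC.digest("sha1", key, signature_base_string(http_method, url, params))
  Base64.strict_encode64(digest)
end

# Provider side: recompute the signature from the request as received and compare
# in constant time; any changed parameter, URL or method yields a different value.
def signature_valid?(http_method, url, params, consumer_secret, token_secret, presented)
  expected = oauth_signature(http_method, url, params, consumer_secret, token_secret)
  return false unless expected.bytesize == presented.bytesize
  expected.bytes.zip(presented.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Values taken from the slide (constructed demo values, not real credentials).
VIMEO_URL = "http://vimeo.com/api/rest/v2/"
VIMEO_PARAMS = {
  "method" => "vimeo.people.getInfo",
  "user_id" => "brad",
  "oauth_consumer_key" => "abcdef0123456",
  "oauth_nonce" => "r4nd0m1234",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp" => "1328533189",
  "oauth_version" => "1.0"
}.freeze
```

`signature_base_string("GET", VIMEO_URL, VIMEO_PARAMS)` reproduces the slide's base string byte for byte; the oauth gem and Faraday middleware on the following slides do the same work behind `OAuth::Consumer`.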
12. OAuth - Ruby
   • At least some Ruby!
   • gem install oauth

   # Rails controller code; the oauth gem provides OAuth::Consumer
   @callback_url = "http://www.dvdtrololol.com/oauth/callback"
   @consumer = OAuth::Consumer.new("key", "secret", :site => "https://vimeo.com/auth")
   # step 1: fetch temporary credentials, remember them, send the user to vimeo
   @request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
   session[:request_token] = @request_token
   redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)
   # step 2 (in the callback action): swap the authorized request token for an access token
   @access_token = @request_token.get_access_token
   @videos = @access_token.get("/videos.json")

13. OAuth - signature
   • Here comes Faraday! Middleware like Rack
   • https://github.com/technoweenie/faraday

   builder.use Faraday::Request::OAuth, {
     :consumer_key => @consumer_key,
     :consumer_secret => @consumer_secret,
     :token => @atoken,
     :token_secret => @asecret
   }
14. OAuth - Faraday middleware

15. OAuth2
   • The next evolution: OAuth2
   • Not backward-compatible
   • IETF Draft
   • Use it now!!!
   • Facebook OpenGraph - Google - Microsoft

16. Why <3 OAuth2
   • Clients don't need cryptography anymore (HTTPS)
   • Less complicated signatures
   • Better support for non-browser apps
   • Access tokens are short-lived
   • Clean separation between auth server and request server
17. OAuth 2 - Debug with Curl!

   curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads

18. OAuth2 - Gem

   client = OAuth2::Client.new(client_id, client_secret, :site => "https://www.youtube.com/auth")
   client.auth_code.authorize_url(:redirect_uri => "http://www.dvdtrololol.com/oauth2/callback")
   # => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"
   token = client.auth_code.get_token(authorization_code_value, :redirect_uri => "http://www.dvdtrololol.com/oauth2/callback")
   videos = token.get("/videos.json")

19. OAuth2 - Faraday middleware

   module Faraday
     class Request::OAuth2 < Faraday::Middleware
       def initialize(app, access_token)
         @app, @access_token = app, access_token
       end

       # Bearer scheme: no signature, the token itself is the credential (so HTTPS is mandatory)
       def call(env)
         env[:request_headers]["Authorization"] = "Bearer #{@access_token.token}"
         @app.call(env)
       end
     end
   end

20. Omniauth love <3
   • Rack standardized multi-provider authentication
   • Very flexible

   Rails.application.config.middleware.use OmniAuth::Builder do
     provider :developer unless Rails.env.production?
     provider :twitter, ENV["TWITTER_KEY"], ENV["TWITTER_SECRET"]
   end
21. Omniauth - Authentication Lifecycle
   • Setup phase
   • Request phase
   • Callback phase

22. Omniauth basic strategy

   module OmniAuth
     module Strategies
       class Developer
         include OmniAuth::Strategy
         option :fields, [:name, :email]
         option :uid_field, :email
       end
     end
   end

23. Omniauth base OAuth strategies
   • omniauth-oauth
   • omniauth-oauth2

24. Write a custom OAuth2 strategy: Dailymotion?

25. Omniauth default stack
   • omniauth-oauth2
   • multi-json
   • multi-xml
   • faraday
26. Omniauth custom OAuth2 strategy

   require "omniauth/strategies/oauth2"

   module OmniAuth
     module Strategies
       class Dailymotion < OmniAuth::Strategies::OAuth2
         DEFAULT_SCOPE = "email userinfo"

         option :name, "dailymotion"

         option :client_options, {
           :site => "https://api.dailymotion.com",
           :authorize_url => "/oauth/authorize",
           :token_url => "/oauth/token"
         }
         # ...

27. Omniauth custom OAuth2 strategy
   Give more info for free!

         uid { raw_info["id"] }

         info do
           prune!({
             "screenname" => raw_info["screenname"],
             "url" => raw_info["url"],
             "email" => raw_info["email"],
             "fullname" => raw_info["fullname"],
             "description" => raw_info["description"],
             "gender" => raw_info["gender"]
           })
         end

         # every key read in the info block must be requested here, or it comes back nil
         def raw_info
           @raw_info ||= access_token.get("/me", :params => {
             :fields => %w(id screenname url email fullname description gender).join(",")
           }).parsed
         end
       end
     end
   end

28. Omniauth in Rails
   Link an account only (no authentication)

   = link_to "Link to Dailymotion", "/auth/dailymotion"

   match "/auth/:provider/callback", to: "profiles#link_provider"

29. class ProfilesController < AuthenticatedController
     def show
     end

     def link_provider
       current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)
       redirect_to profile_path, notice: "Successfully linked to provider"
     end

     protected

     # the auth hash OmniAuth leaves in the Rack env after the callback phase
     def auth_hash
       request.env["omniauth.auth"]
     end
   end

   class User
     # ...
     # only attributes that have a matching "<provider>_<key>=" writer are set
     def update_attributes_for_provider(provider, credentials)
       credentials.each do |key, val|
         send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
       end
       save
     end
   end

30. Omniauth in Rails - Authentication with Devise

   class Users::OmniauthCallbacksController < ApplicationController
     def create
       @user = User.find_or_create_for_provider(params[:provider], auth_hash)
       sign_in_and_redirect(@user, :event => :authentication)
     end

     protected

     def auth_hash
       request.env["omniauth.auth"]
     end
   end
31. Thank you! Follow me: twitter.com/slainer68