Introduction to OAuth
OAuth: Open Standard for Sharing
  #OpenWebTO - June 1st, 2010

the problem

password anti-pattern

Sharing without passwords.
  Sites exchange user authorized tokens.
  Tokens can be revoked.
  Tokens can be scoped.
  Tokens can be time-limited.

Terminology has changed a lot.
  These slides are old school.

some history
  12/07 - OAuth 1.0
  06/08 - OAuth 1.0a
  11/09 - OAuth WRAP
  03/10 - OAuth 2.0 Draft 1
  04/10 - RFC 5849
  05/10 - OpenID Connect

OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.

Step 1. Attacker initiates OAuth authorization.

Step 2. Tricks victim into visiting authorization URI specially crafted for nefarious purposes (attacker specifies the callback).

Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.

Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.

Step 5. $$$

The Result
  Inconsistent implementations.
  Different fixes for older providers.
  Be aware.
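The provider-side bookkeeping that closes this hole, as an added illustration (not code from the talk or from any provider): in 1.0a the callback is bound to the request token when it is issued, and the access-token exchange succeeds only with the oauth_verifier that was delivered to the resource owner's browser, which the party who started the flow never sees. The class and method names are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlencode


class RequestTokenStore:
    """Constructed provider-side state for OAuth 1.0a request tokens (illustration only)."""

    def __init__(self):
        self._tokens = {}

    def issue_request_token(self, consumer_key, oauth_callback):
        # 1.0a: the callback is fixed when the token is issued (inside the consumer's
        # signed request), so the redirect cannot be steered elsewhere later.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"consumer": consumer_key, "callback": oauth_callback,
                               "verifier": None, "used": False}
        return token

    def authorize(self, token):
        """Run after the resource owner approves; returns the redirect URL.
        The verifier goes only to the user's browser, never to whoever started the flow."""
        rec = self._tokens[token]
        rec["verifier"] = secrets.token_urlsafe(18)
        if rec["callback"] == "oob":
            return None  # out-of-band clients display the verifier to the user instead
        sep = "&" if "?" in rec["callback"] else "?"
        return rec["callback"] + sep + urlencode(
            {"oauth_token": token, "oauth_verifier": rec["verifier"]})

    def exchange(self, consumer_key, token, presented_verifier):
        """Access-token request: succeeds once, only for the issuing consumer, and only
        with the matching verifier; returns the new access token or None."""
        rec = self._tokens.get(token)
        if rec is None or rec["used"] or rec["verifier"] is None or not presented_verifier:
            return None
        if rec["consumer"] != consumer_key:
            return None
        if not hmac.compare_digest(rec["verifier"], presented_verifier):
            return None
        rec["used"] = True
        return secrets.token_urlsafe(24)
```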
OAuth 1.0a Protocol Overview

Endpoint URIs
  Request Token URL
  User Authorization URL
  Access Token URL

Request a Request Token

Example: Twitter
  Request:
    POST /oauth/request HTTP/1.1
    Host: local.eval.ca:8000
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
    ...
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485", oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"
  Response:
    oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&
    oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU

Example: FreshBooks
  Request:
    Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018", oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT", oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26", oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"
  Response:
    oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&
    oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&
    oauth_callback_confirmed=true

Redirect user to Authorization URI
  Twitter:
    http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  FreshBooks:
    https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8

Handle Callback
  Twitter:
    http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  FreshBooks:
    http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8&oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs

Exchange authorized Request Token for Access Token

Example: Twitter
  Request:
    Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0", oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"
  Response:
    oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&
    oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&
    user_id=149686823&screen_name=freshnotifydemo

Example: FreshBooks
  Request:
    Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"
  Response:
    oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW

Accessing a Protected Resource

Example: Twitter
  Request:
    POST /1/statuses/update.json HTTP/1.1
    ...
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo", oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

    status=Ohai.
  Response:
    { a lot of JSON }

Example: FreshBooks
  Request:
    POST /api/2.1/xml-in HTTP/1.1
    ...
    Content-Type: application/xml
    Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

    <request method="invoice.list" />
  Response:
    <response status="ok"> A bunch of XML </response>
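An added worked example (not from the slides, Twitter or FreshBooks) of the signing behind all the headers above, following RFC 5849: the HMAC-SHA1 signature base string and the PLAINTEXT key, plus the provider-side check. Because the FreshBooks requests use PLAINTEXT, whose signature is the signing key itself, the consumer secret mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS and the token secret gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh can be read straight off those headers and responses; the Twitter secrets are not on the page, so the HMAC-SHA1 part uses a constructed consumer secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay bare, hex is uppercase."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1). `params` holds every oauth_*
    header parameter plus body parameters; query parameters are taken from `url`.
    oauth_signature itself is never included."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host += f":{parts.port}"  # non-default ports (e.g. :8000 above) stay in the base URI
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # sort by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    # token_secret is empty for the request-token call and filled in afterwards
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_plaintext(consumer_secret, token_secret=""):
    """PLAINTEXT (RFC 5849 section 3.4.4): the signature is the key itself, so both secrets
    travel in the Authorization header and TLS is the only thing protecting them."""
    return signing_key(consumer_secret, token_secret)


def header_value(signature):
    """The signature as it appears inside the header: encoded once more, so & becomes %26."""
    return pct(signature)


def verify_hmac_sha1(method, url, params, consumer_secret, token_secret, presented):
    """Provider side: recompute from the decoded request parameters, compare in constant time."""
    expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)
```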
Common Questions
  What about Desktop & Mobile applications?
  What the heck is OAuth WRAP?
  What does OAuth have to do with OpenID?
  What is up with OAuth 2?

OAuth 2.0

Problems with OAuth 1.0
  Complex cryptographic requirements
  Poor user experience for desktop / mobile
  Performance at scale

OAuth 2.0
  OAuth 2.0 defines authorization flows.
    User Delegation Flows
    Direct Credentials Flows
    Autonomous Flows

User Delegation Flows
  User-Agent Flow
  Web Server Flow
  Device Flow

Direct Credentials Flows
  Username and Password Flow
  Client Credentials Flow

Autonomous Flows
  Assertion Flow

OAuth 2.0
  Bearer tokens over SSL
  Simpler signatures
  Short lived tokens with refresh tokens
  Authorization server and resource server

Progress

OAuth 2.0 is currently in its 5th version of an IETF Draft.

There are implementations in the wild including Facebook, 37 Signals and Github.

There are Objective C, Python and Ruby libraries available with varying degrees of completeness.

So things are looking good, but as always when working with something this new...

Resources
  http://oauth.net/
  http://tools.ietf.org/html/rfc5849
  http://hueniverse.com/oauth/
  http://tools.ietf.org/html/draft-ietf-oauth-v2-07

thank you!
  Paul Osman
  paul@eval.ca