Introduction to OAuth
OAuth: Open Standard for Sharing
#OpenWebTO - June 1st, 2010
the problem
password anti-pattern: to let site B act on your behalf at site A, you hand site B your site A password. Site B then has full access that you can neither scope nor revoke without changing the password.
Sharing without passwords.
Sites exchange user authorized tokens.
Tokens can be revoked.
Tokens can be scoped.
Tokens can be time-limited.
Terminology has changed a lot.
These slides are old school.
some history
12/07 - OAuth 1.0
06/08 - OAuth 1.0a
11/09 - OAuth WRAP
03/10 - OAuth 2.0 Draft 1
04/10 - RFC 5849
05/10 - OpenID Connect
OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
Step 1. Attacker initiates OAuth authorization at a legitimate consumer and obtains a request token.
Step 2. Tricks victim into visiting the authorization URI for that token, specially crafted for nefarious purposes: in 1.0 the oauth_callback was a plain parameter on that URI, so the attacker specifies the callback.
Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
Step 4. Attacker completes the OAuth workflow by exchanging the now-authorized request token for an access token. Has access to the victim's protected resources.
Step 5. $$$
The 1.0a fix: the consumer sends oauth_callback inside the signed request token request (the provider answers with oauth_callback_confirmed=true), the provider delivers an oauth_verifier to that callback, and the consumer must present the verifier at the access token step. A request token authorized in the victim's browser can no longer be redeemed by someone who holds only the token.
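The five steps above, as an added example that is not part of the original slides: a toy model of a provider that can run as OAuth 1.0 or 1.0a, with the attack replayed against both. There is no network and no signing; the consumer key, callback URLs and tokens are made up, and the attacker is modeled as calling the access token endpoint directly with the consumer's key, standing in for the consumer finishing the flow on the attacker's behalf.

```python
"""Toy model of the OAuth 1.0 session fixation attack and the 1.0a fix.

Added example, not from the slides. Names, URLs and tokens are made up.
"""
import secrets

ATTACKER_CB = "https://attacker.example/cb"  # hypothetical
CONSUMER_CB = "https://consumer.example/cb"  # hypothetical


class Provider:
    """Minimal service provider keeping request tokens in a dict."""

    def __init__(self, version):
        assert version in ("1.0", "1.0a")
        self.version = version
        self.request_tokens = {}  # request token -> state
        self.access_tokens = {}   # access token -> user

    def request_token(self, consumer_key, callback=None):
        """Request Token step. In 1.0a the callback arrives here, under the
        consumer's signature, so only the consumer can choose it."""
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "callback": callback,
                                      "user": None, "verifier": None}
        return token

    def authorize(self, token, user, callback_param=None):
        """User Authorization step: `user` approves `token`.
        Returns (redirect URL, verifier delivered to that URL or None)."""
        st = self.request_tokens[token]
        st["user"] = user
        if self.version == "1.0":
            # 1.0: oauth_callback is an unsigned query parameter on the
            # authorization URL, so whoever built the URL picks the redirect.
            return callback_param, None
        st["verifier"] = secrets.token_hex(8)
        # 1.0a: redirect only to the callback bound at the request token step,
        # and carry the verifier there.
        return st["callback"], st["verifier"]

    def access_token(self, consumer_key, token, verifier=None):
        """Access Token step: exchange an authorized request token."""
        st = self.request_tokens.pop(token)
        if st["consumer"] != consumer_key or st["user"] is None:
            raise PermissionError("unauthorized request token")
        if self.version == "1.0a" and verifier != st["verifier"]:
            raise PermissionError("missing or wrong oauth_verifier")
        access = secrets.token_hex(8)
        self.access_tokens[access] = st["user"]
        return access


def session_fixation(version):
    """Replays steps 1-4. Returns True if the attacker ends up holding an
    access token for the victim's resources."""
    p = Provider(version)
    # Step 1: attacker starts the flow through a legitimate consumer.
    token = p.request_token("consumer-key", callback=CONSUMER_CB)
    # Step 2: attacker sends the victim an authorization URL for that token,
    # with oauth_callback pointing at the attacker's own server.
    # Step 3: victim logs in and approves; the provider redirects.
    redirect_to, verifier = p.authorize(token, "victim", callback_param=ATTACKER_CB)
    # Step 4: attacker completes the exchange with what it holds: the token,
    # plus the verifier only if the redirect went to the attacker's server.
    known_verifier = verifier if redirect_to == ATTACKER_CB else None
    try:
        p.access_token("consumer-key", token, known_verifier)
        return True
    except PermissionError:
        return False


def legitimate_flow(version):
    """Normal flow: the consumer's own callback receives the verifier."""
    p = Provider(version)
    token = p.request_token("consumer-key", callback=CONSUMER_CB)
    redirect_to, verifier = p.authorize(token, "alice", callback_param=CONSUMER_CB)
    access = p.access_token("consumer-key", token, verifier)
    return redirect_to == CONSUMER_CB and p.access_tokens[access] == "alice"


if __name__ == "__main__":
    print("1.0  attacker wins:", session_fixation("1.0"))   # True
    print("1.0a attacker wins:", session_fixation("1.0a"))  # False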
The Result
Inconsistent implementations.
Different fixes for older providers.
Be aware.
OAuth 1.0a Protocol Overview
Endpoint URIs
  Request Token URL
  User Authorization URL
  Access Token URL
Request a Request Token
Example: Twitter
Request:

POST /oauth/request HTTP/1.1
Host: local.eval.ca:8000
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485",
  oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1",
  oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"

Response:

oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&
  oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
Example: FreshBooks
Request:

Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018",
  oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT",
  oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26",
  oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"

Response:

oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&
  oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&
  oauth_callback_confirmed=true

Two things to notice. This is the 1.0a shape: oauth_callback travels in the signed request token request, and the provider acknowledges it with oauth_callback_confirmed=true. And PLAINTEXT means the oauth_signature is literally consumer_secret&token_secret, percent-encoded (the token secret is empty at this step, hence the trailing %26), so the consumer secret is readable in every request. That is only acceptable over HTTPS.
Redirect user to Authorization URI
Twitter:

http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8

FreshBooks:

https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
Handle Callback
Twitter:

http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8

FreshBooks:

http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
   &oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs

The oauth_verifier is the 1.0a addition and must be sent back at the access token step. The Twitter capture shows the pre-1.0a form with no verifier, the shape the session fixation attack relies on. On the consumer side, only complete the exchange for an oauth_token that this browser session actually started.
Exchange authorized Request Token for Access Token
Example: Twitter
Request:

Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497",
  oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
  oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0",
  oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"

Response:

oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&
  oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&
  user_id=149686823&screen_name=freshnotifydemo
Example: FreshBooks
Request:

Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
  oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
  oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
  oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
  oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

Response:

oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
Accessing a Protected Resource
Example: Twitter
Request:

POST /1/statuses/update.json HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995",
  oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
  oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
  oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

status=Ohai.

Response:

{ a lot of JSON }
Example: FreshBooks
Request:

POST /api/2.1/xml-in HTTP/1.1
...
Content-Type: application/xml
Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
  oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
  oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
  oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
  oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

<request method="invoice.list" />

Response:

<response status="ok">
  A bunch of XML
</response>
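The captures from "Request a Request Token" through "Accessing a Protected Resource" show signed headers but not how the signatures are built. The following is an added example, not code from the slides or from Twitter or FreshBooks: the RFC 5849 signature base string, the HMAC-SHA1 and PLAINTEXT signing methods, the header serialization, and the provider-side check. It uses the parameters of the Twitter request token capture (the consumer secret is not on the slides, so a made-up one is substituted and the resulting signature will not match the capture) and the two secrets that the FreshBooks PLAINTEXT signature exposes. One observation on the FreshBooks protected-resource slide: its header repeats the nonce, timestamp, verifier and request token of the access token request; a real call signs with the access token and secret returned by that request and a fresh nonce.

```python
"""OAuth 1.0a signing per RFC 5849. Added example, not from the slides."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 5849 s3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """s3.4.1.2: lowercase scheme and host, drop default ports and the query string."""
    u = urlsplit(url)
    host = u.hostname
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path}"


def signature_base_string(method, url, params):
    """s3.4.1: METHOD & pct(base URI) & pct(normalized parameters).
    `params` = oauth_* header parameters + query parameters + form body
    parameters, sorted after encoding; oauth_signature is left out."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """Both methods key off pct(consumer secret) & pct(token secret); the token
    secret is empty for the request token request."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """Returns the base64 oauth_signature (raw; the header percent-encodes it)."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign_plaintext(consumer_secret, token_secret=""):
    """PLAINTEXT: the signature is the signing key itself, so every request
    discloses both secrets. Only defensible over TLS."""
    return signing_key(consumer_secret, token_secret)


def authorization_header(params, signature):
    """Serialize an Authorization: OAuth header; every value is percent-encoded."""
    items = dict(params, oauth_signature=signature)
    return 'OAuth realm="", ' + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in items.items())


def verify_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute over the received parameters, compare in constant
    time. A real provider also rejects replayed (nonce, timestamp) pairs and
    timestamps outside its window."""
    expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


# Parameters of the Twitter request token capture on the slides.
TWITTER_URL = "http://local.eval.ca:8000/oauth/request"
TWITTER_PARAMS = {
    "oauth_nonce": "79013965",
    "oauth_timestamp": "1275364485",
    "oauth_consumer_key": "TgF80q20x4j4kPRTiYJOXQ",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}
DEMO_CONSUMER_SECRET = "demo-consumer-secret"  # constructed; not on the slides

# Secrets readable straight out of the FreshBooks PLAINTEXT signature on the
# slides: consumer secret before the %26, token secret (from the request token
# response) after it.
FRESHBOOKS_CONSUMER_SECRET = "mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS"
FRESHBOOKS_TOKEN_SECRET = "gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"


def twitter_signed_params():
    """The Twitter request token parameters with an HMAC-SHA1 signature added."""
    sig = sign_hmac_sha1("POST", TWITTER_URL, TWITTER_PARAMS, DEMO_CONSUMER_SECRET)
    return dict(TWITTER_PARAMS, oauth_signature=sig)


def freshbooks_plaintext_header_value():
    """Header-encoded PLAINTEXT signature of the FreshBooks access token request."""
    return pct(sign_plaintext(FRESHBOOKS_CONSUMER_SECRET, FRESHBOOKS_TOKEN_SECRET))


if __name__ == "__main__":
    print(signature_base_string("POST", TWITTER_URL, TWITTER_PARAMS))
    signed = twitter_signed_params()
    print("Authorization:", authorization_header(TWITTER_PARAMS, signed["oauth_signature"]))
    print("FreshBooks PLAINTEXT:", freshbooks_plaintext_header_value())
```

The provider verifies by rebuilding exactly the same base string from the request it received, which is why the URI normalization and parameter encoding have to be bit-for-bit identical on both sides; most real-world "signature invalid" failures come from a port, a query parameter or a body parameter that one side included and the other did not. The constant-time compare matters because the signature is the only thing standing between the request and the protected resource.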
Common Questions
What about Desktop & Mobile applications?
What the heck is OAuth WRAP?
What does OAuth have to do with OpenID?
What is up with OAuth 2?
OAuth 2.0
Problems with OAuth 1.0
  Complex cryptographic requirements
  Poor user experience for desktop / mobile
  Performance at scale
OAuth 2.0
OAuth 2.0 defines authorization flows.
  User Delegation Flows
  Direct Credentials Flows
  Autonomous Flows
User Delegation Flows
  User-Agent Flow
  Web Server Flow
  Device Flow
Direct Credentials Flows
  Username and Password Flow
  Client Credentials Flow
Autonomous Flows
  Assertion Flow
OAuth 2.0
  Bearer tokens over SSL
  Simpler signatures
  Short lived tokens with refresh tokens
  Authorization server and resource server
Progress
OAuth 2.0 is currently in its 5th version of an IETF Draft.
There are implementations in the wild including Facebook, 37 Signals and Github.
There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
So things are looking good, but as always when working with something this new...
Resources
  http://oauth.net/
  http://tools.ietf.org/html/rfc5849
  http://hueniverse.com/oauth/
  http://tools.ietf.org/html/draft-ietf-oauth-v2-07
thank you!
Paul Osman
paul@eval.ca

Introduction to OAuth

  • 1. OAuth: Open Standard for Sharing
        #OpenWebTO - June 1st, 2010
  • 7. Sharing without passwords.
        Sites exchange user authorized tokens.
        Tokens can be revoked.
        Tokens can be scoped.
        Tokens can be time-limited.
  • 9. Terminology has changed a lot. These slides are old school.
  • 11. some history
        12/07 - OAuth 1.0
        06/08 - OAuth 1.0a
        11/09 - OAuth WRAP
        03/10 - OAuth 2.0 Draft 1
        04/10 - RFC 5849
        05/10 - OpenID Connect
  • 12. OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
  • 13. Step 1. Attacker initiates OAuth authorization.
  • 14. Step 2. Tricks victim into visiting authorization URI specially crafted for nefarious purposes (attacker specifies the callback).
  • 15. Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
  • 16. Step 4. Attacker completes the OAuth workflow. Has access to the victim's protected resources.
  • 18. The Result
        Inconsistent implementations.
        Different fixes for older providers.
        Be aware.
  • 21. Endpoint URIs
        Request Token URL
        User Authorization URL
        Access Token URL
  • 23. Example: Twitter
        Request:
        POST /oauth/request HTTP/1.1
        Host: local.eval.ca:8000
        User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
        ...
        Content-Type: application/x-www-form-urlencoded
        Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485",
          oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1",
          oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"
        Response:
        oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&
        oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
  • 24. Example: FreshBooks
        Request:
        Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018",
          oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT",
          oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26",
          oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"
        Response:
        oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&
        oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&
        oauth_callback_confirmed=true
  • 25. Redirect user to Authorization URI
        Twitter: http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
        FreshBooks: https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
  • 26. Handle Callback
        Twitter: http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
        FreshBooks: http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
          &oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
  • 27. Exchange authorized Request Token for Access Token
  • 28. Example: Twitter
        Request:
        Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497",
          oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1",
          oauth_version="1.0", oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0",
          oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"
        Response:
        oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&
        oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&
        user_id=149686823&screen_name=freshnotifydemo
  • 29. Example: FreshBooks
        Request:
        Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
          oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
          oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
          oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
          oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"
        Response:
        oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
  • 31. Example: Twitter
        Request:
        POST /1/statuses/update.json HTTP/1.1
        ...
        Content-Type: application/x-www-form-urlencoded
        Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995",
          oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1",
          oauth_version="1.0", oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
          oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

        status=Ohai.
        Response:
        { a lot of JSON }
  • 32. Example: FreshBooks
        Request:
        POST /api/2.1/xml-in HTTP/1.1
        ...
        Content-Type: application/xml
        Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
          oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
          oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
          oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
          oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

        <request method="invoice.list" />
        Response:
        <response status="ok"> A bunch of XML </response>
  • 33. Common Questions
        What about Desktop & Mobile applications?
        What the heck is OAuth WRAP?
        What does OAuth have to do with OpenID?
        What is up with OAuth 2?
  • 35. Problems with OAuth 1.0
        Complex cryptographic requirements
        Poor user experience for desktop / mobile
        Performance at scale
  • 36. OAuth 2.0
        OAuth 2.0 defines authorization flows.
        User Delegation Flows
        Direct Credentials Flows
        Autonomous Flows
  • 37. User Delegation Flows
        User-Agent Flow
        Web Server Flow
        Device Flow
  • 38. Direct Credentials Flows
        Username and Password Flow
        Client Credentials Flow
  • 39. Autonomous Flows
        Assertion Flow
  • 40. OAuth 2.0
        Bearer tokens over SSL
        Simpler signatures
        Short lived tokens with refresh tokens
        Authorization server and resource server
  • 42. OAuth 2.0 is currently in its 5th version of an IETF Draft.
  • 43. There are implementations in the wild including Facebook, 37 Signals and Github.
  • 44. There are Objective C, Python and Ruby libraries available with varying degrees of completeness.
  • 45. So things are looking good, but as always when working with something this new...
  • 47. Resources
        http://oauth.net/
        http://tools.ietf.org/html/rfc5849
        http://hueniverse.com/oauth/
        http://tools.ietf.org/html/draft-ietf-oauth-v2-07
  • 49. thank you!
        Paul Osman
        paul@eval.ca
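Every request in the slides' 1.0a walk-through (request token, access token, protected resource) carries an oauth_signature computed with either HMAC-SHA1 or PLAINTEXT over a signature base string (RFC 5849 section 3.4), and the access-token step carries the oauth_verifier that 1.0a added to close the session fixation hole. The following is an added example, not code from the slides, Twitter or FreshBooks: it builds the base string, signs and verifies it, and performs the provider-side verifier check; the sample request is the one in RFC 5849 section 3.4.1.1 (the `RFC_*` names are this example's own), and the secret values used in the test are the PLAINTEXT consumer and token secrets visible on slides 24 and 29.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped."""
    return quote(s, safe="~")

def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1): METHOD & base URL & normalized parameters."""
    u = urlsplit(url)
    scheme, port = u.scheme.lower(), u.port
    base_url = f"{scheme}://{u.hostname.lower()}"
    if port and port != {"http": 80, "https": 443}.get(scheme):  # default ports are dropped
        base_url += f":{port}"
    base_url += u.path
    # Query string, form body and oauth_* header params are pooled; oauth_signature is excluded.
    pairs = list(parse_qsl(u.query, keep_blank_values=True)) + list(params)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign_hmac_sha1(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer_secret&token_secret (each percent-encoded), base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_plaintext(consumer_secret, token_secret=""):
    """PLAINTEXT sends the secrets themselves, so it is only acceptable over TLS."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def verify_hmac_sha1(received, base, consumer_secret, token_secret=""):
    """Provider side: recompute over the received request and compare in constant time."""
    return hmac.compare_digest(received, sign_hmac_sha1(base, consumer_secret, token_secret))

def verifier_matches(issued, request_token, oauth_verifier):
    """1.0a fix: the access-token request must carry the oauth_verifier the provider bound
    to this request token at callback time, so a token the user never authorized has none."""
    expected = issued.get(request_token)
    return expected is not None and hmac.compare_digest(expected, oauth_verifier)

# Sample request from RFC 5849 section 3.4.1.1 (spec example, not from the slides).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_PARAMS = list(parse_qsl("c2&a3=2+q", keep_blank_values=True)) + [
    ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"), ("oauth_nonce", "7d8f3e4a")]
RFC_BASE = base_string("POST", RFC_URL, RFC_PARAMS)
```

Note that the header value on slide 29 is the percent-encoded form of `sign_plaintext(...)`, which is why `&` appears as `%26` there.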