Introduction to OAuth 1.0a
ver 0.3
Satoru Takeuchi
<satoru.takeuchi@gmail.com>
Introduction to OAuth 1.0a. Intended as preparation for reading OAuth Core 1.0 Revision A.

Changelog:
- 0.2: Add figures
- 0.3: Some minor fixes for improving readability. In addition, add the reference which explains how to use ruby's oauth library.

Introduction
● This document is intended as preparation for reading the specification of OAuth 1.0a [1]
  ○ OAuth 1.0a is *very complex* (at least for me) and hard to understand
  ○ Although the simpler OAuth 2.0 exists, OAuth 1.0a is still used by many web services
● Some features are omitted for simplicity
  ○ e.g. out-of-band authentication
● Please let me know if you have any comments

Agenda
● What is it
● Advantages
● Processing flow

What is it
● The authorization mechanism by which a web service (Provider) permits third-party services (Consumers) to use its functions on behalf of its users (Users)
● Basic terms

  Name     | Meaning                                                          | Typical example
  Provider | An arbitrary web service                                         | Famous SNS services like Facebook and Twitter
  Consumer | A service that needs Provider’s functions to implement its own   | Facebook clients and Twitter clients
  User     | User of both Provider and Consumer                               | You

Advantages
● Can reduce security risks compared with password authentication
  ○ User does not need to give Consumer unnecessary information and authorization

                                  | Password authentication | OAuth
  Information User gives Consumer | User ID and password    | Tokens that can only be used for the subset of Provider’s functions
  Authorized Provider’s functions | All functions           | The subset of Provider’s functions that Consumer requests and User permits

Processing flow
● The processing flow is described in the following order
  a. Overview of all processes
  b. When each process is used
  c. The summary of each process
    ■ Sequence diagram
    ■ The explanation for each sequence

Processing flow: overview
(Sequence diagram with three participants: User, Consumer, Provider)
1) Register itself as Consumer
2) Authorize Consumer
3) Authenticate “Authorized” Consumer
4) Use Provider’s functions
5) Rescind Consumer’s Authorization
6) Unregister itself

When each process is used
(The same sequence diagram, annotated with how often each step occurs)
1) Register itself as Consumer: used once, when a Consumer starts its service
2) Authorize Consumer: used once, when a User starts to use a Consumer
3) Authenticate “Authorized” Consumer: used once when a User starts to use a Consumer, or when the previous authentication has timed out
4) Use Provider’s functions: used once per Consumer use of a Provider’s function
5) Rescind Consumer’s Authorization: used once, when a User stops using a Consumer
6) Unregister itself: used once, when a Consumer stops its service

The summary of each process
● The following processes are described
  a. Register a service as Consumer
  b. Authorize Consumer
  c. Authenticate “Authorized” Consumer
  d. Use Provider’s functions
● Other processes are not described
  a. How they are done depends very much on each Provider

Register a service as Consumer
(Sequence diagram between Consumer and Provider)
1) Visit Registration URI
2) List of functions exported to Consumers
3) Declare functions to use on behalf of Users
4) The information for authenticating Consumer

Register a service as Consumer
1. Consumer: Visit Provider’s registration URI
2. Provider: Give the list of functions exported to Consumers
3. Consumer: Declare which functions it will use, chosen from the list of functions Provider offers
4. Provider: Give Consumer the following tokens
  ○ consumer_key: Used for identifying Consumer
  ○ consumer_secret: Used for authenticating Consumer

Prepare to authorize Consumer
(Sequence diagram between Consumer and Provider)
1) Make and sign a request
2) Send the signed request
3) Authenticate Consumer
4) Give the information needed by the authorization request

Prepare to authorize Consumer
1. Consumer: Make a request from the following information
  ○ consumer_key
  ○ etc.
2. Consumer: Sign the request with consumer_secret
3. Consumer: Send the request to Provider’s request token URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer
5. Provider: Give the following information to Consumer
  ○ request token: Used for identifying the authorization request
  ○ request token secret: Used for the authorization request

Authorize Consumer
(Sequence diagram between User, Consumer and Provider)
1) Redirect to Provider’s authorization URI with callback URI
2) Redirected
3) Request ID/password
4) Give ID/password
5) Ask for authorizing Consumer to use the list of functions
6) Answer “Yes”
7) Redirect to callback URI with information for identifying “Authorized” Consumer
8) Redirected

Authorize Consumer
1. Consumer: Make a request with the following information
  ○ request token
  ○ Callback: URI to which User should be redirected after authorization
  ○ etc.
2. Consumer: Sign the request with request token secret
3. Consumer: Redirect User to Provider’s authorization URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate User, typically with ID and password
5. Provider: Ask User whether to authorize Consumer to use a subset of Provider’s functions on behalf of User
6. Provider: Give Consumer the following token
  ○ oauth_verifier: Used for identifying authorized Consumer
7. Provider: Redirect User to callback URI

Authenticate “Authorized” Consumer
(Sequence diagram between Consumer and Provider)
1) Make and sign a request
2) Send the signed request
3) Authenticate Consumer
4) Give the information needed for using Provider’s functions

Authenticate “Authorized” Consumer
1. Consumer: Make a request from the following information
  ○ consumer_key
  ○ request token
  ○ oauth_verifier
  ○ etc.
2. Consumer: Sign the request with the key constructed from consumer_secret and request token secret
3. Consumer: Send the request to Provider’s access token URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer
5. Provider: Give Consumer the following tokens
  ○ access token: Used for identifying authorized Consumer
  ○ access token secret: Used for authenticating “authorized” Consumer

Use Provider’s functions
(Sequence diagram between User, Consumer and Provider)
1) Use Consumer’s function
2) Make and sign a request
3) Send the signed request to Provider’s API URI
4) Authenticate Consumer
5) Execute a requested function
6) Return the result
7) Return the result

Use Provider’s functions
1. User: Use a Consumer’s function that requires a Provider’s function
2. Consumer: Make a request from the following information
  ○ API’s parameters
  ○ access token
  ○ etc.
3. Consumer: Sign the request with the key constructed from consumer_secret and access token secret
4. Consumer: Send the request to Provider’s API URI
5. Provider: Authenticate Consumer
6. Provider: Execute the requested function
7. Provider: Give the result of the API call to Consumer
8. Consumer: Achieve its function with the result

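The slides say "sign the request" and "authenticate Consumer" several times (request token, access token and API calls) without showing what the signature is. The following is an added example, not part of the original slides or of any library the slides cite: a Consumer-side HMAC-SHA1 signing routine that builds the OAuth 1.0a signature base string and signs it with the key consumer_secret "&" token secret, plus a Provider-side "Authenticate Consumer" check that, besides verifying the signature, enforces a timestamp window and rejects a reused nonce. The request, secrets and expected base string are the ones printed in RFC 5849 section 3.4.1.1 and serve as a check vector; the Provider class, its nonce store and the sample secrets dictionary are this example's own constructions.

```python
# Added example, not part of the original slides: how a Consumer signs an
# OAuth 1.0a request with HMAC-SHA1 (slides 16, 20 and 22) and how a Provider
# performs its "Authenticate Consumer" step (slides 15, 19 and 21). Standard
# library only. The sample request and expected base string are taken from
# RFC 5849 section 3.4.1.1; the Provider class and its checks are this
# example's own construction.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# RFC 3986 unreserved characters; OAuth 1.0a percent-encodes every other byte.
UNRESERVED = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def percent_encode(s: str) -> str:
    """OAuth percent-encoding: UTF-8 bytes, uppercase %XX for all but unreserved."""
    return "".join(chr(b) if b in UNRESERVED else "%%%02X" % b for b in s.encode("utf-8"))


def base_string_uri(url: str) -> str:
    """Lowercase scheme and host, drop default ports, drop query and fragment."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname, p.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Method, base string URI and normalized parameters, each encoded, joined by '&'.
    oauth_params holds the oauth_* parameters WITHOUT oauth_signature; body is the
    application/x-www-form-urlencoded request body, if any."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += list(oauth_params.items())
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is consumer_secret '&' token_secret, each part percent-encoded. The token
    part is empty for the request token call, the request token secret for the
    access token call, and the access token secret for API calls."""
    key = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


class Provider:
    """Provider-side authentication: known consumer, fresh timestamp, unused nonce,
    valid signature. The secrets it holds are constructed sample data."""

    def __init__(self, consumer_secrets: dict, token_secrets: dict, window: int = 300):
        self.consumer_secrets, self.token_secrets, self.window = consumer_secrets, token_secrets, window
        self.seen_nonces = set()  # (consumer_key, timestamp, nonce) already accepted

    def authenticate(self, method, url, body, oauth_params, signature, now: int) -> str:
        key = oauth_params.get("oauth_consumer_key", "")
        if key not in self.consumer_secrets:
            return "unknown consumer"
        if abs(now - int(oauth_params.get("oauth_timestamp", "0"))) > self.window:
            return "stale timestamp"
        nonce_id = (key, oauth_params.get("oauth_timestamp"), oauth_params.get("oauth_nonce"))
        if nonce_id in self.seen_nonces:
            return "replayed nonce"
        token_secret = self.token_secrets.get(oauth_params.get("oauth_token", ""), "")
        expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body),
                                       self.consumer_secrets[key], token_secret)
        if not hmac.compare_digest(expected, signature):  # constant-time comparison
            return "bad signature"
        self.seen_nonces.add(nonce_id)  # record only after the request is fully verified
        return "ok"


# Check vector from RFC 5849 section 3.4.1.1 (not from the slides).
RFC_METHOD, RFC_BODY = "POST", "c2&a3=2+q"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")


def demo() -> dict:
    """Consumer signs the RFC request; Provider rejects a tampered body, accepts the
    genuine request once, and rejects its replay."""
    base = signature_base_string(RFC_METHOD, RFC_URL, RFC_OAUTH, RFC_BODY)
    sig = hmac_sha1_signature(base, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET)
    provider = Provider({RFC_OAUTH["oauth_consumer_key"]: RFC_CONSUMER_SECRET},
                        {RFC_OAUTH["oauth_token"]: RFC_TOKEN_SECRET})
    now = int(RFC_OAUTH["oauth_timestamp"])
    tampered = provider.authenticate(RFC_METHOD, RFC_URL, "c2&a3=other", RFC_OAUTH, sig, now)
    first = provider.authenticate(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH, sig, now)
    replay = provider.authenticate(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH, sig, now)
    return {"base_string_ok": base == RFC_BASE_STRING, "signature": sig,
            "tampered": tampered, "first": first, "replay": replay}
```

Two points the flow slides leave implicit are visible here: the token secret in the signing key is what ties a request to the step it belongs to (empty, request token secret, or access token secret), and the Provider records a nonce only after the signature has verified, so a forged request cannot be used to burn a legitimate nonce.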
References
● [1] OAuth Core 1.0 Revision A
  ○ http://oauth.net/core/1.0a
● [2] Zero to Hero ~ The Linkedin OAuth Dance by Taylor Singletary
  ○ http://www.slideshare.net/episod/linkedin-oauth-zero-to-hero
● [3] OAuth Ruby example
  ○ http://wiki.openstreetmap.org/wiki/OAuth_ruby_examples