Authorization with OAuth          Rob Richards        October 22, 2009          cdatazone.org   http://xri.net/=rob.richards
Authentication• HTTP Authentication  • Basic  • Digest  • TLS/SSL• WS-Security• Developer Keys• 3rd Party Authentication  ...
OAuth   An Open Protocol       to allowSecure API Authorization
Oauth is not OpenID       Oauth      Is Like      OpenID
Data AuthorizationPlaxo
OAuth OAuthis like aValet Key
OAuth   OAuth   is like aHotel Keycard
M as ter K ey101       103    105   107102       104    106   108
Gues t K ey: Granting Acces s       101      103      105    107        102     104      106    108
Gues t K ey: R evoking Acces s       101       103      105    107        102      104      106    108
M as ter K ey M aintains Full Acces s           101       103      105       107           102       104      106       108
Oauth C lients
OAuth and Netf ix              ldeveloper.netf ix.com             l
Netf ix API   l
Netf ix API: Us er R es ources   l
Netf ix Applications ... and many more   l
Obtaining a C ons umer K ey / S ecret
Obtaining a C ons umer K ey / S ecret
3-Leg g ed OAuth“The OAuth Dance”
S tep 1: Obtaining a R eques t Tokenhttp://api.netfix.com/oauth/request_token            Signed Request           Request ...
S tep 1: Obtaining a R eques t Tokenhttp://api.netfix.com/oauth/request_token?oauth_callback=http%3A%2F%2Fwww.example.com%...
C alculating The S ig natureCalculate Base String<HTTP method>&<canonicalized URL path>&<parameters>GET&http%3A%2F%2Fapi.n...
C alculating The S ig nature• Parameters are collected, sorted and concatenated into a   normalized string  • Parameters i...
C alculating The S ig nature (Authorization Header)GET /oauth/request_token HTTP/1.1User-Agent: PECL::HTTP/1.6.4 (PHP/5.2....
C alculating The S ig natureCreate Secret<consumer secret>&<token secret>1234567890123456789012345&Sign Base String using ...
S tep 1: Obtaining a R eques t Token (R es pons e)oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_token_secret=EZ2mBk6rC2vZ&oau...
S tep 2: Us er Authentication              Determined by needs of Service Providerhttps://api-user.netfix.com/oauth/login?...
S tep 2: Us er AuthenticationDetermined by needs of Service Provider                  Callbackoauth_token=bqba9rku48yacfat...
S tep 2: Us er AuthenticationDetermined by needs of Service Provider
Oauth Trus tA Matter   Of  Trust
S tep 3: Obtaining an Acces s Tokenhttp://api.netfix.com/oauth/access_token            Signed Request           Access Tok...
S tep 3: Obtaining an Acces s Tokenhttp://api.netfix.com/oauth/access_token?oauth_consumer_key=1234567890123456789012345&o...
C alculating The S ig natureCalculate Base String<HTTP method>&<canonicalized URL path>&<parameters>GET&http%3A%2F%2Fapi.n...
C alculating The S ig natureCreate Secret<consumer secret>&<token secret>1234567890123456789012345&EZ2mBk6rC2vZSign Base S...
S tep 3: Obtaining an Acces s Token (R es pons e)oauth_token=5432109876543210987654321&user_id=123myuserid456&oauth_token_...
Acces s ing R es ourceshttp://api.netfix.com/<path to resource>            Signed Request               Resource
Acces s ing R es ourceshttp://api.netfix.com/users/123myuserid456/queues?oauth_consumer_key=1234567890123456789012345&oaut...
C alculating The S ig natureCreate Secret<consumer secret>&<token secret>1234567890123456789012345&543210987654321Sign Bas...
Acces s ing R es ources (R es pons e)<?xml version="1.0" standalone="yes"?><resource> <link href="http://api.netfix.com/us...
Acces s ing R es ources (R es pons e)
M anag ing Acces s Tokens
2-Leg g ed OAuth• No Dance Required• Only Consumer Key and Secret required• Application making requests on its own behalf•...
Ques tions ?Authorization with OAuth        Rob Richards  http://xri.net/=rob.richards     www.cdatazone.org
Upcoming SlideShare
Loading in...5
×

Authorization with oAuth

904

Published on

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
904
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
48
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Authorization with oAuth

  1. 1. Authorization with OAuth Rob Richards October 22, 2009 cdatazone.org http://xri.net/=rob.richards
  2. 2. Authentication• HTTP Authentication • Basic • Digest • TLS/SSL• WS-Security• Developer Keys• 3rd Party Authentication • Yahoo BBAuth • AOL OpenAuth
  3. 3. OAuth An Open Protocol to allowSecure API Authorization
  4. 4. Oauth is not OpenID Oauth Is Like OpenID
  5. 5. Data AuthorizationPlaxo
  6. 6. OAuth OAuthis like aValet Key
  7. 7. OAuth OAuth is like aHotel Keycard
  8. 8. M as ter K ey101 103 105 107102 104 106 108
  9. 9. Gues t K ey: Granting Acces s 101 103 105 107 102 104 106 108
  10. 10. Gues t K ey: R evoking Acces s 101 103 105 107 102 104 106 108
  11. 11. M as ter K ey M aintains Full Acces s 101 103 105 107 102 104 106 108
  12. 12. Oauth C lients
  13. 13. OAuth and Netf ix ldeveloper.netf ix.com l
  14. 14. Netf ix API l
  15. 15. Netf ix API: Us er R es ources l
  16. 16. Netf ix Applications ... and many more l
  17. 17. Obtaining a C ons umer K ey / S ecret
  18. 18. Obtaining a C ons umer K ey / S ecret
  19. 19. 3-Leg g ed OAuth“The OAuth Dance”
  20. 20. S tep 1: Obtaining a R eques t Tokenhttp://api.netfix.com/oauth/request_token Signed Request Request Token & Secret
  21. 21. S tep 1: Obtaining a R eques t Tokenhttp://api.netfix.com/oauth/request_token?oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback&oauth_consumer_key=1234567890123456789012345&oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e&oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1255631744&oauth_version=1.0
  22. 22. C alculating The S ig natureCalculate Base String<HTTP method>&<canonicalized URL path>&<parameters>GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Frequest_token&oauth_callback%3Dhttp%253A%252F %252Fwww.example.com%252Fcallback %26oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D3eb496472d2a46ceb71d65fc1b7341ae359f932c %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp %3D1255631744%26oauth_version%3D1.0
  23. 23. C alculating The S ig nature• Parameters are collected, sorted and concatenated into a normalized string • Parameters in the OAuth HTTP Authorization header excluding the realm parameter. • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). • HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3)• The oauth_signature parameter MUST be excluded• Parameters are sorted by name, using lexicographical byte value ordering
  24. 24. C alculating The S ig nature (Authorization Header)GET /oauth/request_token HTTP/1.1User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10)Host: api.netfix.comAccept: */*Authorization: OAuth oauth_callback="http%3A%2F %2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
  25. 25. C alculating The S ig natureCreate Secret<consumer secret>&<token secret>1234567890123456789012345&Sign Base String using algorithm specifedHMAC(1234567890123456789012345&,<Base String>)Base64 encode then URL encode result:oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
  26. 26. S tep 1: Obtaining a R eques t Token (R es pons e)oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_token_secret=EZ2mBk6rC2vZ&oauth_callback_confrmed=true&login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth %2Flogin
  27. 27. S tep 2: Us er Authentication Determined by needs of Service Providerhttps://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
  28. 28. S tep 2: Us er AuthenticationDetermined by needs of Service Provider Callbackoauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
  29. 29. S tep 2: Us er AuthenticationDetermined by needs of Service Provider
  30. 30. Oauth Trus tA Matter Of Trust
  31. 31. S tep 3: Obtaining an Acces s Tokenhttp://api.netfix.com/oauth/access_token Signed Request Access Token & Secret
  32. 32. S tep 3: Obtaining an Acces s Tokenhttp://api.netfix.com/oauth/access_token?oauth_consumer_key=1234567890123456789012345&oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a&oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1255704433&oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg&oauth_version=1.0
  33. 33. C alculating The S ig natureCalculate Base String<HTTP method>&<canonicalized URL path>&<parameters>GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Faccess_token&oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1255704433%26oauth_token %3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg %26oauth_version%3D1.0
  34. 34. C alculating The S ig natureCreate Secret<consumer secret>&<token secret>1234567890123456789012345&EZ2mBk6rC2vZSign Base String using algorithm specifedHMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>)Base64 encode then URL encode result:oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
  35. 35. S tep 3: Obtaining an Acces s Token (R es pons e)oauth_token=5432109876543210987654321&user_id=123myuserid456&oauth_token_secret=543210987654321
  36. 36. Acces s ing R es ourceshttp://api.netfix.com/<path to resource> Signed Request Resource
  37. 37. Acces s ing R es ourceshttp://api.netfix.com/users/123myuserid456/queues?oauth_consumer_key=1234567890123456789012345&oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2&oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1255712310&oauth_token=5432109876543210987654321&oauth_version=1.0&v=1.5
  38. 38. C alculating The S ig natureCreate Secret<consumer secret>&<token secret>1234567890123456789012345&543210987654321Sign Base String using algorithm specifedHMAC(1234567890123456789012345&543210987654321,<Base String>)Base64 encode then URL encode result:oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
  39. 39. Acces s ing R es ources (R es pons e)<?xml version="1.0" standalone="yes"?><resource> <link href="http://api.netfix.com/users/123myuserid456/queues/disc" rel="http://schemas.netfix.com/queues.disc" title="disc queue" /> <link href="http://api.netfix.com/users/123myuserid456/queues/instant" rel="http://schemas.netfix.com/queues.instant" title="instant queue" /></resource>
  40. 40. Acces s ing R es ources (R es pons e)
  41. 41. M anag ing Acces s Tokens
  42. 42. 2-Leg g ed OAuth• No Dance Required• Only Consumer Key and Secret required• Application making requests on its own behalf• Direct Access / No Delegation• Replacement for HTTP Basic Authentication• Sign request just as if they were requests for Request Tokens
  43. 43. Ques tions ?Authorization with OAuth Rob Richards http://xri.net/=rob.richards www.cdatazone.org
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×