Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OAuth

9,285 views

Published on

Published in: Technology, Design

OAuth

  1. 1. Delegated Authorization http://flickr.com/photos/claveirole/3028193046/
  2. 2. Community Driven
  3. 3. Extraction of Existing Patterns
  4. 4. http://flickr.com/photos/olivander/58499153/ Flexible ... ... But with a low barrier to entry.
  5. 5. Web-Native
  6. 6. So how does it work?
  7. 7. The User
  8. 8. Jane
  9. 9. Her Protected Resources Jane
  10. 10. Jane
  11. 11. Jane A Service Provider
  12. 12. Jane
  13. 13. Jane And a Consumer
  14. 14. Jane
  15. 15. The Problem fake : Hi Jane, what’s your username? : I dunno, jane@hotmail.com? fake : Okay, great! What’s your password? : h4pp1n3ss fake : Brilliant! We’ll steal your credit card details using your email account print those photos right away!
  16. 16. Step 1: Intent : Hey, ! I need to print out some that are on , but I marked them as private. Could you print them for me? : Sure, but first I need to ask for permission.
  17. 17. Step 2: Request Token ! Can I have a Request Token? “Hi ! This is HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd” : Great, thanks!
  18. 18. Step 3: Authorize Request Token : Hey, could you go to flickr and authorize this Request Token: 9iKot2y5UQTDlS2V? Once you do that, I can access your . : Sure, one sec! My browser’s great at redirects, so this won’t hurt a bit.
  19. 19. Step 3, Continued : , I’d like to authorize 9iKot2y5UQTDlS2V : Sure - just to be sure, you’re authorizing for read-only access to your private photos? We trust them, so it’s pretty safe. : Yup, that’s right! : Cool. Now, go back and tell to go ahead.
  20. 20. Step 3, Optional Notify : Hey, , I gave permission to and they said you could go ahead. : Awesome, thanks! I’ll get right on that.
  21. 21. Step 4: Exchange Token Hey, . Could I exchange this token: 9iKot2y5UQTDlS2V for the Access Token? HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe” : Great, thanks!
  22. 22. Step 5: Access Data Dear , I’d like to access the photos that are owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.) : Here they are! Any other requests?
  23. 23. Things to Note (non-obvious) • No identity information. Moo doesn’t know who Jane is on Flickr. • The Consumer could be anonymous. • The User could be anonymous (where permission is implicit), providing verified User-Agent. • API-independent. • Tokens (permissions) can be revoked.
  24. 24. Signatures • Currently three methods: • HMAC-SHA1 (shared secrets + hash) • PLAINTEXT (shared secrets + SSL) • RSA-SHA1 (PKI)
  25. 25. Signatures • Signature Base String is what we called the signed bits. It includes: • URI • Request Parameters • OAuth Parameters • Does NOT sign HTTP Headers, non x-www-form-urlencoded HTTP Body.
  26. 26. Signatures • Not just limited to HTTP. • Signature method exists for XMPP, methods could be described for any protocol. • Did we mention it’s extensible? Easy to describe extensions to sign, for example, multi-part HTTP bodies.
  27. 27. OAuth Request Example
  28. 28. The Request GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80
  29. 29. The Request, with OAuth GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot;
  30. 30. How did we get there? • Collect the following: • Consumer Key & Secret • Access Token & Secret • Timestamp and Nonce • Request Parameters (normalized) • Destination URI and HTTP method
  31. 31. Request Example GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
  32. 32. HTTP Request Method GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
  33. 33. Request URI GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
  34. 34. Request Parameters GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg %26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal
  35. 35. Request Parameters GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot; Signature: HMAC-SHA1(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file %3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce %3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk %26oauth_version%3D1.0%26size%3Doriginal)
  36. 36. Issues • Documentation. • Spec is precise, not ideal for implementors. • Harder than HTTP Basic Auth. • Concerns of API usage dropoff due to user loss during the redirect step. • Not perfect. Doesn’t solve phishing / brute force attacks.

×