Building and using web services with OAuth
My talk from Skillswap goes Portable, giving an introduction to OAuth
  1. BUILDING AND USING SECURE WEB SERVICES WITH OAUTH. Skillswap Goes Portable, November 25, 2008. Bruce Boughton [email_address] http://bruceboughton.me.uk http://lab.madgex.com/
  2. web services are about data. let’s think about data...
  3. DATA SHOULD BE PORTABLE (even your private data)
     - The Internet is awash with data (put there by our users)
  4. why?
  5. CONTROL YOUR DATA. Don't get locked into one vendor.
  6. Mashups: <data> MORE INTERESTING. http://pipes.yahoo.com/bruceboughton/skillswapmashup
  7. RE-PURPOSE YOUR DATA in different contexts
  8. Data is portable if you can easily ACCESS IT and INTERPRET IT
  9. Data should be available in STANDARD DATA FORMATS: XML, POSH, JSON, μf (microformats)
  10. How can users let third parties ACCESS THEIR PRIVATE DATA?
      - User data is moving to the cloud
  11. 40-60% OF TWEETS VIA API*. Blaine Cook co-authored OAuth.
      - Why pick on Twitter?
  12. http://kecute.wordpress.com/2007/11/05/cat-computer-geek/
  13. we need an easy, user-friendly standard for third-party API security
  14. GOOGLE CONTACTS DEMO: http://lab.madgex.com/oauth-net/googlecontacts/
  15. YOU CHOOSE who you share YOUR DATA with
      - OAuth puts the user back in control
  16. NO NEED to give out your PASSWORD
      - OAuth is secure
  17. FIRE EAGLE LOCATION DEMO: http://whereami.lab.madgex.com/
  18. Supports FINE-GRAINED privacy controls
      - Lightweight and open for extension
  19. Google, Yahoo, OpenSocial, Netflix, MySpace, Pownce, Ma.gnolia, SmugMug, GetSatisfaction and more...
      - Big name adoption
  20. one thing: OAuth != OpenID (but they do play nicely)
  21. OpenID is authentication. OAUTH IS ACCESS CONTROL.
  22. let’s get technical
  23. Protected resources are exposed by service providers and used by consumer applications on behalf of users
  24. e.g. My physical location is exposed by the Fire Eagle API and used by the Madgex Lab demo on my behalf
  25. Consumer identity is asserted using a CONSUMER KEY and SECRET
  26. To fetch a protected resource, the consumer gets an ACCESS TOKEN (tied to a user, usually re-usable)
  27. To get an access token, the consumer asks the USER TO LOG IN and AUTHORIZE the request
  28. Requests are SIGNED and include a TIMESTAMP and NONCE
  29. This is just PLAIN OLD HTTP with added super powers
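As an added illustration of slides 25 to 29 (not code from the talk or from the OAuth.net library): OAuth 1.0 HMAC-SHA1 request signing on the consumer side, and verification on the service-provider side with the timestamp and nonce checks that stop a captured request from being replayed. The consumer key, secrets, token, user name and URL are constructed placeholder values; the `Provider` class and its registries are assumptions for the demo, not part of any real provider.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):  # RFC 3986 percent-encoding: only unreserved characters stay bare
    return quote(str(s), safe="~")

def base_string(method, url, params):
    # METHOD & encoded URL & encoded(sorted "k=v" pairs joined by &), every k and v encoded first
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed by "consumer_secret&token_secret"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()).decode()

def build_request(method, url, params, consumer_key, consumer_secret, token, token_secret,
                  nonce=None, timestamp=None):
    # Consumer side: add the oauth_* parameters (timestamp and nonce included) and sign them all
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_token=token,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_timestamp=str(int(time.time()) if timestamp is None else timestamp),
                  oauth_nonce=nonce or secrets.token_hex(8))
    signed["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return signed

class Provider:
    """Service-provider side (constructed demo): verify() returns the token's user, or None on failure."""
    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.tokens = tokens        # access token -> (consumer_key, token_secret, user)
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted
        self.window = window        # tolerated clock skew in seconds

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        p = dict(params)
        presented = p.pop("oauth_signature", "")
        ckey, nonce, ts = p.get("oauth_consumer_key"), p.get("oauth_nonce", ""), p.get("oauth_timestamp", "")
        tok = self.tokens.get(p.get("oauth_token", ""))
        if ckey not in self.consumers or tok is None or tok[0] != ckey:
            return None  # unknown consumer, unknown token, or token issued to another consumer
        if p.get("oauth_signature_method") != "HMAC-SHA1" or not ts.isdigit() or not nonce:
            return None
        if abs(now - int(ts)) > self.window or (ckey, int(ts), nonce) in self.seen:
            return None  # stale or replayed request
        if not hmac.compare_digest(sign(method, url, p, self.consumers[ckey], tok[1]), presented):
            return None  # signature does not match: tampered request or wrong secret
        self.seen.add((ckey, int(ts), nonce))  # record the nonce only once the signature checks out
        return tok[2]
```

The HTTP method and URL are part of the base string, so changing either (or any parameter) invalidates the signature without the consumer secret ever leaving the consumer.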
  30. don’t worry, there are plenty of open source libraries
  31. Ruby, .NET, Python, PHP, Java, JavaScript, Objective-C and more... http://oauth.net/code
  32. do we have time for some code? OAuth.net library: http://lab.madgex.com/oauth-net
  33. Configuring the Fire Eagle service (without discovery)
  34. Requesting the user’s location
  35. Handling authorization (if we didn’t already have an access token)
  36. Using the protected resource
  37. QUESTIONS? OR BEER. Bruce Boughton [email_address] http://bruceboughton.me.uk http://lab.madgex.com/