
OAuth4 (and OAuth4R)


  1. Auth Presentation to Singapore Ruby Brigade at SMU, School of Information System, 29 November 2007. Chew Choon Keat, sharedcopy.com (photo: http://flickr.com/photos/lachlanhardy/1400641336/)
  2. Why OAuth • Web 2.0 • APIs • Mashups
  3. Giving away access • Mint, “an impressive personal finance application”
  4. • Mint Terms of Service
  5. (photo: http://flickr.com/photos/brianoberkirch/1092087510/)
  6. Giving away access • “Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay.” - oauth.net
  7. Alternatives: Hidden Public • Random URLs • Security by obscurity
  8. Alternatives: Proprietary • Google AuthSub • AOL OpenAuth • Yahoo BBAuth • Upcoming API • Flickr API • Amazon Web Services API
  9. What is OAuth • “An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.”
  10. OAuth Flow • Registration (server to server) • Request Token • Authorization • Access Token (photo: http://flickr.com/photos/petromyzon/26252991/)
  11. End User (photo: http://flickr.com/photos/andreasnilsson1976/433173596/)
  12. Protected Resource (photo: http://flickr.com/photos/annettepedrosian/2071523294/)
  13. Service Provider (photo: http://flickr.com/photos/spectrasensors/322545693/)
  14. Consumer (photo: http://flickr.com/photos/infidelic/147930477/)
  15. Tokens (photo: http://flickr.com/photos/kt/364996966/)
  16. (diagram: Protected Resources, Consumer, Service Provider, End User)
  17. Consumer Registration: “Let’s work together, here are my details” (diagram: Consumer, Protected Resources, Service Provider, End User; photo: http://flickr.com/photos/marcroberts/1484118790/)
  18. Consumer Registration (diagram: Service Provider, Protected Resources, Consumer, End User)
  19. Consumer Registration: “These are our secrets. Use it every time you talk to me” (diagram: Service Provider, Protected Resources, Consumer, End User; photo: http://flickr.com/photos/9458565@N07/760773574/)
  20. Consumer Registration (diagram: Service Provider, Protected Resources, Consumer, End User)
  21. Use Case: “Print my pictures from SP” (diagram: Consumer, Protected Resources, Service Provider, End User)
  22. Get Request Tokens: “I have someone who needs you” (diagram: Consumer, Protected Resources, Service Provider, End User)
  23. Get Request Tokens: “Pass this to him, and bring him to me” (diagram: Service Provider, Protected Resources, Consumer, End User; photo: http://flickr.com/photos/9458565@N07/760773574/)
  24. Get Authorization: “Go to there. Bring this along” (diagram: Consumer, Protected Resources, Service Provider, End User)
  25. Get Authorization: “Hi, remember me?” (diagram: Service Provider, Protected Resources, Consumer, End User)
  26. Get Authorization: “Silver coin! You need Consumer to do things for you?” (diagram: Service Provider, Protected Resources, Consumer, End User)
  27. Get Authorization: “Yes” (diagram: Service Provider, Protected Resources, Consumer, End User)
  28. Get Authorization: “Your wish is my command. Return there” (diagram: Service Provider, Protected Resources, Consumer, End User)
  29. Get Access Token: “It’s done!” (diagram: Protected Resources, Consumer, Service Provider, End User)
  30. Get Access Token: “He said ok? Gimme the keys” (diagram: Consumer, Protected Resources, Service Provider, End User)
  31. Get Access Token: “Ignore that silly silver coin... Use this from now on and I will always treat you as he” (diagram: Service Provider, Protected Resources, Consumer, End User; photo: http://flickr.com/photos/azuric/150520121/)
  32. Get Access Token (diagram: Consumer, Protected Resources, Service Provider, End User)
  33. Use Access Token: “Gimme MY pictures” (diagram: Consumer, Protected Resources, Service Provider, End User)
  34. Using Access Token (diagram: Service Provider, Protected Resources, Consumer, End User)
  35. Using Access Token • Whenever Consumer calls SP’s API • e.g. GET /photos.xml • bring consumer key and access token • sign with consumer secret & access secret • Service Provider verifies the signature • and treats the request as the End User
  36. Using Access Token • User at Service Provider website can choose to invalidate the access for Consumer at any time
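As an added illustration of slides 35 and 36 (not code from this deck or from OAuth4R), the Ruby below shows the HMAC-SHA1 signing the Consumer performs on an API call and the check the Service Provider runs before treating the request as the End User; the consumer key, access token, both secrets and the URL are constructed sample values. The provider-side check goes slightly beyond the slide by also rejecting stale timestamps and replayed nonces, which the OAuth 1.0 spec expects a Service Provider to do.

```ruby
require 'openssl'
# Added demo of the HMAC-SHA1 signing from slide 35; credential tables are constructed samples.
CONSUMER_SECRETS = { 'ck_demo' => 'cs_demo' }.freeze   # consumer key -> consumer secret
ACCESS_SECRETS   = { 'at_tommy' => 'as_tommy' }.freeze # access token -> access secret
URL = 'http://localhost:5001/contacts.xml'             # request URL without query string
# OAuth percent-encoding: only RFC 3986 unreserved characters stay unencoded.
def oauth_escape(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end
# Signature base string: METHOD & encoded URL & encoded(sorted "k=v" pairs joined by &).
def signature_base_string(method, url, params)
  pairs = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  [method.upcase, oauth_escape(url), oauth_escape(pairs.map { |k, v| "#{k}=#{v}" }.join('&'))].join('&')
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret", base64 encoded.
def sign(method, url, params, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, signature_base_string(method, url, params))
  [digest].pack('m0')
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Consumer side: attach the oauth_* parameters to a GET of URL and sign them.
def signed_params(consumer_key, token, nonce, timestamp, extra = {})
  req = extra.merge('oauth_consumer_key' => consumer_key, 'oauth_token' => token,
                    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
                    'oauth_nonce' => nonce, 'oauth_version' => '1.0')
  req.merge('oauth_signature' => sign('GET', URL, req, CONSUMER_SECRETS[consumer_key], ACCESS_SECRETS[token]))
end

# Service Provider side: reject stale timestamps and replayed nonces, then recompute the
# signature over every parameter except oauth_signature and compare in constant time.
def verify_request(method, url, params, seen_nonces, now)
  ts = params['oauth_timestamp'].to_i
  return :stale_timestamp if (now - ts).abs > 300
  nonce = [params['oauth_consumer_key'], params['oauth_nonce'], ts]
  return :replayed_nonce if seen_nonces.include?(nonce)
  consumer_secret = CONSUMER_SECRETS[params['oauth_consumer_key']]
  token_secret = ACCESS_SECRETS[params['oauth_token']]
  return :unknown_credentials unless consumer_secret && token_secret
  unsigned = params.reject { |k, _| k == 'oauth_signature' }
  expected = sign(method, url, unsigned, consumer_secret, token_secret)
  return :bad_signature unless secure_equal?(expected, params['oauth_signature'].to_s)
  seen_nonces << nonce
  :ok
end
```

Revoking access (slide 36) is simply deleting the token's row from ACCESS_SECRETS, after which the same signed request fails with :unknown_credentials.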
  37. Desktop Flow
  38-44. Desktop Flow (screenshots: http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/)
  45. Introducing OAuth4R • Forget the protocol, just fill in the blanks • Provides code generators to allow a Rails website to support OAuth easily • Generated scaffolds do the OAuth dance out of the box • Developers only need to link tokens to their Users
  46. OAuth4R
        svn checkout http://oauth4r.googlecode.com/svn/trunk/example_apps
      • “Provider” site contains • users • users’ contacts • “Consumer” site contains • only users
  47. OAuth4R: Provider
        cd example_apps/oauth_provider
        rake db:create:all
        rake db:migrate
        ./script/server -p 5001
      • Users controller at http://localhost:5001/users • with primitive login implemented • Users’ Addressbook controller at http://localhost:5001/contacts • with primitive permissions based on user’s login
  48. OAuth4R: Consumer
        cd ../oauth_consumer/
        rake db:create:all
        rake db:migrate
        ./script/server -p 5000
      • Users controller at http://localhost:5000/users • even more primitive login implementation • For this demo, create a new user, “Tommy”
  49. OAuth4R: Provider
        cd ../oauth_provider/
        ./script/generate oauth_provider GetContact
        rake db:migrate
        patch -p0 < TODO.patch
        ./script/server -p 5001
      • Generate a “scaffold controller” • Controller does the OAuth dance • Modify to link up with your own user models
  50. • Modifying the generated OAuth controller • oauth_user = User.find(session..)
  51. • Modify your User model to has_many oauth_user • Modify the controller guarding Protected Resources to requires_oauth
  52. OAuth4R: Consumer
        cd ../oauth_consumer/
        ./script/generate oauth_consumer UseGetContact
        rake db:migrate
        patch -p0 < TODO1.patch
        ./script/server -p 5000
      • Generate a “scaffold controller” • Controller can do the OAuth dance with one service provider • Modify to link up with your User models
  53. • Modify the generated OAuth controller • oauth_user = User.find(session..)
  54. • Modify User to has_many oauth_user • Add a link to kick-start OAuth authorization: link_to .. new_use_get_contact_path
  55. Registering Consumer • Go to http://localhost:5000/use_get_contacts • Copy “Callback URL”
  56. Registering Consumer • http://localhost:5001/get_contacts/new • Paste “Callback URL” & click Register • Update config/use_get_contacts.oauth.yml
  57. User Authorization • Go to http://localhost:5000/users • Click on “Tommy > Show” to login • Click on “Establish OAuth...”
  58. User Authorization • Click “Create” and you’ll arrive at the provider site (http://localhost:5001) to login • Authorization prompt will appear • Click “Yes” & you’ll be redirected back to the consumer site (http://localhost:5000)
  59. All done, then what? • Scripts accessing APIs on behalf of End User • This demo uses a simple ActiveResource
  60. All done, then what?
        $ ruby script/fetch_contacts.rb
        /example_apps/oauth_consumer/vendor/rails/activeresource/lib/active_resource/connection.rb:124:in `handle_response': Failed with 500 Internal Server Error (ActiveResource::ServerError)
      • OAuth blocks our unauthenticated access • We need to modify our API callers slightly
        patch -p0 < TODO2.patch
  61. Modify ActiveResource • Add acts_as_oauth_resource • the underlying HTTP connection will automatically be padded with OAuth credentials
  62. Backend API Access? • Wrap ActiveResource activity inside with_oauth code blocks
  63. Done
        $ ruby script/fetch_contacts.rb
        ---
        - !ruby/object:Contact
          attributes:
            name: Dick
            updated_at: 2007-11-29 08:11:35 Z
            id: 1
            user_id: 1
            created_at: 2007-11-29 08:11:35 Z
          prefix_options: &id001 {}
        - !ruby/object:Contact
          attributes:
            name: Harry
            updated_at: 2007-11-29 08:11:35 Z
            id: 2
            user_id: 1
            created_at: 2007-11-29 08:11:35 Z
          prefix_options: *id001
  64. Ruby Links • OAuth4R http://oauth4r.googlecode.com/ • OAuth Rails Plugin http://oauth-plugin.googlecode.com/ http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider • OAuth Gem: sudo gem install oauth • OAuth (was Twitter) http://oauth.googlecode.com/svn/code/ruby/ • Google Group: oauth-ruby http://groups.google.com/group/oauth-ruby
  65. Thank you!
