OAuth: demystified (hopefully)

My presentation outlining and explaining the core concepts behind OAuth, presented to the online ColdFusion Meetup June 9th 2011 and at Scotch on the Rocks, 3rd March 2011

  • Awesome presentation. Loved it. Only thing is, I'm still confused! I want my client app to talk to my provider app. Both have APIs. Where do I create the app? Client or provider? And I don't have a redirect URL. I just have the APIs for the client and provider. What URL would I put in?

  1. OAuth: demystified (hopefully). Matt Gifford aka coldfumonkeh, http://www.mattgifford.co.uk
  2-8. Matt Gifford aka coldfumonkeh: ColdFusion / RIA; Author; Coffee Lover; blog at mattgifford.co.uk; tweet @coldfumonkeh; work at Fuzzy Orange
  9. Why Are We Here? Very good question...
  10. Access and Privacy
  11. Have You Ever... dealt with user authentication?
  12. Have You Ever... shared data through an external API?
  13. Have You Ever... received spam emails asking for personal details?
  14-15. Have You Ever... been spanked by an air stewardess holding a wet kipper whilst she called you ‘Betsie’?
  16. As A Developer You... (should) want to keep your clients / users happy
  17. As A Developer You... (should) aim to make integration, UX and UI as easy as possible for users
  18. As A Developer You... (should) make sure that users’ data is secure and protected wherever possible
  19. Privacy is Freedom
  20. I need your clothes, boots and your email address
  21. The password anti-pattern
  22. Access Via Email
  23. Ruh-Roh, Shaggy...
  24. Nothing To See Here
  25. Comfortable With This?
  26. Your Email = You
  27. Privacy is Freedom
  28. Ideally, we shouldn’t have to give these out or ask for them...
  29. Email addresses and passwords are valuable
  30. So... how can we stop asking for this information?
  31. So... how can we delegate access to obtain restricted information without bringing down a world of pain upon ourselves?
  32. What is OAuth?
  33. What is OAuth? A simple open standard for secure, delegated API authorization: the user grants a Consumer limited access to their data at a Service Provider without ever handing the Consumer their credentials (it is often loosely called “authentication”, but what the protocol standardises is authorization)
  34. Who Can Use It? Service Providers offering a web service or API that requires authorization to access restricted data for a number of functions / methods
  35. Who Can Use It? Consumers who wish to access that particular API or web service and wish to use a standardised method of obtaining that access
  36. Who Has Implemented OAuth?
  37. Who Has Implemented OAuth? Twitter, Google, Meetup.com, Netflix, TripIt, Yahoo!, Evernote, Vimeo ... and many more
  38. But What About...
  39. Sharing a single Identity with numerous consumers
  40. Sharing a single Identity with numerous consumers vs. sharing data without sharing your identity
  41. Let’s Get Stuck In: delegated authorisation using tokens
  42. The Love Triangle: End User, Consumer, Service Provider
  43. As Easy As This
  44. The OAuth ‘Dance’
  45. The Dancers: Fred - the end user; Twitter - the Service Provider; LinkedIn - the Consumer
  46-53. The Steps (consumer on the left of the slide, provider on the right): consumer asks for a request token; provider creates and returns a new request token (with its token secret); consumer redirects the user to the provider with the token in the URL; user selects preferences and approves the authorisation; user is redirected back to the consumer with the request token (in OAuth 1.0a, together with an oauth_verifier that the consumer must present in the next step); consumer wants to trade the request token for access; provider trades the provisional request token for an access token; consumer saves the access token (and its secret) for the user
  54. Breaking It Down Even More
  55. 1 - Show Intent. “LinkedIn is pretty cool. I want people to read more from me... I want them to read my status updates from Twitter. Can you access my updates for me, please?” “I certainly can, but I need to ask Twitter for permission before I can continue. Hold on...”
  56. 2 - Request a Token. “Hey Twitter, you overloaded piece of awesomeness. Please can I have a Request Token?” “LinkedIn, you corporate beast! Of course you can. Your Request Token is 9iKot2y5UQTDlS2V and your secret is 1Hv0pzNXMXdEfBd.”
  57. 3 - Authorize The Request. “OK, Fred. Right, can you go to Twitter and authorize the Request Token 9iKot2y5UQTDlS2V, please? Once that’s done, I’ll be able to access your status updates.” “OK.”
  58. 3 - Authorize The Request. “Hey Twitter. I want to authorize the Request Token 9iKot2y5UQTDlS2V.” “To confirm, you want to authorize LinkedIn to access your status updates. You’re happy with that?”
  59. 3 - Authorize The Request. “That’s just what I wanted, yes.” “Sweet! Tell LinkedIn you authorized it with me.”
  60. 3 - Authorize The Request. “Right... Twitter knows I want you to do stuff for me. Everything’s set for you.” “Nice work, Fred. I’ll go and speak to Twitter now.”
  61. 4 - Exchange the Token. “Please can I exchange Request Token 9iKot2y5UQTDlS2V for an Access Token?” “No worries. Your Access Token is 94S3sJVmuuxSPiZz and your Secret is 4Fc8bwdKNGSM0iNe.”
  62. 5 - Get Restricted Data. “Awesome. Now I have those details, please can you give me the status updates that are owned by Access Token 94S3sJVmuuxSPiZz?” “Of course. Here you go...”
  63. Quite Simple When You Put It Like That. I know, right?
  64. LinkedIn didn’t need to know Fred’s Twitter account details. His identity was kept secret; it wasn’t important to access the data. What was important was his permission to proceed.
  65-69. Even Simpler (kind of): 1 - Obtain a Request Token; 2 - User authorizes the Request Token; 3 - Exchange Request Token for Access Token; 4 - Use Access Token to obtain the protected resources
  70. What Does The User Experience?
  71. The OAuth ‘Dance’ with different systems: web applications, desktop applications, out of band applications
  72. The Set Up: where documentation is the best thing you can wish for
  73. Registering a Consumer application
  74. The Consumer: the Consumer Key and Consumer Secret
  75. The Tokens: the Token Key and Token Secret
  76. Let’s Get Stuck In: making a request
  77. An Example Request. You need: the HTTP Method; the Request URI (endpoint); oauth_callback (on the request-token call, in 1.0a); oauth_consumer_key; oauth_nonce; oauth_signature_method; oauth_timestamp; oauth_version; and, computed from all of the above, oauth_signature
  78. Parameters: oauth_*
  79. Parameters: oauth_consumer_key (sent with every request) and the Consumer Secret (never sent; it is only ever used as part of the signing key, so there is no oauth_consumer_secret parameter)
  80. Parameters: oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk"
  81. Parameters: oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" (the provider should reject a reused nonce and a timestamp outside its window; that is what stops a captured request from being replayed)
  82. Parameters: oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tRMTYa%2FWM%3D" (signature value abbreviated on the slide)
  83. Signature Base String: the key to request signing
  84. What is the signature? A consistent, reproducible concatenation of the request elements (HTTP method, base URI, and the sorted, percent-encoded request and oauth_* parameters) into a single string, which is then signed
  85-88. Cryptographic Signature: Signature Base String + signing key (Consumer Secret & Token Secret; the token secret part is empty before any token has been issued) → HMAC-SHA1 → Signature, sent as oauth_signature alongside the other parameters (base=foobar&sig=yourSignatureStr)
  90. Request Example: GET /1/statuses/mentions.json?count=5 HTTP/1.1 / Host: api.twitter.com:80
  91-95. Request Example With OAuth (the deck highlights in turn the HTTP request method, the request URI and the request parameters, which are the three inputs to the base string):
     GET /1/statuses/mentions.json?count=5 HTTP/1.1
     Host: api.twitter.com:80
     Authorization: OAuth realm="", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_token="nnch734d00sl2jdk", oauth_nonce="kllo9940pd9333jh", oauth_timestamp="1191242096", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
     Signature Base String (HTTP method, then the base URI without query string or default port, then the normalised parameters sorted by name; each of the three parts percent-encoded and joined with &):
     GET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.json&count%3D5%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0
     oauth_signature = percent-encode(base64(HMAC-SHA1(key = enc(consumer_secret)&enc(token_secret), base string)))
     Note: the slide as originally drawn put the query string inside the URI part of the base string and ended it with a stray size%3Doriginal, and the oauth_signature value shown is the one from the OAuth Core 1.0 specification's example request (which is where the consumer key, token, nonce and timestamp values also come from), so it would not verify against this base string. The structure above is the one the spec defines; a provider recomputes it from the request it received and compares.
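As an added example that is not part of the slides or of any real provider's code: the four steps of the dance (slides 65-69) and the base-string / HMAC-SHA1 signing behind the request example (slides 83-95), run end to end in Python against a toy in-process Provider. The endpoint URLs (api.example.net, consumer.example.com), the consumer key/secret, the Provider class and its method names are all assumptions made up for the example. The spec_example_signature function uses the OAuth Core 1.0 Appendix A values so that the signing routine can be checked against the published result; everything else is constructed.

```python
# Added example, not from the slides: a toy OAuth 1.0a "dance" run in-process, with
# HMAC-SHA1 request signing on the Consumer side and verification of signature, nonce,
# timestamp and verifier on the Provider side. Names, URLs and tokens are made up.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def enc(s):
    return quote(str(s), safe="")  # OAuth encoding: only RFC 3986 unreserved chars survive (py>=3.7)

def base_string(method, url, params):
    """METHOD & enc(scheme://host[:port]/path) & enc(sorted 'k=v' pairs joined with '&')."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    port = "" if u.port in (None, default) else f":{u.port}"  # default ports are dropped
    base_url = f"{u.scheme.lower()}://{u.hostname}{port}{u.path}"
    pairs = list(parse_qsl(u.query, keep_blank_values=True))  # query-string params...
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]  # ...plus oauth_*
    normalized = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))
    return "&".join([method.upper(), enc(base_url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret); the secrets are never sent."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed(method, url, consumer_key, consumer_secret, token=None, token_secret="", **extra):
    """Consumer side: the oauth_* parameters for one request, with the signature attached."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

class Provider:
    """Toy Service Provider: issues request/access tokens and verifies every signed request."""
    def __init__(self, consumers, statuses):
        self.consumers, self.statuses = consumers, statuses  # key -> secret, user -> updates
        self.request_tokens, self.access_tokens, self.seen = {}, {}, set()

    def _verify(self, method, url, params, token_secret=""):
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            raise PermissionError("unknown consumer")
        nonce = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
        if abs(time.time() - int(params["oauth_timestamp"])) > 300 or nonce in self.seen:
            raise PermissionError("stale timestamp or replayed nonce")  # replay protection
        self.seen.add(nonce)
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")

    def request_token(self, method, url, params):  # step 1
        self._verify(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "callback": params["oauth_callback"],
                                      "user": None, "verifier": None}
        return token, secret

    def authorize(self, token, user):  # step 2: the user approves in their browser
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["callback"], rt["verifier"]  # 1.0a: verifier travels back via the callback

    def access_token(self, method, url, params):  # step 3
        rt = self.request_tokens[params["oauth_token"]]
        self._verify(method, url, params, rt["secret"])
        if rt["user"] is None or not hmac.compare_digest(rt["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("request token not authorized or wrong verifier")
        del self.request_tokens[params["oauth_token"]]  # a request token is exchanged once
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": rt["user"]}
        return token, secret

    def mentions(self, method, url, params):  # step 4: the protected resource
        at = self.access_tokens[params["oauth_token"]]
        self._verify(method, url, params, at["secret"])
        return self.statuses[at["user"]]

def run_dance(provider, ck, cs, user, base="https://api.example.net"):
    """The four 'Even Simpler' steps end to end; returns the user's protected data."""
    url = base + "/oauth/request_token"
    rt, rt_secret = provider.request_token("POST", url, signed(
        "POST", url, ck, cs, oauth_callback="https://consumer.example.com/callback"))
    _callback, verifier = provider.authorize(rt, user)
    url = base + "/oauth/access_token"
    at, at_secret = provider.access_token("POST", url, signed(
        "POST", url, ck, cs, rt, rt_secret, oauth_verifier=verifier))
    url = base + "/1/statuses/mentions.json?count=5"
    return provider.mentions("GET", url, signed("GET", url, ck, cs, at, at_secret))

def spec_example_signature():
    """OAuth Core 1.0 Appendix A values; the slides' signature string comes from this example."""
    p = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
         "oauth_nonce": "kllo9940pd9333jh", "oauth_timestamp": "1191242096",
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
    return sign("GET", "http://photos.example.net/photos?file=vacation.jpg&size=original",
                p, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
```

Running `run_dance(Provider({"ck": "cs"}, {"fred": [...]}), "ck", "cs", "fred")` walks all four legs; every leg is a signed request that the Provider recomputes and compares in constant time, so the Consumer never sends its secret and Fred never gives LinkedIn his Twitter password. The nonce/timestamp check is the part most real-world implementations skimp on: without it, a captured signed request can be replayed verbatim for as long as the access token lives.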
  96. An Authorisation In Action with monkehTweets
  97-101. Flavours: OAuth; xAuth; OAuth Echo; and other variations
  102-107. Benefits to OAuth: a standardised protocol that is becoming widely implemented by many providers; the user has control over access and can easily revoke consumers and application privileges; ability to track usage and statistics, since each consumer acts through its own access tokens; many open-source libraries and clients available to use; no personal information (username or password) has been passed to the consumer
  108-112. Issues with OAuth: documentation could be much better; harder to implement than basic authentication; variations on the principle already exist; does not solve brute force attacks or phishing (the provider's authorisation page is still a login page that an attacker can imitate)
  113. Want To Be A Service Provider? Who doesn’t!
  114-115. Want To Be A Service Provider? http://oauth.riaforge.org
  116. As A Developer You... (can) make integration, UX and UI as easy as possible for users by not over-complicating the process and the content, keeping it simple and worded succinctly to help them understand the process without scaring them
  117. As A Developer You... (can) make sure that users’ data is secure and protected wherever possible by ensuring that you only store what you need to store, and keep it safe and protected at all times
  118. As A Developer You... (can) keep your clients / users happy by ensuring that you make it simple, straightforward and secure for them
  119. Privacy is Freedom
  120. Links & Stuff: http://oauth.net, http://oauth.net/core/1.0, http://oauth.riaforge.org, http://monkehtweet.riaforge.org
  121. OAuth: demystified (hopefully). Matt Gifford aka coldfumonkeh, http://www.mattgifford.co.uk
