OAUTH Don Park 3-Feb-2009
  • If you look here: http://oauth.net/core/1.0/#signing_process

    You'll see that the secrets are sent over the wire from the provider to the consumer. But they don't go the other direction. What would be the point of sending both over the wire to authorize requests? If you were going to send both, you could just send one. The security comes in the separation.

  • You're wrong here. You send the keys (tokens) but not the secrets over the wire. You use the secrets in the signing. Sure, https is a good idea, but if you're sending the secrets then you're doing it wrong.

Oauth Ruby

  1. OAUTH
     Don Park
     3-Feb-2009
  2. Terms
     Provider
     Consumer
     User
  3. API Call
     PUT /vendingmachine/dispense
     Variables: brand=hershey quantity=1 change=gold
  4. API Call + OAUTH
     PUT /vendingmachine/dispense
     Variables: brand=hershey quantity=1 change=gold
     oauth_token=abc123
     oauth_consumer_key=123abc
     oauth_signature_method=HMAC-SHA1
     oauth_signature=xyz1234
     oauth_timestamp=2009-01-011234
     oauth_nonce=nonsence
  5. API Call + OAUTH
     PUT /vendingmachine/dispense
     Variables: brand=hershey quantity=1 change=gold
     oauth_token=abc123
     oauth_consumer_key=123abc
     oauth_signature_method=HMAC-SHA1
     oauth_signature=xyz1234
     oauth_timestamp=2009-01-011234
     oauth_nonce=nonsence
     Signature generation: Variables + token_secret
  6. How are the access token and token secret acquired?
  7. How are the access token and token secret acquired?
     The provider sends you the access token and secret. In the clear! HTTPS is required.
  8. The last OAUTH-specific URL: the access token URL
     Direction: Provider to Consumer
     Given: the request token
     Returned: the access token and secret, if the access token has been blessed
     http://icecendor.com/oauth/access&oauth_token=req132
     HTTP 302 redirect to:
     icecondor-android-app:///&oauth_token=access1234&oauth_token_secret=xfz123
  9. The next OAUTH-specific URL: the user permission URL
     Direction: User to Provider
     Given: the request token
     Post: Bless the token
     http://icecendor.com/oauth/authorize&oauth_token=req132
     http://icecondor.com/oauth/authorize&oauth_token=req123&granted=1
     Displays a screen that asks the user to authorize this application for access to protected data.
     Redirects to the pre-defined return-to URL back to the consumer.
  10. The first OAUTH-specific URL: the request token URL
     Direction: Consumer to Provider
     Given: the consumer key
     Post: Bless the token
     http://icecendor.com/oauth/request&oauth_consumer_key=req132
     http://icecondor.com/oauth/authorize&oauth_token=req123&granted=1
     Displays a screen that asks the user to authorize this application for access to protected data.
     Redirects to the pre-defined return-to URL back to the consumer.
  11. How does the consumer acquire a consumer key and secret from the provider?
     Last parts of the puzzle
  12. How does the consumer acquire a consumer key and secret from the provider?
     Last parts of the puzzle
     Out of scope! The spec doesn't say. Use an out-of-band method. Example: receive the consumer key and secret in an email, and hard-code the values into the consumer app. Also, the request token URL, the authorization URL, and the access token URL are not standardized and have to be communicated out-of-band.
  13. Help is on the way: OAUTH DISCOVERY (draft spec)
     XRDS document location in the headers:
     Date: Wed, 04 Feb 2009 01:06:17 GMT
     Server: Apache
     X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.6
     X-Runtime: 3125ms
     Etag: "aafe6ca507f518d040c9868cddaad9ef"
     X-XRDS-Location: http://icecondor.com/xrds.xml
     Cache-Control: private, max-age=0, must-revalidate
  14. xrds.xml
     <?xml version="1.0" encoding="UTF-8"?>
     <XRDS xmlns="xri://$xrds">
       <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
         <Type>xri://$xrds*simple</Type>
         <Expires>2009-12-31T23:59:59Z</Expires>
         <Service priority="10">
           <Type>http://oauth.net/core/1.0/endpoint/request</Type>
           <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
           <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
           <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
           <URI> https://icecondor.com/oauth/request </URI>
         </Service>
         <Service priority="10">
           <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
           <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
           <URI> https://icecondor.com/oauth/authorize </URI>
         </Service>
         <Service priority="10">
           <Type>http://oauth.net/core/1.0/endpoint/access</Type>
           <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
           <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
           <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
           <URI> https://icecondor.com/oauth/access </URI>
         </Service>
         <Service priority="10">
           <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
           <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
           <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
           <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
         </Service>
         <Service priority="10">
           <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
           <LocalID> 0685bd9184jfhq22 </LocalID>
         </Service>
       </XRD>
       <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
         <Type>xri://$xrds*simple</Type>
         <Service priority="10">
           <Type>http://oauth.net/discovery/1.0</Type>
           <URI>#oauth</URI>
         </Service>
       </XRD>
     </XRDS>
  15. http://code.google.com/p/oauth-plugin/
     Rails OAUTH plugin
     class SandwichApiController < ApplicationController
       # only the dispense action requires a valid OAuth-signed request
       before_filter :oauth_required, :only => [:dispense]
       def dispense
       end
     end
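Slide 5 says only "Signature generation: Variables + token_secret", and the two comments above argue over exactly this point: the secrets are used only as the HMAC key and never travel with the request. The Ruby below is an added example, not code from the deck or from the oauth-plugin project. It builds the OAuth 1.0 signature base string and HMAC-SHA1 signature for the deck's vending-machine call, then verifies it provider-side with a constant-time compare plus timestamp and nonce checks. The consumer secret, the skew window and the in-memory nonce store are constructed assumptions; the key is consumer_secret&token_secret (each percent-encoded) per the spec, and oauth_timestamp is seconds since the epoch, so the example uses an epoch value rather than the date-style value shown on slide 4.

```ruby
require 'openssl'
require 'securerandom'

# OAuth 1.0 percent-encoding: only RFC 3986 unreserved bytes stay literal;
# everything else (space, '*', multibyte UTF-8, ...) becomes %XX.
UNRESERVED = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a + %w[- . _ ~]

def oauth_escape(value)
  value.to_s.each_byte.map { |b| b < 128 && UNRESERVED.include?(b.chr) ? b.chr : format('%%%02X', b) }.join
end

# Signature base string: METHOD & encoded URL & encoded normalized parameters.
# oauth_signature is never part of the string it protects.
# Assumes `url` is scheme://host/path without a query component.
def signature_base_string(method, url, params)
  normalized = params.reject { |k, _| k == 'oauth_signature' }
                     .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret.
# The secrets stay on the consumer; only the base64 signature goes on the wire.
def oauth_sign(method, url, params, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('SHA1', key, signature_base_string(method, url, params))].pack('m0')
end

# Consumer side: add the oauth_* parameters from slide 4 and sign the call.
def build_signed_request(method, url, vars, consumer_key, consumer_secret, token, token_secret, timestamp:, nonce:)
  params = vars.merge('oauth_consumer_key' => consumer_key, 'oauth_token' => token,
                      'oauth_signature_method' => 'HMAC-SHA1',
                      'oauth_timestamp' => timestamp.to_s, 'oauth_nonce' => nonce)
  params.merge('oauth_signature' => oauth_sign(method, url, params, consumer_secret, token_secret))
end

# Constant-time comparison: a wrong signature is not rejected faster for a wrong first byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side: look up both secrets by their public keys, recompute the
# signature, and reject stale timestamps and reused nonces (replay protection).
class Provider
  def initialize(consumers, tokens, window: 300)
    @consumers = consumers # consumer_key => consumer_secret
    @tokens = tokens       # access token => token_secret
    @window = window       # tolerated clock skew in seconds (constructed value)
    @seen_nonces = {}      # [consumer_key, timestamp, nonce] => true
  end

  def verify(method, url, params, now: Time.now.to_i)
    consumer_secret = @consumers[params['oauth_consumer_key']]
    return :unknown_consumer unless consumer_secret
    token_secret = @tokens[params['oauth_token']]
    return :unknown_token unless token_secret
    return :unsupported_method unless params['oauth_signature_method'] == 'HMAC-SHA1'
    timestamp = params['oauth_timestamp'].to_i
    return :stale_timestamp if (now - timestamp).abs > @window
    nonce_key = [params['oauth_consumer_key'], timestamp, params['oauth_nonce']]
    return :replayed_nonce if @seen_nonces.key?(nonce_key)
    expected = oauth_sign(method, url, params, consumer_secret, token_secret)
    return :bad_signature unless secure_compare(expected, params['oauth_signature'].to_s)
    @seen_nonces[nonce_key] = true
    :ok
  end
end

# Constructed demo data: the deck's vending-machine call and its sample identifiers
# (consumer key and token from slide 4, token secret from slide 8); the consumer secret is made up.
CONSUMER_KEY    = '123abc'
CONSUMER_SECRET = 'consumer-secret-constructed'
ACCESS_TOKEN    = 'abc123'
TOKEN_SECRET    = 'xfz123'
DISPENSE_URL    = 'http://icecondor.com/vendingmachine/dispense'
VARS = { 'brand' => 'hershey', 'quantity' => '1', 'change' => 'gold' }

def demo_provider
  Provider.new({ CONSUMER_KEY => CONSUMER_SECRET }, { ACCESS_TOKEN => TOKEN_SECRET })
end

def demo_request(now)
  build_signed_request('PUT', DISPENSE_URL, VARS, CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN, TOKEN_SECRET,
                       timestamp: now, nonce: SecureRandom.hex(8))
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  provider = demo_provider
  request = demo_request(now)
  puts provider.verify('PUT', DISPENSE_URL, request.merge('quantity' => '99'), now: now) # bad_signature
  puts provider.verify('PUT', DISPENSE_URL, request, now: now)                           # ok
  puts provider.verify('PUT', DISPENSE_URL, request, now: now)                           # replayed_nonce
end
```

The order of the checks matters: the nonce is recorded only after the signature verifies, so a tampered request cannot burn a legitimate nonce, while a verbatim replay of a good request is refused even though its signature is still valid. Tokens and keys are the lookup handles the provider sees; the secrets exist only at the two ends of the HMAC.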
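Slide 13 points the consumer at the XRDS document through the X-XRDS-Location header, and slide 14 shows what it contains, but the deck stops short of consuming it. As an added example (not part of the deck or the oauth-plugin project), the following Ruby parses that exact document with REXML from Ruby's standard distribution, extracts each core/1.0 endpoint's URI, signature methods and parameter locations, and flags any endpoint that advertises PLAINTEXT over a non-https URI, since a PLAINTEXT signature is the consumer_secret&token_secret pair itself and is only safe inside TLS. The function names are my own.

```ruby
require 'rexml/document'

# The xrds.xml from slide 14 of the deck, reproduced here as the parser's input.
SLIDE_XRDS = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <XRDS xmlns="xri://$xrds">
    <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
      <Type>xri://$xrds*simple</Type>
      <Expires>2009-12-31T23:59:59Z</Expires>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/request</Type>
        <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
        <URI> https://icecondor.com/oauth/request </URI>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <URI> https://icecondor.com/oauth/authorize </URI>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/access</Type>
        <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
        <URI> https://icecondor.com/oauth/access </URI>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
        <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
        <LocalID> 0685bd9184jfhq22 </LocalID>
      </Service>
    </XRD>
    <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
      <Type>xri://$xrds*simple</Type>
      <Service priority="10">
        <Type>http://oauth.net/discovery/1.0</Type>
        <URI>#oauth</URI>
      </Service>
    </XRD>
  </XRDS>
XML

# Walk every <Service> in either XRD, collecting its Type URIs and optional URI
# (the slide's URIs carry stray whitespace, hence the strip).
def parse_xrds(xml)
  doc = REXML::Document.new(xml)
  services = []
  doc.root.each_recursive do |el|
    next unless el.name == 'Service'
    types = []
    uri = nil
    el.elements.each do |child|
      case child.name
      when 'Type' then types << child.text.to_s.strip
      when 'URI'  then uri = child.text.to_s.strip
      end
    end
    services << { priority: el.attributes['priority'].to_i, types: types, uri: uri }
  end
  services
end

# Map the core/1.0 endpoint services to :request, :authorize, :access and :resource,
# with the signature methods and parameter locations each one advertises.
def oauth_endpoints(services)
  endpoints = {}
  services.each do |svc|
    endpoint_type = svc[:types].find { |t| t.start_with?('http://oauth.net/core/1.0/endpoint/') }
    next unless endpoint_type
    endpoints[endpoint_type.split('/').last.to_sym] = {
      uri: svc[:uri],
      signature_methods: svc[:types].map { |t| t[%r{/signature/([^/]+)\z}, 1] }.compact,
      param_locations: svc[:types].map { |t| t[%r{/parameters/([^/]+)\z}, 1] }.compact
    }
  end
  endpoints
end

# PLAINTEXT puts consumer_secret&token_secret on the wire as the signature, so a
# PLAINTEXT endpoint that is not https:// would expose the secrets; report those.
def insecure_plaintext_endpoints(endpoints)
  endpoints.select { |_, e| e[:signature_methods].include?('PLAINTEXT') && e[:uri] && !e[:uri].start_with?('https://') }.keys
end
```

Run against the slide's document, the parser finds all four endpoints, the resource endpoint with no URI (it is the API itself, signed with HMAC-SHA1), and no insecure PLAINTEXT endpoints, because both PLAINTEXT services are published over https. Rewriting one of those URIs to http:// in the input makes the check flag it.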