A simple open standard for secure API
The (API) Love Triangle
‣ Web Service (“Service Provider”)
‣ 3rd Party App (“Consumer Application”)
Specifically OAuth is...
‣ Need to log in to access parts of a website, ex: post a message, add a friend, view private
‣ Logged-in user has a unique token used to access data from the site
‣ Flickr Auth
‣ Google’s AuthSub
‣ Yahoo’s BBAuth
‣ Facebook Auth
‣ and others...
‣ PLAINTEXT signature method needs transport encryption (SSL/TLS), since it sends the secrets in the clear
‣ Secrecy of consumer secret
‣ Phishing attacks
‣ Repeat authorizations
‣ and more...
Session fixation attack
Attacker gets the victim to authorize the attacker’s request token, then exchanges that token for an access token to the victim’s data. The 1.0a fix:
‣ Consumer must specify oauth_callback when requesting the request token
‣ Service provider returns the request token together with an oauth_verifier (via that callback) after user verification
‣ oauth_verifier used when
exchanging request token for
‣ 1.0 final (Dec 2007)
‣ 1.0a (24 June 2009)
‣ IETF draft phase
‣ 2.0 coming soon!
‣ Lots of client libraries
‣ HTML head item (oEmbed discovery link):
<link rel="alternate" type="text/xml+oembed" title="Ewok Moonwalks & Molests Al Roker on Today Show" />
‣ HTTP HEAD requests
‣ URL templates
‣ trust (white-lists of providers, and isolating provider HTML in iFrames)
‣ multiple requests (for discovery)
‣ REST-based as opposed to inline
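An added example, not code from the slides or from any oEmbed library, of the consumer side of the discovery and trust points above: it pulls the oEmbed `<link>` elements out of a page, refuses any endpoint that is not https on an allow-listed host (the discovery link is attacker-influenced, since it comes from the page being embedded), appends the consumer's maxwidth/maxheight, validates the response, and never inlines provider HTML, isolating it in a sandboxed iframe instead. The allow-list host, the sample page and the sample JSON response are all constructed; the HTTP fetch is stubbed.

```python
import json
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

# Hypothetical allow-list: the only endpoint hosts this consumer will ever call.
TRUSTED_ENDPOINT_HOSTS = {"oembed.provider.example"}
OEMBED_TYPES = ("application/json+oembed", "text/xml+oembed")


class OEmbedLinkFinder(HTMLParser):
    """Collects oEmbed discovery <link> elements from a fetched page."""

    def __init__(self):
        super().__init__()
        self.found = []                       # list of (mime type, href)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "alternate" and a.get("type") in OEMBED_TYPES:
            self.found.append((a["type"], a.get("href", "")))


def discover(page_html):
    finder = OEmbedLinkFinder()
    finder.feed(page_html)
    return finder.found


def endpoint_allowed(href):
    """Discovered endpoints are attacker-influenced: require https and an allow-listed host."""
    u = urlparse(href)
    return u.scheme == "https" and u.hostname in TRUSTED_ENDPOINT_HOSTS


def request_url(endpoint, maxwidth, maxheight):
    """Append the consumer's size limits and ask for JSON (simpler to validate than XML)."""
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode({"maxwidth": maxwidth, "maxheight": maxheight, "format": "json"})


def render(resp, maxwidth, maxheight):
    """Validate a decoded oEmbed response and turn it into HTML the consumer controls."""
    if resp.get("version") != "1.0":
        raise ValueError("unsupported oEmbed version")
    kind = resp.get("type")
    if kind == "link":                                        # no url/html: text fields only
        return escape(resp.get("title", ""))
    w, h = int(resp["width"]), int(resp["height"])            # required for photo/video/rich
    if not (0 < w <= maxwidth and 0 < h <= maxheight):
        raise ValueError("provider ignored maxwidth/maxheight")
    if kind == "photo":
        if urlparse(resp["url"]).scheme != "https":
            raise ValueError("photo url must be https")
        return (f'<img src="{escape(resp["url"], quote=True)}" width="{w}" height="{h}" '
                f'alt="{escape(resp.get("title", ""), quote=True)}">')
    if kind in ("video", "rich"):
        # Provider HTML is untrusted: never inline it. A sandboxed iframe without
        # allow-same-origin runs it in an opaque origin, so its scripts cannot reach our DOM.
        return (f'<iframe sandbox="allow-scripts" width="{w}" height="{h}" '
                f'srcdoc="{escape(resp["html"], quote=True)}"></iframe>')
    raise ValueError(f"unknown oEmbed type {kind!r}")


def embed(page_html, fetch, maxwidth=500, maxheight=400):
    """Consumer pipeline: discover -> allow-list -> fetch -> validate -> render.
    `fetch(url)` is supplied by the caller (real HTTP in production, a stub here)."""
    hrefs = [h for t, h in discover(page_html) if t == "application/json+oembed"]
    if not hrefs:
        raise LookupError("no oEmbed discovery link")
    if not endpoint_allowed(hrefs[0]):
        raise PermissionError(f"untrusted oEmbed endpoint: {hrefs[0]}")
    return render(json.loads(fetch(request_url(hrefs[0], maxwidth, maxheight))), maxwidth, maxheight)


# Constructed sample data (not real providers): a page advertising a trusted endpoint,
# a spoofed copy pointing at an attacker, and a video response whose html carries a script.
SAMPLE_PAGE = """<html><head><title>clip</title>
<link rel="alternate" type="application/json+oembed"
      href="https://oembed.provider.example/oembed?url=https%3A%2F%2Fvideos.provider.example%2Fv%2F123">
<link rel="alternate" type="text/xml+oembed"
      href="https://oembed.provider.example/oembed?url=https%3A%2F%2Fvideos.provider.example%2Fv%2F123&format=xml">
</head><body></body></html>"""
SPOOFED_PAGE = SAMPLE_PAGE.replace("oembed.provider.example", "attacker.example")
SAMPLE_RESPONSE = json.dumps({"version": "1.0", "type": "video", "provider_name": "Example Videos",
                              "width": 400, "height": 225,
                              "html": '<iframe src="https://videos.provider.example/embed/123"></iframe>'
                                      '<script>document.cookie</script>'})


def fake_fetch(url):
    return SAMPLE_RESPONSE                                    # stands in for the HTTP GET


if __name__ == "__main__":
    print(embed(SAMPLE_PAGE, fake_fetch))
```

The allow-list is what makes discovery safe to use at all: without it, any page can point the consumer at an arbitrary endpoint, which is the "trust" problem above. The sandboxed iframe is the second line, for the case where a trusted provider returns HTML you still do not want running in your origin.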
‣ Supported by lots of providers!
‣ Not as many consumers
‣ Need an embed code from a URL?