Ever cringe when you're asked to enter your email address and password to a third party service? This talk will cover how to build and consume services which protect users privacy with OAuth and other techniques.
Ever cringe when you’re asked to enter your email address and password to a third party service? Even worse when we build systems which collect people’s credentials. It’s the password anti-pattern.
Privacy and security are important, but when it comes to real running apps, it works wins over it’s secure.
This has two main themes.
* How to use tokens and other tricks to protect the privacy of your users.
* While examples will be from a ruby on rails application, this talk is more on general web development practices for privacy.
There is no totally secure or private system out there, especially when we build social web applications. But there are many things which can be done to improve privacy. For each application you have to look at what the threat model is for leaking personal information. Everything from how your user passwords are stored to what happens if a hacker gets a full dump of your database.
* What happens when a user’s email is compromised by a third party service?
* How to provide simple sharing with casual privacy.
* What is ‘good enough’ crypto.
* Understanding the difference between Authorization and Authentication.
This talk is based on experience designing and architecting Yahoo! Fire Eagle, a location sharing service which was the first implementation of both OAuth and Ruby on Rails at yahoo.
56. Token Dance
consumer provider
requesting the
request token
creates and returns
a new request token
57. Token Dance
consumer provider
requesting the
request token
creates and returns
a new request token
redirect user to provider
with token in url
58. Token Dance
consumer provider
requesting the
request token
creates and returns
a new request token
redirect user to provider
with token in url
user selects preferences
and approves auth
59. Token Dance
consumer provider
requesting the
request token
creates and returns
a new request token
redirect user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
60. Token Dance
consumer provider
requesting the
request token
creates and returns
a new request token
redirect user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
consumer wants to trade
request token for access
61. Token Dance
consumer provider
requesting the
request token
creates and returns
a new request token
redirect user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
consumer wants to trade
request token for access
provisional request token
traded for access token
62. Token Dance
consumer provider
requesting the
request token
creates and returns
a new request token
redirect user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
consumer wants to trade
request token for access
provisional request token
consumer saves the traded for access token
access token for the user
63. Token Dance
web applications
desktop applications
out of band applications
like mobile and embedded
Privacy. It’s a tricky idea. It’s really to try and protect the interests and information of our users. As they want.
Or sometimes what we do is provide the perception of privacy. This is what a privacy policy is, Nobody reads it, so what it really does is provide the perception that there is privacy.
Many users don’t want to appear in public at all, or they want to be able to delete their users and associated information. Perhaps they don’t want everybody to know they’re in the furries flickr group.
Some people value privacy over all else. They might wear a burka or use tor.
People use the internet for many things. What ever application you’re building, could unwittingly become a space for free speech. What happens if the government asks for your database? What if it’s legal in your country, but illegal in another?
For example, it’s illegal to insult or mock the Pope in Italy. If you can publish photos on your website, then the Italian government could demand to know the identity of the poster. If they posted this image from italy they’d be committing a crime.
Another example, in Argentina, their national hero is Diego Maradona a soccer star. It’s illegal to publish real or photoshoped porn with Maradona in it. Protected speech in one country is illegal speech in others.
Here in the US for example there’s a great tradition of free speech with some rather odd limitations. For example you can’t say, i want to shoot the president....
Unless you’re talking about somebody else’s president. No problem wanting to kill the cuban or iranian president.
Show a picture of the mouse. The most common example of free speech limits in the US are mostly commercial limits.
Beyond problems with corporations and governments, you’ve got the hacker problem. They really want to get at our users and systems. In all of our work we’ve got to think about what kinds of attacks we might face in production.
Right now we use email as the primary way of logging in to systems. It’s the core of the identity system online right now.
The majority of people use a single email account for everything. The protection of this email is very important.
When somebody has access to your email, they’ve got access to everything.
With email accounts we can reclaim passwords for online banking systems.
With this access we can eventually take money out of a users bank accounts. A users email account is the real key to paypal and online banking.
One of the reasons there are so many problems with spam, and phishing sites is that hackers really want to get at users email accounts.
We use email for all of our internal documents which used to be on a desktop. Now they are in the cloud, and email is guarding them.
So with email being so important, so essential to a user’s life online, to their bank accounts and internal company documents.
WHY do we build things like this. We teach users to share their passwords!
Fail, really, we as web developers, as a community, are failing out users.
But there is salvation, a way out. We don’t have to persist with this nightmare.
In reality, there are a ton of authorization systems which don’t use email addresses and passwords.
Each one does more or less the same thing in slightly different ways.
What are these token things we talk about? There’re little things we use to represent access, kind of like a subway token.
Well kind of like coins, but each token is unique
More like symbols, which can be used to represent something without it being the thing.
The trick with all the delegated token authorization systems is that they DON’T pass the password with teach request. They use a token, and a secret. The secret is used in the signature but not passed over the wire.
It’s more this kind of signature. Crypto. HMAC or RSA SHA1.
So what does this look like, well we use the token and the hash key secret.
We use the combination of the token and then the secret as the has key to sign the token, well not just the token, but the whole request.
Then that signature is created as a param which can be passed in the requests.
So you end up something like this. The token, and the signature is passed over the wire. The secret is kept on both ends to verify the signature.
So this delegated token authorization. There are 20 different types. Each one is sufficiently different that you have to build up the libraries from scratch. Each auth system needs a library in every language.
There is now one delegated token auth system to rule them all. Based on all the best practices of the past.
The original idea of OAuth would be that it’s super simple, clear, everybody could read the standard and understand. It was nice and clear. Little by little in the standards process the standards people from IETF and W3C got involved. Now the spec is full of diagrams like this!
All this is to say that OAuth is like a love triangle. That is to say that the relationship between he provider, end user, and consumer is a love triangle. Each part communicates with both of the other parts.
Normally oauth has three legs, the user, the provider, and the consumer. But it’s possible to use oauth to remove the user from the equation. Creating 2 legged oauth.
In 2 legged oauth there is the same libraries and toke signing between the consumer and the provider. Yahoo for example uses this model to control access to web services which are accessed on application’s own behalf. There doesn’t have to be a user. OAuth’s standardized signing / anti replay attacks are useful for many APIS.
Great, but what’s it like for the user? Very simple. Here we’re going to walk through a MovableType client application getting the user to authorize Fire Eagle to share the user’s location.
So when we click the connect link, we’re taking to fire eagle, which asks us to login.
Then once we’re logged in we get a confirmation page.
The request is made with a provisional request token, which tells us among other things what application is being authorized. The user then can see that application that they are going to authorize.
It’s possible at this stage for the provider to ask for preferences to constrain the permissions of the application. For example, can publish but not delete. This is very important because it’s something you couldn’t do if you handed over the user name and password to the client application. It’d be full control or nothing.
And after preferences, the user can choose to approve or deny the authorization of the application to their protected resources.
After a user hits confirm, they’re redirected back to the consumer based on the callback url assigned, and as far as the user is concerned the association is setup.
For the user the whole process is 4 clicks. Behind these simple 4 clicks is a token dance between the consumer, provider, and end user.
the application asks for a request token
the application asks for a request token
la aplicación inicia el
intercambio del
request token
the application asks for a request token
la aplicación inicia el
intercambio del
request token
the application asks for a request token
la aplicación inicia el
intercambio del
request token
the application asks for a request token
la aplicación inicia el
intercambio del
request token
the application asks for a request token
la aplicación inicia el
intercambio del
request token
the application asks for a request token
la aplicación inicia el
intercambio del
request token
the application asks for a request token
That was the token dance for web applications. There is a similar but slightly different process for desktop and out of band applications like browserless mobile phones and embedded systems like an arduino.
All of the oauth params start with the oauth_* prefix.
As we saw before, there are keys (tokens) and secrets. The consumer application or library itself has a token secret part, in addition to a user’s access token and secret. The key is passed with each request, and the consumer secret is used for signing every request.
The tokens are just random strings which should be unique.
Then we require that each request have a timestamp and nonce. The timestamp is an integer which needs to increment. The nonce is a unique number/string which can’t be reused with the same timestamp. The combination of these, and the signing prevents replay attacks.
The last couple define the signing method, this could be public key, but usually it’s HMAC-SHA1. Then the version of oauth, which despite the current standard being 1.0a the standard says you should still say 1.0. Then the actual signature of the request.
OAuth signing and authorization can go over
Hay mucho formas de hacer una request de OAuth.
Hay mucho formas de hacer una request de OAuth.
Hay mucho formas de hacer una request de OAuth.
también puede poner todo los params en el HTTP POST.
por que tenemos liberias para hacer todo los detalles en todo los lenguajes. El primero implementación de OAuth fue en Ruby para aplicaciones de rails. Ahora todo los plataformas tiene apoyo para OAuth.
por que tenemos liberias para hacer todo los detalles en todo los lenguajes. El primero implementación de OAuth fue en Ruby para aplicaciones de rails. Ahora todo los plataformas tiene apoyo para OAuth.
En nuestra caso, tenemos un muy buen gems para OAuth.
So you simply add the plugin to your rails app.
It adds a ton of files to your system to handle all the oauth process. You’re going to want to customize the templates.
Add the routes to make all the oauth requests make sense. These urls are set, there is a discovery process by which you can use alternate oauth urls but it’s best if you can to just keep them standard.
The last thing you need to do is add before filters requiring authorization for the the actions and resources you need to protect.
In terms of OAuth, that’s it. It’s simple to create a basic provider and consumer.
So that’s enough to get over to using oauth in your apis. Getting to oauth is important, but it’s not the end of building systems which respect privacy.
Remember how i was talking about the nonce and timestamp? Well Nonce in British slang is a pedophile, but it’s got another meaning. It’s a one time number. The OAuth spec says you have to provide a nonce and timestamp, but they don’t require that you check them.
what you want to do is make sure that the timestamp always the same or higher by some amount, and that the nonce for that timestamp & consumer hasn’t been used before. You don’t have to store all past nonces.
Don’t even store your auth credentials in the same databases as you’re using for the rest of your application. Use metal, or a proxy to authorize the requests, then pass that through to your apis. This is kind of similar to what google and yahoo do where the authentication and authorization systems are divided off from the production application itself.
While it’s recommended to use HMAC-SHA1, it’s possible to use other forms of signing. Google for example uses RSA public / private keys for it’s oauth. If a provider passes everything over ssl it’s possible to use the unsigned PLAINTEXT signing method. :)
Sometimes you need the data for a single use. Don’t do a login at at all, just store the keys in the cookie, once the user leaves and the tokens disappear.
One thing you can do is use the authorization and tokens to make a wall between your user profiles and their associated data. That way you can only get foreign key when a user or authorized application is actively using the service. Wesabe and Fire Eagle both use this style system.