OAuth
Practical Implementation
Pownce and OAuth

• Pownce launched (June 2007)
• developers wanted an API
• became involved with OAuth (Aug 2007)
• public read-only API (Oct 2007)
• full API with OAuth (Mar 2008)
• 200+ apps built on Pownce API
Me and OAuth


• an author of the specification
• wrote first library (Python)
• maintain Python library
• maintain Pownce API OAuth implementation
What is OAuth?
A simple open standard for secure API
           authentication.


            http://oauth.net
The (API) Love Triangle

                     End User



Web Service                     3rd Party App
“Service Provider”              “Consumer Application”

                                       Pownce AIM bot
Specifically OAuth is...

 • Authentication
   Need to log in to access parts of a website
   ex: bookmark a link, post a photo, add a friend, view
   a private message

 • Token-based Authentication
   Logged-in user has a unique token used to access
   data from the site
Just like...

• Flickr Auth
• Google’s AuthSub
• Yahoo’s BBAuth
• Facebook Auth
• and others...
                     http://flickr.com/photos/bees/2504039638/
Who is involved?
Who is it for?

• Service Providers - have a web API that needs
  authorization for certain functions
• Consumers - want to use an API that requires (or
  encourages) OAuth
Goals:


Be Simple
• standard for website API authentication
• consistent for developers
• easy for end users to understand *

* this is hard
Goals:


Be Secure
• secure for end users
• easy to implement security features for
website developers
• 3rd party developers don’t have access to
passwords
• balance security with ease of use
Goals:


Be Open
• any website can implement OAuth
• any 3rd party developer can use OAuth
• open source client libraries
• community-designed technical specifications
Goals:


Be Flexible
• authentication method agnostic
• users don’t need a username and password
• can use OpenID (or not!)
• whatever auth works best for the service
• 3rd party developers don’t handle auth
Is OAuth different from
      OpenID?

            Yes.




       (short answer)
Is OAuth different from
      OpenID?
 OpenID - user identification by provider
      URL, login on provider site.
OAuth - API authorization and permissions,
 any form of user identification, login on
              provider site.

            (medium answer)
Is OAuth different from
      OpenID?
 http://www.pointy-stick.com/blog/2008/03/13/
 explanation-difference-between-openid-and-oauth/




                (long answer)
What the end user sees...

       Web Consumer

       Ma.gnolia and Nsyght
   I’d like to search my Ma.gnolia
     bookmarks via social search
             engine Nsyght.
OMG! Need to log in!
Login with service provider
         service provider’s site!




                      alternative login method
                      not username/password
Authorize
Done!
Web flow
Request Token!
• Nsyght asks Ma.gnolia for a request token (API call)
• Ma.gnolia returns a request token
  ...
Authorize!
• user sent to Ma.gnolia with request token in URL (http redirect)
• user logs in and/or authorizes Nsyght
• user redirected back to Nsyght with (authorized) request token
  ...
Access Token!
• Nsyght asks for access token with authorized request token (API call)
• request token exchanged for access token
• Nsyght stores access token
use the access token...

                   by Blaine Cook
What the end user sees...

    Desktop Consumer

      Pownce and PownceAIM
   I’d like to get alerts about new
         Pownce notes via AIM.
OMG! Need to log in!
Login with service provider


                  service provider’s site!
Authorize

        click “Okay!”
Authorized!
 Return to
desktop app.
Desktop flow
Request Token!
• PownceAIM asks Pownce for a request token (API call)
• Pownce returns a request token
  ...
Authorize!
• user sent to Pownce with request token in URL (user follows link)
• user logs in and/or authorizes PownceAIM
• user tells PownceAIM that auth is complete
  ...
Access Token!
• PownceAIM asks for access token with authorized request token (API call)
• request token exchanged for access token
• PownceAIM stores access token
Basic Authorization Process
           1. Obtain request token

           2. User authorizes
           request token

           3. Exchange request token
           for access token

           4. Use access token to
           obtain protected resources
OAuth Setup

• Service provider gives documentation of
  authorization URLs and methods

• Consumer registers an application with the
  service provider
Service Provider
     Documentation
• Request token endpoint
• Authorization endpoint
• Access token endpoint
• Accepted request method(s) (GET, POST,
  PUT, etc...)
• Signature method(s)
• Extra parameters (non-oauth)
• Any specific notes about OAuth for that
  provider
Pownce API Documentation




https://pownce.pbwiki.com/API%20Documentation2-0#VerifyAuth
Register a Consumer
        Application

• Consumer gives service provider data
  about the application (name, creator, url
  etc...)

• Service provider assigns the application a
  consumer key and consumer secret
Registering a Fire Eagle Application

consumer app sign up page
https://fireeagle.yahoo.net/developer/create
Registering a Fire Eagle Application
                         Done!



oooh!




          https://fireeagle.yahoo.net/developer/manage
OAuth Objects -
         Consumer
consumer key
 • assigned during consumer registration
 • passed as a request parameter

consumer secret
 • assigned during consumer registration
 • used for signing (e.g. HMAC-SHA1)
OAuth Objects -
  Consumer
OAuth Objects - Token
token key
    • unique string granted by service provider
    • passed as a request parameter
    • same variable name (oauth_token_key) for
    both request and access type tokens
token secret
    • also granted by service provider
    • same variable name (oauth_token_secret)
    for both request and access type tokens
OAuth Objects - Token
OAuth Parameters
• oauth_consumer_key
• oauth_token
• oauth_signature
• oauth_signature_method
• oauth_timestamp
• oauth_nonce
• oauth_version
Where is this
  information passed?
         (in order of preference)

• HTTP Authorization header
• HTTP POST request body (form params)
• URL query string parameters
Timestamp and Nonce
oauth_timestamp
   •    seconds since Unix epoch (unless otherwise specified
        by service provider)
   •    must be equal or greater than previous request

oauth_nonce
    •   random string per timestamp / request
    •   attempt to stop replay attacks
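As an added example (not code from the slides or from the python-oauth library), here is the service-provider side check the two bullets above describe: a timestamp that may not go backwards for a given consumer/token, and a nonce that is accepted once per timestamp, so a replayed request is refused. The 300-second freshness window and the in-memory store are assumptions; a real provider keeps this state in shared storage.

```python
import time


class ReplayGuard:
    """Service-provider side oauth_timestamp / oauth_nonce validation for OAuth 1.0.

    Rules, following the slide:
      * oauth_timestamp is seconds since the Unix epoch and must be equal or
        greater than the previous accepted request from the same consumer/token
      * oauth_nonce must be unique per timestamp, so a replayed request is rejected
    The acceptance window is an assumption (not from the slide); it bounds how much
    nonce state the provider has to remember.
    """

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        # (consumer_key, token) -> last accepted timestamp
        self.last_timestamp = {}
        # (consumer_key, token, timestamp, nonce) -> True for every accepted request
        self.seen_nonces = {}

    def _prune(self, now: int) -> None:
        """Forget nonces whose timestamp could no longer pass the window check."""
        cutoff = now - self.window
        stale = [key for key in self.seen_nonces if key[2] < cutoff]
        for key in stale:
            del self.seen_nonces[key]

    def check(self, consumer_key: str, token: str, timestamp: str, nonce: str, now=None):
        """Return (accepted, reason). 'now' is injectable so the check is testable."""
        now = int(time.time()) if now is None else int(now)
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False, "oauth_timestamp is not an integer"
        if abs(now - ts) > self.window:
            return False, "oauth_timestamp outside acceptance window"
        if not nonce:
            return False, "oauth_nonce missing"
        ident = (consumer_key, token)
        # equal is allowed: several requests may share one second, told apart by nonce
        if ts < self.last_timestamp.get(ident, 0):
            return False, "oauth_timestamp older than previous request"
        self._prune(now)
        nonce_key = (consumer_key, token, ts, nonce)
        if nonce_key in self.seen_nonces:
            return False, "oauth_nonce already used"
        self.seen_nonces[nonce_key] = True
        self.last_timestamp[ident] = ts
        return True, "ok"


if __name__ == "__main__":
    # Consumer key, timestamp and nonce taken from the PownceAIM slides; 'now' is constructed.
    guard = ReplayGuard()
    ck = "nbe958225r999a706d1u4qgwx2nx9e8j"
    print(guard.check(ck, "", "1211257266", "9BD703ED-EBA0-4B79-B9F2-AA09C9945D4B", now=1211257270))
    print(guard.check(ck, "", "1211257266", "9BD703ED-EBA0-4B79-B9F2-AA09C9945D4B", now=1211257271))
```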
Signing Requests
oauth_signature_method
   •    HMAC-SHA1
   •    RSA-SHA1
   •    PLAINTEXT

oauth_signature
   •   string constructed according to the chosen signature
       method
Signing Requests
Signature Methods
             HMAC-SHA1
  • construct the signature base string by joining
    the following with a ‘&’:
   1. http request method (e.g. GET)
   2. http url (endpoint url)
   3. normalized request parameters (sorted by
      name)
  • key = encoded consumer secret and token
    secret separated by an ‘&’
Signature Methods
          HMAC-SHA1
Signature Methods
               HMAC-SHA1
Example base string:
 GET
 &http%3A%2F%2Fapi.pownce.com%2Fauth%2Fverify.xml
 &oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j
 %26oauth_nonce%3DD81FBEDC-1050-40EE-B899-21A1E07C4EC5
 %26oauth_signature_method%3DHMAC-SHA1
 %26oauth_timestamp%3D1211254098
 %26oauth_token%3D0qic7f318nj42ogm
 %26oauth_version%3D1.0
Example signature:
 oauth_signature="UFHiNYSf++3N18oTZ864IAGlvxU%3D"
Signature Methods

             PLAINTEXT

  • should be used over a secure channel (SSL)
  • no base string
  • url-encoded consumer secret and token
    secret separated by an ‘&’
Signature Methods

               PLAINTEXT




Ex:
   oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3
Signature Methods

               RSA-SHA1

  • sign the signature base string with
    Consumer’s RSA private key
  • verify with Consumer’s RSA public key
  • same signature base string as HMAC-SHA1
  • still in development for most OAuth libraries
Big Fatty Example
PownceAIM and Pownce




warning: screen shots might not match text.
PownceAIM asks Pownce for a request token (API call):

  Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="7A4blmAxXMDPmCQuTBR4CocpdNo%3D",
  oauth_timestamp="1211257266",
  oauth_nonce="9BD703ED-EBA0-4B79-B9F2-AA09C9945D4B",
  oauth_version="1.0"

Pownce returns a request token:

  oauth_token_secret=f23dzf5l79o2q23y&oauth_token=3fjay66o4x78j4c8

user sent to Pownce with request token in URL (user follows link):

  http://api.pownce.com/oauth/authorize?oauth_token=3fjay66o4x78j4c8

user logs in and/or authorizes PownceAIM
(let’s pretend the user is logged in to the Pownce site)

  click “Okay!”

user tells PownceAIM that auth is complete
(cue to PownceAIM that the request token has been authorized)

PownceAIM asks for access token with authorized request token (API call):

  Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_token="3fjay66o4x78j4c8",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="6A87eXJ8MimMnCHfRM1hedEPHG4%3D",
  oauth_timestamp="1211258114",
  oauth_nonce="F85482A6-B1BC-4580-95B2-0E51300CBEF7",
  oauth_version="1.0"

request token exchanged for access token; PownceAIM stores the access token:

  oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2

PownceAIM asks for protected resource (note list) with the access token (API call):

  Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_token="oixvd0538vmw3hm2",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3D",
  oauth_timestamp="1211258746",
  oauth_nonce="DE648679-003B-42B5-806A-F185D0714EEB",
  oauth_version="1.0"

Pownce returns API data:

  <?xml version="1.0" encoding="utf-8"?>
  <notes>
    <note>
      <body>Check out my website Leah!</body>
      <permalink>http://pownce.com/iamcal/notes/2211344/</permalink>
      <sender>
        <user>
          <username>iamcal</username>
          ...
Managing Tokens


• request token expiration
• access token expiration
• end user token management
Token Management




http://pownce.com/settings/applications
HTTP Errors
• 400 Bad Request
 • unsupported parameter
 • unsupported signature method
 • missing required parameter
 • duplicate OAuth parameter
• 401 Unauthorized
 • invalid consumer key
 • invalid / expired token
 • invalid signature (signature does not match)
 • invalid / used nonce
Common Errors
• signature does not match
 • providers can show expected base string
• token is invalid
 • expired? wrong type of token?
• request token unauthorized
 • user needs to login to authorize the
     request token
Testing Tools


• web-based test server and client by Andy
  Smith (http://term.ie/oauth/example)
• Endpointr, mac desktop app by Jon Crosby
Issues

• service provider documentation
• files
• granular permissions
• timestamp and nonce verification
• vague token expiration, consumers check
  for expired tokens
Current Status
• OAuth Core 1.0 Final (Dec 2007)
• OAuth Discovery 1.0 Draft 2
• Libraries:
  • coldfusion
  • csharp
  • java
  • javascript
  • maven
  • obj-c
  • obj-c1
  • perl
  • php
  • python
  • ruby
Service Provider
     Implementations
• 88 Miles
• Google Contacts API
• Ma.gnolia
• Pownce
• Thmbnl
• Yahoo! Fire Eagle
http://wiki.oauth.net/ServiceProviders
More Info

• main site: http://oauth.net
• spec: http://oauth.net/core/1.0
• code: http://code.google.com/p/oauth
• mailing list: http://groups.google.com/group/oauth
• wiki: http://wiki.oauth.net
• Pownce API: http://pownce.com/api
Thanks!




     ugly logo!

The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
Debmalya Biswas
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 

Recently uploaded (20)

Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 

Implementing OAuth

2. Pownce and OAuth
• Pownce launched (June 2007)
• developers wanted an API
• became involved with OAuth (Aug 2007)
• public read-only API (Oct 2007)
• full API with OAuth (Mar 2008)
• 200+ apps built on Pownce API

3. Me and OAuth
• an author of the specification
• wrote first library (Python)
• maintain Python library
• maintain Pownce API OAuth implementation

4. What is OAuth?
A simple open standard for secure API authentication.
http://oauth.net

5. The (API) Love Triangle
End User
Web Service (“Service Provider”)
3rd Party App (“Consumer Application”), e.g. Pownce AIM bot

6. Specifically OAuth is...
• Authentication: need to log in to access parts of a website. ex: bookmark a link, post a photo, add a friend, view a private message
• Token-based Authentication: logged-in user has a unique token used to access data from the site

7. Just like...
• Flickr Auth
• Google’s AuthSub
• Yahoo’s BBAuth
• Facebook Auth
• and others...
http://flickr.com/photos/bees/2504039638/

9. Who is it for?
• Service Providers - have a web API that needs authorization for certain functions
• Consumers - want to use an API that requires (or encourages) OAuth

10. Goals: Be Simple
• standard for website API authentication
• consistent for developers
• easy for end users to understand *
* this is hard

11. Goals: Be Secure
• secure for end users
• easy to implement security features for website developers
• 3rd party developers don’t have access to passwords
• balance security with ease of use

12. Goals: Be Open
• any website can implement OAuth
• any 3rd party developer can use OAuth
• open source client libraries
• community-designed technical specifications

13. Goals: Be Flexible
• authentication method agnostic
• users don’t need a username and password
• can use OpenID (or not!)
• whatever auth works best for the service
• 3rd party developers don’t handle auth

14. Is OAuth different from OpenID?
Yes. (short answer)

15. Is OAuth different from OpenID?
OpenID - user identification by provider URL, login on provider site.
OAuth - API authorization and permissions, any form of user identification, login on provider site.
(medium answer)

16. Is OAuth different from OpenID?
http://www.pointy-stick.com/blog/2008/03/13/explanation-difference-between-openid-and-oauth/
(long answer)

17. What the end user sees... Web Consumer
Ma.gnolia and Nsyght
“I’d like to search my Ma.gnolia bookmarks via social search engine Nsyght.”

18. OMG! Need to log in!

19. Login with service provider
service provider’s site!
alternative login method, not username/password

21. Done!

22. Web flow: Request Token!
Nsyght -> Ma.gnolia: API call asks for request token
Ma.gnolia -> Nsyght: returns request token

23. Web flow: Authorize!
Nsyght -> Ma.gnolia: user sent HTTP redirect to Ma.gnolia with request token in URL
Ma.gnolia: user logs in and/or authorizes Nsyght
Ma.gnolia -> Nsyght: user redirected back to Nsyght with (authorized) request token

24. Web flow: Access Token!
Nsyght -> Ma.gnolia: API call asks for access token with authorized request token
Ma.gnolia -> Nsyght: request token exchanged for access token
Nsyght stores access token

25. use the access token...
by Blaine Cook

26. What the end user sees... Desktop Consumer
Pownce and PownceAIM
“I’d like to get alerts about new Pownce notes via AIM.”

27. OMG! Need to log in!

28. Login with service provider
service provider’s site!

29. Authorize
click “Okay!”

31. Desktop flow: Request Token!
PownceAIM -> Pownce: API call asks for request token
Pownce -> PownceAIM: returns request token

32. Desktop flow: Authorize!
PownceAIM -> Pownce: user sent to Pownce (user follows link) with request token in URL
Pownce: user logs in and/or authorizes PownceAIM
user tells PownceAIM that auth is complete

33. Desktop flow: Access Token!
PownceAIM -> Pownce: API call asks for access token with authorized request token
Pownce -> PownceAIM: request token exchanged for access token
PownceAIM stores access token

34. Basic Authorization Process
1. Obtain request token
2. User authorizes request token
3. Exchange request token for access token
4. Use access token to obtain protected resources
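The four steps above, seen from the service provider's side, as an added example that is not Pownce's or the python-oauth library's code: a small token store that issues a request token, binds it to the user who authorized it on the provider's own site, exchanges it exactly once for an access token, and lets the user revoke access later (slide 63). Request signing is left out here; the request-token lifetime (600 s) and the hex token format are assumptions, and the consumer key is the one from the Pownce screenshots.

```python
# Added example, not Pownce's or the python-oauth library's code: a minimal
# service-provider token store that walks the four steps of slide 34, in the
# shape of the desktop flow of slides 31-33.  Request signing is left out here;
# the request-token lifetime and the hex token format are assumptions.
import secrets
import time


class OAuthError(Exception):
    """Reason the service provider would send back with a 401."""


class TokenStore:
    def __init__(self, consumers, now=time.time, request_ttl=600):
        self.consumers = consumers            # consumer key -> consumer secret
        self.now, self.request_ttl = now, request_ttl
        self.request_tokens = {}              # token key -> record
        self.access_tokens = {}               # token key -> record

    @staticmethod
    def new_credentials():
        return secrets.token_hex(8), secrets.token_hex(16)   # (key, secret); assumed format

    # Step 1: consumer asks for a request token (slide 31).
    def issue_request_token(self, consumer_key):
        if consumer_key not in self.consumers:
            raise OAuthError("401 invalid consumer key")
        key, secret = self.new_credentials()
        self.request_tokens[key] = {"secret": secret, "consumer": consumer_key,
                                    "user": None, "issued": self.now()}
        return key, secret

    # Step 2: the user logs in on the provider's own site and clicks Okay (slide 32);
    # the token is bound to that user, never to credentials the consumer saw.
    def authorize(self, token, username):
        self.live_request(token)["user"] = username

    # Step 3: consumer exchanges the authorized request token (slide 33).
    def exchange(self, consumer_key, token):
        rec = self.live_request(token)
        if rec["consumer"] != consumer_key:
            raise OAuthError("401 invalid / expired token")   # issued to another consumer
        if rec["user"] is None:
            raise OAuthError("401 request token unauthorized")
        del self.request_tokens[token]                        # single use
        key, secret = self.new_credentials()
        self.access_tokens[key] = {"secret": secret, "consumer": consumer_key, "user": rec["user"]}
        return key, secret

    # Step 4: the access token names the user on whose behalf the consumer acts.
    def user_for(self, consumer_key, access_token):
        rec = self.access_tokens.get(access_token)
        if rec is None or rec["consumer"] != consumer_key:
            raise OAuthError("401 invalid / expired token")
        return rec["user"]

    # Slide 63, end user token management: the user can pull a consumer's access.
    def revoke(self, username):
        doomed = [k for k, r in self.access_tokens.items() if r["user"] == username]
        for key in doomed:
            del self.access_tokens[key]
        return len(doomed)

    def live_request(self, token):
        rec = self.request_tokens.get(token)
        if rec is None:
            raise OAuthError("401 invalid / expired token")
        if self.now() - rec["issued"] > self.request_ttl:
            del self.request_tokens[token]
            raise OAuthError("401 invalid / expired token")
        return rec


def desktop_flow(store, consumer_key, username):
    """Run the PownceAIM-style flow; returns (user seen through the access token, errors hit)."""
    req, _ = store.issue_request_token(consumer_key)
    errors = {}
    try:                                   # exchanging before the user has authorized fails
        store.exchange(consumer_key, req)
    except OAuthError as err:
        errors["early exchange"] = str(err)
    store.authorize(req, username)         # user follows the link, logs in, clicks Okay
    access, _ = store.exchange(consumer_key, req)
    try:                                   # the request token was consumed by the exchange
        store.exchange(consumer_key, req)
    except OAuthError as err:
        errors["second exchange"] = str(err)
    return store.user_for(consumer_key, access), errors
```

The two failed exchanges are the "request token unauthorized" and "token is invalid" cases of slide 66: the first because the user has not yet clicked Okay, the second because a request token is consumed by its exchange, so a leaked or replayed one is worthless afterwards.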
35. OAuth Setup
• Service provider gives documentation of authorization URLs and methods
• Consumer registers an application with the service provider

36. Service Provider Documentation
• Request token endpoint
• Authorization endpoint
• Access token endpoint
• Accepted request method(s) (GET, POST, PUT, etc...)
• Signature method(s)
• Extra parameters (non-oauth)
• Any specific notes about OAuth for that provider

38. Register a Consumer Application
• Consumer gives service provider data about the application (name, creator, url etc...)
• Service provider assigns the application a consumer key and consumer secret

39. Registering a Fire Eagle Application
consumer app sign up page
https://fireeagle.yahoo.net/developer/create

40. Registering a Fire Eagle Application
Done! oooh!
https://fireeagle.yahoo.net/developer/manage

41. OAuth Objects - Consumer
consumer key
• assigned during consumer registration
• passed as a request parameter
consumer secret
• assigned during consumer registration
• used for signing (e.g. HMAC-SHA1)

42. OAuth Objects - Consumer

43. OAuth Objects - Token
token key
• unique string granted by service provider
• passed as a request parameter
• same variable name (oauth_token_key) for both request and access type tokens
token secret
• also granted by service provider
• same variable name (oauth_token_secret) for both request and access type tokens

45. OAuth Parameters
• oauth_consumer_key
• oauth_token
• oauth_signature
• oauth_signature_method
• oauth_timestamp
• oauth_nonce
• oauth_version

46. Where is this information passed? (in order of preference)
• HTTP Authorization header
• HTTP POST request body (form params)
• URL query string parameters

47. Timestamp and Nonce
oauth_timestamp
• seconds since Unix epoch (unless otherwise specified by service provider)
• must be equal or greater than previous request
oauth_nonce
• random string per timestamp / request
• attempt to stop replay attacks

48. Signing Requests
oauth_signature_method
• HMAC-SHA1
• RSA-SHA1
• PLAINTEXT
oauth_signature
• string constructed according to the chosen signature method

50. Signature Methods: HMAC-SHA1
• construct the signature base string by joining the following with a ‘&’:
  1. http request method (e.g. GET)
  2. http url (endpoint url)
  3. normalized request parameters (sorted by name)
• key = encoded consumer secret and token secret separated by an ‘&’

51. Signature Methods: HMAC-SHA1

52. Signature Methods: HMAC-SHA1
Example base string:
GET&http%3A%2F%2Fapi.pownce.com%2Fauth%2Fverify.xml&oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j%26oauth_nonce%3DD81FBEDC-1050-40EE-B899-21A1E07C4EC5%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1211254098%26oauth_token%3D0qic7f318nj42ogm%26oauth_version%3D1.0
Example signature:
oauth_signature="UFHiNYSf++3N18oTZ864IAGlvxU%3D"

53. Signature Methods: PLAINTEXT
• should be used over a secure channel (SSL)
• no base string
• url-encoded consumer secret and token secret separated by an ‘&’

54. Signature Methods: PLAINTEXT
Ex: oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3

55. Signature Methods: RSA-SHA1
• sign the signature base string with the Consumer’s RSA private key
• verify with Consumer’s RSA public key
• same signature base string as HMAC-SHA1
• still in development for most OAuth libraries

56. Big Fatty Example
PownceAIM and Pownce
warning: screen shots might not match text.

57. PownceAIM -> Pownce: API call asks for request token
Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="7A4blmAxXMDPmCQuTBR4CocpdNo%3D",
  oauth_timestamp="1211257266",
  oauth_nonce="9BD703ED-EBA0-4B79-B9F2-AA09C9945D4B",
  oauth_version="1.0"
Pownce -> PownceAIM: returns request token
oauth_token_secret=f23dzf5l79o2q23y&oauth_token=3fjay66o4x78j4c8

58. PownceAIM -> Pownce: user sent to Pownce (user follows link) with request token in URL; user logs in and/or authorizes PownceAIM
http://api.pownce.com/oauth/authorize?oauth_token=3fjay66o4x78j4c8

59. let’s pretend the user is logged in to the Pownce site
click “Okay!”

60. PownceAIM: cue to PownceAIM that request token has been authorized
user tells PownceAIM that auth is complete

61. PownceAIM -> Pownce: API call asks for access token with authorized request token
Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_token="3fjay66o4x78j4c8",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="6A87eXJ8MimMnCHfRM1hedEPHG4%3D",
  oauth_timestamp="1211258114",
  oauth_nonce="F85482A6-B1BC-4580-95B2-0E51300CBEF7",
  oauth_version="1.0"
Pownce -> PownceAIM: request token exchanged for access token; PownceAIM stores access token
oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2

62. PownceAIM -> Pownce: API call asks for protected resource (note list)
Authorization: OAuth realm="http://api.pownce.com/",
  oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",
  oauth_token="oixvd0538vmw3hm2",
  oauth_signature_method="HMAC-SHA1",
  oauth_signature="YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3D",
  oauth_timestamp="1211258746",
  oauth_nonce="DE648679-003B-42B5-806A-F185D0714EEB",
  oauth_version="1.0"
Pownce -> PownceAIM: return API data
<?xml version="1.0" encoding="utf-8"?>
<notes>
  <note>
    <body>Check out my website Leah!</body>
    <permalink>http://pownce.com/iamcal/notes/2211344/</permalink>
    <sender>
      <user>
        <username>iamcal</username>
        ...

63. Managing Tokens
• request token expiration
• access token expiration
• end user token management

65. HTTP Errors
• 400 Bad Request
  • unsupported parameter
  • unsupported signature method
  • missing required parameter
  • duplicate OAuth parameter
• 401 Unauthorized
  • invalid consumer key
  • invalid / expired token
  • invalid signature (signature does not match)
  • invalid / used nonce

66. Common Errors
• signature does not match
  • providers can show expected base string
• token is invalid
  • expired? wrong type of token?
• request token unauthorized
  • user needs to login to authorize the request token
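The HMAC-SHA1 signing of slides 50-52, the timestamp and nonce rules of slide 47 and the 400 / 401 responses of slides 65-66, worked through in one added example that is not Pownce's or the python-oauth library's code. The consumer side builds the base string and signature; the provider side recomputes the signature from its own copies of the secrets, compares in constant time, and refuses a backwards timestamp or a reused (timestamp, nonce) pair. The credentials and nonce are the test vector from OAuth Core 1.0 Appendix A (photos.example.net), not Pownce's; a real provider would also bound how far a timestamp may drift from its clock, which the slide does not specify and the code leaves out.

```python
# Added example, not Pownce's or the python-oauth library's code: OAuth Core 1.0
# HMAC-SHA1 signing on the consumer side (slides 50-52) and verification on the
# service-provider side, with the timestamp / nonce rules of slide 47 and the
# 400 / 401 outcomes of slides 65-66.  Credentials are OAuth Core 1.0 Appendix A.
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """OAuth percent-encoding: only RFC 3986 unreserved characters pass through."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Slide 50: METHOD & encoded endpoint URL & encoded normalized parameters
    (oauth_* and query parameters sorted by name; url carries no query string)."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_sign(method, url, params, consumer_secret, token_secret=""):
    """Key = encoded consumer secret '&' encoded token secret (empty before a token
    exists); signature = base64 of HMAC-SHA1 over the base string."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class ProviderError(Exception):
    def __init__(self, status, reason):    # HTTP status and reason of slide 65
        super().__init__(f"{status} {reason}")
        self.status, self.reason = status, reason


class ServiceProvider:
    REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature",
                "oauth_timestamp", "oauth_nonce")

    def __init__(self, consumers, tokens):
        self.consumers, self.tokens = consumers, tokens   # key -> secret maps
        self.seen = set()      # (consumer key, timestamp, nonce) already accepted
        self.last_ts = {}      # consumer key -> last accepted timestamp

    def verify(self, method, url, params):
        """Check one signed request; params = oauth_* and query parameters (slide 46)."""
        missing = [n for n in self.REQUIRED if n not in params]
        if missing:
            raise ProviderError(400, f"missing required parameter {missing[0]}")
        if params["oauth_signature_method"] != "HMAC-SHA1":
            raise ProviderError(400, "unsupported signature method")
        if not params["oauth_timestamp"].isdigit():
            raise ProviderError(400, "unsupported parameter oauth_timestamp")
        ckey, nonce = params["oauth_consumer_key"], params["oauth_nonce"]
        ts = int(params["oauth_timestamp"])
        secret = self.consumers.get(ckey)
        if secret is None:
            raise ProviderError(401, "invalid consumer key")
        token_secret = self.tokens.get(params["oauth_token"]) if "oauth_token" in params else ""
        if token_secret is None:
            raise ProviderError(401, "invalid / expired token")
        if ts < self.last_ts.get(ckey, 0):            # slide 47: never goes backwards
            raise ProviderError(401, "invalid timestamp")
        if (ckey, ts, nonce) in self.seen:             # slide 47: one use per nonce
            raise ProviderError(401, "invalid / used nonce")
        signed = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_sign(method, url, signed, secret, token_secret)
        if not hmac.compare_digest(expected, params["oauth_signature"]):
            raise ProviderError(401, "invalid signature (signature does not match)")
        self.seen.add((ckey, ts, nonce))   # record only after the signature checks out
        self.last_ts[ckey] = ts
        return signed


# OAuth Core 1.0 Appendix A vector:
# GET http://photos.example.net/photos?file=vacation.jpg&size=original
APPENDIX_A = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
              "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
              "file": "vacation.jpg", "size": "original"}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
PHOTOS_URL = "http://photos.example.net/photos"


def demo():
    """Sign the Appendix A request, then show the provider a tampered copy, the
    genuine request and a replay of it.  Returns {case: (status, reason)}."""
    sig = hmac_sha1_sign("GET", PHOTOS_URL, APPENDIX_A, CONSUMER_SECRET, TOKEN_SECRET)
    provider = ServiceProvider({"dpf43f3p2l4k3l03": CONSUMER_SECRET},
                               {"nnch734d00sl2jdk": TOKEN_SECRET})
    signed = dict(APPENDIX_A, oauth_signature=sig)
    results = {"signature": sig}
    for case, request in (("tampered", dict(signed, size="large")),
                          ("genuine", signed), ("replay", signed)):
        try:
            provider.verify("GET", PHOTOS_URL, request)
            results[case] = (200, "ok")
        except ProviderError as err:
            results[case] = (err.status, err.reason)
    return results
```

Feeding base_string() the parameters from slide 52 reproduces that slide's base string exactly, which is the "providers can show expected base string" debugging aid of slide 66: when a signature does not match, comparing the two base strings side by side usually shows the missing parameter or the wrong encoding at once. The tampered case changes a query parameter after signing and fails the signature check; the replay of the genuine request fails on the nonce, even though its signature is still valid.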
67. Testing Tools
• web-based test server and client by Andy Smith (http://term.ie/oauth/example)
• Endpointr, mac desktop app by Jon Crosby

68. Issues
• service provider documentation
• files
• granular permissions
• timestamp and nonce verification
• vague token expiration, consumers check for expired tokens

69. Current Status
• OAuth Core 1.0 Final (Dec 2007)
• OAuth Discovery 1.0 Draft 2
• Libraries: coldfusion, csharp, java, javascript, maven, obj-c, obj-c1, perl, php, python, ruby

70. Service Provider Implementations
• 88 Miles
• Google Contacts API
• Ma.gnolia
• Pownce
• Thmbnl
• Yahoo! Fire Eagle
http://wiki.oauth.net/ServiceProviders

71. More Info
• main site: http://oauth.net
• spec: http://oauth.net/core/1.0
• code: http://code.google.com/p/oauth
• mailing list: http://groups.google.com/group/oauth
• wiki: http://wiki.oauth.net
• Pownce API: http://pownce.com/api

72. Thanks!
ugly logo!