SlideShare a Scribd company logo

OAuth簡介

F
firestoke

OAuth protocol, a security mechanism for different web sites to retrieve data.

1 of 12
Download to read offline
OAuth Protocol 簡介 by david
目的 ➲ An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. ➲ 為了提供讓第三方軟體取得網路服務的被保護使用者資料 ➲ 共同公開標準的 API 取得授權流程 User Consumer Service Provider
取得授權流程
OAuth App Sample: Twitter
如何產生認證簽署 (Signature) ➲ HMAC-SHA1 ● var sig = b64_hmac_sha1(key, baseString); ● RFC2104 ➲ RSA-SHA1 ● RFC3447 section 8.2 ➲ PLAINTEXT ● 建議只有在 SSL 加密時才使用
Signature Key via HMAC-SHA1 ➲ Format: ● [consumer secret]&[token secret] ● token secret 即使是空值, & 符號仍然要保留 ➲ Example: ● 8vHfFq5mPB46AUjO7PtWGgFJcpAI1VfEyNA5F6Hh&
Signature Base String via HMAC- SHA1 ➲ Format: ● [http method]&[request url]&[request parameter string] ● request query string 必須要照字母排序 ● request url 及 request parameter string 都必須經過編碼 (javascript: encodeURIComponent) ➲ Request Parameter String Example: ● oauth_consumer_key=5rxRZZUSI2T00KIyLIMQAA &oauth_nonce=2998391270622 &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1267410026 &oath_version=1.0 ➲ Example: ● GET&http%3A%2F%2Ftwitter.com%2Foauth %2Frequest_token&oauth_consumer_key %3D5rxRZZUSI2T00KIyLIMQAA%26oauth_nonce %3D2998391270622%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1267410026%26oauth_version %3D1.0
OAuth Requset Example (request token) ➲ Authorization: OAuth oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTS MK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
Demo http://localhost/prototype/test_oauth.jsp
OAuth Authorize Page: Twitter http://twitter.com/oauth/authorize/? oauth_token=[received token value]
參考資料 ➲ OAuth 1.0 Spec - http://oauth.net/core/1.0/ ➲ OAuth Library - http://oauth.net/code/ ● Java ● Javascript ● PHP ● Ruby ● ... ➲ MHAC-SHA1 [RFC2104] http://tools.ietf.org/html/rfc2104
Thank You!

Recommended

REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017
Cloud Native Day Tel Aviv
 
Rest is bad
Rest is badRest is bad
Rest is bad
Kfir Bloch
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Proxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trendsProxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trends
Proxies Rent
 
對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談
Jerry
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
Engage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data CollectionEngage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data CollectionWebtrends
 
Android webservices
Android webservicesAndroid webservices
Android webservicesKrazy Koder
 

Recommended

REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017
Cloud Native Day Tel Aviv
 
Rest is bad
Rest is badRest is bad
Rest is bad
Kfir Bloch
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Proxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trendsProxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trends
Proxies Rent
 
對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談
Jerry
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
Engage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data CollectionEngage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data CollectionWebtrends
 
Android webservices
Android webservicesAndroid webservices
Android webservicesKrazy Koder
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebertgeeksec80
 
Django and Nginx reverse proxy cache
Django and Nginx reverse proxy cacheDjango and Nginx reverse proxy cache
Django and Nginx reverse proxy cache
Anton Pirker
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Anex....,,,.
Anex....,,,.Anex....,,,.
Anex....,,,.Carlos Catanejo
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
sullis
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net application
codeandyou forums
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Phishsense
PhishsensePhishsense
Phishsense
Lorenzo Eccher
 
Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?
VMware Tanzu
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
Aman Singh
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitch
Lior Rotkovitch
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear DesBear Li
 
SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談
tsunghaolee
 
CSS架構如何加速功能開發
CSS架構如何加速功能開發CSS架構如何加速功能開發
CSS架構如何加速功能開發
Oliver Lin
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
Wim Godden
 
Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思
Adam Wang
 
淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2
Wen-Tien Chang
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 

More Related Content

What's hot

02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebertgeeksec80
 
Django and Nginx reverse proxy cache
Django and Nginx reverse proxy cacheDjango and Nginx reverse proxy cache
Django and Nginx reverse proxy cache
Anton Pirker
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
sullis
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net application
codeandyou forums
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Phishsense
PhishsensePhishsense
Phishsense
Lorenzo Eccher
 
Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?
VMware Tanzu
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
Aman Singh
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitch
Lior Rotkovitch
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 

What's hot (15)

02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebert
 
Django and Nginx reverse proxy cache
Django and Nginx reverse proxy cacheDjango and Nginx reverse proxy cache
Django and Nginx reverse proxy cache
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
Anex....,,,.
Anex....,,,.Anex....,,,.
Anex....,,,.
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net application
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
Phishsense
PhishsensePhishsense
Phishsense
 
Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitch
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 

Viewers also liked

GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear DesBear Li
 
SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談
tsunghaolee
 
CSS架構如何加速功能開發
CSS架構如何加速功能開發CSS架構如何加速功能開發
CSS架構如何加速功能開發
Oliver Lin
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
Wim Godden
 
Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思
Adam Wang
 
淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2
Wen-Tien Chang
 

Viewers also liked (6)

GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear
 
SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談
 
CSS架構如何加速功能開發
CSS架構如何加速功能開發CSS架構如何加速功能開發
CSS架構如何加速功能開發
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思
 
淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2
 

Similar to OAuth簡介

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
Ismael Costa
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
Torsten Lodderstedt
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
Clément OUDOT
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
Securing APIs
Securing APIsSecuring APIs
Securing APIsWSO2
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
KAI CHU CHUNG
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
leahculver
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 

Similar to OAuth簡介 (20)

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 

Recently uploaded

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 

Recently uploaded (20)

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

OAuth簡介

  • 2. 目的 ➲ An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. ➲ 為了提供讓第三方軟體取得網路服務的被保護使用者資料 ➲ 共同公開標準的 API 取得授權流程 User Consumer Service Provider
  • 5. 如何產生認證簽署 (Signature) ➲ HMAC-SHA1 ● var sig = b64_hmac_sha1(key, baseString); ● RFC2104 ➲ RSA-SHA1 ● RFC3447 section 8.2 ➲ PLAINTEXT ● 建議只有在 SSL 加密時才使用
  • 6. Signature Key via HMAC-SHA1 ➲ Format: ● [consumer secret]&[token secret] ● token secret 即使是空值, & 符號仍然要保留 ➲ Example: ● 8vHfFq5mPB46AUjO7PtWGgFJcpAI1VfEyNA5F6Hh&
  • 7. Signature Base String via HMAC- SHA1 ➲ Format: ● [http method]&[request url]&[request parameter string] ● request query string 必須要照字母排序 ● request url 及 request parameter string 都必須經過編碼 (javascript: encodeURIComponent) ➲ Request Parameter String Example: ● oauth_consumer_key=5rxRZZUSI2T00KIyLIMQAA &oauth_nonce=2998391270622 &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1267410026 &oath_version=1.0 ➲ Example: ● GET&http%3A%2F%2Ftwitter.com%2Foauth %2Frequest_token&oauth_consumer_key %3D5rxRZZUSI2T00KIyLIMQAA%26oauth_nonce %3D2998391270622%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1267410026%26oauth_version %3D1.0
  • 8. OAuth Requset Example (request token) ➲ Authorization: OAuth oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTS MK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
  • 10. OAuth Authorize Page: Twitter http://twitter.com/oauth/authorize/? oauth_token=[received token value]
  • 11. 參考資料 ➲ OAuth 1.0 Spec - http://oauth.net/core/1.0/ ➲ OAuth Library - http://oauth.net/code/ ● Java ● Javascript ● PHP ● Ruby ● ... ➲ MHAC-SHA1 [RFC2104] http://tools.ietf.org/html/rfc2104