My presentation outlining and explaining the core concepts behind OAuth, presented to the online ColdFusion Meetup June 9th 2011 and at Scotch on the Rocks, 3rd March 2011
Shows how to be an oauth consumer and provider from PHP - OAuth 1 - including handling of tokens, secrets, and handling the workflow for devices. Also covers the workflow for OAuth 2
The Future of Social Media: 50+ Expects Share Their 2014 PredictionsBusiness 2 Community
In 2013, we saw a significant rise in video and photo sharing as Instagram, Snapchat and similar platforms helped make "selfie" the word of the year. Twitter also held their much anticipated IPO and "experts" claimed that Facebook was dead. Here is a look at 50+ social media predictions for 2014.
[POMP 2013] Primož Inkret - Kako zgraditi vrhunsko CM strategijo v 13 korakihPM, poslovni mediji
Kreativnost je vez med potrebami podjetja in ciljne skupine
Specialist za razvoj sodobnih komunikacijskih orodij in spletnih rešitev. Po presoji vodilnih strokovnjakov s področja interneta in multimedijev eden najboljših spletnih urednikov na svetu.
Primož Inkret je na podlagi razumevanja vloge komunikacijskih aktivnosti z zornega kota poslovne strategije zasnoval številne nove medije, med drugim tudi prvo slovensko interaktivno spletno revijo Egoist. Leta 2010 je bil za zasnovo in urejanje interaktivnih spletnih revij Pazi nase (Zavarovalnica Triglav) in Carzine (Porsche Slovenija) imenovan za najboljšega urednika na svetu.
Strokovno znanje pri svojem delu črpa iz dolgoletnih izkušenj s področij marketinga in trženja, odnosov z javnostmi in urednikovanja ter znanj pridobljenih na mednarodnih strokovnih konferencah s področja vsebinskega marketinga in korporativnega založništva. Poglobljeno poznavanje klasičnih in novih medijev ter poslovnih strategij podjetji so osnove na katerih pripravlja zahtevne koncepte za korporativne medije, ki ustrezno in kreativno povezujejo potrebe podjetja in ciljne skupine.
Primož Inkret je soustanovitelj in partner specializirane komunikacijske agencije PM, poslovni mediji, ki s strateško rabo orodji vsebinskega marketinga podjetjem zagotavlja dolgoročne rezultate. Je specialist za razvoj sodobnih komunikacijskih orodij, spletnih rešitev in medijev prihodnosti. Je ustanovni član svetovnega združenja izdajateljev korporativnih medijev, ustanovitelj slovenskega združenja korporativnih medijev in ustanovitelj mednarodne strokovne konference s področja vsebinskega marketinga POMP Forum. Strokovne in novinarske prispevke z njegovim podpisom lahko najdemo v medijih kot so Marketing Magazin, Finance in Podjetnik. O komunikacijskem pristopu vsebinskega marketing je predaval tudi na Univerzi v Ljubljani.
Seven cities with policies and practices that will help strengthen our free enterprise system. This report is part of the Enterprising Cities and States project that takes an in-depth look at the free enterprise policies that are being implemented to promote economic growth at the state and local levels.
Mobile app that motivates not miss or drop classes in a fitness club.
Download on the AppStore.
https://itunes.apple.com/us/app/runduck-fitness-motivator/id847477384?l=ru&ls=1&mt=8
Landing: www.run-duck.com
What is the future of entitlement reform? On Sept 24, the US Chamber of Commerce Foundation Business Horizon program "Entitlements: Why We Can't Wait" explored our options for the future of spending and entitlements.
Shows how to be an oauth consumer and provider from PHP - OAuth 1 - including handling of tokens, secrets, and handling the workflow for devices. Also covers the workflow for OAuth 2
The Future of Social Media: 50+ Expects Share Their 2014 PredictionsBusiness 2 Community
In 2013, we saw a significant rise in video and photo sharing as Instagram, Snapchat and similar platforms helped make "selfie" the word of the year. Twitter also held their much anticipated IPO and "experts" claimed that Facebook was dead. Here is a look at 50+ social media predictions for 2014.
[POMP 2013] Primož Inkret - Kako zgraditi vrhunsko CM strategijo v 13 korakihPM, poslovni mediji
Kreativnost je vez med potrebami podjetja in ciljne skupine
Specialist za razvoj sodobnih komunikacijskih orodij in spletnih rešitev. Po presoji vodilnih strokovnjakov s področja interneta in multimedijev eden najboljših spletnih urednikov na svetu.
Primož Inkret je na podlagi razumevanja vloge komunikacijskih aktivnosti z zornega kota poslovne strategije zasnoval številne nove medije, med drugim tudi prvo slovensko interaktivno spletno revijo Egoist. Leta 2010 je bil za zasnovo in urejanje interaktivnih spletnih revij Pazi nase (Zavarovalnica Triglav) in Carzine (Porsche Slovenija) imenovan za najboljšega urednika na svetu.
Strokovno znanje pri svojem delu črpa iz dolgoletnih izkušenj s področij marketinga in trženja, odnosov z javnostmi in urednikovanja ter znanj pridobljenih na mednarodnih strokovnih konferencah s področja vsebinskega marketinga in korporativnega založništva. Poglobljeno poznavanje klasičnih in novih medijev ter poslovnih strategij podjetji so osnove na katerih pripravlja zahtevne koncepte za korporativne medije, ki ustrezno in kreativno povezujejo potrebe podjetja in ciljne skupine.
Primož Inkret je soustanovitelj in partner specializirane komunikacijske agencije PM, poslovni mediji, ki s strateško rabo orodji vsebinskega marketinga podjetjem zagotavlja dolgoročne rezultate. Je specialist za razvoj sodobnih komunikacijskih orodij, spletnih rešitev in medijev prihodnosti. Je ustanovni član svetovnega združenja izdajateljev korporativnih medijev, ustanovitelj slovenskega združenja korporativnih medijev in ustanovitelj mednarodne strokovne konference s področja vsebinskega marketinga POMP Forum. Strokovne in novinarske prispevke z njegovim podpisom lahko najdemo v medijih kot so Marketing Magazin, Finance in Podjetnik. O komunikacijskem pristopu vsebinskega marketing je predaval tudi na Univerzi v Ljubljani.
Seven cities with policies and practices that will help strengthen our free enterprise system. This report is part of the Enterprising Cities and States project that takes an in-depth look at the free enterprise policies that are being implemented to promote economic growth at the state and local levels.
Mobile app that motivates not miss or drop classes in a fitness club.
Download on the AppStore.
https://itunes.apple.com/us/app/runduck-fitness-motivator/id847477384?l=ru&ls=1&mt=8
Landing: www.run-duck.com
What is the future of entitlement reform? On Sept 24, the US Chamber of Commerce Foundation Business Horizon program "Entitlements: Why We Can't Wait" explored our options for the future of spending and entitlements.
1.3.16 Система для организации рабочих мест Igor Golovin
Система для организации рабочих мест удобна в эксплуатации и обслуживании, подходит к разному типу помещений и позволяет производить быструю модификацию силовых и слаботочных сетей.
WordCamp Boston 2015: Agile Contracts for WordPress Consultantsmtoppa
Before going out on my own to start Poka Yoke Design this June, I worked at PromptWorks, where we signed over 30 Time & Materials (T&M) contracts with clients over the past 2 years, from local businesses to nationally known media companies. This is in contrast to traditional Fixed Scope, Fixed Cost (FS-FC) contracts.
Prospective clients typically have an initial preference for FS-FC contracts: they’re familiar, and at first glance, seem to guarantee the client will get what they want (by spelling out business requirements in detail), and place the business risk on the contractor. However, traditional contracts fail to recognize that web application development is more like an R&D project than a construction project. In the fast paced world of the web, business requirements can grow and change rapidly, technical challenges and opportunities can arise, and both parties benefit from being able to respond to these changes in a teamwork fashion, instead of spending time on lengthy contract re-negotiations.
In this talk we’ll explore what goes into a T&M contract, how to persuade a prospective client to sign one, and how to live up to the expectations you create in the persuasion process, to deliver a successful project.
1.3.18 Организация ввода и распределения электроэнергии до 1 кВIgor Golovin
Решения для ГРЩ всё чаще и чаще применяются при реализации задач энергоснабжения предприятий, которые сегодня наиболее востребованы на отечественном рынке. Уникальные особенности системы и опыт специалистов компании позволяют значительно сократить временные затраты на разработку и реализацию проектов по энергоснабжению предприятий. Вся продукция, используемая в ГРЩ, проходит необходимую проверку на базе собственного испытательного центра или сторонних (аккредитованных) учреждений, и на сегодняшний день полностью соответствует как базовому ГОСТу 51321 для систем распределения, так и жестким требованиям электротехнического рынка РФ и СНГ.
1.3.16 Система для организации рабочих мест Igor Golovin
Система для организации рабочих мест удобна в эксплуатации и обслуживании, подходит к разному типу помещений и позволяет производить быструю модификацию силовых и слаботочных сетей.
WordCamp Boston 2015: Agile Contracts for WordPress Consultantsmtoppa
Before going out on my own to start Poka Yoke Design this June, I worked at PromptWorks, where we signed over 30 Time & Materials (T&M) contracts with clients over the past 2 years, from local businesses to nationally known media companies. This is in contrast to traditional Fixed Scope, Fixed Cost (FS-FC) contracts.
Prospective clients typically have an initial preference for FS-FC contracts: they’re familiar, and at first glance, seem to guarantee the client will get what they want (by spelling out business requirements in detail), and place the business risk on the contractor. However, traditional contracts fail to recognize that web application development is more like an R&D project than a construction project. In the fast paced world of the web, business requirements can grow and change rapidly, technical challenges and opportunities can arise, and both parties benefit from being able to respond to these changes in a teamwork fashion, instead of spending time on lengthy contract re-negotiations.
In this talk we’ll explore what goes into a T&M contract, how to persuade a prospective client to sign one, and how to live up to the expectations you create in the persuasion process, to deliver a successful project.
1.3.18 Организация ввода и распределения электроэнергии до 1 кВIgor Golovin
Решения для ГРЩ всё чаще и чаще применяются при реализации задач энергоснабжения предприятий, которые сегодня наиболее востребованы на отечественном рынке. Уникальные особенности системы и опыт специалистов компании позволяют значительно сократить временные затраты на разработку и реализацию проектов по энергоснабжению предприятий. Вся продукция, используемая в ГРЩ, проходит необходимую проверку на базе собственного испытательного центра или сторонних (аккредитованных) учреждений, и на сегодняшний день полностью соответствует как базовому ГОСТу 51321 для систем распределения, так и жестким требованиям электротехнического рынка РФ и СНГ.
Data Synchronization Patterns in Mobile Application DesignEric Maxwell
Data synchronization and offline capabilities are key to creating successful mobile applications and there are many factors to consider.
– What data format should you use?
– How do you manage security?
– How do you efficiently manage syncing data to hundreds of applications independently?
In this session, you’ll learn about various factors that drive answers to these questions. You’ll also learn from live code and interactive demonstrations how to use SSL and OAUTH2 to securely synchronize JSON data with a remote REST service and how to use synchronization tokens to efficiently keep your clients up to date. There will be client examples included for both the iOS and Android platforms, but you’ll be able to apply these concepts to any client, regardless of your platform.
Ember Authentication and Authorization with ToriiCory Forsyth
This talk was originally given on November 7 2015 at the Global Ember Meetup, demonstrating the usage of the Torii authentication library for Ember (https://github.com/vestorly/torii). It shows how Torii works, how Torii simplifies OAuth redirect-basd web flows in Ember, and how to use Torii for authentication.
This presentation was given at Web Directions South in 2008. It is a developers guide to building sites using OpenID, OAuth and webservices - no code, but enough to point you in the right direction
Get Grulping with JavaScript Task RunnersMatt Gifford
Session given at Scotch on the Rocks 2014, 6th June 2014
This session will introduce the attendees to Grunt and Gulp, two incredibly powerful JavaScript task runners. It will help clarify what they are, why you need them and how you could use them in your projects, including how to introduce them into your development workflow and cycle.
This covers:
What Gulp and Grunt are
Running Tasks - how they can be used
Plugins, extensions and enhancements
Building them into your workflow
The differences between the two task runners
Swing when you're winning - an introduction to Ruby and SinatraMatt Gifford
Session originally given at Scotch on the Rocks 2013 in Edinburgh.
In this session we will explore how to build a RESTful-based application using the Sinatra framework, built on top of the Ruby programming language. We will explore installing Ruby, creating our first Sinatra application, the use of route definitions to handle multiple METHOD request types, including GET and POST requests, data persistence in a SQLite database, and how to return data in multiple formats including JSON and HTML. The RESTful approach and ease of use offered by Sinatra make it a great choice for underlying API requests which you can implement and call from any programming language of your choice.
Slides from the presentation given at Future of Web Design 2012 in London, 14th-16th May.
Session description:
"Are you new to jQuery? Maybe you’ve been using it for a while? Regardless of your skillset or previous experience, join Matt Gifford, developer, author, speaker and lover of jQuery, as he reviews why you should be using it, how not to use it, and some vital tips to assist your jQuery development as well as some common pitfalls to watch out for."
Official description from the conference:
"Evolution. It’s a wonderful thing, and something that needs to occur for natural progression and the continuing advancement of ideas. As we see the modern trends, development paradigms and design practices evolve into different areas utilising newer technologies, should we really be saying goodbye to our old ways in favour of the new approach?
Join Matt Gifford as he invites you to partake in a presentation with an emphasis on attendee input (with rewards) in a discussion to help understand what makes the web great, how we communicate in the modern world, and as a result whether or not we should leave the big screen behind entirely in favour of new formats."
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
41. What is OAuth?
A simple open standard for secure API
authentication
42.
43. Who Can Use It?
Service Providers offering a web service or API
that requires authentication to access restricted
data for a number of functions / methods
44. Who Can Use It?
Consumers who wish to access that particular
API or web service and wish to use a
standardised method of authentication
61. The Dancers
Fred - the end user
Twitter - the Service Provider
LinkedIn - the Consumer
62. The Steps
consumer provider
asks for a request token
63. The Steps
consumer provider
asks for a request token
creates and returns
a new request token
64. The Steps
consumer provider
asks for a request token
creates and returns
a new request token
redirects user to provider
with token in url
65. The Steps
consumer provider
asks for a request token
creates and returns
a new request token
redirects user to provider
with token in url
user selects preferences
and approves auth
66. The Steps
consumer provider
asks for a request token
creates and returns
a new request token
redirects user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
67. The Steps
consumer provider
asks for a request token
creates and returns
a new request token
redirects user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
consumer wants to trade
request token for access
68. The Steps
consumer provider
asks for a request token
creates and returns
a new request token
redirects user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
consumer wants to trade
request token for access
provisional request token
traded for access token
69. The Steps
consumer provider
asks for a request token
creates and returns
a new request token
redirects user to provider
with token in url
user selects preferences
and approves auth
redirected back to consumer
with request token
consumer wants to trade
request token for access
provisional request token
consumer saves the traded for access token
access token for the user
72. 1 - Show Intent
“LinkedIn is pretty cool. I want
people to read more from me... I
want them to read my status
updates from Twitter. Can you
access my updates for me, please?”
“I certainly can, but I need to ask
Twitter for permission before I can
continue. Hold on..”
73. 2 - Request a Token
“Hey Twitter, you overloaded piece
of awesomeness. Please can I have
a Request Token?”
“LinkedIn, you corporate beast! Of
course you can. Your Request
Token is 9iKot2y5UQTDlS2V and your
secret is 1Hv0pzNXMXdEfBd.”
74. 3 - Authorize The Request
“OK, Fred. Right, can you go to
Twitter and authorize the Request
Token 9iKot2y5UQTDlS2V, please?
Once that’s done, I’ll be able to
access your status updates.”
“OK”
75. 3 - Authorize The Request
“Hey Twitter. I want to authorize the
Request Token 9iKot2y5UQTDlS2V”
“To confirm, you want to authorize
LinkedIn to access your status
updates. You’re happy with that?”
76. 3 - Authorize The Request
“That’s just what I wanted, yes.”
“Sweet! Tell LinkedIn you authorized
it with me.”
77. 3 - Authorize The Request
“Right.. Twitter knows I want you to
do stuff for me. Everything’s set for
you.”
“Nice work, Fred. I’ll go and speak to
Twitter now.”
78. 4 - Exchange the Token
“Please can I exchange Request
Token 9iKot2y5UQTDlS2V for an Access
Token?”
“No worries. Your Access Token is
94S3sJVmuuxSPiZz and your Secret is
4Fc8bwdKNGSM0iNe.”
79. 5 - Get Restricted Data
“Awesome. Now I have those
details, please can you give me the
status updates that are owned by
Access Token 94S3sJVmuuxSPiZz?”
“Of course. Here you go...”
81. LinkedIn didn’t need to
know Fred’s Twitter
account details
His identity was kept secret; it wasn’t
important to access the data. What was
important was his permission to proceed.
86. Even Simpler (kind of)
1 - Obtain a Request Token
2 - User authorizes the Request Token
87. Even Simpler (kind of)
1 - Obtain a Request Token
2 - User authorizes the Request Token
3 - Exchange Request Token for Access token
88. Even Simpler (kind of)
1 - Obtain a Request Token
2 - User authorizes the Request Token
3 - Exchange Request Token for Access token
4 - Use Access Token to obtain the protected resources
104. An Example Request
you need:
HTTP Method
Request URI (endpoint)
oauth_callback
oauth_consumer_key
oauth_nonce
oauth_signature_method
oauth_timestamp
oauth_version
137. Benefits to OAuth
a standardised protocol that is becoming widely
implemented by many providers
138. Benefits to OAuth
a standardised protocol that is becoming widely
implemented by many providers
user has control over access and can easily
revoke consumers and application privileges
139. Benefits to OAuth
a standardised protocol that is becoming widely
implemented by many providers
user has control over access and can easily
revoke consumers and application privileges
ability to track usage and statistics due to the
access tokens
140. Benefits to OAuth
a standardised protocol that is becoming widely
implemented by many providers
user has control over access and can easily
revoke consumers and application privileges
ability to track usage and statistics due to the
access tokens
many open-source libraries and clients available
to use
144. Issues with OAuth
documentation could be much better
harder to implement that basic authentication
145. Issues with OAuth
documentation could be much better
harder to implement that basic authentication
variations on the principle already exist
146. Issues with OAuth
documentation could be much better
harder to implement that basic authentication
variations on the principle already exist
does not solve brute force attacks or phishing
152. As A Developer You...
(can) make integration, UX and UI as easy as
possible for users
by not-overcomplicating the process and the
content, keeping it simple and worded succinctly
to help them understand the process without
scaring them
153. As A Developer You...
(can) make sure that user’s data is secure
and protected wherever possible
by ensuring that you only store what you need to
store, and keep them safe and protected at all
times
154. As A Developer You...
(can) keep your clients / users happy
by ensuring that you make it simple, straight
forward and secure for them
160. OAuth: demystified
(hopefully)
Matt Gifford
aka coldfumonkeh
http://www.mattgifford.co.uk
Editor's Notes
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Privacy. It’s a tricky idea. It’s really to try and protect the interests and information of our users. As they want. \n\n
Or sometimes what we do is provide the perception of privacy. This is what a privacy policy is, Nobody reads it, so what it really does is provide the perception that there is privacy. \n
Many users don’t want to appear in public at all, or they want to be able to delete their users and associated information. Perhaps they don’t want everybody to know they’re in the furries flickr group. \n
Beyond problems with corporations and large enterprise sites wanting to obtain your data for various reasons, you’ve got the hacker problem. They really want to get at our users and systems. In all of our work we’ve got to think about what kinds of attacks we might face within a production environment. \n
\n
\n
\n
\n
\n
\n
\n
Users data is important, user access is important, protecting these users is a freedom. Not totally dis-similar to the free software freedoms. We need to create systems which by default, transparently do the right thing by our users. If you engineer a system to protect privacy, then you are setting the rules of the game. It’s tremendous power and a tremendous responsibility. \n
\n
\n
Right now we use email as the primary way of logging in to systems. It’s the core of the identity system online right now. \n
Right now we use email as the primary way of logging in to systems. It’s the core of the identity system online right now. \n
Instantly raises questions about privacy policy and the protection of individual’s security and data.\n
We are allowing services to access our personal information and hold our passwords, which should be sacred and kept by only the privileged few... yourself, essentially.\n
We are allowing services to access our personal information and hold our passwords, which should be sacred and kept by only the privileged few... yourself, essentially.\n
The majority of people use a single email account for everything. The protection of this email is very important. \n\n
You’ll find your personal information runs the risk of being taken.. including any financial accounts that you may hold.. (paypal transactions etc)\n
\n
\n
\n
\n
There are many authorisation systems that do not ask for (or require) email addresses or passwords. Each one manages a similar process and practice for security, although in slightly different ways.\n\nOAuth seems to have reached the top of the pile of accepted authentication processes and is starting to become much more of a widely used protocol to delegate authentication.\n
Many luxury cars come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will only allow the car to be driven a short distance while blocking access to the trunk and the onboard cell phone. Regardless of the restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using another key to unlock everything else\n\nIt allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically username and password.\n\nOAuth allows users to hand out tokens instead of credentials to their data hosted by a given service provider. Each token grants access to a specific site (e.g. a video editing site) for specific resources (e.g. just videos from a specific album) and for a defined duration (e.g. the next 2 hours). This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.\n
What are these token things we talk about? There’re little things we use to represent access, kind of like a barrier token or ticket to get into the underground. Each token is unique. More like symbols, which can be used to represent something without it being the thing. \n
Ultimately, the end users (us) use the services, but the majority of the time we are not aware.\n
Ultimately, the end users (us) use the services, but the majority of the time we are not aware.\n
Who is using it at the moment?\n
Who is using it at the moment?\n
Are the two not the same? Why have both?\n
Both protocols are similar in many ways.. they both move users between consumer and service provider. OpenID claims to own the URL.. OAuth claims to own the resource\n\nOpenID is an open standard that describes how users can be authenticated in a decentralized manner, obviating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities.[1]\n
Both protocols are similar in many ways.. they both move users between consumer and service provider. OpenID claims to own the URL.. OAuth claims to own the resource\n\nOpenID is an open standard that describes how users can be authenticated in a decentralized manner, obviating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities.[1]\n
So, what is the benefit of OAuth? How easy is it? Let’s take a look at Twitter and how they used to implement API access, and how they do it now..\n
In Basic Authentication you need only provide a "return address" (the username and password), and the recipient's address (the resource you are accessing) -- occasionally stuffing the envelope with some data that is pertinent to the API request you are making. \nAspects of Basic Authentication with the Twitter API\nThe client application must store the user's login and password\nThe client application must send the user's login and password with every request\nIf the user's password changes, the client application must acquire a new password for the user\nThe user has no means to discover which basic auth-based apps have their login and password\nThe user has no ability to restrict an application from using their account after giving their login and password\nThe client application has a very weak identity within the Twitter ecosystem.\nPOST variables, query parameters, and the URL of the request can be modified at any stage of the request cycle without invalidating the request\nReplayed requests are not preventable\n\n
So, essentially basic authentication can be thought of like this.\n
\n
OAuth Authentication is a bit more complex in this metaphor. While you still address the envelope to the same recipient (the resource), you identify your request as coming from both the user performing the request and your application that's working on behalf of the user. In addition, you must provide a "post mark" of sorts, describing the time the "letter" was sent and the actual contents of the envelope. In some ways, this is the biggest difference between the access methods.\nAspects of OAuth Authentication with the Twitter API\nThe client application doesn't need to store a login and password\nThe client application delegates authorization to a trusted location, namely https://api.twitter.com/oauth/authorize\nThe client application sends an access token representing the user with each request instead of a login & password\nPOST variables, query parameters, and the URL of the request must remain intact for a request to successfully complete (the oauth_signature cannot be verified unless all elements of the request retain their original qualities at the time of signature generation)\nIf the user's password changes, the client application continues functioning\nThe user is in control of what applications may act on their behalf and can remove authorization at any time\nYour application is a known entity in the ecosystem, with benefits both realized and to come in the area of analytics, attribution, and more.\nReplayed requests are prevented by a unique identifier for each request (the oauth_nonce)\n\n
Whereas OAuth can be thought of like this.\n
\n
All this is to say that OAuth is like a love triangle. That is to say that the relationship between the provider, end user, and consumer is a love triangle. Each part communicates with both of the other parts. \n\nThe original idea of OAuth would be that it’s super simple, clear, everybody could read the standard and understand. It was nice and clear. Little by little in the standards process the standards people from IETF and W3C got involved. Now the spec is full of diagrams like... THIS!\n
\n
\n
\n
the application asks for a request token\n
the application asks for a request token\nla aplicación inicia el\nintercambio del\nrequest token\n
the application asks for a request token\nla aplicación inicia el\nintercambio del\nrequest token\n
the application asks for a request token\nla aplicación inicia el\nintercambio del\nrequest token\n
the application asks for a request token\nla aplicación inicia el\nintercambio del\nrequest token\n
the application asks for a request token\nla aplicación inicia el\nintercambio del\nrequest token\n
the application asks for a request token\nla aplicación inicia el\nintercambio del\nrequest token\n
the application asks for a request token\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
That whole interaction makes it slightly easier to see how the request was being made... The tokens were being passed between the consumer and service provider, and it was those tokens they were using for dealing with a specific individual.. again, NO names, personal information or other details were passed between the two parties; purely a token (a reference or symbol) to that particular individual. \n
\n
\n
\n
\n
\n
\n
\n
\n
\n
That was the token dance for web applications. There is a similar but slightly different process for desktop and out of band applications like browserless mobile phones and embedded systems.\n
Service provider gives documentation of authorization URLs and methods. Consumer registers an application with the service provider\n
Important information that Service Providers MUST give the consumers... (or SHOULD, at any rate)\n\nRequest token endpoint\nAuthorization endpoint\nAccess token endpoint\nAccepted request method(s) (GET, POST, PUT, etc...)\nSignature method(s)\nExtra parameters (non-oauth)\nAny specific notes about OAuth for that provider (they may all have different ‘rules’)\n
\n
\n
\n
\n
Consumer Key\n• assigned during consumer registration\n• which will get passed as a request parameter\n\nConsumer Secret\n• assigned during consumer registration and used for signing (e.g. HMAC-SHA1)\n
specific to the user, not the consumer or provider\n\ntoken key\n• unique string granted by service provider\n• passed as a request parameter\n• same variable name (oauth_token_key) for\nboth request and access type tokens\n\ntoken secret\n• also granted by service provider\n• same variable name (oauth_token_secret)\nfor both request and access type tokens\n
\n
Building any OAuth request in theory is quite simple. In theory. There is a short list of standard ingredients that you need to include in your recipe to ensure you have the base created. You MAY have optional extra ingredients (depending on the service provider and their requirements) but above all, you will NEED to create your request signature to sign it and add in the extra level of security, which we’ll cover here. Let’s have a look at what we need...\n
Here is our list of ‘standard’ ingredients. Quite a simple list in the grand scheme of things. Let’s have a look at them to clarify\n
All of the oauth params start with the oauth_* prefix. \n
As we saw before, there are keys (tokens) and secrets. The consumer application or library itself has a token secret part, in addition to a user’s access token and secret. The key is passed with each request, and the consumer secret is used for signing every request.\n\n
The tokens are just random strings which should be unique.\n
Then we require that each request have a timestamp and nonce. The timestamp is an integer which needs to increment and it’s the number of seconds since Unix epoch (unless otherwise specified\nby service provider). It must be equal or greater than previous request.\nThe nonce is a unique number/string which can’t be reused with the same timestamp. The combination of these, and the signing prevents replay attacks.\n
The last couple define the signing method. There are three options for signing..\nRSA-SHA1 or PLAINTEXT, but it’s usually HMAC-SHA1 (which seems to be the standard preferred method). Then the version of oauth, which despite the current standard being 1.0a the standard says you should still say 1.0. Then the actual signature of the request.\n\n
\n
The signature itself forms a critically important role in the security of the OAuth request protocol, and can be a difficult beast to tame.\n
The trick with all the delegated token authorization systems is that they DON’T pass the password with each request. They use a base string coupled with a secret. The secret is used in the signature but is not passed over the wire in the request (so it’s not visible). \n
So what does this look like, well we use the signature base string and the consumer secret. We’ll look at how to create the actual base string next.\n
We use the combination of the signature base string and then the consumer secret as the hash key to sign the string.\n
Then that signature is created as a param which can be passed in the requests, typically within the header of the request, which we will see.. although you could send via URL query params too.\n
So you end up something like this. The base request and the hashed signature are passed over the wire. The consumer secret is kept on both ends to verify the signature. It is never displayed or passed through any of the requests.\n
So, back to the parameters! You have seen in essence how the signature parameter is created. Let’s have a look at a sample request to try to better understand the building blocks and to see how the ingredients for our OAuth recipe have been used.\n
\n
Where is this\ninformation passed?\n• HTTP Authorization header\n• HTTP POST request body (form params)\n• URL query string parameters\n
\n
\n
\n
\n
By creating a signature in this manner, you’re able to successfully sign your requests and then complete your call for data.\n
\n
\n
\n
\n
\n
\n
xAuth is still OAuth. You still need to master how to send signed requests to Twitter.\nxAuth provides a way for desktop and mobile applications to exchange a username and password for an OAuth access token. Once the access token is retrieved, xAuth-enabled developers should dispose of the login and password corresponding to the user.\n\nxAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step.\n\nOAuth Echo is a means to securely delegate OAuth authorization with a third party while interacting with an API. Within the Twitter ecosystem, we use OAuth Echo as a means to allow your application to use services such as Twitpic and yfrog.\nThere are four parties involved in this interaction:\nthe User who is using Twitter through a particular, authorized Twitter application\nthe Consumer, or the Twitter application that is attempting to interact with the 3rd party media provider (e.g. the photo sharing site)\nthe Delegator, or the 3rd party media provider; and\nthe Service Provider a.k.a. Twitter itself.\nEssentially, you will be preparing a request for the delegator to send to the Twitter API on your application and user's behalf. You'll be sticking what would otherwise be a signed OAuth request into an HTTP header and asking the delegator to send that request to Twitter after completing the intermediary operation.\n\n\n
xAuth is still OAuth. You still need to master how to send signed requests to Twitter.\nxAuth provides a way for desktop and mobile applications to exchange a username and password for an OAuth access token. Once the access token is retrieved, xAuth-enabled developers should dispose of the login and password corresponding to the user.\n\nxAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step.\n\nOAuth Echo is a means to securely delegate OAuth authorization with a third party while interacting with an API. Within the Twitter ecosystem, we use OAuth Echo as a means to allow your application to use services such as Twitpic and yfrog.\nThere are four parties involved in this interaction:\nthe User who is using Twitter through a particular, authorized Twitter application\nthe Consumer, or the Twitter application that is attempting to interact with the 3rd party media provider (e.g. the photo sharing site)\nthe Delegator, or the 3rd party media provider; and\nthe Service Provider a.k.a. Twitter itself.\nEssentially, you will be preparing a request for the delegator to send to the Twitter API on your application and user's behalf. You'll be sticking what would otherwise be a signed OAuth request into an HTTP header and asking the delegator to send that request to Twitter after completing the intermediary operation.\n\n\n
xAuth is still OAuth. You still need to master how to send signed requests to Twitter.\nxAuth provides a way for desktop and mobile applications to exchange a username and password for an OAuth access token. Once the access token is retrieved, xAuth-enabled developers should dispose of the login and password corresponding to the user.\n\nxAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step.\n\nOAuth Echo is a means to securely delegate OAuth authorization with a third party while interacting with an API. Within the Twitter ecosystem, we use OAuth Echo as a means to allow your application to use services such as Twitpic and yfrog.\nThere are four parties involved in this interaction:\nthe User who is using Twitter through a particular, authorized Twitter application\nthe Consumer, or the Twitter application that is attempting to interact with the 3rd party media provider (e.g. the photo sharing site)\nthe Delegator, or the 3rd party media provider; and\nthe Service Provider a.k.a. Twitter itself.\nEssentially, you will be preparing a request for the delegator to send to the Twitter API on your application and user's behalf. You'll be sticking what would otherwise be a signed OAuth request into an HTTP header and asking the delegator to send that request to Twitter after completing the intermediary operation.\n\n\n
xAuth is still OAuth. You still need to master how to send signed requests to Twitter.\nxAuth provides a way for desktop and mobile applications to exchange a username and password for an OAuth access token. Once the access token is retrieved, xAuth-enabled developers should dispose of the login and password corresponding to the user.\n\nxAuth allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step.\n\nOAuth Echo is a means to securely delegate OAuth authorization with a third party while interacting with an API. Within the Twitter ecosystem, we use OAuth Echo as a means to allow your application to use services such as Twitpic and yfrog.\nThere are four parties involved in this interaction:\nthe User who is using Twitter through a particular, authorized Twitter application\nthe Consumer, or the Twitter application that is attempting to interact with the 3rd party media provider (e.g. the photo sharing site)\nthe Delegator, or the 3rd party media provider; and\nthe Service Provider a.k.a. Twitter itself.\nEssentially, you will be preparing a request for the delegator to send to the Twitter API on your application and user's behalf. You'll be sticking what would otherwise be a signed OAuth request into an HTTP header and asking the delegator to send that request to Twitter after completing the intermediary operation.\n\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
It’s very important that you have your forms which catch CSRF and XSS when you authorize an oauth app. Twitter messed this up for a bit, and you could authorize via oauth through an image in the page or javascript hack. That’s bad. Don’t do that. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of awebsite whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.\n
Another important thing to think about, is what not to log. We make a mistake by collecting all this ambient information we might not use. It might come back to bite us or our users. If we don’t collect data, hackers can’t get at it when they compromise our systems or when we get court orders. So implement a policy of selective logging. Just like you can do A/B testing for features, you can turn on logging to catch specific abuse cases or or performance issues. When in doubt, find a way to get what you want while storing less information. Make encryption be by default on. \n
\n
\n
\n
Users data is important, user access is important, protecting these users is a freedom. Not totally dis-similar to the free software freedoms. We need to create systems which by default, transparently do the right thing by our users. If you engineer a system to protect privacy, then you are setting the rules of the game. It’s tremendous power and a tremendous responsibility. \n
github, Facebook Graphs API\n
The important thing is to not let it overwhelm you.\n
OAuth.. it’s not a black art, but the documentation does not help :)\n
Some really useful links for you, should you wish to follow them to find out more.\n