Some OAuth love <3
       by Nicolas Blanco
     twitter.com/slainer68
WHY?
THE STORY
OAuth

• 2006 by Blaine Cook (Twitter)
• OpenID for API access
• Delegation of access
• IETF - final protocol in 2010
OAuth

• 3-legged authentication
 • Resource owner (Mme Michu)
 • Server / Resource provider (vimeo)
 • Client / Consumer (dvdtrololol.com)
OAuth - Resource provider
YOU!
OAuth - Resource owner
OAuth - workflow (diagram): trolololdvd.com obtains temporary credentials from vimeo, then redirects the user to vimeo's authorization page
OAuth - Authorization page
OAuth - Workflow (diagram): the authorized request token is exchanged for an access token, and the access token is then used for the API calls
OAuth - Signature

• Must sign all requests
 • Base string
 • Consumer key
 • Consumer secret
 • The signature
OAuth - Base string
   The HTTP Method is GET
   The URL is http://vimeo.com/api/rest/v2/
   The method is vimeo.people.getInfo
   There is only one API parameter for vimeo.people.getInfo: user_id is brad
   The oauth_consumer_key is abcdef0123456
   The oauth_nonce is r4nd0m1234
   The oauth_timestamp is 1328533189
   The oauth_signature_method is HMAC
The oauth_version is 1.0

GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
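The base string and HMAC-SHA1 steps shown above, as an added example (not code from the talk or from the oauth gem): it rebuilds the slide's base string, signs it, and shows the checks a resource provider makes before trusting a signature. The secrets, the 300 second timestamp window and the in-memory nonce set are assumptions of this example.

```ruby
require 'openssl'
require 'set'

# RFC 5849 section 3.6 percent-encoding: unreserved characters pass through,
# every other UTF-8 byte becomes %XX with uppercase hex.
def oauth_encode(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| '%%%02X' % b }.join }
end

# Signature base string: METHOD & enc(base URL) & enc(normalized parameters).
# Query, body and oauth_* protocol parameters (never oauth_signature itself)
# are encoded, sorted, then joined with = and &, and the result encoded again.
def signature_base_string(http_method, base_url, params)
  normalized = params
               .reject { |k, _| k.to_s == 'oauth_signature' }
               .map { |k, v| [oauth_encode(k), oauth_encode(v)] }
               .sort
               .map { |k, v| "#{k}=#{v}" }
               .join('&')
  [http_method.to_s.upcase, oauth_encode(base_url), oauth_encode(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret).
# The token secret is empty while temporary credentials are being requested.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string)].pack('m0')
end

# Constant-time comparison so a verifier does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the resource provider does before honoring a signed request: recompute
# the signature with the secrets it holds, compare in constant time, and refuse
# stale timestamps and reused nonces (the protocol's replay protection).
class SignatureVerifier
  TIMESTAMP_WINDOW = 300 # seconds of clock skew tolerated; a policy choice of this example

  def initialize(consumer_secret, token_secret = '', now: Time.now.to_i)
    @consumer_secret, @token_secret, @now = consumer_secret, token_secret, now
    @seen_nonces = Set.new # assumption: one process; a real provider shares this store
  end

  # params: every signed parameter except oauth_signature, which is passed separately.
  def valid?(http_method, base_url, params, presented_signature)
    return false if (@now - params['oauth_timestamp'].to_i).abs > TIMESTAMP_WINDOW
    nonce = params['oauth_nonce']
    return false if nonce.to_s.empty? || @seen_nonces.include?(nonce)
    expected = hmac_sha1_signature(signature_base_string(http_method, base_url, params),
                                   @consumer_secret, @token_secret)
    return false unless secure_equal?(expected, presented_signature.to_s)
    @seen_nonces << nonce # burn the nonce only once the signature checked out
    true
  end
end

# The request from the base-string slide.
VIMEO_URL = 'http://vimeo.com/api/rest/v2/'
VIMEO_PARAMS = {
  'method'                 => 'vimeo.people.getInfo',
  'oauth_consumer_key'     => 'abcdef0123456',
  'oauth_nonce'            => 'r4nd0m1234',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp'        => '1328533189',
  'oauth_version'          => '1.0',
  'user_id'                => 'brad'
}.freeze

if __FILE__ == $PROGRAM_NAME
  base = signature_base_string('GET', VIMEO_URL, VIMEO_PARAMS)
  puts base
  puts hmac_sha1_signature(base, 'consumer-secret', 'token-secret') # secrets are made up
end
```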
OAuth - Ruby
 • At least some Ruby!
 • gem install oauth
@callback_url = "http://www.dvdtrololol.com/oauth/callback"

@consumer = OAuth::Consumer.new("key", "secret", :site => "https://vimeo.com/auth")

# Request phase: obtain temporary credentials and send the user to the provider.
@request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
session[:request_token] = @request_token
redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)

# Callback phase (a separate action): exchange the authorized request token,
# together with the oauth_verifier the provider appended to the callback, for an access token.
@request_token = session[:request_token]
@access_token = @request_token.get_access_token(:oauth_verifier => params[:oauth_verifier])
@videos = @access_token.get('/videos.json')
OAuth - signature
 • Here comes Faraday! Rack-like middleware
 • https://github.com/technoweenie/faraday
builder.use Faraday::Request::OAuth, {
  :consumer_key => @consumer_key,
  :consumer_secret => @consumer_secret,
  :token => @atoken,
  :token_secret => @asecret
}
OAuth - Faraday middleware
OAuth2
• The next evolution: OAuth2
• Not backward-compatible
• IETF Draft
• Use it now!!!
• Facebook OpenGraph - Google - Microsoft
Why <3 OAuth2
• Clients don’t need cryptography anymore (HTTPS)
• Less complicated signatures
• Better support for non-browser apps
• Access tokens are short-lived
• Clean separation between the authorization server and the resource server
OAuth 2 - Debug with Curl!
curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads
OAuth2 - Gem
client = OAuth2::Client.new('client_id', 'client_secret', :site => 'https://www.youtube.com/auth')

client.auth_code.authorize_url(:redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')

# => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"
# (illustrative output: the host and redirect_uri follow the client's :site and :redirect_uri)

token = client.auth_code.get_token('authorization_code_value', :redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')

videos = token.get('/videos.json')
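The authorization-code exchange the oauth2 gem snippet drives, as an added example that is not part of the talk or of the gem: it adds the state parameter the snippet omits and validates the callback with it, so a callback that did not originate from this browser session is rejected. The Dailymotion endpoints are the ones from the custom strategy slides further down; the client id and redirect URI are placeholders.

```ruby
require 'securerandom'
require 'uri'

# Minimal authorization-code client. The state value binds the callback to the
# session that started the flow; without it an attacker-supplied code could be
# attached to the victim's account.
class AuthCodeFlow
  attr_reader :site, :client_id, :redirect_uri

  def initialize(site:, client_id:, redirect_uri:, authorize_path: '/oauth/authorize')
    @site, @client_id, @redirect_uri, @authorize_path = site, client_id, redirect_uri, authorize_path
  end

  # Unguessable per-session state; the caller stores it server side (e.g. in the session).
  def self.new_state
    SecureRandom.urlsafe_base64(32)
  end

  # Step 1: where to send the resource owner's browser.
  def authorize_url(state, scope: nil)
    query = { 'response_type' => 'code', 'client_id' => client_id,
              'redirect_uri' => redirect_uri, 'state' => state }
    query['scope'] = scope if scope
    URI.join(site, @authorize_path).tap { |u| u.query = URI.encode_www_form(query) }.to_s
  end

  # Step 2: validate the callback before touching the code.
  # Returns [:ok, code] or [:error, reason].
  def handle_callback(params, expected_state)
    return [:error, "provider reported: #{params['error']}"] if params['error']
    return [:error, 'missing state'] if params['state'].nil? || expected_state.nil?
    return [:error, 'state mismatch'] unless constant_time_equal?(params['state'], expected_state)
    return [:error, 'missing code'] if params['code'].to_s.empty?
    [:ok, params['code']]
  end

  # Step 3: form body of the back-channel token request (sent over HTTPS with
  # the client secret, never through the browser).
  def token_request_body(code)
    URI.encode_www_form('grant_type' => 'authorization_code', 'code' => code,
                        'redirect_uri' => redirect_uri, 'client_id' => client_id)
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```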
OAuth2 - Faraday middleware
module Faraday
  class Request::OAuth2 < Faraday::Middleware
    def initialize(app, access_token)
      @app, @access_token = app, access_token
    end

    # Every request passing through the stack carries the bearer token; nothing is
    # signed, so the token must only ever travel over HTTPS.
    def call(env)
      env[:request_headers]['Authorization'] = "Bearer #{@access_token.token}"
      @app.call(env)
    end
  end
end
Omniauth love <3
• Rack standardized multi-provider authentication
• Very flexible
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer unless Rails.env.production?
  provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
end
Omniauth - Authentication Lifecycle

• Setup phase
• Request phase
• Callback phase
Omniauth basic strategy
module OmniAuth
  module Strategies
    class Developer
      include OmniAuth::Strategy

      option :fields, [:name, :email]
      option :uid_field, :email
    end
  end
end
Omniauth base OAuth strategies

• omniauth-oauth
• omniauth-oauth2
Write a custom OAuth2 strategy
Dailymotion?
Omniauth default stack

• omniauth-oauth2
• multi-json
• multi-xml
• faraday
Omniauth custom OAuth2 strategy

require 'omniauth/strategies/oauth2'

module OmniAuth
  module Strategies
    class Dailymotion < OmniAuth::Strategies::OAuth2
      DEFAULT_SCOPE = 'email userinfo'

      option :name, "dailymotion"

      option :client_options, {
        :site => 'https://api.dailymotion.com',
        :authorize_url => '/oauth/authorize',
        :token_url => '/oauth/token'
      }

      # ...
Omniauth custom OAuth2 strategy
Give more info for free!
      uid { raw_info['id'] }

      info do
        prune!({
          'screenname' => raw_info['screenname'],
          'url' => raw_info['url'],
          'email' => raw_info['email'],
          'fullname' => raw_info['fullname'],
          'description' => raw_info['description'],
          'gender' => raw_info['gender']
        })
      end

      # Profile lookup against the provider with the freshly issued access token,
      # memoized so uid and info share a single request.
      def raw_info
        @raw_info ||= access_token.get('/me', :params => {
          :fields => %w(id screenname url email fullname description gender).join(',')
        }).parsed
      end
    end
  end
end
Omniauth in Rails
Link an account only (no authentication)

 = link_to "Link to Dailymotion", "/auth/dailymotion"

match '/auth/:provider/callback', to: 'profiles#link_provider'
class ProfilesController < AuthenticatedController
  def show
  end

  def link_provider
    current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)

    redirect_to profile_path, notice: "Successfully linked to provider"
  end

  protected

  # OmniAuth leaves the provider's response in the Rack env for the callback action.
  def auth_hash
    request.env['omniauth.auth']
  end
end

class User
  # ...
  # Store the provider's credentials (token, secret, ...) in columns named
  # "<provider>_<key>"; respond_to? keeps the dynamic setter limited to the
  # attributes the model actually defines.
  def update_attributes_for_provider(provider, credentials)
    credentials.each do |key, val|
      send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
    end

    save
  end
end
Omniauth in Rails - Authentication with Devise
class Users::OmniauthCallbacksController < ApplicationController
  def create
    @user = User.find_or_create_for_provider(params[:provider], auth_hash)
    sign_in_and_redirect(@user, :event => :authentication)
  end
end
Thank you!

Follow me: twitter.com/slainer68

More Related Content

What's hot

REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 

What's hot (18)

REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 

Viewers also liked

Découplez votre appli en micro-APIs
Découplez votre appli en micro-APIsDécouplez votre appli en micro-APIs
Découplez votre appli en micro-APIsNicolas Blanco
 
Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02Revath S Kumar
 
Backbone identity map
Backbone identity mapBackbone identity map
Backbone identity mapBen Teese
 
Breaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynoteBreaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynoteChristian Heilmann
 
Rich Object Models & Angular.js
Rich Object Models & Angular.jsRich Object Models & Angular.js
Rich Object Models & Angular.jsBen Teese
 
An app on the shoulders of giants
An app on the shoulders of giantsAn app on the shoulders of giants
An app on the shoulders of giantsJeroen van Dijk
 

Viewers also liked (7)

Découplez votre appli en micro-APIs
Découplez votre appli en micro-APIsDécouplez votre appli en micro-APIs
Découplez votre appli en micro-APIs
 
Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02
 
Iffy
IffyIffy
Iffy
 
Backbone identity map
Backbone identity mapBackbone identity map
Backbone identity map
 
Breaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynoteBreaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynote
 
Rich Object Models & Angular.js
Rich Object Models & Angular.jsRich Object Models & Angular.js
Rich Object Models & Angular.js
 
An app on the shoulders of giants
An app on the shoulders of giantsAn app on the shoulders of giants
An app on the shoulders of giants
 

Similar to Some OAuth love

Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground UpMichael Bleigh
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 

Similar to Some OAuth love (20)

Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
Api security
Api security Api security
Api security
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground Up
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Some OAuth love

  • 1. Some OAuth love <3 by Nicolas Blanco twitter.com/slainer68
  • 3. OAuth • 2006 by Blaine Cook (Twitter) • OpenID for API access • Delegation of access • IETF - final protocol in 2010
  • 4. OAuth • 3-legged authentication • Resource owner (Mme Michu) • Server / Resource provider (vimeo) • Client / Consumer (dvdtrololol.com)
  • 5. OAuth - Resource provider YOU !
  • 7. OAuth - workflow Temporary credentials trolololdvd.com vimeo Redirection Authorization page
  • 9. OAuth - Workflow Authorized request token Access token Access token
  • 10. OAuth - Signature • Must sign all requests • Base string • Consumer key • Consumer secret • The signature
  • 11. OAuth - Base string The HTTP Method is GET The URL is http://vimeo.com/api/rest/v2/ The method is vimeo.people.getInfo There is only one API parameter for vimeo.people.getInfo: user_id is brad The oauth_consumer_key is abcdef0123456 The oauth_nonce is r4nd0m1234 The oauth_timestamp is 1328533189 The oauth_signature_method is HMAC The oauth_version is 1.0 GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3D vimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce %3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp %3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
  • 12. OAuth - Ruby • At least some Ruby! • ruby gem install oauth @callback_url = "http://www.dvdtrololol.com/oauth/callback" @consumer = OAuth::Consumer.new("key","secret", :site => "https:// vimeo.com/auth") @request_token = @consumer.get_request_token(:oauth_callback => @callback_url) session[:request_token] = @request_token redirect_to @request_token.authorize_url(:oauth_callback => @callback_url) @access_token = @request_token.get_access_token @videos = @access_token.get('/videos.json')
  • 13. OAuth - signature • Here comes Faraday ! Middleware like Rack • https://github.com/technoweenie/faraday builder.use Faraday::Request::OAuth, {         :consumer_key => @consumer_key,         :consumer_secret => @consumer_secret,         :token => @atoken,         :token_secret => @asecret        }
  • 14. OAuth - Faraday middleware
  • 15. OAuth2 • The next evolution : OAuth2 • Not backward-compatible • IETF Draft • Use it now!!! • Facebook OpenGraph - Google - Microsoft
• 16. Why <3 OAuth2
  • Clients don't need cryptography anymore: the access token is a bearer token, so HTTPS is the only thing protecting it, and it must never be sent over plain HTTP
  • Less complicated signatures (none at all with bearer tokens)
  • Better support for non-browser apps
  • Access tokens are short-lived (a refresh token gets you a new one)
  • Clean separation between the authorization server and the resource server
• 17. OAuth 2 - Debug with Curl!
  curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads
• 18. OAuth2 - Gem
  client = OAuth2::Client.new('client_id', 'client_secret', :site => 'https://www.youtube.com/auth')

  # Send the user to the provider's authorization endpoint. Also pass a random
  # :state stored in the session and compare it on the callback, so a callback
  # forged by someone else cannot be completed in this user's session.
  client.auth_code.authorize_url(:redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')
  # => the provider's authorize URL carrying response_type=code, client_id and the encoded redirect_uri

  # In the callback: exchange the code for a token (same redirect_uri as above)
  token = client.auth_code.get_token('authorization_code_value', :redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')
  videos = token.get('/videos.json')
• 19. OAuth2 - Faraday middleware
  module Faraday
    class Request::OAuth2 < Faraday::Middleware
      def initialize(app, access_token)
        @app, @access_token = app, access_token
      end

      # Add the bearer token to every outgoing request
      def call(env)
        env[:request_headers]['Authorization'] = "Bearer #{@access_token.token}"
        @app.call(env)
      end
    end
  end
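The two halves that slides 16, 18 and 19 talk to but never show, as an added example (Ruby, standard library only; not the slides' code, not the oauth2 gem, not any real provider): a minimal authorization server doing the authorization code exchange behind client.auth_code, and a separate resource server checking the Bearer header the Faraday middleware sends. Client id, secret, redirect URI and the clock value are constructed placeholders.

```ruby
require 'securerandom'
require 'uri'

# Added example (not code from the slides, the oauth2 gem or any provider):
# an in-memory authorization server and resource server. Client ids, secrets,
# redirect URIs and the clock value are constructed placeholders.

class AuthorizationServer
  CODE_TTL  = 60     # seconds an authorization code stays valid
  TOKEN_TTL = 3600   # access tokens are short-lived

  # clients: client_id => { secret:, redirect_uris: [...] } (pre-registered)
  def initialize(clients, clock:)
    @clients, @clock = clients, clock
    @codes  = {}   # code  => { client_id:, redirect_uri:, expires_at: }
    @tokens = {}   # token => { client_id:, expires_at: }
  end

  # /oauth/authorize, after the resource owner approved. Returns the redirect
  # target carrying the code and echoing the client's state (the client
  # compares that state with its session when the callback arrives).
  def authorize(client_id:, redirect_uri:, state:)
    client = @clients[client_id]
    return [:error, 'unauthorized_client'] unless client
    # Exact match against the registered list; a looser match would let an
    # attacker have the code delivered to a URI they control.
    return [:error, 'invalid_redirect_uri'] unless client[:redirect_uris].include?(redirect_uri)

    code = SecureRandom.urlsafe_base64(32)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri,
                     expires_at: @clock.call + CODE_TTL }
    [:ok, "#{redirect_uri}?#{URI.encode_www_form(code: code, state: state)}"]
  end

  # /oauth/token with grant_type=authorization_code
  def exchange_code(client_id:, client_secret:, code:, redirect_uri:)
    client = @clients[client_id]
    return [:error, 'invalid_client'] unless client && client[:secret] == client_secret

    grant = @codes.delete(code)   # single use: presenting the code again fails
    return [:error, 'invalid_grant'] unless grant &&
                                            grant[:client_id] == client_id &&
                                            grant[:redirect_uri] == redirect_uri &&
                                            grant[:expires_at] > @clock.call

    token = SecureRandom.urlsafe_base64(32)
    @tokens[token] = { client_id: client_id, expires_at: @clock.call + TOKEN_TTL }
    [:ok, { access_token: token, token_type: 'Bearer', expires_in: TOKEN_TTL }]
  end

  # What the resource server asks: is this token known and not expired?
  def introspect(token)
    entry = @tokens[token]
    entry if entry && entry[:expires_at] > @clock.call
  end
end

# The separate resource server never sees client secrets or codes, only
# bearer tokens, which it validates against the authorization server.
class ResourceServer
  def initialize(auth_server)
    @auth_server = auth_server
  end

  # Rack-style: env in, [status, headers, body] out.
  def call(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    # RFC 6750 2.1: "Bearer" (case-insensitive) then the b64token characters
    match = /\ABearer[ ]+([A-Za-z0-9\-._~+\/]+=*)\z/i.match(header)
    return unauthorized('invalid_request') unless match
    return unauthorized('invalid_token')   unless @auth_server.introspect(match[1])

    [200, { 'Content-Type' => 'application/json' }, ['{"videos":[]}']]
  end

  private

  def unauthorized(error)
    [401, { 'WWW-Authenticate' => %(Bearer realm="api", error="#{error}") }, ['']]
  end
end

CLIENTS = {
  'dvdtrololol' => { secret: 's3cret-placeholder',
                     redirect_uris: ['http://www.dvdtrololol.com/oauth2/callback'] }
}.freeze

# Walk through the whole flow and collect what each step returned.
def run_demo
  now    = 1_328_533_189                           # constructed clock (seconds)
  server = AuthorizationServer.new(CLIENTS, clock: -> { now })
  api    = ResourceServer.new(server)
  cb     = 'http://www.dvdtrololol.com/oauth2/callback'
  r      = {}

  r[:bad_redirect] = server.authorize(client_id: 'dvdtrololol',
                                      redirect_uri: 'http://attacker.example/cb', state: 's').first
  _, location = server.authorize(client_id: 'dvdtrololol', redirect_uri: cb, state: 'abc123')
  query = URI.decode_www_form(URI(location).query).to_h
  r[:state_echoed] = query['state']

  status, token = server.exchange_code(client_id: 'dvdtrololol', client_secret: 's3cret-placeholder',
                                       code: query['code'], redirect_uri: cb)
  r[:exchange] = status
  r[:replay]   = server.exchange_code(client_id: 'dvdtrololol', client_secret: 's3cret-placeholder',
                                      code: query['code'], redirect_uri: cb).last

  env = { 'HTTP_AUTHORIZATION' => "Bearer #{token[:access_token]}" }
  r[:api_ok]    = api.call(env).first
  r[:no_header] = api.call({}).first
  now += AuthorizationServer::TOKEN_TTL + 1        # the short-lived token expires
  r[:expired]   = api.call(env).first
  r
end
```

The resource server only ever handles bearer tokens over a Rack-style env, which is exactly what makes "clients don't need cryptography" true: all the binding (client secret, single-use code, exact redirect_uri, expiry) lives at the authorization server, and anyone holding the token string gets in until it expires, hence the short TTL and the HTTPS-only rule.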
• 20. Omniauth love <3
  • Rack standardized multi-provider authentication
  • Very flexible

  Rails.application.config.middleware.use OmniAuth::Builder do
    provider :developer unless Rails.env.production?
    provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
  end
• 21. Omniauth - Authentication Lifecycle
  • Setup phase
  • Request phase
  • Callback phase
• 22. Omniauth basic strategy
  module OmniAuth
    module Strategies
      class Developer
        include OmniAuth::Strategy

        option :fields, [:name, :email]
        option :uid_field, :email
      end
    end
  end
• 23. Omniauth base OAuth strategies
  • omniauth-oauth
  • omniauth-oauth2
• 24. Write a custom OAuth2 strategy: Dailymotion?
• 25. Omniauth default stack
  • omniauth-oauth2
  • multi-json
  • multi-xml
  • faraday
• 26. Omniauth custom OAuth2 strategy
  require 'omniauth/strategies/oauth2'

  module OmniAuth
    module Strategies
      class Dailymotion < OmniAuth::Strategies::OAuth2
        DEFAULT_SCOPE = 'email userinfo'

        option :name, "dailymotion"

        option :client_options, {
          :site          => 'https://api.dailymotion.com',
          :authorize_url => '/oauth/authorize',
          :token_url     => '/oauth/token'
        }
        # ...
• 27. Omniauth custom OAuth2 strategy - Give more info for free!
        uid { raw_info['id'] }

        # prune! (defined elsewhere in the strategy, not on the slide) drops empty values
        info do
          prune!({
            'screenname'  => raw_info['screenname'],
            'url'         => raw_info['url'],
            'email'       => raw_info['email'],
            'fullname'    => raw_info['fullname'],
            'description' => raw_info['description'],
            'gender'      => raw_info['gender']
          })
        end

        # One call to /me, asking only for the fields mapped above
        def raw_info
          @raw_info ||= access_token.get('/me', :params => { :fields => %w(id url email fullname description gender).join(',') }).parsed
        end
• 28. Omniauth in Rails - Link an account only (no authentication)
  = link_to "Link to Dailymotion", "/auth/dailymotion"

  match '/auth/:provider/callback', to: 'profiles#link_provider'
• 29.
  class ProfilesController < AuthenticatedController
    def show
    end

    # Callback for an already signed-in user linking a provider (no sign-in here)
    def link_provider
      current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)
      redirect_to profile_path, notice: "Successfully linked to provider"
    end

    protected

    def auth_hash
      request.env['omniauth.auth']
    end
  end

  class User
    # ...
    # Copies token/secret into e.g. twitter_token, twitter_secret; the
    # respond_to? guard skips keys the model has no setter for, so a
    # provider name from the URL can only reach setters that actually exist
    def update_attributes_for_provider(provider, credentials)
      credentials.each do |key, val|
        send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
      end
      save
    end
  end
• 30. Omniauth in Rails - Authentication with Devise
  class Users::OmniauthCallbacksController < ApplicationController
    def create
      @user = User.find_or_create_for_provider(params[:provider], auth_hash)
      sign_in_and_redirect(@user, :event => :authentication)
    end
  end
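The two model methods slides 29 and 30 call but never define, find_or_create_for_provider and update_attributes_for_provider, as an added example (plain Ruby, no Rails, Devise or ActiveRecord; this is not the slides' code). It uses an in-memory store in place of the users table, and the auth hashes are constructed to look like request.env['omniauth.auth'] with string keys; the providers, uids and credential values are made up.

```ruby
# Added example, not the slides' code and independent of Rails, Devise and
# ActiveRecord: an in-memory User with the methods the callback controllers
# above call, plus the checks a login callback needs. Auth hashes are
# constructed in OmniAuth's shape; providers, uids and tokens are made up.

class User
  PROVIDERS       = %w[twitter dailymotion].freeze # as configured in OmniAuth::Builder
  CREDENTIAL_KEYS = %w[token secret refresh_token expires_at].freeze

  class << self
    attr_accessor :store # stands in for the users table
  end
  self.store = []

  attr_reader :id, :email, :identities, :credentials

  def initialize(id:, email:)
    @id, @email  = id, email
    @identities  = {} # provider => uid
    @credentials = {} # provider => { 'token' => ..., ... }
  end

  def self.check_provider!(provider)
    raise ArgumentError, "unknown provider #{provider.inspect}" unless PROVIDERS.include?(provider.to_s)
  end

  # Devise callback path. Identity is the (provider, uid) pair: matching on the
  # e-mail the provider returned would let anyone who registers that address
  # with a provider that does not verify e-mails sign in as the existing user.
  def self.find_or_create_for_provider(provider, auth)
    check_provider!(provider)
    # params[:provider] comes from the URL; it has to agree with the provider
    # OmniAuth actually completed the callback for.
    raise ArgumentError, 'provider mismatch' unless auth['provider'] == provider
    uid = auth['uid'].to_s
    raise ArgumentError, 'missing uid' if uid.empty?

    user = store.find { |u| u.identities[provider] == uid }
    unless user
      user = new(id: store.size + 1, email: auth.dig('info', 'email'))
      user.identities[provider] = uid
      store << user
    end
    user.update_attributes_for_provider(provider, auth['credentials'])
    user
  end

  # Keep only the credential fields we know, namespaced by provider (the
  # slide's twitter_token= / twitter_secret= setters); anything else in the
  # hash is dropped rather than assigned.
  def update_attributes_for_provider(provider, creds)
    self.class.check_provider!(provider)
    kept = (creds || {}).select { |k, _| CREDENTIAL_KEYS.include?(k.to_s) }
    @credentials[provider.to_s] = kept.transform_keys(&:to_s)
    true # what save would return
  end

  # ProfilesController#link_provider path: attach a provider to the signed-in
  # user, refusing a uid that already belongs to another account.
  def link_provider(provider, auth)
    self.class.check_provider!(provider)
    raise ArgumentError, 'provider mismatch' unless auth['provider'] == provider
    uid   = auth['uid'].to_s
    owner = self.class.store.find { |u| u.identities[provider] == uid }
    raise ArgumentError, 'identity already linked to another user' if owner && !owner.equal?(self)
    identities[provider] = uid
    update_attributes_for_provider(provider, auth['credentials'])
  end
end

# Constructed auth hashes in OmniAuth's shape (string keys)
TWITTER_AUTH = {
  'provider' => 'twitter', 'uid' => '12345',
  'info' => { 'nickname' => 'michu', 'email' => nil },
  'credentials' => { 'token' => 'tw-token', 'secret' => 'tw-secret', 'admin' => true }
}.freeze
DAILYMOTION_AUTH = {
  'provider' => 'dailymotion', 'uid' => 'x1abc',
  'info' => { 'email' => 'michu@example.org' },
  'credentials' => { 'token' => 'dm-access', 'refresh_token' => 'dm-refresh',
                     'expires_at' => 1_328_536_789 }
}.freeze
```

The 'admin' key in the constructed Twitter credentials shows why the allowlist matters: with the slide's send("#{provider}_#{key}=") pattern, whatever the provider (or a tampered hash) puts in credentials is only stopped by the respond_to? guard, whereas an explicit list of credential fields does not depend on which setters the model happens to have.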
  • 31. Thank you ! Follow me : twitter.com/slainer68