OAuth Practical Implementation

Implementing OAuth


DESCRIPTION

Workshop on OAuth from MeshU 2008 in Toronto. The basics of OAuth API authentication are covered in this talk as well as some implementation examples.


Page 1: Implementing OAuth

OAuth: Practical Implementation

Page 2: Implementing OAuth

• Pownce launched (June 2007)

• developers wanted an API

• became involved with OAuth (Aug 2007)

• public read-only API (Oct 2007)

• full API with OAuth (Mar 2008)

• 200+ apps built on Pownce API

Pownce and OAuth

Page 3: Implementing OAuth

• an author of the specification

• wrote first library (Python)

• maintain Python library

• maintain Pownce API OAuth implementation

Me and OAuth

Page 4: Implementing OAuth

What is OAuth?

A simple open standard for secure API authentication.

http://oauth.net

Page 5: Implementing OAuth

The (API) Love Triangle

End User

“Service Provider” (web service, e.g. Pownce)

“Consumer Application” (3rd party app, e.g. AIM bot)

Page 6: Implementing OAuth

• Authentication

Need to log in to access parts of a website (ex: bookmark a link, post a photo, add a friend, view a private message)

• Token-based Authentication

Logged-in user has a unique token used to access data from the site

Specifically OAuth is...

Page 7: Implementing OAuth

Just like...

• Flickr Auth

• Google’s AuthSub

• Yahoo’s BBAuth

• Facebook Auth

• and others...

http://flickr.com/photos/bees/2504039638/

Page 8: Implementing OAuth

Who is involved?

Page 9: Implementing OAuth

• Service Providers - have a web API that needs authorization for certain functions

• Consumers - want to use an API that requires (or encourages) OAuth

Who is it for?

Page 10: Implementing OAuth

Be Simple

Goals:

• standard for website API authentication

• consistent for developers

• easy for end users to understand *

* this is hard

Page 11: Implementing OAuth

Be Secure

Goals:

• secure for end users

• easy to implement security features for website developers

• 3rd party developers don’t have access to passwords

• balance security with ease of use

Page 12: Implementing OAuth

Be Open

Goals:

• any website can implement OAuth

• any 3rd party developer can use OAuth

• open source client libraries

• community-designed technical specifications

Page 13: Implementing OAuth

Be Flexible

Goals:

• authentication method agnostic

• users don’t need a username and password

• can use OpenID (or not!)

• whatever auth works best for the service

• 3rd party developers don’t handle auth

Page 14: Implementing OAuth

Is OAuth different from OpenID?

Yes.

(short answer)

Page 15: Implementing OAuth

Is OAuth different from OpenID?

(medium answer)

OpenID - user identification by provider URL, login on provider site.

OAuth - API authorization and permissions, any form of user identification, login on provider site.

Page 17: Implementing OAuth

I’d like to search my Ma.gnolia bookmarks via social search engine Nsyght.

What the end user sees...

Web Consumer

Ma.gnolia and Nsyght

Page 18: Implementing OAuth

OMG! Need to log in!

Page 19: Implementing OAuth

Login with service provider

alternative login method: not username/password

service provider’s site!

Page 20: Implementing OAuth

Authorize

Page 21: Implementing OAuth

Done!

Page 22: Implementing OAuth

Web flow

• Nsyght asks Ma.gnolia for a request token (API call)

• Ma.gnolia returns the request token

Request Token!

Page 23: Implementing OAuth

• user sent to Ma.gnolia with the request token in the URL (HTTP redirect)

• user logs in and/or authorizes Nsyght

• user redirected back to Nsyght with the (authorized) request token

Authorize!

Page 24: Implementing OAuth

• Nsyght asks Ma.gnolia for an access token with the authorized request token (API call)

• Ma.gnolia exchanges the request token for an access token

• Nsyght stores the access token

Access Token!

Page 25: Implementing OAuth

use the access token...

by Blaine Cook

Page 26: Implementing OAuth

What the end user sees...

Desktop Consumer

I’d like to get alerts about new Pownce notes via AIM.

Pownce and PownceAIM

Page 27: Implementing OAuth

OMG! Need to log in!

Page 28: Implementing OAuth

Login with service provider

service provider’s site!

Page 29: Implementing OAuth

Authorize

click “Okay!”

Page 30: Implementing OAuth

Authorized! Return to desktop app.

Page 31: Implementing OAuth

Desktop flow

• PownceAIM asks Pownce for a request token (API call)

• Pownce returns the request token

Request Token!

Page 32: Implementing OAuth

• user sent to Pownce with the request token in the URL (user follows link)

• user logs in and/or authorizes PownceAIM

• user tells PownceAIM that auth is complete

Authorize!

Page 33: Implementing OAuth

• PownceAIM asks Pownce for an access token with the authorized request token (API call)

• Pownce exchanges the request token for an access token

• PownceAIM stores the access token

Access Token!

Page 34: Implementing OAuth

1. Obtain request token

2. User authorizes request token

3. Exchange request token for access token

4. Use access token to obtain protected resources

Basic Authorization Process

Page 35: Implementing OAuth

OAuth Setup

• Service provider gives documentation of authorization URLs and methods

• Consumer registers an application with the service provider

Page 36: Implementing OAuth

Service Provider Documentation

• Request token endpoint

• Authorization endpoint

• Access token endpoint

• Accepted request method(s) (GET, POST, PUT, etc...)

• Signature method(s)

• Extra parameters (non-oauth)

• Any specific notes about OAuth for that provider

Page 37: Implementing OAuth

Pownce API Documentation

https://pownce.pbwiki.com/API%20Documentation2-0#VerifyAuth

Page 38: Implementing OAuth

Register a Consumer Application

• Consumer gives service provider data about the application (name, creator, url etc...)

• Service provider assigns the application a consumer key and consumer secret

Page 39: Implementing OAuth

Registering a Fire Eagle Application

consumer app sign up page

https://fireeagle.yahoo.net/developer/create

Page 40: Implementing OAuth

Registering a Fire Eagle Application

Done!

oooh!

https://fireeagle.yahoo.net/developer/manage

Page 41: Implementing OAuth

OAuth Objects - Consumer

consumer key

• assigned during consumer registration

• passed as a request parameter

consumer secret

• assigned during consumer registration

• used for signing (e.g. HMAC-SHA1)

Page 42: Implementing OAuth

OAuth Objects - Consumer

Page 43: Implementing OAuth

OAuth Objects - Token

token key

• unique string granted by service provider

• passed as a request parameter

• same variable name (oauth_token_key) for both request and access type tokens

token secret

• also granted by service provider

• same variable name (oauth_token_secret) for both request and access type tokens

Page 44: Implementing OAuth

OAuth Objects - Token

Page 45: Implementing OAuth

OAuth Parameters

• oauth_consumer_key

• oauth_token

• oauth_signature

• oauth_signature_method

• oauth_timestamp

• oauth_nonce

• oauth_version

Page 46: Implementing OAuth

Where is this information passed?

• HTTP Authorization header

• HTTP POST request body (form params)

• URL query string parameters

(in order of preference)

Page 47: Implementing OAuth

Timestamp and Nonce

oauth_timestamp

• seconds since Unix epoch (unless otherwise specified by service provider)

• must be equal to or greater than the previous request’s timestamp

oauth_nonce

• random string per timestamp / request

• attempt to stop replay attacks

Page 48: Implementing OAuth

Signing Requests

oauth_signature_method

• HMAC-SHA1

• RSA-SHA1

• PLAINTEXT

oauth_signature

• string constructed according to the chosen signature method

Page 49: Implementing OAuth

Signing Requests

Page 50: Implementing OAuth

Signature Methods

HMAC-SHA1

• construct the signature base string by joining the following with a ‘&’:

1. http request method (e.g. GET)

2. http url (endpoint url)

3. normalized request parameters (sorted by name)

• key = encoded consumer secret and token secret separated by an ‘&’

Page 51: Implementing OAuth

Signature Methods

HMAC-SHA1

Page 52: Implementing OAuth

Signature Methods

HMAC-SHA1

Example base string:

GET&http%3A%2F%2Fapi.pownce.com%2Fauth%2Fverify.xml&oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j%26oauth_nonce%3DD81FBEDC-1050-40EE-B899-21A1E07C4EC5%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1211254098%26oauth_token%3D0qic7f318nj42ogm%26oauth_version%3D1.0

Example signature:

oauth_signature="UFHiNYSf++3N18oTZ864IAGlvxU%3D"

Page 53: Implementing OAuth

Signature Methods

PLAINTEXT

• should be used over a secure channel (SSL)

• no base string

• url-encoded consumer secret and token secret separated by an ‘&’

Page 54: Implementing OAuth

Signature Methods

PLAINTEXT

Ex:

oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3
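As an added example (not code from the talk or from the Python OAuth library it mentions), the HMAC-SHA1 and PLAINTEXT signing steps from the last few slides in Python: base string, signing key, signature and the Authorization header that carries it. The parameters are those of the verify.xml base string shown above; any secrets used with them are constructed placeholders, since the real ones are not on the slides.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """OAuth percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """Join HTTP method, endpoint URL and name-sorted normalized params with '&'.
    oauth_signature itself is excluded; query-string params belong in `params`."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items())
                          if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct(normalized)])

def signing_key(consumer_secret, token_secret=""):
    """Encoded consumer secret '&' encoded token secret; a request-token call
    has no token yet, so its key ends in a bare '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, base64-encoded (28 chars, ends in '=')."""
    digest = hmac.new(signing_key(consumer_secret, token_secret).encode(),
                      signature_base_string(method, url, params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def plaintext_signature(consumer_secret, token_secret=""):
    """PLAINTEXT has no base string: the signature is the key itself (use SSL)."""
    return signing_key(consumer_secret, token_secret)

def authorization_header(realm, params):
    """Render the signed params in the preferred transport, the Authorization header."""
    pairs = ",".join(f'{k}="{pct(v)}"' for k, v in params.items())
    return f'OAuth realm="{realm}",{pairs}'

# Parameters copied from the verify.xml base string on the slide above.
EXAMPLE_URL = "http://api.pownce.com/auth/verify.xml"
EXAMPLE_PARAMS = {
    "oauth_consumer_key": "nbe958225r999a706d1u4qgwx2nx9e8j",
    "oauth_nonce": "D81FBEDC-1050-40EE-B899-21A1E07C4EC5",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1211254098",
    "oauth_token": "0qic7f318nj42ogm",
    "oauth_version": "1.0",
}
```

Note that the signature value is percent-encoded a second time when placed in the header or query string, which is why the PLAINTEXT example on the slide shows the ‘&’ as %26.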

Page 55: Implementing OAuth

Signature Methods

RSA-SHA1

• sign with Consumer’s RSA private key and the signature base string

• verify with Consumer’s RSA public key

• same signature base string as HMAC-SHA1

• still in development for most OAuth libraries

Page 56: Implementing OAuth

Big Fatty Example

PownceAIM and Pownce

warning: screen shots might not match text.

Page 57: Implementing OAuth

• PownceAIM asks Pownce for a request token (API call)

• Pownce returns the request token

Authorization: OAuth realm="http://api.pownce.com/",oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",oauth_signature_method="HMAC-SHA1",oauth_signature="7A4blmAxXMDPmCQuTBR4CocpdNo%3D",oauth_timestamp="1211257266",oauth_nonce="9BD703ED-EBA0-4B79-B9F2-AA09C9945D4B",oauth_version="1.0"

oauth_token_secret=f23dzf5l79o2q23y&oauth_token=3fjay66o4x78j4c8

Page 58: Implementing OAuth

• user sent to Pownce with the request token in the URL (user follows link)

• user logs in and/or authorizes PownceAIM

http://api.pownce.com/oauth/authorize?oauth_token=3fjay66o4x78j4c8

Page 59: Implementing OAuth

click “Okay!”

let’s pretend the user is logged in to the Pownce site

Page 60: Implementing OAuth

• user tells PownceAIM that auth is complete

• cue to PownceAIM that the request token has been authorized

Page 61: Implementing OAuth

• PownceAIM asks Pownce for an access token with the authorized request token (API call)

• Pownce exchanges the request token for an access token

• PownceAIM stores the access token

Authorization: OAuth realm="http://api.pownce.com/",oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",oauth_token="3fjay66o4x78j4c8",oauth_signature_method="HMAC-SHA1",oauth_signature="6A87eXJ8MimMnCHfRM1hedEPHG4%3D",oauth_timestamp="1211258114",oauth_nonce="F85482A6-B1BC-4580-95B2-0E51300CBEF7",oauth_version="1.0"

oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2

Page 62: Implementing OAuth

• PownceAIM asks Pownce for a protected resource (note list) (API call)

• Pownce returns API data

<?xml version="1.0" encoding="utf-8"?><notes> <note> <body>Check out my website Leah!</body> <permalink>http://pownce.com/iamcal/notes/2211344/</permalink> <sender> <user> <username>iamcal</username> ...

Authorization: OAuth realm="http://api.pownce.com/",oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",oauth_token="oixvd0538vmw3hm2",oauth_signature_method="HMAC-SHA1",oauth_signature="YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3D",oauth_timestamp="1211258746",oauth_nonce="DE648679-003B-42B5-806A-F185D0714EEB",oauth_version="1.0"

Page 63: Implementing OAuth

Managing Tokens

• request token expiration

• access token expiration

• end user token management

Page 64: Implementing OAuth

Token Management

http://pownce.com/settings/applications

Page 65: Implementing OAuth

HTTP Errors

• 400 Bad Request

  • unsupported parameter

  • unsupported signature method

  • missing required parameter

  • duplicate OAuth parameter

• 401 Unauthorized

  • invalid consumer key

  • invalid / expired token

  • invalid signature (signature does not match)

  • invalid / used nonce
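An added example of the service-provider side (not code from the talk or from Pownce): it maps the malformed-request cases on this slide to 400 and the rejected-request cases to 401, and applies the timestamp and nonce rules from the earlier slide before the signature is verified. The header value is the request-token call from the PownceAIM example, and the in-memory ReplayGuard store is an assumed stand-in for whatever a provider actually persists.

```python
import re
from urllib.parse import unquote

REQUIRED = ("oauth_consumer_key", "oauth_signature", "oauth_signature_method", "oauth_timestamp", "oauth_nonce")
SUPPORTED_METHODS = ("HMAC-SHA1", "PLAINTEXT", "RSA-SHA1")
PAIR = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')

class OAuthRequestError(Exception):
    """args are (http_status, reason): 400 for malformed requests, 401 for rejected ones."""

def parse_authorization_header(value):
    """Turn 'OAuth realm="...",k="v",...' into a dict of OAuth protocol parameters."""
    params = {}
    for key, raw in PAIR.findall(value):
        if key in params:  # the same OAuth parameter sent twice is a 400
            raise OAuthRequestError(400, f"duplicate OAuth parameter {key}")
        params[key] = unquote(raw)  # values are percent-encoded on the wire
    params.pop("realm", None)  # realm is not a protocol parameter
    return params

class ReplayGuard:
    """Per consumer key (and token): last accepted timestamp and the nonces seen with it."""
    def __init__(self):
        # timestamps may never decrease, so nonces of older timestamps can be forgotten
        self.state = {}  # scope -> (last_timestamp, set of nonces at that timestamp)

    def check(self, params):
        missing = [k for k in REQUIRED if k not in params]
        if missing:
            raise OAuthRequestError(400, "missing required parameter: " + ", ".join(missing))
        if params["oauth_signature_method"] not in SUPPORTED_METHODS:
            raise OAuthRequestError(400, "unsupported signature method")
        scope = (params["oauth_consumer_key"], params.get("oauth_token", ""))
        ts, nonce = int(params["oauth_timestamp"]), params["oauth_nonce"]
        last, nonces = self.state.get(scope, (0, set()))
        if ts < last:
            raise OAuthRequestError(401, "timestamp earlier than previous request")
        if ts == last and nonce in nonces:
            raise OAuthRequestError(401, "nonce already used")
        self.state[scope] = (ts, nonces | {nonce} if ts == last else {nonce})
        return params

def check_request(header_value, guard):
    """(200, params) when the request may proceed to signature verification, else (status, reason)."""
    try:
        return 200, guard.check(parse_authorization_header(header_value))
    except OAuthRequestError as err:
        return err.args

# Authorization header value from the request-token call on the slides above.
EXAMPLE_HEADER = ('OAuth realm="http://api.pownce.com/",oauth_consumer_key="nbe958225r999a706d1u4qgwx2nx9e8j",'
                  'oauth_signature_method="HMAC-SHA1",oauth_signature="7A4blmAxXMDPmCQuTBR4CocpdNo%3D",'
                  'oauth_timestamp="1211257266",oauth_nonce="9BD703ED-EBA0-4B79-B9F2-AA09C9945D4B",oauth_version="1.0"')
```

A request that passes still has to have its oauth_signature recomputed over the same base string the consumer built and compared; a mismatch is the 401 “invalid signature” case above.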

Page 66: Implementing OAuth

Common Errors

• signature does not match

  • providers can show expected base string

• token is invalid

  • expired? wrong type of token?

• request token unauthorized

  • user needs to login to authorize the request token

Page 67: Implementing OAuth

Testing Tools

• web-based test server and client by Andy Smith (http://term.ie/oauth/example)

• Endpointr, mac desktop app by Jon Crosby

Page 68: Implementing OAuth

Issues

• service provider documentation

• files

• granular permissions

• timestamp and nonce verification

• vague token expiration, consumers check for expired tokens

Page 69: Implementing OAuth

Current Status

• OAuth Core 1.0 Final (Dec 2007)

• OAuth Discovery 1.0 Draft 2

• Libraries: coldfusion, csharp, java, javascript, maven, obj-c, obj-c1, perl, php, python, ruby

Page 70: Implementing OAuth

Service Provider Implementations

• 88 Miles

• Google Contacts API

• Ma.gnolia

• Pownce

• Thmbnl

• Yahoo! Fire Eagle

http://wiki.oauth.net/ServiceProviders

Page 71: Implementing OAuth

More Info

• main site: http://oauth.net

• spec: http://oauth.net/core/1.0

• code: http://code.google.com/p/oauth

• mailing list: http://groups.google.com/group/oauth

• wiki: http://wiki.oauth.net

• Pownce API: http://pownce.com/api

Page 72: Implementing OAuth

Thanks!

ugly logo!