OAuth Basic Introduction

OAuth - Open API Authentication


http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.


Page 1: OAuth - Open API Authentication

OAuth Basic Introduction

Page 2: OAuth - Open API Authentication

What is OAuth?

A simple open standard for secure API authentication.

Page 3: OAuth - Open API Authentication

The Love Triangle

• End User

• Service Provider

• Consumer Application

(fake applications by EHL)

http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html

Page 4: OAuth - Open API Authentication

• Authentication

Need to log in to access parts of a website

ex: bookmark a link, post a photo, add a friend, view a private message

• Token-based Authentication

Logged-in user has a unique token used to access data from the site

Specifically OAuth is...

Page 5: OAuth - Open API Authentication

Similar to...

• Flickr Auth

• Google’s AuthSub

• Yahoo’s BBAuth

• Facebook Auth

• and others...

Page 6: OAuth - Open API Authentication

Who is involved?

Page 7: OAuth - Open API Authentication

Be Simple

Goals:

• standard for website API authentication

• consistent for developers

• easy for users to understand *

* this is hard

Page 8: OAuth - Open API Authentication

Be Secure

Goals:

• secure for users

• easy for developers to implement security features

• balance security with ease of use

Page 9: OAuth - Open API Authentication

Be Open

Goals:

• any website can implement OAuth

• any developer can use OAuth

• open source client libraries

• published technical specifications

Page 10: OAuth - Open API Authentication

Be Flexible

Goals:

• don’t need a username and password

• authentication method agnostic

• can use OpenID (or not!)

• whatever works best for the web service

• developers don’t need to handle auth

Page 11: OAuth - Open API Authentication

What the end user sees...

an example from ma.gnolia and nsyght.

Page 12: OAuth - Open API Authentication

OMG! Need to log in!

Page 13: OAuth - Open API Authentication

Login with service provider

Page 14: OAuth - Open API Authentication

Authorize

Page 15: OAuth - Open API Authentication

Done!

Page 16: OAuth - Open API Authentication

How Does OAuth Work?

(for developers)

Page 17: OAuth - Open API Authentication

Register a Consumer Application

• Provide the service provider with data about your application (name, creator, URL, etc.)

• Service provider assigns the consumer a consumer key and consumer secret

• Service provider gives documentation of authorization URLs and methods

Page 18: OAuth - Open API Authentication

Authorization Process

1. Obtain request token

2. User authorizes request token

3. Exchange request token for access token

4. Use access token to obtain protected resources

Page 19: OAuth - Open API Authentication

OAuth Parameters

• oauth_consumer_key

• oauth_token

• oauth_signature

• oauth_signature_method

• oauth_timestamp

• oauth_nonce

Page 20: OAuth - Open API Authentication

Where is this information passed?

• HTTP Authorization header

• HTTP POST request body (form params)

• URL query string parameters

Page 21: OAuth - Open API Authentication

Security

• Tokens - the consumer never passes the user's username/password

• Timestamp and nonce - let the service provider verify that each request is unique (no replays)

• Signature - a signature over the request parameters helps the service provider recognize the consumer

• Signature methods - HMAC-SHA1, RSA-SHA1, Plaintext over a secure channel (such as SSL)
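The following is an added example, not code from the talk or from any of the libraries it mentions: the consumer builds the oauth_* parameters listed on the OAuth Parameters slide and signs the request with HMAC-SHA1 as the OAuth Core 1.0 draft specifies, and the service provider side performs the checks on the Security slide (known consumer and token, fresh timestamp, unseen nonce, matching signature). All keys, secrets and URLs used with it are constructed values.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved chars stay literal
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & enc(base URL) & enc(normalized params), with oauth_signature left out
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret); token secret is empty in step 1
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed_request(method, url, params, consumer_key, consumer_secret, token, token_secret, now):
    # Consumer side: add the oauth_* parameters from the slides, then sign the whole set
    p = dict(params, oauth_consumer_key=consumer_key, oauth_token=token,
             oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(now),
             oauth_nonce=secrets.token_hex(8), oauth_version="1.0")
    p["oauth_signature"] = sign(method, url, p, consumer_secret, token_secret)
    return p

class ServiceProvider:  # service-provider side: the checks the Security slide describes
    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret (from registration)
        self.tokens = tokens        # oauth_token -> token_secret (issued access tokens)
        self.window = window        # accepted clock skew in seconds
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now):
        ck, tok = params.get("oauth_consumer_key"), params.get("oauth_token")
        if ck not in self.consumers or tok not in self.tokens:
            return False
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        ts = params.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(now - int(ts)) > self.window:
            return False  # stale or malformed timestamp
        marker = (ck, ts, params.get("oauth_nonce"))
        if marker in self.seen:
            return False  # same timestamp+nonce seen before: replay
        expected = sign(method, url, params, self.consumers[ck], self.tokens[tok])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False  # signature mismatch: wrong secret or altered parameters
        self.seen.add(marker)
        return True
```

Any parameter the consumer alters after signing, or a second delivery of the same request, is rejected before the protected resource is touched.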

Page 22: OAuth - Open API Authentication

Current Status of OAuth

• oauth.net

• OAuth Core 1.0 Draft 7

• several libraries for consumers and service providers (PHP, Python, Ruby, Perl, C# ...)

• Ma.gnolia and Twitter implementations

• more implementations soon!

Page 23: OAuth - Open API Authentication

Chris is still working on the logo...

Thanks!