OAuth: A Question of Trust

OAuth: Trust Issues

DESCRIPTION

My talk for the Dutch PHP Conference, explaining the point of oauth, the mechanics of oauth2 and the various flows, and a spot of oauth1 for completeness

About Me

• Lorna Jane Mitchell

• Twitter: @lornajane

• Web: http://lornajane.net

If OAuth is the answer, what was the question?

OAuth

username: lornajane
password: qwerty

OAuth

Hi, I’m lornajane

Two Kinds of OAuth

• OAuth 1

  • in use on many systems

  • many steps: 'the oauth dance'

  • encryption overhead (so use a lib)

• OAuth 2

  • requires SSL

  • fewer steps

  • recognises trust

  • recommended for new systems

OAuth 2: Performance over Paranoia

OAuth2 Relationships

Before We Begin

Register for an API key and capture:

• application name

• callback URL(s) to use

• description

e.g. http://joind.in/user/apikey

OAuth2 Endpoints

Application Website: api key registration, user grant/revoke access

API: auth endpoint, resource endpoint

Client: callback URL, resources

Establishing Trust

We need an authorisation grant for the assistant to be able to access user data

Authorisation Grants

Authorisation Grant: Many Choices

How we authorise a third party:

• authorisation code

• implicit

• resource owner credentials

• client credentials

• ... potentially further extensions

Authorisation Code

Use for: server-side apps

Flow: we send the user to the application to grant access, and receive a code in return. Then we exchange the code for an access token

Features: user never sees access token

Authorisation Code Process

(diagram) client_id, redirect_url, type, scope, state

Authorisation Code Process

User must be able to visit the site and revoke later

Authorisation Code Process

(diagram) code; code, state

Authorisation Code Process

(diagram) client_key, client_secret, code; code; access token; access_token
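As an added example (not code from the talk), the authorisation code flow above carried end to end in Python, with a constructed in-memory stand-in for the provider; the endpoint and callback URLs, client id and secret are assumed values. It shows the state check on the callback, and that the code is single use and only ever worth anything together with the client secret.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoints for illustration; a real provider publishes its own.
AUTH_ENDPOINT = "https://provider.example/oauth/authorize"
CALLBACK_URL = "https://myapp.example/oauth/callback"

def build_authorisation_url(client_id, scope, state):
    """Step 1: where we send the user, carrying the parameters on the slide."""
    params = {"client_id": client_id, "redirect_uri": CALLBACK_URL,
              "response_type": "code", "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def code_from_callback(callback_url, expected_state):
    """Step 2: the provider sends the user back with code and state. A state
    that does not match the one we stored means this callback was not
    started by us, so the code is not exchanged."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on callback")
    return query["code"][0]

class FakeProvider:
    """Constructed stand-in for the authorisation server so this runs offline."""
    def __init__(self, client_id, client_secret):
        self.creds = (client_id, client_secret)
        self.codes = {}                    # code -> client_id it was issued to

    def user_grants(self, auth_url):
        """User approves; provider redirects the browser to redirect_uri."""
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_hex(8)
        self.codes[code] = q["client_id"][0]
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, client_id, client_secret, code):
        """Step 3: back channel, authenticated with the client secret; the
        code is single use, so a replayed one gets nothing."""
        if (client_id, client_secret) != self.creds:
            raise PermissionError("bad client credentials")
        if self.codes.pop(code, None) != client_id:
            raise PermissionError("unknown, used, or foreign code")
        return {"access_token": secrets.token_hex(8), "token_type": "bearer"}

def run_authorisation_code_flow(provider, client_id, client_secret, scope="read"):
    """The whole dance from the application's side; the user only ever sees the code."""
    state = secrets.token_urlsafe(16)      # per request, kept in the user's session
    callback = provider.user_grants(build_authorisation_url(client_id, scope, state))
    code = code_from_callback(callback, state)
    return provider.exchange(client_id, client_secret, code)["access_token"]
```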

Implicit Grant

Use for: client-side apps

Flow: we send the user to the application to grant access, and receive an access token in return

Features: super-simple

Implicit Process

(diagram) client_id, redirect_url, type, scope, state

Implicit Process

User must be able to visit the site and revoke later

Implicit Process

(diagram) access token; access_token, state

Resource Owner Credentials

Use for: trusted consumers, such as same-provider apps or a script the user writes themselves

Flow: the user gives their username and password to the app; the app exchanges them for an access token and does not store them

Features: saves sending user to the main site and back

Resource Owner Credentials Process

(diagram) username, password; username, password

Resource Owner Credentials Process

(diagram) access token

Client Credentials

Use for: privileged consumers

Flow: the client credentials act as the authorisation grant, and an access token is returned

Features: ideal for applications that need more than per-user data access rights

Client Credentials Process

(diagram) hai; access token

How to Choose Grant Type

What will be consuming this data?

It isn’t unusual for applications to support some or all of these grant types

You have an access token, now what?

Using Access Tokens

With the access token, include it in an Authorization header:

Authorization: OAuth db141c50adb74b22

Everything you already knew about web APIs now applies as normal

Refresh Tokens

Some applications will give you two tokens

• access token (shorter expiry)

• refresh token (longer expiry)

The refresh token is an authorisation grant in its own right, to be used when the access token has expired
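An added example, not code from the talk, that covers the resource owner credentials, client credentials and refresh token grants described above as three requests to one token endpoint. The endpoint is a constructed in-memory stand-in; the client id and secret are assumed values and the username and password from the earlier slide serve as sample user data. It also shows that a refresh token is consumed when used, so a replayed one is refused.

```python
import secrets

class FakeTokenEndpoint:
    """Constructed stand-in for the provider's token endpoint, so this runs offline."""
    def __init__(self, client_id, client_secret, users):
        self.creds = (client_id, client_secret)
        self.users = users             # username -> password, constructed sample data
        self.refresh_tokens = {}       # refresh token -> user it belongs to

    def _issue(self, owner, with_refresh):
        tokens = {"access_token": secrets.token_hex(8), "token_type": "bearer",
                  "expires_in": 3600, "owner": owner}
        if with_refresh:
            tokens["refresh_token"] = secrets.token_hex(8)
            self.refresh_tokens[tokens["refresh_token"]] = owner
        return tokens

    def post(self, form):
        """Every grant type authenticates the client first, then checks the grant itself."""
        if (form.get("client_id"), form.get("client_secret")) != self.creds:
            raise PermissionError("bad client credentials")
        grant = form.get("grant_type")
        if grant == "password":            # resource owner credentials
            user, pw = form.get("username"), form.get("password")
            if user not in self.users or self.users[user] != pw:
                raise PermissionError("bad user credentials")
            return self._issue(user, with_refresh=True)
        if grant == "client_credentials":  # no user involved at all
            return self._issue(None, with_refresh=False)
        if grant == "refresh_token":       # the refresh token is the grant
            owner = self.refresh_tokens.pop(form.get("refresh_token"), "missing")
            if owner == "missing":
                raise PermissionError("refresh token unknown or already used")
            return self._issue(owner, with_refresh=True)   # old refresh token is now dead
        raise ValueError("unsupported grant_type")

def password_grant(endpoint, client_id, client_secret, username, password):
    """App forwards the user's credentials once; it keeps the tokens, not the password."""
    return endpoint.post({"grant_type": "password", "username": username,
                          "password": password, "client_id": client_id,
                          "client_secret": client_secret})

def client_credentials_grant(endpoint, client_id, client_secret):
    return endpoint.post({"grant_type": "client_credentials",
                          "client_id": client_id, "client_secret": client_secret})

def refresh_grant(endpoint, client_id, client_secret, refresh_token):
    return endpoint.post({"grant_type": "refresh_token", "refresh_token": refresh_token,
                          "client_id": client_id, "client_secret": client_secret})
```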

What about access control?

Scope

Consumers will request a given set of permissions, usually called scope

Users usually only get to accept, or not

HTTPS (a vital OAuth2 ingredient)

HTTPS

HTTPS is HTTP over SSL/TLS (Secure Socket Layer/Transport Layer Security)

Basically, we encrypt the pipe!

OAuth 1

About OAuth 1

In a nutshell:

• Had its own encryption: needed a library/extension

• Involved many steps, therefore many request/response roundtrips

  • leading to the phrase 'oauth dance'

• Solved exactly the same problem

• Had a single oauth endpoint

OAuth 1 Process

• Step 0: Register as a consumer

• Step 1: Get a request token

• Step 2: Send the user to authenticate

• Step 3: Swap their verification for an access token

• Step 4: Consume data

OAuth Today

OAuth Today

• New project? Use OAuth 2

• OAuth 1 is complicated and needs PECL extension

• OAuth 2 requires SSL, and decision-making

Resources and Further Reading

• OAuth2 Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2

• Great introductory article: http://hueniverse.com/2010/05/introducing-oauth-2-0/

• Images from http://thenounproject.org

Thanks!

Thanks

https://joind.in/6232

@lornajane

http://lornajane.net