SlideShare ist ein Scribd-Unternehmen logo

OAuth and OEmbed

L
leahculver

Talk on OAuth and OEmbed given in December 2009 in NYC for the Gilt Group.

TechnologieDesign
1 von 50
Leah Culver Six Apart
OAuth and OEmbed Dec 2009
‣ Pownce ‣ Six Apart ‣ OAuth co-author ‣ OAuth Python library ‣ OEmbed co-author
A simple open standard for secure API authentication. http://oauth.net
The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application”
Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
Just like... ‣ Flickr Auth ‣ Google’s AuthSub ‣ Yahoo’s BBAuth ‣ Facebook Auth ‣ and others...
Who is involved?
Who is involved?
Goals Be Simple ‣ standard for website API authentication ‣ consistent for developers ‣ easy for end users to understand * * this is hard
Goals Be Secure ‣ secure for end users ‣ easy to implement security features ‣ 3rd party developers don’t have access to passwords ‣ balance security with ease of use
Goals Be Open ‣ any website can implement OAuth ‣ any 3rd party developer can use OAuth ‣ open source client libraries ‣ community-designed technical specifications
Goals Be Flexible ‣ authentication method agnostic ‣ don’t need a username and password ‣ can use OpenID ‣ 3rd party developers don’t handle auth
OAuth Setup
OAuth Setup ‣ Service provider gives documentation of endpoint URLs and signature method ‣ Consumer registers an application with the service provider and gets a consumer key/secret
OAuth Setup
OAuth Setup
OAuth Flow
1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
2. User authorizes request token
3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
Where is this information passed? ‣ HTTP Authorization header ‣ HTTP POST request body (form parameters) ‣ URL query string parameters
Timestamp and nonce oauth_timestamp ‣ seconds since Unix epoch ‣ must be greater than last request oauth_nonce ‣ “number used once” ‣ ensure unique requests
Signature methods oauth_signature_method ‣ HMAC-SHA1 ‣ RSA-SHA1 ‣ PLAINTEXT oauth_signature ‣ string constructed based on signature method
HTTP Errors 400 Bad Request ‣ unsupported parameter ‣ unsupported signature method ‣ missing required parameter ‣ duplicate OAuth parameter 401 Unauthorized ‣ invalid consumer key ‣ invalid / expired token ‣ invalid signature (signature does not match) ‣ invalid / used nonce
Security considerations ‣ PLAINTEXT needs to be encrypted ‣ Secrecy of consumer secret (desktop consumers) ‣ Phishing attacks ‣ Repeat authorizations ‣ and more...
Session fixation attack Attacker gets victim to authorize attacker’s request token. April 2009 http://oauth.net/advisories/2009-1
1.0a ‣ Consumer must specify oauth_callback during the request token phase ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ‣ oauth_verifier used when exchanging request token for access token
Current status ‣ 1.0 final (Dec 2007) ‣ 1.0a (24 June 2009) ‣ IETF draft phase ‣ 2.0 coming soon! ‣ Lots of client libraries
Questions?
OEmbed API format for converting a URL into an embed code. http://oembed.com
Who is involved?
Goals ‣ Embed content from any site ‣ Standard API for embeds ‣ Support many photo/video providers
Embed types ‣ photo ‣ video ‣ rich ‣ link (can be used if content is not embeddable)
Request params ‣ URL ‣ format (XML, JSON) ‣ maxwidth ‣ maxheight
Response params ‣ type (photo, video, rich or link)
Response params photo ‣ url (img src) ‣ width ‣ height video / rich ‣ html (embed) ‣ width ‣ height
Response params ‣ version (always 1.0) ‣ author_name ‣ author_url ‣ provider_name ‣ provider_url ‣ cache_age ‣ thumbnail_url, thumbnail_width, thumbnail height
plus any addional parameters...
YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value="http://www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src="http://www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
Discovery ‣ white-lists ‣ HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
Proposed discovery ‣ HTTP HEAD requests ‣ URL templates e.g. url.to.resource.json
Issues ‣ trust (white-lists and iFrames) ‣ discovery ‣ multiple requests (for discovery) ‣ REST-based as opposed to inline semantic markup
Current status ‣ Supported by lots of providers! ‣ Not as many consumers ‣ Need an embed code from a URL?
Questions?

Empfohlen

Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)
Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)
Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)Cikgu Nanie
 
BM tahun 3
BM tahun 3BM tahun 3
BM tahun 3Hazel Bug
 
Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)
Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)
Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)Miz Malinz
 
Pentaksiran bahasa melayu tahun 3 2016
Pentaksiran bahasa melayu tahun 3 2016Pentaksiran bahasa melayu tahun 3 2016
Pentaksiran bahasa melayu tahun 3 2016zarinamb
 
Metric Mania Worksheet
Metric Mania WorksheetMetric Mania Worksheet
Metric Mania WorksheetMrs. Henley
 
Peperiksaan akhir tahun tingkatan 1
Peperiksaan akhir tahun tingkatan 1Peperiksaan akhir tahun tingkatan 1
Peperiksaan akhir tahun tingkatan 1Wardah Shaik Abdullah
 
Peralihan exam paper
Peralihan exam paperPeralihan exam paper
Peralihan exam paperlizamaria91
 
Pksr 2 english year 3
Pksr 2 english year 3Pksr 2 english year 3
Pksr 2 english year 3Nurul Nadia Salahudin
 

Empfohlen

Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)
Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)
Set 1_Ujian 1 SAINS, SOSIAL DAN ALAM SEKITAR (PPKI)Cikgu Nanie
 
BM tahun 3
BM tahun 3BM tahun 3
BM tahun 3Hazel Bug
 
Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)
Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)
Pentaksiran Bahasa Inggeris Tingkatan 1 (Q)Miz Malinz
 
Pentaksiran bahasa melayu tahun 3 2016
Pentaksiran bahasa melayu tahun 3 2016Pentaksiran bahasa melayu tahun 3 2016
Pentaksiran bahasa melayu tahun 3 2016zarinamb
 
Metric Mania Worksheet
Metric Mania WorksheetMetric Mania Worksheet
Metric Mania WorksheetMrs. Henley
 
Peperiksaan akhir tahun tingkatan 1
Peperiksaan akhir tahun tingkatan 1Peperiksaan akhir tahun tingkatan 1
Peperiksaan akhir tahun tingkatan 1Wardah Shaik Abdullah
 
Peralihan exam paper
Peralihan exam paperPeralihan exam paper
Peralihan exam paperlizamaria91
 
Pksr 2 english year 3
Pksr 2 english year 3Pksr 2 english year 3
Pksr 2 english year 3Nurul Nadia Salahudin
 
Exam akhir tahun thn 3
Exam akhir tahun thn 3Exam akhir tahun thn 3
Exam akhir tahun thn 3Laila Mohammad Zaini
 
Pendidikan moral pksr 3
Pendidikan moral pksr 3Pendidikan moral pksr 3
Pendidikan moral pksr 3zulhelmi
 
08 都市更新常見問題-2017第1版
08 都市更新常見問題-2017第1版08 都市更新常見問題-2017第1版
08 都市更新常見問題-2017第1版財團法人都市更新研究發展基金會
 
Lihat gambar di bawah dengan teliti
Lihat gambar di bawah dengan telitiLihat gambar di bawah dengan teliti
Lihat gambar di bawah dengan telitiKuan Lian Pong
 
Kvkv
KvkvKvkv
KvkvRachael Luke
 
Tg1 Ujian 1_Mac 2017 Bahasa Melayu
Tg1 Ujian 1_Mac 2017 Bahasa MelayuTg1 Ujian 1_Mac 2017 Bahasa Melayu
Tg1 Ujian 1_Mac 2017 Bahasa Melayu慈心 Chan
 
Latihan kesalahan ejaan 2
Latihan kesalahan ejaan 2Latihan kesalahan ejaan 2
Latihan kesalahan ejaan 2kevinyok01
 
Soalan bm pertghn thn tahun 3
Soalan bm pertghn thn tahun 3Soalan bm pertghn thn tahun 3
Soalan bm pertghn thn tahun 3Basshunter Finale
 
Bank tatabahasa upsr 1 2019
Bank tatabahasa upsr 1 2019Bank tatabahasa upsr 1 2019
Bank tatabahasa upsr 1 2019Letchumi Perumal
 
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvin
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvinBm ulangkaji peperiksaan PT3 disediakan oleh kelvin
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvinKelvinSmart2
 
Bahagian A - Penulisan Tahun 5
Bahagian A - Penulisan Tahun 5Bahagian A - Penulisan Tahun 5
Bahagian A - Penulisan Tahun 5PAKLONG CIKGU
 
Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign
 
Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...ZabGU
 
Distribuciones drupal
Distribuciones drupalDistribuciones drupal
Distribuciones drupalPedro Cambra
 
oEmbed in Drupal
oEmbed in DrupaloEmbed in Drupal
oEmbed in DrupalPure Sign
 
Handling the media
Handling the mediaHandling the media
Handling the mediaTallat Satti
 
Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Pure Sign
 
Acquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth loveNicolas Blanco
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Pendidikan moral pksr 3
Pendidikan moral pksr 3Pendidikan moral pksr 3
Pendidikan moral pksr 3zulhelmi
 
Lihat gambar di bawah dengan teliti
Lihat gambar di bawah dengan telitiLihat gambar di bawah dengan teliti
Lihat gambar di bawah dengan telitiKuan Lian Pong
 
Tg1 Ujian 1_Mac 2017 Bahasa Melayu
Tg1 Ujian 1_Mac 2017 Bahasa MelayuTg1 Ujian 1_Mac 2017 Bahasa Melayu
Tg1 Ujian 1_Mac 2017 Bahasa Melayu慈心 Chan
 
Latihan kesalahan ejaan 2
Latihan kesalahan ejaan 2Latihan kesalahan ejaan 2
Latihan kesalahan ejaan 2kevinyok01
 
Soalan bm pertghn thn tahun 3
Soalan bm pertghn thn tahun 3Soalan bm pertghn thn tahun 3
Soalan bm pertghn thn tahun 3Basshunter Finale
 
Bank tatabahasa upsr 1 2019
Bank tatabahasa upsr 1 2019Bank tatabahasa upsr 1 2019
Bank tatabahasa upsr 1 2019Letchumi Perumal
 
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvin
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvinBm ulangkaji peperiksaan PT3 disediakan oleh kelvin
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvinKelvinSmart2
 
Bahagian A - Penulisan Tahun 5
Bahagian A - Penulisan Tahun 5Bahagian A - Penulisan Tahun 5
Bahagian A - Penulisan Tahun 5PAKLONG CIKGU
 

Was ist angesagt? (11)

Exam akhir tahun thn 3
Exam akhir tahun thn 3Exam akhir tahun thn 3
Exam akhir tahun thn 3
 
Pendidikan moral pksr 3
Pendidikan moral pksr 3Pendidikan moral pksr 3
Pendidikan moral pksr 3
 
08 都市更新常見問題-2017第1版
08 都市更新常見問題-2017第1版08 都市更新常見問題-2017第1版
08 都市更新常見問題-2017第1版
 
Lihat gambar di bawah dengan teliti
Lihat gambar di bawah dengan telitiLihat gambar di bawah dengan teliti
Lihat gambar di bawah dengan teliti
 
Kvkv
KvkvKvkv
Kvkv
 
Tg1 Ujian 1_Mac 2017 Bahasa Melayu
Tg1 Ujian 1_Mac 2017 Bahasa MelayuTg1 Ujian 1_Mac 2017 Bahasa Melayu
Tg1 Ujian 1_Mac 2017 Bahasa Melayu
 
Latihan kesalahan ejaan 2
Latihan kesalahan ejaan 2Latihan kesalahan ejaan 2
Latihan kesalahan ejaan 2
 
Soalan bm pertghn thn tahun 3
Soalan bm pertghn thn tahun 3Soalan bm pertghn thn tahun 3
Soalan bm pertghn thn tahun 3
 
Bank tatabahasa upsr 1 2019
Bank tatabahasa upsr 1 2019Bank tatabahasa upsr 1 2019
Bank tatabahasa upsr 1 2019
 
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvin
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvinBm ulangkaji peperiksaan PT3 disediakan oleh kelvin
Bm ulangkaji peperiksaan PT3 disediakan oleh kelvin
 
Bahagian A - Penulisan Tahun 5
Bahagian A - Penulisan Tahun 5Bahagian A - Penulisan Tahun 5
Bahagian A - Penulisan Tahun 5
 

Andere mochten auch

Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign
 
Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...ZabGU
 
Distribuciones drupal
Distribuciones drupalDistribuciones drupal
Distribuciones drupalPedro Cambra
 
oEmbed in Drupal
oEmbed in DrupaloEmbed in Drupal
oEmbed in DrupalPure Sign
 
Handling the media
Handling the mediaHandling the media
Handling the mediaTallat Satti
 
Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Pure Sign
 
Acquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia
 

Andere mochten auch (7)

Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPI
 
Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...
 
Distribuciones drupal
Distribuciones drupalDistribuciones drupal
Distribuciones drupal
 
oEmbed in Drupal
oEmbed in DrupaloEmbed in Drupal
oEmbed in Drupal
 
Handling the media
Handling the mediaHandling the media
Handling the media
 
Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)
 
Acquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public Sector
 

Ähnlich wie OAuth and OEmbed

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET CoreNETUserGroupBern
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop Apigee | Google Cloud
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsJeff Fontas
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 Leonard Moustacchis
 

Ähnlich wie OAuth and OEmbed (20)

Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Api security
Api security Api security
Api security
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

OAuth and OEmbed

  • 2. OAuth and OEmbed Dec 2009
  • 3. Pownce ‣ Six Apart ‣ OAuth co-author ‣ OAuth Python library ‣ OEmbed co-author
  • 4. A simple open standard for secure API authentication. http://oauth.net
  • 5. The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application”
  • 6. Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
  • 7. Just like... ‣ Flickr Auth ‣ Google’s AuthSub ‣ Yahoo’s BBAuth ‣ Facebook Auth ‣ and others...
  • 10. Goals Be Simple ‣ standard for website API authentication ‣ consistent for developers ‣ easy for end users to understand * * this is hard
  • 11. Goals Be Secure ‣ secure for end users ‣ easy to implement security features ‣ 3rd party developers don’t have access to passwords ‣ balance security with ease of use
  • 12. Goals Be Open ‣ any website can implement OAuth ‣ any 3rd party developer can use OAuth ‣ open source client libraries ‣ community-designed technical specifications
  • 13. Goals Be Flexible ‣ authentication method agnostic ‣ don’t need a username and password ‣ can use OpenID ‣ 3rd party developers don’t handle auth
  • 15. OAuth Setup ‣ Service provider gives documentation of endpoint URLs and signature method ‣ Consumer registers an application with the service provider and gets a consumer key/secret
  • 19. 1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
  • 20. 2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
  • 21. 2. User authorizes request token
  • 22. 3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
  • 23. 4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • 24. Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • 25. Where is this information passed? ‣ HTTP Authorization header ‣ HTTP POST request body (form parameters) ‣ URL query string parameters
  • 26. Timestamp and nonce oauth_timestamp ‣ seconds since Unix epoch ‣ must be greater than last request oauth_nonce ‣ “number used once” ‣ ensure unique requests
  • 27. Signature methods oauth_signature_method ‣ HMAC-SHA1 ‣ RSA-SHA1 ‣ PLAINTEXT oauth_signature ‣ string constructed based on signature method
  • 28. HTTP Errors 400 Bad Request ‣ unsupported parameter ‣ unsupported signature method ‣ missing required parameter ‣ duplicate OAuth parameter 401 Unauthorized ‣ invalid consumer key ‣ invalid / expired token ‣ invalid signature (signature does not match) ‣ invalid / used nonce
  • 29. Security considerations ‣ PLAINTEXT needs to be encrypted ‣ Secrecy of consumer secret (desktop consumers) ‣ Phishing attacks ‣ Repeat authorizations ‣ and more...
  • 30. Session fixation attack Attacker gets victim to authorize attacker’s request token. April 2009 http://oauth.net/advisories/2009-1
  • 31. 1.0a ‣ Consumer must specify oauth_callback during the request token phase ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ‣ oauth_verifier used when exchanging request token for access token
  • 32. Current status ‣ 1.0 final (Dec 2007) ‣ 1.0a (24 June 2009) ‣ IETF draft phase ‣ 2.0 coming soon! ‣ Lots of client libraries
  • 34. OEmbed API format for converting a URL into an embed code. http://oembed.com
  • 36. Goals ‣ Embed content from any site ‣ Standard API for embeds ‣ Support many photo/video providers
  • 37. Embed types ‣ photo ‣ video ‣ rich ‣ link (can be used if content is not embeddable)
  • 38. Request params ‣ URL ‣ format (XML, JSON) ‣ maxwidth ‣ maxheight
  • 39. Response params ‣ type (photo, video, rich or link)
  • 40. Response params photo ‣ url (img src) ‣ width ‣ height video / rich ‣ html (embed) ‣ width ‣ height
  • 41. Response params ‣ version (always 1.0) ‣ author_name ‣ author_url ‣ provider_name ‣ provider_url ‣ cache_age ‣ thumbnail_url, thumbnail_width, thumbnail height
  • 42. plus any addional parameters...
  • 43. YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
  • 44. Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value="http://www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src="http://www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
  • 45.
  • 46. Discovery ‣ white-lists ‣ HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
  • 47. Proposed discovery ‣ HTTP HEAD requests ‣ URL templates e.g. url.to.resource.json
  • 48. Issues ‣ trust (white-lists and iFrames) ‣ discovery ‣ multiple requests (for discovery) ‣ REST-based as opposed to inline semantic markup
  • 49. Current status ‣ Supported by lots of providers! ‣ Not as many consumers ‣ Need an embed code from a URL?