OAuth 1.0
An Open API Authorization Standard

@nov

September 2, 2010
@nov

• Web Developer @ Smart.fm
  • Smart.fm API (OAuth Server)
  • Integration with other APIs (OAuth Client)
• OAuth.jp
• OAuth Japan - Google Groups
• OpenID Foundation Japan WG
  • The OAuth 1.0 Protocol
The OAuth 1.0 Protocol
http://j.mp/oauth1
APIs for 3rd parties

Google
Maps, Gmail, Contacts, Calendar, YouTube, AdSense, AdWords, Analytics, Checkout, Docs, FriendConnect, Social Graph, Buzz, Wave etc.

Yahoo!
US: Mail, Contacts, Flickr, Delicious, Answers, Maps etc.
Japan: Auction, Shopping, Maps, Chiebukuro etc.

Others
Twitter, Facebook, MySpace, LinkedIn, GitHub, Evernote, Dropbox, Vimeo, Tumblr, mixi, mobage, gree
3rd-party Apps
APIs for 3rd parties enable...

• Access to "protected resources"
  • profile information
  • email, contact list
  • status update
  • payment
• Needs "Access Control"
Access Control for APIs

• Access Control
  • Authentication
  • Authorization
  • + alpha (something more)
• For APIs
  • Users won't be involved every time
Basic Authentication

• easy to use
  • just input username & password
• easy to understand
  • yes, you are logging in!
• widely supported
  • even IE6 supports it!!
But Basic Auth is not secure...
Basic Authentication terminated in Twitter API
"The migration from basic auth isn't an issue of protecting from man-in-the-middle attacks (such that SSL would prevent) but more of an issue with applications having access to Twitter usernames and passwords.

There are many people who use the same passwords across multiple sites, so the security risk of supporting basic auth does not stop at Twitter."
by Taylor Singletary from Twitter Inc.
Is your mixi password different from your Twitter one?
How about Google, Amazon or PayPal?
Use a different password on each service!
... but can you remember more than 10 passwords?
Where is my password!?

Where is my password!?
EVERYWHERE!!
Anti-password

• Google AuthSub, Yahoo! BBAuth, Flickr API Auth etc.
  • Stop sharing passwords
  • Token based
• Secure
• But not standardized
Let's make API authentication a standard
OAuth 1.0
An Open API Authorization Standard
OAuth 1.0

• Published by the community in October 2007 (Final Draft)
• RFC 5849 in April 2010
• Supported widely by big players
  • Twitter, Google, Yahoo! etc.
OAuth Scenario

• User approves a 3rd-party application's access
  • Without sharing his/her password
  • How does the API provider know about the approval?
• 3rd-party application accesses the API
  • Proves the user approval gained earlier
  • How does the 3rd party prove the user approval?
3 Roles

• User (Resource Owner)
  • You
• Consumer (Client)
  • Twitter client on your iPhone
• Service Provider (Server)
  • Twitter
3 Kinds of Tokens (credentials)

• Consumer Key & Secret (Client Credentials)
  • ID & Password of the Consumer
• Request Token & Secret (Temporary Credentials)
  • Used during the approval process
  • For session management
• Access Token & Secret (Token Credentials)
  • Represent the user approval
3 Steps

• Step 0
  • Consumer registration (out of scope)
• Step 1
  • Consumer gets User approval
• Step 2
  • Consumer accesses the protected resources on the Service Provider on behalf of the User
Step 0: Consumer Registration

• Not standardized yet
• Go to the developer site
  • Twitter => http://developer.twitter.com
  • Facebook => http://developers.facebook.com
  • Yahoo! US => http://developer.yahoo.com
  • Yahoo! Japan => http://developer.yahoo.co.jp
  • Google => search Google for "google oauth"
Step 0: Consumer Registration
http://developer.twitter.com
Step 0: Consumer Registration

• OAuth 1.0a Settings
  • Consumer Key
  • Consumer Secret
  • Request Token URL
  • Access Token URL
  • Authorize URL
  • Registered OAuth Callback URL
  • Access Level
Step 1: Get User Approval

• Step 1.0: User lets Consumer start the OAuth dance
• Step 1.1: Consumer gets an unauthorized Request Token
• Step 1.2: Consumer redirects User to Service Provider with the unauthorized Request Token
• Step 1.3: User approves Consumer access; Service Provider marks the Request Token authorized
• Step 1.4: Service Provider redirects User back to Consumer with the authorized Request Token
• Step 1.5: Consumer exchanges the authorized Request Token for an Access Token
User / Consumer / Service Provider

User -> Consumer: Dance Start!
Consumer -> Service Provider: Establish Request Token
Consumer -> User -> Service Provider: Redirect with unauthorized Request Token
User -> Service Provider: Approve Consumer access (Authorized!)
Service Provider -> User -> Consumer: Redirect with authorized Request Token
Consumer -> Service Provider: Exchange it with Access Token
Step 1.1: Get Request Token

• Consumer sends a request to Service Provider
  • POST to the Request Token URL
  • Include protocol parameters in the Authorization header
OAuth Protocol Parameters

• realm
  • The scope of access control
• oauth_consumer_key
  • Identifier of the Consumer
• oauth_signature, oauth_signature_method
  • Used for request verification
OAuth Protocol Parameters

• oauth_nonce
  • Nonce is unique in each request from the Consumer
  • Against replay attacks
• oauth_timestamp
  • Service Provider clears out nonces after a certain time period
• oauth_callback
  • The endpoint the Service Provider redirects the User back to later
Step 1.1: Get Request Token

• Service Provider responds to Consumer
  • Include Request Token in the response body
  • application/x-www-form-urlencoded
OAuth Protocol Parameters

• oauth_token, oauth_token_secret
  • Request Token, Request Token Secret
  • Used for session management during the OAuth dance
• oauth_callback_confirmed
  • Always true
  • Differentiates legacy OAuth 1.0 from OAuth 1.0a
    • There is a long history..
Step 1.2: Redirect to Service Provider

• Consumer redirects User to the Authorize URL
  • Include Request Token in the query string
Step 1.3: User Approval
Step 1.4: Redirect back to Consumer

• Service Provider redirects User back to Consumer
  • Redirect to the "oauth_callback" the Consumer specified
  • Include Request Token and verifier in the query string
OAuth Protocol Parameters

• oauth_verifier
  • Used when establishing the Access Token
  • Against session fixation attacks
    • Yeah, it's a long history..
Step 1.5: Establish Access Token

• Consumer sends a request to Service Provider
  • POST to the Access Token URL
  • Include protocol parameters in the Authorization header

Step 1.5: Establish Access Token

• Service Provider responds to Consumer
  • Include Access Token in the response body
  • application/x-www-form-urlencoded
OAuth Protocol Parameters

• oauth_token, oauth_token_secret
  • Access Token, Access Token Secret
  • Represent User approval
  • Used to prove User approval when accessing the API
  • Available until expired or revoked (in many cases)
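Step 1 of the 1.0a dance as seen from the Service Provider, as an added example that is not code from the talk: the Request Token is bound to the Consumer and its oauth_callback, the verifier is minted at approval and delivered only through that callback, and each token and verifier is accepted exactly once. The `TokenServer` class, the callback URL and the user name are assumptions; the error names come from the OAuth Errors slide, and signature verification of each request is assumed to happen before these methods are called.

```ruby
require 'securerandom'

# Service Provider side of Step 1 in OAuth 1.0a (RFC 5849):
#   1.1 issue temporary credentials bound to the Consumer and its oauth_callback
#   1.3 the User approves; the token is marked authorized and a verifier minted
#   1.4 the User is redirected only to the callback bound in 1.1
#   1.5 token + verifier are exchanged once for token credentials
# Added example; request signatures are assumed verified before each call.
class TokenServer
  Error = Class.new(StandardError)
  Temp = Struct.new(:consumer_key, :callback, :secret, :authorized, :verifier, :user)

  def initialize
    @temp = {}   # request token => Temp
    @access = {} # access token => { consumer_key:, user:, secret: }
  end

  # Step 1.1: POST to the Request Token URL. oauth_callback_confirmed=true tells
  # a 1.0a Consumer that the callback was fixed here, so nothing passed to the
  # Authorize URL later can change where the verifier is delivered.
  def request_token(consumer_key, callback)
    token = SecureRandom.hex(8)
    @temp[token] = Temp.new(consumer_key, callback, SecureRandom.hex(16), false, nil, nil)
    { 'oauth_token' => token, 'oauth_token_secret' => @temp[token].secret,
      'oauth_callback_confirmed' => 'true' }
  end

  # Steps 1.3/1.4: the logged-in User approves. The verifier travels only through
  # the bound callback, which is what defeats session fixation on the Request
  # Token; a token can be approved only once.
  def authorize(token, user)
    t = @temp[token] or raise Error, 'token_rejected'
    raise Error, 'token_used' if t.authorized
    t.authorized = true
    t.verifier = SecureRandom.hex(8)
    t.user = user
    sep = t.callback.include?('?') ? '&' : '?'
    "#{t.callback}#{sep}oauth_token=#{token}&oauth_verifier=#{t.verifier}"
  end

  # Step 1.5: POST to the Access Token URL with oauth_token and oauth_verifier.
  def access_token(consumer_key, token, verifier)
    t = @temp[token] or raise Error, 'token_rejected'
    raise Error, 'consumer_key_rejected' unless t.consumer_key == consumer_key
    raise Error, 'permission_unknown' unless t.authorized # User has not approved
    unless verifier && t.verifier == verifier
      @temp.delete(token) # a wrong verifier burns the token instead of allowing retries
      raise Error, 'verifier_invalid'
    end
    @temp.delete(token) # temporary credentials are single-use
    access = SecureRandom.hex(8)
    @access[access] = { consumer_key: consumer_key, user: t.user, secret: SecureRandom.hex(16) }
    { 'oauth_token' => access, 'oauth_token_secret' => @access[access][:secret] }
  end

  # Step 2 lookup: which User approved the Consumer holding this Access Token.
  def owner_of(access_token)
    @access.dig(access_token, :user)
  end
end

if $PROGRAM_NAME == __FILE__
  sp = TokenServer.new
  rt = sp.request_token('9djdj82h48djs9d2', 'http://consumer.example/callback') # constructed callback
  redirect = sp.authorize(rt['oauth_token'], 'nov')
  verifier = redirect[/oauth_verifier=(\h+)/, 1]
  at = sp.access_token('9djdj82h48djs9d2', rt['oauth_token'], verifier)
  puts "#{sp.owner_of(at['oauth_token'])} approved access"
end
```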
LOOK UP!
GOAL IS ALMOST THERE!!
Step 2: Access to Protected Resources

User / Consumer / Service Provider

Consumer -> Service Provider: API Access
Consumer -> Service Provider: API Access
Consumer -> Service Provider: API Access
User: Revoke (or Access Token expired)
Consumer -> Service Provider: API Access  x (rejected)
Step 2: Access to Protected Resources

• Ex.) Twitter Status Update
  • POST /statuses/update
    • status="Sorry Matz, I'm at OAuth Night tonight :p"
    • lat=35.611953
    • long=139.709272
Step 2: Access to Protected Resources

401 Unauthorized
OAuth Errors

• version_rejected
• parameter_absent
• parameter_rejected
• timestamp_refused
• nonce_used
• signature_method_rejected
• signature_invalid
• consumer_key_unknown
• consumer_key_rejected
• consumer_key_refused
• token_used
• token_expired
• token_revoked
• token_rejected
• verifier_invalid
• additional_authorization_required
• permission_unknown
• permission_denied
• user_refused
OAuth Signature

• Signature method
  • PLAINTEXT
    • No signing
    • Use SSL/TLS instead
  • HMAC-SHA1
    • Use Consumer Secret & Access Token Secret
  • RSA-SHA1
    • Use Consumer's RSA key pair
OAuth Signature

• Signature Base String
  • HTTP method (GET/POST/PUT/DELETE)
  • Endpoint (http://server.example.com/user/nov)
  • Parameters
    • Protocol parameters (oauth_*)
    • All other query/body parameters (only x-www-form-urlencoded)
    • Sorted by key
  • "Custom" percent encoding - tricky & buggy
OAuth Signature

Signature Base String
POST&http%3A%2F%2Fapi.twitter.com%2Fstatuses%2Fupdate&lat%3D35.611953%26long%3D139.709272%26message%3DSorry%2520Matz%252C%2520I%2527m%2520at%2520OAuth%2520Night%2520tonight%2520%253Ap%26oauth_consumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26realm%3Dapi.twitter.com

HMAC-SHA1 (Consumer Secret + Access Token Secret)

Signature
1y4jjlXD7DC974H9cJVlXORwzt0%3D
Signature Verification

• Consumer signs the request
• Service Provider re-generates the signature from the request and compares it with "oauth_signature"
• If they match, it's OK
• If not, 401 signature_invalid
  • Has the request been tampered with?
  • A Consumer/Service Provider bug?
  • Debugging on the Consumer side is painful...
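The signing described on the Signature slides and the verification, nonce and timestamp checks from the Signature Verification and protocol-parameter slides, as an added example that is not code from the talk. It follows RFC 5849, which leaves `realm` and `oauth_signature` out of the normalized parameters; the consumer key, nonce, timestamp and status-update values are the ones on the slides, while the token, both secrets, the 300-second window and the `OAuth1`/`ServiceProvider` names are constructed assumptions.

```ruby
require 'openssl'
require 'uri'

# OAuth 1.0 HMAC-SHA1 signing (Consumer side) and verification (Service
# Provider side) per RFC 5849. Added example, not code from the talk.
module OAuth1
  # Only ALPHA / DIGIT / "-" / "." / "_" / "~" stay unencoded.
  UNRESERVED = [*'A'..'Z', *'a'..'z', *'0'..'9', '-', '.', '_', '~'].map(&:ord).freeze
  # The "custom" percent-encoding (RFC 5849 3.6): every other UTF-8 byte becomes
  # %XX, upper-case hex; stock encoders ('+' for space, escaped '~') break signatures.
  def self.encode(str)
    str.to_s.encode('UTF-8').bytes.map { |b|
      UNRESERVED.include?(b) ? b.chr : format('%%%02X', b)
    }.join
  end
  # Normalized parameters (3.4.1.3.2): encode name and value, sort by name then
  # value, join as name=value with '&'. realm and oauth_signature never take part.
  def self.normalize(params)
    params.reject { |k, _| %w[realm oauth_signature].include?(k.to_s) }
          .map { |k, v| [encode(k), encode(v)] }
          .sort
          .map { |k, v| "#{k}=#{v}" }
          .join('&')
  end
  # Base string URI (3.4.1.2): lower-case scheme and host, default port and query
  # string dropped (query parameters are already in the normalized list).
  def self.base_uri(url)
    u = URI.parse(url)
    port = u.port == u.default_port ? '' : ":#{u.port}"
    "#{u.scheme.downcase}://#{u.host.downcase}#{port}#{u.path}"
  end
  # Signature base string: METHOD & enc(base URI) & enc(normalized parameters).
  def self.base_string(method, url, params)
    [method.to_s.upcase, base_uri(url), normalize(params)].map { |s| encode(s) }.join('&')
  end
  # Key is enc(consumer secret) & enc(token secret), the latter empty in step 1.1.
  # The Base64 result is percent-encoded again in the header (the slide's trailing %3D).
  def self.sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))].pack('m0')
  end
end

# Service Provider side: re-generate the signature and compare, plus the
# timestamp and nonce checks that make a captured request useless for replay.
class ServiceProvider
  Error = Class.new(StandardError)
  WINDOW = 300 # seconds of clock skew tolerated (constructed policy value)

  def initialize(consumers, tokens)
    @consumers = consumers # consumer key => consumer secret
    @tokens = tokens       # access token => token secret
    @nonces = {}           # [consumer key, timestamp, nonce] => true
  end

  # params: decoded Authorization header parameters plus query/body parameters.
  def verify!(method, url, params, now: Time.now.to_i)
    secret = @consumers[params['oauth_consumer_key']] or raise Error, 'consumer_key_unknown'
    token_secret = @tokens[params['oauth_token']] or raise Error, 'token_rejected'
    raise Error, 'signature_method_rejected' unless params['oauth_signature_method'] == 'HMAC-SHA1'
    ts = params['oauth_timestamp'].to_i
    raise Error, 'timestamp_refused' if (now - ts).abs > WINDOW
    @nonces.delete_if { |(_, t, _), _| now - t > WINDOW } # clear out nonces past the window
    nonce_key = [params['oauth_consumer_key'], ts, params['oauth_nonce']]
    raise Error, 'nonce_used' if @nonces.key?(nonce_key)
    expected = OAuth1.sign(method, url, params, secret, token_secret)
    raise Error, 'signature_invalid' unless secure_equal?(expected, params['oauth_signature'].to_s)
    @nonces[nonce_key] = true # record the nonce only once the request proved genuine
    true
  end
  private
  # Length check then XOR fold, so a mismatch does not leak where it happened.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed request from the slides' status-update values; token and secrets are made up.
REQUEST_URL = 'http://api.twitter.com/statuses/update'
PARAMS = { 'status' => "Sorry Matz, I'm at OAuth Night tonight :p",
           'lat' => '35.611953', 'long' => '139.709272',
           'oauth_consumer_key' => '9djdj82h48djs9d2', 'oauth_nonce' => '7d8f3e4a',
           'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '137131201',
           'oauth_token' => 'kkk9d7dh3k39sjv7' }.freeze
CONSUMER_SECRET, TOKEN_SECRET = 'j49sk3j29djd', 'dh893hdasih9'
def signed_params
  PARAMS.merge('oauth_signature' => OAuth1.sign('POST', REQUEST_URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
end
# Sign once, verify, then replay the identical request: returns [true, "nonce_used"].
def demo
  sp = ServiceProvider.new({ '9djdj82h48djs9d2' => CONSUMER_SECRET }, { 'kkk9d7dh3k39sjv7' => TOKEN_SECRET })
  first = sp.verify!('POST', REQUEST_URL, signed_params, now: 137131201)
  [first, (sp.verify!('POST', REQUEST_URL, signed_params, now: 137131201) rescue $!.message)]
end
```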
Ask Service Provider!!
When you get a 401

• Check the error response body
• Ask others
  • OAuth - Google Groups
  • OAuth Japan - Google Groups
  • Twitter Development Talk - Google Groups
  • Facebook Developers Forum
Road to OAuth 2.0
OAuth 1.0 Known Issues

• UX for non-web applications
  • No-browser environments (desktop apps)
  • iPhone/Android apps? > @pofee
• Secret disclosure
  • JS clients/open-source apps can't keep the Consumer Secret secret
• Complexity of Signature
  • Use a library!
• Scalability
OAuth 2.0 is solving those issues > @ritou
Questions?

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂşjo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

KĂźrzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

OAuth 1.0

  • 1. OAuth 1.0 An Open API Authorization Standard @nov 2010 9 2
  • 2. @nov • Web Developer @ Smart.fm • Smart.fm API (OAuth Server) • Integration with other APIs (OAuth Client) • OAuth.jp • OAuth Japan - Google Groups • OpenID Foundation Japan WG • The OAuth 1.0 Protocol
  • 3. The OAuth 1.0 Protocol http://j.mp/oauth1
  • 4. APIs for 3rd party Google: Maps, Gmail, Contacts, Calendar, YouTube, AdSense, AdWords, Analytics, Checkout, Docs, FriendConnect, Social Graph, Buzz, Wave etc. Yahoo! US: Mail, Contacts, Flickr, Delicious, Answers, Maps etc. Yahoo! Japan: Auction, Shopping, Maps, Chiebukuro etc. Others: Twitter, Facebook, MySpace, LinkedIn, GitHub, Evernote, Dropbox, Vimeo, Tumblr, mixi, mobage, gree
  • 6. APIs for 3rd-party enable.. • Access to "protected resources" • profile information • email, contact list • status update • payment • Needs "Access Control"
  • 7. Access Control for APIs • Access Control • Authentication • Authorization • + alpha • For APIs • The User is not present for every request
  • 8. Basic Authentication • easy to use • just input username & password • easy to understand • yes, you are logging in! • widely supported • even IE6 supports it!!
  • 9. But Basic Auth is not secure...
  • 10. Basic Authentication has been terminated in the Twitter API
  • 11. The migration from basic auth isn't an issue of protecting from man-in-the-middle attacks (such that SSL would prevent) but more of an issue with applications having access to Twitter usernames and passwords. There are many people who use the same passwords across multiple sites, so the security risk of supporting basic auth does not stop at Twitter. by Taylor Singletary from Twitter Inc.
  • 12. Is your mixi password different from your Twitter one? How about Google, Amazon or PayPal?
  • 13. Use a different password on each service! ... but can you remember more than 10 passwords?
  • 15. Where is my password!?
  • 16. Where is my password!? EVERYWHERE!!
  • 17. Anti-password • Google AuthSub, Yahoo! BBAuth, Flickr API Auth etc. • Stop sharing passwords • Token based • Secure • But not standardized
  • 18. Let's make a standard for API authentication
  • 19. OAuth 1.0 An Open API Authorization Standard
  • 20. OAuth 1.0 • Published by the community in October 2007 (Final Draft) • RFC5849 in April 2010 • Widely supported by the big players • Twitter, Google, Yahoo! etc.
  • 21. OAuth Scenario • User approves a 3rd party application's access • Without sharing his/her password • How does the API provider know about the approval? • 3rd party application accesses the API • Proving the previously gained user approval • How does the 3rd party prove user approval?
  • 22. 3 Roles • User (Resource Owner) • You • Consumer (Client) • Twitter client on your iPhone • Service Provider (Server) • Twitter
  • 23. 3 Kinds of Tokens (credentials) • Consumer Key & Secret (Client Credentials) • ID & password of the Consumer • Request Token & Secret (Temporary Credentials) • Used during the approval process • For session management • Access Token & Secret (Token Credentials) • Represent the user's approval
  • 24. 3 Steps • Step 0 • Consumer registration (out of scope) • Step 1 • Consumer gets User approval • Step 2 • Consumer accesses the protected resources on the Service Provider on behalf of the User
  • 25. Step 0: Consumer Registration • Not standardized yet • Go to the developer site • Twitter => http://developer.twitter.com • Facebook => http://developers.facebook.com • Yahoo! US => http://developer.yahoo.com • Yahoo! Japan => http://developer.yahoo.co.jp • Google => search for "google oauth"
  • 26. Step 0: Consumer Registration http://developer.twitter.com
  • 27. Step 0: Consumer Registration • OAuth 1.0a Settings • Consumer Key • Consumer Secret • Request Token URL • Access Token URL • Authorize URL • Registered OAuth Callback URL • Access Level
  • 28. Step 1: Get User Approval • Step 1.0: User lets Consumer start the OAuth dance • Step 1.1: Consumer gets an unauthorized Request Token • Step 1.2: Consumer redirects User to Service Provider with the unauthorized Request Token • Step 1.3: User approves Consumer access, Service Provider marks the Request Token authorized • Step 1.4: Service Provider redirects User back to Consumer with the authorized Request Token • Step 1.5: Consumer exchanges the authorized Request Token for an Access Token
  • 29. Sequence diagram (User / Consumer / Service Provider): Dance Start! → Establish Request Token → Redirect with unauthorized Request Token → Approve Consumer access → Authorized! → Redirect with authorized Request Token → Exchange it for an Access Token. (The same diagram is repeated on slides 30, 36, 38, 40, 43 and 47 before each step.)
  • 31. Step 1.1: Get Request Token • Consumer sends a request to the Service Provider • POST to the Request Token URL • Include protocol parameters in the Authorization header
  • 32. OAuth Protocol Parameters • realm • The scope of access control • oauth_consumer_key • Identifier of the Consumer • oauth_signature, oauth_signature_method • Used for request verification
  • 33. OAuth Protocol Parameters • oauth_nonce • Unique in each request from the Consumer • Against replay attacks • oauth_timestamp • Lets the Service Provider clear out old nonces after a certain time period • oauth_callback • The endpoint where the Service Provider redirects the User back later
  • 34. Step 1.1: Get Request Token • Service Provider responds to the Consumer • Include the Request Token in the response body • application/x-www-form-urlencoded
  • 35. OAuth Protocol Parameters • oauth_token, oauth_token_secret • Request Token, Request Token Secret • Used for session management during the OAuth dance • oauth_callback_confirmed • Always true • Differentiates legacy OAuth 1.0 from OAuth 1.0a • There is a long history..
  • 37. Step 1.2: Redirect to Service Provider • Consumer redirects the User to the Authorize URL • Include the Request Token in the query string
  • 39. Step 1.3: User Approval
  • 41. Step 1.4: Redirect back to Consumer • Service Provider redirects the User back to the Consumer • Redirect to the "oauth_callback" the Consumer specified • Include the Request Token and verifier in the query string
  • 42. OAuth Protocol Parameters • oauth_verifier • Used when establishing the Access Token • Against session fixation attacks • Yeah, it's a long history..
  • 44. Step 1.5: Establish Access Token • Consumer sends a request to the Service Provider • POST to the Access Token URL • Include protocol parameters (including oauth_token and oauth_verifier) in the Authorization header
  • 45. Step 1.5: Establish Access Token • Service Provider responds to the Consumer • Include the Access Token in the response body • application/x-www-form-urlencoded
  • 46. OAuth Protocol Parameters • oauth_token, oauth_token_secret • Access Token, Access Token Secret • Represent the User's approval • Used to prove User approval when accessing the API • Valid until expired or revoked (in many cases)
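The state a Service Provider has to keep across steps 1.1 to 1.5, written out as an added Python example (this is not code from the slides or from any provider listed above; the consumer key, callback URL and user names are constructed, and request signatures are assumed to be checked by a separate layer). It ties together the three credentials: the callback is bound to the one registered in Step 0, a Request Token is approved once and exchanged once, and the exchange demands the oauth_verifier that only travelled through the approving user's browser, which is what stops the session-fixation attack slide 42 alludes to.

```python
"""Server-side token state for the OAuth 1.0a dance (RFC 5849 section 2). Added example."""
import base64
import os
from hmac import compare_digest
from urllib.parse import parse_qs, urlencode, urlsplit


def fresh(nbytes):
    """Unguessable token material (URL-safe base64 without padding)."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).rstrip(b"=").decode("ascii")


class OAuthProblem(Exception):
    """Carries one oauth_problem code (the vocabulary listed on slide 55)."""


class ServiceProvider:
    def __init__(self, consumers):
        self.consumers = consumers   # consumer_key -> callback URL registered in Step 0 (slide 27)
        self.request_tokens = {}     # request token -> state of the Temporary Credentials
        self.access_tokens = {}      # access token -> {"secret", "consumer_key", "user"}

    def issue_request_token(self, consumer_key, oauth_callback):
        """Step 1.1: POST to the Request Token URL."""
        if consumer_key not in self.consumers:
            raise OAuthProblem("consumer_key_unknown")
        # 1.0a: the callback must match the registered one, so a leaked request token
        # cannot be redirected to an attacker-controlled endpoint. "oob" = no callback.
        if oauth_callback != "oob" and oauth_callback != self.consumers[consumer_key]:
            raise OAuthProblem("parameter_rejected")
        token, secret = fresh(16), fresh(24)
        self.request_tokens[token] = {"secret": secret, "consumer_key": consumer_key,
                                      "callback": oauth_callback, "user": None, "verifier": None}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        """Steps 1.3 and 1.4: the user approves at the Authorize URL. Returns the redirect
        target carrying oauth_verifier (or the bare verifier for an 'oob' client)."""
        st = self.request_tokens.get(token)
        if st is None:
            raise OAuthProblem("token_rejected")
        if st["user"] is not None:
            raise OAuthProblem("token_used")      # a request token is approved exactly once
        st["user"], st["verifier"] = user, fresh(8)
        if st["callback"] == "oob":
            return st["verifier"]
        return f"{st['callback']}?{urlencode({'oauth_token': token, 'oauth_verifier': st['verifier']})}"

    def exchange(self, consumer_key, token, verifier):
        """Step 1.5: POST to the Access Token URL with oauth_token and oauth_verifier."""
        st = self.request_tokens.get(token)
        if st is None or st["consumer_key"] != consumer_key:
            raise OAuthProblem("token_rejected")
        if st["user"] is None:
            raise OAuthProblem("permission_unknown")
        # Only the browser that completed the approval saw the verifier, so presenting it
        # proves the exchange is finishing *that* user's dance (slide 42).
        if not verifier or not compare_digest(verifier.encode(), st["verifier"].encode()):
            raise OAuthProblem("verifier_invalid")
        del self.request_tokens[token]            # temporary credentials are single use
        access, secret = fresh(16), fresh(24)
        self.access_tokens[access] = {"secret": secret, "consumer_key": consumer_key, "user": st["user"]}
        return {"oauth_token": access, "oauth_token_secret": secret}

    def resource_owner(self, consumer_key, access_token):
        """Step 2: map an Access Token back to the user who approved it."""
        at = self.access_tokens.get(access_token)
        if at is None or at["consumer_key"] != consumer_key:
            raise OAuthProblem("token_rejected")
        return at["user"]

    def revoke(self, access_token):
        self.access_tokens.pop(access_token, None)


def demo():
    """An honest dance, then a session-fixation attempt and a replay of a consumed request token."""
    ck, cb = "9djdj82h48djs9d2", "https://client.example/oauth/callback"   # constructed
    sp = ServiceProvider({ck: cb})
    rt = sp.issue_request_token(ck, cb)
    redirect = sp.authorize(rt["oauth_token"], user="nov")
    verifier = parse_qs(urlsplit(redirect).query)["oauth_verifier"][0]     # delivered by the browser
    at = sp.exchange(ck, rt["oauth_token"], verifier)
    owner = sp.resource_owner(ck, at["oauth_token"])

    def attempt(*args):
        try:
            sp.exchange(*args)
            return "access token issued"
        except OAuthProblem as e:
            return str(e)

    # Attacker starts a dance, lures the victim into approving *that* request token and then
    # tries to finish it without the verifier that went to the victim's browser.
    evil = sp.issue_request_token(ck, cb)
    sp.authorize(evil["oauth_token"], user="victim")
    fixation = attempt(ck, evil["oauth_token"], "")
    guessed = attempt(ck, evil["oauth_token"], "not-the-verifier")
    reuse = attempt(ck, rt["oauth_token"], verifier)                        # already consumed
    sp.revoke(at["oauth_token"])
    try:
        sp.resource_owner(ck, at["oauth_token"])
        revoked = "still valid"
    except OAuthProblem as e:
        revoked = str(e)
    return owner, fixation, guessed, reuse, revoked
```

The Consumer has its own half of this defence: it must remember which browser session started the dance and accept the callback only for that session's Request Token; the verifier check on the server does not replace that.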
  • 48. LOOK UP! GOAL IS ALMOST THERE!!
  • 49. Step 2: Access to Protected Resources. Sequence diagram (User / Consumer / Service Provider): API Access, API Access, API Access, ... Revoke or Expired → further API Access is rejected (x)
  • 50. Step 2: Access to Protected Resources • Ex.) Twitter Status Update • POST /statuses/update • status="Sorry Matz, I'm at OAuth Night tonight :p" • lat=35.611953 • long=139.709272
  • 51. Step 2: Access to Protected Resources
  • 54. 401 Unauthorized
  • 55. OAuth Errors (oauth_problem codes from the OAuth Problem Reporting extension) • version_rejected • parameter_absent • parameter_rejected • timestamp_refused • nonce_used • signature_method_rejected • signature_invalid • consumer_key_unknown • consumer_key_rejected • consumer_key_refused • token_used • token_expired • token_revoked • token_rejected • verifier_invalid • additional_authorization_required • permission_unknown • permission_denied • user_refused
  • 56. OAuth Signature • Signature method • PLAINTEXT • No cryptographic signing (the secrets themselves are sent) • Use SSL/TLS instead • HMAC-SHA1 • Key is Consumer Secret & Token Secret (the Access Token Secret when calling the API) • RSA-SHA1 • Use the Consumer's RSA key pair
  • 57. OAuth Signature • Signature Base String • HTTP method (GET/POST/PUT/DELETE) • Endpoint (http://server.example.com/user/nov) • Parameters • Protocol parameters (oauth_*, except oauth_signature itself; realm is excluded too) • All other query/body parameters (body only when x-www-form-urlencoded) • Sorted by key, then value • "Custom" percent encoding - tricky & buggy
  • 63. OAuth Signature Signature Base String POST&http%3A%2F%2Fapi.twitter.com%2Fstatuses%2Fupdate&lat%3D35.611953%26long%3D139.709272%26message%3DSorry%2520Matz%252C%2520I%2527m%2520at%2520OAuth%2520Night%2520tonight%2520%253Ap%26oauth_consumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26realm%3Dapi.twitter.com HMAC-SHA1 key: Consumer Secret + Access Token Secret Signature 1y4jjlXD7DC974H9cJVlXORwzt0%3D (Note: RFC 5849 §3.4.1.3.1 excludes realm from the base string, and a signed API call would also carry oauth_token; the slide's string is illustrative.)
  • 64. Signature Verification • Consumer signs the request • Service Provider re-generates the signature from the request it received and compares it with "oauth_signature" • If they match, it's OK • If not, 401 signature_invalid • Was the request tampered with? • Consumer/Service Provider bug? • Debugging on the Consumer side is painful...
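Signing and verification for the HMAC-SHA1 method, as an added Python example (not code from the slides; the secrets, token, nonce and server clock are constructed, only the consumer key and the slide-50 request body are taken from the deck). It applies the RFC 5849 base-string rules the slides gloss over (realm and oauth_signature excluded, URL query parameters collected, default ports dropped, encode first and then sort) and a server-side check that recomputes the signature in constant time and only then enforces the nonce and timestamp, so unsigned junk cannot burn nonces.

```python
"""OAuth 1.0 HMAC-SHA1 signing (client) and verification with replay protection (server).
Added example following RFC 5849 sections 3.3, 3.4 and 3.6 on constructed data."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Constructed sample credentials. Only the consumer key is the one shown on the slide.
CONSUMER_KEY = "9djdj82h48djs9d2"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN = "constructed-access-token"
TOKEN_SECRET = "constructed-token-secret"


def pct(value):
    """Section 3.6 percent encoding: everything but ALPHA / DIGIT / '-' '.' '_' '~' becomes
    upper-case %XX over the UTF-8 bytes. Note that quote()'s default would leave '/' alone."""
    return quote(str(value).encode("utf-8"), safe="-._~")


def base_string_uri(url):
    """Section 3.4.1.2: lower-case scheme and host, drop default ports, drop query and fragment.
    Absolute URLs are assumed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """Section 3.4.1: METHOD & pct(base URI) & pct(normalized parameters). `params` holds the
    oauth_* parameters plus the x-www-form-urlencoded body; URL query parameters are collected
    here. `realm` and `oauth_signature` are never part of the base string."""
    collected = [(k, v) for k, v in params if k not in ("realm", "oauth_signature")]
    collected += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # 3.4.1.3.2: encode name and value, then sort by encoded name and, on ties, encoded value.
    pairs = sorted((pct(k), pct(v)) for k, v in collected)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """Section 3.4.2: key = pct(consumer secret) & pct(token secret). The token secret is empty
    when requesting a Request Token (slide 31) and is the Request Token Secret in step 1.5."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, body, nonce, timestamp):
    """Client side: the oauth_* parameters that go into the Authorization header, signed."""
    oauth = [("oauth_consumer_key", CONSUMER_KEY), ("oauth_token", TOKEN),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(timestamp)),
             ("oauth_nonce", nonce), ("oauth_version", "1.0")]
    signature = hmac_sha1(signature_base_string(method, url, oauth + body), CONSUMER_SECRET, TOKEN_SECRET)
    return oauth + [("oauth_signature", signature)]


class ServiceProvider:
    """Server side. `consumers` and `tokens` map identifiers to secrets; `seen` is the nonce
    store that oauth_timestamp lets us prune (slide 33)."""
    WINDOW = 300  # seconds of clock skew tolerated, and how long a nonce must be remembered

    def __init__(self, consumers, tokens):
        self.consumers, self.tokens, self.seen = consumers, tokens, {}

    def verify(self, method, url, params, now):
        """Returns None when the request is accepted, else an oauth_problem code from slide 55."""
        p = dict(params)
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return "signature_method_rejected"
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        if consumer_secret is None:
            return "consumer_key_unknown"
        token_secret = self.tokens.get(p.get("oauth_token"))
        if token_secret is None:
            return "token_rejected"
        # Recompute over what was actually received (slide 64) and compare in constant time.
        expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return "signature_invalid"
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return "parameter_absent"
        if abs(now - ts) > self.WINDOW:
            return "timestamp_refused"
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.WINDOW}  # prune old nonces
        key = (p["oauth_consumer_key"], p["oauth_token"], p.get("oauth_nonce", ""))
        if key in self.seen:
            return "nonce_used"
        self.seen[key] = ts
        return None


def demo():
    """Sign the slide-50 status update, then verify it, replay it, tamper with it and back-date it."""
    sp = ServiceProvider({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET})
    now = 1283400000  # constructed server clock, epoch seconds
    url = "https://api.twitter.com/1/statuses/update.json"
    body = [("status", "Sorry Matz, I'm at OAuth Night tonight :p"), ("lat", "35.611953"), ("long", "139.709272")]
    oauth = sign_request("POST", url, body, nonce="7d8f3e4a", timestamp=now)
    accepted = sp.verify("POST", url, oauth + body, now)
    replayed = sp.verify("POST", url, oauth + body, now + 5)                          # same nonce again
    tampered = sp.verify("POST", url, oauth + [("status", "I love Basic Auth")] + body[1:], now)
    stale = sign_request("POST", url, body, nonce="c0ffee", timestamp=now - 3600)
    backdated = sp.verify("POST", url, stale + body, now)
    return accepted, replayed, tampered, backdated


if __name__ == "__main__":
    print(demo())  # (None, 'nonce_used', 'signature_invalid', 'timestamp_refused')
```

The nonce store is keyed on (consumer key, token, nonce), which is stricter than the RFC's "unique per timestamp" minimum and keeps the check independent of clock skew inside the window; in production the store has to be shared across API nodes, which is the "Scalability" item on slide 68.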
  • 66. When you get a 401 • Check the error response body • Ask others • OAuth - Google Groups • OAuth Japan - Google Groups • Twitter Development Talk - Google Groups • Facebook Developers Forum
  • 67. Road to OAuth 2.0
  • 68. OAuth 1.0 Known Issues • UX for non-web applications • No-browser environments (desktop apps) • iPhone/Android apps? > @pofee • Secret disclosure • JS clients/open-source apps can't keep the Consumer Secret secret • Complexity of the signature • Use a library! • Scalability
  • 69. OAuth 2.0 is solving those issues > @ritou