Authorization with OAuth
          Rob Richards
        October 22, 2009
          cdatazone.org
   http://xri.net/=rob.richards
Authentication

• HTTP Authentication
  • Basic
  • Digest
  • TLS/SSL
• WS-Security
• Developer Keys
• 3rd Party Authentication
  • Yahoo BBAuth
  • AOL OpenAuth
OAuth

An Open Protocol to allow Secure API Authorization

OAuth is not OpenID
OpenID answers "who is this user?"; OAuth lets a user grant an application limited access to their data on another site without handing over their password.
Data Authorization

Plaxo

OAuth is like a Valet Key

OAuth is like a Hotel Keycard
(Diagram: a hotel floor with rooms 101 to 108)

Master Key
Guest Key: Granting Access
Guest Key: Revoking Access
Master Key Maintains Full Access
OAuth Clients

OAuth and Netflix
developer.netflix.com

Netflix API
Netflix API: User Resources
Netflix Applications ... and many more

Obtaining a Consumer Key / Secret

3-Legged OAuth
“The OAuth Dance”
Step 1: Obtaining a Request Token

http://api.netflix.com/oauth/request_token

Signed Request  ->  Request Token & Secret

Step 1: Obtaining a Request Token

http://api.netflix.com/oauth/request_token?
oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback
&oauth_consumer_key=1234567890123456789012345
&oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e
&oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255631744
&oauth_version=1.0
Calculating The Signature

Calculate Base String
<HTTP method>&<base string URI>&<normalized parameters>
(each of the three parts is percent-encoded; the base string URI is scheme://host/path with scheme and host lowercased, the default port dropped and no query string)

GET&http%3A%2F%2Fapi.netflix.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Fwww.example.com%252Fcallback%26oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255631744%26oauth_version%3D1.0
Calculating The Signature

• Parameters are collected, percent-encoded, sorted and concatenated into a normalized string
  • Parameters in the OAuth HTTP Authorization header, excluding the realm parameter
  • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded)
  • HTTP GET parameters in the query part of the URL (as defined by [RFC3986] section 3)
• The oauth_signature parameter MUST be excluded
• Parameters are sorted by encoded name, using lexicographical byte value ordering; two parameters with the same name are ordered by value
• Each name=value pair is joined with &, and the whole normalized string is percent-encoded once more when it is placed into the base string (which is why the callback URL above appears as http%253A%252F%252F...)
Calculating The Signature (Authorization Header)

GET /oauth/request_token HTTP/1.1
User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10)
Host: api.netflix.com
Accept: */*
Authorization: OAuth oauth_callback="http%3A%2F%2Fwww.example.com%2Fcallback",
 oauth_consumer_key="1234567890123456789012345",
 oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e",
 oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D",
 oauth_signature_method="HMAC-SHA1",
 oauth_timestamp="1255631744", oauth_version="1.0"
Calculating The Signature

Create Secret (the HMAC key)
<percent-encoded consumer secret>&<percent-encoded token secret>
1234567890123456789012345&
(no token yet, so the token secret is empty and the key ends in &; the consumer secret is shown here with the same digits as the consumer key for illustration, and it never travels in the request, only the signature does)

Sign Base String using the algorithm specified in oauth_signature_method
HMAC-SHA1(key = 1234567890123456789012345&, message = <Base String>)

Base64 encode then URL encode result:
oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
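The signing procedure from the slides above, as an added worked example that is not code from the talk or from Netflix: percent-encoding, the base string URI, parameter normalization (header, body and query string, oauth_signature dropped), the `consumer secret & token secret` key, HMAC-SHA1, the Authorization header, and the provider-side check that recomputes the signature in constant time and rejects unknown tokens, stale timestamps and replayed nonces. The same helpers serve Step 3 (pass `token`, `token_secret` and `oauth_verifier`), resource requests and 2-legged calls (no token, so the key ends in `&`). The consumer secret `consumer-secret`, the `ServiceProvider` class and its 300-second timestamp window are assumptions for illustration; the consumer key, URLs, nonce and timestamp are the slide's own values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value) -> str:
    """RFC 3986 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(value), safe="")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def collect_params(url, header_params=(), body_params=()):
    """Everything the spec signs: Authorization header (minus realm), form body, query string."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in header_params if k != "realm"] + list(body_params) + query


def normalize_params(params) -> str:
    """Encode names and values, sort by encoded name then value, join as k=v&k=v.
    oauth_signature is excluded; duplicate names are kept and ordered by value."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params) -> str:
    """<METHOD>&<encoded base string URI>&<encoded normalized params>; the second encoding pass is what turns http%3A into http%253A."""
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Encoded consumer secret, '&', encoded token secret. No token yet: the key ends in '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_signature(base: str, key: str) -> str:
    digest = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 extra=(), nonce=None, timestamp=None):
    """Consumer side: oauth_* parameters plus the Authorization header value; `extra` holds oauth_callback (Step 1) or oauth_verifier (Step 3)."""
    oauth = [("oauth_consumer_key", consumer_key),
             ("oauth_nonce", nonce or secrets.token_hex(20)),
             ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", str(int(time.time()) if timestamp is None else timestamp)),
             ("oauth_version", "1.0")] + list(extra)
    if token:
        oauth.append(("oauth_token", token))
    base = signature_base_string(method, url, collect_params(url, oauth))
    oauth.append(("oauth_signature", hmac_sha1_signature(base, signing_key(consumer_secret, token_secret))))
    return oauth, "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth)


def parse_authorization_header(value: str):
    """Provider side: 'OAuth k="v", k2="v2"' back into decoded (name, value) pairs."""
    pairs = []
    for part in value[len("OAuth "):].split(","):
        name, _, val = part.strip().partition("=")
        pairs.append((unquote(name), unquote(val.strip('"'))))
    return pairs


class ServiceProvider:
    """Assumed provider-side check: known consumer and token, fresh timestamp, unseen nonce, constant-time signature comparison."""
    def __init__(self, consumer_secrets, token_secrets, window=300, now=time.time):
        self.consumer_secrets, self.token_secrets = consumer_secrets, token_secrets
        self.window, self.now, self.seen = window, now, set()

    def verify(self, method, url, params) -> bool:
        p = dict(params)
        consumer_secret = self.consumer_secrets.get(p.get("oauth_consumer_key"))
        if consumer_secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        token_secret = self.token_secrets.get(p["oauth_token"]) if "oauth_token" in p else ""
        if token_secret is None:  # unknown or revoked token
            return False
        ts = p.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(self.now() - int(ts)) > self.window:
            return False
        replay_key = (p["oauth_consumer_key"], p.get("oauth_token", ""), ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       signing_key(consumer_secret, token_secret))
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False
        self.seen.add(replay_key)  # remember only requests that were accepted
        return True
```

With the slide's Step 1 parameters, `signature_base_string` reproduces the slide's base string byte for byte whether the parameters arrive in the Authorization header or in the query string. The slide's signature values themselves cannot be reproduced, because they depend on the real consumer secret, which is exactly the point: anyone who can read the request can recompute the base string, but only the holder of the secret can produce or check the HMAC.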
Step 1: Obtaining a Request Token (Response)

oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_token_secret=EZ2mBk6rC2vZ
&oauth_callback_confirmed=true
&login_url=https%3A%2F%2Fapi-user.netflix.com%2Foauth%2Flogin

Step 2: User Authentication

Determined by needs of Service Provider
https://api-user.netflix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc

Callback
oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifier=abcdefg

The oauth_verifier reaches the consumer only through the user's browser (on the callback, or typed in by the user when no callback is possible) and must be presented in Step 3, so a request token the user approved cannot be exchanged by a party that did not receive that callback. oauth_callback_confirmed=true in the Step 1 response signals that the provider handles the callback this way (OAuth 1.0 Revision A).

OAuth Trust

A Matter Of Trust
Step 3: Obtaining an Access Token

http://api.netflix.com/oauth/access_token

Signed Request  ->  Access Token & Secret

Step 3: Obtaining an Access Token

http://api.netflix.com/oauth/access_token?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a
&oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255704433
&oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_verifier=abcdefg
&oauth_version=1.0
Calculating The Signature

Calculate Base String
<HTTP method>&<base string URI>&<normalized parameters>

GET&http%3A%2F%2Fapi.netflix.com%2Foauth%2Faccess_token&oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255704433%26oauth_token%3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifier%3Dabcdefg%26oauth_version%3D1.0

Calculating The Signature

Create Secret (the HMAC key)
<percent-encoded consumer secret>&<percent-encoded token secret>
1234567890123456789012345&EZ2mBk6rC2vZ
(the token secret is the oauth_token_secret returned with the request token in Step 1)

Sign Base String using the algorithm specified in oauth_signature_method
HMAC-SHA1(key = 1234567890123456789012345&EZ2mBk6rC2vZ, message = <Base String>)

Base64 encode then URL encode result:
oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D
S tep 3: Obtaining an Acces s Token (R es pons e)


oauth_token=5432109876543210987654321
&user_id=123myuserid456
&oauth_token_secret=543210987654321
Accessing Resources

http://api.netflix.com/<path to resource>

Signed Request  ->  Resource

Accessing Resources

http://api.netflix.com/users/123myuserid456/queues?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2
&oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255712310
&oauth_token=5432109876543210987654321
&oauth_version=1.0
&v=1.5
Calculating The Signature

Create Secret (the HMAC key)
<percent-encoded consumer secret>&<percent-encoded token secret>
1234567890123456789012345&543210987654321
(the token secret is now the oauth_token_secret returned with the access token in Step 3; the application parameter v=1.5 is signed along with the oauth_* parameters)

Sign Base String using the algorithm specified in oauth_signature_method
HMAC-SHA1(key = 1234567890123456789012345&543210987654321, message = <Base String>)

Base64 encode then URL encode result:
oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
Accessing Resources (Response)

<?xml version="1.0" standalone="yes"?>
<resource>
  <link href="http://api.netflix.com/users/123myuserid456/queues/disc"
        rel="http://schemas.netflix.com/queues.disc" title="disc queue" />
  <link href="http://api.netflix.com/users/123myuserid456/queues/instant"
        rel="http://schemas.netflix.com/queues.instant"
        title="instant queue" />
</resource>

Managing Access Tokens
2-Legged OAuth

• No Dance Required
• Only Consumer Key and Secret required
• Application making requests on its own behalf
• Direct Access / No Delegation
• Replacement for HTTP Basic Authentication
• Sign requests exactly as you would a Request Token request: no oauth_token is sent, and the signing key is <consumer secret>& with an empty token secret
Questions?

Authorization with OAuth

Rob Richards
http://xri.net/=rob.richards
www.cdatazone.org
