OAuth
Delegated Authorization
http://flickr.com/photos/claveirole/3028193046/
Community Driven
Extraction of Existing Patterns
http://flickr.com/photos/olivander/58499153/
Flexible ...
... But with a low barrier to entry.
Web-Native
So how does it work?
The User: Jane
Her Protected Resources
A Service Provider
And a Consumer
The Problem
Fake consumer: Hi Jane, what’s your username?
Jane: I dunno, jane@hotmail.com?
Fake consumer: Okay, great! What’s your password?
Jane: h4pp1n3ss
Fake consumer: Brilliant! We’ll [steal your credit card details using your email account] print those photos right away!

Step 1: Intent
Jane: Hey, Moo! I need to print out some photos that are on Flickr, but I marked them as private. Could you print them for me?
Moo: Sure, but first I need to ask Flickr for permission.

Step 2: Request Token
Moo: “Hi Flickr! This is Moo! Can I have a Request Token?”
    HMAC-SHA1 (Yours Truly, Moo.)
Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd”
Moo: Great, thanks!

Step 3: Authorize Request Token
Moo: Hey, Jane, could you go to flickr and authorize this Request Token: 9iKot2y5UQTDlS2V? Once you do that, I can access your photos.
Jane: Sure, one sec! My browser’s great at redirects, so this won’t hurt a bit.

Step 3, Continued
Jane: Flickr, I’d like to authorize 9iKot2y5UQTDlS2V
Flickr: Sure - just to be sure, you’re authorizing Moo for read-only access to your private photos? We trust them, so it’s pretty safe.
Jane: Yup, that’s right!
Flickr: Cool. Now, go back and tell Moo to go ahead.

Step 3, Optional Notify
Jane: Hey, Moo, I gave permission to Flickr and they said you could go ahead.
Moo: Awesome, thanks! I’ll get right on that.

Step 4: Exchange Token
Moo: Hey, Flickr. Could I exchange this token: 9iKot2y5UQTDlS2V for the Access Token?
    HMAC-SHA1 (Yours Truly, Moo.)
Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe”
Moo: Great, thanks!

Step 5: Access Data
Moo: Dear Flickr, I’d like to access the photos that are owned by 94S3sJVmuuxSPiZz.
    HMAC-SHA1 (Yours Truly, Moo.)
Flickr: Here they are! Any other requests?
Things to Note
(non-obvious)

•   No identity information. Moo doesn’t know
    who Jane is on Flickr.

•   The Consumer could be anonymous.
•   The User could be anonymous (where
    permission is implicit), providing verified
    User-Agent.
•   API-independent.
•   Tokens (permissions) can be revoked.
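The token exchange in Steps 2 to 5 and the notes on anonymity and revocation, modelled as a small Service Provider. This is an added example, not code from the deck or from any OAuth library: the class and function names (ServiceProvider, run_story), the photo names and the "allowed"/"denied" outcomes are constructed for illustration, and request signing is left out so that the token state machine stands on its own.

```python
import secrets


class ServiceProvider:
    """Flickr's role in the story: mints tokens, records Jane's consent, serves her photos."""

    def __init__(self):
        self.consumers = {}       # consumer key -> consumer secret
        self.request_tokens = {}  # request token -> {secret, consumer, authorized_by, scope}
        self.access_tokens = {}   # access token  -> {secret, consumer, owner, scope}
        self.photos = {}          # user -> names of that user's private photos

    def register_consumer(self, consumer_key):
        self.consumers[consumer_key] = secrets.token_urlsafe(12)
        return self.consumers[consumer_key]

    # Step 2: any registered Consumer gets a Request Token; on its own it grants nothing.
    def issue_request_token(self, consumer_key):
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key,
                                      "authorized_by": None, "scope": None}
        return token, secret

    # Step 3: the User, logged in at the provider's own site, binds the token to herself.
    def authorize(self, user, request_token, scope="read"):
        entry = self.request_tokens.get(request_token)
        if entry is None:
            raise PermissionError("unknown request token")
        if entry["authorized_by"] is not None:
            raise PermissionError("request token already authorized")
        entry["authorized_by"], entry["scope"] = user, scope

    # Step 4: only the Consumer the token was issued to may exchange it, and only once.
    def exchange_token(self, consumer_key, request_token):
        entry = self.request_tokens.get(request_token)
        if entry is None or entry["consumer"] != consumer_key:
            raise PermissionError("request token not issued to this consumer")
        if entry["authorized_by"] is None:
            raise PermissionError("request token not yet authorized by the user")
        del self.request_tokens[request_token]
        token, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self.access_tokens[token] = {"secret": secret, "consumer": consumer_key,
                                     "owner": entry["authorized_by"], "scope": entry["scope"]}
        return token, secret

    # Step 5: the token, not a username, decides whose photos come back. The mapping
    # token -> owner lives only here, which is why Moo never learns who Jane is on Flickr.
    def get_photos(self, consumer_key, access_token):
        entry = self.access_tokens.get(access_token)
        if entry is None or entry["consumer"] != consumer_key:
            raise PermissionError("invalid or revoked access token")
        return list(self.photos.get(entry["owner"], []))

    # "Tokens (permissions) can be revoked": the owner cuts off one Consumer, nobody else.
    def revoke(self, user, access_token):
        entry = self.access_tokens.get(access_token)
        if entry is None or entry["owner"] != user:
            return False
        del self.access_tokens[access_token]
        return True


def _attempt(action):
    try:
        action()
        return "allowed"
    except PermissionError:
        return "denied"


def run_story():
    """Walk Steps 2 to 5 for Jane, Moo and Flickr and record what each check allowed."""
    flickr = ServiceProvider()
    flickr.photos["jane"] = ["vacation.jpg", "beach.jpg"]   # constructed sample data
    flickr.register_consumer("moo")
    outcome = {}

    req_token, _req_secret = flickr.issue_request_token("moo")                # Step 2
    outcome["exchange_before_authorize"] = _attempt(
        lambda: flickr.exchange_token("moo", req_token))                       # too early
    flickr.authorize("jane", req_token, scope="read")                          # Step 3
    access_token, _access_secret = flickr.exchange_token("moo", req_token)     # Step 4
    outcome["request_token_reuse"] = _attempt(
        lambda: flickr.exchange_token("moo", req_token))                       # already spent
    outcome["photos"] = flickr.get_photos("moo", access_token)                 # Step 5

    flickr.revoke("jane", access_token)
    outcome["after_revoke"] = _attempt(lambda: flickr.get_photos("moo", access_token))
    return outcome
```

The checks worth noticing are the ones the dialogue glosses over: a Request Token is useless until the User has authorized it at the provider, it can be exchanged only by the Consumer it was issued to and only once, and revoking the Access Token cuts off that Consumer without touching Jane's password or any other Consumer's tokens.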
Signatures

•   Currently three methods:
    •   HMAC-SHA1 (shared secrets + hash)
    •   PLAINTEXT (shared secrets + SSL)
    •   RSA-SHA1 (PKI)
Signatures
•   Signature Base String is what we called the
    signed bits. It includes:
    •   URI
    •   Request Parameters
    •   OAuth Parameters
•   Does NOT sign HTTP headers, nor an HTTP body
    that is not x-www-form-urlencoded.
Signatures
•   Not just limited to HTTP.
•   Signature method exists for XMPP,
    methods could be described for any
    protocol.
•   Did we mention it’s extensible? Easy to
    describe extensions to sign, for example,
    multi-part HTTP bodies.
OAuth
Request Example
The Request
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
The Request, with OAuth
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_token="nnch734d00sl2jdk",
    oauth_nonce="kllo9940pd9333jh",
    oauth_timestamp="1191242096",
    oauth_signature_method="HMAC-SHA1",
    oauth_version="1.0",
    oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
How did we get there?
•   Collect the following:
    •   Consumer Key & Secret
    •   Access Token & Secret
    •   Timestamp and Nonce
    •   Request Parameters (normalized)
    •   Destination URI and HTTP method
Request Example
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_token="nnch734d00sl2jdk",
    oauth_nonce="kllo9940pd9333jh",
    oauth_timestamp="1191242096",
    oauth_signature_method="HMAC-SHA1",
    oauth_version="1.0",
    oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"

Signature Base String:
 GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
HTTP Request Method, Request URI, Request Parameters
(The same request and Signature Base String are repeated on three further slides, highlighting in turn the three parts joined by "&": the HTTP request method "GET", the encoded request URI "http%3A%2F%2Fphotos.example.net%2Fphotos", and the encoded, normalized request parameters from "file%3Dvacation.jpg" through "size%3Doriginal".)

Signature:
 HMAC-SHA1(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal)
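How the Signature Base String and HMAC-SHA1 signature on the Signatures and Request Example slides are built, and how the Service Provider checks them, as an added Python example; it is not the deck's code and not any OAuth library. The consumer key, token, nonce, timestamp, URL and signature are the slide's values. The two secrets are not on the slides: they are assumed to be the ones the OAuth Core 1.0 specification pairs with this same example. The Verifier class, its five-minute timestamp window and the nonce bookkeeping are this example's own design.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(value):
    # OAuth percent-encoding: only ALPHA, DIGIT, "-", ".", "_" and "~" stay literal.
    return quote(str(value), safe="-._~")

def normalize_url(url):
    # scheme://host[:port]/path with default ports dropped and the query string removed.
    p = urlsplit(url)
    host = p.hostname
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path}"

def signature_base_string(method, url, query_params, oauth_params):
    # Query-string and oauth_* parameters (never oauth_signature or realm) are encoded,
    # sorted, joined as name=value with "&", and that whole string is encoded once more.
    params = list(query_params) + [(k, v) for k, v in oauth_params.items()
                                   if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # The HMAC key is "consumer_secret&token_secret", both parts percent-encoded.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(realm, oauth_params, signature):
    fields = [f'realm="{realm}"'] + [f'{k}="{pct(v)}"' for k, v in oauth_params.items()]
    fields.append(f'oauth_signature="{pct(signature)}"')
    return "OAuth " + ", ".join(fields)

def parse_authorization_header(header):
    params = {}
    for field in header[len("OAuth "):].split(","):
        name, _, value = field.strip().partition("=")
        params[name] = unquote(value.strip('"'))
    return params

class Verifier:
    """Service-provider side: recompute the signature and refuse stale or replayed requests."""

    def __init__(self, consumer_secrets, token_secrets, window=300):
        self.consumer_secrets, self.token_secrets = consumer_secrets, token_secrets
        self.window = window          # seconds of clock skew tolerated
        self.seen_nonces = set()      # (consumer key, timestamp, nonce) already accepted

    def verify(self, method, url, header, now=None):
        oauth = parse_authorization_header(header)
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        consumer_secret = self.consumer_secrets.get(oauth.get("oauth_consumer_key"))
        token_secret = self.token_secrets.get(oauth.get("oauth_token"))
        if consumer_secret is None or token_secret is None:
            return False, "unknown consumer or token"
        now = time.time() if now is None else now
        if abs(now - int(oauth.get("oauth_timestamp", 0))) > self.window:
            return False, "timestamp outside window"
        nonce_key = (oauth["oauth_consumer_key"], oauth["oauth_timestamp"], oauth.get("oauth_nonce", ""))
        if nonce_key in self.seen_nonces:
            return False, "nonce replayed"
        query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        expected = hmac_sha1_signature(signature_base_string(method, url, query, oauth),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce_key)
        return True, "ok"

# Values from the request on the slides. The two secrets are not on the slides; they are
# the ones the OAuth Core 1.0 specification uses with this same example (assumption).
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
ACCESS_TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net:80/photos?size=original&file=vacation.jpg"
OAUTH_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY, "oauth_token": ACCESS_TOKEN,
    "oauth_nonce": "kllo9940pd9333jh", "oauth_timestamp": "1191242096",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}

def slide_base_string():
    return signature_base_string("GET", URL, parse_qsl(urlsplit(URL).query), OAUTH_PARAMS)

def slide_signature():
    return hmac_sha1_signature(slide_base_string(), CONSUMER_SECRET, TOKEN_SECRET)

def slide_header():
    return authorization_header("http://photos.example.net/photos", OAUTH_PARAMS, slide_signature())

def verify_slide_request(url=URL, replay=False, now=1191242096):
    # Fresh provider state per call; `replay` submits the identical header a second time.
    verifier = Verifier({CONSUMER_KEY: CONSUMER_SECRET}, {ACCESS_TOKEN: TOKEN_SECRET})
    result = verifier.verify("GET", url, slide_header(), now=now)
    return verifier.verify("GET", url, slide_header(), now=now) if replay else result
```

Two details matter on the verifying side. The signature covers the method, the normalized URI and the request parameters, so changing the file name in the query string (or the method) invalidates it, while an HTTP header outside the Authorization line is not covered at all, as the Signatures slide says. And because an intercepted signed request would otherwise verify again and again, the provider has to keep the (consumer key, timestamp, nonce) triple it accepted and reject any repeat within the timestamp window.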
Issues
•   Documentation.
•   Spec is precise, not ideal for implementors.
•   Harder than HTTP Basic Auth.
•   Concerns of API usage dropoff due to user
    loss during the redirect step.
•   Not perfect. Doesn’t solve phishing / brute
    force attacks.

Weitere ähnliche Inhalte

Andere mochten auch

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Social Privacy for HTTP over Webfinger
Social Privacy for HTTP over WebfingerSocial Privacy for HTTP over Webfinger
Social Privacy for HTTP over WebfingerBlaine
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introductionh_marvin
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Nabeel Yoosuf
 
A Small Talk on Getting Big
A Small Talk on Getting BigA Small Talk on Getting Big
A Small Talk on Getting Bigbritt
 
Improving Running Components at Twitter
Improving Running Components at TwitterImproving Running Components at Twitter
Improving Running Components at TwitterEvan Weaver
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0  - Part 1Introduction to OAuth 2.0  - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityCA API Management
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Scaling Twitter
Scaling TwitterScaling Twitter
Scaling TwitterBlaine
 
Twitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessonsTwitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessonsAditya Rao
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An IntroductionForgeRock
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to RedisDvir Volk
 
Scalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsScalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsJonas Bonér
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 

Andere mochten auch (17)

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Social Privacy for HTTP over Webfinger
Social Privacy for HTTP over WebfingerSocial Privacy for HTTP over Webfinger
Social Privacy for HTTP over Webfinger
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introduction
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2
 
A Small Talk on Getting Big
A Small Talk on Getting BigA Small Talk on Getting Big
A Small Talk on Getting Big
 
Improving Running Components at Twitter
Improving Running Components at TwitterImproving Running Components at Twitter
Improving Running Components at Twitter
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0  - Part 1Introduction to OAuth 2.0  - Part 1
Introduction to OAuth 2.0 - Part 1
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Scaling Twitter
Scaling TwitterScaling Twitter
Scaling Twitter
 
Twitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessonsTwitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessons
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
 
Scalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsScalability, Availability & Stability Patterns
Scalability, Availability & Stability Patterns
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 

Ähnlich wie OAuth

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
RFC6749 et alia 20130504
RFC6749 et alia 20130504RFC6749 et alia 20130504
RFC6749 et alia 20130504Mattias Jidhage
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground UpMichael Bleigh
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLkulor
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
Wireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundJim Geovedi
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Alvaro Sanchez-Mariscal
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie StealingSecurityTube.Net
 
Computer Networks: An Introduction
Computer Networks: An IntroductionComputer Networks: An Introduction
Computer Networks: An Introductionsanand0
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter AppsDamon Cortesi
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Securityeugenet
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 

Ähnlich wie OAuth (20)

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
RFC6749 et alia 20130504
RFC6749 et alia 20130504RFC6749 et alia 20130504
RFC6749 et alia 20130504
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground Up
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Wireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers Playground
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Computer Networks: An Introduction
Computer Networks: An IntroductionComputer Networks: An Introduction
Computer Networks: An Introduction
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter Apps
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Security
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 

Kürzlich hochgeladen

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Kürzlich hochgeladen (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

OAuth

  • 1.
  • 2. Delegated Authorization http://flickr.com/photos/claveirole/3028193046/
  • 5. http://flickr.com/photos/olivander/58499153/ Flexible ... ... But with a low barrier to entry.
  • 7. So how does it work?
  • 10. Her Protected Resources Jane
  • 11. Jane
  • 13. Jane
  • 14. Jane And a Consumer
  • 15. Jane
  • 16. The Problem fake : Hi Jane, what’s your username? : I dunno, jane@hotmail.com? fake : Okay, great! What’s your password? : h4pp1n3ss fake : Brilliant! We’ll steal your credit card details using your email account print those photos right away!
  • 17. Step 1: Intent : Hey, ! I need to print out some that are on , but I marked them as private. Could you print them for me? : Sure, but first I need to ask for permission.
  • 18. Step 2: Request Token ! Can I have a Request Token? “Hi ! This is HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd” : Great, thanks!
  • 19. Step 3: Authorize Request Token : Hey, could you go to flickr and authorize this Request Token: 9iKot2y5UQTDlS2V? Once you do that, I can access your . : Sure, one sec! My browser’s great at redirects, so this won’t hurt a bit.
  • 20. Step 3, Continued : , I’d like to authorize 9iKot2y5UQTDlS2V : Sure - just to be sure, you’re authorizing for read-only access to your private photos? We trust them, so it’s pretty safe. : Yup, that’s right! : Cool. Now, go back and tell to go ahead.
  • 21. Step 3, Optional Notify : Hey, , I gave permission to and they said you could go ahead. : Awesome, thanks! I’ll get right on that.
  • 22. Step 4: Exchange Token Hey, . Could I exchange this token: 9iKot2y5UQTDlS2V for the Access Token? HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe” : Great, thanks!
  • 23. Step 5: Access Data Dear , I’d like to access the photos that are owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.) : Here they are! Any other requests?
  • 24. Things to Note (non-obvious)
        • No identity information. Moo doesn’t know who Jane is on Flickr.
        • The Consumer could be anonymous.
        • The User could be anonymous (where permission is implicit), providing verified User-Agent.
        • API-independent.
        • Tokens (permissions) can be revoked.
  • 25. Signatures
        • Currently three methods:
          • HMAC-SHA1 (shared secrets + hash)
          • PLAINTEXT (shared secrets + SSL)
          • RSA-SHA1 (PKI)
  • 26. Signatures
        • Signature Base String is what we called the signed bits. It includes:
          • URI
          • Request Parameters
          • OAuth Parameters
        • Does NOT sign HTTP Headers, non x-www-form-urlencoded HTTP Body.
  • 27. Signatures
        • Not just limited to HTTP.
        • Signature method exists for XMPP, methods could be described for any protocol.
        • Did we mention it’s extensible? Easy to describe extensions to sign, for example, multi-part HTTP bodies.
  • 29. The Request
        GET /photos?size=original&file=vacation.jpg HTTP/1.1
        Host: photos.example.net:80
  • 30. The Request, with OAuth
        GET /photos?size=original&file=vacation.jpg HTTP/1.1
        Host: photos.example.net:80
        Authorization: OAuth realm="http://photos.example.net/photos"
            oauth_consumer_key="dpf43f3p2l4k3l03"
            oauth_token="nnch734d00sl2jdk"
            oauth_nonce="kllo9940pd9333jh"
            oauth_timestamp="1191242096"
            oauth_signature_method="HMAC-SHA1"
            oauth_version="1.0"
            oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
  • 31. How did we get there?
        • Collect the following:
          • Consumer Key & Secret
          • Access Token & Secret
          • Timestamp and Nonce
          • Request Parameters (normalized)
          • Destination URI and HTTP method
  • 32. Request Example (the same request as on slide 30)
        Signature Base String:
        GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
  • 33. HTTP Request Method: the same request and Signature Base String as on slide 32.
  • 34. Request URI: the same request and Signature Base String as on slide 32.
  • 35. Request Parameters: the same request and Signature Base String as on slide 32.
  • 36. Request Parameters (the same request as on slide 32)
        Signature: HMAC-SHA1(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal)
  • 37. Issues
        • Documentation.
        • Spec is precise, not ideal for implementors.
        • Harder than HTTP Basic Auth.
        • Concerns of API usage dropoff due to user loss during the redirect step.
        • Not perfect. Doesn’t solve phishing / brute force attacks.
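The Step 2 to Step 5 exchange of slides 18 to 23, together with the slide 24 notes, as an added Python sketch of the service-provider side. It is not the slides' or Flickr's code: the consumer key "moo", the user "jane" and the photo list are constructed, and request signing (covered by the later slides) is left out.

```python
import secrets

class ServiceProvider:
    # Constructed stand-in for the Flickr role: it issues, authorizes, exchanges and revokes tokens.
    def __init__(self):
        self.request_tokens = {}  # token -> {"secret", "consumer", "user", "scope"}
        self.access_tokens = {}   # token -> {"secret", "consumer", "user", "scope"}
        self.photos = {"jane": ["vacation.jpg", "beach.jpg"]}  # constructed sample data
    # Step 2: the consumer gets a Request Token; all it proves is its consumer key
    def request_token(self, consumer_key):
        token, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key, "user": None, "scope": None}
        return token, secret
    # Step 3: the user, in her own browser session at the provider, binds the token to herself and a scope
    def authorize(self, token, user, scope="read"):
        self.request_tokens[token].update(user=user, scope=scope)
    # Step 4: only an authorized token, presented by the same consumer, becomes an Access Token
    def exchange(self, token, consumer_key):
        entry = self.request_tokens.get(token)
        if entry is None or entry["consumer"] != consumer_key or entry["user"] is None:
            raise PermissionError("request token unknown, foreign or not yet authorized")
        del self.request_tokens[token]  # one-shot: a request token cannot be exchanged twice
        access, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self.access_tokens[access] = dict(entry, secret=secret)
        return access, secret
    # Step 5: data is addressed by Access Token; the consumer never learns who the user is (slide 24)
    def photos_for(self, access_token):
        entry = self.access_tokens.get(access_token)
        if entry is None:
            raise PermissionError("access token unknown or revoked")
        return list(self.photos[entry["user"]])
    def revoke(self, access_token):  # slide 24: the permission can be withdrawn at any time
        self.access_tokens.pop(access_token, None)

def refused(call):
    try:
        call(); return False
    except PermissionError:
        return True

def walk_through():
    """Runs steps 2-5; returns (photos, exchange_before_authorize_refused, use_after_revoke_refused)."""
    sp = ServiceProvider()
    rt, _ = sp.request_token("moo")
    early_refused = refused(lambda: sp.exchange(rt, "moo"))  # step 4 before step 3 must fail
    sp.authorize(rt, "jane")                                  # done by Jane, not by Moo
    at, _ = sp.exchange(rt, "moo")
    photos = sp.photos_for(at)
    sp.revoke(at)
    return photos, early_refused, refused(lambda: sp.photos_for(at))
```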
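Slides 31 to 36 worked through in Python, as an added example that is not code from the slides: it builds the Signature Base String and the HMAC-SHA1 signature for the slide 30 request, and adds the provider-side check. The consumer and token secrets are not on the slides; they are the ones the OAuth Core 1.0 specification's Appendix A uses with this same request.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def enc(value):
    # OAuth percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded
    return quote(str(value), safe="-._~")

def normalize_url(url):
    # Slide 34: scheme, host and path only; default ports and the query string are dropped
    u = urlsplit(url)
    default = (u.scheme == "http" and u.port == 80) or (u.scheme == "https" and u.port == 443)
    host = u.hostname if (u.port is None or default) else f"{u.hostname}:{u.port}"
    return f"{u.scheme}://{host}{u.path}"

def signature_base_string(method, url, params):
    # Slide 35: query and oauth_* parameters (never realm or oauth_signature), sorted,
    # each encoded once; then the three parts are encoded again and joined with '&'
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k not in ("realm", "oauth_signature"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{enc(normalize_url(url))}&{enc(normalized)}"

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Slide 36: the key is consumer secret '&' token secret; the digest is base64-encoded
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, params, consumer_secret, token_secret):
    # Provider side: rebuild the base string from the request actually received and compare
    # in constant time (nonce and timestamp replay checks are a separate step)
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# The request of slides 30-36 (header values percent-decoded). The two secrets are not on
# the slides; they are the Appendix A values from the OAuth Core 1.0 specification.
URL = "http://photos.example.net:80/photos?size=original&file=vacation.jpg"
PARAMS = {
    "size": "original", "file": "vacation.jpg", "realm": "http://photos.example.net/photos",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_timestamp": "1191242096",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
    "oauth_signature": "tR3+Ty81lMeYAr/Fid0kMTYa/WM=",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
```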