Slides from the session given by @raffi and @episod at Chirp. Additional links and slides included.

2. Too many secrets but never
enough.
by Raffi Krikorian & Taylor Singletary
Questions? http://bit.ly/chirpoauth
#chirpoauth

3. OAuth is a dance.

4. OAuth Libraries don’t always
work right or won’t bend to your
will easily.
Sometimes you’ve got to get your
hands dirty and fix them.

5. All OAuth requests are similar at
their core. The rules really don’t
change.

6. The signature base string.

7. httpMethod + "&" +
url_encode( base_uri ) + "&" +
sorted_query_params.each { | k, v |
url_encode ( k ) + "%3D" +
url_encode ( v )
}.join("%26")

8. httpMethod + "&" +
url_encode( base_uri ) + "&" +
sorted_query_params.each { | k, v |
url_encode ( k ) + "%3D" +
url_encode ( v )
}.join("%26")

9. Signing requests.

10. Signing an OAuth request is easier
than you think.
Take that signature base string,
then sign it using HMAC-SHA1
and the proper signing key

11. The proper signing key is a pain
point.
The access token step, and any
resource requests on a user’s behalf
utilizes OAuth tokens and secrets to
create a composite signing key.

12. Two-legged OAuth requests are
requests that don’t require a user or
oauth_token.
Asking for a request token is
actually a two-legged OAuth
request.

13. The algorithm for determining
what your “signing key” is
url_encode( consumer_secret )
+
"&" +
url_encode(
oauth_token_secret || nil )

14. The algorithm for determining
what your “signing key” is
With an oauth_token_secret
signing_key = “abcd&efgh”
Without an oauth_token_secret
signing_key = “abcd&”

15. the OAuth 1.0A Request Cycle

17. xAuth & OAuth Echo

18. xAuth in Ruby
def get_access_token_with_xauth(login, password)
consumer = initiate_oauth_consumer_object
options = {}
options[:x_auth_username] = login
options[:x_auth_password] = password
options[:x_auth_mode] = "client_auth"
url = "https://api.twitter.com/oauth/access_token"
response = consumer.token_request(:post, url, nil, {}, options)
@access_token = OAuth::AccessToken.from_hash(consumer,
response)
end

19. Working with OAuth Libraries
Most OAuth Libraries are similar

20. Advice
• Learn how to specify HTTP headers explicitly in your
OAuth implementation
• Master the core components of your OAuth libraries.
Follow the code path through so you understand the proper
places to introduce different behavior.

21. Truth & Reconciliation

22. When things go wrong.

23. the OAuth Dancer
( hold me closer )

24. the OAuth Dancer
• Nearly complete solution for testing REST-based API
requests with OAuth 1.0A authentication.
• Examine the signature base string, authorization headers,
and oodles more debug information about requests.
• Supports xAuth and two-legged OAuth.
• Out-of-band (PIN) support coming soon.
• Under perpetual development. OAuth 2.0 support on the
way.
• Very useful for creating comparative examples, testing
internal OAuth implementations, and more.
http://bit.ly/oauth-dancer

25. What’s on the horizon? Q&A

26. Some links
OAuth Zero to Hero
About OAuth Echo
Beginner’s Guide to OAuth
Twitter xAuth
OAuth Dancer