SlideShare ist ein Scribd-Unternehmen logo

OAuth and OEmbed

L
leahculver

Talk on OAuth and OEmbed given in December 2009 in NYC for the Gilt Group.

TechnologieDesign
1 von 50
Leah Culver Six Apart
OAuth and OEmbed Dec 2009
‣ Pownce ‣ Six Apart ‣ OAuth co-author ‣ OAuth Python library ‣ OEmbed co-author
A simple open standard for secure API authentication. http://oauth.net
The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application”
Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
Just like... ‣ Flickr Auth ‣ Google’s AuthSub ‣ Yahoo’s BBAuth ‣ Facebook Auth ‣ and others...
Who is involved?
Who is involved?
Goals Be Simple ‣ standard for website API authentication ‣ consistent for developers ‣ easy for end users to understand * * this is hard
Goals Be Secure ‣ secure for end users ‣ easy to implement security features ‣ 3rd party developers don’t have access to passwords ‣ balance security with ease of use
Goals Be Open ‣ any website can implement OAuth ‣ any 3rd party developer can use OAuth ‣ open source client libraries ‣ community-designed technical specifications
Goals Be Flexible ‣ authentication method agnostic ‣ don’t need a username and password ‣ can use OpenID ‣ 3rd party developers don’t handle auth
OAuth Setup
OAuth Setup ‣ Service provider gives documentation of endpoint URLs and signature method ‣ Consumer registers an application with the service provider and gets a consumer key/secret
OAuth Setup
OAuth Setup
OAuth Flow
1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
2. User authorizes request token
3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
Where is this information passed? ‣ HTTP Authorization header ‣ HTTP POST request body (form parameters) ‣ URL query string parameters
Timestamp and nonce oauth_timestamp ‣ seconds since Unix epoch ‣ must be greater than last request oauth_nonce ‣ “number used once” ‣ ensure unique requests
Signature methods oauth_signature_method ‣ HMAC-SHA1 ‣ RSA-SHA1 ‣ PLAINTEXT oauth_signature ‣ string constructed based on signature method
HTTP Errors 400 Bad Request ‣ unsupported parameter ‣ unsupported signature method ‣ missing required parameter ‣ duplicate OAuth parameter 401 Unauthorized ‣ invalid consumer key ‣ invalid / expired token ‣ invalid signature (signature does not match) ‣ invalid / used nonce
Security considerations ‣ PLAINTEXT needs to be encrypted ‣ Secrecy of consumer secret (desktop consumers) ‣ Phishing attacks ‣ Repeat authorizations ‣ and more...
Session fixation attack Attacker gets victim to authorize attacker’s request token. April 2009 http://oauth.net/advisories/2009-1
1.0a ‣ Consumer must specify oauth_callback during the request token phase ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ‣ oauth_verifier used when exchanging request token for access token
Current status ‣ 1.0 final (Dec 2007) ‣ 1.0a (24 June 2009) ‣ IETF draft phase ‣ 2.0 coming soon! ‣ Lots of client libraries
Questions?
OEmbed API format for converting a URL into an embed code. http://oembed.com
Who is involved?
Goals ‣ Embed content from any site ‣ Standard API for embeds ‣ Support many photo/video providers
Embed types ‣ photo ‣ video ‣ rich ‣ link (can be used if content is not embeddable)
Request params ‣ URL ‣ format (XML, JSON) ‣ maxwidth ‣ maxheight
Response params ‣ type (photo, video, rich or link)
Response params photo ‣ url (img src) ‣ width ‣ height video / rich ‣ html (embed) ‣ width ‣ height
Response params ‣ version (always 1.0) ‣ author_name ‣ author_url ‣ provider_name ‣ provider_url ‣ cache_age ‣ thumbnail_url, thumbnail_width, thumbnail height
plus any addional parameters...
YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value="http://www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src="http://www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
Discovery ‣ white-lists ‣ HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
Proposed discovery ‣ HTTP HEAD requests ‣ URL templates e.g. url.to.resource.json
Issues ‣ trust (white-lists and iFrames) ‣ discovery ‣ multiple requests (for discovery) ‣ REST-based as opposed to inline semantic markup
Current status ‣ Supported by lots of providers! ‣ Not as many consumers ‣ Need an embed code from a URL?
Questions?

Empfohlen

Alucobond fire safety - FR
Alucobond fire safety - FRAlucobond fire safety - FR
Alucobond fire safety - FR
Architectura
 
Immunesystem
ImmunesystemImmunesystem
Immunesystem
shabeel pn
 
11 fundamental art 5 9 (7)
11 fundamental art 5 9 (7)11 fundamental art 5 9 (7)
11 fundamental art 5 9 (7)
Ainnabila Rosdi
 
Commercial Law - Consumer Guarantees
Commercial Law - Consumer GuaranteesCommercial Law - Consumer Guarantees
Commercial Law - Consumer Guarantees
Francois Brun
 
Landlawtest
LandlawtestLandlawtest
Landlawtest
FAROUQ
 
Unit 3.pptx
Unit 3.pptxUnit 3.pptx
Unit 3.pptx
monika kaurav
 
Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign
 
Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...
ZabGU
 

Empfohlen

Alucobond fire safety - FR
Alucobond fire safety - FRAlucobond fire safety - FR
Alucobond fire safety - FR
Architectura
 
Immunesystem
ImmunesystemImmunesystem
Immunesystem
shabeel pn
 
11 fundamental art 5 9 (7)
11 fundamental art 5 9 (7)11 fundamental art 5 9 (7)
11 fundamental art 5 9 (7)
Ainnabila Rosdi
 
Commercial Law - Consumer Guarantees
Commercial Law - Consumer GuaranteesCommercial Law - Consumer Guarantees
Commercial Law - Consumer Guarantees
Francois Brun
 
Landlawtest
LandlawtestLandlawtest
Landlawtest
FAROUQ
 
Unit 3.pptx
Unit 3.pptxUnit 3.pptx
Unit 3.pptx
monika kaurav
 
Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign
 
Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...
ZabGU
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
thariyarox
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
Mohan Krishnan
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
 
Api security
Api security Api security
Api security
teodorcotruta
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Channa Ly
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
NETUserGroupBern
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
Álvaro Alonso González
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
FIWARE
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
Jeff Fontas
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
Codemotion
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Weitere ähnliche Inhalte

Ähnlich wie OAuth and OEmbed

Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
 

Ähnlich wie OAuth and OEmbed (20)

Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Api security
Api security Api security
Api security
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2
 

Kürzlich hochgeladen

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Kürzlich hochgeladen (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

OAuth and OEmbed

  • 2. OAuth and OEmbed Dec 2009
  • 3. Pownce ‣ Six Apart ‣ OAuth co-author ‣ OAuth Python library ‣ OEmbed co-author
  • 4. A simple open standard for secure API authentication. http://oauth.net
  • 5. The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application”
  • 6. Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
  • 7. Just like... ‣ Flickr Auth ‣ Google’s AuthSub ‣ Yahoo’s BBAuth ‣ Facebook Auth ‣ and others...
  • 10. Goals Be Simple ‣ standard for website API authentication ‣ consistent for developers ‣ easy for end users to understand * * this is hard
  • 11. Goals Be Secure ‣ secure for end users ‣ easy to implement security features ‣ 3rd party developers don’t have access to passwords ‣ balance security with ease of use
  • 12. Goals Be Open ‣ any website can implement OAuth ‣ any 3rd party developer can use OAuth ‣ open source client libraries ‣ community-designed technical specifications
  • 13. Goals Be Flexible ‣ authentication method agnostic ‣ don’t need a username and password ‣ can use OpenID ‣ 3rd party developers don’t handle auth
  • 15. OAuth Setup ‣ Service provider gives documentation of endpoint URLs and signature method ‣ Consumer registers an application with the service provider and gets a consumer key/secret
  • 19. 1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
  • 20. 2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
  • 21. 2. User authorizes request token
  • 22. 3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
  • 23. 4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • 24. Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • 25. Where is this information passed? ‣ HTTP Authorization header ‣ HTTP POST request body (form parameters) ‣ URL query string parameters
  • 26. Timestamp and nonce oauth_timestamp ‣ seconds since Unix epoch ‣ must be greater than last request oauth_nonce ‣ “number used once” ‣ ensure unique requests
  • 27. Signature methods oauth_signature_method ‣ HMAC-SHA1 ‣ RSA-SHA1 ‣ PLAINTEXT oauth_signature ‣ string constructed based on signature method
  • 28. HTTP Errors 400 Bad Request ‣ unsupported parameter ‣ unsupported signature method ‣ missing required parameter ‣ duplicate OAuth parameter 401 Unauthorized ‣ invalid consumer key ‣ invalid / expired token ‣ invalid signature (signature does not match) ‣ invalid / used nonce
  • 29. Security considerations ‣ PLAINTEXT needs to be encrypted ‣ Secrecy of consumer secret (desktop consumers) ‣ Phishing attacks ‣ Repeat authorizations ‣ and more...
  • 30. Session fixation attack Attacker gets victim to authorize attacker’s request token. April 2009 http://oauth.net/advisories/2009-1
  • 31. 1.0a ‣ Consumer must specify oauth_callback during the request token phase ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ‣ oauth_verifier used when exchanging request token for access token
  • 32. Current status ‣ 1.0 final (Dec 2007) ‣ 1.0a (24 June 2009) ‣ IETF draft phase ‣ 2.0 coming soon! ‣ Lots of client libraries
  • 34. OEmbed API format for converting a URL into an embed code. http://oembed.com
  • 36. Goals ‣ Embed content from any site ‣ Standard API for embeds ‣ Support many photo/video providers
  • 37. Embed types ‣ photo ‣ video ‣ rich ‣ link (can be used if content is not embeddable)
  • 38. Request params ‣ URL ‣ format (XML, JSON) ‣ maxwidth ‣ maxheight
  • 39. Response params ‣ type (photo, video, rich or link)
  • 40. Response params photo ‣ url (img src) ‣ width ‣ height video / rich ‣ html (embed) ‣ width ‣ height
  • 41. Response params ‣ version (always 1.0) ‣ author_name ‣ author_url ‣ provider_name ‣ provider_url ‣ cache_age ‣ thumbnail_url, thumbnail_width, thumbnail height
  • 42. plus any addional parameters...
  • 43. YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
  • 44. Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value="http://www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src="http://www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
  • 45.
  • 46. Discovery ‣ white-lists ‣ HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
  • 47. Proposed discovery ‣ HTTP HEAD requests ‣ URL templates e.g. url.to.resource.json
  • 48. Issues ‣ trust (white-lists and iFrames) ‣ discovery ‣ multiple requests (for discovery) ‣ REST-based as opposed to inline semantic markup
  • 49. Current status ‣ Supported by lots of providers! ‣ Not as many consumers ‣ Need an embed code from a URL?