22. OAuth goal...
OAuth is...
Authentication
• the user must be logged in to access the website/application
Token-based authentication
• each logged-in user has a unique token per application
25. OAuth goal...
OAuth goal...
be simple
• a standard for website API authentication
• consistent for developers
• easy for users to understand *
* this is hard
29. OAuth goal...
OAuth goal...
be open
• any website can implement OAuth
• any developer can use OAuth
• open source client libraries
• published technical specifications
31. OAuth goal...
be flexible
• the consumer doesn't need the user's username and password
• authentication method agnostic
• can use OpenID (or not)
• whatever works best for the web service
• developers don't need to handle authentication themselves
32. what does the user see?
example from Primus Core Helang Api
39. register a consumer app
provide the service provider with data about your application (name, URL...)
the service provider assigns the consumer a consumer key and a consumer secret
the service provider gives documentation of the authorization URLs and methods
50. user | consumer | service provider
• user → consumer: click connect
• consumer → service provider: request token
• service provider → consumer: request token, request secret
• consumer → user: redirect user to provider
• user → service provider: user authorises request token
• service provider → user: redirect with verifier
• user → consumer: notifies app with verifier
• consumer → service provider: request token → access token
• service provider → consumer: access token, access secret
• consumer → service provider: request on user's behalf
69. security
tokens: the username/password are never passed to the consumer
timestamp and nonce: make every request unique
signature: signed request parameters let the service provider recognise the consumer
signature methods: HMAC-SHA1, RSA-SHA1, PLAINTEXT over a secure channel (SSL)
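As an added example, not code from the slides or the cited talks: the consumer-side HMAC-SHA1 signing and the provider-side checks (signature recomputation, timestamp window, nonce replay rejection) that the flow and security slides above describe, following the OAuth 1.0 signature base string rules. Consumer keys, secrets, tokens and URLs used with it are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    # OAuth 1.0 percent-encoding: everything except unreserved characters is encoded
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & enc(base URL) & enc(normalized params); params is a list of (key, value)
    # pairs (duplicates allowed), each encoded, then sorted by key and value
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # key = enc(consumer secret) & enc(token secret); the token secret is empty
    # when the consumer is still asking for a request token
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def oauth_params(consumer_key, token=None, nonce=None, timestamp=None):
    # protocol parameters the consumer adds to every signed request
    p = [("oauth_consumer_key", consumer_key), ("oauth_signature_method", "HMAC-SHA1"),
         ("oauth_timestamp", str(timestamp or int(time.time()))),
         ("oauth_nonce", nonce or secrets.token_hex(8)), ("oauth_version", "1.0")]
    return p + [("oauth_token", token)] if token else p

class Provider:
    """Service-provider side: recompute the signature and reject stale or replayed requests."""
    def __init__(self, consumer_secrets, token_secrets, window=300):
        self.consumer_secrets, self.token_secrets = consumer_secrets, token_secrets
        self.window, self.seen = window, set()   # seen = (consumer key, timestamp, nonce)

    def verify(self, method, url, params, now):
        p = dict(params)
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        ts, nonce, ckey = p.get("oauth_timestamp", "0"), p.get("oauth_nonce"), p.get("oauth_consumer_key")
        if not ts.isdigit() or abs(now - int(ts)) > self.window:   # outside the timestamp window
            return False
        if (ckey, ts, nonce) in self.seen:                          # nonce already used: replay
            return False
        csecret = self.consumer_secrets.get(ckey)
        tsecret = self.token_secrets.get(p["oauth_token"]) if "oauth_token" in p else ""
        if csecret is None or tsecret is None:                      # unknown consumer or token
            return False
        expected = sign_hmac_sha1(method, url, unsigned, csecret, tsecret)
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            return False                                            # parameters were altered
        self.seen.add((ckey, ts, nonce))
        return True
```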
77. credit
OAuth - Open API Authentication by leahculver on Dec 01, 2007
Implementing OAuth with PHP by Lorna Mitchell on May 17, 2011
Using OAuth with PHP by David Ingram on Nov 04, 2010