SlideShare una empresa de Scribd logo

O auth how_to

V
vivaqa
TecnologíaEmpresariales
1 de 43
Descargar para leer sin conexión
Authorization with OAuth Rob Richards October 22, 2009 cdatazone.org http://xri.net/=rob.richards
Authentication • HTTP Authentication • Basic • Digest • TLS/SSL • WS-Security • Developer Keys • 3rd Party Authentication • Yahoo BBAuth • AOL OpenAuth
OAuth An Open Protocol to allow Secure API Authorization
Oauth is not OpenID Oauth Is Like OpenID
Data Authorization Plaxo
OAuth OAuth is like a Valet Key
OAuth OAuth is like a Hotel Keycard
M as ter K ey 101 103 105 107 102 104 106 108
Gues t K ey: Granting Acces s 101 103 105 107 102 104 106 108
Gues t K ey: R evoking Acces s 101 103 105 107 102 104 106 108
M as ter K ey M aintains Full Acces s 101 103 105 107 102 104 106 108
Oauth C lients
OAuth and Netf ix l developer.netf ix.com l
Netf ix API l
Netf ix API: Us er R es ources l
Netf ix Applications ... and many more l
Obtaining a C ons umer K ey / S ecret
Obtaining a C ons umer K ey / S ecret
3-Leg g ed OAuth “The OAuth Dance”
S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token Signed Request Request Token & Secret
S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token? oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback &oauth_consumer_key=1234567890123456789012345 &oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e &oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255631744 &oauth_version=1.0
C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Frequest_token&oauth_callback%3Dhttp%253A%252F %252Fwww.example.com%252Fcallback %26oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D3eb496472d2a46ceb71d65fc1b7341ae359f932c %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp %3D1255631744%26oauth_version%3D1.0
C alculating The S ig nature • Parameters are collected, sorted and concatenated into a normalized string • Parameters in the OAuth HTTP Authorization header excluding the realm parameter. • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). • HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3) • The oauth_signature parameter MUST be excluded • Parameters are sorted by name, using lexicographical byte value ordering
C alculating The S ig nature (Authorization Header) GET /oauth/request_token HTTP/1.1 User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10) Host: api.netfix.com Accept: */* Authorization: OAuth oauth_callback="http%3A%2F %2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345& Sign Base String using algorithm specifed HMAC(1234567890123456789012345&,<Base String>) Base64 encode then URL encode result: oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
S tep 1: Obtaining a R eques t Token (R es pons e) oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_token_secret=EZ2mBk6rC2vZ &oauth_callback_confrmed=true &login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth %2Flogin
S tep 2: Us er Authentication Determined by needs of Service Provider https://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
S tep 2: Us er Authentication Determined by needs of Service Provider Callback oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
S tep 2: Us er Authentication Determined by needs of Service Provider
Oauth Trus t A Matter Of Trust
S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token Signed Request Access Token & Secret
S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a &oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255704433 &oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_verifer=abcdefg &oauth_version=1.0
C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Faccess_token&oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1255704433%26oauth_token %3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg %26oauth_version%3D1.0
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&EZ2mBk6rC2vZ Sign Base String using algorithm specifed HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>) Base64 encode then URL encode result: oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
S tep 3: Obtaining an Acces s Token (R es pons e) oauth_token=5432109876543210987654321 &user_id=123myuserid456 &oauth_token_secret=543210987654321
Acces s ing R es ources http://api.netfix.com/<path to resource> Signed Request Resource
Acces s ing R es ources http://api.netfix.com/users/123myuserid456/queues? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2 &oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255712310 &oauth_token=5432109876543210987654321 &oauth_version=1.0 &v=1.5
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&543210987654321 Sign Base String using algorithm specifed HMAC(1234567890123456789012345&543210987654321,<Base String>) Base64 encode then URL encode result: oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
Acces s ing R es ources (R es pons e) <?xml version="1.0" standalone="yes"?> <resource> <link href="http://api.netfix.com/users/123myuserid456/queues/disc" rel="http://schemas.netfix.com/queues.disc" title="disc queue" /> <link href="http://api.netfix.com/users/123myuserid456/queues/instant" rel="http://schemas.netfix.com/queues.instant" title="instant queue" /> </resource>
Acces s ing R es ources (R es pons e)
M anag ing Acces s Tokens
2-Leg g ed OAuth • No Dance Required • Only Consumer Key and Secret required • Application making requests on its own behalf • Direct Access / No Delegation • Replacement for HTTP Basic Authentication • Sign request just as if they were requests for Request Tokens
Ques tions ? Authorization with OAuth Rob Richards http://xri.net/=rob.richards www.cdatazone.org

Recomendados

OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0G Jayendra Kartheek
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 

Recomendados

OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0G Jayendra Kartheek
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMFernando Lopez Aguilar
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertBrecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth loveNicolas Blanco
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
HTTPS and YOU
HTTPS and YOUHTTPS and YOU
HTTPS and YOUEric Lewis
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure WebservicesMatthias Käppler
 
OAuth簡介
OAuth簡介OAuth簡介
OAuth簡介firestoke
 

Más contenido relacionado

La actualidad más candente

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertBrecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 

La actualidad más candente (18)

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
HTTPS and YOU
HTTPS and YOUHTTPS and YOU
HTTPS and YOU
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 

Similar a O auth how_to

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,apidays
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesMichał Wcisło
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 

Similar a O auth how_to (20)

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
OAuth簡介
OAuth簡介OAuth簡介
OAuth簡介
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Oauth Php App
Oauth Php AppOauth Php App
Oauth Php App
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
Api security
Api security Api security
Api security
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 

Último

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 

Último (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 

O auth how_to

  • 1. Authorization with OAuth Rob Richards October 22, 2009 cdatazone.org http://xri.net/=rob.richards
  • 2. Authentication • HTTP Authentication • Basic • Digest • TLS/SSL • WS-Security • Developer Keys • 3rd Party Authentication • Yahoo BBAuth • AOL OpenAuth
  • 3. OAuth An Open Protocol to allow Secure API Authorization
  • 4. Oauth is not OpenID Oauth Is Like OpenID
  • 6. OAuth OAuth is like a Valet Key
  • 7. OAuth OAuth is like a Hotel Keycard
  • 8. M as ter K ey 101 103 105 107 102 104 106 108
  • 9. Gues t K ey: Granting Acces s 101 103 105 107 102 104 106 108
  • 10. Gues t K ey: R evoking Acces s 101 103 105 107 102 104 106 108
  • 11. M as ter K ey M aintains Full Acces s 101 103 105 107 102 104 106 108
  • 13. OAuth and Netf ix l developer.netf ix.com l
  • 15. Netf ix API: Us er R es ources l
  • 16. Netf ix Applications ... and many more l
  • 17. Obtaining a C ons umer K ey / S ecret
  • 18. Obtaining a C ons umer K ey / S ecret
  • 19. 3-Leg g ed OAuth “The OAuth Dance”
  • 20. S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token Signed Request Request Token & Secret
  • 21. S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token? oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback &oauth_consumer_key=1234567890123456789012345 &oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e &oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255631744 &oauth_version=1.0
  • 22. C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Frequest_token&oauth_callback%3Dhttp%253A%252F %252Fwww.example.com%252Fcallback %26oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D3eb496472d2a46ceb71d65fc1b7341ae359f932c %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp %3D1255631744%26oauth_version%3D1.0
  • 23. C alculating The S ig nature • Parameters are collected, sorted and concatenated into a normalized string • Parameters in the OAuth HTTP Authorization header excluding the realm parameter. • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). • HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3) • The oauth_signature parameter MUST be excluded • Parameters are sorted by name, using lexicographical byte value ordering
  • 24. C alculating The S ig nature (Authorization Header) GET /oauth/request_token HTTP/1.1 User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10) Host: api.netfix.com Accept: */* Authorization: OAuth oauth_callback="http%3A%2F %2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
  • 25. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345& Sign Base String using algorithm specifed HMAC(1234567890123456789012345&,<Base String>) Base64 encode then URL encode result: oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
  • 26. S tep 1: Obtaining a R eques t Token (R es pons e) oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_token_secret=EZ2mBk6rC2vZ &oauth_callback_confrmed=true &login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth %2Flogin
  • 27. S tep 2: Us er Authentication Determined by needs of Service Provider https://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
  • 28. S tep 2: Us er Authentication Determined by needs of Service Provider Callback oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
  • 29. S tep 2: Us er Authentication Determined by needs of Service Provider
  • 30. Oauth Trus t A Matter Of Trust
  • 31. S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token Signed Request Access Token & Secret
  • 32. S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a &oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255704433 &oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_verifer=abcdefg &oauth_version=1.0
  • 33. C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Faccess_token&oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1255704433%26oauth_token %3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg %26oauth_version%3D1.0
  • 34. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&EZ2mBk6rC2vZ Sign Base String using algorithm specifed HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>) Base64 encode then URL encode result: oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
  • 35. S tep 3: Obtaining an Acces s Token (R es pons e) oauth_token=5432109876543210987654321 &user_id=123myuserid456 &oauth_token_secret=543210987654321
  • 36. Acces s ing R es ources http://api.netfix.com/<path to resource> Signed Request Resource
  • 37. Acces s ing R es ources http://api.netfix.com/users/123myuserid456/queues? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2 &oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255712310 &oauth_token=5432109876543210987654321 &oauth_version=1.0 &v=1.5
  • 38. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&543210987654321 Sign Base String using algorithm specifed HMAC(1234567890123456789012345&543210987654321,<Base String>) Base64 encode then URL encode result: oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
  • 39. Acces s ing R es ources (R es pons e) <?xml version="1.0" standalone="yes"?> <resource> <link href="http://api.netfix.com/users/123myuserid456/queues/disc" rel="http://schemas.netfix.com/queues.disc" title="disc queue" /> <link href="http://api.netfix.com/users/123myuserid456/queues/instant" rel="http://schemas.netfix.com/queues.instant" title="instant queue" /> </resource>
  • 40. Acces s ing R es ources (R es pons e)
  • 41. M anag ing Acces s Tokens
  • 42. 2-Leg g ed OAuth • No Dance Required • Only Consumer Key and Secret required • Application making requests on its own behalf • Direct Access / No Delegation • Replacement for HTTP Basic Authentication • Sign request just as if they were requests for Request Tokens
  • 43. Ques tions ? Authorization with OAuth Rob Richards http://xri.net/=rob.richards www.cdatazone.org