OAuth
Delegated Authorization
(photo: http://flickr.com/photos/claveirole/3028193046/)

Community Driven
Extraction of Existing Patterns
(photo: http://flickr.com/photos/olivander/58499153/)

Flexible ...
    ... But with a low barrier to entry.

Web-Native
So how does it work?

The cast:
    The User: Jane
    Her Protected Resources: Jane’s private photos
    A Service Provider: Flickr, where the photos live
    And a Consumer: Moo, which wants to print them
The Problem

fake Moo: Hi Jane, what’s your Flickr username?
Jane: I dunno, jane@hotmail.com?
fake Moo: Okay, great! What’s your password?
Jane: h4pp1n3ss
fake Moo: Brilliant! We’ll (crossed out: steal your credit card details using
          your email account) print those photos right away!
Step 1: Intent

Jane: Hey, Moo! I need to print out some photos that
      are on Flickr, but I marked them as private.
      Could you print them for me?

Moo: Sure, but first I need to ask Flickr for permission.
Step 2: Request Token

Moo: “Hi Flickr! This is Moo! Can I have a Request Token?”
     signed: HMAC-SHA1 (Yours Truly, Moo.)

Flickr: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V
        and your secret is: 1Hv0pzNXMXdEfBd”

Moo: Great, thanks!
Step 3: Authorize Request Token

Moo: Hey, Jane, could you go to Flickr and authorize
     this Request Token: 9iKot2y5UQTDlS2V?
     Once you do that, I can access your photos.

Jane: Sure, one sec! My browser’s great at redirects,
      so this won’t hurt a bit.
Step 3, Continued

Jane: Flickr, I’d like to authorize 9iKot2y5UQTDlS2V

Flickr: Sure - just to be sure, you’re authorizing Moo for
        read-only access to your private photos?
        We trust them, so it’s pretty safe.

Jane: Yup, that’s right!

Flickr: Cool. Now, go back and tell Moo to go ahead.
Step 3, Optional Notify

Jane: Hey, Moo, I gave permission to Flickr and they
      said you could go ahead.

Moo: Awesome, thanks! I’ll get right on that.
Step 4: Exchange Token

Moo: Hey, Flickr. Could I exchange this token:
     9iKot2y5UQTDlS2V for the Access Token?
     signed: HMAC-SHA1 (Yours Truly, Moo.)

Flickr: “Sure! Your Access Token is: 94S3sJVmuuxSPiZz
        and your Secret is: 4Fc8bwdKNGSM0iNe”

Moo: Great, thanks!
Step 5: Access Data

Moo: Dear Flickr, I’d like to access the photos that
     are covered by Access Token 94S3sJVmuuxSPiZz.
     signed: HMAC-SHA1 (Yours Truly, Moo.)

Flickr: Here they are!
        Any other requests?
Things to Note
(non-obvious)

•   No identity information. Moo doesn’t know
    who Jane is on Flickr; it only holds a token.
•   The Consumer could be anonymous.
•   The User could be anonymous (where
    permission is implicit); the signed request still
    gives the Service Provider a verified User-Agent.
•   API-independent.
•   Tokens (permissions) can be revoked.
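The five steps above, plus the revocation note, as an added example that is not part of the deck: an in-memory model of the Service Provider's token state, with the Consumer walking the flow and the refusals a provider has to make (wrong consumer, unauthorized token, second exchange, revoked token). Request signing is left out to keep the focus on token state. The consumer key, user name, photo names and generated tokens are made up for the example, and the oauth_verifier check is an addition from OAuth 1.0a that the 1.0 flow in the deck does not have.

```python
"""Token lifecycle behind steps 1-5 (added example; not the deck's code)."""
import secrets
from dataclasses import dataclass
from typing import Optional


class OAuthError(Exception):
    """Raised whenever the Service Provider refuses a step."""


@dataclass
class RequestToken:
    consumer_key: str
    secret: str
    authorized_by: Optional[str] = None   # user id, set when the user approves (step 3)
    scope: Optional[str] = None
    verifier: Optional[str] = None        # OAuth 1.0a addition; the 1.0 flow in the deck has none
    used: bool = False                    # a request token is exchanged at most once


@dataclass
class AccessToken:
    consumer_key: str
    secret: str
    user: str
    scope: str
    revoked: bool = False


class ServiceProvider:
    """Flickr's role: issues tokens, records the user's decision, serves photos."""

    def __init__(self):
        self.consumers = {}       # consumer key -> consumer secret (shared at registration)
        self.request_tokens = {}
        self.access_tokens = {}
        self.photos = {}          # user -> private photos (constructed sample data)

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def issue_request_token(self, consumer_key):                     # step 2
        if consumer_key not in self.consumers:
            raise OAuthError("unknown consumer")
        tok, sec = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self.request_tokens[tok] = RequestToken(consumer_key, sec)
        return tok, sec

    def authorize(self, user, request_token, scope="read"):          # step 3, in the user's browser
        rt = self.request_tokens.get(request_token)
        if rt is None or rt.used or rt.authorized_by is not None:
            raise OAuthError("request token is not pending authorization")
        rt.authorized_by, rt.scope = user, scope
        rt.verifier = secrets.token_urlsafe(8)  # handed back to the consumer via the user (1.0a)
        return rt.verifier

    def exchange(self, consumer_key, request_token, verifier):       # step 4
        rt = self.request_tokens.get(request_token)
        if rt is None or rt.consumer_key != consumer_key:
            raise OAuthError("request token was not issued to this consumer")
        if rt.used or rt.authorized_by is None:
            raise OAuthError("request token not authorized, or already exchanged")
        if verifier is None or not secrets.compare_digest(rt.verifier, verifier):
            raise OAuthError("verifier does not match")
        rt.used = True
        tok, sec = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        self.access_tokens[tok] = AccessToken(consumer_key, sec, rt.authorized_by, rt.scope)
        return tok, sec

    def get_photos(self, consumer_key, access_token):                # step 5
        at = self.access_tokens.get(access_token)
        if at is None or at.revoked or at.consumer_key != consumer_key:
            raise OAuthError("invalid or revoked access token")
        if at.scope != "read":
            raise OAuthError("token scope does not permit reading")
        return list(self.photos.get(at.user, []))   # the consumer never sees at.user

    def revoke(self, user, access_token):
        at = self.access_tokens.get(access_token)
        if at is not None and at.user == user:
            at.revoked = True


def rejected(fn, *args):
    """True when the provider refuses the call; used for the negative cases."""
    try:
        fn(*args)
    except OAuthError:
        return True
    return False


def run_flow():
    """Jane, Moo and Flickr walk steps 2-5; returns provider, tokens and photos."""
    flickr = ServiceProvider()
    flickr.register_consumer("moo-key", "moo-secret")
    flickr.photos["jane"] = ["vacation.jpg", "beach.jpg"]
    rt, _ = flickr.issue_request_token("moo-key")             # Moo -> Flickr
    verifier = flickr.authorize("jane", rt, scope="read")     # Jane, redirected to Flickr
    at, _ = flickr.exchange("moo-key", rt, verifier)          # Moo -> Flickr
    return flickr, rt, at, flickr.get_photos("moo-key", at)   # Moo -> Flickr


def negative_cases():
    """Each refusal a provider must make, keyed by case; all values should be True."""
    sp, rt, at, _ = run_flow()
    verifier = sp.request_tokens[rt].verifier
    results = {
        "unknown consumer": rejected(sp.issue_request_token, "nobody"),
        "request token exchanged twice": rejected(sp.exchange, "moo-key", rt, verifier),
        "other consumer presents Moo's access token": rejected(sp.get_photos, "other-key", at),
    }
    rt2, _ = sp.issue_request_token("moo-key")                # never authorized by Jane
    results["unauthorized request token"] = rejected(sp.exchange, "moo-key", rt2, "guess")
    sp.revoke("jane", at)
    results["revoked access token"] = rejected(sp.get_photos, "moo-key", at)
    return results
```

The access token maps to Jane only inside the provider, which is the "no identity information" point: Moo holds a capability, not a login. Revocation is a one-field change on the provider side and takes effect on the next request, with no cooperation from the Consumer needed.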
Signatures

•   Currently three methods:
    •   HMAC-SHA1 (shared secrets + hash)
    •   PLAINTEXT (shared secrets + SSL)
    •   RSA-SHA1 (PKI)

•   Signature Base String is what we called the
    signed bits. It includes:
    •   HTTP method
    •   URI
    •   Request Parameters
    •   OAuth Parameters
•   Does NOT sign HTTP headers or a non
    x-www-form-urlencoded HTTP body, so anything
    carried there is protected only by the transport (SSL).

•   Not just limited to HTTP.
•   A signature method exists for XMPP;
    methods could be described for any
    protocol.
•   Did we mention it’s extensible? It is easy to
    describe extensions to sign, for example,
    multi-part HTTP bodies.
OAuth
Request Example

The Request
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80

The Request, with OAuth
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_token="nnch734d00sl2jdk",
    oauth_nonce="kllo9940pd9333jh",
    oauth_timestamp="1191242096",
    oauth_signature_method="HMAC-SHA1",
    oauth_version="1.0",
    oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
How did we get there?
•   Collect the following:
    •   Consumer Key & Secret
    •   Access Token & Secret
    •   Timestamp and Nonce
    •   Request Parameters (normalized)
    •   Destination URI and HTTP method
Request Example
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_token="nnch734d00sl2jdk",
    oauth_nonce="kllo9940pd9333jh",
    oauth_timestamp="1191242096",
    oauth_signature_method="HMAC-SHA1",
    oauth_version="1.0",
    oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"

Signature Base String (one string; shown here on one line):
 GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
HTTP Request Method / Request URI / Request Parameters
(the deck repeats the same request and base string three times, highlighting
one component of the base string each time)

•   HTTP request method: GET, the first &-separated component of the
    base string.
•   Request URI: http://photos.example.net/photos, normalized (lower-case
    scheme and host, the default port 80 dropped, query string removed),
    percent-encoded as the second component.
•   Request parameters: the query-string parameters (size, file) and the
    oauth_* parameters merged, sorted by name, joined with &, and then
    percent-encoded as a whole to form the third component. oauth_signature
    itself and realm are not part of it.
Signature
GET /photos?size=original&file=vacation.jpg HTTP/1.1
Host: photos.example.net:80
Authorization: OAuth realm="http://photos.example.net/photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_token="nnch734d00sl2jdk",
    oauth_nonce="kllo9940pd9333jh",
    oauth_timestamp="1191242096",
    oauth_signature_method="HMAC-SHA1",
    oauth_version="1.0",
    oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"

 Signature:
 base64( HMAC-SHA1( key  = ConsumerSecret&TokenSecret (each percent-encoded),
                    text = GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal ) )
 = tR3+Ty81lMeYAr/Fid0kMTYa/WM=
   (sent percent-encoded in the header as tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D)
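The Signatures slides and the request example above, worked through in code as an added example (not the deck's code and not from any OAuth library): percent-encoding, URI normalization, parameter normalization, the base string, the HMAC-SHA1 and PLAINTEXT methods, and the Service Provider's verification of the resulting Authorization header. Everything public comes from the request on the slide; the two secrets are assumed to be the OAuth Core 1.0 spec's Appendix A test values, since the deck shows only the consumer key and token, not their secrets. Nonce and timestamp replay checks are left out.

```python
"""OAuth 1.0 HMAC-SHA1 signing for the deck's request (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

# Key and token are from the slide; the secrets are the spec's test values (assumed).
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net:80/photos?size=original&file=vacation.jpg"
REALM = "http://photos.example.net/photos"
OAUTH_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_token": TOKEN,
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_timestamp": "1191242096",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}
# The base string the deck shows for this request, used to check the code.
EXPECTED_BASE = (
    "GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg"
    "%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh"
    "%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096"
    "%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal"
)


def pct(s: str) -> str:
    """OAuth percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded ('/' is encoded)."""
    return quote(s.encode("utf-8"), safe="-._~")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop the default port, strip query and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    default = (p.scheme == "http" and p.port == 80) or (p.scheme == "https" and p.port == 443)
    if p.port and not default:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), host, p.path or "/", "", ""))


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & pct(normalized URL) & pct(normalized parameters).

    Query-string and oauth_* parameters are merged and sorted by encoded name,
    then value; oauth_signature and realm are never part of the signed text.
    """
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """pct(consumer secret) & pct(token secret); the token part is empty in step 2."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    mac = hmac.new(signing_key(consumer_secret, token_secret).encode(), base.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def plaintext(consumer_secret: str, token_secret: str = "") -> str:
    """PLAINTEXT method: the signing key itself is the signature, so SSL is mandatory."""
    return signing_key(consumer_secret, token_secret)


def sign_request(method, url, params, consumer_secret, token_secret, realm=None) -> str:
    """Consumer side: build the Authorization header value for the request."""
    sig = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    fields = [f'realm="{realm}"'] if realm else []
    fields += [f'{pct(k)}="{pct(v)}"' for k, v in {**params, "oauth_signature": sig}.items()]
    return "OAuth " + ", ".join(fields)


def verify_request(method, url, header, consumer_secret, token_secret) -> bool:
    """Service Provider side: rebuild the base string and compare in constant time."""
    params = {}
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        params[unquote(k)] = unquote(v.strip('"'))
    params.pop("realm", None)
    presented = params.pop("oauth_signature", "")
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def example_header() -> str:
    """The deck's request, signed with the assumed secrets."""
    return sign_request("GET", URL, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET, realm=REALM)


if __name__ == "__main__":
    hdr = example_header()
    print("Authorization:", hdr)
    print("verifies:", verify_request("GET", URL, hdr, CONSUMER_SECRET, TOKEN_SECRET))
```

Two things the slides state become visible here: the realm and the signature are not inside the base string, and a change to anything that is (the method, the normalized URL, any query or oauth_* parameter) invalidates the signature, while an HTTP header or a non-form-encoded body could change without affecting it.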
Issues
•   Documentation.
•   Spec is precise, not ideal for implementors.
•   Harder than HTTP Basic Auth.
•   Concerns of API usage dropoff due to user
    loss during the redirect step.
•   Not perfect. Doesn’t solve phishing / brute
    force attacks.

Más contenido relacionado

Destacado

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Social Privacy for HTTP over Webfinger
Social Privacy for HTTP over WebfingerSocial Privacy for HTTP over Webfinger
Social Privacy for HTTP over WebfingerBlaine
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introductionh_marvin
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Nabeel Yoosuf
 
A Small Talk on Getting Big
A Small Talk on Getting BigA Small Talk on Getting Big
A Small Talk on Getting Bigbritt
 
Improving Running Components at Twitter
Improving Running Components at TwitterImproving Running Components at Twitter
Improving Running Components at TwitterEvan Weaver
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0  - Part 1Introduction to OAuth 2.0  - Part 1
Introduction to OAuth 2.0 - Part 1Nabeel Yoosuf
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityCA API Management
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Scaling Twitter
Scaling TwitterScaling Twitter
Scaling TwitterBlaine
 
Twitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessonsTwitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessonsAditya Rao
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An IntroductionForgeRock
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to RedisDvir Volk
 
Scalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsScalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsJonas Bonér
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 

Destacado (17)

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Social Privacy for HTTP over Webfinger
Social Privacy for HTTP over WebfingerSocial Privacy for HTTP over Webfinger
Social Privacy for HTTP over Webfinger
 
OAuth Introduction
OAuth IntroductionOAuth Introduction
OAuth Introduction
 
Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2Introduction to OAuth 2.0 - Part 2
Introduction to OAuth 2.0 - Part 2
 
A Small Talk on Getting Big
A Small Talk on Getting BigA Small Talk on Getting Big
A Small Talk on Getting Big
 
Improving Running Components at Twitter
Improving Running Components at TwitterImproving Running Components at Twitter
Improving Running Components at Twitter
 
Introduction to OAuth 2.0 - Part 1
Introduction to OAuth 2.0  - Part 1Introduction to OAuth 2.0  - Part 1
Introduction to OAuth 2.0 - Part 1
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Scaling Twitter
Scaling TwitterScaling Twitter
Scaling Twitter
 
Twitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessonsTwitter - Architecture and Scalability lessons
Twitter - Architecture and Scalability lessons
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
 
Scalability, Availability & Stability Patterns
Scalability, Availability & Stability PatternsScalability, Availability & Stability Patterns
Scalability, Availability & Stability Patterns
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 

Similar a OAuth

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
RFC6749 et alia 20130504
RFC6749 et alia 20130504RFC6749 et alia 20130504
RFC6749 et alia 20130504Mattias Jidhage
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground UpMichael Bleigh
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLkulor
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
Wireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundJim Geovedi
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Alvaro Sanchez-Mariscal
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie StealingSecurityTube.Net
 
Computer Networks: An Introduction
Computer Networks: An IntroductionComputer Networks: An Introduction
Computer Networks: An Introductionsanand0
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter AppsDamon Cortesi
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Securityeugenet
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 

Similar a OAuth (20)

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
RFC6749 et alia 20130504
RFC6749 et alia 20130504RFC6749 et alia 20130504
RFC6749 et alia 20130504
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground Up
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices  - Spring I/O 2015Stateless authentication for microservices  - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 
Wireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers Playground
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Computer Networks: An Introduction
Computer Networks: An IntroductionComputer Networks: An Introduction
Computer Networks: An Introduction
 
Building Secure Twitter Apps
Building Secure Twitter AppsBuilding Secure Twitter Apps
Building Secure Twitter Apps
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Security
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 

Último

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

OAuth

  • 1.
  • 2. Delegated Authorization http://flickr.com/photos/claveirole/3028193046/
  • 5. http://flickr.com/photos/olivander/58499153/ Flexible ... ... But with a low barrier to entry.
  • 7. So how does it work?
  • 10. Her Protected Resources Jane
  • 11. Jane
  • 13. Jane
  • 14. Jane And a Consumer
  • 15. Jane
  • 16. The Problem fake : Hi Jane, what’s your username? : I dunno, jane@hotmail.com? fake : Okay, great! What’s your password? : h4pp1n3ss fake : Brilliant! We’ll steal your credit card details using your email account print those photos right away!
  • 17. Step 1: Intent : Hey, ! I need to print out some that are on , but I marked them as private. Could you print them for me? : Sure, but first I need to ask for permission.
  • 18. Step 2: Request Token ! Can I have a Request Token? “Hi ! This is HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Request Token is: 9iKot2y5UQTDlS2V and your secret is: 1Hv0pzNXMXdEfBd” : Great, thanks!
  • 19. Step 3: Authorize Request Token : Hey, could you go to flickr and authorize this Request Token: 9iKot2y5UQTDlS2V? Once you do that, I can access your . : Sure, one sec! My browser’s great at redirects, so this won’t hurt a bit.
  • 20. Step 3, Continued : , I’d like to authorize 9iKot2y5UQTDlS2V : Sure - just to be sure, you’re authorizing for read-only access to your private photos? We trust them, so it’s pretty safe. : Yup, that’s right! : Cool. Now, go back and tell to go ahead.
  • 21. Step 3, Optional Notify : Hey, , I gave permission to and they said you could go ahead. : Awesome, thanks! I’ll get right on that.
  • 22. Step 4: Exchange Token Hey, . Could I exchange this token: 9iKot2y5UQTDlS2V for the Access Token? HMAC-SHA1 (Yours Truly, Moo.) : “Sure! Your Access Token is: 94S3sJVmuuxSPiZz and your Secret is: 4Fc8bwdKNGSM0iNe” : Great, thanks!
  • 23. Step 5: Access Data Dear , I’d like to access the photos that are owned by 94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.) : Here they are! Any other requests?
  • 24. Things to Note (non-obvious) • No identity information. Moo doesn’t know who Jane is on Flickr. • The Consumer could be anonymous. • The User could be anonymous (where permission is implicit), providing verified User-Agent. • API-independent. • Tokens (permissions) can be revoked.
  • 25. Signatures • Currently three methods: • HMAC-SHA1 (shared secrets + hash) • PLAINTEXT (shared secrets + SSL) • RSA-SHA1 (PKI)
  • 26. Signatures • Signature Base String is what we called the signed bits. It includes: • URI • Request Parameters • OAuth Parameters • Does NOT sign HTTP Headers, non x-www-form-urlencoded HTTP Body.
  • 27. Signatures • Not just limited to HTTP. • Signature method exists for XMPP, methods could be described for any protocol. • Did we mention it’s extensible? Easy to describe extensions to sign, for example, multi-part HTTP bodies.
  • 29. The Request GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80
  • 30. The Request, with OAuth GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm=quot;http://photos.example.net/photosquot; oauth_consumer_key=quot;dpf43f3p2l4k3l03quot; oauth_token=quot;nnch734d00sl2jdkquot; oauth_nonce=quot;kllo9940pd9333jhquot; oauth_timestamp=quot;1191242096quot; oauth_signature_method=quot;HMAC-SHA1quot; oauth_version=quot;1.0quot; oauth_signature=quot;tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3Dquot;
  • 31. How did we get there? • Collect the following: • Consumer Key & Secret • Access Token & Secret • Timestamp and Nonce • Request Parameters (normalized) • Destination URI and HTTP method
  • 32. Request Example GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm="http://photos.example.net/photos" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D" Signature Base String: GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
  • 33. HTTP Request Method: the same request and Signature Base String as slide 32, highlighting the HTTP method (GET), the first component of the base string.
  • 34. Request URI: the same request and Signature Base String as slide 32, highlighting the normalized request URI (http://photos.example.net/photos, default port dropped, no query string), the second component.
  • 35. Request Parameters: the same request and Signature Base String as slide 32, highlighting the sorted, percent-encoded query and oauth_* parameters (everything except oauth_signature and realm), the third component.
  • 36. Request Parameters GET /photos?size=original&file=vacation.jpg HTTP/1.1 Host: photos.example.net:80 Authorization: OAuth realm="http://photos.example.net/photos" oauth_consumer_key="dpf43f3p2l4k3l03" oauth_token="nnch734d00sl2jdk" oauth_nonce="kllo9940pd9333jh" oauth_timestamp="1191242096" oauth_signature_method="HMAC-SHA1" oauth_version="1.0" oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D" Signature: HMAC-SHA1(GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal)
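The base-string construction and HMAC-SHA1 signature that slides 31 to 36 walk through, as an added worked example (not code from the slides or from any OAuth library). The consumer key, token, nonce, timestamp and resulting signature are the ones on the slides; the two secrets are not on the slides and are taken from the OAuth Core 1.0 spec Appendix A example that these slides reproduce.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Values from the slides (OAuth Core 1.0 Appendix A). The secrets are the
# spec's, not shown on the slides; any real deployment uses its own.
EXAMPLE_URL = "http://photos.example.net:80/photos?size=original&file=vacation.jpg"
EXAMPLE_OAUTH_PARAMS = {
    "realm": "http://photos.example.net/photos",
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_timestamp": "1191242096",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
    "oauth_signature": "tR3+Ty81lMeYAr/Fid0kMTYa/WM=",
}
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def oauth_encode(s: str) -> str:
    # OAuth 1.0 percent-encoding: RFC 3986 unreserved characters only.
    return quote(s, safe="-._~")


def normalize_uri(url: str) -> str:
    # scheme://host[:port]/path with lowercase scheme/host, default ports
    # dropped and no query or fragment (slide 34).
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    # Query parameters plus oauth_* parameters, minus oauth_signature and
    # realm, each encoded, sorted, joined with '&', then encoded again.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in
                          sorted((oauth_encode(k), oauth_encode(v)) for k, v in params))
    return "&".join(oauth_encode(x) for x in (method.upper(), normalize_uri(url), normalized))


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Key is consumer_secret&token_secret; the token secret is empty when
    # requesting a Request Token (step 2 on the earlier slides).
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def verify_signature(method: str, url: str, oauth_params: dict,
                     consumer_secret: str, token_secret: str) -> bool:
    # Service Provider side: recompute and compare in constant time.
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))
```

Because the HTTP body and headers are outside the base string (slide 26), changing the query string or any oauth_* value breaks verification, while changing a header does not.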
  • 37. Issues • Documentation. • Spec is precise, not ideal for implementors. • Harder than HTTP Basic Auth. • Concerns of API usage dropoff due to user loss during the redirect step. • Not perfect. Doesn’t solve phishing / brute force attacks.