OAUTH
Don Park, 3-Feb-2009
Terms
  Provider
  Consumer
  User
API Call

PUT /vendingmachine/dispense
Variables:
  brand=hershey
  quantity=1
  change=gold
API Call + OAUTH

PUT /vendingmachine/dispense
Variables:
  brand=hershey
  quantity=1
  change=gold
  oauth_token=abc123
  oauth_consumer_key=123abc
  oauth_signature_method=HMAC-SHA1
  oauth_signature=xyz1234
  oauth_timestamp=2009-01-011234
  oauth_nonce=nonsence

Signature generation: Variables + token_secret
How are the access token and token secret acquired?

The provider sends you the access token and secret. In the clear! HTTPS is required.
The last OAUTH-specific URL: the access token URL
Direction: Provider to Consumer
Given: the request token
Returned: the access token and secret, if the access token has been blessed

http://icecondor.com/oauth/access&oauth_token=req132

HTTP 302 redirect to:
icecondor-android-app:///&oauth_token=access1234&oauth_token_secret=xfz123
The next OAUTH-specific URL: the user permission URL
Direction: User to Provider
Given: the request token
Post: Bless the token

http://icecondor.com/oauth/authorize&oauth_token=req132
http://icecondor.com/oauth/authorize&oauth_token=req123&granted=1

Displays a screen that asks the user to authorize this application for access to protected data.
Redirects to the pre-defined return-to URL back to the consumer.
The first OAUTH-specific URL: the request token URL
Direction: Consumer to Provider
Given: the consumer key
Post: Bless the token

http://icecondor.com/oauth/request&oauth_consumer_key=req132
http://icecondor.com/oauth/authorize&oauth_token=req123&granted=1

Displays a screen that asks the user to authorize this application for access to protected data.
Redirects to the pre-defined return-to URL back to the consumer.
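The three slides above describe the token hand-offs between the request token URL, the user permission URL and the access token URL. The following is an added example written for this page, not code from the deck or from the oauth-plugin project: a toy provider-side model of that token lifecycle in Ruby. It assumes the incoming calls have already passed signature verification, that the access token is returned in the response body (the slide shows a redirect-to-app variant carrying the same two fields), and uses the slide's consumer key `123abc` and return-to URL `icecondor-android-app:///`; the second consumer key `999zzz` is constructed. The defender-relevant points are the checks on the exchange: the request token must be blessed, must be exchanged by the consumer that obtained it, and only once.

```ruby
require 'securerandom'

# Toy provider-side state for the three OAuth-specific URLs on the slides:
# request token, user permission (blessing), access token. Signature checks on
# the incoming calls are assumed to have happened already (assumption for the demo).
class TokenProvider
  Token = Struct.new(:token, :secret, :consumer_key, :authorized, :exchanged)

  # consumers: consumer_key => true for keys registered out of band
  # callbacks: consumer_key => pre-defined return-to URL (never taken from the request)
  def initialize(consumers, callbacks, rng = -> { SecureRandom.hex(8) })
    @consumers = consumers
    @callbacks = callbacks
    @rng = rng
    @request_tokens = {}
    @access_tokens = {}
  end

  # Request token URL (consumer to provider): consumer key in, temporary token + secret out.
  def request_token(consumer_key)
    return :unknown_consumer unless @consumers[consumer_key]
    t = Token.new("req#{@rng.call}", @rng.call, consumer_key, false, false)
    @request_tokens[t.token] = t
    { oauth_token: t.token, oauth_token_secret: t.secret }
  end

  # User permission URL (user to provider): records the user's decision and
  # builds the redirect back to the consumer's registered return-to URL.
  def authorize(request_token, granted)
    t = @request_tokens[request_token]
    return :unknown_request_token unless t
    t.authorized = granted
    "#{@callbacks[t.consumer_key]}?oauth_token=#{t.token}&granted=#{granted ? 1 : 0}"
  end

  # Access token URL (provider to consumer): a blessed request token is swapped,
  # exactly once and only by the consumer that obtained it, for the access token + secret.
  def access_token(consumer_key, request_token)
    t = @request_tokens[request_token]
    return :unknown_request_token unless t
    return :wrong_consumer unless t.consumer_key == consumer_key
    return :not_authorized unless t.authorized
    return :already_exchanged if t.exchanged
    t.exchanged = true
    a = Token.new("access#{@rng.call}", @rng.call, consumer_key, true, false)
    @access_tokens[a.token] = a
    { oauth_token: a.token, oauth_token_secret: a.secret }
  end

  # Lookup the provider needs later when verifying signed API calls.
  def token_secret(access_token)
    a = @access_tokens[access_token]
    a && a.secret
  end
end

# Walk one consumer through the flow; consumer key and return-to URL are the slide's values.
def demo_flow
  provider = TokenProvider.new({ '123abc' => true }, { '123abc' => 'icecondor-android-app:///' })
  req = provider.request_token('123abc')
  steps = [provider.access_token('123abc', req[:oauth_token])]     # not blessed yet
  redirect = provider.authorize(req[:oauth_token], true)           # user blesses the token
  steps << provider.access_token('999zzz', req[:oauth_token])      # constructed other consumer key
  access = provider.access_token('123abc', req[:oauth_token])
  steps << (access.is_a?(Hash) ? :issued : access)
  steps << provider.access_token('123abc', req[:oauth_token])      # second exchange attempt
  { steps: steps, redirect: redirect,
    secret_known: provider.token_secret(access[:oauth_token]) == access[:oauth_token_secret] }
end

puts demo_flow.inspect if $PROGRAM_NAME == __FILE__
```

The return-to URL is looked up from the consumer's registration rather than read from the request, so a request token cannot be redirected to a URL the provider never agreed to.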
Last parts of the puzzle: how does the consumer acquire a consumer key and secret from the provider?

Out of scope! The spec doesn't say. Use an out-of-band method. Example: receive the consumer key and secret in an email, and hard-code the values into the consumer app.

Also, the request token URL, the authorization URL and the access token URL are not standardized and have to be communicated out-of-band.
Help is on the way: OAUTH DISCOVERY (draft spec)

XRDS document location in the headers:

Date: Wed, 04 Feb 2009 01:06:17 GMT
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.6
X-Runtime: 3125ms
Etag: "aafe6ca507f518d040c9868cddaad9ef"
X-XRDS-Location: http://icecondor.com/xrds.xml
Cache-Control: private, max-age=0, must-revalidate
xrds.xml

<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
  <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Expires>2009-12-31T23:59:59Z</Expires>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/request</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI> https://icecondor.com/oauth/request </URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <URI> https://icecondor.com/oauth/authorize </URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/access</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI> https://icecondor.com/oauth/access </URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
      <LocalID> 0685bd9184jfhq22 </LocalID>
    </Service>
  </XRD>
  <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0</Type>
      <URI>#oauth</URI>
    </Service>
  </XRD>
</XRDS>
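The discovery slides show how a consumer would find the three endpoint URLs instead of receiving them out-of-band: read the X-XRDS-Location header, fetch the XRDS document, and pick each Service by its Type. The following is an added example for this page, not the deck's or the oauth-plugin project's code: a Ruby parser for that document using the standard library's REXML, fed the header block and xrds.xml from the slides (embedded inline as constructed sample input, with the header set reduced to the lines that matter). It also adds the checks a consumer should run before trusting what it discovered: the discovery document was fetched over plain http in the slide, so the endpoint list itself is unauthenticated, and any endpoint that advertises PLAINTEXT signatures must be https or the token secret would travel unprotected.

```ruby
require 'rexml/document'

# Header block from the discovery slide (constructed sample; values are the slide's).
SAMPLE_HEADERS = <<~'HEADERS'
  Date: Wed, 04 Feb 2009 01:06:17 GMT
  Server: Apache
  X-XRDS-Location: http://icecondor.com/xrds.xml
  Cache-Control: private, max-age=0, must-revalidate
HEADERS

# xrds.xml from the slide, re-indented (constructed sample input).
SAMPLE_XRDS = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <XRDS xmlns="xri://$xrds">
    <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
      <Type>xri://$xrds*simple</Type>
      <Expires>2009-12-31T23:59:59Z</Expires>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/request</Type>
        <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
        <URI> https://icecondor.com/oauth/request </URI>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <URI> https://icecondor.com/oauth/authorize </URI>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/access</Type>
        <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
        <URI> https://icecondor.com/oauth/access </URI>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
        <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
        <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
        <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
      </Service>
      <Service priority="10">
        <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
        <LocalID> 0685bd9184jfhq22 </LocalID>
      </Service>
    </XRD>
    <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
      <Type>xri://$xrds*simple</Type>
      <Service priority="10">
        <Type>http://oauth.net/discovery/1.0</Type>
        <URI>#oauth</URI>
      </Service>
    </XRD>
  </XRDS>
XML

ENDPOINT_PREFIX  = 'http://oauth.net/core/1.0/endpoint/'
SIGNATURE_PREFIX = 'http://oauth.net/core/1.0/signature/'

# Find the X-XRDS-Location header (header names are case-insensitive).
def xrds_location(header_text)
  header_text.each_line do |line|
    name, value = line.split(':', 2)
    return value.strip if value && name.strip.casecmp?('X-XRDS-Location')
  end
  nil
end

# Text of the direct children named `name`, whitespace stripped (the slide's URIs are padded).
def child_texts(element, name)
  texts = []
  element.each_element { |c| texts << c.text.to_s.strip if c.name == name }
  texts
end

# endpoint name ("request", "authorize", "access", "resource") => { uri:, signature_methods: }
def parse_oauth_xrds(xml)
  endpoints = {}
  REXML::Document.new(xml).root.each_recursive do |el|
    next unless el.name == 'Service'
    types = child_texts(el, 'Type')
    endpoint_type = types.find { |t| t.start_with?(ENDPOINT_PREFIX) }
    next unless endpoint_type
    endpoints[endpoint_type.delete_prefix(ENDPOINT_PREFIX)] = {
      uri: child_texts(el, 'URI').first,
      signature_methods: types.select { |t| t.start_with?(SIGNATURE_PREFIX) }
                              .map { |t| t.delete_prefix(SIGNATURE_PREFIX) }
    }
  end
  endpoints
end

# What to refuse or flag before using discovered endpoints.
def discovery_warnings(location, endpoints)
  warnings = []
  unless location.to_s.start_with?('https://')
    warnings << "XRDS fetched from #{location} over plain http; the endpoint list is unauthenticated"
  end
  endpoints.each do |name, info|
    uri = info[:uri]
    next if uri.nil? || uri.start_with?('https://')
    warnings << "#{name}: #{uri} is not https"
    warnings << "#{name}: PLAINTEXT over non-https would expose the secrets" if info[:signature_methods].include?('PLAINTEXT')
  end
  warnings
end
```

For the slide's document the parser yields four endpoints (the resource endpoint has no URI, only the HMAC-SHA1 requirement), and the one warning raised is the http:// discovery location.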
Rails OAUTH plugin: http://code.google.com/p/oauth-plugin/

class SandwichApiController < ApplicationController
  # The plugin's filter rejects requests that do not carry a valid OAuth signature.
  before_filter :oauth_required, :only => [:dispense]

  def dispense
  end
end
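The API Call + OAUTH slide summarizes signing as "Variables + token_secret", and the Rails snippet above delegates the matching check to the plugin's `oauth_required` filter. The following is an added example for this page, not the deck's or the oauth-plugin project's code, showing both halves in Ruby as OAuth 1.0 HMAC-SHA1 specifies them: the consumer builds the signature base string from the method, URL and sorted parameters and keys the HMAC with `consumer_secret&token_secret`; the provider recomputes it and, before accepting, also checks the timestamp window and rejects a replayed nonce. The call, consumer key `123abc`, token `abc123` and nonce are the slide's; the host `vending.example`, the consumer secret, the fixed clock value and the use of the slide's `xfz123` as token secret are constructed for the demo.

```ruby
require 'openssl'
require 'base64'

# Percent-encoding as OAuth 1.0 requires (RFC 3986 unreserved set passes through).
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |ch| ch.bytes.map { |b| format('%%%02X', b) }.join }
end

# METHOD & encoded(URL) & encoded(sorted k=v pairs). URL assumed already normalized.
def signature_base_string(http_method, url, params)
  normalized = params.reject { |k, _| k == 'oauth_signature' }
                     .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [http_method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 keyed with consumer_secret&token_secret, base64 encoded.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string))
end

# Consumer side: add oauth_signature to an otherwise complete parameter set.
def sign_request(http_method, url, params, consumer_secret, token_secret)
  base = signature_base_string(http_method, url, params)
  params.merge('oauth_signature' => hmac_sha1_signature(base, consumer_secret, token_secret))
end

# Constant-time comparison so the signature check does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side: what an oauth_required-style filter must establish before letting a request through.
class OauthVerifier
  def initialize(consumer_secrets, token_secrets, clock, window = 300)
    @consumer_secrets = consumer_secrets   # consumer_key => consumer_secret
    @token_secrets = token_secrets         # access token => token_secret
    @clock = clock                         # lambda returning current Unix time
    @window = window                       # accepted clock skew in seconds
    @seen_nonces = {}                      # [consumer_key, timestamp, nonce] => true
  end

  def verify(http_method, url, params)
    return :unsupported_signature_method unless params['oauth_signature_method'] == 'HMAC-SHA1'
    consumer_secret = @consumer_secrets[params['oauth_consumer_key']]
    return :unknown_consumer unless consumer_secret
    token_secret = @token_secrets[params['oauth_token']]
    return :unknown_token unless token_secret

    timestamp = params['oauth_timestamp'].to_i
    return :stale_timestamp if (@clock.call - timestamp).abs > @window
    nonce_key = [params['oauth_consumer_key'], timestamp, params['oauth_nonce']]
    return :replayed_nonce if @seen_nonces.key?(nonce_key)

    expected = hmac_sha1_signature(signature_base_string(http_method, url, params), consumer_secret, token_secret)
    return :bad_signature unless secure_compare(expected, params['oauth_signature'].to_s)

    @seen_nonces[nonce_key] = true   # record the nonce only once the signature is good
    :ok
  end
end

# Constructed sample following the slide's vending-machine call.
DISPENSE_URL     = 'http://vending.example/vendingmachine/dispense'  # host constructed
NOW              = 1_233_705_600                                     # 2009-02-04T00:00:00Z, fixed clock
CONSUMER_SECRETS = { '123abc' => 'consumer-secret-demo' }            # constructed secret
TOKEN_SECRETS    = { 'abc123' => 'xfz123' }                          # secret value borrowed from slide 8

def demo_params
  { 'brand' => 'hershey', 'quantity' => '1', 'change' => 'gold',
    'oauth_token' => 'abc123', 'oauth_consumer_key' => '123abc',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => NOW.to_s, 'oauth_nonce' => 'nonsence' }
end

def demo
  verifier = OauthVerifier.new(CONSUMER_SECRETS, TOKEN_SECRETS, -> { NOW })
  signed = sign_request('PUT', DISPENSE_URL, demo_params, 'consumer-secret-demo', 'xfz123')
  [verifier.verify('PUT', DISPENSE_URL, signed),                                                # fresh, valid
   verifier.verify('PUT', DISPENSE_URL, signed),                                                # same nonce again
   verifier.verify('PUT', DISPENSE_URL, signed.merge('quantity' => '99', 'oauth_nonce' => 'other'))] # tampered body
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The nonce is recorded only after the signature verifies, so an unauthenticated party cannot poison the nonce store and lock out a legitimate consumer's pending request.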