Chirp 2010: Too many secrets, but never enough: OAuth at Twitter
•Descargar como KEY, PDF•
21 recomendaciones•5,257 vistas
Slides from the session given by @raffi and @episod at Chirp. Additional links and slides included.
Recomendados
Más contenido relacionado
La actualidad más candente
Similar a Chirp 2010: Too many secrets, but never enough: OAuth at Twitter
Similar a Chirp 2010: Too many secrets, but never enough: OAuth at Twitter (20)
Último
Último (20)
Chirp 2010: Too many secrets, but never enough: OAuth at Twitter
- 2. Too many secrets but never enough. by Raffi Krikorian & Taylor Singletary Questions? http://bit.ly/chirpoauth #chirpoauth
- 3. OAuth is a dance.
- 4. OAuth Libraries don’t always work right or won’t bend to your will easily. Sometimes you’ve got to get your hands dirty and fix them.
- 5. All OAuth requests are similar at their core. The rules really don’t change.
- 6. The signature base string.
- 7. httpMethod + "&" + url_encode( base_uri ) + "&" + sorted_query_params.each { | k, v | url_encode ( k ) + "%3D" + url_encode ( v ) }.join("%26")
- 8. httpMethod + "&" + url_encode( base_uri ) + "&" + sorted_query_params.each { | k, v | url_encode ( k ) + "%3D" + url_encode ( v ) }.join("%26")
- 10. Signing an OAuth request is easier than you think. Take that signature base string, then sign it using HMAC-SHA1 and the proper signing key
- 11. The proper signing key is a pain point. The access token step, and any resource requests on a user’s behalf utilizes OAuth tokens and secrets to create a composite signing key.
- 12. Two-legged OAuth requests are requests that don’t require a user or oauth_token. Asking for a request token is actually a two-legged OAuth request.
- 13. The algorithm for determining what your “signing key” is url_encode( consumer_secret ) + "&" + url_encode( oauth_token_secret || nil )
- 14. The algorithm for determining what your “signing key” is With an oauth_token_secret signing_key = “abcd&efgh” Without an oauth_token_secret signing_key = “abcd&”
- 15. the OAuth 1.0A Request Cycle
- 17. xAuth & OAuth Echo
- 18. xAuth in Ruby def get_access_token_with_xauth(login, password) consumer = initiate_oauth_consumer_object options = {} options[:x_auth_username] = login options[:x_auth_password] = password options[:x_auth_mode] = "client_auth" url = "https://api.twitter.com/oauth/access_token" response = consumer.token_request(:post, url, nil, {}, options) @access_token = OAuth::AccessToken.from_hash(consumer, response) end
- 19. Working with OAuth Libraries Most OAuth Libraries are similar
- 20. Advice • Learn how to specify HTTP headers explicitly in your OAuth implementation • Master the core components of your OAuth libraries. Follow the code path through so you understand the proper places to introduce different behavior.
- 22. When things go wrong.
- 23. the OAuth Dancer ( hold me closer )
- 24. the OAuth Dancer • Nearly complete solution for testing REST-based API requests with OAuth 1.0A authentication. • Examine the signature base string, authorization headers, and oodles more debug information about requests. • Supports xAuth and two-legged OAuth. • Out-of-band (PIN) support coming soon. • Under perpetual development. OAuth 2.0 support on the way. • Very useful for creating comparative examples, testing internal OAuth implementations, and more. http://bit.ly/oauth-dancer
- 25. What’s on the horizon? Q&A
- 26. Some links OAuth Zero to Hero About OAuth Echo Beginner’s Guide to OAuth Twitter xAuth OAuth Dancer