SlideShare una empresa de Scribd logo

O auth how_to

V
vivaqa
TecnologíaEmpresariales
1 de 43
Descargar para leer sin conexión
Authorization with OAuth Rob Richards October 22, 2009 cdatazone.org http://xri.net/=rob.richards
Authentication • HTTP Authentication • Basic • Digest • TLS/SSL • WS-Security • Developer Keys • 3rd Party Authentication • Yahoo BBAuth • AOL OpenAuth
OAuth An Open Protocol to allow Secure API Authorization
Oauth is not OpenID Oauth Is Like OpenID
Data Authorization Plaxo
OAuth OAuth is like a Valet Key
OAuth OAuth is like a Hotel Keycard
M as ter K ey 101 103 105 107 102 104 106 108
Gues t K ey: Granting Acces s 101 103 105 107 102 104 106 108
Gues t K ey: R evoking Acces s 101 103 105 107 102 104 106 108
M as ter K ey M aintains Full Acces s 101 103 105 107 102 104 106 108
Oauth C lients
OAuth and Netf ix l developer.netf ix.com l
Netf ix API l
Netf ix API: Us er R es ources l
Netf ix Applications ... and many more l
Obtaining a C ons umer K ey / S ecret
Obtaining a C ons umer K ey / S ecret
3-Leg g ed OAuth “The OAuth Dance”
S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token Signed Request Request Token & Secret
S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token? oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback &oauth_consumer_key=1234567890123456789012345 &oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e &oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255631744 &oauth_version=1.0
C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Frequest_token&oauth_callback%3Dhttp%253A%252F %252Fwww.example.com%252Fcallback %26oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D3eb496472d2a46ceb71d65fc1b7341ae359f932c %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp %3D1255631744%26oauth_version%3D1.0
C alculating The S ig nature • Parameters are collected, sorted and concatenated into a normalized string • Parameters in the OAuth HTTP Authorization header excluding the realm parameter. • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). • HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3) • The oauth_signature parameter MUST be excluded • Parameters are sorted by name, using lexicographical byte value ordering
C alculating The S ig nature (Authorization Header) GET /oauth/request_token HTTP/1.1 User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10) Host: api.netfix.com Accept: */* Authorization: OAuth oauth_callback="http%3A%2F %2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345& Sign Base String using algorithm specifed HMAC(1234567890123456789012345&,<Base String>) Base64 encode then URL encode result: oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
S tep 1: Obtaining a R eques t Token (R es pons e) oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_token_secret=EZ2mBk6rC2vZ &oauth_callback_confrmed=true &login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth %2Flogin
S tep 2: Us er Authentication Determined by needs of Service Provider https://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
S tep 2: Us er Authentication Determined by needs of Service Provider Callback oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
S tep 2: Us er Authentication Determined by needs of Service Provider
Oauth Trus t A Matter Of Trust
S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token Signed Request Access Token & Secret
S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a &oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255704433 &oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_verifer=abcdefg &oauth_version=1.0
C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Faccess_token&oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1255704433%26oauth_token %3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg %26oauth_version%3D1.0
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&EZ2mBk6rC2vZ Sign Base String using algorithm specifed HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>) Base64 encode then URL encode result: oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
S tep 3: Obtaining an Acces s Token (R es pons e) oauth_token=5432109876543210987654321 &user_id=123myuserid456 &oauth_token_secret=543210987654321
Acces s ing R es ources http://api.netfix.com/<path to resource> Signed Request Resource
Acces s ing R es ources http://api.netfix.com/users/123myuserid456/queues? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2 &oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255712310 &oauth_token=5432109876543210987654321 &oauth_version=1.0 &v=1.5
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&543210987654321 Sign Base String using algorithm specifed HMAC(1234567890123456789012345&543210987654321,<Base String>) Base64 encode then URL encode result: oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
Acces s ing R es ources (R es pons e) <?xml version="1.0" standalone="yes"?> <resource> <link href="http://api.netfix.com/users/123myuserid456/queues/disc" rel="http://schemas.netfix.com/queues.disc" title="disc queue" /> <link href="http://api.netfix.com/users/123myuserid456/queues/instant" rel="http://schemas.netfix.com/queues.instant" title="instant queue" /> </resource>
Acces s ing R es ources (R es pons e)
M anag ing Acces s Tokens
2-Leg g ed OAuth • No Dance Required • Only Consumer Key and Secret required • Application making requests on its own behalf • Direct Access / No Delegation • Replacement for HTTP Basic Authentication • Sign request just as if they were requests for Request Tokens
Ques tions ? Authorization with OAuth Rob Richards http://xri.net/=rob.richards www.cdatazone.org

Recomendados

OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0G Jayendra Kartheek
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 

Recomendados

OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0G Jayendra Kartheek
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMFernando Lopez Aguilar
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertBrecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth loveNicolas Blanco
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
HTTPS and YOU
HTTPS and YOUHTTPS and YOU
HTTPS and YOUEric Lewis
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure WebservicesMatthias Käppler
 
OAuth簡介
OAuth簡介OAuth簡介
OAuth簡介firestoke
 

Más contenido relacionado

La actualidad más candente

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertBrecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 

La actualidad más candente (18)

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
HTTPS and YOU
HTTPS and YOUHTTPS and YOU
HTTPS and YOU
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 

Similar a O auth how_to

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,apidays
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesMichał Wcisło
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 

Similar a O auth how_to (20)

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
OAuth簡介
OAuth簡介OAuth簡介
OAuth簡介
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Oauth Php App
Oauth Php AppOauth Php App
Oauth Php App
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
Api security
Api security Api security
Api security
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 

Último

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 

Último (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

O auth how_to

  • 1. Authorization with OAuth Rob Richards October 22, 2009 cdatazone.org http://xri.net/=rob.richards
  • 2. Authentication • HTTP Authentication • Basic • Digest • TLS/SSL • WS-Security • Developer Keys • 3rd Party Authentication • Yahoo BBAuth • AOL OpenAuth
  • 3. OAuth An Open Protocol to allow Secure API Authorization
  • 4. Oauth is not OpenID Oauth Is Like OpenID
  • 6. OAuth OAuth is like a Valet Key
  • 7. OAuth OAuth is like a Hotel Keycard
  • 8. M as ter K ey 101 103 105 107 102 104 106 108
  • 9. Gues t K ey: Granting Acces s 101 103 105 107 102 104 106 108
  • 10. Gues t K ey: R evoking Acces s 101 103 105 107 102 104 106 108
  • 11. M as ter K ey M aintains Full Acces s 101 103 105 107 102 104 106 108
  • 13. OAuth and Netf ix l developer.netf ix.com l
  • 15. Netf ix API: Us er R es ources l
  • 16. Netf ix Applications ... and many more l
  • 17. Obtaining a C ons umer K ey / S ecret
  • 18. Obtaining a C ons umer K ey / S ecret
  • 19. 3-Leg g ed OAuth “The OAuth Dance”
  • 20. S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token Signed Request Request Token & Secret
  • 21. S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token? oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback &oauth_consumer_key=1234567890123456789012345 &oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e &oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255631744 &oauth_version=1.0
  • 22. C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Frequest_token&oauth_callback%3Dhttp%253A%252F %252Fwww.example.com%252Fcallback %26oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D3eb496472d2a46ceb71d65fc1b7341ae359f932c %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp %3D1255631744%26oauth_version%3D1.0
  • 23. C alculating The S ig nature • Parameters are collected, sorted and concatenated into a normalized string • Parameters in the OAuth HTTP Authorization header excluding the realm parameter. • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). • HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3) • The oauth_signature parameter MUST be excluded • Parameters are sorted by name, using lexicographical byte value ordering
  • 24. C alculating The S ig nature (Authorization Header) GET /oauth/request_token HTTP/1.1 User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10) Host: api.netfix.com Accept: */* Authorization: OAuth oauth_callback="http%3A%2F %2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
  • 25. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345& Sign Base String using algorithm specifed HMAC(1234567890123456789012345&,<Base String>) Base64 encode then URL encode result: oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
  • 26. S tep 1: Obtaining a R eques t Token (R es pons e) oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_token_secret=EZ2mBk6rC2vZ &oauth_callback_confrmed=true &login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth %2Flogin
  • 27. S tep 2: Us er Authentication Determined by needs of Service Provider https://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
  • 28. S tep 2: Us er Authentication Determined by needs of Service Provider Callback oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
  • 29. S tep 2: Us er Authentication Determined by needs of Service Provider
  • 30. Oauth Trus t A Matter Of Trust
  • 31. S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token Signed Request Access Token & Secret
  • 32. S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a &oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255704433 &oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_verifer=abcdefg &oauth_version=1.0
  • 33. C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Faccess_token&oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1255704433%26oauth_token %3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg %26oauth_version%3D1.0
  • 34. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&EZ2mBk6rC2vZ Sign Base String using algorithm specifed HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>) Base64 encode then URL encode result: oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
  • 35. S tep 3: Obtaining an Acces s Token (R es pons e) oauth_token=5432109876543210987654321 &user_id=123myuserid456 &oauth_token_secret=543210987654321
  • 36. Acces s ing R es ources http://api.netfix.com/<path to resource> Signed Request Resource
  • 37. Acces s ing R es ources http://api.netfix.com/users/123myuserid456/queues? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2 &oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255712310 &oauth_token=5432109876543210987654321 &oauth_version=1.0 &v=1.5
  • 38. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&543210987654321 Sign Base String using algorithm specifed HMAC(1234567890123456789012345&543210987654321,<Base String>) Base64 encode then URL encode result: oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
  • 39. Acces s ing R es ources (R es pons e) <?xml version="1.0" standalone="yes"?> <resource> <link href="http://api.netfix.com/users/123myuserid456/queues/disc" rel="http://schemas.netfix.com/queues.disc" title="disc queue" /> <link href="http://api.netfix.com/users/123myuserid456/queues/instant" rel="http://schemas.netfix.com/queues.instant" title="instant queue" /> </resource>
  • 40. Acces s ing R es ources (R es pons e)
  • 41. M anag ing Acces s Tokens
  • 42. 2-Leg g ed OAuth • No Dance Required • Only Consumer Key and Secret required • Application making requests on its own behalf • Direct Access / No Delegation • Replacement for HTTP Basic Authentication • Sign request just as if they were requests for Request Tokens
  • 43. Ques tions ? Authorization with OAuth Rob Richards http://xri.net/=rob.richards www.cdatazone.org