Integrating services with
Luca Mearelli Web2Expo - Berlin 2008
Web 2.0 means sharing data through APIs
Users want to access their data using many services
Developers want to satisfy their users (and make it easy for them)
Service providers need to keep their users' data secure
welcome
the password antipattern
Image from http://www.codinghorror.com/blog/archives/001072.html
Passwords are precious
Stop asking for them
Stop the antipattern
How to delegate access?
Your valet key for the web
a play in 3 acts (to exchange authorization)
Actors on the scene: User, Consumer, Service Provider
Prologue: where the Consumer presents himself to the Service Provider
Consumer (to Service Provider): here I am, this is what I do
[diagram: consumer -> service provider]
Consumer key, Consumer secret
First act: where the Consumer obtains an unauthorized Request Token
Consumer (to Service Provider): give me a request token
[diagram: consumer -> service provider]
oauth_consumer_key, oauth_signature_method, oauth_signature, oauth_timestamp, oauth_nonce, oauth_version (optional)
[additional parameters]
Service Provider (to Consumer): here is the request token (you can use it only once!)
[diagram: service provider -> consumer]
oauth_token (request token), oauth_token_secret
[additional parameters]
Second act: where the User authorizes the Request Token
Consumer (to the User): please go to the Service Provider and authorize this request
[diagram: consumer -> user -> service provider]
oauth_token (request token), oauth_callback
[additional parameters]
Service Provider (to the User): do you authorize the consumer to access your data?
User (to the Service Provider): YES! (or maybe NO :-) )
Service Provider (to the User): you can go back to the consumer
[diagram: service provider <-> user, then user -> consumer]
oauth_token (request token)
Third act: where the Consumer exchanges the Request Token for an Access Token
Consumer (to the Service Provider): please give me the access token for the user
[diagram: consumer -> service provider]
oauth_consumer_key, oauth_token (request token), oauth_signature_method, oauth_signature, oauth_timestamp, oauth_nonce, oauth_version (optional)
Service Provider (to the Consumer): here is the access token for the user
[diagram: service provider -> consumer]
oauth_token (access token), oauth_token_secret
[additional parameters]
Epilogue: where the Consumer accesses the resources
Consumer (to the Service Provider): here I am again, on behalf of the user
[diagram: consumer -> service provider]
oauth_consumer_key, oauth_token (access token), oauth_signature_method, oauth_signature, oauth_timestamp, oauth_nonce, oauth_version (optional)
[additional parameters]
The details...
OAuth parameters exchange: HTTP Authorization header, HTTP POST body, URL query parameters
Request signing algorithms: PLAINTEXT, HMAC-SHA1, RSA-SHA1
Signature base string: a consistent, reproducible concatenation of the request elements into a single string
Other security measures: nonces, timestamps
Service setup: OAuth discovery (XRDS)
<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
  <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Expires>2008-12-31T23:59:59Z</Expires>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
      <LocalID>0685bd9184jfhq22</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <URI>https://api.example.com/session/login</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/access</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/activate</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/request</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/request</URI>
    </Service>
  </XRD>
  <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0</Type>
      <URI>#oauth</URI>
    </Service>
  </XRD>
</XRDS>
Benefits: granular authorization, easy grant and revoke, tracking of use
Many open/free libraries: use them, contribute to them
Challenges
UI/UX for the Service Provider: provide basic information to the user, ease the user's choice, link to / enable getting deeper info
UI/UX for the Consumer: explain what's happening, educate the user, use the right language
Security considerations: confidentiality of requests; spoofing, proxying, phishing; secrecy of credentials; cryptographic issues; denial of service / resource exhaustion
Beyond the browser: mobile devices, installable applications
The sequel: OAuth over XMPP
<iq from='[email protected]/bot' id='sub1' to='feeds.worldgps.tld' type='set'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub'>
    <subscribe node='bard_geoloc'/>
    <oauth xmlns='urn:xmpp:tmp:oauth'>
      <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>
      <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce>
      <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature>
      <oauth_signature_method>HMAC-SHA1</oauth_signature_method>
      <oauth_timestamp>1218137833</oauth_timestamp>
      <oauth_token>ad180jjd733klru7</oauth_token>
      <oauth_version>1.0</oauth_version>
    </oauth>
  </pubsub>
</iq>
The moral: integrating services can be done without asking for or storing the users' credentials, while at the same time gaining flexibility and control.
Links!
http://oauth.net
http://oauth.net/core/1.0/
http://code.google.com/p/oauth/
http://groups.google.com/group/oauth/
http://oauth.net/discovery/1.0
Thanks for listening!!
Luca Mearelli http://spazidigitali.com
[email protected]