Post on 17-May-2015
OAuth: Basic Introduction
What is OAuth?
A simple open standard for secure API authentication.
The Love Triangle
(diagram: End User, Service Provider, Consumer Application; fake applications by EHL)
http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
• Authentication
Need to log in to access parts of a website
ex: bookmark a link, post a photo, add a friend, view a private message
• Token-based Authentication
Logged-in user has a unique token used to access data from the site
Specifically OAuth is...
Similar to...
• Flickr Auth
• Google’s AuthSub
• Yahoo’s BBAuth
• Facebook Auth
• and others...
Who is involved?
Be Simple
Goals:
• standard for website API authentication
• consistent for developers
• easy for users to understand *
* this is hard
Be Secure
Goals:
• secure for users
• easy to implement security features for developers
• balance security with ease of use
Be Open
Goals:
• any website can implement OAuth
• any developer can use OAuth
• open source client libraries
• published technical specifications
Be Flexible
Goals:
• don’t need a username and password
• authentication method agnostic
• can use OpenID (or not!)
• whatever works best for the web service
• developers don’t need to handle auth
What the end user sees...
an example from ma.gnolia and nsyght.
OMG! Need to login!
Login with service provider
Authorize
Done!
How Does OAuth Work?
(for developers)
Register a Consumer Application
• Provide service provider with data about your application (name, creator, url etc...)
• Service provider assigns consumer a consumer key and consumer secret
• Service provider gives documentation of authorization URLs and methods
Authorization Process
1. Obtain request token
2. User authorizes request token
3. Exchange request token for access token
4. Use access token to obtain protected resources
OAuth Parameters
• oauth_consumer_key
• oauth_token
• oauth_signature
• oauth_signature_method
• oauth_timestamp
• oauth_nonce
Where is this information passed?
• HTTP Authorization header
• HTTP POST request body (form params)
• URL query string parameters
Security
• Tokens - aren’t passing username/password
• Timestamp and nonce - verify unique requests
• Signature - parameters signed with the consumer (and token) secret let the service provider verify the request really came from the registered consumer
• Signature methods - HMAC-SHA1, RSA-SHA1, Plaintext over a secure channel (such as SSL)
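As an added example (not code from the original deck), here is the HMAC-SHA1 signing and verification described above in Python, following the OAuth Core 1.0 / RFC 5849 signature base string rules. The sample request and the two secrets are the ones printed in RFC 5849 section 3.4.1.1; the ReplayCache class and its 300-second window are my own assumption of how a service provider checks the timestamp and nonce.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # OAuth uses RFC 3986 encoding: only unreserved characters stay unencoded.
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # params: (name, value) pairs from the form body plus the oauth_* parameters
    # (never oauth_signature or realm); the URL's own query pairs are merged in here.
    u = urlsplit(url)
    host = u.hostname
    if u.port and (u.scheme, u.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{u.port}"  # only non-default ports are kept
    pairs = list(params) + parse_qsl(u.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # encode, then sort by name and value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(f"{u.scheme.lower()}://{host}{u.path}"), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    # Signing key is consumer_secret&token_secret; token_secret is empty at the request-token step.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class ReplayCache:
    """Service-provider side (assumed design): a timestamp/nonce pair is accepted once, inside the window."""
    def __init__(self, window=300):
        self.window, self.seen = window, set()
    def accept(self, consumer_key, timestamp, nonce, now=None):
        now = time.time() if now is None else now
        if abs(now - int(timestamp)) > self.window or (consumer_key, timestamp, nonce) in self.seen:
            return False
        self.seen.add((consumer_key, timestamp, nonce))
        return True

def verify_request(method, url, params, signature, consumer_secret, token_secret, cache, now=None):
    # Recompute the signature from what was received, compare in constant time, then reject replays.
    p = dict(params)
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(expected, signature):
        return False
    return cache.accept(p["oauth_consumer_key"], p["oauth_timestamp"], p["oauth_nonce"], now)

# Sample input taken from RFC 5849 section 3.4.1.1 (form body "c2&a3=2+q", query in the URL).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_PARAMS = [("c2", ""), ("a3", "2 q"), ("oauth_consumer_key", "9djdj82h48djs9d2"),
              ("oauth_token", "kkk9d7dh3k39sjv7"), ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "137131201"), ("oauth_nonce", "7d8f3e4a")]
```

Calling signature_base_string("POST", RFC_URL, RFC_PARAMS) reproduces the base string printed in the RFC; a second verify_request with the same timestamp and nonce is refused as a replay even though its signature is valid.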
Current Status of OAuth
• oauth.net
• OAuth Core 1.0 Draft 7
• several libraries for consumers and service providers (PHP, Python, Ruby, Perl, C# ...)
• Ma.gnolia and Twitter implementations
• more implementations soon!
Chris is still working on the logo...
Thanks!