Maintest 100713212237-phpapp02-100714080303-phpapp02

48
Open Authentication Introduction Definitions Protocol Workflow OAuth Tokens Security Architecture OAuth and Twitter Coding Oauth Demo Troubleshooting

Transcript of Maintest 100713212237-phpapp02-100714080303-phpapp02

Page 1: Maintest 100713212237-phpapp02-100714080303-phpapp02

Open AuthenticationIntroductionDefinitionsProtocol WorkflowOAuth TokensSecurity ArchitectureOAuth and TwitterCoding OauthDemoTroubleshooting

Page 2: Maintest 100713212237-phpapp02-100714080303-phpapp02

OAuth?

Oaths is an authorization standard for API’s that does away with logins and passwords to grant authorization to a third-party

Page 3: Maintest 100713212237-phpapp02-100714080303-phpapp02

Every day a new websites are launched which tie services from different sites and offer you

Why OAuth?

Page 4: Maintest 100713212237-phpapp02-100714080303-phpapp02

Service providerThe website or web-service where the restricted resources are located

UserUser have ‘stuff’ they don’t want to make pubic on the service provider but they do want to share it with another site

Consumer

The name for the application trying access the users resources

Protected ResourcesThe ‘stuff’ oauth protects and allow access.

TokensTokens are used instead of user credentials to access resources

OAuth Definitions

Page 5: Maintest 100713212237-phpapp02-100714080303-phpapp02

OAuth : Protocol Workflow

Page 6: Maintest 100713212237-phpapp02-100714080303-phpapp02

Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her faji.com account, and uploads two photos which she marks private.

Using OAuth terminology Jane is the User Faji is the Service Provider. The 2 photos Jane uploaded are the Protected Resources.

OAuth Example

Page 7: Maintest 100713212237-phpapp02-100714080303-phpapp02

Jane wants to share them with her grandmother. But grandma doesn’t have an internet connection so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service.

Using OAuth terminology, ◦ Beppa is the Consumer. ◦ Beppa must use OAuth to gain access to the photos in order to print them.

Page 8: Maintest 100713212237-phpapp02-100714080303-phpapp02

When Beppa added support for Faji photo import, a Beppa developer known in OAuth as a Consumer Developer obtained a Consumer Key and Consumer Secret from Faji to be used with Faji’s OAuth-enabled API.

Using OAuth terminology, ◦ Consumer Key ◦ Consumer secret

Page 9: Maintest 100713212237-phpapp02-100714080303-phpapp02

Beppa requests from Faji a Request Token. At this point, the Request Token is not User-specific, and can be used by Beppa to gain User approval from Jane to access her private photos.

Using OAuth terminology, ◦ Request Token

Page 10: Maintest 100713212237-phpapp02-100714080303-phpapp02

When Beppa receives the Request Token, it redirects Jane to the Faji OAuth User Authorization URL with the Request Token and asks Faji to redirect Jane back once approval has been granted to http://beppa.com/order.

Using OAuth terminology, ◦ Oauth User Authorization URL◦ Call Back URL

Page 11: Maintest 100713212237-phpapp02-100714080303-phpapp02

After successfully logging into Faji, Jane is asked to grant access to Beppa, the Consumer. Faji informs Jane of who is requesting access (in this case Beppa) and the type of access being granted. Jane can approve or deny access.

Page 12: Maintest 100713212237-phpapp02-100714080303-phpapp02

Jane waits for Beppa to present her with her photos fetched from her Faji account.

Page 13: Maintest 100713212237-phpapp02-100714080303-phpapp02

While Jane waits, Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Jane’s photos.

In the first request, Beppa exchanges the Request Token for an Access Token and in the second (can be multiple requests, one for a list of photos, and a few more to get each photo) request gets the photos.

Using OAuth terminology, ◦ Access Token

Page 14: Maintest 100713212237-phpapp02-100714080303-phpapp02

Jane is very impressed how Beppa grabbed her photos without asking for her username and password. She likes what she sees and place the print order.

Page 15: Maintest 100713212237-phpapp02-100714080303-phpapp02
Page 16: Maintest 100713212237-phpapp02-100714080303-phpapp02

OAuth uses three types of credentials

◦ Client credentials (consumer key and secret)◦ Temporary credentials (request token and

secret)◦ Token credentials (access token and secret)

Tokens

Page 17: Maintest 100713212237-phpapp02-100714080303-phpapp02

◦ Allows server to authenticate server◦ Allows server to get information about the client

Oauth_consumer_key Oauth_consumer_secret

Client Credentials

Page 18: Maintest 100713212237-phpapp02-100714080303-phpapp02

◦ Token credentials are in place of username and password

◦ The client uses token credentials to access resource owner protected resource

◦ Token credentials are limited in scope and duration Oauth_access_token Oauth_access_secret

Token Credentials

Page 19: Maintest 100713212237-phpapp02-100714080303-phpapp02

◦ Used to identify the authorization request◦ To accommodate different clients like desktop, mobile etc.◦ Add extra flexibility and security

Oauth_token Oauth_token_secret

Temporary credentials

Page 20: Maintest 100713212237-phpapp02-100714080303-phpapp02

OAuth Security Architecture

Page 21: Maintest 100713212237-phpapp02-100714080303-phpapp02

OAuth uses digital signatures instead of sending the full credentials (specifically, passwords) with each request. 

The sender uses a mathematical algorithm to calculate the signature of the request and includes it with the request.

Signature and Hash

Page 22: Maintest 100713212237-phpapp02-100714080303-phpapp02

A common way to sign digital content is using a hash algorithm. 

Hashing is the process of taking data (of any size) and condensing it to a much smaller value (digest) in a fully reproducible (one-way) manner

This means that using the same hash algorithm on the same data will always produce the same smaller value

Hashing usually does not allow going from the smaller value back to the original.

Hash Algorithm

Page 23: Maintest 100713212237-phpapp02-100714080303-phpapp02

By itself, hashing does not verify the identity of the sender, only data integrity.

In order to allow the recipient to verify that the request came from the claimed sender, the hash algorithm is combined with a shared secret

If both sides agree on some shared secret known only to them, they can add it to the content being hashed.

Shared Secret

Page 24: Maintest 100713212237-phpapp02-100714080303-phpapp02

What is missing is something to prevent requests intercepted by an unauthorized party, usually by sniffing the network, from being reused. This is known as a replay attack.

Able to make the same sign request over and over again.

To prevent compromised requests from being used again (replayed), OAuth uses a nonce and timestamp.

By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once

Nonce(‘Number used Once’)

Page 25: Maintest 100713212237-phpapp02-100714080303-phpapp02

Using nonces can be very costly for Service Providers as they demand persistent storage of all nonce values received, ever.

OAuth adds a timestamp value to each request which allows the Service Provider to only keep nonce values for a limited time.

When a request comes in with a timestamp that is older than the retained time frame, it is rejected as the Service Provider no longer has nonces from that time period.

TimeStamp

Page 26: Maintest 100713212237-phpapp02-100714080303-phpapp02

OAuth defines 3 signature methods used to sign and verify requests◦ PLAINTEXT◦ HMAC-SHA1◦ RSA-SHA1

When signing requests, it is necessary to specify which signature method has been used to allow the recipient to reproduce the signature for verification

The decision of which signature method to use depends on the security requirements of each application

Signature Methods

Page 27: Maintest 100713212237-phpapp02-100714080303-phpapp02

Not only must they both use the same algorithm and share secret, but they must sign the same content. 

This requires a consistent method for converting HTTP requests into a single string which is used as the signed content — the Signature Base String.. 

Signature Base String

Page 28: Maintest 100713212237-phpapp02-100714080303-phpapp02

Building a reqestToken request requires the following:◦ HTTP Method,◦ Request URI,◦ oauth_callback,◦ oauth_consumer_key,◦ oauth_nonce,◦ oauth_signature_method,◦ oauth_timestamp ◦ oauth_version

Getting the Request Token

Page 29: Maintest 100713212237-phpapp02-100714080303-phpapp02

HTTP Method POST

Request URI https://api.twitter.com/oauth/request_token

Oauth_callback http://localhost/yqlproject/tweet1.html

Oauth_consumer_key ctT3Y6mUmJeXqqCp5wqw

Oauth_nonce avVTWT

Oauth_signature_method HMAC-SHA1

Oauth_timestamp 1279108728

Oauth_version 1.0

oauth_signature o2KIMa53v7vlKuXnFe1wHza0sGc=

Getting the Request Token First build your string to sign

Page 30: Maintest 100713212237-phpapp02-100714080303-phpapp02

First build your string to sign

These parameters get sorted alphabetically, each value is URL escaped, and than concatenated into a single string.

Getting the Request Token

Page 31: Maintest 100713212237-phpapp02-100714080303-phpapp02

Create your Authorization HTTP Header & and Issue the request

Now we sign this string using our consumer secret and create an HTTP Authorization header. The signature should be placed in the oauth_signature value

Getting the Request token

Page 32: Maintest 100713212237-phpapp02-100714080303-phpapp02

Now we issue this request to the requestToken endpoint, and if all is sucessful,you will get something like the following URL encoded response:

The oauth_token field is now your request token, and the oauth_token_secret will be used for signing your request for an access toen.oaut_callback_confirmed just gives you confirmation the we recognized your oauth_callback parameter

You will want to “hold on” to oauth_token and oauth_token_secret until you have completed the access token step

Evaluate the Request Token

Page 33: Maintest 100713212237-phpapp02-100714080303-phpapp02

Now that we have a request token, we can build the url to authorize the user. we will then redirect the user to this url so they can grant your application access.

An authorization url is simply this end point:https://api.twitter.com/oauth/authorize with a query parameter tacked on called oauth_token.the value for this parameter is equal to the request token you received in the previous step.

The user needs to land on this page within 5 minutes of your request take cycle. you should not pass an oauth_callback parameter to this page(you already did that in the request token step)

Authorizing the member

Build your Authorization URL

https://api.twitter.com/oauth/authorize?oauth_token=O6npS44e8ZPQfVcYfHVTGXtnLVBQ4xn8Wu2eBFtPNQ

Page 34: Maintest 100713212237-phpapp02-100714080303-phpapp02

The user will then be sent to our authorization page. when completed the user will either be sent back to your oauth_callback URL or presented with a series of digits they will be instructed to hand-enter into your application(if you are performing out-of-band authentication)

Authorizing the member

Send the user to Twitter Authorization Page

Page 35: Maintest 100713212237-phpapp02-100714080303-phpapp02
Page 36: Maintest 100713212237-phpapp02-100714080303-phpapp02
Page 37: Maintest 100713212237-phpapp02-100714080303-phpapp02

Regardless of whether you used out-of-band authentication or not, you will now be equipped with a request token an oauth_token_secret and an oauth_verfier.you are now going to exchange that request token for an access token, imbued with permission of the Twitter member to act on their behalf

Getting an Access token

Prepare your singing secret

Page 38: Maintest 100713212237-phpapp02-100714080303-phpapp02

HTTP Method POST

Request URI https://api.twitter.com/oauth/access_token

Oauth_callback http://localhost/yqlproject/tweet1.html

Oauth_consumer_key pK3cx0tphXcRRT5dGsKqA

Oauth_nonce OyTtr0

Oauth_signature_method HMAC-SHA1

Oauth_timestamp 1279109741

Oauth_version 1.0

oauth_token awT3Y6mUmJeXqqCp5wqw

oauth_signature 6upwrEDWuBvOSxFYklkfDO832bA=

Getting the Access Token First build your string to sign

Page 39: Maintest 100713212237-phpapp02-100714080303-phpapp02

First build your string to sign

These parameters get sorted alphabetically, each value is URL escaped, and than concatenated into a single string.

Getting the Access Token

Page 40: Maintest 100713212237-phpapp02-100714080303-phpapp02

Create your Authorization HTTP Header & and Issue the request

Now we sign this string using our request token secret and create an HTTP Authorization header. The signature should be placed in the oauth_signature value

Getting the Access token

Page 41: Maintest 100713212237-phpapp02-100714080303-phpapp02

Now we issue this request to the aceessToken endpoint, and if all is sucessful,you will get something like the following URL encoded response:

The oauth_token field is now your access token, and the auth_toke_secert will be used for signing all request on behalf of the member.

You will want to “hold on” to oauth_token and oauth_token_secret until you have completed the access token step

Evaluate the Access Token

Page 42: Maintest 100713212237-phpapp02-100714080303-phpapp02
Page 43: Maintest 100713212237-phpapp02-100714080303-phpapp02

Get Followers/ids

Page 44: Maintest 100713212237-phpapp02-100714080303-phpapp02
Page 45: Maintest 100713212237-phpapp02-100714080303-phpapp02

XML Response

Page 46: Maintest 100713212237-phpapp02-100714080303-phpapp02

Oauth is complicated, and there are a number of things that go wrong.

Here are some tips.◦ Every error response we send you will contain an xml body describing the error, including a

timestamp representing server time. Some oauth-based requests will also return an OAUTH_PROBLEM http header

◦ Make sure that your server’s system clock is in sync with ours

◦ Oauth_callback should only be provided on the request token step.

◦ Oauth_verifier is required in the access Token.

◦ PUT & POST operations typically have xml content-types. your oauth library should exclude the request body in signature calculations as a result.

◦ For the access token step, remember that the request tokens oauth_token_secret must be used as part of your signing key

◦ Likewise, for all resource requests, your access tokens oauth_token_secret must be used as part of your signing key.

Troubleshooting

Page 47: Maintest 100713212237-phpapp02-100714080303-phpapp02

http://oauth.net/ http://hueniverse.com/oauth/ http://developer.yahoo.com/oauth/ http://dev.twitter.com/pages/oauth_faq

References

Page 48: Maintest 100713212237-phpapp02-100714080303-phpapp02