Upload File

authorization with oauth

43

Click here to load reader

Upload: vivastream

Post on 17-May-2015

887 views

Category:

Documents


2 download

Report

Tags:

TRANSCRIPT

Page 1: Authorization with oAuth

Authorization with OAuth

Rob Richards

October 22, 2009

cdatazone.org

http://xri.net/=rob.richards

Page 2: Authorization with oAuth

Authentication

• HTTP Authentication• Basic

• Digest

• TLS/SSL

• WS-Security

• Developer Keys

• 3rd Party Authentication• Yahoo BBAuth

• AOL OpenAuth

Page 3: Authorization with oAuth

OAuth

An Open Protocol

to allow

Secure API Authorization

Page 4: Authorization with oAuth

Oauth is not OpenID

Oauth

Is Like

OpenID

Page 5: Authorization with oAuth

Data Authorization

Plaxo

Page 6: Authorization with oAuth

OAuth

OAuth

is like a

Valet Key

Page 7: Authorization with oAuth

OAuth

OAuth

is like a

Hotel Keycard

Page 8: Authorization with oAuth

M aster Key

101 103 105 107

102 104 106 108

Page 9: Authorization with oAuth

Guest Key: Granting Access

101 103 105 107

102 104 106 108

Page 10: Authorization with oAuth

Guest Key: Revoking Access

101 103 105 107

102 104 106 108

Page 11: Authorization with oAuth

M aster Key M aintains Full Access

101 103 105 107

102 104 106 108

Page 12: Authorization with oAuth

Oauth C lients

Page 13: Authorization with oAuth

OAuth and Netfl ix

developer.netfl ix.com

Page 14: Authorization with oAuth

Netfl ix API

Page 15: Authorization with oAuth

Netfl ix API: User Resources

Page 16: Authorization with oAuth

Netfl ix Applications... and many more

Page 17: Authorization with oAuth

Obtaining a Consumer Key / Secret

Page 18: Authorization with oAuth

Obtaining a Consumer Key / Secret

Page 19: Authorization with oAuth

3-Legged OAuth“The OAuth Dance”

Page 20: Authorization with oAuth

S tep 1: Obtaining a Request Token

http://api.netfix.com/oauth/request_token

Signed Request

Request Token & Secret

Page 21: Authorization with oAuth

S tep 1: Obtaining a Request Token

http://api.netfix.com/oauth/request_token?

oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback

&oauth_consumer_key=1234567890123456789012345

&oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e

&oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D

&oauth_signature_method=HMAC-SHA1

&oauth_timestamp=1255631744

&oauth_version=1.0

Page 22: Authorization with oAuth

Calculating The S ignature

Calculate Base String

<HTTP method>&<canonicalized URL path>&<parameters>

GET&http%3A%2F%2Fapi.netfix.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Fwww.example.com%252Fcallback%26oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D3eb496472d2a46ceb71d65fc1b7341ae359f932c%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255631744%26oauth_version%3D1.0

Page 23: Authorization with oAuth

Calculating The S ignature

• Parameters are collected, sorted and concatenated into a normalized string• Parameters in the OAuth HTTP Authorization header excluding the realm

parameter.

• Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded).

• HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3)

•The oauth_signature parameter MUST be excluded•Parameters are sorted by name, using lexicographical byte

value ordering

Page 24: Authorization with oAuth

Calculating The S ignature (Authorization Header)

GET /oauth/request_token HTTP/1.1

User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10)

Host: api.netfix.com

Accept: */*

Authorization: OAuth oauth_callback="http%3A%2F%2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"

Page 25: Authorization with oAuth

Calculating The S ignature

Create Secret

<consumer secret>&<token secret>

1234567890123456789012345&

Sign Base String using algorithm specifed

HMAC(1234567890123456789012345&,<Base String>)

Base64 encode then URL encode result:

oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D

Page 26: Authorization with oAuth

S tep 1: Obtaining a Request Token (Response)

oauth_token=bqba9rku48yacfatjxjw3fkc

&oauth_token_secret=EZ2mBk6rC2vZ

&oauth_callback_confrmed=true

&login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth%2Flogin

Page 27: Authorization with oAuth

S tep 2: User Authentication

Determined by needs of Service Providerhttps://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc

Page 28: Authorization with oAuth

S tep 2: User Authentication

Determined by needs of Service Provider

oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg

Callback

Page 29: Authorization with oAuth

S tep 2: User Authentication

Determined by needs of Service Provider

Page 30: Authorization with oAuth

Oauth Trust

A MatterOf

Trust

Page 31: Authorization with oAuth

S tep 3: Obtaining an Access Token

http://api.netfix.com/oauth/access_token

Signed Request

Access Token & Secret

Page 32: Authorization with oAuth

S tep 3: Obtaining an Access Token

http://api.netfix.com/oauth/access_token?

oauth_consumer_key=1234567890123456789012345

&oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a

&oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D

&oauth_signature_method=HMAC-SHA1

&oauth_timestamp=1255704433

&oauth_token=bqba9rku48yacfatjxjw3fkc

&oauth_verifer=abcdefg

&oauth_version=1.0

http://api.netflix.com/oauth/access_token
Page 33: Authorization with oAuth

Calculating The S ignature

Calculate Base String

<HTTP method>&<canonicalized URL path>&<parameters>

GET&http%3A%2F%2Fapi.netfix.com%2Foauth%2Faccess_token&oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255704433%26oauth_token%3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg%26oauth_version%3D1.0

Page 34: Authorization with oAuth

Calculating The S ignature

Create Secret

<consumer secret>&<token secret>

1234567890123456789012345&EZ2mBk6rC2vZ

Sign Base String using algorithm specifed

HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>)

Base64 encode then URL encode result:

oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D

Page 35: Authorization with oAuth

S tep 3: Obtaining an Access Token (Response)

oauth_token=5432109876543210987654321

&user_id=123myuserid456

&oauth_token_secret=543210987654321

Page 36: Authorization with oAuth

Accessing Resources

Signed Request

Resource

http://api.netfix.com/<path to resource>

http://api.netflix.com/
Page 37: Authorization with oAuth

Accessing Resources

http://api.netfix.com/users/123myuserid456/queues?

oauth_consumer_key=1234567890123456789012345

&oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2

&oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D

&oauth_signature_method=HMAC-SHA1

&oauth_timestamp=1255712310

&oauth_token=5432109876543210987654321

&oauth_version=1.0

&v=1.5

http://api.netflix.com/users/123myuserid456/queues
Page 38: Authorization with oAuth

Calculating The S ignature

Create Secret

<consumer secret>&<token secret>

1234567890123456789012345&543210987654321

Sign Base String using algorithm specifed

HMAC(1234567890123456789012345&543210987654321,<Base String>)

Base64 encode then URL encode result:

oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D

Page 39: Authorization with oAuth

Accessing Resources (Response)

<?xml version="1.0" standalone="yes"?>

<resource>

<link href="http://api.netfix.com/users/123myuserid456/queues/disc"

rel="http://schemas.netfix.com/queues.disc" title="disc queue" />

<link href="http://api.netfix.com/users/123myuserid456/queues/instant"

rel="http://schemas.netfix.com/queues.instant"

title="instant queue" />

</resource>

http://api.netflix.com/users/123myuserid456/queues/disc
http://api.netflix.com/users/123myuserid456/queues/instant
Page 40: Authorization with oAuth

Accessing Resources (Response)

Page 41: Authorization with oAuth

M anaging Access Tokens

Page 42: Authorization with oAuth

2-Legged OAuth

• No Dance Required

• Only Consumer Key and Secret required

• Application making requests on its own behalf

• Direct Access / No Delegation

• Replacement for HTTP Basic Authentication

• Sign request just as if they were requests for Request Tokens

Page 43: Authorization with oAuth

Authorization with OAuth

Rob Richards

http://xri.net/=rob.richardswww.cdatazone.org

Questions?


OAuth based AuthN/ AuthZ in DIRAC€¦ · OAuth/OIDC/SSO 7 } OAuth 2.0 is the industry-standard delegation protocol for conveying authorization decisions across a network of web-enabled

Introduction to OpenID Connect - self-issued.infoself-issued.info/presentations/OpenID_Connect... · •OAuth 2.0 Form Post Response Mode –Defines how to return OAuth 2.0 Authorization

Category: Standards Track The OAuth 2.0 Authorization Framework · 2012. 10. 12. · The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a

swiss-rx-login - RefdataTesting it in the Google OAuth 2.0 Playground (Authorization Grant, Server-side OAuth flow) Google offers a nice online playground to experiment with any OAuth2

Make Redirection Evil Again URL Parser Issues in OAuth...History of Redirection Issues in OAuth •Dec 2012. In RFC 6749 - The OAuth 2.0 Authorization Framework • The authorization

An OAuth-Based Authorization Remote Collaboration Systems

The OAuth 2.0 Authorization Frameworkself-issued.info/docs/draft-ietf-oauth-v2-30.pdf · 2012. 7. 15. · The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30 Abstract The

The OAuth 2.0 Authorization Protocol · The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Oracle Access Management OAuth Service€¦ · OAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0

OAuth with OpenPNE3

The OAuth 2.0 Authorization Framework - self-issuedself-issued.info/docs/draft-ietf-oauth-v2.pdfTOC TOC This specification is designed for use with HTTP ( ). The use of OAuth over

Authorization for Internet of Things using OAuth 2.0

CHAPTER 4 OAUTH€¦ · 2 OBJECTIVES After completing “OAuth,” you will be able to: Identify issues of authorization for RESTful services. Explain the OAuth standard for establishing

Building Office 365 App with AAD OAuth - Microsoft · OAuth •Widely adopted open standard for authorization •Provides client app a “secure delegated access” to server resources

(4) OAuth 2.0 Obtaining Authorization

The OAuth 2.0 Authorization Framework

The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

Authorization with OAuth - CDATA Zone

The OAuth 2.0 Authorization for the Internet of Things · PDF file Thesis Title: The OAuth 2.0 Authorization for the Internet of Things Description of the units: The Networked Embedded

RFC 6749 - The OAuth 2.0 Authorization Framework...The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a third-party application to obtain

OAuth and OpenID Connect · OAuth 2.0 authorization code flow yelp.com Connect with Google Redirect URI: accounts.google.com Email Password accounts.google.com Allow Yelp to access

Introduc)on to OAuth 2 · The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an ... • Web service (API) with security controls •

The OAuth 2.0 Authorization Frameworkself-issued.info/docs/rfc6749.pdf · TOC TOC This specification is designed for use with HTTP ( ). The use of OAuth over any protocol other than

[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for …...The OAuth 2.0 Protocol Extensions for Broker Clients specify extensions to [RFC6749] (The OAuth 2.0 Authorization Framework) that

OAuth 2 - Sesar Labsesar.di.unimi.it/corsi/SOASecurity/slide/OAuth2.0from...OAuth 2.0 From scratch What is OAuth 2 •OAuth 2 is an authorization framework that enables applications

[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization ... · The Active Directory Federation Services OAuth Authcode Lookup Protocol is defined as a RESTful protocol

CHRISTIAN KELLER CLOUD NATIVE APPS SICHERN MIT OAUTH … fileCLOUD NATIVE APPS SICHERN MIT OAUTH 2/OPENID CONNECT GLIEDERUNG OAuth 2.0 - Flows Authorization Code Grant Implicit Grant

[MS-XOAUTH]: OAuth 2.0 Authorization Protocol ExtensionsMS... · 5.1 Security Considerations for Implementers ... The OAuth 2.0 Authorization Protocol Extensions extend the OAuth

OAuth 2.0 Proof-of-Possession: Authorization Server to ......OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution draft-bradley-oauth-pop-key-distribution-01.txt

Recent Enhancements to Scale the Conversation...OAuth 2.0 Authorization Server n s NOTE: OAuth 2.0 is not currently supported for the Appliance. OAuth 2.0 is now supported for all

Oauth (Open Authorization)

How (Not) to Use OAuth - Daniel Fett...Authorization OAuth Authorization Server & Resource Server User Client Photo Editor Google Photos account authorizes to access Authentication

[MS-ADFSOAL]: Active Directory Federation Services …... · Active Directory Federation Services OAuth Authorization Code ... Active Directory Federation Services OAuth ... Federation

Oracle OAuth ServiceOAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0 Resource Server roles. OAM OAuth