BUILDING AND USING SECURE WEB SERVICES WITH OAUTH Skillswap Goes Portable, November 25, 2008

Bruce Boughtonbruce@bruceboughton.me.ukhttp://bruceboughton.me.uk

http://lab.madgex.com/

web services are about data let’s think about data...

DATA SHOULD BE PORTABLE(even your private data)

The Internet is awash with data(put there by our users)

why?

CONTROL YOUR DATADon't get locked into one vendor

Mash|ups < data> MORE INTERESTING

http://pipes.yahoo.com/bruceboughton/skillswapmashup

RE-PURPOSE YOUR DATAin different contexts

INTERPRET ITACCESS IT

Data is portable if you can easily

Data should be available inSTANDARD DATA FORMATS

<xml/>POSH

JSONμf

How can users let third partiesACCESS THEIR PRIVATE DATA?

User data is moving to the cloud

40-60% OF TWEETS VIA API*Blaine Cook co-authored OAuth

Why pick on Twitter?

http://kecute.wordpress.com/2007/11/05/cat-computer-geek/

we need an easy,user-friendly standard

for third party api security

GOOGLE CONTACTS DEMOhttp://lab.madgex.com/oauth-net/googlecontacts/

YOU CHOOSE who you share YOUR DATA with

OAuth puts the user back in control

NO NEED to give outyour PASSWORD

OAuth is secure

FIRE EAGLE LOCATION DEMOhttp://whereami.lab.madgex.com/

Supports FINE-GRAINED privacy controls

Lightweight and open for extension

Google YahooOpenSocial NetflixMySpace PownceMa.gnolia SmugMugGetSatisfaction and more...

Big name adoption

one thing: OAuth != OpenID

(but they do play nicely)

OpenID is authenticationOAUTH IS ACCESS CONTROL

let’s get technical

Protected resources

are exposed by service providersand used by consumer

applicationson behalf of users

e.g. My physical location

is exposed by the Fire Eagle APIand used by the Madgex Lab demo

on my behalf

Consumer identity asserted using CONSUMER KEY and SECRET

Consumer gets an ACCESS TOKEN(tied to a user, usually re-usable)

To fetch a protected resource

Consumer asks USER TO LOG IN and AUTHORIZE request

To get an access token

Requests are SIGNED and include a TIMESTAMP and NONCE

This is just PLAIN OLD HTTPwith added super powers

don’t worry, there are plenty of

open source libraries

Ruby .NETPython PHPJava JavaScriptObjective-C and more...

http://oauth.net/code

do we have time for some code?

OAuth.net libraryhttp://lab.madgex.com/oauth-net

Configuring the Fire Eagle service(without discovery)

Requesting the user’s location

Handling authorization(if we didn’t already have an access token)

Using the protected resource

QUESTIONS?OR BEER.

Bruce Boughtonbruce@bruceboughton.me.ukhttp://bruceboughton.me.uk

http://lab.madgex.com/