Introduction to OAuth
OAuth: Open Standard for Sharing
#OpenWebTO - June 1st, 2010
the problem
password anti-pattern
Sharing without passwords.
Sites exchange user authorized tokens.
Tokens can be revoked.
Tokens can be scoped.
Tokens can be time-limited.
Terminology has changed a lot.
These slides are old school.
some history
12/07 - OAuth 1.0
06/08 - OAuth 1.0a
11/09 - OAuth WRAP
03/10 - OAuth 2.0 Draft 1
04/10 - RFC 5849
05/10 - OpenID Connect
OAuth 1.0a addresses a session fixation vulnerability discovered in the original spec.
Step 1. Attacker initiates OAuth authorization.
Step 2. Tricks victim into visiting an authorization URI specially crafted for nefarious purposes (the attacker specifies the callback).
Step 3. User enters their credentials at the authorization page, unwittingly authorizing the attacker's request token. User is redirected to a URI determined by the attacker.
Step 4. Attacker completes the OAuth workflow and has access to the victim's protected resources.
Step 5. $$$
The Result
Inconsistent implementations.
Different fixes for older providers.
Be aware.
OAuth 1.0a Protocol Overview
Endpoint URIs
Request Token URL
User Authorization URL
Access Token URL
Request a Request Token
Example: Twitter
Request:
POST /oauth/request HTTP/1.1
Host: local.eval.ca:8000
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="79013965", oauth_timestamp="1275364485", oauth_consumer_key="TgF80q20x4j4kPRTiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="PmA%2FUWGZSN%2B%2FYZ0ak4yHAtT7in8%3D"
Response:
oauth_token=ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0&oauth_token_secret=YGgcxX60kCHyoGiO2LhE0gfWXxZyJQnfBzpp64djykU
Example: FreshBooks
Request:
Authorization: OAuth realm="", oauth_nonce="92490670", oauth_timestamp="1275365018", oauth_consumer_key="oauthprovider", oauth_signature_method="PLAINTEXT", oauth_version="1.0", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26", oauth_callback="http%3A%2F%2Flocal.eval.ca%3A8000%2Foauth%2Fcallback%2F"
Response:
oauth_token=YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2&oauth_token_secret=gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh&oauth_callback_confirmed=true
Redirect user to Authorization URI
Twitter:
http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
FreshBooks:
https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
Handle Callback
Twitter:
http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
FreshBooks:
http://yourapp.com/oauth/callback?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8&oauth_verifier=zzUWbPe1nOYkG9dzb8nm9X7t6gzbjW4l9kIAeRLQs
Exchange authorized Request Token for Access Token
Example: Twitter
Request:
Authorization: OAuth realm="", oauth_nonce="83131550", oauth_timestamp="1275364497", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="ZABxRSmYFX9oLsZOTfMbYlDXldtKuVARFkjfPjsJbT0", oauth_signature="K1J5Q7TgU2S81FDLcDHrscRazGM%3D"
Response:
oauth_token=149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo&oauth_token_secret=BWZ5riq707pP4gpb8dRguD2NmhSiHt7XdA1O99YGGI&user_id=149686823&screen_name=freshnotifydemo
Example: FreshBooks
Request:
Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"
Response:
oauth_token=yF53TK3Ya6eQdWPNWLuZZTviHWZaKXLrh&oauth_token_secret=UCrmxWriVsyD69URtQd6u7NQxFhiTpXBW
Accessing a Protected Resource
Example: Twitter
Request:
POST /1/statuses/update.json HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995", oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo", oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"
status=Ohai.
Response:
{ a lot of JSON }
Example: FreshBooks
Request:
POST /api/2.1/xml-in HTTP/1.1
...
Content-Type: application/xml
Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024", oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider", oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0", oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2", oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

<request method="invoice.list" />
Response:
<response status="ok"> A bunch of XML </response>
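The two signature methods seen in the requests above, HMAC-SHA1 (Twitter) and PLAINTEXT (FreshBooks), both derive from the same signing key, "consumer secret & token secret", and the same RFC 5849 signature base string. The following is an added example, not code from the talk or from either provider: a minimal consumer-side signer plus the recomputation a provider performs to verify a request. Consumer key, secrets, nonce and URL values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Build the signature base string of RFC 5849 section 3.4.1 for a request."""
    u = urlsplit(url)
    netloc = u.hostname.lower()
    default = (u.scheme == "http" and u.port == 80) or (u.scheme == "https" and u.port == 443)
    if u.port and not default:
        netloc = f"{netloc}:{u.port}"  # e.g. local.eval.ca:8000 keeps its port
    base_url = f"{u.scheme.lower()}://{netloc}{u.path}"
    # Query-string parameters are signed too; realm and the signature itself are not.
    pairs = list(params) + parse_qsl(u.query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in pairs if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    # The token secret is empty when asking for a request token (no token exists yet).
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def plaintext_signature(consumer_secret, token_secret=""):
    """PLAINTEXT: the signing key *is* the signature, so it only makes sense over TLS."""
    return signing_key(consumer_secret, token_secret)


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(params, signature, realm=""):
    """Render the Authorization header as in the captures above (values percent-encoded)."""
    parts = [f'realm="{realm}"'] + [f'{pct(k)}="{pct(v)}"' for k, v in params]
    return "OAuth " + ", ".join(parts + [f'oauth_signature="{pct(signature)}"'])


def provider_verifies(method, url, received_params, consumer_secret, token_secret=""):
    """Provider side: recompute from the received parameters and compare in constant time."""
    received = dict(received_params).get("oauth_signature", "")
    expected = hmac_sha1_signature(method, url, received_params, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)
```

A provider must additionally reject replayed nonce/timestamp pairs, since the signature alone does not stop a captured request from being resent.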
Common Questions
What about Desktop & Mobile applications?
What the heck is OAuth WRAP?
What does OAuth have to do with OpenID?
What is up with OAuth 2?
OAuth 2.0
Problems with OAuth 1.0
Complex cryptographic requirements
Poor user experience for desktop / mobile
Performance at scale
OAuth 2.0
OAuth 2.0 defines authorization flows.
User Delegation Flows
Direct Credentials Flows
Autonomous Flows
User Delegation Flows
User-Agent Flow
Web Server Flow
Device Flow
Direct Credentials Flows
Username and Password Flow
Client Credentials Flow
Autonomous Flows
Assertion Flow
OAuth 2.0
Bearer tokens over SSL
Simpler signatures
Short lived tokens with refresh tokens
Authorization server and resource server
Progress
OAuth 2.0 is currently in its 5th version of an IETF Draft.
There are implementations in the wild including Facebook, 37signals and GitHub.
There are Objective-C, Python and Ruby libraries available with varying degrees of completeness.
So things are looking good, but as always when working with something this new...
Resources
http://oauth.net/
http://tools.ietf.org/html/rfc5849
http://hueniverse.com/oauth/
http://tools.ietf.org/html/draft-ietf-oauth-v2-07