SlideShare a Scribd company logo

OAuth - Open API Authentication

L
leahculver

http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.

Related slideshows

Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
1 of 23
Download to read offline
OAuth Basic Introduction
What is OAuth? A simple open standard for secure API authentication.
The Love Triangle End User Service Provider Consumer Application (fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site
Similar to... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others...
Who is involved?
Goals: Be Simple • standard for website API authentication • consistent for developers • easy for users to understand * * this is hard
Goals: Be Secure • secure for users • easy to implement security features for developers • balance security with ease of use
Goals: Be Open • any website can implement OAuth • any developer can use OAuth • open source client libraries • published technical specifications
Goals: Be Flexible • don’t need a username and password • authentication method agnostic • can use OpenID (or not!) • whatever works best for the web service • developers don’t need to handle auth
What the end user sees... an example from ma.gnolia and nsyght.
OMG! Need to login!
Login with service provider
Authorize
Done!
How Does OAuth Work? (for developers)
Register a Consumer Application • Provide service provider with data about your application (name, creator, url etc...) • Service provider assigns consumer a consumer key and consumer secret • Service provider gives documentation of authorization URLs and methods
Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce
Where is this information passed? • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters
Security • Tokens - aren’t passing username/password • Timestamp and nonce - verify unique requests • Signature - encrypted parameters help service provider recognize consumer • Signature methods - HMAC-SHA1, RSA- SHA1, Plaintext over a secure channel (such as SSL)
Current Status of OAuth • oauth.net • Auth Core 1.0 Draft 7 • several libraries Python, Ruby, Perl, C# ...) for consumers and service providers (PHP, • Ma.gnolia and Twitter implementations • more implementations soon!
Thanks! Chris is still working on the logo...

More Related Content

OAuth - Open API Authentication

  • 2. What is OAuth? A simple open standard for secure API authentication.
  • 3. The Love Triangle End User Service Provider Consumer Application (fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
  • 4. Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site
  • 5. Similar to... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others...
  • 7. Goals: Be Simple • standard for website API authentication • consistent for developers • easy for users to understand * * this is hard
  • 8. Goals: Be Secure • secure for users • easy to implement security features for developers • balance security with ease of use
  • 9. Goals: Be Open • any website can implement OAuth • any developer can use OAuth • open source client libraries • published technical specifications
  • 10. Goals: Be Flexible • don’t need a username and password • authentication method agnostic • can use OpenID (or not!) • whatever works best for the web service • developers don’t need to handle auth
  • 11. What the end user sees... an example from ma.gnolia and nsyght.
  • 12. OMG! Need to login!
  • 15. Done!
  • 16. How Does OAuth Work? (for developers)
  • 17. Register a Consumer Application • Provide service provider with data about your application (name, creator, url etc...) • Service provider assigns consumer a consumer key and consumer secret • Service provider gives documentation of authorization URLs and methods
  • 18. Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • 19. OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce
  • 20. Where is this information passed? • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters
  • 21. Security • Tokens - aren’t passing username/password • Timestamp and nonce - verify unique requests • Signature - encrypted parameters help service provider recognize consumer • Signature methods - HMAC-SHA1, RSA- SHA1, Plaintext over a secure channel (such as SSL)
  • 22. Current Status of OAuth • oauth.net • Auth Core 1.0 Draft 7 • several libraries Python, Ruby, Perl, C# ...) for consumers and service providers (PHP, • Ma.gnolia and Twitter implementations • more implementations soon!
  • 23. Thanks! Chris is still working on the logo...