OAuth - Open API Authentication
- 3. The Love Triangle
End User / Service Provider / Consumer Application (fake applications by EHL)
http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
- 4. Specifically OAuth is...
• Authentication
Need to log in to access parts of a website, ex: bookmark a link, post a photo, add a friend, view a private message
• Token-based Authentication
Logged-in user has a unique token used to access data from the site
- 7. Goals:
Be Simple
• standard for website API authentication
• consistent for developers
• easy for users to understand *
* this is hard
- 8. Goals:
Be Secure
• secure for users
• easy to implement security features for developers
• balance security with ease of use
- 9. Goals:
Be Open
• any website can implement OAuth
• any developer can use OAuth
• open source client libraries
• published technical specifications
- 10. Goals:
Be Flexible
• don’t need a username and password
• authentication method agnostic
• can use OpenID (or not!)
• whatever works best for the web service
• developers don’t need to handle auth
- 11. What the end user sees...
an example from ma.gnolia and nsyght.
- 17. Register a Consumer Application
• Provide service provider with data about your application (name, creator, url etc...)
• Service provider assigns consumer a consumer key and consumer secret
• Service provider gives documentation of authorization URLs and methods
- 18. Authorization Process
1. Obtain request token
2. User authorizes request token
3. Exchange request token for access token
4. Use access token to obtain protected resources
- 20. Where is this information passed?
• HTTP Authorization header
• HTTP POST request body (form params)
• URL query string parameters
- 21. Security
• Tokens - aren’t passing username/password
• Timestamp and nonce - verify unique requests (a replayed request reuses a timestamp/nonce pair the service provider has already seen)
• Signature - signed parameters help the service provider recognize the consumer and detect tampering
• Signature methods - HMAC-SHA1, RSA-SHA1, Plaintext over a secure channel (such as SSL)
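The four-step authorization process (slide 18), the Authorization header transport (slide 20) and the timestamp/nonce/signature checks (slide 21) fit in one small program. The following is an added example written for this page, not code from the talk or from any OAuth library: it plays both the consumer and the service provider in one process, signs every request with HMAC-SHA1 over the OAuth 1.0 signature base string, and rejects replays, stale timestamps, tampered parameters and wrong secrets. The consumer key/secret, hostnames and the `private_messages` payload are constructed values; the percent-encoding and base-string rules follow OAuth Core 1.0.

```python
"""Toy OAuth 1.0 three-legged flow with HMAC-SHA1 signing (added example, constructed data)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD&url&params, where params are the encoded key=value pairs sorted and joined with &."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer_secret&token_secret (token secret empty before step 1)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


class Consumer:
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def sign(self, method, url, token=None, token_secret="", extra=None):
        """Build the oauth_* parameters (fresh timestamp and nonce) plus any extra params, and sign them."""
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
                  "oauth_version": "1.0"}
        if token:
            params["oauth_token"] = token
        params.update(extra or {})  # non-oauth params travel in the query string or POST body
        params["oauth_signature"] = hmac_sha1(signature_base_string(method, url, params), self.secret, token_secret)
        return params

    @staticmethod
    def authorization_header(params):
        """Render the oauth_* parameters as an HTTP Authorization header (transport option 1)."""
        fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()) if k.startswith("oauth_"))
        return "OAuth " + fields


class ServiceProvider:
    MAX_SKEW = 300  # seconds a request timestamp may differ from the provider's clock (assumed policy)

    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> consumer_secret, from registration (slide 17)
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()

    def verify(self, method, url, params, token_secret=""):
        """Check signature method, timestamp window, nonce uniqueness and the HMAC-SHA1 signature."""
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(time.time() - ts) > self.MAX_SKEW:
            return False
        nonce_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:  # same consumer, timestamp and nonce: a replay
            return False
        expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(nonce_key)
        return True

    def request_token(self, method, url, params):  # step 1
        if not self.verify(method, url, params):
            return None
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"], "authorized": False}
        return token, secret

    def user_authorizes(self, token):  # step 2: the logged-in end user approves the request token
        self.request_tokens[token]["authorized"] = True

    def access_token(self, method, url, params):  # step 3
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or not rt["authorized"] or rt["consumer"] != params.get("oauth_consumer_key"):
            return None
        if not self.verify(method, url, params, rt["secret"]):
            return None
        del self.request_tokens[params["oauth_token"]]  # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": rt["consumer"]}
        return token, secret

    def protected_resource(self, method, url, params):  # step 4
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or at["consumer"] != params.get("oauth_consumer_key"):
            return None
        if not self.verify(method, url, params, at["secret"]):
            return None
        return {"private_messages": ["hello from the service provider"]}  # constructed payload


def run_flow():
    """Run steps 1-4 end to end and return the protected resource (None if any step is refused)."""
    key, secret = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"  # constructed registration values
    sp, c = ServiceProvider({key: secret}), Consumer(key, secret)
    base = "https://provider.example/oauth"
    rt, rts = sp.request_token("POST", base + "/request_token", c.sign("POST", base + "/request_token"))
    sp.user_authorizes(rt)
    at, ats = sp.access_token("POST", base + "/access_token", c.sign("POST", base + "/access_token", rt, rts))
    url = "https://provider.example/messages"
    return sp.protected_resource("GET", url, c.sign("GET", url, at, ats, {"box": "inbox"}))
```

The provider records a (consumer, timestamp, nonce) triple only after the signature checks out, so an attacker cannot burn a consumer's nonces with unsigned junk; the timestamp window bounds how long that set has to be kept. Because the signature covers the HTTP method, the base URL and every parameter, changing any of them after signing (or sending the request twice) is refused without the consumer ever transmitting a password.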
- 22. Current Status of OAuth
• oauth.net
• OAuth Core 1.0 Draft 7
• several libraries for consumers and service providers (PHP, Python, Ruby, Perl, C# ...)
• Ma.gnolia and Twitter implementations
• more implementations soon!