Integrating services with OAuth

Luca Mearelli
Web2Expo - Berlin 2008
Web 2.0 means
sharing data,
   through API
Users want to
   access their data
using many services
Developers want to
      satisfy their users
(and make it easy for them)
Service providers need to
keep their users' data secure
welcome
the password antipattern
Image from http://www.codinghorror.com/blog/archives/001072.html
Passwords are precious
Stop asking them
    Stop the antipattern
How to delegate access?
Your valet key for the web
a play in 3 acts
(to exchange authorization)
Actors on the scene
               User
       Consumer
Service Provider
Prologue
 Where the Consumer presents
himself to the Service Provider
Consumer (to Service Provider):
here I am, this is what I do
consumer   service provider
Consumer key
Consumer secret
First act
  Where the Consumer obtains
an unauthorized Request Token
Consumer (to Service Provider):
give me a request token
consumer   service provider
oauth_consumer_key
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
[additional parameters]
Service Provider (to consumer):
here is the request token
       (you can use it only once!)
service provider   consumer
oauth_token (request token)
oauth_token_secret
[additional parameters]
Second act
Where the User authorizes
       the Request Token
Consumer (to the User):
Please go to the Service Provider
    and authorize this request
consumer   user   service provider
oauth_token (request token)
oauth_callback
[additional parameters]
Service Provider (to the User):
Do you authorize consumer
        to access your data?
User (to the Service Provider):
                         YES!
           (or maybe NO :-) )
Service Provider (to the User):
You can go back to the consumer
service provider   user   consumer
oauth_token (request token)
Third act
Where the Consumer exchanges
            the Request Token
           for an Access Token
Consumer (to the Service Provider):
Please give me the access token
for the user
consumer   service provider
oauth_consumer_key
oauth_token (request token)
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
Service Provider (to the Consumer):
here is the access token for the user
service provider   consumer
oauth_token (access token)
oauth_token_secret
[additional parameters]
Epilogue
 Where the consumer
accesses the resources
Consumer (to the Service Provider):
Here I am again
on behalf of the user
consumer   service provider
oauth_consumer_key
oauth_token (access token)
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
[additional parameters]
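The prologue, three acts and epilogue above, as an added example that is not code from the talk: an in-memory service provider in Python that issues the consumer key and secret, hands out an unauthorized request token, records the user's YES or NO, exchanges the request token for an access token and then answers "on whose behalf is this consumer acting?". It enforces that a request token belongs to the consumer that asked for it, has been authorized by the user, and is exchanged only once, as the "you can use it only once!" slide demands. The user id, the token format and the PermissionError responses are assumptions made for the illustration; request signing is left out here so that the token life cycle stays visible.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RequestToken:
    secret: str
    consumer_key: str
    authorized_by: Optional[str] = None   # user id once the user has said YES
    exchanged: bool = False               # a request token may be exchanged only once


@dataclass
class AccessToken:
    secret: str
    consumer_key: str
    user: str


class ServiceProvider:
    """In-memory service provider tracking consumers and both kinds of token (constructed)."""

    def __init__(self) -> None:
        self.consumers: Dict[str, str] = {}            # consumer key -> consumer secret
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, AccessToken] = {}

    def _new_pair(self) -> Tuple[str, str]:
        return secrets.token_hex(8), secrets.token_hex(16)

    # Prologue: the consumer presents itself and receives key and secret
    def register_consumer(self) -> Tuple[str, str]:
        key, secret = self._new_pair()
        self.consumers[key] = secret
        return key, secret

    # First act: an unauthorized request token
    def issue_request_token(self, consumer_key: str) -> Tuple[str, str]:
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = self._new_pair()
        self.request_tokens[token] = RequestToken(secret, consumer_key)
        return token, secret

    # Second act: the user answers YES or NO at the provider's own UI
    def authorize(self, token: str, user: str, approve: bool) -> bool:
        rt = self.request_tokens.get(token)
        if rt is None or rt.exchanged:
            raise PermissionError("unknown or spent request token")
        if approve:
            rt.authorized_by = user
        return approve

    # Third act: trade an authorized request token for an access token
    def exchange(self, consumer_key: str, token: str) -> Tuple[str, str]:
        rt = self.request_tokens.get(token)
        if rt is None or rt.consumer_key != consumer_key:
            raise PermissionError("request token does not belong to this consumer")
        if rt.authorized_by is None:
            raise PermissionError("request token was not authorized by the user")
        if rt.exchanged:
            raise PermissionError("request token already used")
        rt.exchanged = True
        at, at_secret = self._new_pair()
        self.access_tokens[at] = AccessToken(at_secret, consumer_key, rt.authorized_by)
        return at, at_secret

    # Epilogue: whose resources is the consumer allowed to touch?
    def resource_owner(self, consumer_key: str, access_token: str) -> str:
        at = self.access_tokens.get(access_token)
        if at is None or at.consumer_key != consumer_key:
            raise PermissionError("invalid access token")
        return at.user

    # "Easy grant and revoke": the user withdraws one consumer's access
    def revoke(self, access_token: str) -> None:
        self.access_tokens.pop(access_token, None)


def run_play(approve: bool = True) -> Optional[str]:
    """Walk the whole play; return the user the consumer ends up acting for."""
    sp = ServiceProvider()
    ckey, _csecret = sp.register_consumer()                       # Prologue
    rtoken, _rsecret = sp.issue_request_token(ckey)               # First act
    if not sp.authorize(rtoken, user="alice", approve=approve):   # Second act
        return None
    atoken, _asecret = sp.exchange(ckey, rtoken)                  # Third act
    return sp.resource_owner(ckey, atoken)                        # Epilogue


if __name__ == "__main__":
    print(run_play(True), run_play(False))
```

Because the access token is a separate record from the request token, the provider can revoke one consumer's access without touching the user's password or any other consumer, which is what makes the "valet key" comparison hold.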
The details...
OAuth parameters exchange
      HTTP Authorization header
                HTTP Post body
         URL query parameters
Request signing algorithm
                   PLAINTEXT
                  HMAC-SHA1
                   RSA-SHA1
Signature base string
a consistent reproducible concatenation of
  the request elements into a single string
Other security measures
                    Nonces
                Timestamps
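The signature base string, the HMAC-SHA1 signing method and the nonce/timestamp checks from the last three slides, worked through in one added example (not code from the talk or from any OAuth library). The consumer side builds the base string per OAuth Core 1.0 (percent-encode every key and value, sort, join, then concatenate method, base URL and normalized parameters) and signs it with the consumer secret and token secret; the service provider side checks the timestamp window and the nonce before recomputing the signature. The request URL, body and oauth_* values follow the worked example in RFC 5849 section 3.4.1.1; the two secrets, the fixed clock and the reason strings are sample values chosen for this illustration.

```python
import base64
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qsl, quote, urlsplit

# Sample values (constructed for this example; the oauth_* values mirror RFC 5849's worked example)
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"
SAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
SAMPLE_BODY = "c2&a3=2+q"


def percent_encode(s: str) -> str:
    # OAuth encoding: only the RFC 3986 unreserved characters stay literal
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str,
                          oauth_params: Dict[str, str], body: str = "") -> str:
    """The consistent, reproducible concatenation of the request elements."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    base_url = f"{scheme}://{u.hostname}"
    if u.port and u.port != {"http": 80, "https": 443}.get(scheme):
        base_url += f":{u.port}"
    base_url += u.path or "/"
    # query and form-body parameters are signed too; oauth_signature itself is not
    pairs = parse_qsl(u.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join(percent_encode(x) for x in (method.upper(), base_url, normalized))


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sample_params(nonce: str = "7d8f3e4a", timestamp: str = "137131201") -> Dict[str, str]:
    return {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": timestamp, "oauth_nonce": nonce}


def signed_request(nonce: str = "7d8f3e4a", timestamp: str = "137131201") -> Dict[str, str]:
    """Consumer side: what the consumer sends (signature shown before header encoding)."""
    params = sample_params(nonce, timestamp)
    base = signature_base_string("POST", SAMPLE_URL, params, SAMPLE_BODY)
    params["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    return params


class Verifier:
    """Service-provider side: timestamp window, nonce replay check, then the signature."""

    def __init__(self, consumer_secrets: Dict[str, str], token_secrets: Dict[str, str],
                 now: int, window: int = 300):
        self.consumer_secrets = consumer_secrets
        self.token_secrets = token_secrets
        self.now = now            # fixed clock so the example is deterministic
        self.window = window
        self.seen = set()         # (consumer_key, token, timestamp, nonce) already accepted

    def verify(self, method: str, url: str, params: Dict[str, str],
               body: str = "") -> Tuple[bool, str]:
        ckey, token = params.get("oauth_consumer_key", ""), params.get("oauth_token", "")
        if ckey not in self.consumer_secrets:
            return False, "unknown consumer"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(self.now - ts) > self.window:
            return False, "timestamp outside window"
        replay_key = (ckey, token, ts, params.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return False, "nonce already used"
        expected = hmac_sha1_signature(signature_base_string(method, url, params, body),
                                       self.consumer_secrets[ckey],
                                       self.token_secrets.get(token, ""))
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return False, "bad signature"
        self.seen.add(replay_key)   # remember the nonce only once the signature has checked out
        return True, "ok"
```

When the signature travels in the HTTP Authorization header it is percent-encoded once more, exactly as in the XMPP stanza later in the deck; the verifier above compares the decoded value. Recording the nonce only after a valid signature matters for the resource-exhaustion concern the talk lists: an unauthenticated sender must not be able to fill the nonce store.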
Service setup
OAuth discovery (XRDS)
<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
  <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Expires>2008-12-31T23:59:59Z</Expires>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
      <LocalID>0685bd9184jfhq22</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <URI>https://api.example.com/session/login</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/access</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/activate</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/request</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/request</URI>
    </Service>
  </XRD>
  <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0</Type>
      <URI>#oauth</URI>
    </Service>
  </XRD>
</XRDS>
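A consumer reads a document like the one above to learn where to send each leg of the play, which parameter locations each endpoint accepts and which signature methods it supports. The parser below is an added example written for this page, not the talk's or any library's code; it embeds a shortened copy of the XRDS above as constructed input, follows the "#oauth" pointer from the unnamed XRD to the one carrying the services, and adds two checks a consumer should make before trusting what it discovered: whether the document's Expires stamp has passed, and whether an endpoint that offers PLAINTEXT is served over https (PLAINTEXT sends the secrets themselves, so only the transport protects them). The dictionary layout and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XRD_NS = "xri://$XRD*($v*2.0)"
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"
CORE = "http://oauth.net/core/1.0/"
DISCOVERY = "http://oauth.net/discovery/1.0"

# Constructed sample: a shortened copy of the XRDS document shown in the slides.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
  <XRD xml:id="oauth" xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Expires>2008-12-31T23:59:59Z</Expires>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
      <LocalID>0685bd9184jfhq22</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <URI>https://api.example.com/session/login</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/access</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/activate</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/request</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/request</URI>
    </Service>
  </XRD>
  <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0</Type>
      <URI>#oauth</URI>
    </Service>
  </XRD>
</XRDS>"""


def q(tag):
    """Qualify a tag name with the XRD namespace for ElementTree lookups."""
    return f"{{{XRD_NS}}}{tag}"


def parse_discovery(xml_text):
    root = ET.fromstring(xml_text.encode("utf-8"))
    xrds = root.findall(q("XRD"))
    # The unnamed XRD points, through a "#fragment" URI, at the XRD holding the OAuth services.
    target = None
    for xrd in xrds:
        for svc in xrd.findall(q("Service")):
            types = [t.text for t in svc.findall(q("Type"))]
            uri = svc.findtext(q("URI")) or ""
            if DISCOVERY in types and uri.startswith("#"):
                target = uri[1:]
    oauth_xrd = next((x for x in xrds if x.get(XML_ID) == target), None)
    if oauth_xrd is None:
        raise ValueError("no OAuth XRD referenced by the discovery service")
    info = {"expires": oauth_xrd.findtext(q("Expires")), "consumer_key": None, "endpoints": {}}
    for svc in oauth_xrd.findall(q("Service")):
        types = [t.text for t in svc.findall(q("Type"))]
        if DISCOVERY + "/consumer-identity/static" in types:
            info["consumer_key"] = svc.findtext(q("LocalID"))   # static consumer identity
        for t in types:
            if t.startswith(CORE + "endpoint/"):
                info["endpoints"][t.rsplit("/", 1)[1]] = {
                    "uri": svc.findtext(q("URI")),
                    "params": [x.rsplit("/", 1)[1] for x in types if x.startswith(CORE + "parameters/")],
                    "signatures": [x.rsplit("/", 1)[1] for x in types if x.startswith(CORE + "signature/")],
                }
    return info


def is_expired(info, now):
    """XRDS documents carry an Expires stamp; a stale one must be re-fetched, not trusted."""
    exp = datetime.strptime(info["expires"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now >= exp


def weak_endpoints(info):
    """PLAINTEXT sends the secrets themselves, so flag it on any endpoint not served over https."""
    return [role for role, e in info["endpoints"].items()
            if "PLAINTEXT" in e["signatures"] and not (e["uri"] or "").startswith("https://")]
```

With the slide's document every PLAINTEXT endpoint sits behind https, so weak_endpoints returns nothing; swap one URI to plain http and that endpoint is reported, which is the check to run before a consumer library is configured from a discovery document it fetched over the network.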
Benefits
Granular authorization
Easy grant and revoke
       Tracking of use
Many open/free libraries
    use them, contribute to them
Challenges
UI/UX for the Service Provider
Provide basic information to the user
Ease the user's choice
Link / enable getting deeper info
UI/UX for the Consumer
   Explain what’s happening
            Educate the user
      Use the right language
Security considerations
             Confidentiality of Requests
           Spoofing, Proxying, Phishing
                   Secrecy of credentials
                    Cryptographic issues
Denial of Service / Resource Exhaustion
Beyond the browser
            Mobile devices
   Installable applications
The sequel
OAuth over XMPP
<iq from='travelbot@findmenow.tld/bot'
    id='sub1'
    to='feeds.worldgps.tld'
    type='set'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub'>
    <subscribe node='bard_geoloc'/>
    <oauth xmlns='urn:xmpp:tmp:oauth'>
      <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>
      <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce>
      <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature>
      <oauth_signature_method>HMAC-SHA1</oauth_signature_method>
      <oauth_timestamp>1218137833</oauth_timestamp>
      <oauth_token>ad180jjd733klru7</oauth_token>
      <oauth_version>1.0</oauth_version>
    </oauth>
  </pubsub>
</iq>
The morale
   Integrating services can be done
without asking or storing the user’s
 credentials while at the same time
     gaining flexibility and control.
Links!
http://oauth.net
http://oauth.net/core/1.0/
http://code.google.com/p/oauth/
http://groups.google.com/group/oauth/
http://oauth.net/discovery/1.0
Thanks for listening!!
                     Luca Mearelli
           http://spazidigitali.com
       l.mearelli@spazidigitali.com
