Integrating services with OAuth

Luca Mearelli
Web2Expo - Berlin 2008
Web 2.0 means sharing data, through APIs

Users want to access their data using many services

Developers want to satisfy their users (and make it easy for them)

Service providers need to keep their users' data secure
Welcome the password antipattern
Image from http://www.codinghorror.com/blog/archives/001072.html

Passwords are precious

Stop asking for them, stop the antipattern
How to delegate access?

Your valet key for the web

A play in 3 acts (to exchange authorization)

Actors on the scene: User, Consumer, Service Provider
Prologue: where the Consumer presents himself to the Service Provider

Consumer (to Service Provider): here I am, this is what I do

consumer -> service provider:
  Consumer key
  Consumer secret
First act: where the Consumer obtains an unauthorized Request Token

Consumer (to Service Provider): give me a request token

consumer -> service provider:
  oauth_consumer_key
  oauth_signature_method
  oauth_signature
  oauth_timestamp
  oauth_nonce
  oauth_version (optional)
  [additional parameters]

Service Provider (to Consumer): here is the request token (you can use it only once!)

service provider -> consumer:
  oauth_token (request token)
  oauth_token_secret
  [additional parameters]
Second act: where the User authorizes the Request Token

Consumer (to the User): please go to the Service Provider and authorize this request

consumer -> user -> service provider:
  oauth_token (request token)
  oauth_callback
  [additional parameters]

Service Provider (to the User): do you authorize consumer to access your data?

User (to the Service Provider): YES! (or maybe NO :-) )

Service Provider (to the User): you can go back to the consumer

service provider -> user -> consumer:
  oauth_token (request token)
Third act: where the Consumer exchanges the Request Token for an Access Token

Consumer (to the Service Provider): please give me the access token for the user

consumer -> service provider:
  oauth_consumer_key
  oauth_token (request token)
  oauth_signature_method
  oauth_signature
  oauth_timestamp
  oauth_nonce
  oauth_version (optional)

Service Provider (to the Consumer): here is the access token for the user

service provider -> consumer:
  oauth_token (access token)
  oauth_token_secret
  [additional parameters]
Epilogue: where the Consumer accesses the resources

Consumer (to the Service Provider): here I am again, on behalf of the user

consumer -> service provider:
  oauth_consumer_key
  oauth_token (access token)
  oauth_signature_method
  oauth_signature
  oauth_timestamp
  oauth_nonce
  oauth_version (optional)
  [additional parameters]
The details...

OAuth parameters exchange:
  HTTP Authorization header
  HTTP POST body
  URL query parameters

Request signing algorithm:
  PLAINTEXT
  HMAC-SHA1
  RSA-SHA1

Signature base string: a consistent, reproducible concatenation of the request elements into a single string

Other security measures:
  Nonces
  Timestamps
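The signing and verification behind the three acts and the details above, as an added example written for this page (not code from the talk): the consumer builds the signature base string and the HMAC-SHA1 signature for its oauth_* parameters, and the service provider re-derives the signature and enforces the timestamp window and the one-time nonce. The function names, the ServiceProvider class and the 300-second window are my choices; the credentials used in the demo are the sample ones from the OAuth Core 1.0 specification's appendix.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay as-is.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & base-URL & normalized-parameters, each of the three percent-encoded."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path or '/'}"
    # Query-string parameters are signed together with the oauth_* ones; oauth_signature never is.
    all_params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params)
    pairs = sorted((pct(k), pct(v)) for k, v in all_params if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(base, consumer_secret, token_secret=""):
    """Key is consumer-secret&token-secret (token part empty until a token has been issued)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, consumer_key, consumer_secret, token=None, token_secret="",
                 nonce=None, timestamp=None):
    """Consumer side: the oauth_* parameters for one request, signature included."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
             "oauth_nonce": nonce or secrets.token_hex(16), "oauth_version": "1.0"}
    if token:
        oauth["oauth_token"] = token
    oauth["oauth_signature"] = hmac_sha1(base_string(method, url, oauth.items()),
                                         consumer_secret, token_secret)
    return oauth

class ServiceProvider:
    """Service provider side: timestamp window, nonce reuse and signature checks."""
    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret (issued in the Prologue)
        self.tokens = tokens        # oauth_token -> oauth_token_secret (request or access token)
        self.window = window        # accepted clock skew, in seconds
        self.seen = set()           # (consumer_key, timestamp, nonce) of accepted requests

    def verify(self, method, url, params, now=None):
        p = dict(params)
        now = int(time.time()) if now is None else now
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside accepted window"
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "nonce already used"
        token_secret = self.tokens.get(p["oauth_token"]) if "oauth_token" in p else ""
        if token_secret is None:
            return False, "unknown token"
        expected = hmac_sha1(base_string(method, url, p.items()), secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False, "bad signature"  # constant-time comparison above
        self.seen.add(replay_key)  # only a request that passed every check consumes its nonce
        return True, "ok"

if __name__ == "__main__":
    # Credentials and request taken from the OAuth Core 1.0 specification's Appendix A example.
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    sp = ServiceProvider({"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}, {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"})
    req = sign_request("GET", url, "dpf43f3p2l4k3l03", "kd94hf93k423kf44", token="nnch734d00sl2jdk",
                       token_secret="pfkkdhi9sl3r4s00", nonce="kllo9940pd9333jh", timestamp=1191242096)
    print(req["oauth_signature"], sp.verify("GET", url, req.items(), now=1191242096))  # tR3+Ty81lMeYAr/Fid0kMTYa/WM= (True, 'ok')
    print(sp.verify("GET", url, req.items(), now=1191242096))  # replay: (False, 'nonce already used')
```

The signature is percent-encoded only when it is placed in the Authorization header or query string, which is why the XMPP slide below shows it as `wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D`.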
Service setup

OAuth discovery (XRDS)

<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
  <XRD xml:id="oauth" xmlns:simple="http://xrds-simple.net/core/1.0" xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Expires>2008-12-31T23:59:59Z</Expires>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type>
      <LocalID>0685bd9184jfhq22</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/resource</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <URI>https://api.example.com/session/login</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/access</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/activate</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/request</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/request</URI>
    </Service>
  </XRD>
  <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0</Type>
      <URI>#oauth</URI>
    </Service>
  </XRD>
</XRDS>
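Reading such a discovery document from the consumer side, as an added example not taken from the talk: it resolves the discovery service's #oauth reference to the XRD that lists the endpoints, collects each endpoint's URI, signature methods and parameter locations, and flags any endpoint that offers PLAINTEXT signing over something other than https (PLAINTEXT sends the secrets themselves, so it relies on the transport). Function names are mine; the sample document is the slide's XRDS, trimmed to the three token endpoints.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$XRD*($v*2.0)}"                         # XRD 2.0 namespace in ElementTree's {ns}tag form
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"  # the xml:id attribute
CORE = "http://oauth.net/core/1.0/"
DISCOVERY = "http://oauth.net/discovery/1.0"

# Constructed sample: the slide's XRDS document, quoting repaired and trimmed to the token endpoints.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
  <XRD xml:id="oauth" xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Expires>2008-12-31T23:59:59Z</Expires>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/authorize</Type>
      <Type>http://oauth.net/core/1.0/parameters/uri-query</Type>
      <URI>https://api.example.com/session/login</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/access</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/activate</URI>
    </Service>
    <Service priority="10">
      <Type>http://oauth.net/core/1.0/endpoint/request</Type>
      <Type>http://oauth.net/core/1.0/parameters/auth-header</Type>
      <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type>
      <URI>https://api.example.com/session/request</URI>
    </Service>
  </XRD>
  <XRD xmlns="xri://$XRD*($v*2.0)" version="2.0">
    <Type>xri://$xrds*simple</Type>
    <Service priority="10">
      <Type>http://oauth.net/discovery/1.0</Type>
      <URI>#oauth</URI>
    </Service>
  </XRD>
</XRDS>"""

def discover(xrds_text):
    """Map endpoint name -> {uri, signature methods, parameter locations} from an XRDS document."""
    root = ET.fromstring(xrds_text)
    services = list(root.iter(XRD + "Service"))
    # The discovery service's URI is a same-document reference (#id) to the XRD listing the endpoints.
    pointer = next(s for s in services if any(t.text == DISCOVERY for t in s.iter(XRD + "Type")))
    ref = pointer.find(XRD + "URI").text
    if not ref.startswith("#"):
        raise ValueError("only same-document discovery references are handled here")
    oauth_xrd = next(x for x in root.iter(XRD + "XRD") if x.get(XML_ID) == ref[1:])
    endpoints = {}
    for svc in oauth_xrd.iter(XRD + "Service"):
        # Each core Type is "<kind>/<value>", e.g. endpoint/request, signature/HMAC-SHA1.
        kinds = [(t.text or "")[len(CORE):].partition("/") for t in svc.iter(XRD + "Type")
                 if (t.text or "").startswith(CORE)]
        name = next((v for k, _, v in kinds if k == "endpoint"), None)
        if name is None:
            continue
        uri = svc.find(XRD + "URI")
        endpoints[name] = {"uri": None if uri is None else uri.text,
                           "signature": [v for k, _, v in kinds if k == "signature"],
                           "parameters": [v for k, _, v in kinds if k == "parameters"]}
    return endpoints

def unsafe_endpoints(endpoints):
    """Endpoints a consumer should refuse: PLAINTEXT signing is only acceptable over https."""
    return sorted(name for name, ep in endpoints.items()
                  if ep["uri"] and "PLAINTEXT" in ep["signature"] and urlsplit(ep["uri"]).scheme != "https")
```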
Benefits:
  Granular authorization
  Easy grant and revoke
  Tracking of use

Many open/free libraries: use them, contribute to them

Challenges

UI/UX for the Service Provider:
  Provide basic information to the user
  Ease the user’s choice
  Link / enable getting deeper info

UI/UX for the Consumer:
  Explain what’s happening
  Educate the user
  Use the right language

Security considerations:
  Confidentiality of requests
  Spoofing, proxying, phishing
  Secrecy of credentials
  Cryptographic issues
  Denial of service / resource exhaustion

Beyond the browser:
  Mobile devices
  Installable applications
The sequel
OAuth over XMPP
<iq from='travelbot@findmenow.tld/bot'
    id='sub1'
    to='feeds.worldgps.tld'
    type='set'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub'>
    <subscribe node='bard_geoloc'/>
    <oauth xmlns='urn:xmpp:tmp:oauth'>
      <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>
      <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce>
      <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature>
      <oauth_signature_method>HMAC-SHA1</oauth_signature_method>
      <oauth_timestamp>1218137833</oauth_timestamp>
      <oauth_token>ad180jjd733klru7</oauth_token>
      <oauth_version>1.0</oauth_version>
    </oauth>
  </pubsub>
</iq>
The moral: integrating services can be done without asking for or storing the user’s credentials, while at the same time gaining flexibility and control.
Links!
http://oauth.net
http://oauth.net/core/1.0/
http://code.google.com/p/oauth/
http://groups.google.com/group/oauth/
http://oauth.net/discovery/1.0
Thanks for listening!!
                     Luca Mearelli
           http://spazidigitali.com
       l.mearelli@spazidigitali.com
