http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, an open standard for API authentication. Originally broadcast on Justin.tv.
2. What is OAuth?
A simple open standard for secure API authentication.
3. The Love Triangle
• End User
• Service Provider
• Consumer Application
(fake applications by EHL)
http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
4. Specifically OAuth is...
• Authentication
Need to log in to access parts of a website
ex: bookmark a link, post a photo, add a friend, view a private message
• Token-based Authentication
Logged-in user has a unique token used to access data from the site
5. Similar to...
• Flickr Auth
• Google’s AuthSub
• Yahoo’s BBAuth
• Facebook Auth
• and others...
7. Goals:
Be Simple
• standard for website API authentication
• consistent for developers
• easy for users to understand *
* this is hard
8. Goals:
Be Secure
• secure for users
• easy to implement security features for developers
• balance security with ease of use
9. Goals:
Be Open
• any website can implement OAuth
• any developer can use OAuth
• open source client libraries
• published technical specifications
10. Goals:
Be Flexible
• don’t need a username and password
• authentication method agnostic
• can use OpenID (or not!)
• whatever works best for the web service
• developers don’t need to handle auth
11. What the end user sees...
an example from ma.gnolia and nsyght.
17. Register a Consumer Application
• Provide service provider with data about your application (name, creator, url etc...)
• Service provider assigns consumer a consumer key and consumer secret
• Service provider gives documentation of authorization URLs and methods
18. Authorization Process
1. Obtain request token
2. User authorizes request token
3. Exchange request token for access token
4. Use access token to obtain protected resources
20. Where is this information passed?
• HTTP Authorization header
• HTTP POST request body (form params)
• URL query string parameters
21. Security
• Tokens - the consumer never passes the user's username/password
• Timestamp and nonce - let the service provider verify that each request is unique (replay detection)
• Signature - the signed request parameters let the service provider verify that the request really came from the consumer
• Signature methods - HMAC-SHA1, RSA-SHA1, Plaintext over a secure channel (such as SSL)
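As an added example (not code from the talk or from any OAuth library), here is a minimal OAuth 1.0 HMAC-SHA1 signer for the consumer side, a helper that packs the parameters into the HTTP Authorization header (slide 20), and the checks a service provider makes on receipt: recompute the signature, reject a timestamp outside an acceptance window, and refuse a nonce it has already seen. The consumer key/secret, token/secret, nonce and timestamp are the worked values from Appendix A of the OAuth Core 1.0 specification; the ServiceProvider class, the 300-second window and the in-memory set of seen nonces are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s):
    """OAuth 1.0 percent-encoding: RFC 3986 unreserved characters stay, everything else becomes %XX."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded, sorted, normalized parameter string."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer_secret & token_secret, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def consumer_sign_request(method, url, params, consumer_key, consumer_secret,
                          token=None, token_secret="", nonce=None, timestamp=None):
    """Consumer side: build the oauth_* parameters (fresh nonce and timestamp unless supplied) and sign."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    # The signature covers the request's own parameters plus every oauth_* parameter except the signature.
    oauth["oauth_signature"] = sign_hmac_sha1(method, url, {**params, **oauth}, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth_params):
    """Pack the oauth_* parameters into the HTTP Authorization header form (one of the three transports)."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


class ServiceProvider:
    """Assumed provider-side verifier: known consumers and tokens, a timestamp window, and a replay cache."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret (assigned at registration)
        self.tokens = tokens        # token -> token_secret
        self.window = window        # accepted clock skew in seconds (assumption of this example)
        self.seen = set()           # (consumer_key, timestamp, nonce) triples already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        if sig is None or secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unknown consumer or signature method"
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False, "replayed nonce"
        token_secret = ""
        if "oauth_token" in p:
            if p["oauth_token"] not in self.tokens:
                return False, "unknown token"
            token_secret = self.tokens[p["oauth_token"]]
        expected = sign_hmac_sha1(method, url, p, secret, token_secret)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison of the two signatures
            return False, "bad signature"
        self.seen.add(replay_key)  # only remember nonces of requests that fully verified
        return True, "ok"


def demo():
    """Run the Appendix A request through the provider, then a replay, a tampered copy and a stale copy."""
    provider = ServiceProvider(consumers={"dpf43f3p2l4k3l03": "kd94hf93k423kf44"},
                               tokens={"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"})
    url = "http://photos.example.net/photos"
    query = {"file": "vacation.jpg", "size": "original"}
    oauth = consumer_sign_request("GET", url, query, "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                                  token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
                                  nonce="kllo9940pd9333jh", timestamp=1191242096)
    sent = {**query, **oauth}
    now = 1191242096 + 5  # provider clock a few seconds after the consumer signed
    first = provider.verify("GET", url, sent, now=now)
    replay = provider.verify("GET", url, sent, now=now)
    tampered = provider.verify("GET", url, {**sent, "size": "thumbnail", "oauth_nonce": "fresh"}, now=now)
    stale = provider.verify("GET", url, {**sent, "oauth_nonce": "later"}, now=1191242096 + 3600)
    return oauth["oauth_signature"], authorization_header(oauth), first, replay, tampered, stale


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The provider recomputes the signature from the parameters it actually received, so any parameter changed in transit (the `size` value above) fails the check; the nonce cache is consulted before the signature so a replay is refused even though its signature is still valid. A real provider would keep the nonce cache for at least the length of the timestamp window, in shared storage rather than one process's memory.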
22. Current Status of OAuth
• oauth.net
• OAuth Core 1.0 Draft 7
• several libraries for consumers and service providers (PHP, Python, Ruby, Perl, C# ...)
• Ma.gnolia and Twitter implementations
• more implementations soon!