SlideShare uma empresa Scribd logo

Maintest3

Transferir como PPTX, PDF
Mohan Kumar Tadikimalla
Mohan Kumar Tadikimalla
Tecnologia
1 de 48
OAuth? Oaths is an authorization standard for API’s that does away with logins and passwords to grant authorization to a third-party
Why OAuth? Every day a new websites are launched which tie services from different sites and offer you
OAuth Definitions Service provider The website or web-service where the restricted resources are located User User have ‘stuff’ they don’t want to make pubic on the service provider but they do want to share it with another site Consumer The name for the application trying access the users resources Protected Resources The ‘stuff’ oauth protects and allow access. Tokens Tokens are used instead of user credentials to access resources
OAuth : Protocol Workflow
Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her faji.com account, and uploads two photos which she marks private. Using OAuth terminology Jane is the User Faji is the Service Provider. The 2 photos Jane uploaded are the Protected Resources. OAuth Example
Jane wants to share them with her grandmother. But grandma doesn’t have an internet connection so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service. Using OAuth terminology, Beppa is the Consumer. Beppa must use OAuth to gain access to the photos in order to print them.
When Beppa added support for Faji photo import, a Beppa developer known in OAuth as a Consumer Developer obtained a Consumer Key and Consumer Secret from Faji to be used with Faji’s OAuth-enabled API. Using OAuth terminology, Consumer Key Consumer secret
Beppa requests from Faji a Request Token. At this point, the Request Token is not User-specific, and can be used by Beppa to gain User approval from Jane to access her private photos. Using OAuth terminology, Request Token
When Beppa receives the Request Token, it redirects Jane to the Faji OAuth User Authorization URL with the Request Token and asks Faji to redirect Jane back once approval has been granted to http://beppa.com/order. Using OAuth terminology, Oauth User Authorization URL Call Back URL
After successfully logging into Faji, Jane is asked to grant access to Beppa, the Consumer. Faji informs Jane of who is requesting access (in this case Beppa) and the type of access being granted. Jane can approve or deny access.
Jane waits for Beppa to present her with her photos fetched from her Faji account.
While Jane waits, Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Jane’s photos. In the first request, Beppa exchanges the Request Token for an Access Token and in the second (can be multiple requests, one for a list of photos, and a few more to get each photo) request gets the photos. Using OAuth terminology, Access Token
Jane is very impressed how Beppa grabbed her photos without asking for her username and password. She likes what she sees and place the print order.
Tokens OAuth uses three types of credentials Client credentials (consumer key and secret) Temporary credentials (request token and secret) Token credentials (access token and secret)
Client Credentials Allows server to authenticate server Allows server to get information about the client Oauth_consumer_key Oauth_consumer_secret
Token Credentials Token credentials are in place of username and password The client uses token credentials to access resource owner protected resource Token credentials are limited in scope and duration Oauth_access_token Oauth_access_secret
Temporary credentials Used to identify the authorization request To accommodate different clients like desktop, mobile etc. Add extra flexibility and security Oauth_token Oauth_token_secret
OAuthSecurity Architecture
Signature and Hash OAuth uses digital signatures instead of sending the full credentials (specifically, passwords) with each request.  The sender uses a mathematical algorithm to calculate the signature of the request and includes it with the request.
Hash Algorithm A common way to sign digital content is using a hash algorithm.  Hashing is the process of taking data (of any size) and condensing it to a much smaller value (digest) in a fully reproducible (one-way) manner This means that using the same hash algorithm on the same data will always produce the same smaller value Hashing usually does not allow going from the smaller value back to the original.
Shared Secret By itself, hashing does not verify the identity of the sender, only data integrity. In order to allow the recipient to verify that the request came from the claimed sender, the hash algorithm is combined with a shared secret If both sides agree on some shared secret known only to them, they can add it to the content being hashed.
Nonce(‘Number used Once’) What is missing is something to prevent requests intercepted by an unauthorized party, usually by sniffing the network, from being reused. This is known as a replay attack. Able to make the same sign request over and over again. To prevent compromised requests from being used again (replayed), OAuth uses a nonce and timestamp. By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once
TimeStamp Using nonces can be very costly for Service Providers as they demand persistent storage of all nonce values received, ever. OAuth adds a timestamp value to each request which allows the Service Provider to only keep nonce values for a limited time. When a request comes in with a timestamp that is older than the retained time frame, it is rejected as the Service Provider no longer has nonces from that time period.
Signature Methods OAuth defines 3 signature methods used to sign and verify requests PLAINTEXT HMAC-SHA1 RSA-SHA1 When signing requests, it is necessary to specify which signature method has been used to allow the recipient to reproduce the signature for verification The decision of which signature method to use depends on the security requirements of each application
Signature Base String Not only must they both use the same algorithm and share secret, but they must sign the same content.  This requires a consistent method for converting HTTP requests into a single string which is used as the signed content — the Signature Base String.. 
Building a reqestToken request requires the following:HTTPMethod,Request URI,oauth_callback,oauth_consumer_key,oauth_nonce,oauth_signature_method,oauth_timestamp and oauth_version Getting the Request Token
Getting the Request Token ,[object Object],[object Object]
Create your Authorization HTTP Header & and Issue the request Now we sign this string using our consumer secret and create an HTTP Authorization header.The signature should be placed in the oauth_signature value Getting the request token
Now we issue this request to the requestTokenendpoint,and if all is sucessful,you will get something like the following URL encoded response: The oauth_token field is now your request token,and the oauth_token_secret will be used for signing your request for an access toen.oaut_callback_confirmed just gives you confirmation the we recogized your oauth_callback parameter You will want to “hold on” to oauth_token and oauth_token_secretuntill you have completed the access token step Evaluate the Request Token
Now that we have a request token,we can build the url to authoriza the user.we will then redirect the user to this url so they can grant your application access. An authorization ur is simply this end point:http://api.linkedIn.com/usas/oauth/authorize with a query parameter tacked on called oauth_token.the value for this parameter is eual to the request token you received in the previous step. The user needs to land on this page within 5 minutes of your request toke cycle.you should not pass an oauth_callbac parameter to this page(you already did that in the reuest token step) Authorizing the member Build your authrization URL
The user will then be sent to our authorization paeg.when completed the user wil either be sent back to your oauth_callback URL or presented with a series of digits they will be instructed to hand-enter into your application(if you are performing out-of-band authentication) Authorizing the member Send the user to LinkedIn’s Authorization PAge
Regardless of whether you used out-of-band authentication or not,you will now be euipped with a request token an oauth_token_secret and an oauth_verfier.you are now going to excahge that request token for an access token,imbued with permission of the linkedIn member to act on their behalf Getting an Access token Prepare your singing secret
Getting the Access Token ,[object Object],[object Object]
Create your Authorization HTTP Header & and Issue the request Now we sign this string using our consumer secret and create an HTTP Authorization header.The signature should be placed in the oauth_signature value Getting the Access token
Now we issue this request to the aceessTokenendpoint,and if all is sucessful,you will get something like the following URL encoded response: The oauth_token field is now your access token,and the auth_toke_secert will be used for signing all reuest on behalf of the member. You will want to “hold on” to oauth_token and oauth_token_secretuntill you have completed the access token step Evaluate the Access Token
Reuesting your own profile ,[object Object],[object Object]
Create your Authorization HTTP Header & and Issue the request Now we sign this string using our consumer secret and create an HTTP Authorization header.The signature should be placed in the oauth_signature value Requesting your own profile
Now we issue this reuest to thew people resource,and if all is sucessful,you will get something like the following XML response,with your own profile values in place of my own If the access token is invalid,or your signature was not properly calculated,youwil receive a 401 Unauthorized error.There is always interesting debugging information in the xml body of failed request and the http headers we return to you.Maybe your timestamp was off by a few minutes?Maybe your signature was invaid?maybe the access token is no longer vaid? Requesting your own profile
Oauth is complicated, and there are a number of things that go wrong. Here are some tips. Every error response we send you will contain an xml body describing the error, including a timestamp representing server time. Some oauth-based requests will LSO RETURN AN OAUTH_PROBLEM HHTP HEADER Make sure that your server’s system clock is in sync with ours Oauth_callback should only be provided on the request token step. Oauth_verifier is required in the access Token. PUT & POST operations typically have xml content-types. your oauth library should exclude the request body in signature calculations as a result. For the access token step, remember that the request tokens oauth_token_secret must be used as part of your signing key Likewise, for ai resource requests, your access tokens oauth_token_secret must be used as part of your signing key. Troubleshootong
Links
Maintest3
Maintest3
Maintest3
Maintest3

Recomendados

MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Maintest2
Maintest2Maintest2
Maintest2Mohan Kumar Tadikimalla
 
Maintest
MaintestMaintest
MaintestMohan Kumar Tadikimalla
 
OAuth
OAuthOAuth
OAuthMohan Kumar Tadikimalla
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OAuth OpenID Connect
OAuth OpenID ConnectOAuth OpenID Connect
OAuth OpenID ConnectLéopold Gault
 

Recomendados

MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Maintest2
Maintest2Maintest2
Maintest2Mohan Kumar Tadikimalla
 
Maintest
MaintestMaintest
MaintestMohan Kumar Tadikimalla
 
OAuth
OAuthOAuth
OAuthMohan Kumar Tadikimalla
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OAuth OpenID Connect
OAuth OpenID ConnectOAuth OpenID Connect
OAuth OpenID ConnectLéopold Gault
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiCory Forsyth
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 

Mais conteúdo relacionado

Mais procurados

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiCory Forsyth
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 

Mais procurados (19)

OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with Torii
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 

Semelhante a Maintest3

Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessidsecconf
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
OAuth: demystified (hopefully)
OAuth: demystified (hopefully)OAuth: demystified (hopefully)
OAuth: demystified (hopefully)Matt Gifford
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
OAuth [noddyCha]
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]noddycha
 

Semelhante a Maintest3 (20)

Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
O auth
O authO auth
O auth
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
OAuth
OAuthOAuth
OAuth
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
Api security
Api security Api security
Api security
 
OAuth: demystified (hopefully)
OAuth: demystified (hopefully)OAuth: demystified (hopefully)
OAuth: demystified (hopefully)
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
OAuth [noddyCha]
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]
 

Último

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Último (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

Maintest3

  • 1. OAuth? Oaths is an authorization standard for API’s that does away with logins and passwords to grant authorization to a third-party
  • 2. Why OAuth? Every day a new websites are launched which tie services from different sites and offer you
  • 3. OAuth Definitions Service provider The website or web-service where the restricted resources are located User User have ‘stuff’ they don’t want to make pubic on the service provider but they do want to share it with another site Consumer The name for the application trying access the users resources Protected Resources The ‘stuff’ oauth protects and allow access. Tokens Tokens are used instead of user credentials to access resources
  • 4. OAuth : Protocol Workflow
  • 5. Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her faji.com account, and uploads two photos which she marks private. Using OAuth terminology Jane is the User Faji is the Service Provider. The 2 photos Jane uploaded are the Protected Resources. OAuth Example
  • 6. Jane wants to share them with her grandmother. But grandma doesn’t have an internet connection so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service. Using OAuth terminology, Beppa is the Consumer. Beppa must use OAuth to gain access to the photos in order to print them.
  • 7. When Beppa added support for Faji photo import, a Beppa developer known in OAuth as a Consumer Developer obtained a Consumer Key and Consumer Secret from Faji to be used with Faji’s OAuth-enabled API. Using OAuth terminology, Consumer Key Consumer secret
  • 8. Beppa requests from Faji a Request Token. At this point, the Request Token is not User-specific, and can be used by Beppa to gain User approval from Jane to access her private photos. Using OAuth terminology, Request Token
  • 9. When Beppa receives the Request Token, it redirects Jane to the Faji OAuth User Authorization URL with the Request Token and asks Faji to redirect Jane back once approval has been granted to http://beppa.com/order. Using OAuth terminology, Oauth User Authorization URL Call Back URL
  • 10. After successfully logging into Faji, Jane is asked to grant access to Beppa, the Consumer. Faji informs Jane of who is requesting access (in this case Beppa) and the type of access being granted. Jane can approve or deny access.
  • 11. Jane waits for Beppa to present her with her photos fetched from her Faji account.
  • 12. While Jane waits, Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Jane’s photos. In the first request, Beppa exchanges the Request Token for an Access Token and in the second (can be multiple requests, one for a list of photos, and a few more to get each photo) request gets the photos. Using OAuth terminology, Access Token
  • 13. Jane is very impressed how Beppa grabbed her photos without asking for her username and password. She likes what she sees and place the print order.
  • 14.
  • 15. Tokens OAuth uses three types of credentials Client credentials (consumer key and secret) Temporary credentials (request token and secret) Token credentials (access token and secret)
  • 16. Client Credentials Allows server to authenticate server Allows server to get information about the client Oauth_consumer_key Oauth_consumer_secret
  • 17. Token Credentials Token credentials are in place of username and password The client uses token credentials to access resource owner protected resource Token credentials are limited in scope and duration Oauth_access_token Oauth_access_secret
  • 18. Temporary credentials Used to identify the authorization request To accommodate different clients like desktop, mobile etc. Add extra flexibility and security Oauth_token Oauth_token_secret
  • 20. Signature and Hash OAuth uses digital signatures instead of sending the full credentials (specifically, passwords) with each request.  The sender uses a mathematical algorithm to calculate the signature of the request and includes it with the request.
  • 21. Hash Algorithm A common way to sign digital content is using a hash algorithm.  Hashing is the process of taking data (of any size) and condensing it to a much smaller value (digest) in a fully reproducible (one-way) manner This means that using the same hash algorithm on the same data will always produce the same smaller value Hashing usually does not allow going from the smaller value back to the original.
  • 22. Shared Secret By itself, hashing does not verify the identity of the sender, only data integrity. In order to allow the recipient to verify that the request came from the claimed sender, the hash algorithm is combined with a shared secret If both sides agree on some shared secret known only to them, they can add it to the content being hashed.
  • 23. Nonce(‘Number used Once’) What is missing is something to prevent requests intercepted by an unauthorized party, usually by sniffing the network, from being reused. This is known as a replay attack. Able to make the same sign request over and over again. To prevent compromised requests from being used again (replayed), OAuth uses a nonce and timestamp. By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once
  • 24. TimeStamp Using nonces can be very costly for Service Providers as they demand persistent storage of all nonce values received, ever. OAuth adds a timestamp value to each request which allows the Service Provider to only keep nonce values for a limited time. When a request comes in with a timestamp that is older than the retained time frame, it is rejected as the Service Provider no longer has nonces from that time period.
  • 25. Signature Methods OAuth defines 3 signature methods used to sign and verify requests PLAINTEXT HMAC-SHA1 RSA-SHA1 When signing requests, it is necessary to specify which signature method has been used to allow the recipient to reproduce the signature for verification The decision of which signature method to use depends on the security requirements of each application
  • 26. Signature Base String Not only must they both use the same algorithm and share secret, but they must sign the same content.  This requires a consistent method for converting HTTP requests into a single string which is used as the signed content — the Signature Base String.. 
  • 27. Building a reqestToken request requires the following:HTTPMethod,Request URI,oauth_callback,oauth_consumer_key,oauth_nonce,oauth_signature_method,oauth_timestamp and oauth_version Getting the Request Token
  • 28.
  • 29. Create your Authorization HTTP Header & and Issue the request Now we sign this string using our consumer secret and create an HTTP Authorization header.The signature should be placed in the oauth_signature value Getting the request token
  • 30. Now we issue this request to the requestTokenendpoint,and if all is sucessful,you will get something like the following URL encoded response: The oauth_token field is now your request token,and the oauth_token_secret will be used for signing your request for an access toen.oaut_callback_confirmed just gives you confirmation the we recogized your oauth_callback parameter You will want to “hold on” to oauth_token and oauth_token_secretuntill you have completed the access token step Evaluate the Request Token
  • 31. Now that we have a request token,we can build the url to authoriza the user.we will then redirect the user to this url so they can grant your application access. An authorization ur is simply this end point:http://api.linkedIn.com/usas/oauth/authorize with a query parameter tacked on called oauth_token.the value for this parameter is eual to the request token you received in the previous step. The user needs to land on this page within 5 minutes of your request toke cycle.you should not pass an oauth_callbac parameter to this page(you already did that in the reuest token step) Authorizing the member Build your authrization URL
  • 32. The user will then be sent to our authorization paeg.when completed the user wil either be sent back to your oauth_callback URL or presented with a series of digits they will be instructed to hand-enter into your application(if you are performing out-of-band authentication) Authorizing the member Send the user to LinkedIn’s Authorization PAge
  • 33.
  • 34.
  • 35. Regardless of whether you used out-of-band authentication or not,you will now be euipped with a request token an oauth_token_secret and an oauth_verfier.you are now going to excahge that request token for an access token,imbued with permission of the linkedIn member to act on their behalf Getting an Access token Prepare your singing secret
  • 36.
  • 37. Create your Authorization HTTP Header & and Issue the request Now we sign this string using our consumer secret and create an HTTP Authorization header.The signature should be placed in the oauth_signature value Getting the Access token
  • 38. Now we issue this request to the aceessTokenendpoint,and if all is sucessful,you will get something like the following URL encoded response: The oauth_token field is now your access token,and the auth_toke_secert will be used for signing all reuest on behalf of the member. You will want to “hold on” to oauth_token and oauth_token_secretuntill you have completed the access token step Evaluate the Access Token
  • 39.
  • 40.
  • 41. Create your Authorization HTTP Header & and Issue the request Now we sign this string using our consumer secret and create an HTTP Authorization header.The signature should be placed in the oauth_signature value Requesting your own profile
  • 42. Now we issue this reuest to thew people resource,and if all is sucessful,you will get something like the following XML response,with your own profile values in place of my own If the access token is invalid,or your signature was not properly calculated,youwil receive a 401 Unauthorized error.There is always interesting debugging information in the xml body of failed request and the http headers we return to you.Maybe your timestamp was off by a few minutes?Maybe your signature was invaid?maybe the access token is no longer vaid? Requesting your own profile
  • 43. Oauth is complicated, and there are a number of things that go wrong. Here are some tips. Every error response we send you will contain an xml body describing the error, including a timestamp representing server time. Some oauth-based requests will LSO RETURN AN OAUTH_PROBLEM HHTP HEADER Make sure that your server’s system clock is in sync with ours Oauth_callback should only be provided on the request token step. Oauth_verifier is required in the access Token. PUT & POST operations typically have xml content-types. your oauth library should exclude the request body in signature calculations as a result. For the access token step, remember that the request tokens oauth_token_secret must be used as part of your signing key Likewise, for ai resource requests, your access tokens oauth_token_secret must be used as part of your signing key. Troubleshootong
  • 44. Links