OAuth (Open Authentication)
• Introduction
• Definitions
• Protocol Workflow
• OAuth Tokens
• Security Architecture
• OAuth and Twitter
• Coding OAuth
• Demo
• Troubleshooting
OAuth?
OAuth is an authorization standard for APIs that does away with logins and passwords to grant authorization to a third party.
Why OAuth?
Every day new websites are launched that tie together services from different sites and offer you
OAuth Definitions
• Service Provider: the website or web service where the restricted resources are located.
• User: users have 'stuff' they don't want to make public on the Service Provider, but they do want to share it with another site.
• Consumer: the name for the application trying to access the User's resources.
• Protected Resources: the 'stuff' OAuth protects and grants access to.
• Tokens: tokens are used instead of user credentials to access resources.
OAuth: Protocol Workflow
OAuth Example
Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her faji.com account and uploads two photos, which she marks private.
Using OAuth terminology:
• Jane is the User.
• Faji is the Service Provider.
• The two photos Jane uploaded are the Protected Resources.
Jane wants to share them with her grandmother. But grandma doesn't have an internet connection, so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service.
Using OAuth terminology:
• Beppa is the Consumer.
• Beppa must use OAuth to gain access to the photos in order to print them.
When Beppa added support for Faji photo import, a Beppa developer (known in OAuth as a Consumer Developer) obtained a Consumer Key and Consumer Secret from Faji to be used with Faji's OAuth-enabled API.
Using OAuth terminology:
• Consumer Key
• Consumer Secret
Beppa requests a Request Token from Faji. At this point, the Request Token is not User-specific, and can be used by Beppa to gain User approval from Jane to access her private photos.
Using OAuth terminology:
• Request Token
When Beppa receives the Request Token, it redirects Jane to the Faji OAuth User Authorization URL with the Request Token and asks Faji to redirect Jane back to http://beppa.com/order once approval has been granted.
Using OAuth terminology:
• OAuth User Authorization URL
• Callback URL
After successfully logging into Faji, Jane is asked to grant access to Beppa, the Consumer. Faji informs Jane of who is requesting access (in this case Beppa) and the type of access being granted. Jane can approve or deny access.
Jane waits for Beppa to present her with her photos fetched from her Faji account.
While Jane waits, Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Jane's photos. In the first request, Beppa exchanges the Request Token for an Access Token; in the second request (which can be multiple requests: one for a list of photos, and a few more to get each photo) it gets the photos.
Using OAuth terminology:
• Access Token
Jane is very impressed by how Beppa grabbed her photos without asking for her username and password. She likes what she sees and places the print order.
OAuth Tokens
OAuth uses three types of credentials:
• Client credentials (consumer key and secret)
• Temporary credentials (request token and secret)
• Token credentials (access token and secret)
Client Credentials
• Allow the server to authenticate the client.
• Allow the server to get information about the client.
• oauth_consumer_key
• oauth_consumer_secret
Token Credentials
• Token credentials are used in place of a username and password.
• The client uses token credentials to access the resource owner's protected resources.
• Token credentials are limited in scope and duration.
• oauth_access_token
• oauth_access_secret
Temporary Credentials
• Used to identify the authorization request.
• Accommodate different clients such as desktop, mobile, etc.
• Add extra flexibility and security.
• oauth_token
• oauth_token_secret
OAuth Security Architecture
Signature and Hash
• OAuth uses digital signatures instead of sending the full credentials (specifically, passwords) with each request.
• The sender uses a mathematical algorithm to calculate the signature of the request and includes it with the request.
Hash Algorithm
• A common way to sign digital content is using a hash algorithm.
• Hashing is the process of taking data (of any size) and condensing it to a much smaller value (digest) in a fully reproducible (one-way) manner.
• This means that using the same hash algorithm on the same data will always produce the same smaller value.
• Hashing usually does not allow going from the smaller value back to the original.
Shared Secret
• By itself, hashing does not verify the identity of the sender, only data integrity.
• To allow the recipient to verify that the request came from the claimed sender, the hash algorithm is combined with a shared secret.
• If both sides agree on some shared secret known only to them, they can add it to the content being hashed.
Nonce ('Number used Once')
• What is missing is something to prevent requests intercepted by an unauthorized party, usually by sniffing the network, from being reused. This is known as a replay attack.
• Without it, an interceptor is able to make the same signed request over and over again.
• To prevent compromised requests from being used again (replayed), OAuth uses a nonce and a timestamp.
• By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once.
Timestamp
• Using nonces alone can be very costly for Service Providers, as it demands persistent storage of every nonce value ever received.
• OAuth adds a timestamp value to each request, which allows the Service Provider to keep nonce values only for a limited time.
• When a request comes in with a timestamp older than the retained time frame, it is rejected, as the Service Provider no longer has nonces from that time period.
Signature Methods
OAuth defines three signature methods used to sign and verify requests:
• PLAINTEXT
• HMAC-SHA1
• RSA-SHA1
When signing requests, it is necessary to specify which signature method has been used, to allow the recipient to reproduce the signature for verification.
The decision of which signature method to use depends on the security requirements of each application.
Signature Base String
• Not only must both sides use the same algorithm and shared secret, they must also sign the same content.
• This requires a consistent method for converting an HTTP request into a single string that is used as the signed content: the Signature Base String.
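The signing and verification described on the Signature, Nonce, Timestamp and Signature Base String slides, as an added example that is not code from the slides: the Consumer builds the base string and HMAC-SHA1 signature, and the Service Provider recomputes it after the timestamp window and nonce checks. All keys, secrets, nonces and the faji.example URL are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit, urlunsplit

def percent_encode(value):
    # OAuth requires RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # METHOD & encode(base URL) & encode(sorted "key=value" pairs joined by "&"):
    # the one string the Consumer signs and the Service Provider recomputes.
    parts = urlsplit(url)
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key is "consumer secret & token secret"; the token secret is empty on
    # the request-token step and is the request/access token secret afterwards.
    key = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class ServiceProvider:
    """Faji-side check: timestamp window, nonce uniqueness, then the signature."""

    def __init__(self, consumer_secret, token_secret="", window=300):
        self.consumer_secret, self.token_secret = consumer_secret, token_secret
        self.window = window      # seconds of clock skew tolerated
        self.seen_nonces = {}     # (consumer key, nonce) -> timestamp, pruned below

    def verify(self, method, url, params, signature, now):
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return "stale timestamp"   # no nonces are retained that far back
        # Forget nonces older than the window so storage stays bounded.
        self.seen_nonces = {k: t for k, t in self.seen_nonces.items() if now - t <= self.window}
        nonce_key = (params["oauth_consumer_key"], params["oauth_nonce"])
        if nonce_key in self.seen_nonces:
            return "replayed nonce"
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        self.seen_nonces[nonce_key] = ts   # remember the nonce only for valid requests
        return "ok"

def demo(now=1318622958):
    # Constructed Beppa -> Faji request from the deck's scenario; all values are samples.
    params = {"album": "vacation 2011", "oauth_consumer_key": "beppa-consumer-key",
              "oauth_nonce": "a1b2c3d4", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(now), "oauth_token": "jane-access-token",
              "oauth_version": "1.0"}
    method, url = "GET", "https://faji.example/photos"
    sig = hmac_sha1_signature(signature_base_string(method, url, params),
                              "beppa-secret", "jane-token-secret")
    faji = ServiceProvider("beppa-secret", "jane-token-secret")
    first = faji.verify(method, url, params, sig, now)            # "ok"
    replay = faji.verify(method, url, params, sig, now + 1)       # same nonce: "replayed nonce"
    forged = faji.verify(method, url, dict(params, album="all", oauth_nonce="zz"), sig, now)
    stale = faji.verify(method, url, params, sig, now + 3600)     # "stale timestamp"
    return first, replay, forged, stale                           # forged -> "bad signature"
```

The nonce is recorded only after the signature passes, so an unauthenticated sender cannot fill the nonce store with values that would later block a legitimate request.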
Getting the Request Token
Building a request token request requires the following:
• HTTP method
• Request URI
• oauth_callback
• oauth_consumer_key
• oauth_nonce
• oauth_signature_method
• oauth_timestamp
• oauth_version
Getting the Request Token
[slide image: the signature base string built from the parameters above]
Getting the Request Token: create your Authorization HTTP header and issue the request
Now we sign this string using our consumer secret and create an HTTP Authorization header. The signature should be placed in the oauth_signature value.
Evaluate the Request Token
Now we issue this request to the request token endpoint, and if all is successful you will get something like the following URL-encoded response.
The oauth_token field is now your request token, and the oauth_token_secret will be used for signing your request for an access token. oauth_callback_confirmed just gives you confirmation that we recognized your oauth_callback parameter.
You will want to 'hold on' to oauth_token and oauth_token_secret until you have completed the access token step.
Authorizing the member: build your authorization URL
Now that we have a request token, we can build the URL to authorize the user. We will then redirect the user to this URL so they can grant your application access.
An authorization URL is simply this endpoint, https://api.twitter.com/oauth/authorize, with a query parameter tacked on called oauth_token. The value of this parameter is equal to the request token you received in the previous step.
The user needs to land on this page within 5 minutes of your request token cycle. You should not pass an oauth_callback parameter to this page (you already did that in the request token step).
https://api.twitter.com/oauth/authorize?oauth_token=O6npS44e8ZPQfVcYfHVTGXtnLVBQ4xn8Wu2eBFtPNQ
Authorizing the member: send the user to the Twitter authorization page
The user will then be sent to our authorization page. When completed, the user will either be sent back to your oauth_callback URL or presented with a series of digits they will be instructed to hand-enter into your application (if you are performing out-of-band authentication).
Getting an Access Token: prepare your signing secret
Regardless of whether you used out-of-band authentication or not, you will now be equipped with a request token, an oauth_token_secret and an oauth_verifier. You are now going to exchange that request token for an access token, imbued with permission of the Twitter member to act on their behalf.
Getting the Access Token
[slide image: the signature base string for the access token request]
Getting the Access Token: create your Authorization HTTP header and issue the request
Now we sign this string using our request token secret and create an HTTP Authorization header. The signature should be placed in the oauth_signature value.
Evaluate the Access Token
Now we issue this request to the access token endpoint, and if all is successful you will get something like the following URL-encoded response.
The oauth_token field is now your access token, and the oauth_token_secret will be used for signing all requests on behalf of the member.
You will want to 'hold on' to oauth_token and oauth_token_secret until you have completed the access token step.
Demo: Get followers/ids
XML Response
Troubleshooting
OAuth is complicated, and there are a number of things that can go wrong. Here are some tips.
• Every error response we send you will contain an XML body describing the error, including a timestamp representing server time. Some OAuth-based requests will also return an OAUTH_PROBLEM HTTP header.
• Make sure that your server's system clock is in sync with ours.
• oauth_callback should only be provided on the request token step.
• oauth_verifier is required in the access token step.
• PUT and POST operations typically have XML content types. Your OAuth library should exclude the request body from signature calculations as a result.
• For the access token step, remember that the request token's oauth_token_secret must be used as part of your signing key.
• Likewise, for all resource requests, your access token's oauth_token_secret must be used as part of your signing key.
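The three steps from "Getting the Request Token" through "Evaluate the Access Token", with the troubleshooting rules above enforced in code, as an added example that is not code from the slides: it prepares the per-step oauth_* parameters and signing key, parses the provider's URL-encoded token responses, and builds the authorize URL; computing the signature itself is left to the OAuth library, as the deck assumes. The request_token and access_token endpoint paths and all keys, secrets and nonces are assumed sample values; only the authorize URL and the http://beppa.com/order callback come from the deck.

```python
from urllib.parse import parse_qs, quote, urlencode

# Assumed endpoint paths (the deck names the endpoints but only gives the authorize URL).
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def signing_key(consumer_secret, token_secret=""):
    # Always "consumer secret & token secret"; which token secret goes in depends on the step.
    return quote(consumer_secret, safe="-._~") + "&" + quote(token_secret, safe="-._~")

def parse_token_response(body):
    # Provider responses are URL-encoded bodies, e.g. oauth_token=...&oauth_token_secret=...
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}

class ThreeLeggedClient:
    def __init__(self, consumer_key, consumer_secret, callback):
        self.consumer_key, self.consumer_secret, self.callback = consumer_key, consumer_secret, callback
        self.request_token = self.request_token_secret = None
        self.access_token = self.access_token_secret = None

    def _common(self, nonce, timestamp):
        return {"oauth_consumer_key": self.consumer_key, "oauth_nonce": nonce,
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
                "oauth_version": "1.0"}

    def request_token_step(self, nonce, timestamp):
        # Step 1: oauth_callback is sent here and only here; no token secret exists yet.
        params = dict(self._common(nonce, timestamp), oauth_callback=self.callback)
        return "POST", REQUEST_TOKEN_URL, params, signing_key(self.consumer_secret)

    def store_request_token(self, body):
        fields = parse_token_response(body)
        if fields.get("oauth_callback_confirmed") != "true":
            raise ValueError("provider did not confirm oauth_callback")
        self.request_token = fields["oauth_token"]
        self.request_token_secret = fields["oauth_token_secret"]   # held until step 3
        # The user is redirected here; the authorize URL carries no oauth_callback.
        return AUTHORIZE_URL + "?" + urlencode({"oauth_token": self.request_token})

    def access_token_step(self, verifier, nonce, timestamp):
        # Step 3: oauth_verifier is required and the request token secret joins the key.
        if not verifier or self.request_token is None:
            raise ValueError("access token step needs an approved request token and oauth_verifier")
        params = dict(self._common(nonce, timestamp), oauth_token=self.request_token,
                      oauth_verifier=verifier)
        return "POST", ACCESS_TOKEN_URL, params, signing_key(self.consumer_secret,
                                                              self.request_token_secret)

    def store_access_token(self, body):
        fields = parse_token_response(body)
        self.access_token, self.access_token_secret = fields["oauth_token"], fields["oauth_token_secret"]
        self.request_token = self.request_token_secret = None     # request token is spent

    def resource_request(self, method, url, nonce, timestamp):
        # Every API call on the member's behalf is keyed with the access token secret.
        params = dict(self._common(nonce, timestamp), oauth_token=self.access_token)
        return method, url, params, signing_key(self.consumer_secret, self.access_token_secret)
```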
References
• http://oauth.net/
• http://hueniverse.com/oauth/
• http://developer.yahoo.com/oauth/
• http://dev.twitter.com/pages/oauth_faq