#dd12 OAuth for Domino Developers
1. OAuth for the Domino Developer
Julian Robichaux, panagenda
2. Too Many Logins
• Every website has its own login
• How many different web accounts do you have?
– 5, 10, 20... ???
– I have 4 different accounts on IBM.com!
• Very annoying, and bad security
– You re-use passwords or write them down
3. Single-Sign On
• Why isn’t there a global single-sign on (SSO)?
• It would be great to have one account that logs in to everything
– Google wants that. So does Facebook.
• Problems:
– If someone hacks the “master” account, they can log in everywhere
– Websites want user information for marketing
4. The Password Problem
• What if we share logins on multiple websites?
• Where do you login?
– If you “give” your password to one website so it can validate your account on a different website, that is a big security problem
– If you are already logged in to one website, how does another website know who you are?
24. What Did We Learn?
• Tony and Frank did NOT have to share their list of customers (logins)
• All they needed was a token and a signature
– Frank knew what the token looks like
– Tony knew what the signature looks like
• Natalie never had to give her personal information (name & password) to Tony
25. Why the Timestamp?
• The timestamp means the token is good NOW
• That way you can’t re-use a token from yesterday, or last week, or whatever the time-out period is
• It also shows that Natalie was STILL on Frank’s friend list
(Example token timestamp from the story: 01-01-12 19:00)
27. 3-Legged OAuth (the diagram is built up one step at a time on slides 27 to 36)
Three parties: User; Consumer (website you want to visit); Service Provider (where your account lives)
#1: Create a Request Token
#2: Go to a website
#3: Receive the Request Token, get redirected to the Service Provider
#4: Log in to the Service Provider, Request Token is now Authorized (timestamp 01-01-12 19:00)
#5: Okay, you’re authenticated
#6: Get an Access Token (if access to user info is allowed)
We are authorized. Let’s work.
37. OAuth Goals
• Do NOT send or share passwords
• Access should be limited
– How much user data can be seen?
– How long does the access last?
• Access can be revoked
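The six steps of the dance and the goals on slide 37 (no password sharing, limited access, revocation) as a runnable walkthrough. This is an added example, not code from the deck or from the ExtLib/Social Business Toolkit project: the ServiceProvider class, its in-memory token stores, the user “natalie”, the consumer “tony-website” and every secret are constructed for the demo, and request signing is left out so that the token lifecycle itself stays visible.

```python
import hmac
import secrets
import time


class ServiceProvider:
    """Where the user's account lives (a constructed stand-in, not Dropbox)."""

    def __init__(self, access_lifetime=3600):
        self.consumers = {}       # consumer key -> consumer secret (registered apps)
        self.accounts = {}        # username -> password plus profile fields
        self.request_tokens = {}  # temporary tokens; deleted when exchanged
        self.access_tokens = {}   # longer-lived tokens; deleted when revoked
        self.access_lifetime = access_lifetime   # "how long does the access last?"

    def issue_request_token(self, consumer_key):
        """#1: the Consumer asks for a Request Token before it knows who the user is."""
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"consumer": consumer_key, "secret": secret,
                                      "user": None, "authorized_at": None, "verifier": None}
        return token, secret

    def authorize(self, request_token, username, password, now=None):
        """#3/#4: the user logs in HERE, so the Consumer never sees the password."""
        entry = self.request_tokens.get(request_token)
        if entry is None:
            raise PermissionError("unknown request token")
        account = self.accounts.get(username)
        if account is None or not hmac.compare_digest(account["password"], password):
            raise PermissionError("bad login")
        entry.update(user=username, authorized_at=now or time.time(),
                     verifier=secrets.token_hex(4))
        return entry["verifier"]   # goes back to the Consumer with the redirect

    def exchange_for_access_token(self, consumer_key, request_token, verifier, scope):
        """#5/#6: swap the authorized Request Token for an Access Token (single use)."""
        entry = self.request_tokens.pop(request_token, None)
        if entry is None or entry["consumer"] != consumer_key:
            raise PermissionError("request token not valid for this consumer")
        if entry["authorized_at"] is None or entry["verifier"] != verifier:
            raise PermissionError("request token was never authorized")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"consumer": consumer_key, "secret": secret,
                                     "user": entry["user"], "scope": set(scope),
                                     "issued_at": entry["authorized_at"]}
        return token, secret

    def get_user_info(self, access_token, field, now=None):
        """Protected resource: limited by scope, by lifetime, and by revocation."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            raise PermissionError("access token unknown or revoked")
        if (now or time.time()) - entry["issued_at"] > self.access_lifetime:
            raise PermissionError("access token expired")
        if field not in entry["scope"]:
            raise PermissionError(f"scope does not allow '{field}'")
        return self.accounts[entry["user"]][field]

    def revoke(self, access_token):
        self.access_tokens.pop(access_token, None)


def run_dance(now=1_325_444_400.0):
    """Walk the six steps, then try the things the provider must refuse.
    Default 'now' is 2012-01-01 19:00 UTC, the slides' timestamp; all data is constructed."""
    sp = ServiceProvider(access_lifetime=3600)
    sp.consumers["tony-website"] = "tony-secret"
    sp.accounts["natalie"] = {"password": "hunter2", "email": "natalie@example.com",
                              "files": ["taxes.pdf"]}

    req_token, _ = sp.issue_request_token("tony-website")               # #1
    verifier = sp.authorize(req_token, "natalie", "hunter2", now=now)   # #2-#4
    acc_token, _ = sp.exchange_for_access_token(                        # #5-#6
        "tony-website", req_token, verifier, scope={"email"})

    def attempt(call):
        try:
            return call()
        except PermissionError as exc:
            return f"denied: {exc}"

    outcome = {
        "email": attempt(lambda: sp.get_user_info(acc_token, "email", now=now)),
        "files": attempt(lambda: sp.get_user_info(acc_token, "files", now=now)),
        "reuse_request_token": attempt(lambda: sp.exchange_for_access_token(
            "tony-website", req_token, verifier, scope={"email"})),
        "after_expiry": attempt(lambda: sp.get_user_info(acc_token, "email", now=now + 7200)),
    }
    sp.revoke(acc_token)
    outcome["after_revoke"] = attempt(lambda: sp.get_user_info(acc_token, "email", now=now))
    return outcome


if __name__ == "__main__":
    for step, result in run_dance().items():
        print(f"{step}: {result}")
```

The request token is removed from the store the moment it is exchanged, so the same token cannot be turned into a second access token; scope, lifetime and revocation are all enforced at the point where user data is read, which is where the slide’s “access should be limited” and “access can be revoked” goals actually bite.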
38. Data Transmission
• How do the tokens get passed from client to server?
• Depends on the server. Options include:
– URL query string parameters
– POST requests
– Cookies
• You should always use HTTPS
39. OAuth Security
• Token signatures and shared secrets
– Trust the cryptography
• Two different kinds of tokens (request and access)
• Nonces (Number used ONCE) and timestamps to prevent replay attacks
• User information is not shared (unless that’s part of what’s being authorized)
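How a Service Provider checks a signed request: the HMAC-SHA1 signature over a shared secret, the timestamp window from slide 25, and the one-time nonce from slide 39, with parameters accepted from either the URL query string or a form-encoded POST body as slide 38 describes. This is an added example, not code from the deck or from the ExtLib project: pct, base_string, hmac_sha1_signature, sign_request and ReplayAwareVerifier are helpers written here following the HMAC-SHA1 method of RFC 5849, and the host frank.example, the secrets and the nonces are made up for the demo.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(value):
    """Percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string of RFC 5849 section 3.4.1 (helper written for this example)."""
    scheme, host, path, _query, _fragment = urlsplit(url)
    base_url = urlunsplit((scheme.lower(), host.lower(), path, "", ""))
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer secret and token secret joined by '&'; output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token, token_secret, timestamp, nonce):
    """Consumer side: attach the oauth_* parameters and signature as a query string."""
    all_params = list(params) + [
        ("oauth_consumer_key", consumer_key), ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(timestamp)),
        ("oauth_nonce", nonce), ("oauth_version", "1.0"),
    ]
    signature = hmac_sha1_signature(method, base_url, all_params, consumer_secret, token_secret)
    all_params.append(("oauth_signature", signature))
    return base_url + "?" + "&".join(f"{pct(k)}={pct(v)}" for k, v in all_params)


class ReplayAwareVerifier:
    """Service Provider side: freshness window, one-time nonce, then the signature."""

    def __init__(self, consumer_secret, token_secret, window=300):
        self.consumer_secret, self.token_secret = consumer_secret, token_secret
        self.window = window
        self.seen = set()   # (timestamp, nonce) pairs accepted inside the window

    def verify(self, method, url, body="", now=None):
        now = time.time() if now is None else now
        # Parameters may arrive in the query string or in a form-encoded POST body.
        params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        params += parse_qsl(body, keep_blank_values=True)
        given = dict(params)
        try:
            ts = int(given["oauth_timestamp"])
            nonce, presented = given["oauth_nonce"], given["oauth_signature"]
        except (KeyError, ValueError):
            return False, "missing oauth parameters"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        if (ts, nonce) in self.seen:
            return False, "nonce already used"
        expected = hmac_sha1_signature(method, url, params,
                                       self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
        self.seen.add((ts, nonce))   # recorded only after the signature passed
        return True, "ok"


def demo(now=1_325_444_400):
    """Constructed exchange: one good call, then the calls a server must reject.
    Default 'now' is 2012-01-01 19:00 UTC, the slides' timestamp; secrets are made up."""
    consumer_secret, token_secret = "tony-secret", "natalie-token-secret"
    frank = ReplayAwareVerifier(consumer_secret, token_secret, window=300)

    def signed(timestamp, nonce):
        return sign_request("GET", "https://frank.example/friends", [("user", "natalie")],
                            "tony-website", consumer_secret, "tok-1", token_secret,
                            timestamp, nonce)

    fresh = signed(now, "n0nce-1")
    tampered = signed(now, "n0nce-3").replace("user=natalie", "user=frank")
    return {
        "fresh": frank.verify("GET", fresh, now=now),
        "replayed": frank.verify("GET", fresh, now=now + 10),
        "yesterday": frank.verify("GET", signed(now - 86400, "n0nce-2"), now=now),
        "tampered": frank.verify("GET", tampered, now=now),
    }
```

The order of the checks is deliberate: the cheap timestamp and nonce tests run before the HMAC, but a nonce is only remembered once the signature has verified, so unsigned junk cannot be used to burn nonces a legitimate consumer is about to present. The seen set should be pruned of entries older than the window, which is what makes the timestamp and the nonce work together rather than either one alone.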
40. Who Uses OAuth?
• OAuth Core 1.0
– Created in 2006
– Published December 2007
– Finalized April 2010 (RFC 5849)
• OAuth 2.0
– Currently being standardized
– Some sites are already using it
• Used by: Google, Facebook, Twitter, Flickr, Yahoo, Amazon AWS, TripIt, Instagram, Evernote, and more...
41. What’s in OAuth 2.0?
• Based on more use-cases and lessons learned
• Better for mobile app developers
– It’s hard to do OAuth redirection on mobile
– New “2-Legged” OAuth models are easier
• Simplified signature process
• Refreshable tokens
• Easier to scale on the server side
42. OAuth on Lotus Domino
• Great code already written by Niklas Heidloff and Philippe Riand from IBM (geniuses)
• Free! Open-source! On OpenNTF.org
– Old version: http://socialenabler.openntf.org
• New version in the XPages Extension Library
– http://extlib.openntf.org
43. In The Toolkit
• ExtLib plugins
– Contain code and wrappers for using OAuth
• WebSecurityStore.ntf template
– Set up and store OAuth tokens
• XPagesSBT.nsf database
– Examples for accessing Dropbox, Facebook, Twitter, LotusLive, and more!
44. Setting Up The Toolkit
• Detailed instructions in “Appendix A” of these slides
• Basic overview:
– Lotus Domino server 8.5.3 or higher
– Create an UpdateSite for the ExtLib plugins
– Create and configure WebSecurityStore.nsf
– Look at the examples in XPagesSBT.nsf
47. Lotus-Specific
• http://extlib.openntf.org
• Niklas Heidloff’s demo of an older version of the Social Business Toolkit: http://www.youtube.com/watch?v=UAmgqP20Okw
• Lotusphere 2012 sessions AD104 & AD105
• Matt White’s example of connecting to Facebook with OAuth: http://mattwhite.me/blog/2010/10/20/how-to-get-sso-for-facebook-working-with-xpages.html
48. Appendix A: Setting up the XPages Extension Library to access Dropbox
(You can read this later)
50. Step 2: Set Up ExtLib
• Make sure you’re running Domino 8.5.3+
• Follow the excellent instructions at: http://www-10.lotus.com/ldd/ddwiki.nsf/dx/XPages_Extension_Library_Deployment
– Create an Update Site database
– Import plugins
– Add notes.ini variable
– Restart HTTP task
51. Step 3: WebSecurityStore.ntf
• Copy WebSecurityStore.ntf to the Domino data directory
• Sign the NTF with an administrator ID
• Create a WebSecurityStore.nsf database from the template
– Use the exact name WebSecurityStore.nsf
– Use the root Domino data directory (not a subdirectory)
53. [Screenshot: OAuth Token Store Template (WebSecurityStore.ntf); callout: no subdirectory; must be named WebSecurityStore.nsf]
54. Step 4: Get a Dropbox App ID
• Go to http://www.dropbox.com/developers
– “My Apps”
– Accept license agreement
– “Create an App”
• Fill out information for your custom App ID
– Used for generating tokens for your app
– Access type must be “Full Dropbox” for this
55. [Screenshot of the Dropbox app settings; callouts: you will need these later; important: use “Full Dropbox”]
56. Step 5: Add a Token
• Open http://your.server/websecuritystore.nsf/KeysApplications.xsp
• Click the “Add Token” button:
– App ID=XPagesSBT, Service Name=Dropbox
– Add your Dropbox Consumer Key and Secret
– Use redirection URLs from Dropbox: https://www.dropbox.com/developers/reference/api
57. [Screenshot of the Add Token form: App ID = XPagesSBT; Service Name = Dropbox; Key Type = HMAC-SHA1; Uri values from https://www.dropbox.com/developers/reference/api]
58. Step 6: XPagesSBT.nsf
• Copy the XPagesSBT.nsf database to your Domino server (name and location do not matter)
– It is in the zip of ExtLib files you downloaded from OpenNTF
• Sign it with an administrator ID
59. Step 7: Try It Out!
• Go to: http://your.server/XPagesSBT.nsf/DropboxFiles.xsp
• You should be prompted to log in to Dropbox...
– Log in
– Authorize the XPages app
– View your Dropbox files in XPages
63. Watch the OAuth Dance
• If you want to see what’s going on with your OAuth tokens when you log in
• Open http://your.server/XPagesSBT.nsf/DropboxOauth.xsp
– Shows token information read in from WebSecurityStore.nsf
– Add, delete, and renew tokens
65. Overriding Defaults
• Default name & location for WebSecurityStore.nsf is in the faces-config.xml file of XPagesSBT.nsf
• Default app ID & service name for Dropbox is also in faces-config.xml of XPagesSBT.nsf
• If you change your consumer keys or secrets in WebSecurityStore.nsf, you might need to restart the server and browser to make sure all the old information goes away
67. XPages ExtLib Book
• More information on using the OAuth custom controls and plugins in the “XPages Extension Library” book at IbmPressBooks.com