4. A simple open standard for secure API authentication.
http://oauth.net
5. The (API) Love Triangle
End User
Web Service (“Service Provider”)
3rd Party App (“Consumer Application”)
6. Specifically OAuth is...
Authentication
Need to log in to access parts of a website, ex: post a message, add a friend, view private data
Token-based Authentication
Logged-in user has a unique token used to access data from the site
7. Just like...
‣ Flickr Auth
‣ Google’s AuthSub
‣ Yahoo’s BBAuth
‣ Facebook Auth
‣ and others...
10. Goals
Be Simple
‣ standard for website API authentication
‣ consistent for developers
‣ easy for end users to understand *
* this is hard
11. Goals
Be Secure
‣ secure for end users
‣ easy to implement security features
‣ 3rd party developers don’t have access to passwords
‣ balance security with ease of use
12. Goals
Be Open
‣ any website can implement OAuth
‣ any 3rd party developer can use OAuth
‣ open source client libraries
‣ community-designed technical specifications
13. Goals
Be Flexible
‣ authentication method agnostic
‣ don’t need a username and password
‣ can use OpenID
‣ 3rd party developers don’t handle auth
15. OAuth Setup
‣ Service provider gives documentation of endpoint URLs and signature method
‣ Consumer registers an application with the service provider and gets a consumer key/secret
24. Basic Authorization Process
1. Obtain request token
2. User authorizes request token
3. Exchange request token for access token
4. Use access token to obtain protected resources
25. Where is this information passed?
‣ HTTP Authorization header
‣ HTTP POST request body (form parameters)
‣ URL query string parameters
26. Timestamp and nonce
oauth_timestamp
‣ seconds since Unix epoch
‣ must be greater than last request
oauth_nonce
‣ “number used once”
‣ ensure unique requests
29. Security considerations
‣ PLAINTEXT needs to be encrypted
‣ Secrecy of consumer secret (desktop consumers)
‣ Phishing attacks
‣ Repeat authorizations
‣ and more...
30. Session fixation attack
Attacker gets victim to authorize attacker’s request token.
April 2009
http://oauth.net/advisories/2009-1
31. 1.0a
‣ Consumer must specify oauth_callback during the request token phase
‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification
‣ oauth_verifier used when exchanging request token for access token
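As an added example (not from the slides), a minimal service-provider-side model of the timestamp/nonce replay check from slide 26 and the 1.0a request-token, oauth_verifier, access-token flow from slide 31. Class and method names, token formats and the in-memory stores are assumptions for illustration; the verifier reaches the consumer only through the callback registered at request-token time, so a party that did not receive it cannot complete the exchange.

```python
import secrets

class ServiceProvider:
    """Hypothetical OAuth 1.0a service provider state (example code, not a library)."""
    def __init__(self):
        self.request_tokens = {}  # token -> {consumer, callback, verifier}
        self.access_tokens = {}   # access token -> consumer key
        self.seen = {}            # consumer key -> (last timestamp, set of nonces)

    def check_freshness(self, consumer_key, oauth_timestamp, oauth_nonce):
        """Reject a timestamp earlier than the consumer's last one and any reused
        oauth_nonce; together these refuse replayed requests (slide 26)."""
        last_ts, nonces = self.seen.setdefault(consumer_key, (0, set()))
        if oauth_timestamp < last_ts or oauth_nonce in nonces:
            return False
        nonces.add(oauth_nonce)
        self.seen[consumer_key] = (max(last_ts, oauth_timestamp), nonces)
        return True

    def issue_request_token(self, consumer_key, oauth_callback):
        """1.0a: the consumer states oauth_callback up front; the provider binds it
        to the request token and answers oauth_callback_confirmed=true."""
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key,
                                      "callback": oauth_callback, "verifier": None}
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}

    def authorize(self, token):
        """User approves the token; the provider mints oauth_verifier and delivers it
        only to the bound callback (the redirect is simulated by the return value)."""
        rec = self.request_tokens[token]
        rec["verifier"] = secrets.token_hex(8)
        return rec["callback"], rec["verifier"]

    def exchange(self, consumer_key, token, oauth_verifier):
        """Exchange succeeds only for the registered consumer presenting the verifier
        that was sent to its callback; the request token is consumed on success."""
        rec = self.request_tokens.get(token)
        if (rec is None or rec["consumer"] != consumer_key or rec["verifier"] is None
                or not secrets.compare_digest(rec["verifier"], oauth_verifier or "")):
            return None
        del self.request_tokens[token]
        access = secrets.token_hex(8)
        self.access_tokens[access] = consumer_key
        return access
```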
32. Current status
‣ 1.0 final (Dec 2007)
‣ 1.0a (24 June 2009)
‣ IETF draft phase
‣ 2.0 coming soon!
‣ Lots of client libraries
46. Discovery
‣ white-lists
‣ HTML head item
<link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed?url=http%3A//www.youtube.com/watch?v%3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks & Molests Al Roker on Today Show" />