Leah Culver
Six Apart

OAuth and OEmbed
Dec 2009
‣   Pownce
‣   Six Apart
‣   OAuth co-author
‣   OAuth Python library
‣   OEmbed co-author
A simple open standard for secure API authentication.

http://oauth.net
The (API) Love Triangle

                  End User
                 /        \
      Web Service -------- 3rd Party App
  “Service Provider”    “Consumer Application”
Specifically OAuth is...
   Authentication
   Need to log in to access parts of a website
   ex: post a message, add a friend, view private
   data

   Token-based Authentication
   The logged-in user authorizes the 3rd party app;
   the app receives a token tied to that user (and to
   its own consumer key) and uses the token, never the
   user's password, to access data from the site
Just like...

‣   Flickr Auth
‣   Google’s AuthSub
‣   Yahoo’s BBAuth
‣   Facebook Auth
‣   and others...
Who is involved?
Goals


Be Simple
‣ standard for website API authentication
‣ consistent for developers
‣ easy for end users to understand *

* this is hard
Goals


Be Secure
‣ secure for end users
‣ easy to implement security features
‣ 3rd party developers don’t have access
to passwords
‣ balance security with ease of use
Goals


Be Open
‣ any website can implement OAuth
‣ any 3rd party developer can use OAuth
‣ open source client libraries
‣ community-designed technical
specifications
Goals


Be Flexible

 ‣ authentication method agnostic
 ‣ don’t need a username and password
 ‣ can use OpenID
 ‣ 3rd party developers don’t handle auth
OAuth Setup

‣ Service provider gives
  documentation of endpoint URLs
  and signature method

‣ Consumer registers an application
  with the service provider and gets
  a consumer key/secret
OAuth Flow
1. Obtain request token

Request                       Response
oauth_consumer_key            oauth_token
oauth_signature_method        oauth_token_secret
oauth_signature               oauth_callback_confirmed
oauth_timestamp
oauth_nonce
oauth_version (optional)
oauth_callback

oauth_callback is the consumer URL the user will be
returned to (or "oob" for a consumer that cannot
receive a callback). It is sent here, inside a signed
request, so nobody can substitute a different callback
later in the flow.
2. User authorizes request token

Request                       Response
oauth_token (optional)        oauth_token
                              oauth_verifier

The user logs in at the service provider and approves
the request token. The provider then redirects the
user's browser to the oauth_callback from step 1 with
oauth_token and oauth_verifier (or displays the
verifier to the user for an "oob" consumer).
3. Exchange request token for access token

Request                       Response
oauth_consumer_key            oauth_token
oauth_token                   oauth_token_secret
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
oauth_verifier

Signed with the consumer secret and the request token
secret. oauth_callback is not sent again here; the
oauth_verifier received in step 2 is required.
4. Use access token to obtain protected resources

Request                       Response
oauth_consumer_key            ... protected resources
oauth_token
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
Basic Authorization Process
            1. Obtain request token

            2. User authorizes
            request token

            3. Exchange request token
            for access token

            4. Use access token to
            obtain protected resources
Where is this information
       passed?

‣ HTTP Authorization header
‣ HTTP POST request body (form
  parameters)
‣ URL query string parameters
Timestamp and nonce
oauth_timestamp
‣ seconds since Unix epoch
‣ must be equal to or greater than the timestamp
  of the consumer's previous requests; providers
  also reject timestamps too far from their own clock

oauth_nonce
‣ “number used once”: a random string, unique for
  each consumer/token/timestamp combination
‣ the provider remembers accepted nonces and
  rejects a repeat, so a captured request cannot
  be replayed
Signature methods
oauth_signature_method
‣ HMAC-SHA1: keyed with consumer secret &
  token secret (each URL-encoded)
‣ RSA-SHA1: consumer signs with its private key,
  service provider verifies with the registered
  public key
‣ PLAINTEXT: the secrets themselves are sent as
  the signature, so only usable over SSL

oauth_signature
‣ string constructed based on signature method,
  computed over the Signature Base String: HTTP
  method, base request URL, and the sorted,
  encoded request parameters (query string, form
  body and the oauth_* parameters)
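The signing and verification described on the last two slides, as an added example (not code from the deck, and not the OAuth Python library): the consumer builds the Signature Base String, signs it with HMAC-SHA1 and emits an Authorization header; the service provider parses the header and applies the checks behind the 400/401 responses, including the timestamp window and nonce replay rejection. The Provider class, its in-memory tables and its 300-second window are this example's own design; the consumer key, secrets, nonce and timestamp used in the usage note are the sample values from the OAuth 1.0 specification's appendix example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlparse


def pct(value):
    # OAuth percent-encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay bare, hex is uppercase
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default ports dropped, query string removed."""
    u = urlparse(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path}"


def normalize_params(params):
    """Encode every name and value, sort by name then value, join with '&'."""
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))


def signature_base_string(method, url, params):
    """params: decoded (name, value) pairs from the form body plus the oauth_* parameters.
    Query-string parameters are taken from the URL; oauth_signature itself is never signed."""
    query = parse_qsl(urlparse(url).query, keep_blank_values=True)
    signed = [(k, v) for k, v in query + list(params) if k != "oauth_signature"]
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(signed))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret (each encoded); token_secret is empty in step 1."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, form_params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Consumer side: build the oauth_* parameters, sign, return the Authorization header value."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),   # fresh random nonce for every request
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, list(form_params) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_auth_header(header):
    """'OAuth k="v", ...' -> dict of decoded values; realm is not an OAuth parameter and is dropped."""
    body = header[len("OAuth "):] if header.startswith("OAuth ") else ""
    params = {}
    for part in body.split(","):
        name, _, value = part.strip().partition("=")
        if name and name != "realm":
            params[name] = unquote(value.strip().strip('"'))
    return params


class Provider:
    """Service-provider side (this example's own design): the checks behind the 400/401 slide."""
    REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature",
                "oauth_timestamp", "oauth_nonce")

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # request/access token -> token_secret
        self.window = window         # tolerated clock skew, seconds
        self.seen = set()            # (consumer_key, token, timestamp, nonce) already accepted

    def verify(self, method, url, form_params, auth_header, now=None):
        p = parse_auth_header(auth_header)
        if any(name not in p for name in self.REQUIRED):
            return 400, "missing required parameter"
        if p["oauth_signature_method"] != "HMAC-SHA1":
            return 400, "unsupported signature method"
        consumer_secret = self.consumers.get(p["oauth_consumer_key"])
        if consumer_secret is None:
            return 401, "invalid consumer key"
        token = p.get("oauth_token", "")
        token_secret = self.tokens.get(token) if token else ""
        if token_secret is None:
            return 401, "invalid token"
        now = int(time.time()) if now is None else now
        if not p["oauth_timestamp"].isdigit() or abs(now - int(p["oauth_timestamp"])) > self.window:
            return 401, "timestamp out of window"
        replay_key = (p["oauth_consumer_key"], token, p["oauth_timestamp"], p["oauth_nonce"])
        if replay_key in self.seen:
            return 401, "used nonce"
        base = signature_base_string(method, url, list(form_params) + list(p.items()))
        expected = hmac_sha1_signature(base, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, p["oauth_signature"]):
            return 401, "invalid signature"
        self.seen.add(replay_key)    # record the nonce only once the signature has checked out
        return 200, "ok"
```

Usage: sign_request("GET", "http://photos.example.net/photos?file=vacation.jpg&size=original", [], "dpf43f3p2l4k3l03", "kd94hf93k423kf44", "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", nonce="kllo9940pd9333jh", timestamp=1191242096) reproduces the specification's appendix signature, and a Provider holding those two secrets answers (200, "ok") once and (401, "used nonce") for the identical request a second time. The nonce is recorded only after the signature verifies, so an attacker cannot burn a victim's nonces by sending unsigned junk, and the comparison uses hmac.compare_digest so the signature check does not leak timing.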
HTTP Errors
400 Bad Request
 ‣ unsupported parameter
 ‣ unsupported signature method
 ‣ missing required parameter
 ‣ duplicate OAuth parameter
401 Unauthorized
 ‣ invalid consumer key
 ‣ invalid / expired token
 ‣ invalid signature (signature does not
   match)
 ‣ invalid / used nonce
Security considerations
‣ PLAINTEXT sends the secrets themselves, so it
  must only be used over an encrypted (SSL)
  connection
‣ Secrecy of consumer secret: a secret shipped
  inside a desktop consumer can be extracted, so
  it cannot prove which application is calling
‣ Phishing attacks: the flow trains users to log
  in on a page another site sent them to
‣ Repeat authorizations
‣ and more...
Session fixation attack

Attacker obtains a request token and gets the
victim to authorize it; the attacker then completes
the exchange and holds an access token for the
victim's account.

April 2009
http://oauth.net/advisories/2009-1
1.0a
‣ Consumer must specify oauth_callback
  (inside the signed request) during the
  request token phase; it is no longer
  passed on the authorization URL
‣ Service provider returns
  oauth_callback_confirmed=true with the
  request token, and an oauth_verifier to
  the callback after user verification
‣ oauth_verifier is required when
  exchanging the request token for an
  access token
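The four-step flow from the earlier slides and the 1.0a fix described here, as an added example (not code from the deck or from any OAuth library): a minimal in-memory service provider that issues request tokens, verifiers and access tokens, plus a replay of the advisory scenario against it showing why the attacker's exchange fails. It assumes every incoming request has already passed signature checking (see the HMAC-SHA1 example above); the ServiceProvider class, the consumer key "app-key", the user "alice" and the callback URL are constructed for this example.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class ServiceProvider:
    """Token state on the service-provider side of the 1.0a flow (this example's own model).
    Signature checks on each request are assumed to have passed already."""

    def __init__(self):
        self.request_tokens = {}   # token -> dict(consumer, secret, callback, user, verifier)
        self.access_tokens = {}    # token -> dict(consumer, secret, user)

    # Step 1: consumer asks for a request token. In 1.0a oauth_callback arrives here, inside a
    # signed request, so the consumer (not whoever later drives the browser) fixes where the
    # user will be returned to.
    def request_token(self, consumer_key, oauth_callback):
        if not oauth_callback:
            raise ValueError("oauth_callback is required in 1.0a")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = dict(consumer=consumer_key, secret=secret,
                                          callback=oauth_callback, user=None, verifier=None)
        return {"oauth_token": token, "oauth_token_secret": secret,
                "oauth_callback_confirmed": "true"}

    # Step 2: the logged-in user approves the request token in the browser. The provider mints
    # oauth_verifier and hands it out only via the redirect to the step-1 callback.
    def authorize(self, oauth_token, user):
        rt = self.request_tokens.get(oauth_token)
        if rt is None or rt["user"] is not None:
            raise PermissionError("unknown or already-authorized request token")
        rt["user"], rt["verifier"] = user, secrets.token_hex(8)
        sep = "&" if "?" in rt["callback"] else "?"
        return f"{rt['callback']}{sep}oauth_token={oauth_token}&oauth_verifier={rt['verifier']}"

    # Step 3: exchange the request token for an access token; the verifier is mandatory,
    # compared in constant time, and the request token is consumed.
    def access_token(self, consumer_key, oauth_token, oauth_verifier):
        rt = self.request_tokens.get(oauth_token)
        if rt is None or rt["consumer"] != consumer_key:
            raise PermissionError("invalid request token")
        if rt["user"] is None:
            raise PermissionError("request token not yet authorized")
        if not oauth_verifier or not secrets.compare_digest(oauth_verifier, rt["verifier"]):
            raise PermissionError("invalid verifier")
        del self.request_tokens[oauth_token]
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = dict(consumer=consumer_key, secret=secret, user=rt["user"])
        return {"oauth_token": token, "oauth_token_secret": secret}

    # Step 4: a protected-resource request resolves the access token to the user who granted it.
    def resource_owner(self, consumer_key, oauth_token):
        at = self.access_tokens.get(oauth_token)
        if at is None or at["consumer"] != consumer_key:
            raise PermissionError("invalid access token")
        return at["user"]


def query_param(redirect_url, name):
    """Read one parameter from the redirect the provider sends the user's browser to."""
    return parse_qs(urlparse(redirect_url).query)[name][0]


def honest_flow(sp, consumer_key="app-key", user="alice"):
    """All four steps driven by the consumer; the verifier reaches it through the user's browser."""
    rt = sp.request_token(consumer_key, "https://consumer.example/callback")
    redirect = sp.authorize(rt["oauth_token"], user)        # browser is sent to the callback
    verifier = query_param(redirect, "oauth_verifier")       # consumer reads it at its callback
    at = sp.access_token(consumer_key, rt["oauth_token"], verifier)
    return sp.resource_owner(consumer_key, at["oauth_token"])


def session_fixation_attempt(sp, consumer_key="app-key", victim="alice"):
    """Advisory 2009-1 replayed against a 1.0a provider: the attacker starts the flow, gets the
    victim to authorize the attacker's request token, then tries to finish the exchange without
    the verifier (which only the victim's browser received). Returns the refusal reason."""
    rt = sp.request_token(consumer_key, "https://consumer.example/callback")
    sp.authorize(rt["oauth_token"], victim)   # redirect, and the verifier, go to the victim
    reason = ""
    for guess in ("", "0000000000000000"):    # attacker has no verifier and cannot guess one
        try:
            sp.access_token(consumer_key, rt["oauth_token"], guess)
        except PermissionError as exc:
            reason = str(exc)
        else:
            return "exchange succeeded (vulnerable)"
    return reason
```

honest_flow(ServiceProvider()) returns "alice"; session_fixation_attempt(ServiceProvider()) returns "invalid verifier". Under 1.0 the same attacker could finish step 3 with just the authorized request token, which is exactly the advisory's scenario; in 1.0a the verifier travels only through the victim's browser to the callback the consumer fixed in step 1, and the request token is single-use, so the attacker is left holding a token that can never be exchanged.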
Current status

‣   1.0 final (Dec 2007)
‣   1.0a (24 June 2009)
‣   IETF draft phase
‣   2.0 coming soon!
‣   Lots of client libraries
Questions?
OEmbed

API format for converting a
URL into an embed code.


   http://oembed.com
Who is involved?
Goals

‣ Embed content from any site
‣ Standard API for embeds
‣ Support many photo/video
  providers
Embed types
‣   photo
‣   video
‣   rich
‣   link (can be used if content is not
    embeddable)
Request params
‣   URL
‣   format (XML, JSON)
‣   maxwidth
‣   maxheight
Response params
‣ type (photo, video, rich or link)
Response params
photo
‣ url (img src)
‣ width
‣ height
video / rich
‣ html (embed)
‣ width
‣ height
Response params
‣   version (always 1.0)
‣   author_name
‣   author_url
‣   provider_name
‣   provider_url
‣   cache_age
‣   thumbnail_url, thumbnail_width,
    thumbnail_height
plus any additional parameters...
YouTube
Request
  http://www.youtube.com/oembed?url=http%3A//youtube.com/watch%3Fv%3DM3r2XDceM6A&format=json

Response (html value wrapped for readability)
  {
    "version": "1.0",
    "type": "video",
    "provider_name": "YouTube",
    "provider_url": "http://youtube.com/",
    "width": 425,
    "height": 344,
    "title": "Amazing Nintendo Facts",
    "author_name": "ZackScott",
    "author_url": "http://www.youtube.com/user/ZackScott",
    "html": "<object width=\"425\" height=\"344\">
      <param name=\"movie\" value=\"http://www.youtube.com/v/M3r2XDceM6A&fs=1\"></param>
      <param name=\"allowFullScreen\" value=\"true\"></param>
      <param name=\"allowscriptaccess\" value=\"always\"></param>
      <embed src=\"http://www.youtube.com/v/M3r2XDceM6A&fs=1\"
        type=\"application/x-shockwave-flash\" width=\"425\" height=\"344\"
        allowscriptaccess=\"always\" allowfullscreen=\"true\"></embed>
      </object>"
  }
Discovery

‣ white-lists
‣ HTML head item
  <link rel="alternate" type="text/xml+oembed"
        href="http://www.youtube.com/oembed?url=http%3A//www.youtube.com/watch?v%3Di-5AMapzFWg&format=xml"
        title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
Proposed discovery

‣ HTTP HEAD requests
‣ URL templates
 e.g. url.to.resource.json
Issues

‣   trust: whose html do you inject into your
    page? (white-lists of providers, or isolate
    embeds in iFrames)
‣   discovery
‣   multiple requests (for discovery)
‣   REST-based as opposed to inline
    semantic markup
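An oEmbed consumer's handling of the response format, discovery and the trust issue above, as an added example (not the deck's code and not a reference implementation): it parses the discovery <link> tags, restricts which endpoints it will fetch, and renders a response without writing the provider's html into the page. The two allow-lists, the sandboxed-iframe choice and the sample page are this example's assumptions; the sample response is copied from the YouTube slide.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Both lists are keyed by the host of the oEmbed endpoint we fetch from, never by the
# provider_name / provider_url fields of the response, which the provider fills in itself.
FETCH_ALLOWLIST = {"www.youtube.com", "youtube.com", "www.flickr.com"}   # endpoints we will call at all
EMBED_HTML_ALLOWLIST = {"www.youtube.com", "youtube.com"}                # whose "html" we will embed
OEMBED_LINK_TYPES = {"application/json+oembed", "text/xml+oembed"}


class OEmbedLinkFinder(HTMLParser):
    """Discovery: collect <link rel="alternate" type="...+oembed" href="..."> tags from a page."""
    def __init__(self):
        super().__init__()
        self.endpoints = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if (tag == "link" and "alternate" in a.get("rel", "").lower().split()
                and a.get("type", "").lower() in OEMBED_LINK_TYPES and a.get("href")):
            self.endpoints.append((a["type"].lower(), a["href"]))


def discover(page_html):
    """Return [(type, endpoint_url), ...] advertised by the page."""
    finder = OEmbedLinkFinder()
    finder.feed(page_html)
    return finder.endpoints


def endpoint_allowed(endpoint_url):
    """Discovery hands the consumer a URL chosen by the page author; only fetch it over http(s)
    from a white-listed host, otherwise the page author gets free server-side requests from you."""
    u = urlparse(endpoint_url)
    return u.scheme in ("http", "https") and (u.hostname or "").lower() in FETCH_ALLOWLIST


def _http_url(url):
    # Reject javascript:, data: and friends before the URL lands in an attribute.
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs may be embedded")
    return html.escape(url, quote=True)


def render(response, endpoint_url, requested_url, maxwidth=None, maxheight=None):
    """Turn an oEmbed response dict into markup safe to include in the embedding page.
    Trust for the html field is decided by the endpoint host, not by anything in the response."""
    if response.get("version") != "1.0":
        raise ValueError("unsupported oEmbed version")
    host = (urlparse(endpoint_url).hostname or "").lower()
    kind = response.get("type")
    width, height = int(response.get("width") or 0), int(response.get("height") or 0)  # ints only
    if (maxwidth and width > maxwidth) or (maxheight and height > maxheight):
        raise ValueError("provider ignored maxwidth/maxheight")
    title = html.escape(str(response.get("title", "")), quote=True)
    if kind == "photo":
        return f'<img src="{_http_url(response["url"])}" width="{width}" height="{height}" alt="{title}">'
    if kind in ("video", "rich") and host in EMBED_HTML_ALLOWLIST:
        # Even a white-listed provider's markup goes into a sandboxed frame with an opaque origin
        # (no allow-same-origin) rather than straight into the embedding page's DOM.
        doc = html.escape(response["html"], quote=True)
        return (f'<iframe sandbox="allow-scripts allow-popups" width="{width}" height="{height}" '
                f'srcdoc="{doc}"></iframe>')
    # "link" type, an unknown type, or html from a provider we do not trust: degrade to a link.
    href = _http_url(requested_url)
    return f'<a href="{href}">{title or href}</a>'


# Constructed sample input, copied (and trimmed) from the YouTube response and <link> tag on the slides.
YOUTUBE_RESPONSE = {
    "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/",
    "width": 425, "height": 344, "title": "Amazing Nintendo Facts",
    "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott",
    "html": '<object width="425" height="344"><param name="movie" '
            'value="http://www.youtube.com/v/M3r2XDceM6A&fs=1"></param></object>',
}
SAMPLE_PAGE = ('<html><head><link rel="alternate" type="text/xml+oembed" '
               'href="http://www.youtube.com/oembed?url=http%3A//www.youtube.com/watch?v%3Di-5AMapzFWg&amp;format=xml" '
               'title="Drunk Ewok Moonwalks" /></head><body></body></html>')
```

render(YOUTUBE_RESPONSE, "http://www.youtube.com/oembed", "http://youtube.com/watch?v=M3r2XDceM6A") yields a sandboxed iframe; the same response obtained from an endpoint outside EMBED_HTML_ALLOWLIST degrades to a plain link, and a photo whose url is javascript: is rejected. Width and height are coerced to integers and every string the provider controls is escaped, so a provider can influence the size of the frame but not the embedding page's markup.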
Current status

‣ Supported by lots of providers!
‣ Not as many consumers
‣ Need an embed code from a URL?
Questions?

Contenu connexe

Tendances

Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerationsEoin Keary
 
Creating RESTful API’s with Grails and Spring Security
Creating RESTful API’s with Grails and Spring SecurityCreating RESTful API’s with Grails and Spring Security
Creating RESTful API’s with Grails and Spring SecurityAlvaro Sanchez-Mariscal
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfLior Rotkovitch
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
OAuth2 and IdentityServer3
OAuth2 and IdentityServer3OAuth2 and IdentityServer3
OAuth2 and IdentityServer3Paul Glavich
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 

Tendances (20)

Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
14. html 5 security considerations
14. html 5 security considerations14. html 5 security considerations
14. html 5 security considerations
 
Creating RESTful API’s with Grails and Spring Security
Creating RESTful API’s with Grails and Spring SecurityCreating RESTful API’s with Grails and Spring Security
Creating RESTful API’s with Grails and Spring Security
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
OAuth2 and IdentityServer3
OAuth2 and IdentityServer3OAuth2 and IdentityServer3
OAuth2 and IdentityServer3
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 

En vedette

Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign
 
Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...ZabGU
 
Distribuciones drupal
Distribuciones drupalDistribuciones drupal
Distribuciones drupalPedro Cambra
 
oEmbed in Drupal
oEmbed in DrupaloEmbed in Drupal
oEmbed in DrupalPure Sign
 
Handling the media
Handling the mediaHandling the media
Handling the mediaTallat Satti
 
Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Pure Sign
 
Acquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia
 

En vedette (7)

Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPI
 
Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...Рекомендательный аннотированный библиографический указатель. психологическая ...
Рекомендательный аннотированный библиографический указатель. психологическая ...
 
Distribuciones drupal
Distribuciones drupalDistribuciones drupal
Distribuciones drupal
 
oEmbed in Drupal
oEmbed in DrupaloEmbed in Drupal
oEmbed in Drupal
 
Handling the media
Handling the mediaHandling the media
Handling the media
 
Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)
 
Acquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public SectorAcquia Opensource Conference 2014 for UK Public Sector
Acquia Opensource Conference 2014 for UK Public Sector
 

Similaire à OAuth and OEmbed

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET CoreNETUserGroupBern
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop Apigee | Google Cloud
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsJeff Fontas
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 Leonard Moustacchis
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 

Similaire à OAuth and OEmbed (20)

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Api security
Api security Api security
Api security
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
 
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 

Dernier

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Dernier (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024

OAuth and OEmbed

  • 2. OAuth and OEmbed Dec 2009
  • 3. Pownce ‣ Six Apart ‣ OAuth co-author ‣ OAuth Python library ‣ OEmbed co-author
  • 4. A simple open standard for secure API authentication. http://oauth.net
  • 5. The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application”
  • 6. Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
  • 7. Just like... ‣ Flickr Auth ‣ Google’s AuthSub ‣ Yahoo’s BBAuth ‣ Facebook Auth ‣ and others...
  • 10. Goals Be Simple ‣ standard for website API authentication ‣ consistent for developers ‣ easy for end users to understand * * this is hard
  • 11. Goals Be Secure ‣ secure for end users ‣ easy to implement security features ‣ 3rd party developers don’t have access to passwords ‣ balance security with ease of use
  • 12. Goals Be Open ‣ any website can implement OAuth ‣ any 3rd party developer can use OAuth ‣ open source client libraries ‣ community-designed technical specifications
  • 13. Goals Be Flexible ‣ authentication method agnostic ‣ don’t need a username and password ‣ can use OpenID ‣ 3rd party developers don’t handle auth
  • 15. OAuth Setup ‣ Service provider gives documentation of endpoint URLs and signature method ‣ Consumer registers an application with the service provider and gets a consumer key/secret
  • 19. 1. Obtain request token. Request ‣ oauth_consumer_key ‣ oauth_signature_method ‣ oauth_signature ‣ oauth_timestamp ‣ oauth_nonce ‣ oauth_version (optional) ‣ oauth_callback. Response ‣ oauth_token ‣ oauth_token_secret ‣ oauth_callback_confirmed
  • 20. 2. User authorizes request token. Request ‣ oauth_token (optional). Response ‣ oauth_token ‣ oauth_verifier
  • 21. 2. User authorizes request token
  • 22. 3. Exchange request token for access token. Request ‣ oauth_consumer_key ‣ oauth_token ‣ oauth_signature_method ‣ oauth_signature ‣ oauth_timestamp ‣ oauth_nonce ‣ oauth_version (optional) ‣ oauth_callback ‣ oauth_verifier. Response ‣ oauth_token ‣ oauth_token_secret
  • 23. 4. Use access token to obtain protected resources. Request ‣ oauth_consumer_key ‣ oauth_token ‣ oauth_signature_method ‣ oauth_signature ‣ oauth_timestamp ‣ oauth_nonce ‣ oauth_version (optional). Response ‣ ... protected resources
  • 24. Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • 25. Where is this information passed? ‣ HTTP Authorization header ‣ HTTP POST request body (form parameters) ‣ URL query string parameters
  • 26. Timestamp and nonce oauth_timestamp ‣ seconds since Unix epoch ‣ must be greater than last request oauth_nonce ‣ “number used once” ‣ ensure unique requests
  • 27. Signature methods oauth_signature_method ‣ HMAC-SHA1 ‣ RSA-SHA1 ‣ PLAINTEXT oauth_signature ‣ string constructed based on signature method
  • 28. HTTP Errors 400 Bad Request ‣ unsupported parameter ‣ unsupported signature method ‣ missing required parameter ‣ duplicate OAuth parameter 401 Unauthorized ‣ invalid consumer key ‣ invalid / expired token ‣ invalid signature (signature does not match) ‣ invalid / used nonce
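The signing described on slides 23, 26 and 27 and the provider-side checks behind the status codes on slide 28, worked through as an added example (not code from the slides or from Leah Culver's OAuth Python library). The Provider class, its timestamp freshness window and the in-memory nonce set are assumptions about one possible implementation.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlparse

def _pct(s):   # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):   # METHOD & base URL & sorted, encoded parameters (no default-port handling)
    u = urlparse(url)
    pairs = sorted((_pct(k), _pct(v)) for k, v in list(params.items()) + parse_qsl(u.query))
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(f"{u.scheme}://{u.netloc}{u.path}"), _pct(normalised)])

def hmac_sha1(base, consumer_secret, token_secret=""):
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()   # HMAC key: both secrets, encoded and joined
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret, token="", token_secret=""):
    """Consumer side (slide 23): add the oauth_* parameters, then sign over everything."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
             "oauth_version": "1.0", **({"oauth_token": token} if token else {})}
    signed = {**params, **oauth}
    signed["oauth_signature"] = hmac_sha1(base_string(method, url, signed), consumer_secret, token_secret)
    return signed

class Provider:   # service-provider side: returns the HTTP status from slide 28 for one signed request
    REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature", "oauth_timestamp", "oauth_nonce")

    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens, self.window = consumers, tokens, window
        self.seen = set()   # (consumer_key, timestamp, nonce) triples already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        if any(k not in params for k in self.REQUIRED) or not params["oauth_timestamp"].isdigit():
            return 400   # missing or malformed required parameter
        if params["oauth_signature_method"] != "HMAC-SHA1":
            return 400   # unsupported signature method
        secret = self.consumers.get(params["oauth_consumer_key"])
        token_secret = self.tokens.get(params["oauth_token"]) if "oauth_token" in params else ""
        if secret is None or token_secret is None:
            return 401   # invalid consumer key / invalid or expired token
        if abs(now - int(params["oauth_timestamp"])) > self.window:
            return 401   # stale timestamp (a freshness window is this example's assumption)
        replay_key = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
        if replay_key in self.seen:
            return 401   # invalid / used nonce: the same request seen again
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1(base_string(method, url, unsigned), secret, token_secret)
        if not hmac.compare_digest(expected, params["oauth_signature"]):
            return 401   # invalid signature (signature does not match)
        self.seen.add(replay_key)
        return 200
```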
  • 29. Security considerations ‣ PLAINTEXT needs to be encrypted ‣ Secrecy of consumer secret (desktop consumers) ‣ Phishing attacks ‣ Repeat authorizations ‣ and more...
  • 30. Session fixation attack Attacker gets victim to authorize attacker’s request token. April 2009 http://oauth.net/advisories/2009-1
  • 31. 1.0a ‣ Consumer must specify oauth_callback during the request token phase ‣ Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ‣ oauth_verifier used when exchanging request token for access token
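The 1.0a token lifecycle (steps 1 to 3) on the service-provider side, as an added example that is not from the slides; the TokenStore class and its in-memory dicts are assumptions. It shows how the mandatory oauth_callback and the oauth_verifier address the session-fixation scenario from slide 30: an exchange attempt by a consumer that never received the verifier is refused.

```python
import secrets

class TokenStore:
    """In-memory request/access token store for one service provider (constructed example)."""
    def __init__(self):
        self.request_tokens, self.access_tokens = {}, {}

    def issue_request_token(self, consumer_key, oauth_callback):
        """Step 1: 1.0a makes oauth_callback mandatory and echoes oauth_callback_confirmed."""
        if not oauth_callback:
            return 400, None   # missing required parameter
        token, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.request_tokens[token] = {"consumer": consumer_key, "secret": secret,
                                      "callback": oauth_callback, "user": None, "verifier": None}
        return 200, {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        """Step 2: the logged-in user approves; the provider mints oauth_verifier and sends it
        to the callback confirmed in step 1 (or displays it for out-of-band consumers)."""
        rt = self.request_tokens.get(token)
        if rt is None or rt["user"] is not None:
            return 401, None   # unknown token, or already authorized (no repeat authorizations)
        rt["user"], rt["verifier"] = user, secrets.token_urlsafe(8)
        return 200, {"redirect_to": rt["callback"], "oauth_token": token, "oauth_verifier": rt["verifier"]}

    def exchange(self, consumer_key, token, oauth_verifier):
        """Step 3: swap the request token for an access token only with the matching verifier."""
        rt = self.request_tokens.get(token)
        if rt is None or rt["consumer"] != consumer_key:
            return 401, None   # invalid / expired token
        if rt["user"] is None or not oauth_verifier or not secrets.compare_digest(oauth_verifier, rt["verifier"]):
            return 401, None   # not yet authorized, or the caller never received the verifier
        del self.request_tokens[token]   # request tokens are single use
        access, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.access_tokens[access] = {"consumer": consumer_key, "secret": secret, "user": rt["user"]}
        return 200, {"oauth_token": access, "oauth_token_secret": secret}
```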
  • 32. Current status ‣ 1.0 final (Dec 2007) ‣ 1.0a (24 June 2009) ‣ IETF draft phase ‣ 2.0 coming soon! ‣ Lots of client libraries
  • 34. OEmbed API format for converting a URL into an embed code. http://oembed.com
  • 36. Goals ‣ Embed content from any site ‣ Standard API for embeds ‣ Support many photo/video providers
  • 37. Embed types ‣ photo ‣ video ‣ rich ‣ link (can be used if content is not embeddable)
  • 38. Request params ‣ URL ‣ format (XML, JSON) ‣ maxwidth ‣ maxheight
  • 39. Response params ‣ type (photo, video, rich or link)
  • 40. Response params photo ‣ url (img src) ‣ width ‣ height video / rich ‣ html (embed) ‣ width ‣ height
  • 41. Response params ‣ version (always 1.0) ‣ author_name ‣ author_url ‣ provider_name ‣ provider_url ‣ cache_age ‣ thumbnail_url, thumbnail_width, thumbnail_height
  • 42. plus any additional parameters...
  • 43. YouTube Request http://www.youtube.com/oembed?url=http%3A//youtube.com/watch%3Fv%3DM3r2XDceM6A&format=json
  • 44. Response
    {
      "version": "1.0",
      "type": "video",
      "provider_name": "YouTube",
      "provider_url": "http://youtube.com/",
      "width": 425,
      "height": 344,
      "title": "Amazing Nintendo Facts",
      "author_name": "ZackScott",
      "author_url": "http://www.youtube.com/user/ZackScott",
      "html": "<object width=\"425\" height=\"344\"><param name=\"movie\" value=\"http://www.youtube.com/v/M3r2XDceM6A&fs=1\"></param><param name=\"allowFullScreen\" value=\"true\"></param><param name=\"allowscriptaccess\" value=\"always\"></param><embed src=\"http://www.youtube.com/v/M3r2XDceM6A&fs=1\" type=\"application/x-shockwave-flash\" width=\"425\" height=\"344\" allowscriptaccess=\"always\" allowfullscreen=\"true\"></embed></object>"
    }
  • 46. Discovery ‣ white-lists ‣ HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed?url=http%3A//www.youtube.com/watch?v%3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
  • 47. Proposed discovery ‣ HTTP HEAD requests ‣ URL templates e.g. url.to.resource.json
  • 48. Issues ‣ trust (white-lists and iFrames) ‣ discovery ‣ multiple requests (for discovery) ‣ REST-based as opposed to inline semantic markup
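An added consumer-side example (not code from the slides or from oembed.com) covering discovery through the head <link> tag (slide 46), the white-list side of the trust issue (slide 48) and validation of a response against the required parameters on slides 39 to 41. The sample HTML is constructed; OEmbedLinkFinder, discover and validate_response are names chosen here.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

class OEmbedLinkFinder(HTMLParser):
    """Collects <link rel="alternate" type="...+oembed" href="..."> tags from a page."""
    def __init__(self):
        super().__init__()
        self.endpoints = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "alternate" and a.get("type", "").endswith("+oembed"):
            self.endpoints.append((a["type"], a.get("href", "")))

def discover(html, trusted_hosts):
    """Return (type, endpoint) for the first advertised endpoint on the white-list, else None."""
    finder = OEmbedLinkFinder()
    finder.feed(html)
    for typ, href in finder.endpoints:
        if urlparse(href).hostname in trusted_hosts:
            return typ, href
    return None   # a page can advertise any endpoint; only fetch from providers we trust

# required response parameters per embed type (slides 39-40); link needs nothing beyond type
REQUIRED = {"photo": ("url", "width", "height"), "video": ("html", "width", "height"),
            "rich": ("html", "width", "height"), "link": ()}

def validate_response(raw):
    """Check a JSON oembed response before rendering it; returns (ok, type_or_reason)."""
    try:
        r = json.loads(raw)
    except ValueError as e:
        return False, f"bad JSON: {e}"
    if r.get("version") != "1.0":
        return False, "version must be 1.0"
    t = r.get("type")
    if t not in REQUIRED:
        return False, f"unknown type {t!r}"
    missing = [k for k in REQUIRED[t] if k not in r]
    if missing:
        return False, "missing " + ", ".join(missing)
    for k in ("width", "height", "thumbnail_width", "thumbnail_height"):
        if k in r and not (isinstance(r[k], int) and r[k] > 0):
            return False, f"{k} must be a positive integer"
    return True, t

# constructed sample page head, modelled on the YouTube discovery tag from slide 46
SAMPLE_HTML = ('<html><head><link rel="alternate" type="text/xml+oembed" title="sample" href="http://www.youtube.com/'
               'oembed?url=http%3A//www.youtube.com/watch?v%3Di-5AMapzFWg&format=xml" /></head></html>')
```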
  • 49. Current status ‣ Supported by lots of providers! ‣ Not as many consumers ‣ Need an embed code from a URL?