SlideShare une entreprise Scribd logo

Authorization with oAuth

Vivastream
Vivastream
1  sur  43
Télécharger pour lire hors ligne
Authorization with OAuth Rob Richards October 22, 2009 cdatazone.org http://xri.net/=rob.richards
Authentication • HTTP Authentication • Basic • Digest • TLS/SSL • WS-Security • Developer Keys • 3rd Party Authentication • Yahoo BBAuth • AOL OpenAuth
OAuth An Open Protocol to allow Secure API Authorization
Oauth is not OpenID Oauth Is Like OpenID
Data Authorization Plaxo
OAuth OAuth is like a Valet Key
OAuth OAuth is like a Hotel Keycard
M as ter K ey 101 103 105 107 102 104 106 108
Gues t K ey: Granting Acces s 101 103 105 107 102 104 106 108
Gues t K ey: R evoking Acces s 101 103 105 107 102 104 106 108
M as ter K ey M aintains Full Acces s 101 103 105 107 102 104 106 108
Oauth C lients
OAuth and Netf ix l developer.netf ix.com l
Netf ix API l
Netf ix API: Us er R es ources l
Netf ix Applications ... and many more l
Obtaining a C ons umer K ey / S ecret
Obtaining a C ons umer K ey / S ecret
3-Leg g ed OAuth “The OAuth Dance”
S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token Signed Request Request Token & Secret
S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token? oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback &oauth_consumer_key=1234567890123456789012345 &oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e &oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255631744 &oauth_version=1.0
C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Frequest_token&oauth_callback%3Dhttp%253A%252F %252Fwww.example.com%252Fcallback %26oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D3eb496472d2a46ceb71d65fc1b7341ae359f932c %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp %3D1255631744%26oauth_version%3D1.0
C alculating The S ig nature • Parameters are collected, sorted and concatenated into a normalized string • Parameters in the OAuth HTTP Authorization header excluding the realm parameter. • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). • HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3) • The oauth_signature parameter MUST be excluded • Parameters are sorted by name, using lexicographical byte value ordering
C alculating The S ig nature (Authorization Header) GET /oauth/request_token HTTP/1.1 User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10) Host: api.netfix.com Accept: */* Authorization: OAuth oauth_callback="http%3A%2F %2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345& Sign Base String using algorithm specifed HMAC(1234567890123456789012345&,<Base String>) Base64 encode then URL encode result: oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
S tep 1: Obtaining a R eques t Token (R es pons e) oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_token_secret=EZ2mBk6rC2vZ &oauth_callback_confrmed=true &login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth %2Flogin
S tep 2: Us er Authentication Determined by needs of Service Provider https://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
S tep 2: Us er Authentication Determined by needs of Service Provider Callback oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
S tep 2: Us er Authentication Determined by needs of Service Provider
Oauth Trus t A Matter Of Trust
S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token Signed Request Access Token & Secret
S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a &oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255704433 &oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_verifer=abcdefg &oauth_version=1.0
C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Faccess_token&oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1255704433%26oauth_token %3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg %26oauth_version%3D1.0
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&EZ2mBk6rC2vZ Sign Base String using algorithm specifed HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>) Base64 encode then URL encode result: oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
S tep 3: Obtaining an Acces s Token (R es pons e) oauth_token=5432109876543210987654321 &user_id=123myuserid456 &oauth_token_secret=543210987654321
Acces s ing R es ources http://api.netfix.com/<path to resource> Signed Request Resource
Acces s ing R es ources http://api.netfix.com/users/123myuserid456/queues? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2 &oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255712310 &oauth_token=5432109876543210987654321 &oauth_version=1.0 &v=1.5
C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&543210987654321 Sign Base String using algorithm specifed HMAC(1234567890123456789012345&543210987654321,<Base String>) Base64 encode then URL encode result: oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
Acces s ing R es ources (R es pons e) <?xml version="1.0" standalone="yes"?> <resource> <link href="http://api.netfix.com/users/123myuserid456/queues/disc" rel="http://schemas.netfix.com/queues.disc" title="disc queue" /> <link href="http://api.netfix.com/users/123myuserid456/queues/instant" rel="http://schemas.netfix.com/queues.instant" title="instant queue" /> </resource>
Acces s ing R es ources (R es pons e)
M anag ing Acces s Tokens
2-Leg g ed OAuth • No Dance Required • Only Consumer Key and Secret required • Application making requests on its own behalf • Direct Access / No Delegation • Replacement for HTTP Basic Authentication • Sign request just as if they were requests for Request Tokens
Ques tions ? Authorization with OAuth Rob Richards http://xri.net/=rob.richards www.cdatazone.org

Recommandé

OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0G Jayendra Kartheek
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 

Recommandé

OAuth1.0
OAuth1.0OAuth1.0
OAuth1.0G Jayendra Kartheek
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthPaul Osman
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Building a Microgateway in Ballerina_KubeCon 2108
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMFernando Lopez Aguilar
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertBrecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth loveNicolas Blanco
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
HTTPS and YOU
HTTPS and YOUHTTPS and YOU
HTTPS and YOUEric Lewis
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
SF Test 008 (pdf)
SF Test 008 (pdf)SF Test 008 (pdf)
SF Test 008 (pdf)Vivastream
 
How to Best Utilize Location-Based Media for Business
How to Best Utilize Location-Based Media for BusinessHow to Best Utilize Location-Based Media for Business
How to Best Utilize Location-Based Media for BusinessVivastream
 
311382
311382311382
311382Vivastream
 
Social Media that Generates Leads and Acquires Customers
Social Media that Generates Leads and Acquires CustomersSocial Media that Generates Leads and Acquires Customers
Social Media that Generates Leads and Acquires CustomersVivastream
 

Contenu connexe

Tendances

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertBrecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 

Tendances (18)

The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Esquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdMEsquema de pasos de ejecución IdM
Esquema de pasos de ejecución IdM
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht RyckaertWordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
HTTPS and YOU
HTTPS and YOUHTTPS and YOU
HTTPS and YOU
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015
 

En vedette

SF Test 008 (pdf)
SF Test 008 (pdf)SF Test 008 (pdf)
SF Test 008 (pdf)Vivastream
 
How to Best Utilize Location-Based Media for Business
How to Best Utilize Location-Based Media for BusinessHow to Best Utilize Location-Based Media for Business
How to Best Utilize Location-Based Media for BusinessVivastream
 
Social Media that Generates Leads and Acquires Customers
Social Media that Generates Leads and Acquires CustomersSocial Media that Generates Leads and Acquires Customers
Social Media that Generates Leads and Acquires CustomersVivastream
 
The New World of Emotional Data: From Analysis to Storytelling
The New World of Emotional Data: From Analysis to StorytellingThe New World of Emotional Data: From Analysis to Storytelling
The New World of Emotional Data: From Analysis to StorytellingVivastream
 
11 Tips to Optimize Your Multichannel Marketing Campaigns
11 Tips to Optimize Your Multichannel Marketing Campaigns11 Tips to Optimize Your Multichannel Marketing Campaigns
11 Tips to Optimize Your Multichannel Marketing CampaignsVivastream
 

En vedette (6)

SF Test 008 (pdf)
SF Test 008 (pdf)SF Test 008 (pdf)
SF Test 008 (pdf)
 
How to Best Utilize Location-Based Media for Business
How to Best Utilize Location-Based Media for BusinessHow to Best Utilize Location-Based Media for Business
How to Best Utilize Location-Based Media for Business
 
311382
311382311382
311382
 
Social Media that Generates Leads and Acquires Customers
Social Media that Generates Leads and Acquires CustomersSocial Media that Generates Leads and Acquires Customers
Social Media that Generates Leads and Acquires Customers
 
The New World of Emotional Data: From Analysis to Storytelling
The New World of Emotional Data: From Analysis to StorytellingThe New World of Emotional Data: From Analysis to Storytelling
The New World of Emotional Data: From Analysis to Storytelling
 
11 Tips to Optimize Your Multichannel Marketing Campaigns
11 Tips to Optimize Your Multichannel Marketing Campaigns11 Tips to Optimize Your Multichannel Marketing Campaigns
11 Tips to Optimize Your Multichannel Marketing Campaigns
 

Similaire à Authorization with oAuth

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,apidays
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itBastian Hofmann
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesMichał Wcisło
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
 

Similaire à Authorization with oAuth (20)

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
OAuth簡介
OAuth簡介OAuth簡介
OAuth簡介
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Oauth Php App
Oauth Php AppOauth Php App
Oauth Php App
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,INTERFACE by apidays - The State of OAuth by Aaron Parecki,
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
Api security
Api security Api security
Api security
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 

Plus de Vivastream

Exchange Solutions Datasheet_Ecommerce
Exchange Solutions Datasheet_EcommerceExchange Solutions Datasheet_Ecommerce
Exchange Solutions Datasheet_EcommerceVivastream
 
Exchange Solutions Datasheet_Customer Engagement Roadmap
Exchange Solutions Datasheet_Customer Engagement RoadmapExchange Solutions Datasheet_Customer Engagement Roadmap
Exchange Solutions Datasheet_Customer Engagement RoadmapVivastream
 
Vivastream Poster
Vivastream PosterVivastream Poster
Vivastream PosterVivastream
 
Vivastream Poster
Vivastream PosterVivastream Poster
Vivastream PosterVivastream
 
Breaking Up is Hard to Do: Small Businesses’ Love Affair with Checks
Breaking Up is Hard to Do: Small Businesses’ Love Affair with ChecksBreaking Up is Hard to Do: Small Businesses’ Love Affair with Checks
Breaking Up is Hard to Do: Small Businesses’ Love Affair with ChecksVivastream
 
EY Smart Commerce Report
EY Smart Commerce ReportEY Smart Commerce Report
EY Smart Commerce ReportVivastream
 
EY Global Consumer Banking Survey 2014
EY Global Consumer Banking Survey 2014EY Global Consumer Banking Survey 2014
EY Global Consumer Banking Survey 2014Vivastream
 
EY Global Consumer Banking Survey
EY Global Consumer Banking SurveyEY Global Consumer Banking Survey
EY Global Consumer Banking SurveyVivastream
 
Automation for RDC and Mobile
Automation for RDC and MobileAutomation for RDC and Mobile
Automation for RDC and MobileVivastream
 
Healthcare Payments Automation Center
Healthcare Payments Automation CenterHealthcare Payments Automation Center
Healthcare Payments Automation CenterVivastream
 
Next Generation Recognition Solutions
Next Generation Recognition SolutionsNext Generation Recognition Solutions
Next Generation Recognition SolutionsVivastream
 
Automation Services
Automation ServicesAutomation Services
Automation ServicesVivastream
 
Company Overview
Company OverviewCompany Overview
Company OverviewVivastream
 

Plus de Vivastream (20)

Exchange Solutions Datasheet_Ecommerce
Exchange Solutions Datasheet_EcommerceExchange Solutions Datasheet_Ecommerce
Exchange Solutions Datasheet_Ecommerce
 
Exchange Solutions Datasheet_Customer Engagement Roadmap
Exchange Solutions Datasheet_Customer Engagement RoadmapExchange Solutions Datasheet_Customer Engagement Roadmap
Exchange Solutions Datasheet_Customer Engagement Roadmap
 
Test
TestTest
Test
 
Tcap
TcapTcap
Tcap
 
SQA
SQASQA
SQA
 
Jeeva jessf
Jeeva jessfJeeva jessf
Jeeva jessf
 
Vivastream Poster
Vivastream PosterVivastream Poster
Vivastream Poster
 
Vivastream Poster
Vivastream PosterVivastream Poster
Vivastream Poster
 
APEX
APEXAPEX
APEX
 
Breaking Up is Hard to Do: Small Businesses’ Love Affair with Checks
Breaking Up is Hard to Do: Small Businesses’ Love Affair with ChecksBreaking Up is Hard to Do: Small Businesses’ Love Affair with Checks
Breaking Up is Hard to Do: Small Businesses’ Love Affair with Checks
 
EY Smart Commerce Report
EY Smart Commerce ReportEY Smart Commerce Report
EY Smart Commerce Report
 
EY Global Consumer Banking Survey 2014
EY Global Consumer Banking Survey 2014EY Global Consumer Banking Survey 2014
EY Global Consumer Banking Survey 2014
 
EY Global Consumer Banking Survey
EY Global Consumer Banking SurveyEY Global Consumer Banking Survey
EY Global Consumer Banking Survey
 
Serano
SeranoSerano
Serano
 
Accura XV
Accura XVAccura XV
Accura XV
 
Automation for RDC and Mobile
Automation for RDC and MobileAutomation for RDC and Mobile
Automation for RDC and Mobile
 
Healthcare Payments Automation Center
Healthcare Payments Automation CenterHealthcare Payments Automation Center
Healthcare Payments Automation Center
 
Next Generation Recognition Solutions
Next Generation Recognition SolutionsNext Generation Recognition Solutions
Next Generation Recognition Solutions
 
Automation Services
Automation ServicesAutomation Services
Automation Services
 
Company Overview
Company OverviewCompany Overview
Company Overview
 

Authorization with oAuth

  • 1. Authorization with OAuth Rob Richards October 22, 2009 cdatazone.org http://xri.net/=rob.richards
  • 2. Authentication • HTTP Authentication • Basic • Digest • TLS/SSL • WS-Security • Developer Keys • 3rd Party Authentication • Yahoo BBAuth • AOL OpenAuth
  • 3. OAuth An Open Protocol to allow Secure API Authorization
  • 4. Oauth is not OpenID Oauth Is Like OpenID
  • 6. OAuth OAuth is like a Valet Key
  • 7. OAuth OAuth is like a Hotel Keycard
  • 8. M as ter K ey 101 103 105 107 102 104 106 108
  • 9. Gues t K ey: Granting Acces s 101 103 105 107 102 104 106 108
  • 10. Gues t K ey: R evoking Acces s 101 103 105 107 102 104 106 108
  • 11. M as ter K ey M aintains Full Acces s 101 103 105 107 102 104 106 108
  • 13. OAuth and Netf ix l developer.netf ix.com l
  • 15. Netf ix API: Us er R es ources l
  • 16. Netf ix Applications ... and many more l
  • 17. Obtaining a C ons umer K ey / S ecret
  • 18. Obtaining a C ons umer K ey / S ecret
  • 19. 3-Leg g ed OAuth “The OAuth Dance”
  • 20. S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token Signed Request Request Token & Secret
  • 21. S tep 1: Obtaining a R eques t Token http://api.netfix.com/oauth/request_token? oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback &oauth_consumer_key=1234567890123456789012345 &oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e &oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255631744 &oauth_version=1.0
  • 22. C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Frequest_token&oauth_callback%3Dhttp%253A%252F %252Fwww.example.com%252Fcallback %26oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D3eb496472d2a46ceb71d65fc1b7341ae359f932c %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp %3D1255631744%26oauth_version%3D1.0
  • 23. C alculating The S ig nature • Parameters are collected, sorted and concatenated into a normalized string • Parameters in the OAuth HTTP Authorization header excluding the realm parameter. • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). • HTTP GET parameters added to the URLs in the query part (as defned by [RFC3986] section 3) • The oauth_signature parameter MUST be excluded • Parameters are sorted by name, using lexicographical byte value ordering
  • 24. C alculating The S ig nature (Authorization Header) GET /oauth/request_token HTTP/1.1 User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10) Host: api.netfix.com Accept: */* Authorization: OAuth oauth_callback="http%3A%2F %2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
  • 25. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345& Sign Base String using algorithm specifed HMAC(1234567890123456789012345&,<Base String>) Base64 encode then URL encode result: oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
  • 26. S tep 1: Obtaining a R eques t Token (R es pons e) oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_token_secret=EZ2mBk6rC2vZ &oauth_callback_confrmed=true &login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth %2Flogin
  • 27. S tep 2: Us er Authentication Determined by needs of Service Provider https://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
  • 28. S tep 2: Us er Authentication Determined by needs of Service Provider Callback oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
  • 29. S tep 2: Us er Authentication Determined by needs of Service Provider
  • 30. Oauth Trus t A Matter Of Trust
  • 31. S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token Signed Request Access Token & Secret
  • 32. S tep 3: Obtaining an Acces s Token http://api.netfix.com/oauth/access_token? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a &oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255704433 &oauth_token=bqba9rku48yacfatjxjw3fkc &oauth_verifer=abcdefg &oauth_version=1.0
  • 33. C alculating The S ig nature Calculate Base String <HTTP method>&<canonicalized URL path>&<parameters> GET&http%3A%2F%2Fapi.netfix.com%2Foauth %2Faccess_token&oauth_consumer_key %3D1234567890123456789012345%26oauth_nonce %3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a %26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1255704433%26oauth_token %3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg %26oauth_version%3D1.0
  • 34. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&EZ2mBk6rC2vZ Sign Base String using algorithm specifed HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>) Base64 encode then URL encode result: oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
  • 35. S tep 3: Obtaining an Acces s Token (R es pons e) oauth_token=5432109876543210987654321 &user_id=123myuserid456 &oauth_token_secret=543210987654321
  • 36. Acces s ing R es ources http://api.netfix.com/<path to resource> Signed Request Resource
  • 37. Acces s ing R es ources http://api.netfix.com/users/123myuserid456/queues? oauth_consumer_key=1234567890123456789012345 &oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2 &oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1255712310 &oauth_token=5432109876543210987654321 &oauth_version=1.0 &v=1.5
  • 38. C alculating The S ig nature Create Secret <consumer secret>&<token secret> 1234567890123456789012345&543210987654321 Sign Base String using algorithm specifed HMAC(1234567890123456789012345&543210987654321,<Base String>) Base64 encode then URL encode result: oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
  • 39. Acces s ing R es ources (R es pons e) <?xml version="1.0" standalone="yes"?> <resource> <link href="http://api.netfix.com/users/123myuserid456/queues/disc" rel="http://schemas.netfix.com/queues.disc" title="disc queue" /> <link href="http://api.netfix.com/users/123myuserid456/queues/instant" rel="http://schemas.netfix.com/queues.instant" title="instant queue" /> </resource>
  • 40. Acces s ing R es ources (R es pons e)
  • 41. M anag ing Acces s Tokens
  • 42. 2-Leg g ed OAuth • No Dance Required • Only Consumer Key and Secret required • Application making requests on its own behalf • Direct Access / No Delegation • Replacement for HTTP Basic Authentication • Sign request just as if they were requests for Request Tokens
  • 43. Ques tions ? Authorization with OAuth Rob Richards http://xri.net/=rob.richards www.cdatazone.org