SlideShare une entreprise Scribd logo

OAuth簡介

F
firestoke

OAuth protocol, a security mechanism for different web sites to retrieve data.

Technologie
1  sur  12
Télécharger pour lire hors ligne
OAuth Protocol 簡介 by david
目的 ➲ An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. ➲ 為了提供讓第三方軟體取得網路服務的被保護使用者資料 ➲ 共同公開標準的 API 取得授權流程 User Consumer Service Provider
取得授權流程
OAuth App Sample: Twitter
如何產生認證簽署 (Signature) ➲ HMAC-SHA1 ● var sig = b64_hmac_sha1(key, baseString); ● RFC2104 ➲ RSA-SHA1 ● RFC3447 section 8.2 ➲ PLAINTEXT ● 建議只有在 SSL 加密時才使用
Signature Key via HMAC-SHA1 ➲ Format: ● [consumer secret]&[token secret] ● token secret 即使是空值, & 符號仍然要保留 ➲ Example: ● 8vHfFq5mPB46AUjO7PtWGgFJcpAI1VfEyNA5F6Hh&
Signature Base String via HMAC- SHA1 ➲ Format: ● [http method]&[request url]&[request parameter string] ● request query string 必須要照字母排序 ● request url 及 request parameter string 都必須經過編碼 (javascript: encodeURIComponent) ➲ Request Parameter String Example: ● oauth_consumer_key=5rxRZZUSI2T00KIyLIMQAA &oauth_nonce=2998391270622 &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1267410026 &oath_version=1.0 ➲ Example: ● GET&http%3A%2F%2Ftwitter.com%2Foauth %2Frequest_token&oauth_consumer_key %3D5rxRZZUSI2T00KIyLIMQAA%26oauth_nonce %3D2998391270622%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1267410026%26oauth_version %3D1.0
OAuth Requset Example (request token) ➲ Authorization: OAuth oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTS MK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
Demo http://localhost/prototype/test_oauth.jsp
OAuth Authorize Page: Twitter http://twitter.com/oauth/authorize/? oauth_token=[received token value]
參考資料 ➲ OAuth 1.0 Spec - http://oauth.net/core/1.0/ ➲ OAuth Library - http://oauth.net/code/ ● Java ● Javascript ● PHP ● Ruby ● ... ➲ MHAC-SHA1 [RFC2104] http://tools.ietf.org/html/rfc2104
Thank You!

Recommandé

REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017
Cloud Native Day Tel Aviv
 
Rest is bad
Rest is badRest is bad
Rest is bad
Kfir Bloch
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Proxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trendsProxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trends
Proxies Rent
 
對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談
Jerry
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Paul Osman
 
Engage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data CollectionEngage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data Collection
Webtrends
 
Android webservices
Android webservicesAndroid webservices
Android webservices
Krazy Koder
 

Recommandé

REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017REST is bad - Kfir Bloch - OpenStack Day Israel 2017
REST is bad - Kfir Bloch - OpenStack Day Israel 2017
Cloud Native Day Tel Aviv
 
Rest is bad
Rest is badRest is bad
Rest is bad
Kfir Bloch
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Proxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trendsProxy : effective logs for tracking down usage trends
Proxy : effective logs for tracking down usage trends
Proxies Rent
 
對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談
Jerry
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Paul Osman
 
Engage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data CollectionEngage 2013 - Multi Channel Data Collection
Engage 2013 - Multi Channel Data Collection
Webtrends
 
Android webservices
Android webservicesAndroid webservices
Android webservices
Krazy Koder
 
02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebert
geeksec80
 
Django and Nginx reverse proxy cache
Django and Nginx reverse proxy cacheDjango and Nginx reverse proxy cache
Django and Nginx reverse proxy cache
Anton Pirker
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Anex....,,,.
Anex....,,,.Anex....,,,.
Anex....,,,.
Carlos Catanejo
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
sullis
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net application
codeandyou forums
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Phishsense
PhishsensePhishsense
Phishsense
Lorenzo Eccher
 
Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?
VMware Tanzu
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
Aman Singh
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitch
Lior Rotkovitch
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear
DesBear Li
 
SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談
tsunghaolee
 
CSS架構如何加速功能開發
CSS架構如何加速功能開發CSS架構如何加速功能開發
CSS架構如何加速功能開發
Oliver Lin
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
Wim Godden
 
Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思
Adam Wang
 
淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2
Wen-Tien Chang
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 

Contenu connexe

Tendances

02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebert
geeksec80
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 

Tendances (15)

02 banking trojans-thomassiebert
02 banking trojans-thomassiebert02 banking trojans-thomassiebert
02 banking trojans-thomassiebert
 
Django and Nginx reverse proxy cache
Django and Nginx reverse proxy cacheDjango and Nginx reverse proxy cache
Django and Nginx reverse proxy cache
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
Anex....,,,.
Anex....,,,.Anex....,,,.
Anex....,,,.
 
Connecting to Web Services on Android
Connecting to Web Services on AndroidConnecting to Web Services on Android
Connecting to Web Services on Android
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net application
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
Phishsense
PhishsensePhishsense
Phishsense
 
Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?Ignite Talk: I AM a robot, how do I log in?
Ignite Talk: I AM a robot, how do I log in?
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitch
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 

En vedette

GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear
DesBear Li
 

En vedette (6)

GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear GSS FED 別亂來交給我們來 Bear
GSS FED 別亂來交給我們來 Bear
 
SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談SiteTag 系統窮人調校法經驗談
SiteTag 系統窮人調校法經驗談
 
CSS架構如何加速功能開發
CSS架構如何加速功能開發CSS架構如何加速功能開發
CSS架構如何加速功能開發
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思Pinkoi 與 RWD @RGBA 構思
Pinkoi 與 RWD @RGBA 構思
 
淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2淺談 Startup 公司的軟體開發流程 v2
淺談 Startup 公司的軟體開發流程 v2
 

Similaire à OAuth簡介

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
vivaqa
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
Aaron Parecki
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
Aaron Parecki
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
WSO2
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
 

Similaire à OAuth簡介 (20)

Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
OAuth2 Authentication
OAuth2 AuthenticationOAuth2 Authentication
OAuth2 Authentication
 
Pushed Authorization Requests
Pushed Authorization RequestsPushed Authorization Requests
Pushed Authorization Requests
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 

Dernier

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Dernier (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

OAuth簡介

  • 2. 目的 ➲ An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. ➲ 為了提供讓第三方軟體取得網路服務的被保護使用者資料 ➲ 共同公開標準的 API 取得授權流程 User Consumer Service Provider
  • 5. 如何產生認證簽署 (Signature) ➲ HMAC-SHA1 ● var sig = b64_hmac_sha1(key, baseString); ● RFC2104 ➲ RSA-SHA1 ● RFC3447 section 8.2 ➲ PLAINTEXT ● 建議只有在 SSL 加密時才使用
  • 6. Signature Key via HMAC-SHA1 ➲ Format: ● [consumer secret]&[token secret] ● token secret 即使是空值, & 符號仍然要保留 ➲ Example: ● 8vHfFq5mPB46AUjO7PtWGgFJcpAI1VfEyNA5F6Hh&
  • 7. Signature Base String via HMAC- SHA1 ➲ Format: ● [http method]&[request url]&[request parameter string] ● request query string 必須要照字母排序 ● request url 及 request parameter string 都必須經過編碼 (javascript: encodeURIComponent) ➲ Request Parameter String Example: ● oauth_consumer_key=5rxRZZUSI2T00KIyLIMQAA &oauth_nonce=2998391270622 &oauth_signature_method=HMAC-SHA1 &oauth_timestamp=1267410026 &oath_version=1.0 ➲ Example: ● GET&http%3A%2F%2Ftwitter.com%2Foauth %2Frequest_token&oauth_consumer_key %3D5rxRZZUSI2T00KIyLIMQAA%26oauth_nonce %3D2998391270622%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1267410026%26oauth_version %3D1.0
  • 8. OAuth Requset Example (request token) ➲ Authorization: OAuth oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTS MK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
  • 10. OAuth Authorize Page: Twitter http://twitter.com/oauth/authorize/? oauth_token=[received token value]
  • 11. 參考資料 ➲ OAuth 1.0 Spec - http://oauth.net/core/1.0/ ➲ OAuth Library - http://oauth.net/code/ ● Java ● Javascript ● PHP ● Ruby ● ... ➲ MHAC-SHA1 [RFC2104] http://tools.ietf.org/html/rfc2104