OAuth1.0

1. Token: Unique Identifier issued by server

2. CallBack Uri: Url to which the page is redirected after authentication or
Authorization

3. Oauth_token : Temporary credentials identifier

4. Oauth_token_secret : Temporary Credentials shared secret

5. Oauth_verifier: The verification code received from the server in the
previous step.

6. Oauth_callback_confirmed: It must be present and set value true. This
parameter is used to differentiate from previous versions of protocol

7. http/1.1 200 : STATUS OK and returns true – refer document (page no 10 )

 Oauth provides 2 sets of credentials

1. To verify client.

2. To verify resource Owner.

 Before client making request on behalf of resource owner client must
have Authentication Token.

 Client details are in the form of unique identifier and associated with
Shared secret or RSA key pair

 Authentication requests include many protocol parameters each start with
“auth_” as prefix and names are case sensitive

 Clients make authenticated requests by calculating the values of a set of
protocol parameters and adding them to the HTTP request as follows:

1. Client assigns values to each of the following parameters:
1. Oauth_consumer_key

2. Oauth_token

3. Oauth_signature_method

4. Oauth_timestamp

5. Oauth_nonce

6. Oauth_version

2. Parameter is not repeated again.

3. Client assigns values of the oauth_signature.

4. Client sends authenticated http request toe the server.

Oauth_signature: oauth provides 3 methods to client to verify the
ownership

 Server validate the Following:
1. Recalculate the signature independently and comparing the value received
from client via Oauth_signature parameter.
2. Based on (HMAC-SHA1,RSA-SHA1) methods ensuring that the combination
of nonce/timestamp/token received from client are not used before
(previous request).
3. If token is present we verify the Scope and state of authorization
4. If Oauth_version is present we see that the value is 1.0
If the request fails server should respond with appropriate http response code

1. 200 - success

2. 400 – bad request

3. 403 - unauthorized

 Nonce : Random string helps client to verify that requests are not made
before. This is used to prevent from replay attacks
◦ Must be unique with Timestamp+client credentials+token
credentials

 Signature : OAuth-authenticated requests can have two sets of
credentials:
1. those passed via the "oauth_consumer_key" parameter
2. those in the "oauth_token" parameter.
In order for the server to verify the authenticity of the request and
prevent unauthorized access, the client needs to prove that it is the
rightful owner of the credentials.

 Signature Methods: Oauth provides 3 methods for client to prove the owner
ship

1. HMAC-SHA1

2. RSA-SHA1 (USES RSA KEY INSTEAD OF SHARED KEY)

3. PLAIN TEXT (DOESN‟T INVOLVE A SIGNATURE)

 Signature Base String : It is a consistent, reproducible concatenation of
several of the HTTP request elements into a single string.

 The string is used as an input to the “HMAC-SHA1” and “RSA-SHA1” signature
methods. More information (page no : 19)

 String Construction : page no 19 – 3.4.1.1

 Base String Uri : Page no 20 – 3.4.1.2.

 The Parameters collected in the previous steps are collected and
concatenated in to a single string using Following steps
1. Name and value of each parameter is encoded
2. Parameters are sorted by name using byte value ordering (if 2 or more
have the same name then they are sorted using values)
3. Name is concatenated to its value using “=” character as separator
4. Sorted Name and value concatenated using ”&” character as separator

 Protocol Parameters are included in header can be transmitted using http
authorization header with auth scheme name set to Oauth

 Parameters are included as Follows:
1. Names and values are encoded per parameter
2. Each parameter is immediately followed by “=” and between „”‟
character
3. Parameters are separated by „,‟
4. Optional Parameter „Realm‟ may be included

 Conditions are required to meet transmit protocol parameters in http-
request if the following Conditions are met

1. The entity-body is single-part.

2. The entity-body follows the encoding requirements of the
"application/x-www-form-urlencoded"

3. The HTTP request entity-header includes the "Content-Type" header
field set to "application/x-www-form-urlencoded".

1. Algorithm is defined as

Digest = HMAC-SHA1(key,text)
Text: Is set to value of signature base string
Key: Concatenate values of

1. Client shared secret after encoding

2. „&‟ character must be included in secret

3. Token shared secret after encoded

Digest: Set the value of Oauth-sign protocol after result octet is base 64

 Signature method uses RSASSA-PKCS1-V1_5 signature algorithm using
SHA1 as hash function for EMSA-PCKS1-V1_5.

 To use this client must have established client credentials with server that
included RSA public Key

S = RSASSA-PKCS1_V1_5-sign(K,M)

K : is set to client‟s RSA private key.

M: is set to the value of base string

S: result signature method to set value of Oauth- protocol parameter
after result octet is base 64

 Server Verifies signature per

RSASSA-PCK1-V1_5-VERIFY((n,e),M,S)

(n,e) set to client‟s public key

M is set to value of signature base string

S is set to octet string value of Oauth-signature protocol
parameter received from client

 This Algorithm doesn‟t employ signature algorithm.

 It must be used with Transport Layer Mechanism using TLS,SSL

 Doesn‟t uses Oauth_timestamps , Oauth_nonce

 Oauth protocol is set to concatenated value of

1. Client-shred secret after encoding

2. “&” character must be included

3. Token shared after being encoded

 The OAuth 1.0 Protocol – by E. Hammer-Lahav, Ed. ISSN: 2070-1721

 Oauth community Site - http://oauth.net/

 book can be downloaded at - http://tools.ietf.org/html/rfc5849

OAuth1.0

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (19)

Similaire à OAuth1.0

Similaire à OAuth1.0 (20)

Dernier

Dernier (20)

OAuth1.0