API authorization with OAuth

Bastian Hofmann

October 17, 2012
Transcript

  1. API authorization with OAuth
    @BastianHofmann

  2. http://oauth.net/

  3. API

  7. ResearchGate gives science back to the people who make it happen.
    We help researchers build reputation and accelerate scientific progress.
    On their terms.

  15. Questions? Ask!

  16. http://speakerdeck.com/u/bastianhofmann

  17. http://oauth.net/

  18. http://tools.ietf.org/html/rfc5849

  19. lanyrd.com / twitter.com
    Pre-registration of the client (lanyrd.com) at Twitter:
    - Shared Consumer Key
    - Shared Consumer Secret

  20. User -> lanyrd.com: HTTP POST "Connect with Twitter"

  21. lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Redirect URI,
    Signature (Consumer Secret)

  22. twitter.com -> lanyrd.com: Request Token, Request Token Secret

  23. HTTP Redirect to http://twitter.com/authorize?requestToken=...

  24. HTTP GET twitter.com/authorize

  25. Login at twitter.com/authorize

  26. Grant permission at twitter.com/authorize: Twitter creates a verifier and
    binds it to the User and the Request Token

  27. HTTP Redirect to Redirect URI?verifier=...&requestToken=...

  28. HTTP GET lanyrd.com (RedirectURI?verifier=...)

  29. lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Request Token, Verifier,
    Signature (Consumer & Request Token Secret)

  30. twitter.com -> lanyrd.com: Access Token, Access Token Secret

  31. lanyrd.com -> twitter.com: HTTP GET API Request with Consumer Key, Access Token,
    Signature (Consumer & Access Token Secret)

  32. POST /oauth/request_token HTTP/1.1
    Host: api.twitter.com
    Authorization: OAuth
      oauth_consumer_key="abcdef",
      oauth_signature_method="HMAC-SHA1",
      oauth_timestamp="137131200",
      oauth_nonce="gggg",
      oauth_callback="http%3A%2F%2Fexample.com%2Fcallback",
      oauth_signature="..."

  33. HTTP/1.1 200 OK
    Content-Type: application/x-www-form-urlencoded

    oauth_token=defghi&oauth_token_secret=jklmnop&oauth_callback_confirmed=true

  34. HTTP/1.1 302 Found
    Location: https://api.twitter.com/oauth/authorization?oauth_token=defghi

  35. HTTP/1.1 302 Found
    Location: http://example.com/callback?oauth_token=defghi&oauth_verifier=qrstuvw

  36. POST /oauth/access_token HTTP/1.1
    Host: api.twitter.com
    Authorization: OAuth
      oauth_consumer_key="abcdef",
      oauth_token="defghi",
      oauth_signature_method="HMAC-SHA1",
      oauth_timestamp="137131201",
      oauth_nonce="hhhhh",
      oauth_verifier="qrstuvw",
      oauth_signature="..."

  37. HTTP/1.1 200 OK
    Content-Type: application/x-www-form-urlencoded

    oauth_token=xzyabc&oauth_token_secret=defghijk

  38. POST /1/statuses/update.json HTTP/1.1
    Host: api.twitter.com
    Authorization: OAuth
      oauth_consumer_key="abcdef",
      oauth_token="xzyabc",
      oauth_signature_method="HMAC-SHA1",
      oauth_timestamp="137131203",
      oauth_nonce="iiiiiii",
      oauth_signature="..."

    status=New%20Tweet&trim_user=true&include_entities=true

  39. Signatures

  40. GET /photos/vacation.jpg?oauth_consumer_key=123&oauth_nonce=456&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1191242096&oauth_token=789&oauth_version=1.0 HTTP/1.1
    Host: photos.example.net

  41. Signature base string for the request above:
    GET&http%3A%2F%2Fphotos.example.net%2Fphotos%2Fvacation.jpg&oauth_consumer_key%3D123%26oauth_nonce%3D456%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3D789%26oauth_version%3D1.0

  42. PLAINTEXT

  43. HMAC-SHA1
    Salt (the HMAC key): consumerSecret(&tokenSecret)

  44. RSA-SHA1
    Public/Private Key

  45. Problems
    Does not work well with non-web or JavaScript-based clients
    The "Invalid Signature" problem
    Complicated flow, many requests

  46. How to fix it?

  47. http://oauth.net/

  48. 31 drafts ...

  49. ...now final!

  50. http://www.rfc-editor.org/rfc/rfc6749.txt

  51. http://www.rfc-editor.org/rfc/rfc6750.txt

  52. http://tools.ietf.org/html/draft-ietf-oauth-v2
    What's new in OAuth2? (Draft 10)
    Different client profiles
    No signatures
    No token secrets
    Cookie-like bearer token
    No request tokens
    Much more flexible regarding extensions
    Mandatory TLS/SSL

  53. http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
    "It is the biggest professional disappointment of my career."
    Eran Hammer

  54. http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
    "OAuth 2 is useful today."
    Tim Bray

  55. Web-Server Profile

  56. lanyrd.com / twitter.com
    Pre-registration of the client (lanyrd.com) at Twitter:
    - Shared Client ID
    - Shared Client Secret
    - Redirect URI

  57. User -> lanyrd.com: HTTP(S) POST "Connect with Twitter"

  58. HTTPS Redirect to http://twitter.com/authorize?&clientId=...

  59. HTTPS GET twitter.com/authorize

  60. Login at twitter.com/authorize

  61. Grant permission at twitter.com/authorize: Twitter creates an authorization code
    and binds it to the User and the Client ID

  62. HTTPS Redirect to Redirect URI?authorizationCode=...

  63. HTTPS GET lanyrd.com (RedirectURI?authorizationCode=...)

  64. lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Authorization Code,
    Consumer Secret

  65. twitter.com -> lanyrd.com: Access Token (Refresh Token)

  66. lanyrd.com -> twitter.com: HTTPS API Request with Access Token

  67. lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Refresh Token,
    Consumer Secret

  68. twitter.com -> lanyrd.com: Access Token, Refresh Token

  69. lanyrd.com -> twitter.com: API Request with Access Token

  70. HTTP/1.1 302 Found
    Location: https://api.twitter.com/oauth2/authorize?response_type=code&client_id=abcdefg&state=xyz&scope=write

  71. HTTP/1.1 302 Found
    Location: https://example.com/callback?code=ghijkl&state=xyz

  72. POST /oauth2/token HTTP/1.1
    Host: api.twitter.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    grant_type=authorization_code&code=ghijkl&client_id=12345&client_secret=7890

  73. POST /oauth2/token HTTP/1.1
    Host: api.twitter.com
    Authorization: Basic mnopqrs
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    grant_type=authorization_code&code=ghijkl

  74. HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8

    {
      "access_token": "jklmno",
      "expires_in": 3600,
      "refresh_token": "qrstuvq",
      "token_type": "bearer"
    }

  75. GET /1/statuses/home_timeline HTTP/1.1
    Host: api.twitter.com
    Authorization: Bearer jklmno

  76. Refresh Token

  77. POST /oauth2/token HTTP/1.1
    Host: api.twitter.com
    Authorization: Basic mnopqrs
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8

    grant_type=refresh_token&refresh_token=qrstuvq

  78. Authorization Types

  79. Bearer Tokens

  80. http://www.rfc-editor.org/rfc/rfc6750.txt

  81. GET /1/statuses/home_timeline HTTP/1.1
    Host: api.twitter.com
    Authorization: Bearer jklmno

  82. SSL not possible?

  83. Signatures

  84. http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac

  85. HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8

    {
      "access_token": "jklmno",
      "token_type": "mac",
      "expires_in": 3600,
      "refresh_token": "qrstuvq",
      "mac_key": "adijq39jdlaska9asud",
      "mac_algorithm": "hmac-sha-1"
    }

  86. GET /1/statuses/home_timeline HTTP/1.1
    Host: api.twitter.com
    Authorization: MAC id="jklmno",
      nonce="274312:dj83hs",
      mac="....."

  87. Normalized request string (the input to the MAC):
    timestamp\n
    nonce\n
    HTTP_METHOD\n
    HTTP Request URI\n
    Hostname\n
    Port\n
    (Authorization extension)

  88. And JavaScript?

  89. User-Agent Profile

  90. lanyrd.com: open popup http://twitter.com/authorize?&clientId=...

  91. Popup: HTTPS GET twitter.com/authorize

  92. Popup: Login at twitter.com/authorize

  93. Popup: Grant permission at twitter.com/authorize

  94. HTTPS Redirect to RedirectURI#accessToken (lanyrd.com)

  95. lanyrd.com (RedirectURI#accessToken):
    Parse Access Token from Fragment
    Send it to opening window
    Close popup

  96. Same Origin Policy

  97. lanyrd.com -> twitter.com: HTTPS Ajax Request to API with Access Token

  98. Same Origin Policy

  100. JSONP

  101. Cross-Origin Resource Sharing (CORS)

  102. Client (lanyrd.com) -> Backend (api.twitter.com): AJAX
    Response header: Access-Control-Allow-Origin: *
    http://www.w3.org/TR/cors/

  103. GET /oauth2/authorize?response_type=token&client_id=abcdefg&state=xyz&scope=write HTTP/1.1
    Host: api.twitter.com

  104. HTTP/1.1 302 Found
    Location: http://example.com/callback#access_token=gahorha&state=xyz&expires_in=3600&token_type=bearer

  105. Popup callback page (JavaScript):

    // The popup landed on RedirectURI#access_token=...; the fragment is never sent
    // to the server, so it is parsed in the browser.
    var fragmentString = location.hash.substr(1);
    var fragment = {};
    var fragmentItemStrings = fragmentString.split('&');
    for (var i = 0; i < fragmentItemStrings.length; i++) {
      var fragmentItem = fragmentItemStrings[i].split('=');
      if (fragmentItem.length !== 2) {
        continue;  // ignore malformed items
      }
      fragment[decodeURIComponent(fragmentItem[0])] =
        decodeURIComponent(fragmentItem[1]);
    }
    // Hand the token to the window that opened the popup, then close the popup
    opener.setAccessToken(fragment['access_token']);
    window.close();

  106. State
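Added example (not the deck's code) for the fragment parsing and the State slide: a parser that decodes each fragment item and a check that accepts the token only when the state echoed back matches the value the client generated before opening the popup, and only for the token_type it expects. The sample fragment is the one from the 302 response on slide 104, constructed here; acceptImplicitResponse and its expectedState argument are names assumed for this example.

```javascript
// Added example (not from the deck): parse the implicit-grant fragment and check
// state before trusting the access token it carries.
function parseFragment(hash) {
  const result = {};
  const fragmentString = hash.charAt(0) === '#' ? hash.slice(1) : hash;
  fragmentString.split('&').forEach(item => {
    const idx = item.indexOf('=');
    if (idx < 1) return;                       // skip malformed items such as "" or "=x"
    const key = decodeURIComponent(item.slice(0, idx));
    const value = decodeURIComponent(item.slice(idx + 1));
    if (!(key in result)) result[key] = value; // first occurrence wins; duplicates are suspect
  });
  return result;
}

// expectedState is the random value the client stored (e.g. in sessionStorage)
// before opening the popup. A mismatch means this response was not triggered by
// the client's own authorize request, so the token must not be accepted.
function acceptImplicitResponse(hash, expectedState) {
  const f = parseFragment(hash);
  if (f.error) return { ok: false, reason: 'provider error: ' + f.error };
  if (!expectedState || f.state !== expectedState) return { ok: false, reason: 'state mismatch' };
  if ((f.token_type || '').toLowerCase() !== 'bearer') return { ok: false, reason: 'unexpected token_type' };
  if (!f.access_token) return { ok: false, reason: 'no access_token' };
  return { ok: true, accessToken: f.access_token, expiresIn: Number(f.expires_in) || null };
}

// Constructed: the fragment from the deck's 302 response (slide 104)
const sampleFragment = '#access_token=gahorha&state=xyz&expires_in=3600&token_type=bearer';
```

In the popup page, the return value replaces the bare opener.setAccessToken(...) call: only an ok result hands the token to the opener.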

  107. Scopes
    Optional parameter for provider-specific implementations
    Additional return values
    Access control

  108. http://openidconnect.com/
    Scope: "openid"
    With the access token, additional values are returned:
    UserID: URL to Portable Contacts endpoint
    Timestamp
    Signature

  109. Mobile/Desktop

  110. http://twitter.com/BastianHofmann
    https://profiles.google.com/bashofmann
    http://lanyrd.com/people/BastianHofmann/
    http://speakerdeck.com/u/bastianhofmann
    [email protected]
    Did you like this talk?
    https://joind.in/7360