Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
API Authorization with OAuth2
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Bastian Hofmann
April 18, 2012
Technology
4
770
API Authorization with OAuth2
How it works and how to use it
Bastian Hofmann
April 18, 2012
Tweet
Share
More Decks by Bastian Hofmann
See All by Bastian Hofmann
Monitoring in Kubernetes with Prometheus and Grafana
bastianhofmann
0
340
Creating a fast Kubernetes Development Workflow
bastianhofmann
0
130
Highly available cross-region deployments with Kubernetes
bastianhofmann
1
150
From source to Kubernetes in 30 minutes
bastianhofmann
0
170
Introduction to Kubernetes
bastianhofmann
1
140
CI/CD with Kubernetes
bastianhofmann
0
210
Creating a fast Kubernetes Development Workflow
bastianhofmann
1
270
Deploying your first Micro-Service application to Kubernetes
bastianhofmann
2
180
Creating a fast Kubernetes Development Workflow
bastianhofmann
0
240
Other Decks in Technology
See All in Technology
使いにくいの壁を突破する
sansantech
PRO
1
110
セキュリティについて学ぶ会 / 2026 01 25 Takamatsu WordPress Meetup
rocketmartue
1
280
Mosaic AI Gatewayでコーディングエージェントを配るための運用Tips / JEDAI 2026 新春 Meetup! AIコーディング特集
genda
0
150
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
430
Kiro IDEのドキュメントを全部読んだので地味だけどちょっと嬉しい機能を紹介する
khmoryz
0
150
Introduction to Sansan for Engineers / エンジニア向け会社紹介
sansan33
PRO
6
67k
2人で作ったAIダッシュボードが、開発組織の次の一手を照らした話― Cursor × SpecKit × 可視化の実践 ― Qiita AI Summit
noalisaai
1
370
GitLab Duo Agent Platform × AGENTS.md で実現するSpec-Driven Development / GitLab Duo Agent Platform × AGENTS.md
n11sh1
0
120
日本の85%が使う公共SaaSは、どう育ったのか
taketakekaho
1
130
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
aeonpeople
1
170
AI時代、1年目エンジニアの悩み
jin4
1
160
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
41k
Featured
See All Featured
Information Architects: The Missing Link in Design Systems
soysaucechin
0
770
Utilizing Notion as your number one productivity tool
mfonobong
2
210
Measuring & Analyzing Core Web Vitals
bluesmoon
9
750
Visualization
eitanlees
150
17k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
410
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.2k
SEO for Brand Visibility & Recognition
aleyda
0
4.2k
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
150
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
420
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
133
19k
Crafting Experiences
bethany
1
46
Google's AI Overviews - The New Search
badams
0
900
Transcript
@BastianHofmann API Authorization with OAuth2 How it works and how
to use it
http://oauth.net/
None
None
None
None
None
None
None
Questions? Ask!
http://speakerdeck.com/u/bastianhofmann
http://oauth.net/
http://tools.ietf.org/html/rfc5849
lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared
Consumer Key - Shared Consumer Secret
HTTP POST Connect with Twitter lanyrd.com
twitter.com HTTP POST Connect with Twitter HTTP GET Consumer Key
Redirect URI Signature (Consumer Secret) lanyrd.com
twitter.com HTTP POST Connect with Twitter Request Token Request Token
Secret lanyrd.com
http://twitter.com/authorize? requestToken=... HTTP Redirect lanyrd.com
HTTP GET twitter.com/ authorize
Login twitter.com/ authorize
Grant permission twitter.com/ authorize Create verifier and bind it to
User and Request Token
Redirect URI?verifier=...&requestToken=.. HTTP Redirect twitter.com/ authorize
HTTP GET lanyrd.com (RedirectURI? verifier=...)
HTTP GET HTTP GET Consumer Key, RequestToken Verifier Signature (Consumer
& Request Token Secret) twitter.com lanyrd.com
HTTP GET Access Token Access Token Secret twitter.com lanyrd.com
HTTP GET API Request Consumer Key, Access Token Signature (Consumer
& Access Token Secret) twitter.com lanyrd.com
POST /oauth/request_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131200“,
oauth_nonce=“gggg“, oauth_callback=“http%3A%2F %2Fexample.com%2Fcallback“ oauth_signature=“...“
HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=defghi&oauth_token_secret=jkl mnop&oauth_callback_confirmed=true
HTTP/1.1 302 Found Location: https://api.twitter.com/oauth/ authorization?oauth_token=defghi
HTTP/1.1 302 Found Location: http://example.com/callback? oauth_token=defghi&oauth_verifier=qrstuvw
POST /oauth/access_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“defghi“ oauth_signature_method=“HMAC-SHA1“,
oauth_timestamp=“137131201“, oauth_nonce=“hhhhh“, oauth_verifier=“qrstuvw“ oauth_signature=“...“
HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=xzyabc&oauth_token_secret=defg hijk
POST /1/statuses/update.json HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“ xzyabc“
oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131203“, oauth_nonce=“iiiiiii“, oauth_signature=“...“ status=New %20Tweet&trim_user=true&include_entities=tru e
Signatures
GET /photos/vacation.jpg? oauth_consumer_key=123&oauth_nonce= 456&oauth_signature_method=HMAC- SHA1&oauth_timestamp=1191242096&oau th_token=789&oauth_version=1.0 HTTP/1.1 Host: photos.example.net
GET&http%3A%2F %2Fphotos.example.net%2Fphotos %2Fvacation.jpg&oauth_consumer_key %3D123%26oauth_nonce %3D456%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp %3D1191242096%26oauth_token %3D789%26oauth_version%3D1.0
PLAINTEXT
HMAC-SHA1 Salt: consumerSecret(&tokenSecret)
RSA-SHA1 Public/Private Key
DEMO
http://oauth.googlecode.com/svn/code/java/
Problems Does not work well with non web or JavaScript
based clients The „Invalid Signature“ Problem Complicated Flow, many requests
How to fix it?
http://oauth.net/
http://tools.ietf.org/html/draft-ietf-oauth-v2
http://tools.ietf.org/html/draft-ietf-oauth-v2 What‘s new in OAuth2? (Draft 10) Different client profiles
No signatures No Token Secrets Cookie-like Bearer Token No Request Tokens Much more flexible regarding extensions Mandatory TSL/SSL
Web-Server Profile
lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared
Client ID - Shared Client Secret - Redirect URI
HTTP(S) POST Connect with Twitter lanyrd.com
http://twitter.com/authorize?&clientId=... HTTPS Redirect lanyrd.com
HTTPS GET twitter.com/ authorize
Login twitter.com/ authorize
Grant permission twitter.com/ authorize Create authorization code and bind it
to User and ClientID
Redirect URI?authorizationCode=... HTTPS Redirect twitter.com/ authorize
HTTPS GET lanyrd.com (RedirectURI? authorizationCode= ...)
HTTPS GET HTTPS GET Consumer Key Authorization Code Consumer Secret
twitter.com lanyrd.com
HTTPS GET Access Token (Refresh Token) twitter.com lanyrd.com
HTTPS GET HTTPS API Request Access Token twitter.com lanyrd.com
HTTPS GET HTTPS GET Consumer Key Refresh Token Consumer Secret
twitter.com lanyrd.com
HTTPS GET Access Token Refresh Token twitter.com lanyrd.com
HTTPS GET API Request with Access Token twitter.com lanyrd.com
HTTP/1.1 302 Found Location: https://api.twitter.com/oauth2/ authorize? response_type=code&client_id=abcdefg&state=x yz&scope=write
HTTP/1.1 302 Found Location: https://example.com/callback? code=ghijkl&state=xyz
POST /oauth2/token HTTP/1.1 Host: api.twitter.com Content-Type: application/x-www-form- urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl&c lient_id=12345&client_secret=7890
POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-
urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "expires_in“: 3600,
"refresh_token“: "qrstuvq“ }
GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno
DEMO
https://github.com/bashofmann/oauth2_java_webapp_example http://code.google.com/p/google-oauth-java-client/
Refresh Token
POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-
urlencoded;charset=UTF-8 grant_type=refresh_token&code=qrstuvq
Authorization Types
Bearer Tokens
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer
GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno
SSL not possible?
Signatures
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "token_type“: "mac“,
"expires_in“: 3600, "refresh_token“: "qrstuvq“ "mac_key":"adijq39jdlaska9asud", "mac_algorithm":"hmac-sha-1" }
GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: MAC id=“123456“, nonce=“274312:dj83hs“, mac=“.....“
timestamp\n nonce\n HTTP_METHOD\n HTTP Request URI\n Hostname\n Port\n (Authorization extension)
And JavaScript?
User-Agent Profile
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com HTTPS GET twitter.co m/ authorize
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Login twitter.co m/ authorize
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Grant Permission twitter.co m/ authorize
lanyrd.com HTTPS Redirect RedirectURI#acces sToken twitter.co m/ authorize RedirectURI# accessToken
lanyrd.com
lanyrd.com RedirectURI# accessToken Parse Access Token from Fragment Send it
to opening window Close popup lanyrd.com
Same Origin Policy
lanyrd.com HTTPS Ajax Request to API Access Token twitter.com
Same Origin Policy
None
JSONP
Cross Origin Request Sharing (CORS)
Backend api.twitter.com Client lanyrd. com AJAX Access-Control-Allow-Origin: * http://www.w3.org/TR/cors/
GET /oauth2/authorize? response_type=token&client_id=abcdefg&stat e=xyz&scope=write HTTP/1.1 Host: api.twitter.com
HTTP/1.1 302 Found Location: http://example.com/ callback#access_token=gahorha&state=xyz&exp ires_in=3600
1.<script> 2. var fragmentString = location.hash.substr(1); 3. var fragment =
{}; 4. var fragmentItemStrings = fragmentString.split('&'); 5. for (var i in fragmentItemStrings) { 6. var fragmentItem = fragmentItemStrings[i].split('='); 7. if (fragmentItem.length !== 2) { 8. continue; 9. } 10. fragment[fragmentItem[0]] = fragmentItem[1]; 11. } 12. opener.setAccessToken(fragment['access_token']); 13. window.close(); 14.</script>
DEMO
https://github.com/bashofmann/statusnet_js_mashup_2nd
State
Scopes Optional parameter for provider specific implementations Additional return values
Access Control
http://openidconnect.com/ Scope: „openid“ With access token additional values are returned
UserID: URL to Portable Contacts endpoint Timestamp Signature
Mobile/Desktop
h"p://twi"er.com/Bas2anHofmann h"ps://profiles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann/ h"p://speakerdeck.com/u/bas2anhofmann
[email protected]
bastianhofmann
sansantech
rocketmartue
genda
torounit
khmoryz
sansan33
noalisaai
n11sh1
taketakekaho
aeonpeople
jin4
safie_recruit
soysaucechin
mfonobong
bluesmoon
eitanlees
tomoyanonymous
irinanazarova
aleyda
nikkihalliwell
inesmontani
morganepeng
bethany
badams
![h"p://twi"er.com/Bas2anHofmann h"ps://profiles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann/ h"p://speakerdeck.com/u/bas2anhofmann [email protected]](https://files.speakerdeck.com/presentations/4f8ecd9137aff9002101a0b1/slide_105.jpg){kind=link}