API Authorization with OAuth2

Transcript

1. @BastianHofmann API Authorization with OAuth2 How it works and how

   to use it

2. http://oauth.net/

3. None
4. None
5. None
6. None
7. None
8. None
9. None

10. Questions? Ask!

11. http://speakerdeck.com/u/bastianhofmann

12. http://oauth.net/

13. http://tools.ietf.org/html/rfc5849

14. lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared

    Consumer Key - Shared Consumer Secret

15. HTTP POST Connect with Twitter lanyrd.com

16. twitter.com HTTP POST Connect with Twitter HTTP GET Consumer Key

    Redirect URI Signature (Consumer Secret) lanyrd.com

17. twitter.com HTTP POST Connect with Twitter Request Token Request Token

    Secret lanyrd.com

18. http://twitter.com/authorize? requestToken=... HTTP Redirect lanyrd.com

19. HTTP GET twitter.com/ authorize

20. Login twitter.com/ authorize

21. Grant permission twitter.com/ authorize Create verifier and bind it to

    User and Request Token

22. Redirect URI?verifier=...&requestToken=.. HTTP Redirect twitter.com/ authorize

23. HTTP GET lanyrd.com (RedirectURI? verifier=...)

24. HTTP GET HTTP GET Consumer Key, RequestToken Verifier Signature (Consumer

    & Request Token Secret) twitter.com lanyrd.com

25. HTTP GET Access Token Access Token Secret twitter.com lanyrd.com

26. HTTP GET API Request Consumer Key, Access Token Signature (Consumer

    & Access Token Secret) twitter.com lanyrd.com

27. POST /oauth/request_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131200“,

    oauth_nonce=“gggg“, oauth_callback=“http%3A%2F %2Fexample.com%2Fcallback“ oauth_signature=“...“

28. HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=defghi&oauth_token_secret=jkl mnop&oauth_callback_confirmed=true

29. HTTP/1.1 302 Found Location: https://api.twitter.com/oauth/ authorization?oauth_token=defghi

30. HTTP/1.1 302 Found Location: http://example.com/callback? oauth_token=defghi&oauth_verifier=qrstuvw

31. POST /oauth/access_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“defghi“ oauth_signature_method=“HMAC-SHA1“,

    oauth_timestamp=“137131201“, oauth_nonce=“hhhhh“, oauth_verifier=“qrstuvw“ oauth_signature=“...“

32. HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=xzyabc&oauth_token_secret=defg hijk

33. POST /1/statuses/update.json HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“ xzyabc“

    oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131203“, oauth_nonce=“iiiiiii“, oauth_signature=“...“ status=New %20Tweet&trim_user=true&include_entities=tru e

34. Signatures

35. GET /photos/vacation.jpg? oauth_consumer_key=123&oauth_nonce= 456&oauth_signature_method=HMAC- SHA1&oauth_timestamp=1191242096&oau th_token=789&oauth_version=1.0 HTTP/1.1 Host: photos.example.net

36. GET&http%3A%2F %2Fphotos.example.net%2Fphotos %2Fvacation.jpg&oauth_consumer_key %3D123%26oauth_nonce %3D456%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp %3D1191242096%26oauth_token %3D789%26oauth_version%3D1.0

37. PLAINTEXT

38. HMAC-SHA1 Salt: consumerSecret(&tokenSecret)

39. RSA-SHA1 Public/Private Key

40. DEMO

41. http://oauth.googlecode.com/svn/code/java/

42. Problems Does not work well with non web or JavaScript

    based clients The „Invalid Signature“ Problem Complicated Flow, many requests

43. How to fix it?

44. http://oauth.net/

45. http://tools.ietf.org/html/draft-ietf-oauth-v2

46. http://tools.ietf.org/html/draft-ietf-oauth-v2 What‘s new in OAuth2? (Draft 10) Different client profiles

    No signatures No Token Secrets Cookie-like Bearer Token No Request Tokens Much more flexible regarding extensions Mandatory TSL/SSL

47. Web-Server Profile

48. lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared

    Client ID - Shared Client Secret - Redirect URI

49. HTTP(S) POST Connect with Twitter lanyrd.com

50. http://twitter.com/authorize?&clientId=... HTTPS Redirect lanyrd.com

51. HTTPS GET twitter.com/ authorize

52. Login twitter.com/ authorize

53. Grant permission twitter.com/ authorize Create authorization code and bind it

    to User and ClientID

54. Redirect URI?authorizationCode=... HTTPS Redirect twitter.com/ authorize

55. HTTPS GET lanyrd.com (RedirectURI? authorizationCode= ...)

56. HTTPS GET HTTPS GET Consumer Key Authorization Code Consumer Secret

    twitter.com lanyrd.com

57. HTTPS GET Access Token (Refresh Token) twitter.com lanyrd.com

58. HTTPS GET HTTPS API Request Access Token twitter.com lanyrd.com

59. HTTPS GET HTTPS GET Consumer Key Refresh Token Consumer Secret

    twitter.com lanyrd.com

60. HTTPS GET Access Token Refresh Token twitter.com lanyrd.com

61. HTTPS GET API Request with Access Token twitter.com lanyrd.com

62. HTTP/1.1 302 Found Location: https://api.twitter.com/oauth2/ authorize? response_type=code&client_id=abcdefg&state=x yz&scope=write

63. HTTP/1.1 302 Found Location: https://example.com/callback? code=ghijkl&state=xyz

64. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Content-Type: application/x-www-form- urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl&c lient_id=12345&client_secret=7890

65. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-

    urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl

66. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "expires_in“: 3600,

    "refresh_token“: "qrstuvq“ }

67. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

68. DEMO

69. https://github.com/bashofmann/oauth2_java_webapp_example http://code.google.com/p/google-oauth-java-client/

70. Refresh Token

71. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-

    urlencoded;charset=UTF-8 grant_type=refresh_token&code=qrstuvq

72. Authorization Types

73. Bearer Tokens

74. http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer

75. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

76. SSL not possible?

77. Signatures

78. http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac

79. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "token_type“: "mac“,

    "expires_in“: 3600, "refresh_token“: "qrstuvq“ "mac_key":"adijq39jdlaska9asud", "mac_algorithm":"hmac-sha-1" }

80. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: MAC id=“123456“, nonce=“274312:dj83hs“, mac=“.....“

81. timestamp\n nonce\n HTTP_METHOD\n HTTP Request URI\n Hostname\n Port\n (Authorization extension)

82. And JavaScript?

83. User-Agent Profile

84. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com

85. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com HTTPS GET twitter.co m/ authorize

86. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Login twitter.co m/ authorize

87. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Grant Permission twitter.co m/ authorize

88. lanyrd.com HTTPS Redirect RedirectURI#acces sToken twitter.co m/ authorize RedirectURI# accessToken

    lanyrd.com

89. lanyrd.com RedirectURI# accessToken Parse Access Token from Fragment Send it

    to opening window Close popup lanyrd.com

90. Same Origin Policy

91. lanyrd.com HTTPS Ajax Request to API Access Token twitter.com

92. Same Origin Policy

93. None

94. JSONP

95. Cross Origin Request Sharing (CORS)

96. Backend api.twitter.com Client lanyrd. com AJAX Access-Control-Allow-Origin: * http://www.w3.org/TR/cors/

97. GET /oauth2/authorize? response_type=token&client_id=abcdefg&stat e=xyz&scope=write HTTP/1.1 Host: api.twitter.com

98. HTTP/1.1 302 Found Location: http://example.com/ callback#access_token=gahorha&state=xyz&exp ires_in=3600

99. 1.<script> 2. var fragmentString = location.hash.substr(1); 3. var fragment =

    {}; 4. var fragmentItemStrings = fragmentString.split('&'); 5. for (var i in fragmentItemStrings) { 6. var fragmentItem = fragmentItemStrings[i].split('='); 7. if (fragmentItem.length !== 2) { 8. continue; 9. } 10. fragment[fragmentItem[0]] = fragmentItem[1]; 11. } 12. opener.setAccessToken(fragment['access_token']); 13. window.close(); 14.</script>

100. DEMO

101. https://github.com/bashofmann/statusnet_js_mashup_2nd

102. State

103. Scopes Optional parameter for provider specific implementations Additional return values

     Access Control

104. http://openidconnect.com/ Scope: „openid“ With access token additional values are returned

     UserID: URL to Portable Contacts endpoint Timestamp Signature

105. Mobile/Desktop

106. h"p://twi"er.com/Bas2anHofmann h"ps://profiles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann/ h"p://speakerdeck.com/u/bas2anhofmann [email protected]