Upgrade to Pro — share decks privately, control downloads, hide ads and more …

API Authorization with OAuth2

Avatar for Bastian Hofmann Bastian Hofmann
April 18, 2012
Technology
4
770

API Authorization with OAuth2

How it works and how to use it

Avatar for Bastian Hofmann

Bastian Hofmann

April 18, 2012
Tweet

More Decks by Bastian Hofmann

See All by Bastian Hofmann
Monitoring in Kubernetes with Prometheus and Grafana
Avatar for Bastian Hofmann bastianhofmann
0
340
Creating a fast Kubernetes Development Workflow
Avatar for Bastian Hofmann bastianhofmann
0
130
Highly available cross-region deployments with Kubernetes
Avatar for Bastian Hofmann bastianhofmann
1
150
From source to Kubernetes in 30 minutes
Avatar for Bastian Hofmann bastianhofmann
0
170
Introduction to Kubernetes
Avatar for Bastian Hofmann bastianhofmann
1
140
CI/CD with Kubernetes
Avatar for Bastian Hofmann bastianhofmann
0
210
Creating a fast Kubernetes Development Workflow
Avatar for Bastian Hofmann bastianhofmann
1
270
Deploying your first Micro-Service application to Kubernetes
Avatar for Bastian Hofmann bastianhofmann
2
180
Creating a fast Kubernetes Development Workflow
Avatar for Bastian Hofmann bastianhofmann
0
240

Other Decks in Technology

See All in Technology
AI駆動PjMの理想像 と現在地 -実践例を添えて-
Avatar for オカムラ masahiro_okamura
1
110
生成AI時代にこそ求められるSRE / SRE for Gen AI era
Avatar for ymotongpoo ymotongpoo
5
3.1k
配列に見る bash と zsh の違い
Avatar for kazzpapa3 kazzpapa3
1
140
仕様書駆動AI開発の実践: Issue→Skill→PRテンプレで 再現性を作る
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
2
640
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
Avatar for Masataka Tsukamoto tsukaman
0
130
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
360
FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE
Avatar for maaaato maaaato
0
130
OWASP Top 10:2025 リリースと 少しの日本語化にまつわる裏話
Avatar for Riotaro OKADA okdt
PRO
3
660
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
4
17k
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
Avatar for soudai sone soudai
PRO
12
5.3k
今日から始める Amazon Bedrock AgentCore
Avatar for Har1101 har1101
4
400
SREが向き合う大規模リアーキテクチャ 〜信頼性とアジリティの両立〜
Avatar for Kuniaki Moriya zepprix
0
440

Featured

See All Featured
Measuring Dark Social's Impact On Conversion and Attribution
Avatar for Stephen Akadiri stephenakadiri
1
120
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k
Exploring anti-patterns in Rails
Avatar for Elle Meredith aemeredith
2
250
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
Navigating Team Friction
Avatar for Lara Hogan lara
192
16k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
62
49k
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
1
750
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
187
22k
Marketing to machines
Avatar for Jono Alderson jonoalderson
1
4.6k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
1
240
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
16
1.8k

Transcript

  1. @BastianHofmann API Authorization with OAuth2 How it works and how

    to use it

  2. http://oauth.net/

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None

  10. Questions? Ask!

  11. http://speakerdeck.com/u/bastianhofmann

  12. http://oauth.net/

  13. http://tools.ietf.org/html/rfc5849

  14. lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared

    Consumer Key - Shared Consumer Secret

  15. HTTP POST Connect with Twitter lanyrd.com

  16. twitter.com HTTP POST Connect with Twitter HTTP GET Consumer Key

    Redirect URI Signature (Consumer Secret) lanyrd.com

  17. twitter.com HTTP POST Connect with Twitter Request Token Request Token

    Secret lanyrd.com

  18. http://twitter.com/authorize? requestToken=... HTTP Redirect lanyrd.com

  19. HTTP GET twitter.com/ authorize

  20. Login twitter.com/ authorize

  21. Grant permission twitter.com/ authorize Create verifier and bind it to

    User and Request Token

  22. Redirect URI?verifier=...&requestToken=.. HTTP Redirect twitter.com/ authorize

  23. HTTP GET lanyrd.com (RedirectURI? verifier=...)

  24. HTTP GET HTTP GET Consumer Key, RequestToken Verifier Signature (Consumer

    & Request Token Secret) twitter.com lanyrd.com

  25. HTTP GET Access Token Access Token Secret twitter.com lanyrd.com

  26. HTTP GET API Request Consumer Key, Access Token Signature (Consumer

    & Access Token Secret) twitter.com lanyrd.com

  27. POST /oauth/request_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131200“,

    oauth_nonce=“gggg“, oauth_callback=“http%3A%2F %2Fexample.com%2Fcallback“ oauth_signature=“...“

  28. HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=defghi&oauth_token_secret=jkl mnop&oauth_callback_confirmed=true

  29. HTTP/1.1 302 Found Location: https://api.twitter.com/oauth/ authorization?oauth_token=defghi

  30. HTTP/1.1 302 Found Location: http://example.com/callback? oauth_token=defghi&oauth_verifier=qrstuvw

  31. POST /oauth/access_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“defghi“ oauth_signature_method=“HMAC-SHA1“,

    oauth_timestamp=“137131201“, oauth_nonce=“hhhhh“, oauth_verifier=“qrstuvw“ oauth_signature=“...“

  32. HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=xzyabc&oauth_token_secret=defg hijk

  33. POST /1/statuses/update.json HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“ xzyabc“

    oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131203“, oauth_nonce=“iiiiiii“, oauth_signature=“...“ status=New %20Tweet&trim_user=true&include_entities=tru e

  34. Signatures

  35. GET /photos/vacation.jpg? oauth_consumer_key=123&oauth_nonce= 456&oauth_signature_method=HMAC- SHA1&oauth_timestamp=1191242096&oau th_token=789&oauth_version=1.0 HTTP/1.1 Host: photos.example.net

  36. GET&http%3A%2F %2Fphotos.example.net%2Fphotos %2Fvacation.jpg&oauth_consumer_key %3D123%26oauth_nonce %3D456%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp %3D1191242096%26oauth_token %3D789%26oauth_version%3D1.0

  37. PLAINTEXT

  38. HMAC-SHA1 Salt: consumerSecret(&tokenSecret)

  39. RSA-SHA1 Public/Private Key

  40. DEMO

  41. http://oauth.googlecode.com/svn/code/java/

  42. Problems Does not work well with non web or JavaScript

    based clients The „Invalid Signature“ Problem Complicated Flow, many requests

  43. How to fix it?

  44. http://oauth.net/

  45. http://tools.ietf.org/html/draft-ietf-oauth-v2

  46. http://tools.ietf.org/html/draft-ietf-oauth-v2 What‘s new in OAuth2? (Draft 10) Different client profiles

    No signatures No Token Secrets Cookie-like Bearer Token No Request Tokens Much more flexible regarding extensions Mandatory TSL/SSL

  47. Web-Server Profile

  48. lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared

    Client ID - Shared Client Secret - Redirect URI

  49. HTTP(S) POST Connect with Twitter lanyrd.com

  50. http://twitter.com/authorize?&clientId=... HTTPS Redirect lanyrd.com

  51. HTTPS GET twitter.com/ authorize

  52. Login twitter.com/ authorize

  53. Grant permission twitter.com/ authorize Create authorization code and bind it

    to User and ClientID

  54. Redirect URI?authorizationCode=... HTTPS Redirect twitter.com/ authorize

  55. HTTPS GET lanyrd.com (RedirectURI? authorizationCode= ...)

  56. HTTPS GET HTTPS GET Consumer Key Authorization Code Consumer Secret

    twitter.com lanyrd.com

  57. HTTPS GET Access Token (Refresh Token) twitter.com lanyrd.com

  58. HTTPS GET HTTPS API Request Access Token twitter.com lanyrd.com

  59. HTTPS GET HTTPS GET Consumer Key Refresh Token Consumer Secret

    twitter.com lanyrd.com

  60. HTTPS GET Access Token Refresh Token twitter.com lanyrd.com

  61. HTTPS GET API Request with Access Token twitter.com lanyrd.com

  62. HTTP/1.1 302 Found Location: https://api.twitter.com/oauth2/ authorize? response_type=code&client_id=abcdefg&state=x yz&scope=write

  63. HTTP/1.1 302 Found Location: https://example.com/callback? code=ghijkl&state=xyz

  64. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Content-Type: application/x-www-form- urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl&c lient_id=12345&client_secret=7890

  65. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-

    urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl

  66. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "expires_in“: 3600,

    "refresh_token“: "qrstuvq“ }

  67. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

  68. DEMO

  69. https://github.com/bashofmann/oauth2_java_webapp_example http://code.google.com/p/google-oauth-java-client/

  70. Refresh Token

  71. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-

    urlencoded;charset=UTF-8 grant_type=refresh_token&code=qrstuvq

  72. Authorization Types

  73. Bearer Tokens

  74. http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer

  75. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

  76. SSL not possible?

  77. Signatures

  78. http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac

  79. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "token_type“: "mac“,

    "expires_in“: 3600, "refresh_token“: "qrstuvq“ "mac_key":"adijq39jdlaska9asud", "mac_algorithm":"hmac-sha-1" }

  80. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: MAC id=“123456“, nonce=“274312:dj83hs“, mac=“.....“

  81. timestamp\n nonce\n HTTP_METHOD\n HTTP Request URI\n Hostname\n Port\n (Authorization extension)

  82. And JavaScript?

  83. User-Agent Profile

  84. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com

  85. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com HTTPS GET twitter.co m/ authorize

  86. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Login twitter.co m/ authorize

  87. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Grant Permission twitter.co m/ authorize

  88. lanyrd.com HTTPS Redirect RedirectURI#acces sToken twitter.co m/ authorize RedirectURI# accessToken

    lanyrd.com

  89. lanyrd.com RedirectURI# accessToken Parse Access Token from Fragment Send it

    to opening window Close popup lanyrd.com

  90. Same Origin Policy

  91. lanyrd.com HTTPS Ajax Request to API Access Token twitter.com

  92. Same Origin Policy

  93. None

  94. JSONP

  95. Cross Origin Request Sharing (CORS)

  96. Backend api.twitter.com Client lanyrd. com AJAX Access-Control-Allow-Origin: * http://www.w3.org/TR/cors/

  97. GET /oauth2/authorize? response_type=token&client_id=abcdefg&stat e=xyz&scope=write HTTP/1.1 Host: api.twitter.com

  98. HTTP/1.1 302 Found Location: http://example.com/ callback#access_token=gahorha&state=xyz&exp ires_in=3600

  99. 1.<script> 2. var fragmentString = location.hash.substr(1); 3. var fragment =

    {}; 4. var fragmentItemStrings = fragmentString.split('&'); 5. for (var i in fragmentItemStrings) { 6. var fragmentItem = fragmentItemStrings[i].split('='); 7. if (fragmentItem.length !== 2) { 8. continue; 9. } 10. fragment[fragmentItem[0]] = fragmentItem[1]; 11. } 12. opener.setAccessToken(fragment['access_token']); 13. window.close(); 14.</script>

  100. DEMO

  101. https://github.com/bashofmann/statusnet_js_mashup_2nd

  102. State

  103. Scopes Optional parameter for provider specific implementations Additional return values

    Access Control

  104. http://openidconnect.com/ Scope: „openid“ With access token additional values are returned

    UserID: URL to Portable Contacts endpoint Timestamp Signature

  105. Mobile/Desktop

  106. h"p://twi"er.com/Bas2anHofmann h"ps://profiles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann/ h"p://speakerdeck.com/u/bas2anhofmann [email protected]