
API Authorization with OAuth2

How it works and how to use it

Bastian Hofmann

April 18, 2012

Transcript

  1. lanyrd.com / twitter.com: HTTP POST "Connect with Twitter"; HTTP GET carrying Consumer Key, Redirect URI and Signature (made with the Consumer Secret)
  2. lanyrd.com / twitter.com: HTTP GET API request carrying Consumer Key, Access Token and Signature (made with the Consumer Secret and Access Token Secret)
  3. Signed API request:

         POST /1/statuses/update.json HTTP/1.1
         Host: api.twitter.com
         Authorization: OAuth oauth_consumer_key="abcdef", oauth_token="xzyabc",
             oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131203",
             oauth_nonce="iiiiiii", oauth_signature="..."

         status=New%20Tweet&trim_user=true&include_entities=true
  4. Problems: does not work well with non-web or JavaScript-based clients; the "Invalid Signature" problem; complicated flow, many requests
  5. What's new in OAuth2? (Draft 10, http://tools.ietf.org/html/draft-ietf-oauth-v2): different client profiles; no signatures; no token secrets; cookie-like Bearer token; no request tokens; much more flexible regarding extensions; mandatory TLS/SSL
  6. lanyrd.com / twitter.com: pre-registration of the client at Twitter: shared Client ID, shared Client Secret, Redirect URI
  7. Token response:

         HTTP/1.1 200 OK
         Content-Type: application/json;charset=UTF-8

         {
           "access_token": "jklmno",
           "token_type": "mac",
           "expires_in": 3600,
           "refresh_token": "qrstuvq",
           "mac_key": "adijq39jdlaska9asud",
           "mac_algorithm": "hmac-sha-1"
         }
  8. Popup callback script that reads the access token from the URL fragment
     and hands it to the opening window:

         <script>
         // The token arrives in the URL fragment ("#..."), which the browser
         // never sends to the server.
         var fragmentString = location.hash.substr(1);
         var fragment = {};
         var fragmentItemStrings = fragmentString.split('&');
         // Indexed loop: for...in over an array would also walk enumerable
         // prototype properties.
         for (var i = 0; i < fragmentItemStrings.length; i++) {
           var fragmentItem = fragmentItemStrings[i].split('=');
           if (fragmentItem.length !== 2) {
             continue;
           }
           fragment[fragmentItem[0]] = fragmentItem[1];
         }
         // Hand the token to the window that opened the popup, then close it.
         opener.setAccessToken(fragment['access_token']);
         window.close();
         </script>
  9. OpenID Connect (http://openidconnect.com/): scope "openid"; with the access token, additional values are returned: UserID (URL to a Portable Contacts endpoint), Timestamp, Signature