
OAuth2 for me and you

Authentication is key when dealing with the web, certainly when calling, liaising with and using external API services. You may even need to implement (or may already have) your own authentication service for your apps or for others to use.

In this session, Matt will discuss the OAuth 2 protocol, what it means to be a consumer or provider, and how to navigate the handshake communications between the services. At the end of this session you will walk taller, safe in the knowledge that you understand OAuth 2, how to use it and how to build your own service.


Matt Gifford

October 19, 2017

Transcript

  1. @coldfumonkeh Matt Gifford OAUTH 2 for ME and YOU

  4. An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications

  5. BACKGROUND

  6. 2006 Twitter Chief Architect looked for a better authentication method - no passwords
    2007 OpenID development group (and contributors) came up with the OAuth 1 first draft
    2007 7 updated drafts by the end of the year
    2009 OAuth 2.0 spec was started “.. to clear up many of the aspects of OAuth 1 that were difficult or confusing.”
    2010 OAuth 2.0 draft 10 was published
    Most people stayed on draft 10 (as most people started adopting it at that point)
    There were 22 more revisions to the draft
  9. An open protocol framework

  11. An open protocol delegation framework

  12. DIFFERENCES

  13. Flickr Auth Facebook Auth Google AuthSub Yahoo BBAuth

  14. SIGNATURES

  17. OAUTH 1 SIGNATURE

  18. POST OAUTH 1 SIGNATURE

  19. OAUTH 1 SIGNATURE POST https://api.twitter.com/1.1/statuses/update.json

  20. OAUTH 1 SIGNATURE
    status = Hello Ladies + Gentlemen, a signed OAuth request!
    include_entities = true
    oauth_consumer_key = xvz1evFS4wEEPTGEFPHBog
    oauth_nonce = kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg
    oauth_signature_method = HMAC-SHA1
    oauth_timestamp = 1318622958
    oauth_token = 370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb
    oauth_version = 1.0
    POST https://api.twitter.com/1.1/statuses/update.json
  21. OAUTH 1 SIGNATURE include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21 POST https://api.twitter.com/1.1/statuses/update.json

  22. OAUTH 1 SIGNATURE include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21 POST https://api.twitter.com/1.1/statuses/update.json

  23. OAUTH 1 SIGNATURE include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21 POST https://api.twitter.com/1.1/statuses/update.json

  24. OAUTH 1 SIGNATURE include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21 POST&https://api.twitter.com/1.1/statuses/update.json

  25. OAUTH 1 SIGNATURE include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21 POST&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fupdate.json

  26. OAUTH 1 SIGNATURE include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21 POST&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fupdate.json&

  27. OAUTH 1 SIGNATURE include_entities%3Dtrue%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb%26oauth_version%3D1.0%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521 POST&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fupdate.json&

  28. OAUTH 1 SIGNATURE POST&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fupdate.json&include_entities%3Dtrue%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb%26oauth_version%3D1.0%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521

  29. OAUTH 1 SIGNING KEY kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw

  30. OAUTH 1 SIGNING KEY kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw&

  31. OAUTH 1 SIGNING KEY kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw&LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE

  32. OAUTH 1 SIGNING KEY 84 2B 52 99 88 7E 88 76 02 12 A0 56 AC 4E C2 EE 16 26 B5 49
  33. OAUTH 1 SIGNING KEY hCtSmYh+iHYCEqBWrE7C7hYmtUk=
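The signing steps on slides 20 to 33 carried through in code, as an added example that is not part of the deck: percent-encode and sort the parameters, build the base string, join the two secrets into the signing key, and HMAC-SHA1 the result. The request values are the Twitter documentation sample reproduced on the slides; `signature_matches` is the check a provider would run on an incoming request.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value) -> str:
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    """Encode each key and value, sort, join with '&', then glue
    METHOD & encoded(url) & encoded(parameter string) together."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(param_string)])

def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """consumer secret '&' token secret; the '&' stays even when there is no token."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def hmac_sha1_signature(base_string: str, key: str) -> str:
    """HMAC-SHA1 of the base string under the signing key, then base64."""
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def signature_matches(presented: str, base_string: str, key: str) -> bool:
    """Provider-side check: recompute and compare in constant time."""
    return hmac.compare_digest(presented, hmac_sha1_signature(base_string, key))

# Twitter's documented sample request, as reproduced on the slides above.
SAMPLE_URL = "https://api.twitter.com/1.1/statuses/update.json"
SAMPLE_PARAMS = {
    "status": "Hello Ladies + Gentlemen, a signed OAuth request!",
    "include_entities": "true",
    "oauth_consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "oauth_nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318622958",
    "oauth_token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "oauth_version": "1.0",
}
SAMPLE_KEY = signing_key("kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
                         "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE")

def sign_sample() -> str:
    """Signature for the sample request; matches the value on slide 33."""
    return hmac_sha1_signature(signature_base_string("POST", SAMPLE_URL, SAMPLE_PARAMS), SAMPLE_KEY)
```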

  35. PERFORMANCE

  36. USER EXPERIENCE

  38. 19,733

  40. DEFINITIONS

  41. ROLES

  42. Resource Owner (The User) ROLES

  43. Resource Server ROLES

  44. Authorization Server ROLES

  45. The Client (The App) ROLES

  46. CONFIDENTIAL CLIENTS

  47. PUBLIC CLIENTS

  48. OTHER KEY TERMS

  49. ACCESS TOKEN

  51. REFRESH TOKEN

  52. AUTHORIZATION CODE

  53. REDIRECT URI

  54. SCOPES

  55. THE SET UP

  65. THE SCENARIO

  67. I am writing a web-based application for lovers of music.

    I want to access data from third-party services to enhance my application.
  68. ROLES User My App API

  69. THE WORKFLOW My Application

  70. THE WORKFLOW My Application

  71. THE WORKFLOW My Application Spotify Authorization Server Spotify Resource Server

  72. THE WORKFLOW My Application Spotify Authorization Server Spotify Resource Server

    Authorization Request
  73. THE WORKFLOW My Application Spotify Do you give permission for

    My Application to access your basic profile information? No Yes Spotify Authorization Server Spotify Resource Server Authorization Request
  74. THE WORKFLOW Authorization Request My Application Spotify Authorization Server Spotify

    Resource Server
  75. THE WORKFLOW Authorization Request Authorization Grant My Application Spotify Authorization

    Server Spotify Resource Server
  76. THE WORKFLOW Authorization Request Authorization Grant Authorization Grant My Application

    Spotify Authorization Server Spotify Resource Server
  77. THE WORKFLOW Authorization Request Authorization Grant Authorization Grant Access Token

    My Application Spotify Authorization Server Spotify Resource Server
  78. THE WORKFLOW Authorization Request Authorization Grant Authorization Grant Access Token

    Access Token My Application Spotify Authorization Server Spotify Resource Server
  79. THE WORKFLOW Authorization Request Authorization Grant Authorization Grant Access Token

    Access Token Protected Resources My Application Spotify Authorization Server Spotify Resource Server
  80. My Application Spotify

  81. My Application Spotify Name Website Callback URL

  82. My Application Spotify Name Website Callback URL

  83. My Application Spotify Client ID Client Secret

  84. My Application Spotify Client ID Client Secret

  85. Spotify My Application Client ID Client Secret

  86. Authorization Code Grant Implicit Grant Password Grant Client Credentials Grant

  87. GRANTING APPROVAL

  89. https://accounts.spotify.com/authorize/? GET

  90. https://accounts.spotify.com/authorize/? client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 GET

  91. https://accounts.spotify.com/authorize/? client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 &response_type=code GET

  92. https://accounts.spotify.com/authorize/? client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 &response_type=code &redirect_uri=http://127.0.0.1:8080/tests/oauth2request.cfm GET

  93. https://accounts.spotify.com/authorize/? client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 &response_type=code &redirect_uri=http://127.0.0.1:8080/tests/oauth2request.cfm &state=34fFs29kd09 GET

  94. https://accounts.spotify.com/authorize/? client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 &response_type=code &redirect_uri=http://127.0.0.1:8080/tests/oauth2request.cfm &state=34fFs29kd09 &scope=playlist-read-private user-library-read GET

  97. 10 mins

  98. 10 mins 30-60 secs

  100. USE THE STATE

  103. HEADER PAYLOAD SIGNATURE JWT

  104. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
  105. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }
    { "homepage": "https://mydashboard.net/profile", "clickDate": "{ts '2017-10-16 21:07:46'}", "session": { "cart": [ { "unitId": 1, "quantity": 2 }, { "unitId": 51, "quantity": 10 } ] } }
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzZXNzaW9uIjp7ImNhcnQiOlt7InVuaXRJZCI6MSwicXVhbnRpdHkiOjJ9LHsidW5pdElkIjo1MSwicXVhbnRpdHkiOjEwfV19LCJob21lcGFnZSI6Imh0dHBzOi8vbXlkYXNoYm9hcmQubmV0L3Byb2ZpbGUiLCJjbGlja0RhdGUiOiJ7dHMgJzIwMTctMTAtMTYgMjE6MDc6NDYnfSJ9
  106. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }
    { "homepage": "https://mydashboard.net/profile", "clickDate": "{ts '2017-10-16 21:07:46'}", "session": { "cart": [ { "unitId": 1, "quantity": 2 }, { "unitId": 51, "quantity": 10 } ] } }
    HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzZXNzaW9uIjp7ImNhcnQiOlt7InVuaXRJZCI6MSwicXVhbnRpdHkiOjJ9LHsidW5pdElkIjo1MSwicXVhbnRpdHkiOjEwfV19LCJob21lcGFnZSI6Imh0dHBzOi8vbXlkYXNoYm9hcmQubmV0L3Byb2ZpbGUiLCJjbGlja0RhdGUiOiJ7dHMgJzIwMTctMTAtMTYgMjE6MDc6NDYnfSJ9.5mm2OMMYIolGW9MiyYnSt6dMuo2zaX2EKYjkUvkT-dY
  107. THE ACCESS TOKEN

  109. https://accounts.spotify.com/api/token POST

  110. https://accounts.spotify.com/api/token grant_type=authorization_code POST

  111. POST https://accounts.spotify.com/api/token grant_type=authorization_code code=AQCdYyolAtoKTZnpDvb1AqfMM6EhV...

  112. POST https://accounts.spotify.com/api/token grant_type=authorization_code code=AQCdYyolAtoKTZnpDvb1AqfMM6EhV... redirect_uri=http://127.0.0.1:8080/tests/oauth2request.cfm

  113. POST https://accounts.spotify.com/api/token grant_type=authorization_code code=AQCdYyolAtoKTZnpDvb1AqfMM6EhV... redirect_uri=http://127.0.0.1:8080/tests/oauth2request.cfm client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010

  114. POST https://accounts.spotify.com/api/token grant_type=authorization_code code=AQCdYyolAtoKTZnpDvb1AqfMM6EhV... redirect_uri=http://127.0.0.1:8080/tests/oauth2request.cfm client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=9948a51bb5c04048a464e5649f7b606a

  118. ACCESSING RESOURCES

  121. THE REFRESH TOKEN

  123. https://accounts.spotify.com/api/token POST

  124. https://accounts.spotify.com/api/token grant_type=refresh_token POST

  125. POST https://accounts.spotify.com/api/token grant_type=refresh_token refresh_token=AQDhLQPewwmlZaiqL2APqBuL…

  126. POST https://accounts.spotify.com/api/token grant_type=refresh_token refresh_token=AQDhLQPewwmlZaiqL2APqBuL… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010

  127. POST https://accounts.spotify.com/api/token grant_type=refresh_token refresh_token=AQDhLQPewwmlZaiqL2APqBuL… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=9948a51bb5c04048a464e5649f7b606a
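The client side of the authorization code flow from slides 89 to 94, 100 and 109 to 127 in one place, as an added example that is not the deck's code: build the authorize URL with a random state, accept the callback only when its state is one this client issued (and burn it so a replayed callback is rejected), then shape the token and refresh requests. The endpoints and client_id are the ones on the slides; the HTTP POST itself is left to the caller.

```python
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORIZE_URL = "https://accounts.spotify.com/authorize/"
TOKEN_URL = "https://accounts.spotify.com/api/token"

# state values handed to this user's browser and not yet consumed
_pending_states = set()

def start_authorization(client_id, redirect_uri, scopes):
    """Slides 89-94: the GET to the authorize endpoint, with a fresh random state.
    Returns (url, state); the state is kept so the callback can be matched to it."""
    state = secrets.token_urlsafe(24)
    _pending_states.add(state)
    query = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
             "state": state, "scope": " ".join(scopes)}
    return f"{AUTHORIZE_URL}?{urlencode(query, quote_via=quote)}", state

def handle_callback(callback_url):
    """Slide 100, 'use the state': take the code only when the state is one we issued,
    then discard it so a replayed or forged callback is rejected."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if state not in _pending_states:
        raise PermissionError("state missing or unknown: callback ignored")
    _pending_states.discard(state)  # single use
    if "error" in q:
        raise PermissionError(f"authorization denied: {q['error'][0]}")
    if "code" not in q:
        raise PermissionError("callback carries no authorization code")
    return q["code"][0]

def token_request(code, redirect_uri, client_id, client_secret):
    """Slides 109-114: form body of the POST to TOKEN_URL that swaps the code for
    tokens; redirect_uri must be the exact value sent in the authorize step."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}

def refresh_request(refresh_token, client_id, client_secret):
    """Slides 123-127: same endpoint, grant_type=refresh_token, no user interaction."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}
```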

  131. GENERATING YOUR OWN

  134. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }
    { "iat": 1508159081, "sub": 1000, "exp": 1508159111, "redirect_uri": "https://mycallback.fake", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" }
    HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDgxNTkwODEsInN1YiI6MTAwMCwiZXhwIjoxNTA4MTU5MTExLCJyZWRpcmVjdF91cmkiOiJodHRwczovL215Y2FsbGJhY2suZmFrZSIsImF1ZCI6IkJGMjM0NzNFLUE2QUEtNDc3RC1BRERFQjNBNkRDMjREMjhFIn0.JGZ1WMBXXE4BE5iwdmkrq5mJYK6lirkTqChWdy0IS1s
  137. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }
    { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private,write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" }
    HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGVzdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsInNjb3BlIjoicmVhZC1wcml2YXRlLHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM0E2REMyNEQyOEUifQ.pLiNkS2GLW9Wp4tthm4MAyRUf0Y4LeYrKnkasXtCY24
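The HS256 JWT construction from slides 104 to 106, applied to the provider-side tokens on slides 134 and 137, as an added example that is not the deck's code: it mints the 30-second authorization code exactly as on slide 134 (same claims, same key order, so the header and payload segments reproduce the slide's), and verifies a token by pinning the algorithm, checking the HMAC in constant time, and enforcing `exp` and `aud` before any claim is trusted. The signing secret is a constructed placeholder, so the signature segment differs from the slide's.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_hs256_sign(claims: dict, secret: bytes) -> str:
    """header.payload.signature, signature = HMACSHA256(header '.' payload, secret)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def jwt_hs256_verify(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Check alg, signature, exp and aud before any claim is trusted; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin HS256: never honour 'none' or a key-type switch
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def mint_authorization_code(sub, redirect_uri, client_id, secret, now, lifetime=30):
    """Slide 134: a 30-second code bound to the redirect_uri and to the client (aud)."""
    claims = {"iat": now, "sub": sub, "exp": now + lifetime,
              "redirect_uri": redirect_uri, "aud": client_id}
    return jwt_hs256_sign(claims, secret)
```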
  138. OPENID CONNECT http://openid.net/connect/

  139. https://openidconnect.net/

  140. USEFUL TOOLS

  150. https://oauth.net/

  151. https://cfmlbadges.monkehworks.com

  152. 3?
