Intro to OAuth

Transcript

1. Intro to OAuth Matt Frost @shrtwhitebldguy https://joind.in/10630

2. Who Am I? • Senior Engineer - Synacor • Author

   • OSS Contributor • Mentoring Proponent • Podcast co-host

3. What is OAuth?

4. None

5. Tokens

6. Statelessness

7. Applications have tokens too

8. So what you’re saying is…

9. Yep!

10. Tokens can be stolen though

11. This is bad

12. Good news though!

13. There are different versions

14. Technically OAuth 1 is deprecated

15. Just like the mysql extension You’re probably going to run

    into it at some point anyway….

16. So here’s the plan

17. None

18. OAuth 1.0 Client

19. So we need tokens, right?

20. Token Definitions

21. Consumer Tokens

22. Temporary Credentials

23. Access Tokens

24. Token Request Flow

25. Super simple right? https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

26. Let’s break this down, eh?

27. You need an application

28. Request the temporary tokens

29. If you signed it right…

30. You’ll have temporary credentials

31. You now use these to request Access Tokens

32. If you sign that request right…

33. You’ll have your actual Access Tokens!

34. You can store them in a session or database and

    use them now!

35. Remember all that signing talk?

36. This is the hardest part…

37. Base String

38. <?php! ! $params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback'

    => $this->getCallback(),! ! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];

39. HTTP Method and URI

40. Let’s see how this actually works

41. <?php! $httpMethod = 'POST';! $uri = ‘http://api.example.com/request_tokens';! ! $params =

    [! 'oauth_nonce' => $this->getNonce(),! 'oauth_callback' => $this->getCallback(),! 'oauth_signature_method' => $this->getSignatureMethod(),! 'oauth_timestamp' => time(),! ‘oauth_consumer_key' => $this->getConsumerKey(),! 'oauth_token' => ‘',! 'oauth_version' => '1.0',! ];! ! $tempArray = [];! ksort($params);! foreach($params as $key => $value) {! ! $tempArray = $key . '=' . rawurlencode($value);! }! ! $baseString = $httpMethod . '&';! $baseString .= rawurlencode($uri) . '&';! $baseString .= implode('&', $tempArray);

42. Composite Key This is way easier…

43. Cram the 2 secrets together…

44. $consumer_secret = 'VERYSECRETZ';! $access_secret = 'SUCHSECURITY';! ! $composite_key = rawurlencode($consumer_secret)

    .'&'. rawurlencode($access_secret);

45. Signing with HMAC-SHA1

46. $signature = base64_encode(hash_hmac(! ! 'sha1',! ! $baseString,! ! $compositeKey,! !

    true! )); Here’s your signature!

47. There are other signature types but…

48. However…

49. None

50. Authorization Header

51. $params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback' => $this->getCallback(),!

    ! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];! ! $params[‘oauth_signature’] = $signature; You probably remember this array?

52. $header = “Authorization: OAuth “;! $tempArray = [];! ! foreach($params

    as $key => $value) {! $tempArray[] = $key . ‘=“‘. rawurlencode($value);! }! ! $header .= implode(‘,’, $tempArray);! We’ve seen similar code before…

53. Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P 6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"

    This is the final result

54. Whew! That was some work

55. OAuth 1.0 Server

56. Token Generation

57. Recreate the signature with the info you received

58. If they match, they win!

59. If not…

60. None

61. Access Control…

62. OAuth 2 Client

63. Good news!

64. No signatures

65. Must use SSL/TLS

66. Consumer Credentials

67. Access Token

68. Grants

69. Authorization Code Grant

70. Authorization example - Foursquare

71. http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=code&redirect_uri=htt p://oauth.dev/examples/Foursquare/callback.php

72. Token Request

73. http://oauth.dev/examples/ Foursquare/callback.php? code=<CODE>

74. https://foursquare.com/oauth2/access_token? client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET >&code=<CODE>&callback=http://oauth.dev/examples/ Foursquare/callback.php&grant_type=authorization_code

75. If you can use this, you should

76. Implicit Grant

77. http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=token&redirect_uri=ht tp://oauth.dev/examples/Foursquare/callback.php

78. Resource Owner Credentials Grant

79. Client Credentials Grant

80. Scopes

81. “Scopes” in OAuth 1

82. Scopes in OAuth 2

83. None

84. Important Note on Scopes

85. Provides an ACL Framework

86. Refresh Tokens

87. Same Scope

88. OAuth 2 Server

89. Issuing Tokens

90. Should I Support All The Grants?

91. Maybe…

92. Authorization/Implicit Grants

93. Storing Token Info

94. Scopes

95. Reading Tokens

96. Query String, Header, Both?

97. A Caution Against Rolling Your Own

98. RFCs OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849 OAuth 2 RFC

    6749 - http://tools.ietf.org/html/rfc6749

99. Questions?

100. Thank you! Matt Frost @shrtwhitebldguy https://joind.in/10630