Intro to OAuth

Introduction to OAuth talk, given at PHP[tek] 2014

Frost
May 23, 2014

Transcript

  1. Intro to OAuth
    Matt Frost
    @shrtwhitebldguy
    https://joind.in/10630

  2. Who Am I?
    • Senior Engineer - Synacor
    • Author
    • OSS Contributor
    • Mentoring Proponent
    • Podcast co-host

  3. What is OAuth?

  4. (image-only slide)

  5. Tokens

  6. Statelessness

  7. Applications have tokens too

  8. So what you’re saying is…

  9. Yep!

  10. Tokens can be stolen though

  11. This is bad

  12. Good news though!

  13. There are different versions

  14. Technically OAuth 1 is
    deprecated

  15. Just like the mysql extension
    You’re probably going to run into it at some point anyway…

  16. So here’s the plan

  17. (image-only slide)

  18. OAuth 1.0
    Client

  19. So we need tokens, right?

  20. Token Definitions

  21. Consumer Tokens

  22. Temporary Credentials

  23. Access Tokens

  24. Token Request Flow

  25. Super simple right?
    https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

  26. Let’s break this down, eh?

  27. You need an application

  28. Request the temporary tokens

  29. If you signed it right…

  30. You’ll have temporary
    credentials

  31. You now use these to request
    Access Tokens

  32. If you sign that request right…

  33. You’ll have your actual Access
    Tokens!

  34. You can store them in a session
    or database and use them now!

  35. Remember all that signing talk?

  36. This is the hardest part…

  37. Base String

  38. $params = [
        'oauth_nonce'            => $this->getNonce(),
        'oauth_callback'         => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp'        => time(),
        'oauth_consumer_key'     => $this->getConsumerKey(),
        'oauth_token'            => '',   // empty while requesting temporary credentials
        'oauth_version'          => '1.0',
    ];

  39. HTTP Method and URI

  40. Let’s see how this actually works

  41. $httpMethod = 'POST';
    $uri = 'http://api.example.com/request_tokens';

    $params = [
        'oauth_nonce'            => $this->getNonce(),
        'oauth_callback'         => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp'        => time(),
        'oauth_consumer_key'     => $this->getConsumerKey(),
        'oauth_token'            => '',
        'oauth_version'          => '1.0',
    ];

    // Sort by parameter name, then percent-encode each name and value
    $tempArray = [];
    ksort($params);
    foreach ($params as $key => $value) {
        $tempArray[] = rawurlencode($key) . '=' . rawurlencode($value);
    }

    // Base string: METHOD & encoded(URI) & encoded(parameter string)
    $baseString  = $httpMethod . '&';
    $baseString .= rawurlencode($uri) . '&';
    $baseString .= rawurlencode(implode('&', $tempArray));

  42. Composite Key
    This is way easier…

  43. Cram the 2 secrets together…

  44. $consumerSecret = 'VERYSECRETZ';
    $accessSecret   = 'SUCHSECURITY';   // still an empty string when requesting temporary credentials

    // Composite key: each secret percent-encoded, joined with '&'
    $compositeKey = rawurlencode($consumerSecret) . '&' . rawurlencode($accessSecret);

  45. Signing with HMAC-SHA1

  46. $signature = base64_encode(hash_hmac(
        'sha1',
        $baseString,
        $compositeKey,
        true            // raw binary digest, which is then base64-encoded
    ));
    Here’s your signature!

  47. There are other signature types
    but…

  48. However…

  49. (image-only slide)

  50. Authorization Header

  51. $params = [
        'oauth_nonce'            => $this->getNonce(),
        'oauth_callback'         => $this->getCallback(),
        'oauth_signature_method' => $this->getSignatureMethod(),
        'oauth_timestamp'        => time(),
        'oauth_consumer_key'     => $this->getConsumerKey(),
        'oauth_token'            => '',
        'oauth_version'          => '1.0',
    ];

    $params['oauth_signature'] = $signature;
    You probably remember this array?

  52. $header = 'Authorization: OAuth ';
    $tempArray = [];

    // Each parameter becomes name="encoded value"; the closing quote matters
    foreach ($params as $key => $value) {
        $tempArray[] = rawurlencode($key) . '="' . rawurlencode($value) . '"';
    }

    $header .= implode(', ', $tempArray);
    We’ve seen similar code before…

  53. Authorization: OAuth
    oauth_consumer_key="xxxxxxxxx",
    oauth_nonce="fklj2324kljfksjf234k",
    oauth_signature="8xJAdrE00wGH21w87P6N%2F8c0XZfeo%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1399488541",
    oauth_token="xxxxxxxxx",
    oauth_version="1.0"
    This is the final result

  54. Whew! That was some work

  55. OAuth 1.0
    Server

  56. Token Generation

  57. Recreate the signature with the
    info you received

  58. If they match, they win!
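
    The client-side signing steps (slides 41 to 52) and the server's recreate-and-compare check (slides 57 and 58) put together, as an added example that is not code from the talk; the function names, consumer secret, callback and endpoint URL are constructed placeholders:

```php
<?php
// Added example (not from the talk): client signing plus the server's recreate-and-compare check, laid out per RFC 5849 section 3.4. All values are placeholders.
function oauthBaseString(string $method, string $uri, array $params): string
{
    unset($params['oauth_signature']);           // never part of the base string
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[rawurlencode($key)] = rawurlencode((string) $value);
    }
    ksort($pairs, SORT_STRING);                  // sorted by encoded name
    $normalized = [];
    foreach ($pairs as $key => $value) {
        $normalized[] = $key . '=' . $value;
    }
    // METHOD & encoded(base URI) & encoded(normalized parameter string)
    return strtoupper($method) . '&' . rawurlencode($uri) . '&'
        . rawurlencode(implode('&', $normalized));
}

function oauthSign(string $baseString, string $consumerSecret, string $tokenSecret): string
{
    // Composite key: both secrets percent-encoded and joined with '&' (the token
    // secret is still empty when requesting temporary credentials)
    $compositeKey = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $compositeKey, true));
}

// Server side: rebuild the signature from the received parameters and compare
// with hash_equals() so the comparison takes the same time whatever differs.
function oauthVerify(string $method, string $uri, array $received, string $consumerSecret, string $tokenSecret): bool
{
    $expected = oauthSign(oauthBaseString($method, $uri, $received), $consumerSecret, $tokenSecret);
    return hash_equals($expected, (string) ($received['oauth_signature'] ?? ''));
}

// Constructed request against a placeholder endpoint (nothing is sent anywhere).
$method = 'POST';
$uri    = 'http://api.example.com/request_tokens';
$params = [
    'oauth_consumer_key'     => 'example-consumer-key',
    'oauth_nonce'            => bin2hex(random_bytes(8)),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_callback'         => 'http://oauth.dev/examples/callback.php',
    'oauth_version'          => '1.0',
];
$params['oauth_signature'] = oauthSign(oauthBaseString($method, $uri, $params), 'VERYSECRETZ', '');
var_dump(oauthVerify($method, $uri, $params, 'VERYSECRETZ', ''));  // request exactly as signed
$params['oauth_callback'] = 'http://other.example/callback.php';   // a parameter changed after signing
var_dump(oauthVerify($method, $uri, $params, 'VERYSECRETZ', ''));  // signature no longer matches
```

    A real server would also look up the consumer secret by oauth_consumer_key and reject a reused nonce or a stale timestamp before it compares signatures.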

  59. If not…

  60. (image-only slide)

  61. Access Control…

  62. OAuth 2
    Client

  63. Good news!

  64. No signatures

  65. Must use SSL/TLS

  66. Consumer Credentials

  67. Access Token

  68. Grants

  69. Authorization Code Grant

  70. Authorization example -
    Foursquare

  71. http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=code&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

  72. Token Request

  73. http://oauth.dev/examples/Foursquare/callback.php?code=

  74. https://foursquare.com/oauth2/access_token?client_id=&client_secret=>&code=&callback=http://oauth.dev/examples/Foursquare/callback.php&grant_type=authorization_code

  75. If you can use this, you should

  76. Implicit Grant

  77. http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=token&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

  78. Resource Owner Credentials
    Grant

  79. Client Credentials Grant

  80. Scopes

  81. “Scopes” in OAuth 1

  82. Scopes in OAuth 2

  83. (image-only slide)

  84. Important Note on Scopes

  85. Provides an ACL Framework

  86. Refresh Tokens

  87. Same Scope

  88. OAuth 2
    Server

  89. Issuing Tokens

  90. Should I Support All The
    Grants?

  91. Maybe…

  92. Authorization/Implicit Grants

  93. Storing Token Info

  94. Scopes

  95. Reading Tokens

  96. Query String, Header, Both?

  97. A Caution Against Rolling Your
    Own

  98. RFCs
    OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849
    OAuth 2 RFC 6749 - http://tools.ietf.org/html/rfc6749

  99. Questions?

  100. Thank you!
    Matt Frost
    @shrtwhitebldguy
    https://joind.in/10630
