Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Intro to OAuth

Frost
May 23, 2014
Technology
0
220

Intro to OAuth

Introduction to OAuth talk, given at PHP[tek] 2014

Frost

May 23, 2014
Tweet

More Decks by Frost

See All by Frost
Mocking Dependencies in PHPUnit
mfrost503
0
230
Mocking Dependencies in PHPUnit
mfrost503
1
310

Other Decks in Technology

See All in Technology
microCMS AI
microcms
0
580
FaaS における Java 起動時間の比較 (AWS / Azure / GCP) #jjug_ccc #jjug_ccc_d
tacck
2
880
Oracle Exadata Database Service on [email protected] ([email protected]) - UI スクリーン・キャプチャ集
oracle4engineer
PRO
0
430
When to use a Lambda function? And when not?!
jeromevdl
1
110
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
0
150
Impressions of the Ruby Kaigi
suzukahr
1
5.3k
データマイニングと機械学習 - ニューラルネットワーク
trycycle
0
170
エンジニアのキャリアパスはどう描く? まつもとりーさんと考える後悔しないキャリア選択
matsumoto_r
PRO
2
330
GLOBIS データサイエンスチームのご紹介/ GLOBIS Data Science Team is hiring.
globis_gdp
0
1.9k
Large Language Models: From Prototype to Production
inesmontani
PRO
9
3k
AWS Direct Connectと愉快なGWたちのおさらい
minorun365
5
1.1k
What to talk about when you have nothing to talk about
moyheen
0
100

Featured

See All Featured
Building Effective Engineering Teams - LeadDev
addyosmani
5
600
Side Projects
sachag
450
39k
Typedesign – Prime Four
hannesfritz
34
1.6k
Teambox: Starting and Learning
jrom
124
8k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Infographics Made Easy
chrislema
236
17k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
23
1.8k
Building Better People: How to give real-time feedback that sticks.
wjessup
346
18k
Building Flexible Design Systems
yeseniaperezcruz
315
35k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
Adopting Sorbet at Scale
ufuk
66
8k

Transcript

  1. Intro to OAuth
    Matt Frost
    @shrtwhitebldguy
    https://joind.in/10630

    View Slide

  2. Who Am I?
    • Senior Engineer - Synacor
    • Author
    • OSS Contributor
    • Mentoring Proponent
    • Podcast co-host

    View Slide

  3. What is OAuth?

    View Slide

  4. View Slide

  5. Tokens

    View Slide

  6. Statelessness

    View Slide

  7. Applications have tokens too

    View Slide

  8. So what you’re saying is…

    View Slide

  9. Yep!

    View Slide

  10. Tokens can be stolen though

    View Slide

  11. This is bad

    View Slide

  12. Good news though!

    View Slide

  13. There are different versions

    View Slide

  14. Technically OAuth 1 is
    deprecated

    View Slide

  15. Just like the mysql extension
    You’re probably going to run into it at some point anyway….

    View Slide

  16. So here’s the plan

    View Slide

  17. View Slide

  18. OAuth 1.0
    Client

    View Slide

  19. So we need tokens, right?

    View Slide

  20. Token Definitions

    View Slide

  21. Consumer Tokens

    View Slide

  22. Temporary Credentials

    View Slide

  23. Access Tokens

    View Slide

  24. Token Request Flow

    View Slide

  25. Super simple right?
    https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

    View Slide

  26. Let’s break this down, eh?

    View Slide

  27. You need an application

    View Slide

  28. Request the temporary tokens

    View Slide

  29. If you signed it right…

    View Slide

  30. You’ll have temporary
    credentials

    View Slide

  31. You now use these to request
    Access Tokens

    View Slide

  32. If you sign that request right…

    View Slide

  33. You’ll have your actual Access
    Tokens!

    View Slide

  34. You can store them in a session
    or database and use them now!

    View Slide

  35. Remember all that signing talk?

    View Slide

  36. This is the hardest part…

    View Slide

  37. Base String

    View Slide

  38. !
    $params = [!
    'oauth_nonce' => $this->getNonce(),!
    ! 'oauth_callback' => $this->getCallback(),!
    ! 'oauth_signature_method' => $this->getSignatureMethod(),!
    ! 'oauth_timestamp' => time(),!
    ! 'oauth_consumer_key' => $this->getConsumerKey(),!
    ! 'oauth_token' => '',!
    ! 'oauth_version' => '1.0',!
    ];

    View Slide

  39. HTTP Method and URI

    View Slide

  40. Let’s see how this actually works

    View Slide

  41. $httpMethod = 'POST';!
    $uri = ‘http://api.example.com/request_tokens';!
    !
    $params = [!
    'oauth_nonce' => $this->getNonce(),!
    'oauth_callback' => $this->getCallback(),!
    'oauth_signature_method' => $this->getSignatureMethod(),!
    'oauth_timestamp' => time(),!
    ‘oauth_consumer_key' => $this->getConsumerKey(),!
    'oauth_token' => ‘',!
    'oauth_version' => '1.0',!
    ];!
    !
    $tempArray = [];!
    ksort($params);!
    foreach($params as $key => $value) {!
    ! $tempArray = $key . '=' . rawurlencode($value);!
    }!
    !
    $baseString = $httpMethod . '&';!
    $baseString .= rawurlencode($uri) . '&';!
    $baseString .= implode('&', $tempArray);

    View Slide

  42. Composite Key
    This is way easier…

    View Slide

  43. Cram the 2 secrets together…

    View Slide

  44. $consumer_secret = 'VERYSECRETZ';!
    $access_secret = 'SUCHSECURITY';!
    !
    $composite_key =
    rawurlencode($consumer_secret) .'&'.
    rawurlencode($access_secret);

    View Slide

  45. Signing with HMAC-SHA1

    View Slide

  46. $signature = base64_encode(hash_hmac(!
    ! 'sha1',!
    ! $baseString,!
    ! $compositeKey,!
    ! true!
    ));
    Here’s your signature!

    View Slide

  47. There are other signature types
    but…

    View Slide

  48. However…

    View Slide

  49. View Slide

  50. Authorization Header

    View Slide

  51. $params = [!
    'oauth_nonce' => $this->getNonce(),!
    ! 'oauth_callback' => $this->getCallback(),!
    ! 'oauth_signature_method' => $this->getSignatureMethod(),!
    ! 'oauth_timestamp' => time(),!
    ! 'oauth_consumer_key' => $this->getConsumerKey(),!
    ! 'oauth_token' => '',!
    ! 'oauth_version' => '1.0',!
    ];!
    !
    $params[‘oauth_signature’] = $signature;
    You probably remember this array?

    View Slide

  52. $header = “Authorization: OAuth “;!
    $tempArray = [];!
    !
    foreach($params as $key => $value) {!
    $tempArray[] = $key . ‘=“‘. rawurlencode($value);!
    }!
    !
    $header .= implode(‘,’, $tempArray);!
    We’ve seen similar code before…

    View Slide

  53. Authorization: OAuth
    oauth_consumer_key="xxxxxxxxx",
    oauth_nonce="fklj2324kljfksjf234k",
    oauth_signature="8xJAdrE00wGH21w87P
    6N%2F8c0XZfeo%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1399488541",
    oauth_token="xxxxxxxxx",
    oauth_version="1.0"
    This is the final result

    View Slide

  54. Whew! That was some work

    View Slide

  55. OAuth 1.0
    Server

    View Slide

  56. Token Generation

    View Slide

  57. Recreate the signature with the
    info you received

    View Slide

  58. If they match, they win!

    View Slide

  59. If not…

    View Slide

  60. View Slide

  61. Access Control…

    View Slide

  62. OAuth 2
    Client

    View Slide

  63. Good news!

    View Slide

  64. No signatures

    View Slide

  65. Must use SSL/TLS

    View Slide

  66. Consumer Credentials

    View Slide

  67. Access Token

    View Slide

  68. Grants

    View Slide

  69. Authorization Code Grant

    View Slide

  70. Authorization example -
    Foursquare

    View Slide

  71. http://foursquare.com/oauth2/authenticate?
    client_id=XXXXXXXXX&response_type=code&redirect_uri=htt
    p://oauth.dev/examples/Foursquare/callback.php

    View Slide

  72. Token Request

    View Slide

  73. http://oauth.dev/examples/
    Foursquare/callback.php?
    code=

    View Slide

  74. https://foursquare.com/oauth2/access_token?
    client_id=&client_secret=>&code=&callback=http://oauth.dev/examples/
    Foursquare/callback.php&grant_type=authorization_code

    View Slide

  75. If you can use this, you should

    View Slide

  76. Implicit Grant

    View Slide

  77. http://foursquare.com/oauth2/authenticate?
    client_id=XXXXXXXXX&response_type=token&redirect_uri=ht
    tp://oauth.dev/examples/Foursquare/callback.php

    View Slide

  78. Resource Owner Credentials
    Grant

    View Slide

  79. Client Credentials Grant

    View Slide

  80. Scopes

    View Slide

  81. “Scopes” in OAuth 1

    View Slide

  82. Scopes in OAuth 2

    View Slide

  83. View Slide

  84. Important Note on Scopes

    View Slide

  85. Provides an ACL Framework

    View Slide

  86. Refresh Tokens

    View Slide

  87. Same Scope

    View Slide

  88. OAuth 2
    Server

    View Slide

  89. Issuing Tokens

    View Slide

  90. Should I Support All The
    Grants?

    View Slide

  91. Maybe…

    View Slide

  92. Authorization/Implicit Grants

    View Slide

  93. Storing Token Info

    View Slide

  94. Scopes

    View Slide

  95. Reading Tokens

    View Slide

  96. Query String, Header, Both?

    View Slide

  97. A Caution Against Rolling Your
    Own

    View Slide

  98. RFCs
    OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849
    OAuth 2 RFC 6749 - http://tools.ietf.org/html/rfc6749

    View Slide

  99. Questions?

    View Slide

  100. Thank you!
    Matt Frost
    @shrtwhitebldguy
    https://joind.in/10630

    View Slide