Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Intro to OAuth

Frost
May 23, 2014
Technology
0
430

Intro to OAuth

Introduction to OAuth talk, given at PHP[tek] 2014

Frost

May 23, 2014
Tweet

More Decks by Frost

See All by Frost
Mocking Dependencies in PHPUnit
mfrost503
0
320
Mocking Dependencies in PHPUnit
mfrost503
1
380

Other Decks in Technology

See All in Technology
インシデントキーメトリクスによるインシデント対応の改善 / Improving Incident Response using Incident Key Metrics
nari_ex
0
3.5k
パブリッククラウドのプロダクトマネジメントとアーキテクト
tagomoris
4
630
Zenn のウラガワ ~エンジニアのアウトプットを支える環境で Google Cloud が採用されているワケ~ #burikaigi #burikaigi_h
kongmingstrap
16
5k
【Λ(らむだ)】アップデート機能振り返りΛ編 / PADjp20250127
lambda
0
110
AWSエンジニアに捧ぐLangChainの歩き方
tsukuboshi
0
180
ドメイン駆動設計によるdodaダイレクトのリビルド実践 / Rebuild practice of doda direct with domain-driven design
techtekt
0
510
LLM活用の現在とこれから:LayerXにおける事例とともに 2025/1 ver. / layerx-llm-202501
yuya4
3
260
大学教員が押さえておくべき生成 AI の基礎と活用例〜より効率的な教育のために〜
soh9834
1
180
信頼性を支えるテレメトリーパイプラインの構築 / Building Telemetry Pipeline with OpenTelemetry
ymotongpoo
9
4.6k
[SRE kaigi 2025] ガバメントクラウドに向けた開発と変化するSRE組織のあり方 / Development for Government Cloud and the Evolving Role of SRE Teams
kazeburo
4
1.7k
脅威モデリングをやってみた
ledsue
0
100
現実的なCompose化戦略 ~既存リスト画面の置き換え~
sansantech
PRO
0
160

Featured

See All Featured
The Invisible Side of Design
smashingmag
299
50k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
980
Gamification - CAS2011
davidbonilla
80
5.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Into the Great Unknown - MozCon
thekraken
34
1.6k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
RailsConf 2023
tenderlove
29
980
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
How GitHub (no longer) Works
holman
312
140k
Designing for Performance
lara
604
68k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Building a Scalable Design System with Sketch
lauravandoore
460
33k

Transcript

  1. Intro to OAuth Matt Frost @shrtwhitebldguy https://joind.in/10630

  2. Who Am I? • Senior Engineer - Synacor • Author

    • OSS Contributor • Mentoring Proponent • Podcast co-host

  3. What is OAuth?

  4. None

  5. Tokens

  6. Statelessness

  7. Applications have tokens too

  8. So what you’re saying is…

  9. Yep!

  10. Tokens can be stolen though

  11. This is bad

  12. Good news though!

  13. There are different versions

  14. Technically OAuth 1 is deprecated

  15. Just like the mysql extension You’re probably going to run

    into it at some point anyway….

  16. So here’s the plan

  17. None

  18. OAuth 1.0 Client

  19. So we need tokens, right?

  20. Token Definitions

  21. Consumer Tokens

  22. Temporary Credentials

  23. Access Tokens

  24. Token Request Flow

  25. Super simple right? https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

  26. Let’s break this down, eh?

  27. You need an application

  28. Request the temporary tokens

  29. If you signed it right…

  30. You’ll have temporary credentials

  31. You now use these to request Access Tokens

  32. If you sign that request right…

  33. You’ll have your actual Access Tokens!

  34. You can store them in a session or database and

    use them now!

  35. Remember all that signing talk?

  36. This is the hardest part…

  37. Base String

  38. <?php! ! $params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback'

    => $this->getCallback(),! ! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];

  39. HTTP Method and URI

  40. Let’s see how this actually works

  41. <?php! $httpMethod = 'POST';! $uri = ‘http://api.example.com/request_tokens';! ! $params =

    [! 'oauth_nonce' => $this->getNonce(),! 'oauth_callback' => $this->getCallback(),! 'oauth_signature_method' => $this->getSignatureMethod(),! 'oauth_timestamp' => time(),! ‘oauth_consumer_key' => $this->getConsumerKey(),! 'oauth_token' => ‘',! 'oauth_version' => '1.0',! ];! ! $tempArray = [];! ksort($params);! foreach($params as $key => $value) {! ! $tempArray = $key . '=' . rawurlencode($value);! }! ! $baseString = $httpMethod . '&';! $baseString .= rawurlencode($uri) . '&';! $baseString .= implode('&', $tempArray);

  42. Composite Key This is way easier…

  43. Cram the 2 secrets together…

  44. $consumer_secret = 'VERYSECRETZ';! $access_secret = 'SUCHSECURITY';! ! $composite_key = rawurlencode($consumer_secret)

    .'&'. rawurlencode($access_secret);

  45. Signing with HMAC-SHA1

  46. $signature = base64_encode(hash_hmac(! ! 'sha1',! ! $baseString,! ! $compositeKey,! !

    true! )); Here’s your signature!

  47. There are other signature types but…

  48. However…

  49. None

  50. Authorization Header

  51. $params = [! 'oauth_nonce' => $this->getNonce(),! ! 'oauth_callback' => $this->getCallback(),!

    ! 'oauth_signature_method' => $this->getSignatureMethod(),! ! 'oauth_timestamp' => time(),! ! 'oauth_consumer_key' => $this->getConsumerKey(),! ! 'oauth_token' => '',! ! 'oauth_version' => '1.0',! ];! ! $params[‘oauth_signature’] = $signature; You probably remember this array?

  52. $header = “Authorization: OAuth “;! $tempArray = [];! ! foreach($params

    as $key => $value) {! $tempArray[] = $key . ‘=“‘. rawurlencode($value);! }! ! $header .= implode(‘,’, $tempArray);! We’ve seen similar code before…

  53. Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P 6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"

    This is the final result

  54. Whew! That was some work

  55. OAuth 1.0 Server

  56. Token Generation

  57. Recreate the signature with the info you received

  58. If they match, they win!

  59. If not…

  60. None

  61. Access Control…

  62. OAuth 2 Client

  63. Good news!

  64. No signatures

  65. Must use SSL/TLS

  66. Consumer Credentials

  67. Access Token

  68. Grants

  69. Authorization Code Grant

  70. Authorization example - Foursquare

  71. http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=code&redirect_uri=htt p://oauth.dev/examples/Foursquare/callback.php

  72. Token Request

  73. http://oauth.dev/examples/ Foursquare/callback.php? code=<CODE>

  74. https://foursquare.com/oauth2/access_token? client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET >&code=<CODE>&callback=http://oauth.dev/examples/ Foursquare/callback.php&grant_type=authorization_code

  75. If you can use this, you should

  76. Implicit Grant

  77. http://foursquare.com/oauth2/authenticate? client_id=XXXXXXXXX&response_type=token&redirect_uri=ht tp://oauth.dev/examples/Foursquare/callback.php

  78. Resource Owner Credentials Grant

  79. Client Credentials Grant

  80. Scopes

  81. “Scopes” in OAuth 1

  82. Scopes in OAuth 2

  83. None

  84. Important Note on Scopes

  85. Provides an ACL Framework

  86. Refresh Tokens

  87. Same Scope

  88. OAuth 2 Server

  89. Issuing Tokens

  90. Should I Support All The Grants?

  91. Maybe…

  92. Authorization/Implicit Grants

  93. Storing Token Info

  94. Scopes

  95. Reading Tokens

  96. Query String, Header, Both?

  97. A Caution Against Rolling Your Own

  98. RFCs OAuth 1 RFC 5849 - http://tools.ietf.org/html/rfc5849 OAuth 2 RFC

    6749 - http://tools.ietf.org/html/rfc6749

  99. Questions?

  100. Thank you! Matt Frost @shrtwhitebldguy https://joind.in/10630