Slide 1

Slide 1 text

API authorization with OAuth @BastianHofmann

Slide 2

Slide 2 text

http://oauth.net/

Slide 3

Slide 3 text

API

Slide 7

Slide 7 text

"ResearchGate gives science back to the people who make it happen. We help researchers build reputation and accelerate scientific progress. On their terms."

Slide 15

Slide 15 text

Questions? Ask!

Slide 16

Slide 16 text

http://speakerdeck.com/u/bastianhofmann

Slide 17

Slide 17 text

http://oauth.net/

Slide 18

Slide 18 text

http://tools.ietf.org/html/rfc5849

Slide 19

Slide 19 text

lanyrd.com / twitter.com
Pre-registration of the client at Twitter:
- Shared Consumer Key
- Shared Consumer Secret

Slide 20

Slide 20 text

lanyrd.com: HTTP POST "Connect with Twitter"

Slide 21

Slide 21 text

lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Redirect URI, Signature (Consumer Secret)

Slide 22

Slide 22 text

twitter.com -> lanyrd.com: Request Token, Request Token Secret

Slide 23

Slide 23 text

lanyrd.com: HTTP Redirect to http://twitter.com/authorize?requestToken=...

Slide 24

Slide 24 text

HTTP GET twitter.com/authorize

Slide 25

Slide 25 text

Login at twitter.com/authorize

Slide 26

Slide 26 text

Grant permission at twitter.com/authorize; Twitter creates a verifier and binds it to the User and the Request Token

Slide 27

Slide 27 text

twitter.com/authorize: HTTP Redirect to Redirect URI?verifier=...&requestToken=...

Slide 28

Slide 28 text

HTTP GET lanyrd.com (Redirect URI?verifier=...)

Slide 29

Slide 29 text

lanyrd.com -> twitter.com: HTTP GET with Consumer Key, Request Token, Verifier, Signature (Consumer & Request Token Secret)

Slide 30

Slide 30 text

twitter.com -> lanyrd.com: Access Token, Access Token Secret

Slide 31

Slide 31 text

lanyrd.com -> twitter.com: HTTP GET API Request with Consumer Key, Access Token, Signature (Consumer & Access Token Secret)

Slide 32

Slide 32 text

POST /oauth/request_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_consumer_key="abcdef",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="137131200",
    oauth_nonce="gggg",
    oauth_callback="http%3A%2F%2Fexample.com%2Fcallback",
    oauth_signature="..."

Slide 33

Slide 33 text

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

oauth_token=defghi&oauth_token_secret=jklmnop&oauth_callback_confirmed=true

Slide 34

Slide 34 text

HTTP/1.1 302 Found
Location: https://api.twitter.com/oauth/authorization?oauth_token=defghi

Slide 35

Slide 35 text

HTTP/1.1 302 Found
Location: http://example.com/callback?oauth_token=defghi&oauth_verifier=qrstuvw

Slide 36

Slide 36 text

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_consumer_key="abcdef",
    oauth_token="defghi",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="137131201",
    oauth_nonce="hhhhh",
    oauth_verifier="qrstuvw",
    oauth_signature="..."

Slide 37

Slide 37 text

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

oauth_token=xzyabc&oauth_token_secret=defghijk

Slide 38

Slide 38 text

POST /1/statuses/update.json HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_consumer_key="abcdef",
    oauth_token="xzyabc",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="137131203",
    oauth_nonce="iiiiiii",
    oauth_signature="..."

status=New%20Tweet&trim_user=true&include_entities=true

Slide 39

Slide 39 text

Signatures

Slide 40

Slide 40 text

GET /photos/vacation.jpg?oauth_consumer_key=123&oauth_nonce=456&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1191242096&oauth_token=789&oauth_version=1.0 HTTP/1.1
Host: photos.example.net

Slide 41

Slide 41 text

Signature base string for the request above (method, encoded base URL and encoded normalized parameters, joined with "&"):

GET&http%3A%2F%2Fphotos.example.net%2Fphotos%2Fvacation.jpg&oauth_consumer_key%3D123%26oauth_nonce%3D456%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3D789%26oauth_version%3D1.0

Slide 42

Slide 42 text

PLAINTEXT

Slide 43

Slide 43 text

HMAC-SHA1 Key: consumerSecret&tokenSecret (the token secret part is empty while no token has been issued yet)

Slide 44

Slide 44 text

RSA-SHA1 Public/Private Key

Slide 45

Slide 45 text

Problems
- Does not work well with non-web or JavaScript-based clients
- The "Invalid Signature" problem
- Complicated flow, many requests

Slide 46

Slide 46 text

How to fix it?

Slide 47

Slide 47 text

http://oauth.net/

Slide 48

Slide 48 text

31 drafts ...

Slide 49

Slide 49 text

...now final!

Slide 50

Slide 50 text

http://www.rfc-editor.org/rfc/rfc6749.txt

Slide 51

Slide 51 text

http://www.rfc-editor.org/rfc/rfc6750.txt

Slide 52

Slide 52 text

http://tools.ietf.org/html/draft-ietf-oauth-v2
What's new in OAuth2? (Draft 10)
- Different client profiles
- No signatures
- No token secrets
- Cookie-like Bearer Token
- No request tokens
- Much more flexible regarding extensions
- Mandatory TLS/SSL

Slide 53

Slide 53 text

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
"It is the biggest professional disappointment of my career." Eran Hammer

Slide 54

Slide 54 text

http://www.tbray.org/ongoing/When/201x/2012/07/28/Oauth2-dead
"OAuth 2 is useful today." Tim Bray

Slide 55

Slide 55 text

Web-Server Profile

Slide 56

Slide 56 text

lanyrd.com / twitter.com
Pre-registration of the client at Twitter:
- Shared Client ID
- Shared Client Secret
- Redirect URI

Slide 57

Slide 57 text

lanyrd.com: HTTP(S) POST "Connect with Twitter"

Slide 58

Slide 58 text

lanyrd.com: HTTPS Redirect to http://twitter.com/authorize?&clientId=...

Slide 59

Slide 59 text

HTTPS GET twitter.com/authorize

Slide 60

Slide 60 text

Login at twitter.com/authorize

Slide 61

Slide 61 text

Grant permission at twitter.com/authorize; Twitter creates an authorization code and binds it to the User and the Client ID

Slide 62

Slide 62 text

twitter.com/authorize: HTTPS Redirect to Redirect URI?authorizationCode=...

Slide 63

Slide 63 text

HTTPS GET lanyrd.com (Redirect URI?authorizationCode=...)

Slide 64

Slide 64 text

lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Authorization Code, Consumer Secret

Slide 65

Slide 65 text

twitter.com -> lanyrd.com: Access Token (Refresh Token)

Slide 66

Slide 66 text

lanyrd.com -> twitter.com: HTTPS API Request with Access Token

Slide 67

Slide 67 text

lanyrd.com -> twitter.com: HTTPS GET with Consumer Key, Refresh Token, Consumer Secret

Slide 68

Slide 68 text

twitter.com -> lanyrd.com: Access Token, Refresh Token

Slide 69

Slide 69 text

lanyrd.com -> twitter.com: HTTPS API Request with Access Token

Slide 70

Slide 70 text

HTTP/1.1 302 Found
Location: https://api.twitter.com/oauth2/authorize?response_type=code&client_id=abcdefg&state=xyz&scope=write

Slide 71

Slide 71 text

HTTP/1.1 302 Found
Location: https://example.com/callback?code=ghijkl&state=xyz

Slide 72

Slide 72 text

POST /oauth2/token HTTP/1.1
Host: api.twitter.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=authorization_code&code=ghijkl&client_id=12345&client_secret=7890

Slide 73

Slide 73 text

POST /oauth2/token HTTP/1.1
Host: api.twitter.com
Authorization: Basic mnopqrs
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=authorization_code&code=ghijkl

Slide 74

Slide 74 text

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token": "jklmno",
  "expires_in": 3600,
  "refresh_token": "qrstuvq",
  "token_type": "bearer"
}

Slide 75

Slide 75 text

GET /1/statuses/home_timeline HTTP/1.1
Host: api.twitter.com
Authorization: Bearer jklmno

Slide 76

Slide 76 text

Refresh Token

Slide 77

Slide 77 text

POST /oauth2/token HTTP/1.1
Host: api.twitter.com
Authorization: Basic mnopqrs
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=refresh_token&refresh_token=qrstuvq

Slide 78

Slide 78 text

Authorization Types

Slide 79

Slide 79 text

Bearer Tokens

Slide 80

Slide 80 text

http://www.rfc-editor.org/rfc/rfc6750.txt

Slide 81

Slide 81 text

GET /1/statuses/home_timeline HTTP/1.1
Host: api.twitter.com
Authorization: Bearer jklmno

Slide 82

Slide 82 text

SSL not possible?

Slide 83

Slide 83 text

Signatures

Slide 84

Slide 84 text

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac

Slide 85

Slide 85 text

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token": "jklmno",
  "token_type": "mac",
  "expires_in": 3600,
  "refresh_token": "qrstuvq",
  "mac_key": "adijq39jdlaska9asud",
  "mac_algorithm": "hmac-sha-1"
}

Slide 86

Slide 86 text

GET /1/statuses/home_timeline HTTP/1.1
Host: api.twitter.com
Authorization: MAC id="jklmno",
    nonce="274312:dj83hs",
    mac="....."

Slide 87

Slide 87 text

Normalized request string that the MAC is computed over, one item per line:
timestamp\n
nonce\n
HTTP_METHOD\n
HTTP Request URI\n
Hostname\n
Port\n
(Authorization extension)

Slide 88

Slide 88 text

And JavaScript?

Slide 89

Slide 89 text

User-Agent Profile

Slide 90

Slide 90 text

lanyrd.com: open popup with http://twitter.com/authorize?&clientId=...

Slide 91

Slide 91 text

lanyrd.com: open popup with http://twitter.com/authorize?&clientId=...
Popup: HTTPS GET twitter.com/authorize

Slide 92

Slide 92 text

lanyrd.com: open popup with http://twitter.com/authorize?&clientId=...
Popup: Login at twitter.com/authorize

Slide 93

Slide 93 text

lanyrd.com: open popup with http://twitter.com/authorize?&clientId=...
Popup: Grant permission at twitter.com/authorize

Slide 94

Slide 94 text

twitter.com/authorize: HTTPS Redirect to RedirectURI#accessToken
Popup is now at RedirectURI#accessToken on lanyrd.com

Slide 95

Slide 95 text

Popup at RedirectURI#accessToken on lanyrd.com:
- Parse the access token from the fragment
- Send it to the opening window
- Close the popup

Slide 96

Slide 96 text

Same Origin Policy

Slide 97

Slide 97 text

lanyrd.com -> twitter.com: HTTPS Ajax request to the API with Access Token

Slide 98

Slide 98 text

Same Origin Policy

Slide 100

Slide 100 text

JSONP

Slide 101

Slide 101 text

Cross Origin Request Sharing (CORS)

Slide 102

Slide 102 text

Client lanyrd.com -> AJAX -> Backend api.twitter.com
Backend answers with the header Access-Control-Allow-Origin: *
http://www.w3.org/TR/cors/

Slide 103

Slide 103 text

GET /oauth2/authorize?response_type=token&client_id=abcdefg&state=xyz&scope=write HTTP/1.1
Host: api.twitter.com

Slide 104

Slide 104 text

HTTP/1.1 302 Found
Location: http://example.com/callback#access_token=gahorha&state=xyz&expires_in=3600&token_type=bearer

Slide 105

Slide 105 text

var fragmentString = location.hash.substr(1);   // drop the leading '#'
var fragment = {};
var fragmentItemStrings = fragmentString.split('&');
for (var i = 0; i < fragmentItemStrings.length; i++) {
    var fragmentItem = fragmentItemStrings[i].split('=');
    if (fragmentItem.length !== 2) {
        continue;
    }
    // names and values in the fragment are percent-encoded, so decode them
    fragment[decodeURIComponent(fragmentItem[0])] = decodeURIComponent(fragmentItem[1]);
}
opener.setAccessToken(fragment['access_token']);   // hand the token to the opening window
window.close();

Slide 106

Slide 106 text

State
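As an added example (not code from the talk), this is the popup-side fragment handling from the previous slides with the state check the "State" slide refers to: the state value sent in the authorize request (state=xyz above) has to come back unchanged in the fragment before the access token is accepted. The parser and check are pure functions so they run outside a browser; handleCallbackFragment, deliverToOpener and the stored-state argument are assumptions for this example.

```javascript
// Parser as a pure function so it can run (and be checked) outside a browser.
function parseFragment(hash) {
  const fragment = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const item of body.split('&')) {
    const eq = item.indexOf('=');
    if (eq < 1) continue;                       // no '=' or empty name
    let name, value;
    try {
      name = decodeURIComponent(item.slice(0, eq));
      value = decodeURIComponent(item.slice(eq + 1));
    } catch (e) {
      continue;                                 // malformed percent-encoding
    }
    if (!Object.prototype.hasOwnProperty.call(fragment, name)) {
      fragment[name] = value;                   // first occurrence wins
    }
  }
  return fragment;
}

// The state the client generated before opening the popup must come back
// unchanged (RFC 6749 section 10.12). A mismatch means this fragment was not
// produced by the client's own authorize request, so the token is discarded.
function handleCallbackFragment(hash, expectedState) {
  const f = parseFragment(hash);
  if (f.error) return { ok: false, reason: 'provider error: ' + f.error };
  if (!expectedState || f.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (!f.access_token || String(f.token_type).toLowerCase() !== 'bearer') {
    return { ok: false, reason: 'no bearer access token' };
  }
  return { ok: true, accessToken: f.access_token, expiresIn: Number(f.expires_in) || 0 };
}

// Browser glue (not executed in this file): runs in the popup once the redirect
// to RedirectURI#access_token=... has landed; expectedState is what the opener
// stored before starting the flow (assumed storage, not shown here).
function deliverToOpener(win, expectedState) {
  const result = handleCallbackFragment(win.location.hash, expectedState);
  if (result.ok) win.opener.setAccessToken(result.accessToken, result.expiresIn);
  win.close();                                  // close either way; never leave the token in a stale popup
}
```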

Slide 107

Slide 107 text

Scopes
- Optional parameter for provider-specific implementations
- Additional return values
- Access control

Slide 108

Slide 108 text

http://openidconnect.com/
Scope: "openid"
With the access token additional values are returned:
- UserID: URL to Portable Contacts endpoint
- Timestamp
- Signature

Slide 109

Slide 109 text

Mobile/Desktop

Slide 110

Slide 110 text

http://twitter.com/BastianHofmann
https://profiles.google.com/bashofmann
http://lanyrd.com/people/BastianHofmann/
http://speakerdeck.com/u/bastianhofmann
[email protected]
Did you like this talk? https://joind.in/7360