oAuth

Presented on NodeJS-Dilli meetup

Ravi Suhag

July 25, 2015
Transcript

  1. OAuth: The OAuth authorization framework enables a third-party application to obtain limited access to an HTTP service on the user's behalf, without the user handing that application their password.
  2. OAuth Flow
     Roles:
     • Consumer (client)
     • Service provider (server)
     • User (resource owner)
     Flow:
     • 2-Legged
     • 3-Legged
     • n-Legged
  3. OAuth Terminology (RFC 5849 names in parentheses)
     • consumer key (client credential identifier)
     • consumer secret (client credential shared secret)
     • request token (temporary credential identifier)
     • request secret (temporary credential shared secret)
     • access token (token credential identifier; it is long-lived, not temporary)
     • access secret (token credential shared secret)
  4. OAuth 1.0 - RFC 5849
     Specification structure:
     • Introduction
     • Redirection-Based Authorization
     • Authenticated Requests
     • Security Considerations
  5. OAuth 1.0 - Security framework
     • Beyond HTTP Basic auth: the client never sends the user's password with each request.
     • Designed to be usable over insecure transport, mainly plain HTTP: per-request signatures, not TLS, provide integrity and client authentication.
     • MITM: a man-in-the-middle can read an unencrypted request but cannot alter the signed parts or forge a request without the secrets; anything outside the signature (e.g. headers, non-form bodies) is still exposed, so HTTPS is still recommended.
     • Decoupling of username and password from the access token: the token can be revoked without changing the password.
     • HMAC-SHA1 and RSA-SHA1 signature methods (the spec also defines PLAINTEXT, which is only safe over TLS).
     • Two channels: a front-channel used to engage the resource owner and request authorization, and a back-channel used by the client to interact directly with the server.
  6. OAuth 1.0 - Signature and Hash
     • Digital signatures over each request (method, base URI, normalized parameters)
     • HMAC-SHA1: hash algorithm + shared secret (consumer secret and token secret); RSA-SHA1: the client's private key instead of a shared secret
     • Timestamp and nonce so that a request captured by network sniffing cannot be replayed
     oAuth playground : http://nouncer.com/oauth/authentication.html