Introduction to OAuth 1.0a

Introduction to OAuth 1.0a

A briefly explanation of OAuth 1.0a

842515eaf8fbb2dfcc75197e7797dc15?s=128

Satoru Takeuchi

October 12, 2017
Tweet

Transcript

  1. 2.

    Introduction • This document intends to be used for preparation

    for reading the specification of OAuth 1.0a [1] ◦ OAuth 1.0a is *very complex* (at least for me) and hard to understand ◦ Although there is simpler OAuth2.0, OAuth1.0a still be used by many web services • Omit some of features for simplicity ◦ e.g. Out-of-bound authentication • Please let me know if you have any comments
  2. 4.

    What is it • The authorization way that a web

    service (Provider) permits third-party services (Consumers) to use its functions on behalf of its users (Users) • Basic terms Name Meaning Typical example Provider An arbitrary web service Famous SNS services like Facebook and Twitter Consumer A service requires Provider’s function to implement its function Facebook clients and Twitter clients User User of both Provider and Consumer You
  3. 5.

    Advantages • Can reduce security risks compare with password authentication

    ◦ Don’t need to give Consumer unnecessary information and authorization password authentication OAuth The information which User gives Consumers User ID and password The tokens only used for using the subset of Provider’s function Authorized Provider’s functions All functions The subset of Provider’s functions that Consumer requests and user permits
  4. 6.

    Processing flow • Describe the processing flow as the following

    order a. Overview of all processes b. When each process is used c. The summary of each process ▪ Sequence diagram ▪ The explanation for each sequence
  5. 7.

    Processing flow: overview User Consumer Provider 1) Register itself as

    Consumer 2) Authorize Consumer 3) Authenticate “Authorized” Consumer 4) Use Provider’s functions 5) Rescind Customer’s Authorization 6) Unregister itself
  6. 8.

    When each process is used User Consumer Provider 1) Register

    itself as Consumer 2) Authorize Consumer 3) Authenticate “Authorized” Consumer 4) Use Provider’s functions 5) Rescind Customer’s Authorization 6) Unregister itself Used once per starting service of a Consumer Used once per stopping service of a Consumer
  7. 9.

    When each process is used User Consumer Provider 1) Register

    itself as Consumer 2) Authorize Consumer 3) Authenticate “Authorized” Consumer 4) Use Provider’s functions 5) Rescind Customer’s Authorization 6) Unregister itself Used once per a User starts to use a Consumer Used once per a User stops using a Consumer
  8. 10.

    When each process is used User Consumer Provider 1) Register

    itself as Consumer 2) Authorize Consumer 3) Authenticate “Authorized” Consumer 4) Use Provider’s functions 5) Rescind Customer’s Authorization 6) Unregister itself Used once per a User starts to use a Consumer, or previous authentication timed out
  9. 11.

    When each process is used User Consumer Provider 1) Register

    itself as Consumer 2) Authorize Consumer 3) Authenticate “Authorized” Consumer 4) Use Provider’s functions 5) Rescind Customer’s Authorization 6) Unregister itself Used once per a Consumer uses a Provider’s function
  10. 12.

    The summary of each process • Describe the following processes

    a. Register a service as Consumer b. Authorize Consumer c. Authenticate “Authorized” Consumer d. Use Provider’s function • Don’t describe other processes a. How these processes are done depend on each Provider very much
  11. 13.

    Register a service as Consumer Consumer Provider 1) Visit Registration

    URI 2) List of functions exported to Consumers 3) Declare functions to use on behalf of Users 4) The information for authenticating Consumer
  12. 14.

    Register a service as Consumer 1. Consumer: Visit Provider’s registration

    URI 2. Consumer: Give the list of function exported to Consumers 3. Consumer: Declare what kind of functions will it use, from the list of functions which Provider offers 4. Provider: Give Consumer the following tokens ◦ consumer_key: Used for identifying Consumer ◦ consumer_secret: Used for authenticating Consumer
  13. 15.

    Prepare to authorize Consumer Consumer Provider 1) Make and sign

    a request 2) Send the signed request 3) Authenticate Consumer 4) Give the information needed by authorization request
  14. 16.

    Prepare to authorize Consumer 1. Consumer: Make a request from

    the following information ◦ consumer_key ◦ etc 2. Consumer: Sign the request with consumer_secret 3. Consumer: Send the request to Provider’s request token URI ◦ How to get this URI depends on each Provider 4. Provider: Authenticate Consumer 5. Provider: Give the following information to Consumer ◦ request token: Used for identifying the authorizing request ◦ request token secret: Used for the authorizing request
  15. 17.

    Authorize Consumer User Consumer Provider 4) Give ID/password 1) Redirect

    to Provider’s authorization URI with callback URI 5) Ask for authorizing Consumer to use the list of functions 2) Redirected 3) Request ID/password 6) Answer “Yes” 7) Redirect to callback URI with information for identifying “Authorized” Consumer 8) Redirected
  16. 18.

    Authorize Consumer 1. Consumer: Make a request with the following

    information ◦ request key ◦ Callback: URI to which should be redirected after authorization ◦ etc 2. Consumer: Sign the request with request token secret 3. Consumer: Redirect User to Provider’s authorization URI ◦ How to get this URI depends on each Provider 4. Provider: Authenticate User, typically with ID and password 5. Provider: Ask for User whether authorize Consumer to use a subset of Provider’s functions on behalf of User 6. Provider: Give Consumer the following token ◦ oauth_verifier: Used for identifying authorized Consumer 7. Provider: Redirect User to callback URI
  17. 19.

    Authenticate “Authorized” Consumer Consumer Provider 1) Make and sign a

    request 2) Send the signed request 3) Authenticate Consumer 4) Give the information needed by using Provider’s functions
  18. 20.

    Authenticate “authorized” Consumer 1. Consumer: Make a request from the

    following information ◦ consumer_key ◦ request token ◦ oauth_verifier ◦ etc 2. Consumer: Sign the request with the key constructed from consumer_secret and request token secret 3. Consumer: Send the request to Provider’s access Token URI ◦ How to get this URI depends on each Provider 4. Provider: Authenticate Consumer 5. Provider: Give Consumer the following tokens ◦ access token: Used for identifying authorized Consumer ◦ access token secret: Used for authenticating “authorized” Consumer
  19. 21.

    Use Provider’s functions User Consumer Provider 2) Make and sign

    a request 1) Use Consumer’s function 3) Send the signed request to Provider’s API URI 4) Authenticate Consumer 5) Execute a requested function 6) Return the result 7) Return the result
  20. 22.

    Use Provider’s functions 1. User: Use Consumer’s function requires Provider’s

    function 2. Consumer: Make a request from the following information ◦ API’s parameters ◦ access token ◦ etc 3. Consumer: Sign the request with the key constructed from consumer_secret and access token secret 4. Consumer: Send the request to Provider’s API URI 5. Provider: Authenticate Consumer 6. Provider: Execute a requested function 7. Provider: Give the result of the API call to Consumer 8. Consumer: Achieve its function with the result
  21. 23.

    References • [1] OAuth Core 1.0 Revision A ◦ http://oauth.net/core/1.0a

    • [2] Zero to Hero ~ The Linkedin OAuth Dance by Taylor Singletary ◦ http://www.slideshare.net/episod/linkedin-oauth-zero-to-hero • [3] OAuth Ruby example ◦ http://wiki.openstreetmap.org/wiki/OAuth_ruby_examples