Introduction to OAuth 1.0a

A brief explanation of OAuth 1.0a

Satoru Takeuchi

October 12, 2017

Transcript

  1. Introduction to OAuth 1.0a ver 0.3 Satoru Takeuchi <satoru.takeuchi@gmail.com>

  2. Introduction
     • This document is intended as preparation for reading the specification of OAuth 1.0a [1]
       ◦ OAuth 1.0a is *very complex* (at least for me) and hard to understand
       ◦ Although there is the simpler OAuth 2.0, OAuth 1.0a is still used by many web services
     • Some features are omitted for simplicity
       ◦ e.g. out-of-band authentication
     • Please let me know if you have any comments
  3. Agenda
     • What is it
     • Advantages
     • Processing flow

  4. What is it
     • A way of authorization in which a web service (Provider) permits third-party services (Consumers) to use its functions on behalf of its users (Users)
     • Basic terms

       Name     | Meaning                                                             | Typical example
       Provider | An arbitrary web service                                            | Famous SNS services like Facebook and Twitter
       Consumer | A service that requires Provider’s functions to implement its own  | Facebook clients and Twitter clients
       User     | User of both Provider and Consumer                                  | You
  5. Advantages
     • Can reduce security risks compared with password authentication
       ◦ No need to give Consumer unnecessary information and authorization

                                                  | Password authentication | OAuth
       The information which User gives Consumers | User ID and password    | Tokens that are only used for using the subset of Provider’s functions
       Authorized Provider’s functions            | All functions           | The subset of Provider’s functions that Consumer requests and User permits
  6. Processing flow
     • The processing flow is described in the following order
       a. Overview of all processes
       b. When each process is used
       c. The summary of each process
          ▪ Sequence diagram
          ▪ The explanation for each sequence
  7. Processing flow: overview
     [Diagram: User, Consumer, Provider]
     1) Register itself as Consumer
     2) Authorize Consumer
     3) Authenticate “Authorized” Consumer
     4) Use Provider’s functions
     5) Rescind Consumer’s Authorization
     6) Unregister itself
  8. When each process is used
     [Diagram: the overview of slide 7 with processes 1) and 6) annotated]
     • 1) Register itself as Consumer: used once each time a Consumer starts its service
     • 6) Unregister itself: used once each time a Consumer stops its service
  9. When each process is used
     [Diagram: the overview of slide 7 with processes 2) and 5) annotated]
     • 2) Authorize Consumer: used once each time a User starts to use a Consumer
     • 5) Rescind Consumer’s Authorization: used once each time a User stops using a Consumer
  10. When each process is used
     [Diagram: the overview of slide 7 with process 3) annotated]
     • 3) Authenticate “Authorized” Consumer: used once each time a User starts to use a Consumer, or when the previous authentication has timed out
  11. When each process is used
     [Diagram: the overview of slide 7 with process 4) annotated]
     • 4) Use Provider’s functions: used once each time a Consumer uses a Provider’s function
  12. The summary of each process
     • The following processes are described
       a. Register a service as Consumer
       b. Authorize Consumer
       c. Authenticate “Authorized” Consumer
       d. Use Provider’s function
     • The other processes are not described
       a. How these processes are done depends very much on each Provider
  13. Register a service as Consumer
     [Sequence diagram: Consumer, Provider]
     1) Visit Registration URI
     2) List of functions exported to Consumers
     3) Declare functions to use on behalf of Users
     4) The information for authenticating Consumer
  14. Register a service as Consumer
     1. Consumer: Visit Provider’s registration URI
     2. Consumer: Give the list of functions exported to Consumers
     3. Consumer: Declare which functions it will use, from the list of functions which Provider offers
     4. Provider: Give Consumer the following tokens
        ◦ consumer_key: Used for identifying Consumer
        ◦ consumer_secret: Used for authenticating Consumer
  15. Prepare to authorize Consumer
     [Sequence diagram: Consumer, Provider]
     1) Make and sign a request
     2) Send the signed request
     3) Authenticate Consumer
     4) Give the information needed for the authorization request
  16. Prepare to authorize Consumer
     1. Consumer: Make a request from the following information
        ◦ consumer_key
        ◦ etc
     2. Consumer: Sign the request with consumer_secret
     3. Consumer: Send the request to Provider’s request token URI
        ◦ How to get this URI depends on each Provider
     4. Provider: Authenticate Consumer
     5. Provider: Give the following information to Consumer
        ◦ request token: Used for identifying the authorizing request
        ◦ request token secret: Used for the authorizing request
  17. Authorize Consumer
     [Sequence diagram: User, Consumer, Provider]
     1) Redirect to Provider’s authorization URI with callback URI
     2) Redirected
     3) Request ID/password
     4) Give ID/password
     5) Ask for authorizing Consumer to use the list of functions
     6) Answer “Yes”
     7) Redirect to callback URI with information for identifying “Authorized” Consumer
     8) Redirected
  18. Authorize Consumer
     1. Consumer: Make a request with the following information
        ◦ request key
        ◦ Callback: URI to which User should be redirected after authorization
        ◦ etc
     2. Consumer: Sign the request with request token secret
     3. Consumer: Redirect User to Provider’s authorization URI
        ◦ How to get this URI depends on each Provider
     4. Provider: Authenticate User, typically with ID and password
     5. Provider: Ask User whether to authorize Consumer to use a subset of Provider’s functions on behalf of User
     6. Provider: Give Consumer the following token
        ◦ oauth_verifier: Used for identifying authorized Consumer
     7. Provider: Redirect User to callback URI
  19. Authenticate “Authorized” Consumer
     [Sequence diagram: Consumer, Provider]
     1) Make and sign a request
     2) Send the signed request
     3) Authenticate Consumer
     4) Give the information needed for using Provider’s functions
  20. Authenticate “authorized” Consumer
     1. Consumer: Make a request from the following information
        ◦ consumer_key
        ◦ request token
        ◦ oauth_verifier
        ◦ etc
     2. Consumer: Sign the request with the key constructed from consumer_secret and request token secret
     3. Consumer: Send the request to Provider’s access token URI
        ◦ How to get this URI depends on each Provider
     4. Provider: Authenticate Consumer
     5. Provider: Give Consumer the following tokens
        ◦ access token: Used for identifying authorized Consumer
        ◦ access token secret: Used for authenticating “authorized” Consumer
  21. Use Provider’s functions
     [Sequence diagram: User, Consumer, Provider]
     1) Use Consumer’s function
     2) Make and sign a request
     3) Send the signed request to Provider’s API URI
     4) Authenticate Consumer
     5) Execute a requested function
     6) Return the result
     7) Return the result
  22. Use Provider’s functions
     1. User: Use a Consumer function that requires a Provider function
     2. Consumer: Make a request from the following information
        ◦ API’s parameters
        ◦ access token
        ◦ etc
     3. Consumer: Sign the request with the key constructed from consumer_secret and access token secret
     4. Consumer: Send the request to Provider’s API URI
     5. Provider: Authenticate Consumer
     6. Provider: Execute the requested function
     7. Provider: Give the result of the API call to Consumer
     8. Consumer: Achieve its function with the result
  23. References
     • [1] OAuth Core 1.0 Revision A
       ◦ http://oauth.net/core/1.0a
     • [2] Zero to Hero ~ The Linkedin OAuth Dance by Taylor Singletary
       ◦ http://www.slideshare.net/episod/linkedin-oauth-zero-to-hero
     • [3] OAuth Ruby example
       ◦ http://wiki.openstreetmap.org/wiki/OAuth_ruby_examples
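
The "sign the request" steps on slides 16, 20 and 22 can be made concrete with the HMAC-SHA1 signature method defined in [1]. The following is an added example, not code from the slides; the function names are this example's own, and the sample values are the protected-resource example from the appendix of the OAuth Core specification.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode the OAuth way: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")


def signing_key(consumer_secret, token_secret=""):
    """consumer_secret & token_secret; token_secret is empty on slide 16,
    the request token secret on slide 20, the access token secret on slide 22."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def signature_base_string(method, base_uri, params):
    """METHOD & encoded URI & encoded, sorted parameters (signature excluded)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, base_uri, params, consumer_secret, token_secret=""):
    """Consumer side: HMAC-SHA1 over the base string, base64-encoded."""
    key = signing_key(consumer_secret, token_secret).encode()
    text = signature_base_string(method, base_uri, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def provider_verify(method, base_uri, params, consumer_secret, token_secret=""):
    """Provider side ("Authenticate Consumer"): recompute, compare in constant time."""
    expected = sign(method, base_uri, params, consumer_secret, token_secret)
    supplied = params.get("oauth_signature", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())


# Sample API call (slide 22), values from the specification's appendix example.
URI = "http://photos.example.net/photos"
API_CALL = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
    "file": "vacation.jpg", "size": "original",
}
SIGNED = dict(API_CALL, oauth_signature=sign(
    "GET", URI, API_CALL, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
```

Because neither secret is ever transmitted, a Provider that recomputes the signature authenticates the Consumer and detects any change to the method, URI or parameters in transit.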