for reading the specification of OAuth 1.0a [1]
◦ OAuth 1.0a is *very complex* (at least for me) and hard to understand
◦ Although the simpler OAuth 2.0 exists, OAuth 1.0a is still used by many web services
• Some features are omitted for simplicity
◦ e.g. out-of-band authorization (the "oob" callback, where the User copies the verifier by hand instead of being redirected)
• Please let me know if you have any comments
service (Provider) permits third-party services (Consumers) to use its functions on behalf of its users (Users)
• Basic terms (name: meaning; typical example)
◦ Provider: an arbitrary web service; famous SNS services like Facebook and Twitter
◦ Consumer: a service that needs the Provider's functions to implement its own function; Facebook clients and Twitter clients
◦ User: a user of both the Provider and the Consumer; you
◦ The User doesn't need to give the Consumer unnecessary information or authorization
• Password authentication vs. OAuth
◦ Information the User gives the Consumer: password authentication: user ID and password / OAuth: tokens usable only for a subset of the Provider's functions
◦ Authorized Provider's functions: password authentication: all functions / OAuth: the subset of the Provider's functions that the Consumer requests and the User permits
1) Register itself as Consumer 2) Authorize Consumer 3) Authenticate "Authorized" Consumer 4) Use Provider's functions 5) Rescind Consumer's authorization 6) Unregister itself
• How often each process happens
◦ 1) and 6): once when the Consumer's service starts and once when it stops
◦ 2) and 5): once when a User starts to use a Consumer and once when the User stops
◦ 3): once when a User starts to use a Consumer, and again whenever the previous authentication has timed out
◦ 4): once per Consumer's use of a Provider's function
a. Register a service as Consumer
b. Authorize Consumer
c. Authenticate "Authorized" Consumer
d. Use Provider's function
• The other processes are not described
◦ How they are done depends heavily on each Provider
URI
2. Provider: Give the list of functions exported to Consumers
3. Consumer: Declare which functions it will use, from the list of functions the Provider offers
4. Provider: Give Consumer the following credentials
◦ consumer_key: used for identifying the Consumer
◦ consumer_secret: used for authenticating the Consumer; it is part of the signing key of every later request, so it must be kept secret
the following information
◦ consumer_key
◦ oauth_callback: the URI to which the User will be redirected after authorization (in OAuth 1.0a it is sent at this step, not at the authorization step)
◦ etc
2. Consumer: Sign the request with consumer_secret (the token-secret half of the signing key is empty at this step)
3. Consumer: Send the request to Provider's request token URI
◦ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer
5. Provider: Give the following information to Consumer
◦ request token: used for identifying the authorization request
◦ request token secret: used for authenticating the authorization request
◦ oauth_callback_confirmed=true: tells the Consumer that the Provider implements 1.0a
1) Consumer: Redirect User to Provider's authorization URI with the request token
2) User: Redirected
3) Provider: Request ID/password
4) User: Send ID/password
5) Provider: Ask for authorizing Consumer to use the list of functions
6) User: Answer "Yes"
7) Provider: Redirect to callback URI with information for identifying the "Authorized" Consumer
8) User: Redirected
information
◦ request token (oauth_token)
◦ etc
2. Consumer: Redirect User to Provider's authorization URI, with the request token as a query parameter
◦ How to get this URI depends on each Provider
◦ This redirect is not signed, and the callback URI is not passed here: in 1.0a it was already given in the request token request (OAuth 1.0 passed it here, which is what 1.0a changed)
3. Provider: Authenticate User, typically with ID and password
4. Provider: Ask User whether to authorize Consumer to use a subset of Provider's functions on behalf of User
5. Provider: Give Consumer the following token, via the User's browser
◦ oauth_verifier: proves to the Provider, in the next step, that the Consumer completing the flow is the one whose request token the User just authorized (added in 1.0a)
6. Provider: Redirect User to the callback URI, appending oauth_token and oauth_verifier
following information
◦ consumer_key
◦ request token
◦ oauth_verifier
◦ etc
2. Consumer: Sign the request with the key constructed from consumer_secret and request token secret
3. Consumer: Send the request to Provider's access token URI
◦ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer, and check that oauth_verifier is the one issued for this request token
5. Provider: Give Consumer the following tokens
◦ access token: used for identifying the authorized Consumer
◦ access token secret: used for authenticating the "authorized" Consumer
1) User: Use Consumer's function
2) Consumer: Make and sign a request
3) Consumer: Send the signed request to Provider's API URI
4) Provider: Authenticate Consumer
5) Provider: Execute the requested function
6) Provider: Return the result
7) Consumer: Return the result to User
function
2. Consumer: Make a request from the following information
◦ API's parameters
◦ access token
◦ etc
3. Consumer: Sign the request with the key constructed from consumer_secret and access token secret
4. Consumer: Send the request to Provider's API URI
5. Provider: Authenticate Consumer
6. Provider: Execute the requested function
7. Provider: Give the result of the API call to Consumer
8. Consumer: Complete its own function with the result
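Added example, not from these slides or from the Ruby examples in [3]: a small Ruby implementation of the signing step that the request token, access token and API call processes share, plus the Provider's "Authenticate Consumer" step. It shows the RFC 3986 percent-encoding, the signature base string, the signing key (consumer_secret & token secret, with the token secret empty at the request-token step) and HMAC-SHA1. The sample credentials and the photos request are the Appendix A example from the specification [1]; the oauth_nonce/oauth_timestamp parameters and the Provider-side replay and clock-skew checks come from the spec rather than from the slides, and the in-memory credential stores, the `Provider` class and the 300-second window are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

# RFC 3986 unreserved characters; every other byte is percent-encoded with
# uppercase hex, which is the encoding OAuth 1.0a mandates everywhere.
UNRESERVED = (('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a + %w[- . _ ~]).map(&:ord)

def oauth_escape(s)
  s.to_s.bytes.map { |b| UNRESERVED.include?(b) ? b.chr : format('%%%02X', b) }.join
end

# Signature base string: METHOD & escape(base URL) & escape(normalized params).
# params = query/body parameters plus every oauth_* parameter except oauth_signature;
# each key and value is escaped, then the pairs are sorted by key, then by value.
def signature_base_string(method, base_url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.to_s.upcase, oauth_escape(base_url), oauth_escape(normalized)].join('&')
end

# Signing key = escape(consumer_secret) & escape(token_secret). token_secret is ''
# for the request-token step, the request token secret for the access-token step,
# and the access token secret for every API call.
def signing_key(consumer_secret, token_secret = '')
  "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
end

def hmac_sha1_signature(base_string, key)
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, base_string)].pack('m0')
end

# Consumer side: returns the oauth_* parameters (signature included) that go into
# the Authorization header; the caller still percent-encodes them when serializing.
def sign_request(method, url, params, consumer_key, consumer_secret,
                 token: nil, token_secret: '',
                 nonce: SecureRandom.hex(16), timestamp: Time.now.to_i)
  oauth = { 'oauth_consumer_key' => consumer_key, 'oauth_nonce' => nonce,
            'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
            'oauth_version' => '1.0' }
  oauth['oauth_token'] = token if token
  base = signature_base_string(method, url, params.merge(oauth))
  oauth.merge('oauth_signature' => hmac_sha1_signature(base, signing_key(consumer_secret, token_secret)))
end

# Constant-time comparison so a wrong signature takes as long to reject as a near-miss.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side (assumed structure): the maps hold what the Provider stored when it
# issued the credentials. A real Provider persists nonces for as long as the window.
class Provider
  def initialize(consumer_secrets, token_secrets, window: 300)
    @consumer_secrets, @token_secrets, @window = consumer_secrets, token_secrets, window
    @seen_nonces = {} # [consumer_key, timestamp, nonce] => true
  end

  # params = decoded query/body parameters merged with the decoded oauth_* header parameters
  def verify(method, url, params, now: Time.now.to_i)
    consumer_secret = @consumer_secrets[params['oauth_consumer_key']]
    return [false, 'unknown consumer'] unless consumer_secret
    token_secret = ''
    if params.key?('oauth_token')
      token_secret = @token_secrets[params['oauth_token']]
      return [false, 'unknown token'] unless token_secret
    end
    return [false, 'unsupported signature method'] unless params['oauth_signature_method'] == 'HMAC-SHA1'
    return [false, 'stale timestamp'] if (now - params['oauth_timestamp'].to_i).abs > @window
    nonce_key = params.values_at('oauth_consumer_key', 'oauth_timestamp', 'oauth_nonce')
    return [false, 'replayed nonce'] if @seen_nonces.key?(nonce_key)
    signed = params.reject { |k, _| k == 'oauth_signature' }
    expected = hmac_sha1_signature(signature_base_string(method, url, signed),
                                   signing_key(consumer_secret, token_secret))
    return [false, 'bad signature'] unless secure_compare(expected, params['oauth_signature'].to_s)
    @seen_nonces[nonce_key] = true # recorded only after the signature checked out
    [true, 'ok']
  end
end

# Sample credentials: the Appendix A example of the OAuth 1.0a specification [1].
CONSUMER_KEY    = 'dpf43f3p2l4k3l03'
CONSUMER_SECRET = 'kd94hf93k423kf44'
ACCESS_TOKEN    = 'nnch734d00sl2jdk'
ACCESS_SECRET   = 'pfkkdhi9sl3r4s00'
PHOTOS_URL      = 'http://photos.example.net/photos'

def demo_provider
  Provider.new({ CONSUMER_KEY => CONSUMER_SECRET }, { ACCESS_TOKEN => ACCESS_SECRET })
end

if __FILE__ == $PROGRAM_NAME
  query = { 'file' => 'vacation.jpg', 'size' => 'original' }
  oauth = sign_request('GET', PHOTOS_URL, query, CONSUMER_KEY, CONSUMER_SECRET,
                       token: ACCESS_TOKEN, token_secret: ACCESS_SECRET,
                       nonce: 'kllo9940pd9333jh', timestamp: 1191242096)
  provider = demo_provider
  p provider.verify('GET', PHOTOS_URL, query.merge(oauth), now: 1191242096)
  p provider.verify('GET', PHOTOS_URL, query.merge(oauth), now: 1191242096) # same nonce again
end
```

The Provider does the cheap checks (known consumer, known token, timestamp window, nonce) before the HMAC, but records the nonce only once the signature is valid, so an attacker who guesses nonces cannot lock a legitimate Consumer out. For the request-token step the same `verify` applies with no oauth_token in the parameters, which makes the token-secret half of the key empty, exactly as the Consumer signed it.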
• [2] Zero to Hero ~ The Linkedin OAuth Dance by Taylor Singletary ◦ http://www.slideshare.net/episod/linkedin-oauth-zero-to-hero • [3] OAuth Ruby example ◦ http://wiki.openstreetmap.org/wiki/OAuth_ruby_examples