Upgrade to Pro — share decks privately, control downloads, hide ads and more …

API authorization with OAuth

Bastian Hofmann
October 17, 2012
Programming
5
880

API authorization with OAuth

Bastian Hofmann

October 17, 2012
Tweet

More Decks by Bastian Hofmann

See All by Bastian Hofmann
Monitoring in Kubernetes with Prometheus and Grafana
bastianhofmann
0
290
Creating a fast Kubernetes Development Workflow
bastianhofmann
0
86
Highly available cross-region deployments with Kubernetes
bastianhofmann
1
130
From source to Kubernetes in 30 minutes
bastianhofmann
0
130
Introduction to Kubernetes
bastianhofmann
1
140
CI/CD with Kubernetes
bastianhofmann
0
160
Creating a fast Kubernetes Development Workflow
bastianhofmann
1
250
Deploying your first Micro-Service application to Kubernetes
bastianhofmann
2
170
Creating a fast Kubernetes Development Workflow
bastianhofmann
0
180

Other Decks in Programming

See All in Programming
距離関数を極める! / SESSIONS 2024
gam0022
0
280
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
役立つログに取り組もう
irof
28
9.6k
Arm移行タイムアタック
qnighy
0
320
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
最新TCAキャッチアップ
0si43
0
140
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
920
エンジニアとして関わる要件と仕様(公開用)
murabayashi
0
290
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
みんなでプロポーザルを書いてみた
yuriko1211
0
260
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520

Featured

See All Featured
Building Your Own Lightsaber
phodgson
103
6.1k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
We Have a Design System, Now What?
morganepeng
50
7.2k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Side Projects
sachag
452
42k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Navigating Team Friction
lara
183
14k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k

Transcript

  1. API authorization with OAuth @BastianHofmann

  2. http://oauth.net/

  3. API

  4. None
  5. None
  6. None

  7. ResearchGate gives science back to the people who make it

    happen. We help researchers build reputation and accelerate scientific progress. On their terms. ‟
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None

  15. Questions? Ask!

  16. http://speakerdeck.com/u/bastianhofmann

  17. http://oauth.net/

  18. http://tools.ietf.org/html/rfc5849

  19. lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared

    Consumer Key - Shared Consumer Secret

  20. HTTP POST Connect with Twitter lanyrd.com

  21. twitter.com HTTP POST Connect with Twitter HTTP GET Consumer Key

    Redirect URI Signature (Consumer Secret) lanyrd.com

  22. twitter.com HTTP POST Connect with Twitter Request Token Request Token

    Secret lanyrd.com

  23. http://twitter.com/authorize? requestToken=... HTTP Redirect lanyrd.com

  24. HTTP GET twitter.com/ authorize

  25. Login twitter.com/ authorize

  26. Grant permission twitter.com/ authorize Create verifier and bind it to

    User and Request Token

  27. Redirect URI?verifier=...&requestToken=.. HTTP Redirect twitter.com/ authorize

  28. HTTP GET lanyrd.com (RedirectURI? verifier=...)

  29. HTTP GET HTTP GET Consumer Key, RequestToken Verifier Signature (Consumer

    & Request Token Secret) twitter.com lanyrd.com

  30. HTTP GET Access Token Access Token Secret twitter.com lanyrd.com

  31. HTTP GET API Request Consumer Key, Access Token Signature (Consumer

    & Access Token Secret) twitter.com lanyrd.com

  32. POST /oauth/request_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131200“,

    oauth_nonce=“gggg“, oauth_callback=“http%3A%2F %2Fexample.com%2Fcallback“ oauth_signature=“...“

  33. HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=defghi&oauth_token_secret=jkl mnop&oauth_callback_confirmed=true

  34. HTTP/1.1 302 Found Location: https://api.twitter.com/oauth/ authorization?oauth_token=defghi

  35. HTTP/1.1 302 Found Location: http://example.com/callback? oauth_token=defghi&oauth_verifier=qrstuvw

  36. POST /oauth/access_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“defghi“ oauth_signature_method=“HMAC-SHA1“,

    oauth_timestamp=“137131201“, oauth_nonce=“hhhhh“, oauth_verifier=“qrstuvw“ oauth_signature=“...“

  37. HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=xzyabc&oauth_token_secret=defg hijk

  38. POST /1/statuses/update.json HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“ xzyabc“

    oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131203“, oauth_nonce=“iiiiiii“, oauth_signature=“...“ status=New %20Tweet&trim_user=true&include_entities=tru e

  39. Signatures

  40. GET /photos/vacation.jpg? oauth_consumer_key=123&oauth_nonce= 456&oauth_signature_method=HMAC- SHA1&oauth_timestamp=1191242096&oau th_token=789&oauth_version=1.0 HTTP/1.1 Host: photos.example.net

  41. GET&http%3A%2F %2Fphotos.example.net%2Fphotos %2Fvacation.jpg&oauth_consumer_key %3D123%26oauth_nonce %3D456%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp %3D1191242096%26oauth_token %3D789%26oauth_version%3D1.0

  42. PLAINTEXT

  43. HMAC-SHA1 Salt: consumerSecret(&tokenSecret)

  44. RSA-SHA1 Public/Private Key

  45. Problems Does not work well with non web or JavaScript

    based clients The „Invalid Signature“ Problem Complicated Flow, many requests

  46. How to fix it?

  47. http://oauth.net/

  48. 31 drafts ...

  49. ...now final!

  50. http://www.rfc-editor.org/rfc/rfc6749.txt

  51. http://www.rfc-editor.org/rfc/rfc6750.txt

  52. http://tools.ietf.org/html/draft-ietf-oauth-v2 What‘s new in OAuth2? (Draft 10) Different client profiles

    No signatures No Token Secrets Cookie-like Bearer Token No Request Tokens Much more flexible regarding extensions Mandatory TSL/SSL

  53. http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to- hell/ ‟It is the biggest professional disappointment of my

    career. Eran Hammer

  54. http://www.tbray.org/ongoing/When/201x/2012/07/28/ Oauth2-dead OAuth 2 is useful today. ‟ Tim Bray

  55. Web-Server Profile

  56. lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared

    Client ID - Shared Client Secret - Redirect URI

  57. HTTP(S) POST Connect with Twitter lanyrd.com

  58. http://twitter.com/authorize?&clientId=... HTTPS Redirect lanyrd.com

  59. HTTPS GET twitter.com/ authorize

  60. Login twitter.com/ authorize

  61. Grant permission twitter.com/ authorize Create authorization code and bind it

    to User and ClientID

  62. Redirect URI?authorizationCode=... HTTPS Redirect twitter.com/ authorize

  63. HTTPS GET lanyrd.com (RedirectURI? authorizationCode= ...)

  64. HTTPS GET HTTPS GET Consumer Key Authorization Code Consumer Secret

    twitter.com lanyrd.com

  65. HTTPS GET Access Token (Refresh Token) twitter.com lanyrd.com

  66. HTTPS GET HTTPS API Request Access Token twitter.com lanyrd.com

  67. HTTPS GET HTTPS GET Consumer Key Refresh Token Consumer Secret

    twitter.com lanyrd.com

  68. HTTPS GET Access Token Refresh Token twitter.com lanyrd.com

  69. HTTPS GET API Request with Access Token twitter.com lanyrd.com

  70. HTTP/1.1 302 Found Location: https://api.twitter.com/oauth2/ authorize? response_type=code&client_id=abcdefg&state=x yz&scope=write

  71. HTTP/1.1 302 Found Location: https://example.com/callback? code=ghijkl&state=xyz

  72. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Content-Type: application/x-www-form- urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl&c lient_id=12345&client_secret=7890

  73. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-

    urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl

  74. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token": "jklmno", "expires_in": 3600,

    "refresh_token": "qrstuvq", "token_type": "bearer" }

  75. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

  76. Refresh Token

  77. POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-

    urlencoded;charset=UTF-8 grant_type=refresh_token&code=qrstuvq

  78. Authorization Types

  79. Bearer Tokens

  80. http://www.rfc-editor.org/rfc/rfc6750.txt

  81. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno

  82. SSL not possible?

  83. Signatures

  84. http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac

  85. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "token_type“: "mac“,

    "expires_in“: 3600, "refresh_token“: "qrstuvq“ "mac_key":"adijq39jdlaska9asud", "mac_algorithm":"hmac-sha-1" }

  86. GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: MAC id=“jklmno“, nonce=“274312:dj83hs“, mac=“.....“

  87. timestamp\n nonce\n HTTP_METHOD\n HTTP Request URI\n Hostname\n Port\n (Authorization extension)

  88. And JavaScript?

  89. User-Agent Profile

  90. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com

  91. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com HTTPS GET twitter.co m/ authorize

  92. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Login twitter.co m/ authorize

  93. http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Grant Permission twitter.co m/ authorize

  94. lanyrd.com HTTPS Redirect RedirectURI#acces sToken twitter.co m/ authorize RedirectURI# accessToken

    lanyrd.com

  95. lanyrd.com RedirectURI# accessToken Parse Access Token from Fragment Send it

    to opening window Close popup lanyrd.com

  96. Same Origin Policy

  97. lanyrd.com HTTPS Ajax Request to API Access Token twitter.com

  98. Same Origin Policy

  99. None

  100. JSONP

  101. Cross Origin Request Sharing (CORS)

  102. Backend api.twitter.com Client lanyrd. com AJAX Access-Control-Allow-Origin: * http://www.w3.org/TR/cors/

  103. GET /oauth2/authorize? response_type=token&client_id=abcdefg&stat e=xyz&scope=write HTTP/1.1 Host: api.twitter.com

  104. HTTP/1.1 302 Found Location: http://example.com/ callback#access_token=gahorha&state=xyz&exp ires_in=3600&token_type=bearer

  105. 1.<script> 2. var fragmentString = location.hash.substr(1); 3. var fragment =

    {}; 4. var fragmentItemStrings = fragmentString.split('&'); 5. for (var i in fragmentItemStrings) { 6. var fragmentItem = fragmentItemStrings[i].split('='); 7. if (fragmentItem.length !== 2) { 8. continue; 9. } 10. fragment[fragmentItem[0]] = fragmentItem[1]; 11. } 12. opener.setAccessToken(fragment['access_token']); 13. window.close(); 14.</script>

  106. State

  107. Scopes Optional parameter for provider specific implementations Additional return values

    Access Control

  108. http://openidconnect.com/ Scope: „openid“ With access token additional values are returned

    UserID: URL to Portable Contacts endpoint Timestamp Signature

  109. Mobile/Desktop

  110. h"p://twi"er.com/Bas2anHofmann h"ps://profiles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann/ h"p://speakerdeck.com/u/bas2anhofmann [email protected] Did you like this talk?

    https://joind.in/7360