Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
API authorization with OAuth
Search
Bastian Hofmann
October 17, 2012
Programming
1.2k
5
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
API authorization with OAuth
Bastian Hofmann
October 17, 2012
More Decks by Bastian Hofmann
See All by Bastian Hofmann
Monitoring in Kubernetes with Prometheus and Grafana
bastianhofmann
0
360
Creating a fast Kubernetes Development Workflow
bastianhofmann
0
150
Highly available cross-region deployments with Kubernetes
bastianhofmann
1
170
From source to Kubernetes in 30 minutes
bastianhofmann
0
200
Introduction to Kubernetes
bastianhofmann
1
140
CI/CD with Kubernetes
bastianhofmann
0
250
Creating a fast Kubernetes Development Workflow
bastianhofmann
1
290
Deploying your first Micro-Service application to Kubernetes
bastianhofmann
2
210
Creating a fast Kubernetes Development Workflow
bastianhofmann
0
270
Other Decks in Programming
See All in Programming
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.5k
そのテスト、説明できますか?~LWテスト戦略FW~のご紹介
nakahara
0
180
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
snhryt
0
200
スマートグラスで並列バイブコーディング
hyshu
0
270
フロントエンドとバックエンドで「1文字」を揃えよう
youkidearitai
PRO
0
770
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
610
OSもどきOS
arkw
0
600
ADKを使って簡単にAIエージェントを作ってみよう
k1mu21
0
280
作って学ぶ、 JSX (TSX) ランタイムの基本
syumai
7
1.7k
LaravelLive Japan の裏方のすべて — 第188回 PHP勉強会@東京 (2026-06-24)
suguruooki
2
130
Developing with AI Agents — Codex, Claude Code & Cowork Practical Guide
x5gtrn
PRO
0
1.3k
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
560
Featured
See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
37
6.5k
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
250
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
320
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
210
First, design no harm
axbom
PRO
2
1.2k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8.2k
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
440
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
1.2k
Marketing to machines
jonoalderson
1
5.5k
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.3k
Transcript
API authorization with OAuth @BastianHofmann
http://oauth.net/
API
None
None
None
ResearchGate gives science back to the people who make it
happen. We help researchers build reputation and accelerate scientific progress. On their terms. ‟
None
None
None
None
None
None
None
Questions? Ask!
http://speakerdeck.com/u/bastianhofmann
http://oauth.net/
http://tools.ietf.org/html/rfc5849
lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared
Consumer Key - Shared Consumer Secret
HTTP POST Connect with Twitter lanyrd.com
twitter.com HTTP POST Connect with Twitter HTTP GET Consumer Key
Redirect URI Signature (Consumer Secret) lanyrd.com
twitter.com HTTP POST Connect with Twitter Request Token Request Token
Secret lanyrd.com
http://twitter.com/authorize? requestToken=... HTTP Redirect lanyrd.com
HTTP GET twitter.com/ authorize
Login twitter.com/ authorize
Grant permission twitter.com/ authorize Create verifier and bind it to
User and Request Token
Redirect URI?verifier=...&requestToken=.. HTTP Redirect twitter.com/ authorize
HTTP GET lanyrd.com (RedirectURI? verifier=...)
HTTP GET HTTP GET Consumer Key, RequestToken Verifier Signature (Consumer
& Request Token Secret) twitter.com lanyrd.com
HTTP GET Access Token Access Token Secret twitter.com lanyrd.com
HTTP GET API Request Consumer Key, Access Token Signature (Consumer
& Access Token Secret) twitter.com lanyrd.com
POST /oauth/request_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131200“,
oauth_nonce=“gggg“, oauth_callback=“http%3A%2F %2Fexample.com%2Fcallback“ oauth_signature=“...“
HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=defghi&oauth_token_secret=jkl mnop&oauth_callback_confirmed=true
HTTP/1.1 302 Found Location: https://api.twitter.com/oauth/ authorization?oauth_token=defghi
HTTP/1.1 302 Found Location: http://example.com/callback? oauth_token=defghi&oauth_verifier=qrstuvw
POST /oauth/access_token HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“defghi“ oauth_signature_method=“HMAC-SHA1“,
oauth_timestamp=“137131201“, oauth_nonce=“hhhhh“, oauth_verifier=“qrstuvw“ oauth_signature=“...“
HTTP/1.1 200 OK Content-Type: application/x-www-form- urlencode oauth_token=xzyabc&oauth_token_secret=defg hijk
POST /1/statuses/update.json HTTP/1.1 Host: api.twitter.com Authorization: OAuth oauth_consumer_key=“abcdef“, oauth_token=“ xzyabc“
oauth_signature_method=“HMAC-SHA1“, oauth_timestamp=“137131203“, oauth_nonce=“iiiiiii“, oauth_signature=“...“ status=New %20Tweet&trim_user=true&include_entities=tru e
Signatures
GET /photos/vacation.jpg? oauth_consumer_key=123&oauth_nonce= 456&oauth_signature_method=HMAC- SHA1&oauth_timestamp=1191242096&oau th_token=789&oauth_version=1.0 HTTP/1.1 Host: photos.example.net
GET&http%3A%2F %2Fphotos.example.net%2Fphotos %2Fvacation.jpg&oauth_consumer_key %3D123%26oauth_nonce %3D456%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp %3D1191242096%26oauth_token %3D789%26oauth_version%3D1.0
PLAINTEXT
HMAC-SHA1 Salt: consumerSecret(&tokenSecret)
RSA-SHA1 Public/Private Key
Problems Does not work well with non web or JavaScript
based clients The „Invalid Signature“ Problem Complicated Flow, many requests
How to fix it?
http://oauth.net/
31 drafts ...
...now final!
http://www.rfc-editor.org/rfc/rfc6749.txt
http://www.rfc-editor.org/rfc/rfc6750.txt
http://tools.ietf.org/html/draft-ietf-oauth-v2 What‘s new in OAuth2? (Draft 10) Different client profiles
No signatures No Token Secrets Cookie-like Bearer Token No Request Tokens Much more flexible regarding extensions Mandatory TSL/SSL
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to- hell/ ‟It is the biggest professional disappointment of my
career. Eran Hammer
http://www.tbray.org/ongoing/When/201x/2012/07/28/ Oauth2-dead OAuth 2 is useful today. ‟ Tim Bray
Web-Server Profile
lanyrd.com twitter.com Pre Registration of Client at Twitter: - Shared
Client ID - Shared Client Secret - Redirect URI
HTTP(S) POST Connect with Twitter lanyrd.com
http://twitter.com/authorize?&clientId=... HTTPS Redirect lanyrd.com
HTTPS GET twitter.com/ authorize
Login twitter.com/ authorize
Grant permission twitter.com/ authorize Create authorization code and bind it
to User and ClientID
Redirect URI?authorizationCode=... HTTPS Redirect twitter.com/ authorize
HTTPS GET lanyrd.com (RedirectURI? authorizationCode= ...)
HTTPS GET HTTPS GET Consumer Key Authorization Code Consumer Secret
twitter.com lanyrd.com
HTTPS GET Access Token (Refresh Token) twitter.com lanyrd.com
HTTPS GET HTTPS API Request Access Token twitter.com lanyrd.com
HTTPS GET HTTPS GET Consumer Key Refresh Token Consumer Secret
twitter.com lanyrd.com
HTTPS GET Access Token Refresh Token twitter.com lanyrd.com
HTTPS GET API Request with Access Token twitter.com lanyrd.com
HTTP/1.1 302 Found Location: https://api.twitter.com/oauth2/ authorize? response_type=code&client_id=abcdefg&state=x yz&scope=write
HTTP/1.1 302 Found Location: https://example.com/callback? code=ghijkl&state=xyz
POST /oauth2/token HTTP/1.1 Host: api.twitter.com Content-Type: application/x-www-form- urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl&c lient_id=12345&client_secret=7890
POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-
urlencoded;charset=UTF-8 grant_type=authorization_code&code=ghijkl
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token": "jklmno", "expires_in": 3600,
"refresh_token": "qrstuvq", "token_type": "bearer" }
GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno
Refresh Token
POST /oauth2/token HTTP/1.1 Host: api.twitter.com Authorization: Basic mnopqrs Content-Type: application/x-www-form-
urlencoded;charset=UTF-8 grant_type=refresh_token&code=qrstuvq
Authorization Types
Bearer Tokens
http://www.rfc-editor.org/rfc/rfc6750.txt
GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: Bearer jklmno
SSL not possible?
Signatures
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 { "access_token“: "jklmno“, "token_type“: "mac“,
"expires_in“: 3600, "refresh_token“: "qrstuvq“ "mac_key":"adijq39jdlaska9asud", "mac_algorithm":"hmac-sha-1" }
GET /1/statuses/home_timeline HTTP/1.1 Host: api.twitter.com Authorization: MAC id=“jklmno“, nonce=“274312:dj83hs“, mac=“.....“
timestamp\n nonce\n HTTP_METHOD\n HTTP Request URI\n Hostname\n Port\n (Authorization extension)
And JavaScript?
User-Agent Profile
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com HTTPS GET twitter.co m/ authorize
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Login twitter.co m/ authorize
http://twitter.com/authorize?&clientId=... Open Popup lanyrd.com Grant Permission twitter.co m/ authorize
lanyrd.com HTTPS Redirect RedirectURI#acces sToken twitter.co m/ authorize RedirectURI# accessToken
lanyrd.com
lanyrd.com RedirectURI# accessToken Parse Access Token from Fragment Send it
to opening window Close popup lanyrd.com
Same Origin Policy
lanyrd.com HTTPS Ajax Request to API Access Token twitter.com
Same Origin Policy
None
JSONP
Cross Origin Request Sharing (CORS)
Backend api.twitter.com Client lanyrd. com AJAX Access-Control-Allow-Origin: * http://www.w3.org/TR/cors/
GET /oauth2/authorize? response_type=token&client_id=abcdefg&stat e=xyz&scope=write HTTP/1.1 Host: api.twitter.com
HTTP/1.1 302 Found Location: http://example.com/ callback#access_token=gahorha&state=xyz&exp ires_in=3600&token_type=bearer
1.<script> 2. var fragmentString = location.hash.substr(1); 3. var fragment =
{}; 4. var fragmentItemStrings = fragmentString.split('&'); 5. for (var i in fragmentItemStrings) { 6. var fragmentItem = fragmentItemStrings[i].split('='); 7. if (fragmentItem.length !== 2) { 8. continue; 9. } 10. fragment[fragmentItem[0]] = fragmentItem[1]; 11. } 12. opener.setAccessToken(fragment['access_token']); 13. window.close(); 14.</script>
State
Scopes Optional parameter for provider specific implementations Additional return values
Access Control
http://openidconnect.com/ Scope: „openid“ With access token additional values are returned
UserID: URL to Portable Contacts endpoint Timestamp Signature
Mobile/Desktop
h"p://twi"er.com/Bas2anHofmann h"ps://profiles.google.com/bashofmann h"p://lanyrd.com/people/Bas2anHofmann/ h"p://speakerdeck.com/u/bas2anhofmann
[email protected]
Did you like this talk?
https://joind.in/7360