BUILDING AND USING SECURE WEB SERVICES WITH OAUTH Skillswap Goes Portable, November 25, 2008
Bruce [email protected]
http://bruceboughton.me.uk
http://lab.madgex.com/
web services are about data let’s think about data...
DATA SHOULD BE PORTABLE (even your private data)
The Internet is awash with data (put there by our users)
why?
CONTROL YOUR DATA: Don't get locked into one vendor
Mash-ups: <data> MORE INTERESTING
http://pipes.yahoo.com/bruceboughton/skillswapmashup
RE-PURPOSE YOUR DATA in different contexts
Data is portable if you can easily ACCESS IT and INTERPRET IT
Data should be available in STANDARD DATA FORMATS
<xml/>, POSH, JSON, μf (microformats)
How can users let third parties ACCESS THEIR PRIVATE DATA?
User data is moving to the cloud
40-60% OF TWEETS VIA API* (*Blaine Cook co-authored OAuth)
Why pick on Twitter?
http://kecute.wordpress.com/2007/11/05/cat-computer-geek/
we need an easy,user-friendly standard
for third party api security
GOOGLE CONTACTS DEMO: http://lab.madgex.com/oauth-net/googlecontacts/
YOU CHOOSE who you share YOUR DATA with
OAuth puts the user back in control
NO NEED to give out your PASSWORD
OAuth is secure
FIRE EAGLE LOCATION DEMO: http://whereami.lab.madgex.com/
Supports FINE-GRAINED privacy controls
Lightweight and open for extension
Google, Yahoo, OpenSocial, Netflix, MySpace, Pownce, Ma.gnolia, SmugMug, GetSatisfaction and more...
Big name adoption
one thing: OAuth != OpenID
(but they do play nicely)
OpenID is authentication; OAUTH IS ACCESS CONTROL
let’s get technical
Protected resources are exposed by service providers and used by consumer applications on behalf of users
e.g. My physical location is exposed by the Fire Eagle API and used by the Madgex Lab demo on my behalf
Consumer identity asserted using CONSUMER KEY and SECRET
To fetch a protected resource: Consumer gets an ACCESS TOKEN (tied to a user, usually re-usable)
To get an access token: Consumer asks USER TO LOG IN and AUTHORIZE request
Requests are SIGNED and include a TIMESTAMP and NONCE
This is just PLAIN OLD HTTP with added super powers
don’t worry, there are plenty of
open source libraries
Ruby, .NET, Python, PHP, Java, JavaScript, Objective-C and more...
http://oauth.net/code
do we have time for some code?
OAuth.net library: http://lab.madgex.com/oauth-net
Configuring the Fire Eagle service (without discovery)
Requesting the user’s location
Handling authorization (if we didn't already have an access token)
Using the protected resource
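The request-signing step summarised earlier (consumer key and secret, an access token tied to a user, every request SIGNED with a TIMESTAMP and NONCE) and the "requesting the user's location" step of the code walkthrough, as an added example that is not part of the original talk or of the OAuth.net library: a self-contained Python implementation of OAuth 1.0 HMAC-SHA1 signing on the consumer side and verification on the service-provider side. The consumer key, secrets, token, nonce and timestamp are the published test vector from OAuth Core 1.0 Appendix A; the `ServiceProvider` class, its `user-42` owner and the 300-second clock window are assumptions made for the example. The provider half shows why the timestamp and nonce matter: a captured request replayed later is rejected even though its signature is still valid.

```python
"""OAuth 1.0 HMAC-SHA1: consumer-side signing and provider-side verification,
including the timestamp window and nonce bookkeeping that defeat replay."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value):
    """Percent-encode per OAuth 1.0: only the unreserved set (-._~) is left bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lower-cased, default ports dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """METHOD & encoded(base URI) & encoded(sorted 'k=v' pairs joined by '&').
    params: all oauth_* parameters plus query/body parameters, minus oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Signing key is 'consumer secret & token secret' (token secret is empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Consumer side: return the full parameter list, oauth_signature included."""
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),  # fresh per request
        ("oauth_version", "1.0"),
    ]
    params = list(query) + oauth_params
    sig = hmac_sha1_signature(signature_base_string(method, url, params),
                              consumer_secret, token_secret)
    return params + [("oauth_signature", sig)]


class ServiceProvider:
    """Assumed minimal provider. consumers: consumer key -> secret;
    tokens: access token -> (user, token secret). `now` is injectable for testing."""

    def __init__(self, consumers, tokens, window=300, now=time.time):
        self.consumers, self.tokens, self.window, self.now = consumers, tokens, window, now
        self.seen_nonces = set()  # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params):
        """Return the user the token belongs to, or None if the request is rejected.
        In real HTTP, params are gathered from the Authorization header, query and body."""
        p = dict(params)
        try:
            consumer_secret = self.consumers[p["oauth_consumer_key"]]
            user, token_secret = self.tokens[p["oauth_token"]]
            ts = int(p["oauth_timestamp"])
            nonce, signature = p["oauth_nonce"], p["oauth_signature"]
        except (KeyError, ValueError):
            return None
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        if abs(self.now() - ts) > self.window:  # stale or future-dated: reject
            return None
        if (p["oauth_consumer_key"], ts, nonce) in self.seen_nonces:  # replay
            return None
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, signature):  # constant-time compare
            return None
        self.seen_nonces.add((p["oauth_consumer_key"], ts, nonce))
        return user


if __name__ == "__main__":
    # Test vector from OAuth Core 1.0 Appendix A; the provider tables are constructed.
    url = "http://photos.example.net/photos"
    signed = sign_request("GET", url, [("file", "vacation.jpg"), ("size", "original")],
                          "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                          "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00",
                          nonce="kllo9940pd9333jh", timestamp=1191242096)
    provider = ServiceProvider({"dpf43f3p2l4k3l03": "kd94hf93k423kf44"},
                               {"nnch734d00sl2jdk": ("user-42", "pfkkdhi9sl3r4s00")},
                               now=lambda: 1191242096 + 10)
    print(dict(signed)["oauth_signature"], provider.verify("GET", url, signed),
          provider.verify("GET", url, signed))  # second call is a replay -> None
```

The consumer never sends either secret; they only key the HMAC, which is what lets the provider grant access without ever seeing the user's password. Note that the nonce set must be bounded to the timestamp window (entries older than `window` can be dropped), otherwise it grows without limit.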