1. Securing your Web API with OAuth

• Mohanaraj Gopala Krishnan

MYOSS Meetup 4 Dec 2008

mohangk.org/blog

2. Questions for you

Experience with OAuth?

• Developed, read spec, heard of ?

Application that exposes a Web API ?

• Authentication ?

Experience using BBAuth,Authsub, Flickr Auth etc. ?

3. What is OAuth?

A simple open standard for Web API authorization

End Users

• Share information between online services without disclosing passwords

Web service (Service providers)

• Allow for secure access to your API in a user controlled, secure manner

3rd Party application (Consumers)

• A standard authorization scheme for the web

4. Valet key for your web http://toyotaownersclub.com/forums/index.php?showtopic=77384 5. VS 6. http://www.flickr.com/photos/leelefever/133949029/ 7. OpenID vs OAuth

Goals are different

• OpenID is about sharing a single identity with different consumers

• OAuth is about sharing your data with different consumers without sharing your identity

Not mutually exclusive

8. OpenID vs OAuth

Commonality

• Open protocols - community driven

• Involves 3 parties

• Involves moving the users between consumer and service provider

• Involves laying a claim that is verified by the service/identity provider

• • OpenID - I own this URL

• • OAuth - I own this resource

9. Love triangle End user Serviceprovider Consumer 10. WTF ?! 11. Passwords are not confetti.Please stop throwing them around. Especially if theyrenot yours Chris Messinahttp://www.slideshare.net/carsonified/how-oauth-and-portable-data-can-revolutionize-your-web-app-chris-messina-presentation/ 12. OAuth interaction demo

Simple demo

• http://oauth.kg23.com /

13. OAuth dance steps http://flickr.com/photos/wigwam/2255831538/ 14. OAuth dance steps consumer key An identifier for the consumer to the service providerconsumersecret Secret used to establish ownership of the consumer key request token A value that is used to obtain authorization from the user. Finally traded in for an access token. access token Value used to gain access to a protected resource on behalf of the user without requiring the users credentials token secret Secret used to establish ownership of a given token 15. OAuth dance steps

http://www.googlecodesamples.com/oauth_playground/

16. 17. OAuth roles

Service provider

• Implement three service endpoints

• • Get request token

• • Authenticate request token

• • Exchange request token for access token

• Provides a form of authentication

• Validates following requests (post OAuth dance)

• Provides a mechanism to maintain authorization

• Additional API services

• • e.g. Access token lifecycle management - revocation, extension

18.

Service providers need to allow for end users to manage their authorizations

19. OAuth roles

Consumer

• Acquire consumer key / consumer secret

• Communication with service provider

• • Over HTTP - header, POST, GET query

• Signing requests

• • HMAC-SHA1,RSA-SHA1,PLAINTEXT

• Keep track of access tokens

• • Store association of users to access token

• • Service providers have different policy as to token lifetime-e.g. Goog vs Y!

• • Must be treated as securely as passwords

20. OAuth security http://icanhascheezburger.com/2007/11/27/meh-security-system-let-me-showz-u-him/ 21. OAuth security

Signing- allows for security beyond HTTP basic auth

• No secret over the wire beyond the dance

• Request is verifiable - untampered

Nonce & timestamps - mitigate replay attacks

Delegation of credentials instead of direct credentials

HTTPS still required for mitigating MITM - but if not too critical, request signing should suffice

22. Signature HMAC-SHA1 HTTPmethod Base URL Normalizedparameters oauth parameters oauth_consumer_key, oauth_token, oauth_nonce,oauth_timestamp,oauth_signature_mothod, oauth_version request parameters param1,param2 oauth_signature = HMAC-SHA1(text,secret) consumer_secret & oauth_token_secret *also base64 encoded + urlencoded 23. Signature RSA-SHA1 HTTPmethod Base URL Normalizedparameters oauth parameters oauth_consumer_key, oauth_token, oauth_nonce,oauth_timestamp,oauth_signature_mothod, oauth_version request parameters param1,param2 oauth_signature* = RSA-SHA1(text,secret) consumer_secret (consumer private key ) *also base64 encoded + urlencoded 24. OAuth usage environments

Web application

• Standard case

Gadgets

• contained within a larger consumer - OAuth Gadget extension

2-legged OAuth

• No user involved - the consumer has been put in a position of trust - e.g. Google domain administrator or accessing public data

• Extension implemented by Goog - Only HMAC-SHA1, no oauth_token, additional - xoauth_requestor_id - user to imitate, must be explicitly enabled

Desktop apps / JS apps

• Consumer secret can be easily compromised - trust levels

• Doesnt compromise authorization

25. Why bother?

Large adoption - Goog, Y!, MySpace

Interop - Leverage the services

Can be used as a replacement for HTTP basic auth

• SSL might not be always necessary

Part of the Open web stack

• Atompub + OpenID + OAuth + XRDS +OpenSocial

26. Why bother ? OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion Dare Obsanjohttp:// www.25hoursaday.com/weblog/2007/11/12/OpenIDOAuthIsTheFinalNailInTheCoffinOfTheWSVsRESTDiscussion.aspx 27. State of OAuth

OAuth Core 1.0, IETF Draft

Different use environments being worked out via extensions

Library support - extensive, but varying quality

OpenID + OAuth hybrid models

Usability funkiness

28. Implementations

Libraries

• oauth.net/code

• http://github.com/search?q=oauth&x=0&y=0

Server implementations

• PHP - http://code.google.com/p/oauth-php/

• Ruby - http://github.com/pelle/oauth/tree/master

29. Thanks