- 1. Securing your Web API with OAuth
- Mohanaraj Gopala Krishnan
2. Questions for you
-
- Developed, read spec, heard of ?
- Application that exposes a Web API ?
- Experience using BBAuth,Authsub, Flickr Auth etc. ?
3. What is OAuth?
- A simple open standard for Web API authorization
-
- Share information between online services without disclosing
passwords
- Web service (Service providers)
-
- Allow for secure access to your API in a user controlled,
secure manner
- 3rd Party application (Consumers)
-
- A standard authorization scheme for the web
4. Valet key for your web
http://toyotaownersclub.com/forums/index.php?showtopic=77384 5. VS
6. http://www.flickr.com/photos/leelefever/133949029/ 7. OpenID vs
OAuth
-
- OpenID is about sharing a single identity with different
consumers
-
- OAuth is about sharing your data with different consumers
without sharing your identity
8. OpenID vs OAuth
-
- Open protocols - community driven
-
- Involves moving the users between consumer and service
provider
-
- Involves laying a claim that is verified by the
service/identity provider
-
-
- OAuth - I own this resource
9. Love triangle End user Serviceprovider Consumer 10. WTF ?!
11. Passwords are not confetti.Please stop throwing them around.
Especially if theyrenot yours Chris
Messinahttp://www.slideshare.net/carsonified/how-oauth-and-portable-data-can-revolutionize-your-web-app-chris-messina-presentation/
12. OAuth interaction demo
13. OAuth dance steps
http://flickr.com/photos/wigwam/2255831538/ 14. OAuth dance steps
consumer key An identifier for the consumer to the service
providerconsumersecret Secret used to establish ownership of the
consumer key request token A value that is used to obtain
authorization from the user. Finally traded in for an access token.
access token Value used to gain access to a protected resource on
behalf of the user without requiring the users credentials token
secret Secret used to establish ownership of a given token 15.
OAuth dance steps
- http://www.googlecodesamples.com/oauth_playground/
16. 17. OAuth roles
-
- Implement three service endpoints
-
-
- Authenticate request token
-
-
- Exchange request token for access token
-
- Provides a form of authentication
-
- Validates following requests (post OAuth dance)
-
- Provides a mechanism to maintain authorization
-
-
- e.g. Access token lifecycle management - revocation,
extension
18.
- Service providers need to allow for end users to manage their
authorizations
19. OAuth roles
-
- Acquire consumer key / consumer secret
-
- Communication with service provider
-
-
- Over HTTP - header, POST, GET query
-
-
- HMAC-SHA1,RSA-SHA1,PLAINTEXT
-
- Keep track of access tokens
-
-
- Store association of users to access token
-
-
- Service providers have different policy as to token
lifetime-e.g. Goog vs Y!
-
-
- Must be treated as securely as passwords
20. OAuth security
http://icanhascheezburger.com/2007/11/27/meh-security-system-let-me-showz-u-him/
21. OAuth security
- Signing- allows for security beyond HTTP basic auth
-
- No secret over the wire beyond the dance
-
- Request is verifiable - untampered
- Nonce & timestamps - mitigate replay attacks
- Delegation of credentials instead of direct credentials
- HTTPS still required for mitigating MITM - but if not too
critical, request signing should suffice
22. Signature HMAC-SHA1 HTTPmethod Base URL Normalizedparameters
oauth parameters oauth_consumer_key, oauth_token,
oauth_nonce,oauth_timestamp,oauth_signature_mothod, oauth_version
request parameters param1,param2 oauth_signature =
HMAC-SHA1(text,secret) consumer_secret & oauth_token_secret
*also base64 encoded + urlencoded 23. Signature RSA-SHA1 HTTPmethod
Base URL Normalizedparameters oauth parameters oauth_consumer_key,
oauth_token, oauth_nonce,oauth_timestamp,oauth_signature_mothod,
oauth_version request parameters param1,param2 oauth_signature* =
RSA-SHA1(text,secret) consumer_secret (consumer private key ) *also
base64 encoded + urlencoded 24. OAuth usage environments
-
- contained within a larger consumer - OAuth Gadget
extension
-
- No user involved - the consumer has been put in a position of
trust - e.g. Google domain administrator or accessing public
data
-
- Extension implemented by Goog - Only HMAC-SHA1, no oauth_token,
additional - xoauth_requestor_id - user to imitate, must be
explicitly enabled
-
- Consumer secret can be easily compromised - trust levels
-
- Doesnt compromise authorization
25. Why bother?
- Large adoption - Goog, Y!, MySpace
- Interop - Leverage the services
- Can be used as a replacement for HTTP basic auth
-
- SSL might not be always necessary
- Part of the Open web stack
-
- Atompub + OpenID + OAuth + XRDS +OpenSocial
26. Why bother ? OpenID + OAuth is the Final Nail in the Coffin
of the WS-* vs. REST Discussion Dare Obsanjohttp://
www.25hoursaday.com/weblog/2007/11/12/OpenIDOAuthIsTheFinalNailInTheCoffinOfTheWSVsRESTDiscussion.aspx
27. State of OAuth
- OAuth Core 1.0, IETF Draft
- Different use environments being worked out via extensions
- Library support - extensive, but varying quality
- OpenID + OAuth hybrid models
28. Implementations
-
- http://github.com/search?q=oauth&x=0&y=0
-
- PHP - http://code.google.com/p/oauth-php/
-
- Ruby - http://github.com/pelle/oauth/tree/master
29. Thanks