OAuth - Open API Authentication

  • View

  • Download

Embed Size (px)


http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.


  • 1. OAuth Basic Introduction

2. What is OAuth? A simple open standard for secure APIauthentication. 3. The Love Triangle End User Service Provider Consumer Application (fake applications by EHL)http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html 4. Specifically OAuth is... AuthenticationNeed to log in to access parts of a websiteex: bookmark a link, post a photo, add a friend, viewa private message Token-based AuthenticationLogged-in user has a unique token used to accessdata from the site 5. Similar to... Flickr Auth Googles AuthSub Yahoos BBAuth Facebook Auth and others... 6. Who is involved? 7. Goals: Be Simple standard for website API authentication consistent for developers easy for users to understand ** this is hard 8. Goals: Be Secure secure for users easy to implement security features for developers balance security with ease of use 9. Goals: Be Open any website can implement OAuth any developer can use OAuth open source client libraries published technical specifications 10. Goals: Be Flexible dont need a username and password authentication method agnostic can use OpenID (or not!) whatever works best for the web service developers dont need to handle auth 11. What the end user sees... an example from ma.gnolia and nsyght. 12. OMG! Need to login! 13. Login with service provider 14. Authorize 15. Done! 16. How Does OAuth Work? (for developers) 17. Register a ConsumerApplication Provide service provider with data about your application (name, creator, url etc...) Service provider assigns consumer a consumer key and consumer secret Service provider gives documentation of authorization URLs and methods 18. Authorization Process 1. Obtain request token2. User authorizes request token3. Exchange request token for access token4. Use access token to obtain protected resources 19. OAuth Parameters oauth_consumer_key oauth_token oauth_signature oauth_signature_method oauth_timestamp oauth_nonce 20. Where is this information passed? HTTP Authorization header HTTP POST request body (form params) URL query string parameters 21. Security Tokens - arent passing username/password Timestamp and nonce - verify unique requests Signature - encrypted parameters help service provider recognize consumer Signature methods - HMAC-SHA1, RSA- SHA1, Plaintext over a secure channel (such as SSL) 22. Current Status ofOAuth oauth.net Auth Core 1.0 Draft 7 several libraries Python, Ruby, Perl, C# ...) for consumers and service providers (PHP, Ma.gnolia and Twitter implementations more implementations soon! 23. Thanks! Chris is still working on the logo...