Authorization with OAuth - CDATA Zone
Authorization with OAuth
Rob Richards
October 22, 2009
cdatazone.org
http://xri.net/=rob.richards
Authentication
• HTTP Authentication
  • Basic
  • Digest
• TLS/SSL
• WS-Security
• Developer Keys
• 3rd Party Authentication
  • Yahoo BBAuth
  • AOL OpenAuth
OAuth
An open protocol to allow secure API authorization
OAuth is not OpenID
OAuth is like OpenID
Data Authorization
Plaxo
OAuth
OAuth is like a Valet Key
OAuth
OAuth is like a Hotel Keycard
Master Key
(figure: grid of hotel rooms 101 to 108)
Guest Key: Granting Access
(figure: grid of hotel rooms 101 to 108)
Guest Key: Revoking Access
(figure: grid of hotel rooms 101 to 108)
Master Key Maintains Full Access
(figure: grid of hotel rooms 101 to 108)
OAuth Clients
OAuth and Netflix
developer.netflix.com
Netflix API
Netflix API: User Resources
Netflix Applications... and many more
Obtaining a Consumer Key / Secret
3-Legged OAuth: "The OAuth Dance"
Step 1: Obtaining a Request Token
Consumer sends a signed request to http://api.netflix.com/oauth/request_token
Service Provider returns a Request Token & Secret
Step 1: Obtaining a Request Token

```
http://api.netflix.com/oauth/request_token?
oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback
&oauth_consumer_key=1234567890123456789012345
&oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e
&oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255631744
&oauth_version=1.0
```
Calculating The Signature
Calculate Base String:

```
<HTTP method>&<canonicalized URL path>&<parameters>
```

```
GET&http%3A%2F%2Fapi.netflix.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Fwww.example.com%252Fcallback%26oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D3eb496472d2a46ceb71d65fc1b7341ae359f932c%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255631744%26oauth_version%3D1.0
```
Calculating The Signature
• Parameters are collected, sorted and concatenated into a normalized string
  • Parameters in the OAuth HTTP Authorization header, excluding the realm parameter.
  • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded).
  • HTTP GET parameters added to the URLs in the query part (as defined by [RFC3986] section 3)
• The oauth_signature parameter MUST be excluded
• Parameters are sorted by name, using lexicographical byte value ordering
Calculating The Signature (Authorization Header)

```http
GET /oauth/request_token HTTP/1.1
User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10)
Host: api.netflix.com
Accept: */*
Authorization: OAuth oauth_callback="http%3A%2F%2Fwww.example.com%2Fcallback", oauth_consumer_key="1234567890123456789012345", oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e", oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1255631744", oauth_version="1.0"
```
Calculating The Signature
Create the signing key (the token secret is empty at this step, so the key ends with the "&" separator):

```
<consumer secret>&<token secret>
1234567890123456789012345&
```

Sign the Base String using the algorithm specified in oauth_signature_method:

```
HMAC-SHA1(key = "1234567890123456789012345&", text = <Base String>)
```

Base64 encode, then URL encode the result:

```
oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
```
Step 1: Obtaining a Request Token (Response)

```
oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_token_secret=EZ2mBk6rC2vZ
&oauth_callback_confirmed=true
&login_url=https%3A%2F%2Fapi-user.netflix.com%2Foauth%2Flogin
```
Step 2: User Authentication
Determined by needs of Service Provider
User is redirected to https://api-user.netflix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
Step 2: User Authentication
Determined by needs of Service Provider
Callback to the Consumer carries the token and the verifier:

```
oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifier=abcdefg
```
Step 2: User Authentication
Determined by needs of Service Provider
OAuth Trust
A Matter of Trust
Step 3: Obtaining an Access Token
Consumer sends a signed request to http://api.netflix.com/oauth/access_token
Service Provider returns an Access Token & Secret
Step 3: Obtaining an Access Token

```
http://api.netflix.com/oauth/access_token?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a
&oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255704433
&oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_verifier=abcdefg
&oauth_version=1.0
```
Calculating The Signature
Calculate Base String:

```
<HTTP method>&<canonicalized URL path>&<parameters>
```

```
GET&http%3A%2F%2Fapi.netflix.com%2Foauth%2Faccess_token&oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255704433%26oauth_token%3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifier%3Dabcdefg%26oauth_version%3D1.0
```
Calculating The Signature
Create the signing key (this time the Request Token secret from Step 1 follows the "&"):

```
<consumer secret>&<token secret>
1234567890123456789012345&EZ2mBk6rC2vZ
```

Sign the Base String using the algorithm specified in oauth_signature_method:

```
HMAC-SHA1(key = "1234567890123456789012345&EZ2mBk6rC2vZ", text = <Base String>)
```

Base64 encode, then URL encode the result:

```
oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
```
Step 3: Obtaining an Access Token (Response)

```
oauth_token=5432109876543210987654321
&user_id=123myuserid456
&oauth_token_secret=543210987654321
```
Accessing Resources
Consumer sends a signed request to http://api.netflix.com/<path to resource>
Service Provider returns the Resource
Accessing Resources

```
http://api.netflix.com/users/123myuserid456/queues?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2
&oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255712310
&oauth_token=5432109876543210987654321
&oauth_version=1.0
&v=1.5
```
Calculating The Signature
Create the signing key (now using the Access Token secret from Step 3):

```
<consumer secret>&<token secret>
1234567890123456789012345&543210987654321
```

Sign the Base String using the algorithm specified in oauth_signature_method:

```
HMAC-SHA1(key = "1234567890123456789012345&543210987654321", text = <Base String>)
```

Base64 encode, then URL encode the result:

```
oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
```
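The three "Calculating The Signature" slides (Step 1, Step 3 and the resource request) all run the same procedure, differing only in the token secret appended to the key. The following Python is an added example, not code from the slides or from the Netflix API: it builds the base string, signs it with HMAC-SHA1, and adds the Service Provider side of the check that the slides do not show (constant-time comparison, a timestamp window and a nonce store against replay). It assumes parameters are passed already URL-decoded and, as the slides do, uses the consumer key value as the consumer secret; the nonce store is a constructed in-memory stand-in.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def pct(s):
    """RFC 3986 percent-encoding: only A-Za-z0-9 - . _ ~ are left unescaped."""
    return quote(str(s), safe="")

def signature_base_string(method, url, params):
    """<HTTP method>&<canonicalized URL>&<normalized parameters>; oauth_signature
    is excluded and the rest are sorted by (encoded) name, then value."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with <consumer secret>&<token secret>
    (token secret empty in Step 1). Returns the base64 value; pct() it when sending."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

SEEN_NONCES = set()  # constructed stand-in for the provider's persistent nonce store

def verify(method, url, params, consumer_secret, token_secret="", now=None, window=300):
    """Service Provider check: fresh timestamp, unused nonce, constant-time signature compare."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window:  # stale or future-dated request
        return False
    replay_key = (params.get("oauth_consumer_key"), params.get("oauth_token", ""), params.get("oauth_nonce"), ts)
    if replay_key in SEEN_NONCES:  # same nonce seen again for this consumer/token
        return False
    expected = sign(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    SEEN_NONCES.add(replay_key)
    return True

REQUEST_TOKEN_URL = "http://api.netflix.com/oauth/request_token"
STEP1_PARAMS = {  # the Step 1 request parameters shown on the slides
    "oauth_callback": "http://www.example.com/callback",
    "oauth_consumer_key": "1234567890123456789012345",
    "oauth_nonce": "3eb496472d2a46ceb71d65fc1b7341ae359f932c",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1255631744",
    "oauth_version": "1.0",
}
```

Passing "EZ2mBk6rC2vZ" or "543210987654321" as token_secret reproduces the Step 3 and resource-request keys from the slides.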
Accessing Resources (Response)

```xml
<?xml version="1.0" standalone="yes"?>
<resource>
  <link href="http://api.netflix.com/users/123myuserid456/queues/disc"
        rel="http://schemas.netflix.com/queues.disc" title="disc queue" />
  <link href="http://api.netflix.com/users/123myuserid456/queues/instant"
        rel="http://schemas.netflix.com/queues.instant"
        title="instant queue" />
</resource>
```
Managing Access Tokens
2-Legged OAuth
• No Dance Required
• Only Consumer Key and Secret required
• Application making requests on its own behalf
• Direct Access / No Delegation
• Replacement for HTTP Basic Authentication
• Sign requests just as if they were requests for Request Tokens (no token, so the signing key is <consumer secret>& with an empty token secret)
Authorization with OAuth
Rob Richards
http://xri.net/=rob.richards
www.cdatazone.org
Questions?