Intro to OAuth
by mfrost503
Transcript of Intro to OAuth
Who Am I?
• Community Member
• Author
• OSS Contributor
• Mentoring Proponent
• Podcast co-host
What is OAuth?
Tokens
Statelessness
Applications have tokens too
So what you’re saying is…
Yep!
Tokens can be stolen though
This is bad
Good news though!
There are different versions
Technically OAuth 1 is deprecated
Just like the mysql extension
You’re probably going to run into it at some point anyway….
So here’s the plan
OAuth 1.0 Client
So we need tokens, right?
Token Definitions
Consumer Tokens
Temporary Credentials
Access Tokens
Token Request Flow
Super simple right?
https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
Let’s break this down, eh?
You need an application
Request the temporary tokens
If you signed it right…
You’ll have temporary credentials
You now use these to request Access Tokens
If you sign that request right…
You’ll have your actual Access Tokens!
You can store them in a session or database and use them now!
Remember all that signing talk?
This is the hardest part…
Base String
<?php
$params = [
    'oauth_nonce'            => $this->getNonce(),
    'oauth_callback'         => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp'        => time(),
    'oauth_consumer_key'     => $this->getConsumerKey(),
    'oauth_token'            => '',
    'oauth_version'          => '1.0',
];
<?php
$params = [
    'oauth_nonce'            => $this->getNonce(),
    'oauth_callback'         => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp'        => time(),
    'oauth_consumer_key'     => $this->getConsumerKey(),
    'oauth_token'            => '',
    'oauth_version'          => '1.0',
    'oauth_verifier'         => 'xxxxxxxxx',
];
If you have an OAuth Verifier
HTTP Method and URI
Let’s see how this actually works
<?php
$httpMethod = 'POST';
$uri = 'http://api.example.com/request_tokens';

$params = [
    'oauth_nonce'            => $this->getNonce(),
    'oauth_callback'         => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp'        => time(),
    'oauth_consumer_key'     => $this->getConsumerKey(),
    'oauth_token'            => '',
    'oauth_version'          => '1.0',
];

// Normalize the parameters: percent-encode each key and value,
// sort by key, and join the pairs with '&'
$tempArray = [];
ksort($params);
foreach ($params as $key => $value) {
    $tempArray[] = rawurlencode($key) . '=' . rawurlencode($value);
}

// Base string = METHOD & encode(URI) & encode(normalized parameters)
// RFC 5849 §3.4.1 encodes the whole parameter string a second time,
// so the '=' and '&' inside it appear as %3D and %26 in the base string
$baseString = $httpMethod . '&';
$baseString .= rawurlencode($uri) . '&';
$baseString .= rawurlencode(implode('&', $tempArray));
Composite Key
This is way easier…
Cram the 2 secrets together…
$consumerSecret = 'VERYSECRETZ';
$accessSecret   = 'SUCHSECURITY';   // empty string while you only hold consumer credentials

// Both halves are percent-encoded; the '&' stays even when the token secret is empty
$compositeKey = rawurlencode($consumerSecret) . '&' . rawurlencode($accessSecret);
Signing with HMAC-SHA1
$signature = base64_encode(hash_hmac(
    'sha1',
    $baseString,
    $compositeKey,
    true            // raw binary digest, then base64-encoded
));
Here’s your signature!
There are other signature types but…
However…
Authorization Header
$params = [
    'oauth_nonce'            => $this->getNonce(),
    'oauth_callback'         => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp'        => time(),
    'oauth_consumer_key'     => $this->getConsumerKey(),
    'oauth_token'            => '',
    'oauth_version'          => '1.0',
];

$params['oauth_signature'] = $signature;
You probably remember this array?
$header = 'Authorization: OAuth ';
$tempArray = [];

// Each pair is rendered as key="encoded value"; note the closing quote
foreach ($params as $key => $value) {
    $tempArray[] = rawurlencode($key) . '="' . rawurlencode($value) . '"';
}

$header .= implode(', ', $tempArray);
We’ve seen similar code before…
Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"
This is the final result
Whew! That was some work
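As an added worked example (not code from the slides), here is the whole OAuth 1.0 client signing procedure from the preceding slides in one self-contained PHP script: base string construction that also folds in query-string parameters, HMAC-SHA1 signing with the composite key, building the Authorization header, and the provider-side check that rejects a request whose signed parameters were altered. The function names are my own; the request and credentials are modelled on the example in RFC 5849 §1.2 (linked under "Useful reading" below), and oauth_callback/oauth_verifier are omitted because this is a signed resource request rather than a token request.

```php
<?php
// Added example: OAuth 1.0 HMAC-SHA1 signing and verification per RFC 5849 §3.4.
// Helper names are illustrative; only built-in PHP functions are used.

function oauthEncode(string $value): string
{
    // RFC 5849 §3.6 percent-encoding; rawurlencode() produces exactly this form
    return rawurlencode($value);
}

function normalizeParameters(array $params): string
{
    // Encode first, then sort by encoded key (then value), then join with '&'
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = [oauthEncode((string)$key), oauthEncode((string)$value)];
    }
    usort($pairs, fn($a, $b) => [$a[0], $a[1]] <=> [$b[0], $b[1]]);
    return implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
}

function signatureBaseString(string $method, string $url, array $oauthParams): string
{
    // Base string URI: lowercase scheme://host[:port]/path, no query, default ports dropped
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    $port   = $parts['port'] ?? null;
    $baseUrl = $scheme . '://' . $host;
    if ($port !== null && !(($scheme === 'http' && $port === 80) || ($scheme === 'https' && $port === 443))) {
        $baseUrl .= ':' . $port;
    }
    $baseUrl .= $parts['path'] ?? '/';

    // Query-string parameters are part of the signed set; oauth_signature never is
    $all = $oauthParams;
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $queryParams);
        $all = array_merge($queryParams, $all);
    }
    unset($all['oauth_signature']);

    return strtoupper($method) . '&' . oauthEncode($baseUrl) . '&' . oauthEncode(normalizeParameters($all));
}

function hmacSha1Signature(string $baseString, string $consumerSecret, string $tokenSecret): string
{
    // Composite key: encoded consumer secret & encoded token secret (token secret may be '')
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

function authorizationHeader(array $oauthParams, string $signature): string
{
    $oauthParams['oauth_signature'] = $signature;
    ksort($oauthParams);
    $pairs = [];
    foreach ($oauthParams as $key => $value) {
        $pairs[] = oauthEncode($key) . '="' . oauthEncode($value) . '"';
    }
    return 'Authorization: OAuth ' . implode(', ', $pairs);
}

function verifySignature(string $method, string $url, array $oauthParams,
                         string $consumerSecret, string $tokenSecret, string $presented): bool
{
    // Provider side: recompute from the received request and compare in constant time
    $expected = hmacSha1Signature(signatureBaseString($method, $url, $oauthParams), $consumerSecret, $tokenSecret);
    return hash_equals($expected, $presented);
}

// Request modelled on RFC 5849 §1.2 (sample credentials, not real ones)
$method = 'GET';
$url    = 'http://photos.example.net/photos?file=vacation.jpg&size=original';
$oauthParams = [
    'oauth_consumer_key'     => 'dpf43f3p2l4k3l03',
    'oauth_token'            => 'nnch734d00sl2jdk',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '137131202',
    'oauth_nonce'            => 'chapoH',
];
$consumerSecret = 'kd94hf93k423kf44';
$tokenSecret    = 'pfkkdhi9sl3r4s00';

$base = signatureBaseString($method, $url, $oauthParams);
$sig  = hmacSha1Signature($base, $consumerSecret, $tokenSecret);
echo $base, "\n";
echo authorizationHeader($oauthParams, $sig), "\n";

// Untouched request verifies; changing a signed query parameter does not
var_dump(verifySignature($method, $url, $oauthParams, $consumerSecret, $tokenSecret, $sig));
var_dump(verifySignature($method, str_replace('original', 'thumbnail', $url), $oauthParams, $consumerSecret, $tokenSecret, $sig));
```

Two design points worth noticing: the query-string parameters (file, size) are signed but never appear in the Authorization header, and the provider compares signatures with hash_equals rather than ==, so a timing difference does not leak how many leading bytes of a guessed signature were right.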
OAuth 2 Client
Good news!
No signatures
Must use SSL/TLS
Consumer Credentials
Access Token
Grants
Authorization Code Grant
Authorization example - Foursquare
http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=code&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php
Token Request
http://oauth.dev/examples/Foursquare/callback.php?code=<CODE>
https://foursquare.com/oauth2/access_token?client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&code=<CODE>&callback=http://oauth.dev/examples/Foursquare/callback.php&grant_type=authorization_code
If you can use this, you should
Implicit Grant
http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=token&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php
Resource Owner Credentials Grant
Client Credentials Grant
Scopes
“Scopes” in OAuth 1
Scopes in OAuth 2
Important Note on Scopes
Provides an ACL Framework
Refresh Tokens
Same Scope
What can we do with this?
Access data from APIs
Move Authentication Elsewhere a.k.a Single Sign On
So this works everywhere right?
Well…sorta
Useful reading
OAuth 1: https://tools.ietf.org/html/rfc5849
OAuth 2: https://tools.ietf.org/html/rfc6749
Thanks! Questions?