SlideShare a Scribd company logo

Integrating OAuth Services

Luca Mearelli
Luca Mearelli

1. The document discusses the OAuth protocol which allows secure authorization for consumers to access user data from service providers without having to share the user's credentials. 2. OAuth uses a three-step process where a consumer first requests a request token, then directs the user to authorize access, and finally exchanges the request token for an access token to access the user's data on the service provider. 3. The document provides details on OAuth parameters, signing requests, security considerations, and implementing OAuth for mobile and XMPP applications. It emphasizes that OAuth allows integration of services while maintaining user control over authorization and access to their data.

TechnologyBusiness
1 of 64
Download to read offline
Integrating services with Luca Mearelli Web2Expo - Berlin 2008
Web 2.0 means sharing data, through API
Users want to access their data using many services
Developers want to satisfy their users (and make it easy for them)
Service providers need to keep their users data secure
welcome the password antipattern
Image from http://www.codinghorror.com/blog/archives/001072.html
Passwords are precious
Stop asking them Stop the antipattern
How to delegate access?
Your valet key for the web
a play in 3 acts (to exchange authorization)
Actors on the scene User Consumer Service Provider
Prologue Where the Consumer presents himself to the Service Provider
Consumer (to Service Provider): here i am, this is what i do
consumer service provider Consumer key Consumer secret
First act Where the Consumer obtains an unauthorized Request Token
Consumer (to Service Provider): give me a request token
consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
Service Provider (to consumer): here is the request token (you can use it only once!)
service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
Second act Where the User authorizes the Request Token
Consumer (to the User): Please go to the Service Provider and authorize this request
consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
Service Provider (to the User): Do you authorize consumer to access your data?
User (to the Service Provider): YES! (or maybe NO :-) )
Service Provider (to the User): You can go back to the consumer
service providerservice provider user user consumer oauth_token (request token)
Third act Where the Consumer exchanges the Request Token for an Access Token
Consumer (to the Service Provider): Please give me the acces token for the user
consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
Service Provider (to the Consumer): here is the access token for the user
service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
Epilogue Where the consumer accesses the resources
Consumer (to the Service Provider): Here i am again on behalf of the user
consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
The details...
OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
Signature base string a consistent reproducible concatenation of the request elements into a single string
Other security measures Nonces Timestamps
Service setup OAuth discovery (XRDS)
<?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <XRDS xmlns=quot;xri://$xrdsquot;> <XRD xml:id=quot;oauthquot; xmlns:simple=quot;http://xrds-simple.net/core/1.0quot; xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
Benefits Granular authorization Easy grant and revoke Tracking of use
Many open/free libraries use them, contribute to them
Challenges
UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
Beyond the browser Mobile devices Installable applications
The sequel OAuth over XMPP
<iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
Links! http://oauth.net http://oauth.net/core/1.0/ http://code.google.com/p/oauth/ http://groups.google.com/group/oauth/ http://oauth.net/discovery/1.0
Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com

Recommended

Search Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black MagicSearch Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black Magicguestb1f3a
 
SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08Alexander Ljung
 
The web in the world
The web in the worldThe web in the world
The web in the worldTimo Arnall
 
Adding emerging Media to the marketing mix
Adding emerging Media to the marketing mixAdding emerging Media to the marketing mix
Adding emerging Media to the marketing mixDieter Rappold
 
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksElectricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksTom Raftery
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 

Recommended

Search Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black MagicSearch Engines and Flash: Secrets, Tricks, and Black Magic
Search Engines and Flash: Secrets, Tricks, and Black Magicguestb1f3a
 
SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08SoundCloud, Web2Expo 08
SoundCloud, Web2Expo 08Alexander Ljung
 
The web in the world
The web in the worldThe web in the world
The web in the worldTimo Arnall
 
Adding emerging Media to the marketing mix
Adding emerging Media to the marketing mixAdding emerging Media to the marketing mix
Adding emerging Media to the marketing mixDieter Rappold
 
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksElectricity 2.0 - Using The Lessons Of the Web To Improve Our Energy Networks
Electricity 2.0 - Using The Lessons Of the Web To Improve Our Energy NetworksTom Raftery
 
The Current State of OAuth 2
The Current State of OAuth 2The Current State of OAuth 2
The Current State of OAuth 2Aaron Parecki
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
O auth
O authO auth
O authfaisalqau
 
OAuth
OAuthOAuth
OAuthAslam Jarwar
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth loveNicolas Blanco
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
DAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxDAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxKasaTiga
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure WebservicesMatthias Käppler
 
OAuth2
OAuth2OAuth2
OAuth2SPARK MEDIA
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 

More Related Content

Viewers also liked

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 

Viewers also liked (6)

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 

Similar to Integrating OAuth Services

UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
DAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxDAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxKasaTiga
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 

Similar to Integrating OAuth Services (20)

UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
O auth
O authO auth
O auth
 
OAuth
OAuthOAuth
OAuth
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
DAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsxDAY_ONE_2017AM_SingleSignOn_II.ppsx
DAY_ONE_2017AM_SingleSignOn_II.ppsx
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
OAuth2
OAuth2OAuth2
OAuth2
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
OpenID and OAuth
OpenID and OAuthOpenID and OAuth
OpenID and OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
OAuth
OAuthOAuth
OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 

More from Luca Mearelli

And Now You Have Two Problems
And Now You Have Two ProblemsAnd Now You Have Two Problems
And Now You Have Two ProblemsLuca Mearelli
 
The anatomy of an infographic
The anatomy of an infographicThe anatomy of an infographic
The anatomy of an infographicLuca Mearelli
 
L'altra meta del web
L'altra meta del webL'altra meta del web
L'altra meta del webLuca Mearelli
 
To Batch Or Not To Batch
To Batch Or Not To BatchTo Batch Or Not To Batch
To Batch Or Not To BatchLuca Mearelli
 
A Little Backbone For Your App
A Little Backbone For Your AppA Little Backbone For Your App
A Little Backbone For Your AppLuca Mearelli
 
Controlling The Cloud With Python
Controlling The Cloud With PythonControlling The Cloud With Python
Controlling The Cloud With PythonLuca Mearelli
 
Introduzione a Ruby On Rails
Introduzione a Ruby On RailsIntroduzione a Ruby On Rails
Introduzione a Ruby On RailsLuca Mearelli
 

More from Luca Mearelli (11)

And Now You Have Two Problems
And Now You Have Two ProblemsAnd Now You Have Two Problems
And Now You Have Two Problems
 
The anatomy of an infographic
The anatomy of an infographicThe anatomy of an infographic
The anatomy of an infographic
 
L'altra meta del web
L'altra meta del webL'altra meta del web
L'altra meta del web
 
To Batch Or Not To Batch
To Batch Or Not To BatchTo Batch Or Not To Batch
To Batch Or Not To Batch
 
A Little Backbone For Your App
A Little Backbone For Your AppA Little Backbone For Your App
A Little Backbone For Your App
 
WorseSoftware
WorseSoftwareWorseSoftware
WorseSoftware
 
Controlling The Cloud With Python
Controlling The Cloud With PythonControlling The Cloud With Python
Controlling The Cloud With Python
 
Open Web
Open WebOpen Web
Open Web
 
Capistrano2
Capistrano2Capistrano2
Capistrano2
 
Wikierp
WikierpWikierp
Wikierp
 
Introduzione a Ruby On Rails
Introduzione a Ruby On RailsIntroduzione a Ruby On Rails
Introduzione a Ruby On Rails
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Integrating OAuth Services

  • 1. Integrating services with Luca Mearelli Web2Expo - Berlin 2008
  • 2. Web 2.0 means sharing data, through API
  • 3. Users want to access their data using many services
  • 4. Developers want to satisfy their users (and make it easy for them)
  • 5. Service providers need to keep their users data secure
  • 7.
  • 8.
  • 9.
  • 12. Stop asking them Stop the antipattern
  • 13. How to delegate access?
  • 14. Your valet key for the web
  • 15. a play in 3 acts (to exchange authorization)
  • 16. Actors on the scene User Consumer Service Provider
  • 17. Prologue Where the Consumer presents himself to the Service Provider
  • 18. Consumer (to Service Provider): here i am, this is what i do
  • 19. consumer service provider Consumer key Consumer secret
  • 20.
  • 21. First act Where the Consumer obtains an unauthorized Request Token
  • 22. Consumer (to Service Provider): give me a request token
  • 23. consumer service provider oauth_consumer_key oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • 24. Service Provider (to consumer): here is the request token (you can use it only once!)
  • 25. service provider consumer oauth_token (request token) oauth_token_secret [additional parameters]
  • 26.
  • 27. Second act Where the User authorizes the Request Token
  • 28. Consumer (to the User): Please go to the Service Provider and authorize this request
  • 29. consumer user service provider oauth_token (request token) oauth_callback [additional parameters]
  • 30. Service Provider (to the User): Do you authorize consumer to access your data?
  • 31.
  • 32. User (to the Service Provider): YES! (or maybe NO :-) )
  • 33. Service Provider (to the User): You can go back to the consumer
  • 34. service providerservice provider user user consumer oauth_token (request token)
  • 35. Third act Where the Consumer exchanges the Request Token for an Access Token
  • 36. Consumer (to the Service Provider): Please give me the acces token for the user
  • 37. consumer service provider oauth_consumer_key oauth_token (request token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • 38. Service Provider (to the Consumer): here is the access token for the user
  • 39. service provider consumer oauth_token (access token) oauth_token_secret [additional parameters]
  • 40.
  • 41. Epilogue Where the consumer accesses the resources
  • 42. Consumer (to the Service Provider): Here i am again on behalf of the user
  • 43. consumer service provider oauth_consumer_key oauth_token (access token) oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) [additional parameters]
  • 44.
  • 46. OAuth parameters exchange HTTP Authorization header HTTP Post body URL query parameters
  • 47. Request signing algorithm PLAINTEXT HMAC-SHA1 RSA-SHA1
  • 48. Signature base string a consistent reproducible concatenation of the request elements into a single string
  • 49. Other security measures Nonces Timestamps
  • 51. <?xml version=quot;1.0quot; encoding=quot;UTF-8quot;?> <XRDS xmlns=quot;xri://$xrdsquot;> <XRD xml:id=quot;oauthquot; xmlns:simple=quot;http://xrds-simple.net/core/1.0quot; xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Expires>2008-12-31T23:59:59Z</Expires> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0/consumer-identity/static</Type> <LocalID>0685bd9184jfhq22</LocalID> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/resource</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/HMAC-SHA1</Type> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/authorize</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <URI>https://api.example.com/session/login</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/access</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/activate</URI> </Service> <Service priority=quot;10quot;> <Type>http://oauth.net/core/1.0/endpoint/request</Type> <Type>http://oauth.net/core/1.0/parameters/auth-header</Type> <Type>http://oauth.net/core/1.0/parameters/uri-query</Type> <Type>http://oauth.net/core/1.0/signature/PLAINTEXT</Type> <URI>https://api.example.com/session/request</URI> </Service> </XRD> <XRD xmlns=quot;xri://$XRD*($v*2.0)quot; version=quot;2.0quot;> <Type>xri://$xrds*simple</Type> <Service priority=quot;10quot;> <Type>http://oauth.net/discovery/1.0</Type> <URI>#oauth</URI> </Service> </XRD> </XRDS>
  • 52. Benefits Granular authorization Easy grant and revoke Tracking of use
  • 53. Many open/free libraries use them, contribute to them
  • 55. UI/UX for the Service Provider Provide basic informations to the user Ease the user’s choice Link / enable getting deeper info
  • 56. UI/UX for the Consumer Explain what’s happening Educate the user Use the right language
  • 57. Security considerations Confidentiality of Requests Spoofing, Proxying, Phishing Secrecy of credentials Cryptographic issues Denial of Service / Resource Exhaustion
  • 58. Beyond the browser Mobile devices Installable applications
  • 59.
  • 61. <iq from='travelbot@findmenow.tld/bot' id='sub1' to='feeds.worldgps.tld' type='set'> <pubsub xmlns='http://jabber.org/protocol/pubsub'> <subscribe node='bard_geoloc'/> <oauth xmlns='urn:xmpp:tmp:oauth'> <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key> <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce> <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature> <oauth_signature_method>HMAC-SHA1</oauth_signature_method> <oauth_timestamp>1218137833</oauth_timestamp> <oauth_token>ad180jjd733klru7</oauth_token> <oauth_version>1.0</oauth_version> </oauth> </pubsub> </iq>
  • 62. The morale Integrating services can be done without asking or storing the user’s credentials while at the same time gaining flexibility and control.
  • 64. Thanks for listening!! Luca Mearelli http://spazidigitali.com l.mearelli@spazidigitali.com