Intro to OAuth


Introduction to OAuth talk that I gave at True North PHP

Intro to OAuth

Matt Frost

@shrtwhitebldguy https://joind.in/12717

Who Am I?

• Community Member

• Author

• OSS Contributor

• Mentoring Proponent

• Podcast co-host

What is OAuth?

Tokens

Statelessness

Applications have tokens too

So what you’re saying is…

Yep!

Tokens can be stolen though

This is bad

Good news though!

There are different versions

Technically OAuth 1 is deprecated

Just like the mysql extension

You’re probably going to run into it at some point anyway…

So here’s the plan

OAuth 1.0 Client

So we need tokens, right?

Token Definitions

Consumer Tokens

Temporary Credentials

Access Tokens

Token Request Flow

Super simple right?

https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

Let’s break this down, eh?

You need an application

Request the temporary tokens

If you signed it right…

You’ll have temporary credentials

You now use these to request Access Tokens

If you sign that request right…

You’ll have your actual Access Tokens!

You can store them in a session or database and use them now!

Remember all that signing talk?

This is the hardest part…

Base String

<?php

$params = [
    'oauth_nonce' => $this->getNonce(),
    'oauth_callback' => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp' => time(),
    'oauth_consumer_key' => $this->getConsumerKey(),
    'oauth_token' => '',
    'oauth_version' => '1.0',
];

<?php

$params = [
    'oauth_nonce' => $this->getNonce(),
    'oauth_callback' => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp' => time(),
    'oauth_consumer_key' => $this->getConsumerKey(),
    'oauth_token' => '',
    'oauth_version' => '1.0',
    'oauth_verifier' => 'xxxxxxxxx',
];

If you have an OAuth Verifier

HTTP Method and URI

Let’s see how this actually works

<?php
$httpMethod = 'POST';
$uri = 'http://api.example.com/request_tokens';

$params = [
    'oauth_nonce' => $this->getNonce(),
    'oauth_callback' => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp' => time(),
    'oauth_consumer_key' => $this->getConsumerKey(),
    'oauth_token' => '',
    'oauth_version' => '1.0',
];

// Parameters are sorted by key and joined as key=value pairs
$tempArray = [];
ksort($params);
foreach ($params as $key => $value) {
    $tempArray[] = $key . '=' . rawurlencode($value);
}

// Base string = METHOD & encode(uri) & encode(parameter string); RFC 5849
// percent-encodes the whole parameter string once more, so the '=' and '&'
// inside it become %3D and %26
$baseString = $httpMethod . '&';
$baseString .= rawurlencode($uri) . '&';
$baseString .= rawurlencode(implode('&', $tempArray));

Composite Key

This is way easier…

Cram the 2 secrets together…

$consumerSecret = 'VERYSECRETZ';
$accessSecret = 'SUCHSECURITY';

// The access (token) secret is empty when requesting temporary credentials,
// but the '&' separator is still required
$compositeKey = rawurlencode($consumerSecret) . '&' . rawurlencode($accessSecret);

Signing with HMAC-SHA1

$signature = base64_encode(hash_hmac(
    'sha1',
    $baseString,
    $compositeKey,
    true
));

Here’s your signature!

There are other signature types but…

However…

Authorization Header

$params = [
    'oauth_nonce' => $this->getNonce(),
    'oauth_callback' => $this->getCallback(),
    'oauth_signature_method' => $this->getSignatureMethod(),
    'oauth_timestamp' => time(),
    'oauth_consumer_key' => $this->getConsumerKey(),
    'oauth_token' => '',
    'oauth_version' => '1.0',
];

$params['oauth_signature'] = $signature;

You probably remember this array?

$header = 'Authorization: OAuth ';
$tempArray = [];

// Each value is percent-encoded and wrapped in double quotes
foreach ($params as $key => $value) {
    $tempArray[] = $key . '="' . rawurlencode($value) . '"';
}

$header .= implode(', ', $tempArray);

We’ve seen similar code before…

Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"

This is the final result

Whew! That was some work
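The whole OAuth 1.0 signing chain from the slides above (base string, composite key, HMAC-SHA1 signature, Authorization header) in one runnable piece, as an added example that is not code from the talk. It follows RFC 5849 rather than the slide fragments exactly: parameters in the URL's query string are signed too, sorting is by encoded key then value, and a server-side verifier with a constant-time comparison is included. The consumer key, secrets, nonce and URL are constructed placeholders.

```php
<?php
// Added example, not code from the talk: the whole OAuth 1.0 HMAC-SHA1 signing
// chain (base string, composite key, signature, header) as RFC 5849 specifies it,
// plus the server-side check. Consumer key, secrets and URL are constructed placeholders.
function oauthBaseString(string $method, string $url, array $params): string
{
    $u = parse_url($url);
    if (!empty($u['query'])) {              // query-string parameters are signed too (RFC 5849 3.4.1.3)
        parse_str($u['query'], $fromQuery);
        $params = array_merge($params, $fromQuery);
    }
    $baseUrl = strtolower($u['scheme'] . '://' . $u['host']) . ($u['path'] ?? '/');
    $pairs = [];
    foreach ($params as $k => $v) {         // encode first, then sort by key and by value (byte order)
        $pairs[] = [rawurlencode((string) $k), rawurlencode((string) $v)];
    }
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    // the parameter string is percent-encoded once more when it joins the base string
    return strtoupper($method) . '&' . rawurlencode($baseUrl) . '&' . rawurlencode($normalized);
}
function oauthSignature(string $baseString, string $consumerSecret, string $tokenSecret): string
{
    $compositeKey = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret); // '' token secret is fine
    return base64_encode(hash_hmac('sha1', $baseString, $compositeKey, true));
}
function oauthAuthorizationHeader(array $params): string
{
    $parts = [];
    foreach ($params as $k => $v) {
        $parts[] = rawurlencode($k) . '="' . rawurlencode((string) $v) . '"';
    }
    return 'Authorization: OAuth ' . implode(', ', $parts);
}
// Server side: recompute from the received parameters and compare in constant time.
function oauthVerify(string $method, string $url, array $received, string $consumerSecret, string $tokenSecret): bool
{
    $unsigned = array_diff_key($received, ['oauth_signature' => true]);
    $expected = oauthSignature(oauthBaseString($method, $url, $unsigned), $consumerSecret, $tokenSecret);
    return hash_equals($expected, (string) ($received['oauth_signature'] ?? ''));
}
$url = 'http://api.example.com/request_tokens';     // constructed
$params = [
    'oauth_consumer_key' => 'CONSUMER_KEY_PLACEHOLDER', 'oauth_nonce' => bin2hex(random_bytes(16)),
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => (string) time(), 'oauth_version' => '1.0',
];
$params['oauth_signature'] = oauthSignature(oauthBaseString('POST', $url, $params), 'VERYSECRETZ', '');
echo oauthAuthorizationHeader($params), PHP_EOL;
var_dump(oauthVerify('POST', $url, $params, 'VERYSECRETZ', ''));   // bool(true)
```

A real verifier would additionally reject timestamps outside a window and nonces it has already seen for that key, which is what stops a captured header from being replayed.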

OAuth 2 Client

Good news!

No signatures

Must use SSL/TLS

Consumer Credentials

Access Token

Grants

Authorization Code Grant

Authorization example - Foursquare

http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=code&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

Token Request

http://oauth.dev/examples/Foursquare/callback.php?code=<CODE>

https://foursquare.com/oauth2/access_token?client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&code=<CODE>&callback=http://oauth.dev/examples/Foursquare/callback.php&grant_type=authorization_code

If you can use this, you should
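The authorization code grant above as a two-step PHP client, added here as an example that is not code from the talk. The endpoints are the Foursquare URLs from the slides and the client id and secret are placeholders; the token request is sent as a POST carrying redirect_uri (the form RFC 6749 section 4.1.3 specifies, assumed to be accepted by the provider), and the state check from RFC 6749 section 10.12 is an addition not shown on the slides.

```php
<?php
// Added example, not code from the talk: the authorization code grant above as a PHP
// client in two steps. Endpoints are the Foursquare URLs from the slides; client id and
// secret are placeholders; the token request is sent as a POST with redirect_uri, the
// form RFC 6749 4.1.3 specifies; the 'state' check (RFC 6749 10.12) is added here.
session_start();
const AUTHORIZE_URL = 'https://foursquare.com/oauth2/authenticate';
const TOKEN_URL     = 'https://foursquare.com/oauth2/access_token';
const CLIENT_ID     = 'CLIENT_ID_PLACEHOLDER';
const CLIENT_SECRET = 'CLIENT_SECRET_PLACEHOLDER';
const REDIRECT_URI  = 'http://oauth.dev/examples/Foursquare/callback.php';
// Step 1: build the redirect that sends the resource owner to the authorization server.
function buildAuthorizeUrl(): string
{
    $_SESSION['oauth2_state'] = bin2hex(random_bytes(16));   // unguessable, one per attempt
    return AUTHORIZE_URL . '?' . http_build_query([
        'client_id' => CLIENT_ID, 'response_type' => 'code',
        'redirect_uri' => REDIRECT_URI, 'state' => $_SESSION['oauth2_state'],
    ]);
}
// Step 2: on the callback, drop requests whose state this session did not issue,
// then exchange the code for an access token server-to-server over TLS.
function handleCallback(array $query): ?string
{
    $expected = $_SESSION['oauth2_state'] ?? '';
    unset($_SESSION['oauth2_state']);                         // single use
    if ($expected === '' || !hash_equals($expected, (string) ($query['state'] ?? ''))) {
        return null;
    }
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query([
            'client_id' => CLIENT_ID, 'client_secret' => CLIENT_SECRET,
            'code' => (string) ($query['code'] ?? ''), 'redirect_uri' => REDIRECT_URI,
            'grant_type' => 'authorization_code',
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,                       // the grant's security rests on TLS
    ]);
    $body = json_decode((string) curl_exec($ch), true);
    curl_close($ch);
    return $body['access_token'] ?? null;                     // store server-side (session or database)
}
if (isset($_GET['code'])) {
    $token = handleCallback($_GET);                           // null means the exchange was refused
} else {
    header('Location: ' . buildAuthorizeUrl());
}
```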

Implicit Grant

http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=token&redirect_uri=http://oauth.dev/examples/Foursquare/callback.php

Resource Owner Credentials Grant

Client Credentials Grant

Scopes

“Scopes” in OAuth 1

Scopes in OAuth 2

Important Note on Scopes

Provides an ACL Framework

Refresh Tokens

Same Scope

What can we do with this?

Access data from APIs

Move Authentication Elsewhere a.k.a Single Sign On

So this works everywhere right?

Well…sorta

Useful reading

OAuth 1: https://tools.ietf.org/html/rfc5849

OAuth 2: https://tools.ietf.org/html/rfc6749

Thanks! Questions?
