Introduction to OAuth 1.0a. Intend to be a preparation for reading OAuth Core 1.0 Revision A. Changelog: - 0.2: Add figures - 0.3: Some minor fixes for improving readability. In addition, add the reference which explains how to use ruby's oauth library.
Introduction to OAuth 1.0a ver 0.3
Satoru Takeuchi <[email protected]>
Introduction
● This document intends to be used as preparation for reading the specification of OAuth 1.0a [1]
  ○ OAuth 1.0a is *very complex* (at least for me) and hard to understand
  ○ Although there is the simpler OAuth 2.0, OAuth 1.0a is still used by many web services
● Some features are omitted for simplicity
  ○ e.g. out-of-band authentication
● Please let me know if you have any comments
Agenda
● What is it
● Advantages
● Processing flow
What is it
● The authorization way by which a web service (Provider) permits third-party services (Consumers) to use its functions on behalf of its users (Users)
● Basic terms

Name     | Meaning                                                                  | Typical example
Provider | An arbitrary web service                                                 | Famous SNS services like Facebook and Twitter
Consumer | A service that requires Provider's functions to implement its own function | Facebook clients and Twitter clients
User     | User of both Provider and Consumer                                       | You
Advantages
● Can reduce security risks compared with password authentication
  ○ No need to give Consumer unnecessary information and authorization

                                           | Password authentication | OAuth
The information which User gives Consumers | User ID and password    | Tokens used only for the subset of Provider's functions
Authorized Provider's functions            | All functions           | The subset of Provider's functions that Consumer requests and User permits
Processing flow
● Describe the processing flow in the following order
  a. Overview of all processes
  b. When each process is used
  c. The summary of each process
     ■ Sequence diagram
     ■ The explanation for each sequence
Processing flow: overview (actors: User, Consumer, Provider)
1) Register itself as Consumer
2) Authorize Consumer
3) Authenticate "Authorized" Consumer
4) Use Provider's functions
5) Rescind Consumer's Authorization
6) Unregister itself
When each process is used
1) Register itself as Consumer: used once per starting service of a Consumer
2) Authorize Consumer: used once per a User starting to use a Consumer
3) Authenticate "Authorized" Consumer: used once per a User starting to use a Consumer, or when the previous authentication timed out
4) Use Provider's functions: used once per a Consumer using a Provider's function
5) Rescind Consumer's Authorization: used once per a User stopping using a Consumer
6) Unregister itself: used once per stopping service of a Consumer
The summary of each process
● Describe the following processes
  a. Register a service as Consumer
  b. Authorize Consumer
  c. Authenticate "Authorized" Consumer
  d. Use Provider's function
● Don't describe the other processes
  a. How these processes are done depends very much on each Provider
Register a service as Consumer: sequence diagram (Consumer, Provider)
1) Visit Registration URI
2) List of functions exported to Consumers
3) Declare functions to use on behalf of Users
4) The information for authenticating Consumer

Register a service as Consumer
1. Consumer: Visit Provider's registration URI
2. Provider: Give the list of functions exported to Consumers
3. Consumer: Declare what kind of functions it will use, from the list of functions which Provider offers
4. Provider: Give Consumer the following tokens
  ○ consumer_key: Used for identifying Consumer
  ○ consumer_secret: Used for authenticating Consumer
Prepare to authorize Consumer: sequence diagram (Consumer, Provider)
1) Make and sign a request
2) Send the signed request
3) Authenticate Consumer
4) Give the information needed by the authorization request

Prepare to authorize Consumer
1. Consumer: Make a request from the following information
  ○ consumer_key
  ○ etc.
2. Consumer: Sign the request with consumer_secret
3. Consumer: Send the request to Provider's request token URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer
5. Provider: Give the following information to Consumer
  ○ request token: Used for identifying the authorizing request
  ○ request token secret: Used for the authorizing request
Authorize Consumer: sequence diagram (User, Consumer, Provider)
1) Redirect to Provider's authorization URI with callback URI
2) Redirected
3) Request ID/password
4) Give ID/password
5) Ask for authorizing Consumer to use the list of functions
6) Answer "Yes"
7) Redirect to callback URI with information for identifying "Authorized" Consumer
8) Redirected

Authorize Consumer
1. Consumer: Make a request with the following information
  ○ request token
  ○ Callback: URI to which User should be redirected after authorization
  ○ etc.
2. Consumer: Sign the request with request token secret
3. Consumer: Redirect User to Provider's authorization URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate User, typically with ID and password
5. Provider: Ask User whether to authorize Consumer to use a subset of Provider's functions on behalf of User
6. Provider: Give Consumer the following token
  ○ oauth_verifier: Used for identifying authorized Consumer
7. Provider: Redirect User to callback URI
Authenticate "Authorized" Consumer: sequence diagram (Consumer, Provider)
1) Make and sign a request
2) Send the signed request
3) Authenticate Consumer
4) Give the information needed for using Provider's functions

Authenticate "Authorized" Consumer
1. Consumer: Make a request from the following information
  ○ consumer_key
  ○ request token
  ○ oauth_verifier
  ○ etc.
2. Consumer: Sign the request with the key constructed from consumer_secret and request token secret
3. Consumer: Send the request to Provider's access token URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer
5. Provider: Give Consumer the following tokens
  ○ access token: Used for identifying authorized Consumer
  ○ access token secret: Used for authenticating "authorized" Consumer
Use Provider's functions: sequence diagram (User, Consumer, Provider)
1) Use Consumer's function
2) Make and sign a request
3) Send the signed request to Provider's API URI
4) Authenticate Consumer
5) Execute the requested function
6) Return the result
7) Return the result

Use Provider's functions
1. User: Use a Consumer's function that requires Provider's function
2. Consumer: Make a request from the following information
  ○ API's parameters
  ○ access token
  ○ etc.
3. Consumer: Sign the request with the key constructed from consumer_secret and access token secret
4. Consumer: Send the request to Provider's API URI
5. Provider: Authenticate Consumer
6. Provider: Execute the requested function
7. Provider: Give the result of the API call to Consumer
8. Consumer: Achieve its function with the result
References
● [1] OAuth Core 1.0 Revision A
  ○ http://oauth.net/core/1.0a
● [2] Zero to Hero ~ The LinkedIn OAuth Dance by Taylor Singletary
  ○ http://www.slideshare.net/episod/linkedin-oauth-zero-to-hero
● [3] OAuth Ruby example
  ○ http://wiki.openstreetmap.org/wiki/OAuth_ruby_examples