260 likes | 630 Views
The How of OAuth. or: How I learned to stop worrying and fall in love with Factory Joe. OAuth's Goal. Website X can access your protected data at API YAll without sharing your password off-site especially when there isn't one like with OpenID. OAuth gives you:. Signed HTTP RequestsSafe, Password-less Token Exchange.
E N D
1. The How of OAuth OAuth Hackathon – 4/26 @ Six Apart
http://icanhaz.com/oauth
2. Hi, my name is Scott Fleckenstein. I write code for GetSatisfaction.
As you can read there, im going to talk about the How of OAuth today.
It’s a bit funny I’m giving this talk, since I was skeptical about at first.
Hence the subtitle.
When I was first starting on the API, things were too early with OAuth
Libraries were still in the oven.
No sites (maybe just magnolia)
I was actually forced into it because of specific used case for our api.
Lot to get through so I’ll go a bit fast
hopefully we have some time for question
Today we’re going to talk about building OAuth into you Web App.
First I’ll give a little quick-ish overview OAuth Hi, my name is Scott Fleckenstein. I write code for GetSatisfaction.
As you can read there, im going to talk about the How of OAuth today.
It’s a bit funny I’m giving this talk, since I was skeptical about at first.
Hence the subtitle.
When I was first starting on the API, things were too early with OAuth
Libraries were still in the oven.
No sites (maybe just magnolia)
I was actually forced into it because of specific used case for our api.
Lot to get through so I’ll go a bit fast
hopefully we have some time for question
Today we’re going to talk about building OAuth into you Web App.
First I’ll give a little quick-ish overview OAuth
3. OAuth’s Goal Website X can access your protected data at API Y
All without sharing your password off-site
especially when there isn’t one like with OpenID If you’ve ever used a application the uses the Flickr API, you are familiar with what OAuth achieves
Share protected data, no password
Inspiration: Twitter wanted to implement OpenID, but their API relies on user’s having a Password
That’s the public line: *anecdote*
And that really is what OAuth is in laymens terms. It’s a means to acquire stuffed rats without having the purchase show up on your bank statement.
So lets translate that into a little more technical terms.
If you’ve ever used a application the uses the Flickr API, you are familiar with what OAuth achieves
Share protected data, no password
Inspiration: Twitter wanted to implement OpenID, but their API relies on user’s having a Password
That’s the public line: *anecdote*
And that really is what OAuth is in laymens terms. It’s a means to acquire stuffed rats without having the purchase show up on your bank statement.
So lets translate that into a little more technical terms.
4. OAuth gives you: Signed HTTP Requests
Safe, Password-less Token Exchange In Essence, OAuth gives you:
Signed HTTP Requests, signed with tokens and a shared secret and a method to
Token exchange procedure to safely get credentials around an insecure internet
As far as using OAuth, I would recommend using/contributing the existing libraries for signing requests
Constructing signatures and such are the most fiddly pieces
Most of your work will go into building token exchange process
Being a process (with a human element), the libraries can’t help as completely as with signing requestsIn Essence, OAuth gives you:
Signed HTTP Requests, signed with tokens and a shared secret and a method to
Token exchange procedure to safely get credentials around an insecure internet
As far as using OAuth, I would recommend using/contributing the existing libraries for signing requests
Constructing signatures and such are the most fiddly pieces
Most of your work will go into building token exchange process
Being a process (with a human element), the libraries can’t help as completely as with signing requests
5. The Three Actors User – My Buddy (not me)
Service Provider – Chuck E. Cheese
Consumer – 10 yr old kids So let’s talk about that process.
There are three actors involved in this little dance
The User: wants to access their data on a bunch of different websites and have them interact
The Service Provider: stores juicy bits of protected data about the user
The Consumer: wants to get at those juicy bits, without doing gross things like asking for the user’s password and scraping the SP
So let’s talk about that process.
There are three actors involved in this little dance
The User: wants to access their data on a bunch of different websites and have them interact
The Service Provider: stores juicy bits of protected data about the user
The Consumer: wants to get at those juicy bits, without doing gross things like asking for the user’s password and scraping the SP
6. The Three Tokens Access Tokens – Chuck E. Cheese Tickets
Request Tokens – Chuck E. Cheese Tokens
Consumer Keys To let the user give access to their protected data,
we leverage three credential sets (a public token, and a shared secret)
Our end goal is to get an Access Token into the consumer’s DB, which it will use to sign requests and access the User’s protected data
Request tokens are chuck e cheese token
Consumer keys don’t really fit into the analogy, but they are used to uniquely identify the consumer,
.To let the user give access to their protected data,
we leverage three credential sets (a public token, and a shared secret)
Our end goal is to get an Access Token into the consumer’s DB, which it will use to sign requests and access the User’s protected data
Request tokens are chuck e cheese token
Consumer keys don’t really fit into the analogy, but they are used to uniquely identify the consumer,
.
7. The Three URLS Request Token Issuer
Authorization Page
Access Token Exchanger After you get your head wrapped around OAuth and are an implementing machine,
you’ll only need to know 3 things to integrate OAuth.
First, the request token url is used by the consumer to get a new request token to kick start the OAuth process
As a consumer, you will redirect users to the Authorization URLs so they can authorize your application to access their data.
Flickr “Yes, allow it” page
Finally, the access token url is used by the consumer to exchange the request token authorized by the user for a permanent access token
Note, the end-user will only ever worry about the authorization url, the other two are used for server to server communications.
These three URLS must exist to be an OAuth SP, but what they actually are is up to you.
Maximum flexibility for different web frameworks.
You need to communicate these URLs to your developers
Let’s jump into the meat of it, shall we?
As a developer, you’ll only worry about either being a consumer, or being a service provider (or both!)
After you get your head wrapped around OAuth and are an implementing machine,
you’ll only need to know 3 things to integrate OAuth.
First, the request token url is used by the consumer to get a new request token to kick start the OAuth process
As a consumer, you will redirect users to the Authorization URLs so they can authorize your application to access their data.
Flickr “Yes, allow it” page
Finally, the access token url is used by the consumer to exchange the request token authorized by the user for a permanent access token
Note, the end-user will only ever worry about the authorization url, the other two are used for server to server communications.
These three URLS must exist to be an OAuth SP, but what they actually are is up to you.
Maximum flexibility for different web frameworks.
You need to communicate these URLs to your developers
Let’s jump into the meat of it, shall we?
As a developer, you’ll only worry about either being a consumer, or being a service provider (or both!)
8. Building a Consumer Let’s first build a consumer.
The sample code I’ll be working off of is in Ruby, but there are other libraries at OAuth.net, most likely for you fav language as well.
It’s worth that some of this is psuedo code, since I won’t be specific about what Web Framework we use.
Let’s first build a consumer.
The sample code I’ll be working off of is in Ruby, but there are other libraries at OAuth.net, most likely for you fav language as well.
It’s worth that some of this is psuedo code, since I won’t be specific about what Web Framework we use.
9. Get a consumer key and secret So, we aren’t quite yet into implementing OAuth in our app.
First, we’ll need to get a Consumer key and secret from the Service Provider we are intending to use.
The OAuth Core spec doesn’t define how a consumer should get a key and secret from the SP, you’ll have to find out for each service how to obtain one.
In most cases, there should be a developer’s section that you can get the credential set from.
Note: OAuth discovery, a very new standard can be used to express where you should go to get a consumer key and secret, keep an eye out for that in the future.
So, we aren’t quite yet into implementing OAuth in our app.
First, we’ll need to get a Consumer key and secret from the Service Provider we are intending to use.
The OAuth Core spec doesn’t define how a consumer should get a key and secret from the SP, you’ll have to find out for each service how to obtain one.
In most cases, there should be a developer’s section that you can get the credential set from.
Note: OAuth discovery, a very new standard can be used to express where you should go to get a consumer key and secret, keep an eye out for that in the future.
10. Simple enough, eh? First, we need to install the rubygem.
Simple enough.First, we need to install the rubygem.
Simple enough.
11. Get a Request Token So, first we configure our consumer object to help us.
We provide it with the consumer key and secret that we got from the SP
And we also configure it with the three urls provided by the SP
Behind the scenes, the ruby library then signs a call to the request token url just with the consumer key and interprets the response
In this case, the library created a RequestToken object from the response that we can use to further the processSo, first we configure our consumer object to help us.
We provide it with the consumer key and secret that we got from the SP
And we also configure it with the three urls provided by the SP
Behind the scenes, the ruby library then signs a call to the request token url just with the consumer key and interprets the response
In this case, the library created a RequestToken object from the response that we can use to further the process
12. Authorize the Request Token We’ve go the request token.
Now we need to let the user give access to our application
To do this, we redirect them into the Service providers website.
As you can see above, the RequestToken object from before gives us a helper method to get the proper url to redirect the user to.
At this point, control jumps out of your hands. The user get’s to tell the SP whether you get access or not to the protected data.
If the user says yes, you can then complete the exchange process and get an access token.
If your consumer is a WebApp, the SP will redirect back into you application so you can finish the process.
We’ve go the request token.
Now we need to let the user give access to our application
To do this, we redirect them into the Service providers website.
As you can see above, the RequestToken object from before gives us a helper method to get the proper url to redirect the user to.
At this point, control jumps out of your hands. The user get’s to tell the SP whether you get access or not to the protected data.
If the user says yes, you can then complete the exchange process and get an access token.
If your consumer is a WebApp, the SP will redirect back into you application so you can finish the process.
13. Exchange for an Access Token So now we finish the process.
As you can see here, the ruby library makes the actual exchange trivial.
Behind the scenes, it signs a request to the SP’s access_token url using the Request token and gets the response.
You’ll then want to keep this access token around, either in a file or in your database.
It will be used to make authenticated calls and get access to the protected data So now we finish the process.
As you can see here, the ruby library makes the actual exchange trivial.
Behind the scenes, it signs a request to the SP’s access_token url using the Request token and gets the response.
You’ll then want to keep this access token around, either in a file or in your database.
It will be used to make authenticated calls and get access to the protected data
14. Making Authenticated Calls Finally, we’re at the point where we can get at the protected data.
The ruby library makes it very easy to make signed requests, once you get the access token.
Behind the scenes, it is signing these requests using the AccessToken and the Consumer credentials.
This will uniquely identify the user and the consumer together so that the SP can ensure the call is allowed Finally, we’re at the point where we can get at the protected data.
The ruby library makes it very easy to make signed requests, once you get the access token.
Behind the scenes, it is signing these requests using the AccessToken and the Consumer credentials.
This will uniquely identify the user and the consumer together so that the SP can ensure the call is allowed
15. Building a Service Provider
So now let’s talk about building a service provider.
In my experience is simpler since you don’t have to manage the token exchange.
Rather you just need to implement three separate steps to be successful
On the “It’s more complex side”, you’ve got build your own database to store the various pieces of the OAuth puzzle.
So now let’s talk about building a service provider.
In my experience is simpler since you don’t have to manage the token exchange.
Rather you just need to implement three separate steps to be successful
On the “It’s more complex side”, you’ve got build your own database to store the various pieces of the OAuth puzzle.
16. Data to store Consumers:
key, secret, callback_url
Request Token:
token, secret, consumer, authorizing_user
Access Token:
token, secret, consumer, user
The data you need to save boils down to the 3 credential sets used in the process.
We store consumers to verify signed requests, but also to data about the consumer service. Things like callback urls or application descriptions, etc.
The data you need to save boils down to the 3 credential sets used in the process.
We store consumers to verify signed requests, but also to data about the consumer service. Things like callback urls or application descriptions, etc.
17. Registering Consumers The process of registering consumers on your service is entirely up to you.
It isn’t defined by the OAuth spec, but in most cases you can just have a simple registration form that collected the data you want from the consumer. The process of registering consumers on your service is entirely up to you.
It isn’t defined by the OAuth spec, but in most cases you can just have a simple registration form that collected the data you want from the consumer.
18. Issuing Request Tokens Verify using only the consumer credential
First, you need to issue request tokens from your service.
Only registered consumers should be able to get request tokens, and so the consumer signs the request with their consumer key and secret
The code shown here verifies that the call has been successfully signed with the consumer data.
The important part is that we don’t use a token; none exists at this point, we only want to confirm the identity of the consumerFirst, you need to issue request tokens from your service.
Only registered consumers should be able to get request tokens, and so the consumer signs the request with their consumer key and secret
The code shown here verifies that the call has been successfully signed with the consumer data.
The important part is that we don’t use a token; none exists at this point, we only want to confirm the identity of the consumer
19. Issuing Request Tokens Issue the request token
After we verify the request, we then issue the token.
The request token needs to be connected with the consumer, so we don’t give access to the wrong application
Also not the response format: this oauth_token and oauth_secret parameters are defined by the spec.
One piece down, two to go. After we verify the request, we then issue the token.
The request token needs to be connected with the consumer, so we don’t give access to the wrong application
Also not the response format: this oauth_token and oauth_secret parameters are defined by the spec.
One piece down, two to go.
20. Authorizing Request Tokens Ask the user to accept the authorization Sometime after you’ve issued a request token, the consumer will redirect to user into your site.
The psuedo code above reflects ideally what you would do when this happens.
If the user is logged in, ask them whether they want to allow access
The flickr “Yes, Allow it” button
If the user isn’t logged in you’ll want to let them log in first before they get to answer your questionSometime after you’ve issued a request token, the consumer will redirect to user into your site.
The psuedo code above reflects ideally what you would do when this happens.
If the user is logged in, ask them whether they want to allow access
The flickr “Yes, Allow it” button
If the user isn’t logged in you’ll want to let them log in first before they get to answer your question
21. Authorizing Request Tokens Connecting the logged in user
go back to consumer
After the user has said “Yes, I’ll allow it”, you need to do several things.
First, you assign the currently logged in user.
We do this so that when the consumer exchanges the request token for an access token we know which user to assign the access token to
Then,
You need to get the notify the consumer that it can complete the exchange and get an access token.
By default, you would redirect back into the consumer application using a url they specify in the oauth_callback parameter,
Or we use a url that was saved when the consumer was registered with your site
Or, in the case of thea desktop application, we simply notify the user to tell the consumer for us After the user has said “Yes, I’ll allow it”, you need to do several things.
First, you assign the currently logged in user.
We do this so that when the consumer exchanges the request token for an access token we know which user to assign the access token to
Then,
You need to get the notify the consumer that it can complete the exchange and get an access token.
By default, you would redirect back into the consumer application using a url they specify in the oauth_callback parameter,
Or we use a url that was saved when the consumer was registered with your site
Or, in the case of thea desktop application, we simply notify the user to tell the consumer for us
22. Exchange for an Access Token Validate using Request Token and Consumer Similar to issuing a request token, our first step to giving out an access token is first validate that the request has been signed correctly.
You can see the difference here is that we use the request token secret in addition to the consumer secret to validate the call.Similar to issuing a request token, our first step to giving out an access token is first validate that the request has been signed correctly.
You can see the difference here is that we use the request token secret in addition to the consumer secret to validate the call.
23. Exchange for an Access Token Issue the Access Token
Destroy the Request Token Our next step is to create the Our next step is to create the
24. Protecting Resources Validate Access Token
25. OAuth Hackathon – 4/26 @ Six Apart http://icanhaz.com/oauth
And that’s that!
Tomorrow we’re having a Hackathon at the Six Apart offices.
The url there is to the upcoming event.
You’re all invited, I’d love to help you guys get OAuth running in your application
I’ll hang around outside to answer questions if you’ve got them.
And that’s that!
Tomorrow we’re having a Hackathon at the Six Apart offices.
The url there is to the upcoming event.
You’re all invited, I’d love to help you guys get OAuth running in your application
I’ll hang around outside to answer questions if you’ve got them.
26. Thanks!