Implementing OAuth

50 %
50 %
Information about Implementing OAuth

Published on May 22, 2008

Author: leahculver



Workshop on OAuth from MeshU 2008 in Toronto. The basics of OAuth API authentication are covered in this talk as well as some implementation examples.

OAuth Practical Implementation

Pownce and OAuth • Pownce launched (June 2007) • developers wanted an API • became involved with OAuth (Aug 2007) • public read-only API (Oct 2007) • full API with OAuth (Mar 2008) • 200+ apps built on Pownce API

Me and OAuth • an author of the specification • wrote first library (Python) • maintain Python library • maintain Pownce API OAuth implementation

What is OAuth? A simple open standard for secure API authentication.

The (API) Love Triangle End User Web Service 3rd Party App “Service Provider” “Consumer Application” Pownce AIM bot

Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site

Just like... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others...

Who is involved?

Who is it for? • Serviceauthorizationhavecertain functions Providers - an web API that needs for • Consumers -encourages) OAuth that want to use an API requires (or

Goals: Be Simple • standard for website API authentication • consistent for developers • easy for end users to understand * * this is hard

Goals: Be Secure • secure for end users • easy to implement security features for website developers • 3rd party developers don’t have access to passwords • balance security with ease of use

Goals: Be Open • any website can implement OAuth • any 3rd party developer can use OAuth • open source client libraries • community-designed technical specifications

Goals: Be Flexible • authentication method agnostic • users don’t need a username and password • can use OpenID (or not!) • whatever auth works best for the service • 3rd party developers don’t handle auth

Is OAuth different from OpenID? Yes. (short answer)

Is OAuth different from OpenID? OpenID - user identification by provider URL, login on provider site. OAuth - API authorization and permissions, any form of user identification, login on provider site. (medium answer)

Is OAuth different from OpenID? explanation-difference-between-openid-and-oauth/ (long answer)

What the end user sees... Web Consumer Ma.gnolia and Nsyght I’d like to search my Ma.gnolia bookmarks via social search engine Nsyght.

OMG! Need to log in!

Login with service provider service provider’s site! alternative login method not username/password



Web flow Request Token! Nsyght Ma.gnolia API calls asks for request token returns request token ...

Authorize! user sent http redirect to ma.gnolia with request token in URL user logs in and/or authorizes nsyght redirected back ... to nsyght with (authorized) ... request token Nsyght Ma.gnolia

Access Token! ask for access API calls token with authorized request token request token exchanged for access token nsyght stores access token Nsyght Ma.gnolia

use the access token... by Blaine Cook

What the end user sees... Desktop Consumer Pownce and PownceAIM I’d like to get alerts about new Pownce notes via AIM.

OMG! Need to log in!

Login with service provider service provider’s site!

Authorize click “Okay!”

Authorized! Return to desktop app.

Desktop flow Request Token! PownceAIM Pownce API calls asks for request token returns request token ...

Authorize! user sent user follows link to Pownce with request token in URL user logs in and/or authorizes PownceAIM user tells ... PownceAIM that auth is ... complete PownceAIM Pownce

Access Token! ask for access API calls token with authorized request token request token exchanged for access token PownceAIM stores access token PownceAIM Pownce

Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources

OAuth Setup • Service provider gives documentation of authorization URLs and methods • Consumer registers an application with the service provider

Service Provider Documentation • Request token endpoint • Authorization endpoint • Access token endpoint • Accepted request method(s) (GET, POST, PUT, etc...) • Signature method(s) • Extra parameters (non-oauth) • Any specific notes about OAuth for that provider

Pownce API Documentation

Register a Consumer Application • Consumer gives service provider data about the application (name, creator, url etc...) • Service provider assigns the application a consumer key and consumer secret

Registering a Fire Eagle Application consumer app sign up page

Registering a Fire Eagle Application Done! oooh!

OAuth Objects - Consumer consumer key • assigned during consumer registration • passed as a request parameter consumer secret • assigned during consumer registration • used for signing (e.g. HMAC-SHA1)

OAuth Objects - Consumer

OAuth Objects - Token token key • unique string granted by service provider • passed as a request parameter • same variable name (oauth_token_key) for both request and access type tokens token secret • also granted by service provider • same variable name (oauth_token_secret) for both request and access type tokens

OAuth Objects - Token

OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce • oauth_version

Where is this information passed? (in order of preference) • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters

Timestamp and Nonce oauth_timestamp • seconds since Unix epoch (unless otherwise specified by service provider) • must be equal or greater than previous request oauth_nonce • random string per timestamp / request • attempt to stop replay attacks

Signing Requests oauth_signature_method • HMAC-SHA1 • RSA-SHA1 • PLAINTEXT oauth_signature • string constructed according to the chosen signature method

Signing Requests

Signature Methods HMAC-SHA1 • construct thewith a ‘&’: base string by joining signature the following 1. http request method (e.g. GET) 2. http url (endpoint url) 3. normalized request parameters (sorted by name) • key = encoded consumer secret and token secret separated by an ‘&’

Signature Methods HMAC-SHA1

Signature Methods HMAC-SHA1 Example base string: GET & &oauth_consumer_key%3Dnbe958225r999a706d1u4qgwx2nx9e8j %26oauth_nonce%3DD81FBEDC-1050-40EE- B899-21A1E07C4EC5 %26oauth_signature_method%3DHMAC-SHA1 %26oauth_timestamp%3D1211254098 %26oauth_token%3D0qic7f318nj42ogm %26oauth_version%3D1.0 Example signature: oauth_signature=quot;UFHiNYSf++3N18oTZ864IAGlvxU%3Dquot;

Signature Methods PLAINTEXT • should be used over a secure channel (SSL) • no base string • url-encoded consumer ‘&’ and token secret secret separated by an

Signature Methods PLAINTEXT Ex: oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3

Signature Methods RSA-SHA1 • sign signature base string private key and with Consumer’s RSA the • verify with Consumer’s RSA public key • same signature base string as HMAC-SHA1 • still in development for most OAuth libraries

Big Fatty Example PownceAIM and Pownce warning: screen shots might not match text.

PownceAIM Pownce API call asks for request token Authorization: OAuth realm=quot;;, oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, oauth_signature_method=quot;HMAC-SHA1quot;, oauth_signature=quot;7A4blmAxXMDPmCQuTBR4CocpdNo%3Dquot;, oauth_timestamp=quot;1211257266quot;, oauth_nonce=quot;9BD703ED-EBA0-4B79-B9F2-AA09C9945D4Bquot;, oauth_version=quot;1.0quot; returns request token oauth_token_secret=f23dzf5l79o2q23y&oauth_token=3fjay66o4x78j4c8

PownceAIM Pownce user follows link user sent user logs in to Pownce with and/or authorizes request token in PownceAIM URL

let’s pretend the user is logged in to the Pownce site click “Okay!”

PownceAIM cue to PownceAIM that request token has been user tells PownceAIM authorized that auth is complete

PownceAIM Pownce API calls ask for access Authorization: OAuth realm=quot;;, token with oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, authorized oauth_token=quot;3fjay66o4x78j4c8quot;, oauth_signature_method=quot;HMAC-SHA1quot;, request token oauth_signature=quot;6A87eXJ8MimMnCHfRM1hedEPHG4%3Dquot;, oauth_timestamp=quot;1211258114quot;, oauth_nonce=quot;F85482A6-B1BC-4580-95B2-0E51300CBEF7quot;, oauth_version=quot;1.0quot; request token PownceAIM stores exchanged for access token access token oauth_token_secret=3w6z92eb1s86a48t&oauth_token=oixvd0538vmw3hm2

PownceAIM Pownce API calls ask for Authorization: OAuth realm=quot;;, protected resource oauth_consumer_key=quot;nbe958225r999a706d1u4qgwx2nx9e8jquot;, oauth_token=quot;oixvd0538vmw3hm2quot;, (note list) oauth_signature_method=quot;HMAC-SHA1quot;, oauth_signature=quot;YXQ%2Fq3B1ZR4XOQf8bwSMh+tcSL8%3Dquot;, oauth_timestamp=quot;1211258746quot;, oauth_nonce=quot;DE648679-003B-42B5-806A-F185D0714EEBquot;, oauth_version=quot;1.0quot; <?xml version=quot;1.0quot; encoding=quot;utf-8quot;?> return API <notes> <note> data <body>Check out my website Leah!</body> <permalink></permalink> <sender> <user> <username>iamcal</username> ...

Managing Tokens • request token expiration • access token expiration • end user token management

Token Management

HTTP Errors • 400 Bad Request • unsupported parameter • unsupported signature method • missing required parameter • duplicate OAuth parameter • 401 Unauthorized • invalid consumer key • invalid / expired token • invalid signature (signature does not match) • invalid / used nonce

Common Errors • signature does not match • providers can show expected base string • token is invalid • expired? wrong type of token? • request token unauthorized • user needs to login to authorize the request token

Testing Tools • web-based test server and client by Andy Smith ( • Endpointr, mac desktop app by Jon Crosby

Issues • service provider documentation • files • granular permissions • timestamp and nonce verification • vague tokentokens consumers check expiration, for expired

Current Status • OAuth Core 1.0 Final (Dec 2007) • OAuth Discovery 1.0 Draft 2 • Libraries: • coldfusion • csharp • java • javascript • maven • obj-c • obj-c1 • perl • php • python • ruby

Service Provider Implementations • 88 Miles • Google Contacts API • Ma.gnolia • Pownce • Thmbnl • Yahoo! Fire Eagle

More Info • main site: • spec: • code: • mailing list: • wiki: • Pownce API:

Thanks! ugly logo!

Add a comment

Related pages

Implementing OAuth 2.0 Authentication - Google Developers

When a user first attempts to use functionality in your application that requires the user to be logged in to a Google Account or YouTube ...
Read more

OAuth: Implementing OAuth 2.0 | Apigee

OAuth: Implementing OAuth 2.0. Gregory Brail. Feb 16, 2012. In a recent OAuth post, we recommended that if your API can require HTTPS, use OAuth 2.0.
Read more

c# - Implementing OAuth 2.0 Authentication for My API ...

I've been using the Facebook Graph API (uses oauth 2.0 for authentication) successfully for a while now. I now need to write my own API which allows ...
Read more

Implementing OAuth Features in ASP.Net MVC 4 - CodeGuru

Asp.Net 4.5 comes with the support for Open Standards for Authorization, which is known in short as OAuth. In this article I will be explaining ...
Read more

Implementing OAuth , PHP - Google Groups

if you are not too far down the road with Tiis Verkoyen's class, I can send you an example using Abraham's oAuth library which will show you how to do this.
Read more

Implementing OAuth for ASP.NET Web Forms · JoeMayo ...

Implementing OAuth for WebForms Applications. Web authorization includes the entire OAuth authorization flow. This page will explain how you can implement ...
Read more

Implementing OAuth2.0 Authorization For Google In ASP.NET

This article describes how to implement Google OAuth in ASP.NET web apps.
Read more

oauth 2.0 - How to implement oauth2 server in ASP.NET MVC ...

How to implement oauth2 server in ASP.NET MVC 5 and WEB ... This will perform the OAuth and come back to your application and prompting you to register ...
Read more

OAuth Community Site

OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.
Read more