OAuth - Open API Authentication

33 %
67 %
Information about OAuth - Open API Authentication

Published on December 1, 2007

Author: leahculver

Source: slideshare.net

Description

http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.

OAuth Basic Introduction

What is OAuth? A simple open standard for secure API authentication.

The Love Triangle End User Service Provider Consumer Application (fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html

Specifically OAuth is... • Authentication Need to log in to access parts of a website ex: bookmark a link, post a photo, add a friend, view a private message • Token-based Authentication Logged-in user has a unique token used to access data from the site

Similar to... • Flickr Auth • Google’s AuthSub • Yahoo’s BBAuth • Facebook Auth • and others...

Who is involved?

Goals: Be Simple • standard for website API authentication • consistent for developers • easy for users to understand * * this is hard

Goals: Be Secure • secure for users • easy to implement security features for developers • balance security with ease of use

Goals: Be Open • any website can implement OAuth • any developer can use OAuth • open source client libraries • published technical specifications

Goals: Be Flexible • don’t need a username and password • authentication method agnostic • can use OpenID (or not!) • whatever works best for the web service • developers don’t need to handle auth

What the end user sees... an example from ma.gnolia and nsyght.

OMG! Need to login!

Login with service provider

Authorize

Done!

How Does OAuth Work? (for developers)

Register a Consumer Application • Provide service provider with data about your application (name, creator, url etc...) • Service provider assigns consumer a consumer key and consumer secret • Service provider gives documentation of authorization URLs and methods

Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources

OAuth Parameters • oauth_consumer_key • oauth_token • oauth_signature • oauth_signature_method • oauth_timestamp • oauth_nonce

Where is this information passed? • HTTP Authorization header • HTTP POST request body (form params) • URL query string parameters

Security • Tokens - aren’t passing username/password • Timestamp and nonce - verify unique requests • Signature - encrypted parameters help service provider recognize consumer • Signature methods - HMAC-SHA1, RSA- SHA1, Plaintext over a secure channel (such as SSL)

Current Status of OAuth • oauth.net • Auth Core 1.0 Draft 7 • several libraries Python, Ruby, Perl, C# ...) for consumers and service providers (PHP, • Ma.gnolia and Twitter implementations • more implementations soon!

Thanks! Chris is still working on the logo...

Add a comment

Related presentations

Related pages

OAuth Community Site

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. Learn more about OAuth 2.0 »
Read more

OAuth - Wikipedia, the free encyclopedia

OAuth is an open standard for ... there were no open standards for API access ... differences between using OpenID and OAuth for authentication.
Read more

Using OAuth 2.0 to Access Google APIs | Google Identity ...

Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web ...
Read more

OAuth FAQ | Twitter Developers

General What is OAuth? OAuth is an authentication protocol that allows users to approve application to act on their behalf without sharing their ...
Read more

OAuth | Twitter Developers

Send secure authorized requests to the Twitter API Twitter uses OAuth to provide authorized access to its API.
Read more

End User Authentication with OAuth 2.0 — OAuth

User Authentication with OAuth 2.0. The OAuth 2.0 specification defines a delegation protocol that is useful for conveying authorization decisions across a ...
Read more

Authentication API - Single Sign On & Token Based ...

Open Source; Jobs; Help & Support; Documentation; Login; Documentation Authentication API. Documentation. Product. Overview; Applications; Rules; Identity ...
Read more

Flickr Services

User Authentication. Many of Flickr’s API methods require the user to be signed in. In the past we were using our own authentication API, but now, users ...
Read more

oauth - API needz authorized? - Google Project Hosting

API needz authorized?. An open protocol to allow API authentication in a simple and standard method from desktop and web applications. Libraries are ...
Read more