Introduction to OAuth 1.0a

DESCRIPTION
Introduction to OAuth 1.0a. Intended as preparation for reading OAuth Core 1.0 Revision A.
Changelog:
- 0.2: Add figures
- 0.3: Some minor fixes for improving readability. In addition, add the reference which explains how to use Ruby's oauth library.

TRANSCRIPT
Introduction
● This document is intended as preparation for reading the specification of OAuth 1.0a [1]
  ○ OAuth 1.0a is *very complex* (at least for me) and hard to understand
  ○ Although there is the simpler OAuth 2.0, OAuth 1.0a is still used by many web services
● Some features are omitted for simplicity
  ○ e.g. out-of-band authentication
● Please let me know if you have any comments
Agenda
● What is it
● Advantages
● Processing flow
What is it
● The authorization mechanism by which a web service (Provider) permits third-party services (Consumers) to use its functions on behalf of its users (Users)
● Basic terms

| Name     | Meaning                                                           | Typical example                               |
|----------|-------------------------------------------------------------------|-----------------------------------------------|
| Provider | An arbitrary web service                                          | Famous SNS services like Facebook and Twitter |
| Consumer | A service that requires Provider's functions to implement its own | Facebook clients and Twitter clients          |
| User     | User of both Provider and Consumer                                | You                                           |
Advantages
● Can reduce security risks compared with password authentication
  ○ User doesn't need to give Consumer unnecessary information or authorization

|                                           | Password authentication | OAuth                                                                      |
|-------------------------------------------|-------------------------|----------------------------------------------------------------------------|
| The information which User gives Consumer | User ID and password    | Tokens usable only for a subset of Provider's functions                    |
| Authorized Provider's functions           | All functions           | The subset of Provider's functions that Consumer requests and User permits |
Processing flow
● The processing flow is described in the following order
  a. Overview of all processes
  b. When each process is used
  c. The summary of each process
    ■ Sequence diagram
    ■ The explanation for each sequence
Processing flow: overview
Actors: User, Consumer, Provider
1) Register itself as Consumer
2) Authorize Consumer
3) Authenticate "Authorized" Consumer
4) Use Provider's functions
5) Rescind Consumer's authorization
6) Unregister itself
When each process is used
Actors: User, Consumer, Provider
1) Register itself as Consumer: used once, when a Consumer starts its service
2) Authorize Consumer: used once, when a User starts to use a Consumer
3) Authenticate "Authorized" Consumer: used once, when a User starts to use a Consumer, or when the previous authentication timed out
4) Use Provider's functions: used once per call of a Provider's function by a Consumer
5) Rescind Consumer's authorization: used once, when a User stops using a Consumer
6) Unregister itself: used once, when a Consumer stops its service
The summary of each process
● The following processes are described
  a. Register a service as Consumer
  b. Authorize Consumer
  c. Authenticate "Authorized" Consumer
  d. Use Provider's function
● Other processes are not described
  a. How they are done depends very much on each Provider
Register a service as Consumer
Sequence (Consumer, Provider):
1) Consumer → Provider: Visit registration URI
2) Provider → Consumer: List of functions exported to Consumers
3) Consumer → Provider: Declare functions to use on behalf of Users
4) Provider → Consumer: The information for authenticating Consumer

Explanation:
1. Consumer: Visit Provider's registration URI
2. Provider: Give the list of functions exported to Consumers
3. Consumer: Declare which of the functions Provider offers it will use
4. Provider: Give Consumer the following tokens
  ○ consumer_key: Used for identifying Consumer
  ○ consumer_secret: Used for authenticating Consumer
Prepare to authorize Consumer
Sequence (Consumer, Provider):
1) Consumer: Make and sign a request
2) Consumer → Provider: Send the signed request
3) Provider: Authenticate Consumer
4) Provider → Consumer: Give the information needed by the authorization request

Explanation:
1. Consumer: Make a request from the following information
  ○ consumer_key
  ○ etc.
2. Consumer: Sign the request with consumer_secret
3. Consumer: Send the request to Provider's request token URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer
5. Provider: Give the following information to Consumer
  ○ request token: Used for identifying the authorization request
  ○ request token secret: Used for the authorization request
Authorize Consumer
Sequence (User, Consumer, Provider):
1) Consumer → User: Redirect to Provider's authorization URI with callback URI
2) User → Provider: Redirected
3) Provider → User: Request ID/password
4) User → Provider: Give ID/password
5) Provider → User: Ask for authorizing Consumer to use the list of functions
6) User → Provider: Answer "Yes"
7) Provider → User: Redirect to callback URI with information for identifying "Authorized" Consumer
8) User → Consumer: Redirected

Explanation:
1. Consumer: Make a request with the following information
  ○ request token
  ○ Callback: URI to which User should be redirected after authorization
  ○ etc.
2. Consumer: Sign the request with request token secret
3. Consumer: Redirect User to Provider's authorization URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate User, typically with ID and password
5. Provider: Ask User whether to authorize Consumer to use a subset of Provider's functions on behalf of User
6. Provider: Give Consumer the following token
  ○ oauth_verifier: Used for identifying the authorized Consumer
7. Provider: Redirect User to callback URI
Authenticate "Authorized" Consumer
Sequence (Consumer, Provider):
1) Consumer: Make and sign a request
2) Consumer → Provider: Send the signed request
3) Provider: Authenticate Consumer
4) Provider → Consumer: Give the information needed for using Provider's functions

Explanation:
1. Consumer: Make a request from the following information
  ○ consumer_key
  ○ request token
  ○ oauth_verifier
  ○ etc.
2. Consumer: Sign the request with the key constructed from consumer_secret and request token secret
3. Consumer: Send the request to Provider's access token URI
  ○ How to get this URI depends on each Provider
4. Provider: Authenticate Consumer
5. Provider: Give Consumer the following tokens
  ○ access token: Used for identifying the authorized Consumer
  ○ access token secret: Used for authenticating the "authorized" Consumer
Use Provider's functions
Sequence (User, Consumer, Provider):
1) User → Consumer: Use Consumer's function
2) Consumer: Make and sign a request
3) Consumer → Provider: Send the signed request to Provider's API URI
4) Provider: Authenticate Consumer
5) Provider: Execute the requested function
6) Provider → Consumer: Return the result
7) Consumer → User: Return the result

Explanation:
1. User: Use a Consumer function that requires a Provider function
2. Consumer: Make a request from the following information
  ○ API's parameters
  ○ access token
  ○ etc.
3. Consumer: Sign the request with the key constructed from consumer_secret and access token secret
4. Consumer: Send the request to Provider's API URI
5. Provider: Authenticate Consumer
6. Provider: Execute the requested function
7. Provider: Give the result of the API call to Consumer
8. Consumer: Achieve its function with the result
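The signing step that recurs in "Prepare to authorize Consumer" (signed with consumer_secret alone), "Authenticate 'Authorized' Consumer" (consumer_secret and request token secret) and "Use Provider's functions" (consumer_secret and access token secret) is, in the specification [1], a single mechanism: an HMAC-SHA1 over a signature base string, keyed with consumer_secret, an ampersand, and the token secret, where the token secret is empty at the request-token stage. The Python below is an added example, not code from the slides or from any library they reference. It builds the base string and signature on the Consumer side and verifies it on the Provider side, including the timestamp-window and nonce checks the specification tells a Provider to make. The names oauth_escape, signature_base_string, signing_key, sign, consumer_request and Provider, and the sample endpoint and secrets, are assumptions; the caller is assumed to pass the base URL already normalized (lowercase scheme and host, default port and query string removed), and parameters are modelled as a dict, so a parameter repeated with several values is not covered.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Added example of OAuth 1.0a HMAC-SHA1 signing (RFC 5849 section 3.4);
# all names below are assumed, not from the slides or from a specific library.


def oauth_escape(value):
    """Percent-encode as RFC 5849 section 3.6 requires: only unreserved chars untouched."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """Section 3.4.1: METHOD & escaped(base URL) & escaped(normalized parameters).

    `params` holds the query/body parameters plus the oauth_* parameters, without
    oauth_signature. base_url is assumed to be normalized already by the caller.
    """
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(base_url), oauth_escape(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """Section 3.4.2: the HMAC key is consumer_secret '&' token_secret.

    token_secret is "" when asking for a request token, the request token secret
    when exchanging it for an access token, and the access token secret when
    calling the API ("the key constructed from ..." on the slides).
    """
    return f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}"


def sign(method, base_url, params, consumer_secret, token_secret=""):
    """Base64 of HMAC-SHA1 over the base string, i.e. the oauth_signature value."""
    key = signing_key(consumer_secret, token_secret).encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def consumer_request(method, base_url, consumer_key, consumer_secret, token=None,
                     token_secret="", extra=None, nonce=None, timestamp=None):
    """Consumer side: add the oauth_* parameters and attach oauth_signature."""
    params = dict(extra or {})
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    })
    if token is not None:          # absent only when requesting a request token
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, base_url, params, consumer_secret, token_secret)
    return params


class Provider:
    """Provider side: recompute the signature and reject stale or replayed requests."""

    def __init__(self, consumer_secrets, token_secrets, window=300):
        self.consumer_secrets = consumer_secrets   # consumer_key -> consumer_secret
        self.token_secrets = token_secrets         # request/access token -> its secret
        self.window = window                       # accepted clock skew in seconds
        self.seen = set()                          # (consumer_key, timestamp, nonce)

    def verify(self, method, base_url, params, now=None):
        now = int(time.time()) if now is None else now
        p = dict(params)
        presented = p.pop("oauth_signature", None)
        consumer_key = p.get("oauth_consumer_key")
        consumer_secret = self.consumer_secrets.get(consumer_key)
        if presented is None or consumer_secret is None or "oauth_nonce" not in p:
            return False
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        token_secret = ""
        if "oauth_token" in p:                      # request-token requests carry no token
            token_secret = self.token_secrets.get(p["oauth_token"])
            if token_secret is None:
                return False
        try:
            timestamp = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - timestamp) > self.window:      # stale or future-dated
            return False
        replay_key = (consumer_key, timestamp, p["oauth_nonce"])
        if replay_key in self.seen:                 # this nonce was already accepted
            return False
        expected = sign(method, base_url, p, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return False
        self.seen.add(replay_key)                   # record the nonce only after success
        return True


if __name__ == "__main__":
    provider = Provider({"ck": "cs"}, {"at": "ats"})     # constructed sample secrets
    url = "https://api.example.com/v1/me"                 # constructed sample endpoint
    req = consumer_request("GET", url, "ck", "cs", token="at", token_secret="ats")
    print("first attempt:", provider.verify("GET", url, req))
    print("replayed:", provider.verify("GET", url, req))
```

The same Provider.verify serves all three signed stages, because the only thing that changes between them is which token secret (none, request token secret, access token secret) the Provider looks up to rebuild the key; a request whose parameters were altered in transit, whose timestamp is outside the window, or whose nonce has been seen before is refused before the Provider executes anything.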
References
● [1] OAuth Core 1.0 Revision A
  ○ http://oauth.net/core/1.0a
● [2] Zero to Hero ~ The Linkedin OAuth Dance, by Taylor Singletary
  ○ http://www.slideshare.net/episod/linkedin-oauth-zero-to-hero
● [3] OAuth Ruby example
  ○ http://wiki.openstreetmap.org/wiki/OAuth_ruby_examples