maintest 100713212237-phpapp02-100714080303-phpapp02

Click here to load reader

Download Maintest 100713212237-phpapp02-100714080303-phpapp02

Post on 17-May-2015




0 download

Embed Size (px)


  • 1. Open Authentication
    Protocol Workflow
    OAuth Tokens
    Security Architecture
    OAuth and Twitter
    Coding Oauth

2. OAuth?
Oaths is an authorization standard for APIs that does away with logins and passwords to grant authorization to a third-party
3. Why OAuth?
Every day a new websites are launched which tie services from different sites and offer you
4. OAuth Definitions
Service provider
The website or web-service where the restricted resources are located
User have stuff they dont want to make pubic on the service provider but they do want to share it with another site
The name for the application trying access the users resources
Protected Resources
The stuff oauth protects and allow access.
Tokens are used instead of user credentials to access resources
5. OAuth : Protocol Workflow
6. Jane wants to share some of her vacation photos with her friends. Jane uses Faji, a photo sharing site, for sharing journey photos. She signs into her account, and uploads two photos which she marks private.
Using OAuth terminology
Jane is the User
Faji is the Service Provider.
The 2 photos Jane uploaded are the Protected Resources.
OAuth Example
7. Jane wants to share them with her grandmother. But grandma doesnt have an internet connection so Jane plans to order prints and have them mailed to grandma. Being a responsible person, Jane uses Beppa, an environmentally friendly photo printing service.
Using OAuth terminology,
Beppa is the Consumer.
Beppa must use OAuth to gain access to the photos in order to print them.
8. When Beppa added support for Faji photo import, a Beppa developer known in OAuth as a Consumer Developer obtained a Consumer Key and Consumer Secret from Faji to be used with Fajis OAuth-enabled API.
Using OAuth terminology,
Consumer Key
Consumer secret
9. Beppa requests from Faji a Request Token. At this point, the Request Token is not User-specific, and can be used by Beppa to gain User approval from Jane to access her private photos.
Using OAuth terminology,
Request Token
10. When Beppa receives the Request Token, it redirects Jane to the Faji OAuth User Authorization URL with the Request Token and asks Faji to redirect Jane back once approval has been granted to
Using OAuth terminology,
Oauth User Authorization URL
Call Back URL
11. After successfully logging into Faji, Jane is asked to grant access to Beppa, the Consumer. Faji informs Jane of who is requesting access (in this case Beppa) and the type of access being granted. Jane can approve or deny access.
12. Jane waits for Beppa to present her with her photos fetched from her Faji account.
13. While Jane waits, Beppa uses the authorized Request Token and exchanges it for an Access Token. Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Janes photos.
In the first request, Beppa exchanges the Request Token for an Access Token and in the second (can be multiple requests, one for a list of photos, and a few more to get each photo) request gets the photos.
Using OAuth terminology,
Access Token
14. Jane is very impressed how Beppa grabbed her photos without asking for her username and password. She likes what she sees and place the print order.
15. 16. Tokens
OAuth uses three types of credentials
Client credentials (consumer key and secret)
Temporary credentials (request token and secret)
Token credentials (access token and secret)
17. Client Credentials
Allows server to authenticate server
Allows server to get information about the client
18. Token Credentials
Token credentials are in place of username and password
The client uses token credentials to access resource owner protected resource
Token credentials are limited in scope and duration
19. Temporary credentials
Used to identify the authorization request
To accommodate different clients like desktop, mobile etc.
Add extra flexibility and security
20. OAuthSecurity Architecture
21. Signature and Hash
OAuth usesdigital signaturesinstead of sending the full credentials (specifically, passwords) with each request.
The sender uses a mathematical algorithm to calculate the signature of the request and includes it with the request.
22. Hash Algorithm
A common way to sign digital content is using ahash algorithm.
Hashing is the process of taking data (of any size) and condensing it to a much smaller value (digest) in a fully reproducible (one-way) manner
This means that using the same hash algorithm on the same data will always produce the same smaller value
Hashing usually does not allow going from the smaller value back to the original.
23. Shared Secret
By itself, hashing does not verify the identity of the sender, only data integrity.
In order to allow the recipient to verify that the request came from the claimed sender, the hash algorithm is combined with ashared secret
If both sides agree on some shared secret known only to them, they can add it to the content being hashed.
24. Nonce(Number used Once)
What is missing is something to prevent requests intercepted by an unauthorized party, usually bysniffing the network, from being reused. This is known as areplay attack.
Able to make the same sign request over and over again.
To prevent compromised requests from being used again (replayed), OAuth uses anonceand timestamp.
By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once
25. TimeStamp
Using nonces can be very costly for Service Providers as they demand persistent storage of all nonce values received, ever.
OAuth adds a timestamp value to each request which allows the Service Provider to only keep nonce values for a limited time.
When a request comes in with a timestamp that is older than the retained time frame, it is rejected as the Service Provider no longer has nonces from that time period.
26. Signature Methods
OAuth defines 3 signature methods used to sign and verify requests
When signing requests, it is necessary to specify which signature method has been used to allow the recipient to reproduce the signature for verification
The decision of which signature method to use depends on the security requirements of each application
27. Signature Base String
Not only must they both use the same algorithm and share secret, but they must sign the same content.
This requires a consistent method for converting HTTP requests into a single string which is used as the signed content theSignature Base String..
28. Getting the Request Token
Building a reqestToken request requires the following:
HTTP Method,
Request URI,
29. Getting the Request Token

  • First build your string to sign

View more