Securing your Web API with OAuth
Mohanaraj Gopala Krishnan
MYOSS Meetup, 4 Dec 2008
mohangk.org/blog
Questions for you
  - Experience with OAuth? Developed with it, read the spec, or only heard of it?
  - Do you have an application that exposes a Web API?
  - How do you handle authentication for it?
  - Experience using BBAuth, AuthSub, Flickr Auth etc.?
What is OAuth?
  A simple open standard for Web API authorization.
  - End users: share information between online services without disclosing passwords
  - Web services (service providers): allow secure access to your API in a user-controlled manner
  - 3rd-party applications (consumers): a standard authorization scheme for the web
Valet key for your web
  http://toyotaownersclub.com/forums/index.php?showtopic=77384
  VS
  http://www.flickr.com/photos/leelefever/133949029/
OpenID vs OAuth: goals are different
  - OpenID is about sharing a single identity with different consumers
  - OAuth is about sharing your data with different consumers without sharing your identity
  - Not mutually exclusive
OpenID vs OAuth: commonality
  - Open protocols, community driven
  - Both involve 3 parties
  - Both involve moving the user between the consumer and the service/identity provider
  - Both involve laying a claim that is verified by the service/identity provider: OpenID - "I own this URL"; OAuth - "I own this resource"
Love triangle: end user, service provider, consumer
WTF?!
"Passwords are not confetti. Please stop throwing them around. Especially if they're not yours." - Chris Messina
  http://www.slideshare.net/carsonified/how-oauth-and-portable-data-can-revolutionize-your-web-app-chris-messina-presentation/
OAuth interaction demo
  Simple demo: http://oauth.kg23.com/
OAuth dance steps
  http://flickr.com/photos/wigwam/2255831538/
OAuth dance steps: the credentials involved
  - consumer key: an identifier that names the consumer to the service provider
  - consumer secret: secret used to establish ownership of the consumer key
  - request token: a value used to obtain authorization from the user; finally traded in for an access token
  - access token: value used to gain access to a protected resource on behalf of the user without requiring the user's credentials
  - token secret: secret used to establish ownership of a given token (request or access)
OAuth dance steps
  http://www.googlecodesamples.com/oauth_playground/
OAuth roles: service provider
  - Implements three service endpoints: get request token; authorize request token; exchange request token for access token
  - Provides a form of authentication: validates every request that follows the OAuth dance
  - Provides a mechanism to maintain authorization
  - Additional API services, e.g. access token lifecycle management (revocation, extension)
Service providers need to allow for end users to manage their authorizations
OAuth roles: consumer
  - Acquire a consumer key / consumer secret from the service provider
  - Communicate with the service provider over HTTP: Authorization header, POST body, or GET query string
  - Sign requests: HMAC-SHA1, RSA-SHA1 or PLAINTEXT
  - Keep track of access tokens: store the association of local users to access tokens
  - Service providers have different policies on token lifetime, e.g. Google vs. Yahoo!
  - Access tokens must be treated as securely as passwords
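The three service-provider endpoints, the request-token to access-token trade, and the token lifecycle (user-visible authorization list and revocation) from the two "OAuth roles" slides, as an added Python model that is not part of the original talk or of any library it names. It keeps all state in memory, leaves request signing out entirely, and uses the oauth_verifier returned after user approval that the later OAuth 1.0a revision added, which the 2008 slides do not mention; the class and method names, the token formats and the sample consumer "app-key" are all assumptions made for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RequestToken:
    consumer_key: str
    secret: str
    user: Optional[str] = None      # set when the end user approves the request
    verifier: Optional[str] = None  # oauth_verifier handed back after approval (OAuth 1.0a)
    used: bool = False              # a request token can be exchanged exactly once


@dataclass
class AccessToken:
    consumer_key: str
    secret: str
    user: str
    revoked: bool = False


class ServiceProvider:
    """In-memory model of the three OAuth 1.0 endpoints plus access-token lifecycle (constructed example)."""

    def __init__(self, consumers: Dict[str, str]):
        self.consumers = consumers          # consumer_key -> consumer_secret, issued at registration
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, AccessToken] = {}

    def get_request_token(self, consumer_key: str) -> Tuple[str, str]:
        # Endpoint 1: an unauthorized token the consumer will send the user to approve.
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = RequestToken(consumer_key, secret)
        return token, secret

    def authorize(self, token: str, user: str) -> str:
        # Endpoint 2: the logged-in user approves the request token; returns oauth_verifier.
        rt = self.request_tokens.get(token)
        if rt is None or rt.used:
            raise PermissionError("invalid request token")
        rt.user, rt.verifier = user, secrets.token_hex(4)
        return rt.verifier

    def get_access_token(self, consumer_key: str, token: str, verifier: str) -> Tuple[str, str]:
        # Endpoint 3: trade an approved request token for an access token, exactly once.
        rt = self.request_tokens.get(token)
        if rt is None or rt.used or rt.consumer_key != consumer_key:
            raise PermissionError("invalid request token")
        if rt.user is None or rt.verifier is None or not secrets.compare_digest(rt.verifier, verifier):
            raise PermissionError("request token not authorized")
        rt.used = True
        access, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[access] = AccessToken(consumer_key, secret, rt.user)
        return access, secret

    def resolve(self, consumer_key: str, token: str) -> Optional[AccessToken]:
        # Run on every protected-resource request after the dance.
        at = self.access_tokens.get(token)
        if at is None or at.revoked or at.consumer_key != consumer_key:
            return None
        return at

    def authorizations(self, user: str):
        # What a "manage my authorized applications" page would list for this user.
        return [(t, a.consumer_key) for t, a in self.access_tokens.items()
                if a.user == user and not a.revoked]

    def revoke(self, user: str, token: str) -> bool:
        # Only the user who granted the authorization may withdraw it.
        at = self.access_tokens.get(token)
        if at is None or at.user != user:
            return False
        at.revoked = True
        return True


class Consumer:
    """Consumer side: holds its key/secret and maps local accounts to access tokens."""

    def __init__(self, key: str, secret: str):
        self.key, self.secret = key, secret
        self.tokens: Dict[str, Tuple[str, str]] = {}  # local user -> (access token, token secret)


def run_dance(sp: ServiceProvider, consumer: Consumer, local_user: str, provider_user: str):
    # The full three-legged dance, with the user's browser round trip collapsed into a call.
    request_token, _ = sp.get_request_token(consumer.key)                                    # step 1
    verifier = sp.authorize(request_token, provider_user)                                    # step 2
    consumer.tokens[local_user] = sp.get_access_token(consumer.key, request_token, verifier)  # step 3
    return consumer.tokens[local_user]
```

The checks worth noting for a service-provider implementer are that an unapproved or already-used request token is refused at the exchange endpoint, that a revoked access token fails `resolve` on every later request, and that the consumer stores the (token, token secret) pair per local user, which is the association the consumer slide asks for.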
OAuth security
  http://icanhascheezburger.com/2007/11/27/meh-security-system-let-me-showz-u-him/
OAuth security
  - Signing gives security beyond HTTP basic auth: no secret travels over the wire after the dance
  - Each request is verifiable: tampering breaks the signature
  - Nonce and timestamp mitigate replay attacks
  - Delegated credentials (tokens) instead of the user's direct credentials
  - HTTPS is still required to mitigate MITM; where the data is not too critical, request signing alone may suffice
Signature: HMAC-SHA1
  Signature base string = HTTP method & base URL & normalized parameters
    - oauth parameters: oauth_consumer_key, oauth_token, oauth_nonce, oauth_timestamp, oauth_signature_method, oauth_version
    - request parameters: param1, param2
  oauth_signature* = HMAC-SHA1(text, secret), with secret = consumer_secret & oauth_token_secret
  * also base64 encoded + urlencoded

Signature: RSA-SHA1
  Signature base string = HTTP method & base URL & normalized parameters
    - oauth parameters: oauth_consumer_key, oauth_token, oauth_nonce, oauth_timestamp, oauth_signature_method, oauth_version
    - request parameters: param1, param2
  oauth_signature* = RSA-SHA1(text, secret), with secret = the consumer's private key (in place of consumer_secret)
  * also base64 encoded + urlencoded
OAuth usage environments
  - Web application: the standard case
  - Gadgets contained within a larger consumer: OAuth Gadget extension
  - 2-legged OAuth: no user involved; the consumer has been put in a position of trust, e.g. a Google domain administrator, or access to public data. Extension implemented by Google: HMAC-SHA1 only, no oauth_token, and an additional xoauth_requestor_id naming the user on whose behalf the request is made; must be explicitly enabled
  - Desktop apps / JS apps: the consumer secret can be easily compromised, so trust levels differ; this does not compromise the user's authorization itself
Why bother?
  - Large adoption: Google, Yahoo!, MySpace
  - Interop: leverage those services
  - Can be used as a replacement for HTTP basic auth; SSL might not always be necessary
  - Part of the open web stack: AtomPub + OpenID + OAuth + XRDS + OpenSocial
Why bother?
  "OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion" - Dare Obasanjo
  http://www.25hoursaday.com/weblog/2007/11/12/OpenIDOAuthIsTheFinalNailInTheCoffinOfTheWSVsRESTDiscussion.aspx
State of OAuth
  - OAuth Core 1.0; IETF draft in progress
  - Different usage environments being worked out via extensions
  - Library support: extensive, but of varying quality
  - OpenID + OAuth hybrid models
  - Usability funkiness
Implementations
  Libraries:
    - oauth.net/code
    - http://github.com/search?q=oauth&x=0&y=0
  Server implementations:
    - PHP - http://code.google.com/p/oauth-php/
    - Ruby - http://github.com/pelle/oauth/tree/master
Thanks