Advanced OAuth Wrangling
Kellan Elliott-McCrea
XTech 2008: The Web on the Move
Assumptions
Advanced, simple, and flexible. (Choose two.)
OAuth? http://oauth.net/core/1.0
OAuth is ....
... a protocol for developing password-less APIs.
OAuth is ....
... a way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials.
OAuth is ....
... an open, freely-implementable and generic methodology for API authorization.
OAuth is ....
... “your valet key for the Web.”
OAuth is ....
... not OpenID.
(OpenID does authentication, OAuth does authorization)
Emerging Standard
• OAuth Core 1.0 released Dec 4th, 2007
• 12 months of open development on mailing lists
• Supported by Google, Yahoo, MySpace, Digg, Twitter, Magnolia, Pownce, Dopplr, Get Satisfaction, Mediamatic, Hyves, etc. (not all APIs launched yet)
• Authorization protocol for Google’s OpenSocial, and Yahoo’s Y!OS.
• Open source libraries in PHP, Python, Perl, Ruby, Java, Javascript, Objective-C, C#, ActionScript, ColdFusion
So what does it do?
A little history.
In the beginning....
.... there was Twitter
.... and there was Ma.gnolia
API.execute($username, $password)
API.execute(http://myid.example.org/)
Delegated Token Auth
FlickrAuth, Google AuthSub, Yahoo’s BBAuth, Facebook Auth, Amazon AWS, etc...
Username and password are replaced with a token and token secret that are unique to the user, the application, and the service provider.
The Love Triangle
End User
Service Provider
Consumer Application
(fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
Two technologies:
1. OAuth auth flow (aka token dance)
2. Normalized request signing
Some quick vocab
• Service provider: a website that provides access via OAuth (i.e. the API).
• User: a person who has an account with the SP.
• Consumer: a website or application that uses OAuth to access the SP on the User’s behalf
• Consumer key and secret: Consumers are generally issued keys and secrets by the SP to uniquely identify them. (i.e. API key, and shared secret)
• Protected resource: any data or API controlled by the SP that requires authentication to access.
• Authorization URL: a web page hosted by the SP where the User is prompted to authorize or deny the Consumer
Request signing
Design Goals for Request Signing
• Prove that the Consumer is in possession of Consumer Secret, and Token Secret
• Protect against request forgery, and man-in-the-middle attacks.
• Protect against replay attacks.
• Lowest common denominator implementable. (no XML, no SSL, no PKI)
• Compatible with existing delegated auth APIs.
• Does NOT protect against eavesdropping. (Use SSL/TLS)
Signing key: the consumer secret and the token secret joined by “&” (33tr&77qu). Signature base string: the HTTP method, the request URL and the sorted, percent-encoded parameters (every query and oauth_* parameter except oauth_signature), each part percent-encoded and joined by “&”:
base64encode(hmac_sha1("33tr&77qu", "GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1210171725%26oauth_token%3Dqu77"))
The signed request:
http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=qu77&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1
OAuth is ....
... delegated token auth which uses the “token dance” to mint user/consumer/service-provider-specific credentials, verified with request signing.
OAuth is ....
... plumbing.
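The signing scheme on the slides above, as an added worked example (not code from the deck or from any of the libraries it lists): the consumer builds the signature base string and HMAC-SHA1 signature exactly as the tr33/qu77 slide does, and the service provider recomputes it, enforces a timestamp window and rejects a reused nonce, which is what the nonce and timestamp are for. The 300-second window, the in-memory nonce set and the secrets are assumptions for illustration. It also handles two cases the deck gets to later: an empty token secret for two-legged calls, and the PLAINTEXT method.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit


def pct(value) -> str:
    """OAuth 1.0 percent-encoding: RFC 3986 unreserved characters pass
    through, everything else becomes %XX with uppercase hex."""
    return quote(str(value), safe="-._~")


def normalize_url(url: str) -> str:
    """Lowercase scheme and host, drop default ports, drop query and fragment."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or ""), p.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, p.path or "/", "", ""))


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & pct(url) & pct(sorted 'k=v' pairs joined by '&'). Every query
    and oauth_* parameter is included except oauth_signature itself."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """pct(consumer secret) & pct(token secret); the token secret is the empty
    string for two-legged (application-only) calls."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def compute_signature(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret)
    sig_method = params.get("oauth_signature_method", "HMAC-SHA1")
    if sig_method == "HMAC-SHA1":
        base = signature_base_string(method, url, params).encode()
        return base64.b64encode(hmac.new(key.encode(), base, hashlib.sha1).digest()).decode()
    if sig_method == "PLAINTEXT":
        # No hashing at all: both secrets travel inside the request, so this
        # is only acceptable over TLS.
        return key
    raise ValueError(f"unsupported oauth_signature_method {sig_method!r}")


def sign_request(method, url, query, consumer_key, consumer_secret,
                 token="", token_secret="", sig_method="HMAC-SHA1",
                 nonce=None, timestamp=None) -> dict:
    """Consumer side: the full parameter set to send, signature included."""
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(8),
        "oauth_signature_method": sig_method,
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
    })
    if token:  # omitted entirely for two-legged requests
        params["oauth_token"] = token
    params["oauth_signature"] = compute_signature(method, url, params, consumer_secret, token_secret)
    return params


class ServiceProvider:
    """Verifier side: look the secrets up by key, recompute the signature and
    enforce a timestamp window plus nonce uniqueness so a captured request
    cannot be replayed. The nonce store is an in-memory set (assumption);
    a real SP needs shared storage that expires entries with the window."""

    def __init__(self, consumers: dict, tokens: dict, window_seconds: int = 300):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.tokens = tokens            # oauth_token -> token_secret
        self.window = window_seconds
        self.seen = set()               # (consumer_key, nonce, timestamp) already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        consumer_key = params.get("oauth_consumer_key", "")
        if consumer_key not in self.consumers:
            return False, "unknown consumer"
        token = params.get("oauth_token", "")
        if token and token not in self.tokens:
            return False, "unknown token"
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        replay_key = (consumer_key, params.get("oauth_nonce", ""), ts)
        if replay_key in self.seen:
            return False, "nonce reused"
        try:
            expected = compute_signature(method, url, params, self.consumers[consumer_key],
                                         self.tokens.get(token, ""))
        except ValueError:
            return False, "unsupported signature method"
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return False, "bad signature"
        self.seen.add(replay_key)   # recorded only once the signature is good
        return True, "ok"
```

The order of checks in `verify` matters: the nonce is recorded only after the signature validates, otherwise anyone who can see traffic could burn a legitimate consumer's nonces with forged copies. Note also that `oauth_signature_method` goes into the base string like every other oauth_* parameter; only `oauth_signature` is left out.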
How’s everyone doing?
OAuth Flexibility Cookbook
If Not Forbidden
Recipe #1: Expiring Tokens
Request an expiring token from the authorization end point:
http://api.example.com/auth?oauth_token=request_342342&expire_in=3days
Behind the scenes, the consumer requests the access token and receives:
oauth_token=qu77&oauth_token_secret=77qu&user_name=kellan&expires_on=1210478083
Once expires_on has passed, the service provider answers:
HTTP/1.0 401 Unauthorized
Expired Token.
Don’t fear the nonce (and timestamp)
Recipe #2: Custom authorization and permission levels
Request a token with a custom permission level from the authorization end point:
http://api.example.com/auth?oauth_token=request_342342&requested_perm=write
The same idea goes by several names (permissions, scope, rights, role):
http://api/auth?oauth_token=rt2323&scope=http://example.com/photos/write
http://api/auth?oauth_token=rt2323&scope=http://www.google.com/m8/feeds/read
http://api/auth?oauth_token=rt2323&rights=read-buddy-list,send-im
http://api/auth?oauth_token=rt2323&requested_perm=write
http://api/auth?oauth_token=rt2323&requested_perm=read
http://api/auth?oauth_token=rt2323&requested_perm=delete
http://api/auth?oauth_token=rt2323&role=contributor
Permissions
Scope
Rights
Role
Behind the scenes: oauth_token=qu77&oauth_token_secret=77qu&user_name=kellan&granted_permission=write
Recipe #3: OAuth on the Desktop
1. Once you’ve distributed your secret, is it a secret?
2. The user experience sucks!
Umm, really?
OAuth on the desktop: 2-factor authentication and the Ritual Coffee attack.
This is why OAuth defines both a Consumer Key/Secret pair and the Token/Secret pair.
So make sure your authorization page is CSRF-safe.
OAuth on the Desktop: “Worst possible user experience except for all the others”
Recipe #4: “Two legged APIs”
3 legged: FireEagle.setLocation, Twitter.privateTimeline, Flickr.upload, Flickr.search
2 legged: FireEagle.nearby, Twitter.friendsTimeline, Flickr.search
Solution #1: use a constant instead of the access token and access secret.
http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=DUMMY_TOKEN&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1
base64encode(hmac_sha1("33tr&DUMMY_SECRET", "GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1210171725%26oauth_token%3DDUMMY_TOKEN"))
Solution #2: FireEagle issues an “application access token” that can be used to sign application-scoped APIs.
Recipe #5: At Scale
Avoid hitting the database, and distributing secrets.
Avoid hitting the database. Tokens need not be opaque.
$token = base64encode(encrypt($super_secret, "$consumer_key;$user_id;$expiration_date;$permissions;"));
Better Tokens
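An added example (not code from the deck or from any library it lists) that combines Recipe #1’s expiring tokens and Recipe #2’s permission levels with the self-describing, no-database token of this recipe. The token carries the consumer key, user, permissions and expiry; it is authenticated with an HMAC tag rather than encrypted as the slide’s $token line does (a swapped-in technique: it keeps the claims readable but makes them tamper-evident), and the token secret that pairs with it is derived from the token under a second server key, so the service provider can check request signatures without a lookup table. The two keys, the claim names and the 16-byte tag are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side keys (the slide calls its single key $super_secret).
MAC_KEY = b"assumed-server-key-for-token-authentication"
SECRET_DERIVATION_KEY = b"assumed-server-key-for-deriving-token-secrets"
TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the authentication tag


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_secret_for(token: str) -> str:
    """The token secret is a keyed function of the token, so the SP can
    reconstruct it for signature checks without storing anything."""
    return b64u(hmac.new(SECRET_DERIVATION_KEY, token.encode(), hashlib.sha256).digest()[:15])


def mint_token(consumer_key: str, user_id: str, permissions, ttl_seconds: int, now=None):
    """Access-token issuance (the end of the token dance): returns the token
    and its secret, the pair the deck's oauth_token=...&oauth_token_secret=...
    response carries."""
    now = int(time.time()) if now is None else now
    claims = {"c": consumer_key, "u": user_id, "p": sorted(permissions), "e": now + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    token = b64u(body + tag)
    return token, token_secret_for(token)


def read_token(token: str) -> dict:
    """Parse and authenticate a token; raises ValueError if it was not minted
    here or has been modified. Claims are only parsed after the tag checks."""
    try:
        raw = b64u_decode(token)
    except ValueError:
        raise ValueError("malformed token")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
        raise ValueError("bad authentication tag")
    return json.loads(body)


def authorize(token: str, consumer_key: str, required_permission: str, now=None):
    """Per-request check on the service provider, answered entirely from the
    token: returns an HTTP status and a reason."""
    now = int(time.time()) if now is None else now
    try:
        claims = read_token(token)
    except ValueError as exc:
        return 401, f"Invalid Token ({exc})"
    if claims["e"] <= now:
        return 401, "Expired Token"          # the deck's 401 response
    if claims["c"] != consumer_key:
        return 401, "Token not issued to this consumer"
    if required_permission not in claims["p"]:
        return 403, f"Token lacks '{required_permission}' permission"
    return 200, "ok"
```

If the claims must stay confidential (the user id, say), encrypt the body and then MAC the ciphertext; encryption on its own, as in the slide’s one-liner, does not stop a holder from flipping bits in the permissions or expiry field.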
Avoid distributing the secret
$oauth_signature = base64encode(hmac_sha1("$consumer_secret&$token_secret", $signature_base_string))
HMAC-SHA1 signatures are symmetric: anyone who can verify one can also produce one, so every host that checks signatures must hold the consumer secret.
Alternate signing algorithm: RSA-SHA1 (asymmetric)
openssl_sign($signature_base_string, $raw_signature, openssl_get_privatekey($private_key));
$oauth_signature = base64_encode($raw_signature);
Building the signature with RSA-SHA1 (openssl_sign and openssl_verify default to SHA1, which is what RSA-SHA1 requires)
openssl_verify($signature_base_string, base64_decode($oauth_signature), openssl_get_publickey($cert)) === 1
Checking the RSA-SHA1 signature: the verifier only needs the consumer’s public certificate, never the private key.
Recipe #6: No encryption! I only want the token dance
What if your API clients had to run inside of Excel?
Wesabe: bank statements as social objects, security through HTTP Digest Auth, and SSL
Use the PLAINTEXT signing algorithm
Recipe #7: Mobile OAuth/OAuth on the device
A multimedia device is a very small desktop.
This is a web browser
http://ericasadun.com/ftp/TUAW/findme/
Devices
Recipe #8: Identity-less services? (your access token is your only identifier)
Extending the Core
http://groups.google.com/group/oauth-extensions
In Process
• Body signing
• Discovery
• Gadgets
• Key Rotation
• Language Preference
• http://oauth.googlecode.com/svn/spec/
Potential extensions and future directions
• Response signing
• XMLSig signing algorithm
• OAuth over Jabber - what needs to be signed?
• OAuth on a chip - expect to see devices shipping in the next 6 months with OAuth stacks
Photo Credits
http://flickr.com/photos/laughingsquid/249911160/
http://flickr.com/photos/therealdevildoll/2238476894/
http://flickr.com/photos/stevegarfield/369172004/
http://flickr.com/photos/mbiddulph/1269991677/
http://flickr.com/photos/chromogenic/1053204718/
http://flickr.com/photos/darwinbell/428581415/
http://flickr.com/photos/85182154@N00/45736898/
http://flickr.com/photos/tracylee/30892867/
http://flickr.com/photos/evapro/305689596/
http://flickr.com/photos/earthandeden/395466458/
http://flickr.com/photos/thomashawk/136611116/
http://flickr.com/photos/altammar_q8/2352893870/
Questions?
Flickr will be offering OAuth by June 1st. (Also, we’re hiring.)