how oauth and portable data can revolutionize your web app - chris messina
DESCRIPTION
TRANSCRIPT
OAuth FTW
Chris MessinaFuture of Web Apps
October 10, 2008London, England
How OAuth and portable data can revolutionize your web app
(FOR THE WIN)
OAuth |ō| |ôˌθ|Noun.
An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.
The story of OAuth starts with OpenID.
factoryjoe.com
?!X
factoryjoe.com
!
Can has OpenID?
? X
factoryjoe.com
B-b-but what about API apps?
X
(APPLICATION PROGRAMMING INTERFACE)
?
!?!
How much are your username and password worth?
wayn.com
imeem.com
PC Load Letter?! What the f...!
The Password Anti-pattern!
Passwords are not confetti.
Please stop throwing them around.
Especially if they’re not yours.
OAuth replaces the need for usernames and passwords with tokens and a hashing signature.
let’s take a look
Brightkite > pings Fire Eagle for Request Token
Fire Eagle > returns authorization realm
Brightkite > requests that user authorize Brightkite
Fire Eagle > user authenticates through Yahoo! accounts
Fire Eagle > user grants authorization to Brightkite
Fire Eagle > Fire Eagle redirects user to callback URL
Brightkite > asks FE to exchange Request Token for Access Token
Fire Eagle > checks signature; if valid, returns Access Token
...subsequent requests are signed with this Access Token
users can manage access...
...and change access
or can revoke access later without having to change their primary account password
(i.e. if they lose their phone or their computer gets stolen)
?
discovery
Identity -› Discovery -› Authorization
OpenID -› XRDS-Simple -› OAuth Endpoint
(EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)
Identity -› Discovery -› [Authentication] -› Authorization
http://will.norris.name
☟<meta http-equiv="X-XRDS-Location" content="http://will.norris.name/?xrds" />
OpenID XRDS
<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD></xrds:XRDS>
XRDS-Simple for Portable Contacts
<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD version="2.0"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD></xrds:XRDS>
XRDS-Simple for Portable Contacts
<XRD version="2.0"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type>
...
XRDS-Simple for Portable Contacts
<XRD version="2.0"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type>
...
adoption
•OpenSocial
•MySpace
•Yahoo! (Fire Eagle)
•Netflix
•SmugMug
•Photobucket
•Plaxo
•Soocial.com
•Meetup.com
•Ma.gnolia
•Get Satisfaction
•Agree2
•SoundCloud
•88Miles
•Pownce
•Brightkite
•Praized
http://wiki.oauth.net/ServiceProviders
code
•C#
•Coldfusion
•Java
•Javascript
•Jifty
•.NET
•Objective-C
•OCaml
•Perl
•PHP
•CakePHP
•Python
•Ruby
•...interest in XMPP
http://oauth.net/code
the pitch
fin.
oauth.netme -› factoryjoe.com