advanced oauth wrangling

Post on 14-Jan-2015


TRANSCRIPT

Advanced OAuth Wrangling

Kellan Elliott-McCrea

XTech 2008: The Web on the Move

Assumptions

Advanced, simple, and flexible. (choose two)

OAuth? http://oauth.net/core/1.0

OAuth is ....

... a protocol for developing password-less APIs.

OAuth is ....

... a way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials.

OAuth is ....

... an open, freely-implementable and generic methodology for API authorization.

OAuth is ....

... “your valet key for the Web.”

OAuth is ....

... not OpenID.

(OpenID does authentication, OAuth does authorization)

Emerging Standard

• OAuth Core 1.0 released Dec 4th, 2007

• 12 months of open development on mailing lists

• Supported by Google, Yahoo, MySpace, Digg, Twitter, Magnolia, Pownce, Dopplr, Get Satisfaction, Mediamatic, Hyves, etc. (not all APIs launched yet)

• Authorization protocol for Google’s OpenSocial, and Yahoo’s Y!OS.

• Open source libraries in PHP, Python, Perl, Ruby, Java, Javascript, Objective-C, C#, ActionScript, ColdFusion

So what does it do?

A little history.

In the beginning....

.... there was Twitter

.... and there was Ma.gnolia

API.execute($username, $password)

API.execute($username, $password)

API.execute(http://myid.example.org/)

Delegated Token Auth

FlickrAuth, Google AuthSub, Yahoo’s BBAuth, Facebook Auth, Amazon AWS, etc...

Username and password are replaced with a token and token secret that are unique to the user, the application, and the service provider.

The Love Triangle

End User / Service Provider / Consumer Application

(fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html

Two technologies:

1. OAuth auth flow (aka token dance)

2. Normalized request signing

Some quick vocab

• Service provider: a website that provides access via OAuth. (i.e. the API)

• User: a person who has an account with the SP.

• Consumer: a website or application that uses OAuth to access the SP on the User’s behalf

• Consumer key and secret: Consumers are generally issued keys and secrets by the SP to uniquely identify them. (i.e. API key, and shared secret)

• Protected resource: any data or API controlled by the SP that requires authentication to access.

• Authorization URL: a web page hosted by the SP where the User is prompted to authorize or deny the Consumer

Request signing

Design Goals for Request Signing

• Prove that the Consumer is in possession of Consumer Secret, and Token Secret

• Protect against request forgery, and man-in-the-middle attacks.

• Protect against replay attacks.

• Lowest common denominator implementable. (no XML, no SSL, no PKI)

• Compatible with existing delegated auth APIs.

• Does NOT protect against eavesdropping. (Use SSL/TLS)

base64encode(hmac_sha1(33tr&77uq, GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_timestamp%3D1210171725%26oauth_token%3Dqu77))

http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=qu77&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1
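An added example, not from the slides, that works the HMAC-SHA1 signing above in Python on the slide's own values (consumer key tr33 / secret 33tr, token qu77 / secret 77qu, nonce 34567, timestamp 1210171725), together with the service-provider check that recomputes the signature, compares it in constant time and rejects reused nonces and stale timestamps. Per the spec the base string also carries oauth_signature_method, which the slide's shortened form leaves out; the 300-second timestamp window is an assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding (RFC 3986): only A-Z a-z 0-9 - . _ ~ are left unencoded.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode each key and value, sort by encoded key, join as k=v&k=v, then encode that once more.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign_hmac_sha1(consumer_secret, token_secret, sbs):
    # The HMAC key is "consumer_secret&token_secret", each part percent-encoded.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, sbs.encode(), hashlib.sha1).digest()).decode()

def build_request(url, consumer_key, consumer_secret, token, token_secret, nonce, timestamp):
    # Consumer side: assemble the oauth_* parameters, sign them, and return the signed GET URL.
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token, "oauth_timestamp": timestamp,
              "oauth_nonce": nonce, "oauth_signature_method": "HMAC-SHA1"}
    params["oauth_signature"] = sign_hmac_sha1(consumer_secret, token_secret, base_string("GET", url, params))
    query = "&".join(f"{pct(k)}={pct(v)}" for k, v in params.items())
    return f"{url}?{query}", params

def verify_request(method, url, params, consumer_secret, token_secret, seen_nonces, now, window=300):
    # Service-provider side: reject stale timestamps and reused nonces (replay) before any crypto,
    # then recompute the signature and compare it in constant time. `window` is an assumed tolerance.
    params = dict(params)
    presented = params.pop("oauth_signature", "")
    timestamp = int(params.get("oauth_timestamp", 0))
    if abs(now - timestamp) > window:
        return False
    nonce_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"), timestamp)
    if nonce_key in seen_nonces:
        return False
    expected = sign_hmac_sha1(consumer_secret, token_secret, base_string(method, url, params))
    if not hmac.compare_digest(expected, presented):
        return False
    seen_nonces.add(nonce_key)
    return True
```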

OAuth is .... ... delegated token auth which uses the “token dance” to mint user-consumer-service provider specific credentials, verified with request signing.

OAuth is .... ... plumbing.

How’s everyone doing?

OAuth Flexibility Cookbook

If Not Forbidden

Recipe #1: Expiring Tokens

Behind the scenes, the consumer requests the access token and receives:

oauth_token=qu77&oauth_token_secret=77qu&user_name=kellan&expires_on=1210478083

HTTP/1.0 401 Unauthorized

Expired Token.

Don’t fear the nonce (and timestamp)

Recipe #2: Custom authorization and permission levels

Recipe #3: OAuth on the Desktop

Behind the scenes: oauth_token=qu77&oauth_token_secret=77qu&user_name=kellan&granted_permission=write

1. Once you’ve distributed your secret, is it a secret?

2. The user experience sucks!

Umm, really?

OAuth on the desktop: 2-factor authentication and the Ritual Coffee attack.

this is why OAuth defines both a Consumer Key/Secret pair and the Token/Secret pair

so make sure your authorization page is CSRF safe

OAuth on the Desktop: “Worst possible user experience except for all the others”

Recipe #4: “Two legged APIs”

3 legged: FireEagle.setLocation, Twitter.privateTimeline, Flickr.upload, Flickr.search

2 legged: FireEagle.nearby, Twitter.friendsTimeline, Flickr.search

Solution #1: use a constant instead of the access token and access secret.

http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=DUMMY_TOKEN&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1

base64encode(hmac_sha1(33tr&DUMMY_SECRET, GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_timestamp%3D1210171725%26oauth_token%3DDUMMY_TOKEN))

Solution #2: FireEagle issues an “application access token” that can be used to sign application scoped APIs.

Recipe #5: At Scale

Avoid hitting the database, and distributing secrets

Avoid hitting the database. Tokens need not be opaque.

$token = base64_encode(encrypt($super_secret, "$consumer_key; $user_id; $expiration_date; $permissions;"));  // encrypt() is pseudocode: use an authenticated cipher under a key only the SP holds, so a token that has been altered fails to decrypt

Better Tokens
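An added example, not from the talk, of Recipe #5 combined with the expiring tokens of Recipe #1: a self-describing token that the service provider can check without a database lookup. It swaps the slide's encrypt() for an HMAC tag, because an encrypted-but-unauthenticated token can be altered without detection; if the claims must also stay hidden from the consumer, use authenticated encryption instead. The token secret is derived from the token under a second key, so it need not be stored either. Key values and field names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys, held only by the service provider (assumption for this example).
TOKEN_MAC_KEY = b"sp-token-mac-key-example-only"
SECRET_DERIVATION_KEY = b"sp-token-secret-key-example-only"
TAG_LEN = 32  # length of the HMAC-SHA256 tag appended to the payload

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_secret(token):
    # Derived rather than stored: the SP recomputes it when checking a request signature.
    return hmac.new(SECRET_DERIVATION_KEY, token.encode(), hashlib.sha256).hexdigest()

def mint_token(consumer_key, user_id, permission, ttl_seconds, now=None):
    # Builds the (oauth_token, oauth_token_secret) pair returned from the access-token step.
    now = int(time.time() if now is None else now)
    claims = {"ck": consumer_key, "uid": user_id, "exp": now + ttl_seconds, "perm": permission}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(TOKEN_MAC_KEY, payload, hashlib.sha256).digest()
    token = _b64(payload + tag)
    return token, token_secret(token)

def parse_token(token, now=None):
    # Returns the claims, or None if the tag does not verify or the token has expired
    # (the expired case is what the slide answers with "401 Unauthorized / Expired Token").
    try:
        raw = _unb64(token)
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(TOKEN_MAC_KEY, payload, hashlib.sha256).digest()):
        return None
    claims = json.loads(payload)
    now = int(time.time() if now is None else now)
    return None if claims["exp"] <= now else claims
```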

Avoid distributing the secret

$oauth_signature = base64_encode(hash_hmac('sha1', $signature_base_string, rawurlencode($consumer_secret) . '&' . rawurlencode($token_secret), true));  // the verifier needs the same secrets to recompute this, hence symmetric

HMAC-SHA1 signatures are symmetric

Alternate signing algorithm: RSA-SHA1

(asymmetric)

openssl_sign($signature_base_string, $raw_signature, openssl_get_privatekey($private_key_pem), OPENSSL_ALGO_SHA1);  // signing needs the Consumer's RSA private key, not its certificate
$oauth_signature = base64_encode($raw_signature);

Building the signature with RSA-SHA1

$ok = openssl_verify($signature_base_string, base64_decode($oauth_signature), openssl_get_publickey($cert), OPENSSL_ALGO_SHA1);
// openssl_verify() returns 1 when the signature matches, 0 when it does not, and false on error; the public key can only verify, never sign

Checking the RSA-SHA1 signature

Recipe #6: No encryption! I only want the token dance

What if your API clients had to run inside of Excel?

Wesabe: bank statements as social objects, security thru HTTP Digest Auth, and SSL
Use the PLAINTEXT signing algorithm

Recipe #7: Mobile OAuth/OAuth on the device


Multi-media device is very small desktop

This is a web browser

Devices

Recipe #8: Identity-less services? (your access token is your only identifier)

Extending the Core

In Process

• Body signing

• Discovery

• Gadgets

• Key Rotation

• Language Preference

• http://oauth.googlecode.com/svn/spec/

Potential extensions and future directions

• Response signing

• XMLSig signing algorithm

• OAuth over Jabber - what needs to be signed?

• OAuth on a chip - expect to see devices shipping in the next 6 months with OAuth stacks

Photo Credits

http://flickr.com/photos/laughingsquid/249911160/

http://flickr.com/photos/therealdevildoll/2238476894/

http://flickr.com/photos/stevegarfield/369172004/

http://flickr.com/photos/mbiddulph/1269991677/

http://flickr.com/photos/chromogenic/1053204718/

http://flickr.com/photos/darwinbell/428581415/

http://flickr.com/photos/85182154@N00/45736898/

http://flickr.com/photos/tracylee/30892867/

http://flickr.com/photos/evapro/305689596/

http://flickr.com/photos/earthandeden/395466458/

http://flickr.com/photos/thomashawk/136611116/

http://flickr.com/photos/altammar_q8/2352893870/

Questions?

Flickr will be offering OAuth by June 1st. (also we’re hiring)
