oauth: trust issues
DESCRIPTION
My talk for the Dutch PHP Conference, explaining the point of oauth, the mechanics of oauth2 and the various flows, and a spot of oauth1 for completeness
TRANSCRIPT
OAuth: A Question of Trust
About Me
• Lorna Jane Mitchell
• Twitter: @lornajane
• Web: http://lornajane.net
If OAuth is the answer, what was the question?
OAuth
username: lornajane
password: qwerty
OAuth
Hi, I’m lornajane
Two Kinds of OAuth
• OAuth 1
• in use on many systems
• many steps: ’the oauth dance’
• encryption overhead (so use a lib)
• OAuth 2
• requires SSL
• fewer steps
• recognises trust
• recommended for new systems
OAuth 2: Performance over Paranoia
OAuth2 Relationships
Before We Begin
Register for an API key and capture:
• application name
• callback URL(s) to use
• description
e.g. http://joind.in/user/apikey
OAuth2 Endpoints
Application Website: api key registration; user grant/revoke access
API: auth endpoint; resource endpoint
Client: callback URL; resources
Establishing Trust
We need an authorisation grant for the assistant to be able to access user data
Authorisation Grants
Authorisation Grant: Many Choices
How we authorise a third party:
• authorisation code
• implicit
• resource owner credentials
• client credentials
• ... potentially further extensions
Authorisation Code
Use for: server-side apps
Flow: we send the user to the application to grant access, and receive a code in return. Then exchange the code for an access token
Features: user never sees access token
Authorisation Code Process
Request to the auth endpoint carries: client_id, redirect_url, type, scope, state
Authorisation Code Process
User must be able to visit the site and revoke later
Authorisation Code Process
Callback to the client receives: code, state
Authorisation Code Process
Client sends client_key, client_secret, code to the API; the API checks the code and returns the access_token
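The authorisation code exchange above, written out as an added example (not code from the talk or from joind.in): an in-memory stand-in for the provider plus a server-side consumer, using the deck's parameter names (client_id, redirect_url, type, scope, state, client_key). The client-side state check and the single-use code are the two checks worth seeing; the client names, secret and URLs are constructed.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

REDIRECT = "https://client.example/callback"  # callback URL registered with the API key (constructed)
def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
class ToyAuthServer:
    def __init__(self):
        # constructed registration: one client, one registered callback
        self.clients = {"myapp": {"secret": "s3cr3t", "redirect": REDIRECT}}
        self.codes = {}  # code -> (client_id, redirect_url, scope); each code is single use

    def authorize(self, auth_url):
        """The user follows auth_url and grants access; returns the redirect back to the client."""
        p = _query(auth_url)
        client = self.clients[p["client_id"]]
        if p["type"] != "code" or p["redirect_url"] != client["redirect"]:
            raise ValueError("unregistered callback or unsupported grant type")
        code = secrets.token_hex(8)
        self.codes[code] = (p["client_id"], p["redirect_url"], p["scope"])
        # state is echoed back untouched so the client can tie this reply to its own request
        return p["redirect_url"] + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, client_key, client_secret, code, redirect_url):
        """Server-to-server exchange of the code plus client credentials for an access token."""
        client = self.clients.get(client_key)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        issued = self.codes.pop(code, None)  # pop: a code can be exchanged only once
        if issued is None or issued[0] != client_key or issued[1] != redirect_url:
            raise PermissionError("unknown, reused or mismatched code")
        return {"access_token": secrets.token_hex(8), "token_type": "OAuth", "scope": issued[2]}

class ServerSideApp:
    def __init__(self, server, client_key="myapp", client_secret="s3cr3t"):
        self.server, self.key, self.secret = server, client_key, client_secret
        self.pending = set()  # states we issued and have not yet seen come back

    def start(self, scope="read"):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://provider.example/auth?" + urlencode({"client_id": self.key,
            "redirect_url": REDIRECT, "type": "code", "scope": scope, "state": state})

    def callback(self, url):
        q = _query(url)
        if q.get("state") not in self.pending:  # not a reply to a request we made
            raise ValueError("state mismatch")
        self.pending.discard(q["state"])
        return self.server.token(self.key, self.secret, q["code"], REDIRECT)
```

The user never sees the access token: only the code travels through the browser, and the secret-bearing exchange happens server to server.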
Implicit Grant
Use for: client-side apps
Flow: we send the user to the application to grant access, and receive an access token in return
Features: super-simple
Implicit Process
Request to the auth endpoint carries: client_id, redirect_url, type, scope, state
Implicit Process
User must be able to visit the site and revoke later
Implicit Process
Callback to the client receives: access_token, state
Resource Owner Credentials
Use for: trusted consumers, such as same-provider apps or a script the user writes themselves
Flow: user gives username and password to the app, the app exchanges them for an access token and does not store them
Features: saves sending user to the main site and back
Resource Owner Credentials Process
User gives username, password to the app; the app sends username, password to the API
Resource Owner Credentials Process
API returns the access token
Client Credentials
Use for: privileged consumers
Flow: the client credentials act as the authorisation grant, and an access token is returned
Features: ideal for applications with more than per-user-data access rights
Client Credentials Process
Client presents its credentials ("hai"); API returns the access token
How to Choose Grant Type
What will be consuming this data?
It isn’t unusual for applications to support some or all of these grant types
You have an access token, now what?
Using Access Tokens
With the access token, include it in an Authorization header:
Authorization: OAuth db141c50adb74b22
Everything you already knew about web APIs now applies as normal
Refresh Tokens
Some applications will give you two tokens
• access token (shorter expiry)
• refresh token (longer expiry)
The refresh token is an authorisation grant in its own right, to be used when the access token has expired
What about access control?
Scope
Consumers will request a given set of permissions, usually called scope
Users usually only get to accept, or not
HTTPS (a vital OAuth2 ingredient)
HTTPS
HTTPS is HTTP over SSL/TLS (Secure Socket Layer/Transport Layer Security)
Basically, we encrypt the pipe!
OAuth 1
About OAuth 1
In a nutshell:
• Had its own encryption: needed a library/extension
• Involved many steps, therefore many request/response roundtrips
• leading to the phrase ’oauth dance’
• Solved exactly the same problem
• Had a single oauth endpoint
OAuth 1 Process
• Step 0: Register as a consumer
• Step 1: Get a request token
• Step 2: Send the user to authenticate
• Step 3: Swap their verification for an access token
• Step 4: Consume data
OAuth Today
• New project? Use OAuth 2
• OAuth 1 is complicated and needs PECL extension
• OAuth 2 requires SSL, and decision-making
Resources and Further Reading
• OAuth2 Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2
• Great introductory article: http://hueniverse.com/2010/05/introducing-oauth-2-0/
• Images from http://thenounproject.org
Thanks!
https://joind.in/6232
@lornajane
http://lornajane.net