Advanced OAuth Wrangling - Kellan Elliott-McCrea, XTech 2008: The Web on the Move

Upload: kellan

Post on 14-Jan-2015


Page 1: Advanced OAuth Wrangling

Advanced OAuth Wrangling

Kellan Elliott-McCrea, XTech 2008: The Web on the Move

Page 2: Advanced OAuth Wrangling

Assumptions

Page 3: Advanced OAuth Wrangling

Advanced, simple, and flexible. (Choose two.)

Page 4: Advanced OAuth Wrangling

OAuth? http://oauth.net/core/1.0

Page 5: Advanced OAuth Wrangling

OAuth is ....

... a protocol for developing password-less APIs.

Page 6: Advanced OAuth Wrangling

OAuth is ....

... a way for an application to interact with an API on a user’s behalf without knowing the user’s authentication credentials.

Page 7: Advanced OAuth Wrangling

OAuth is ....

... an open, freely-implementable and generic methodology for API authorization.

Page 8: Advanced OAuth Wrangling

OAuth is ....

... “your valet key for the Web.”

Page 9: Advanced OAuth Wrangling

OAuth is ....

... not OpenID.

Page 10: Advanced OAuth Wrangling

OAuth is ....

... not OpenID.

(OpenID does authentication, OAuth does authorization)

Page 11: Advanced OAuth Wrangling

Emerging Standard

• OAuth Core 1.0 released Dec 4th, 2007

• 12 months of open development on mailing lists

• Supported by Google, Yahoo, MySpace, Digg, Twitter, Magnolia, Pownce, Dopplr, Get Satisfaction, Mediamatic, Hyves, etc. (not all APIs launched yet)

• Authorization protocol for Google’s OpenSocial, and Yahoo’s Y!OS.

• Open source libraries in PHP, Python, Perl, Ruby, Java, Javascript, Objective-C, C#, ActionScript, ColdFusion

Page 12: Advanced OAuth Wrangling

So what does it do?

Page 13: Advanced OAuth Wrangling

A little history.

Page 14: Advanced OAuth Wrangling

In the beginning....

.... there was Twitter

.... and there was Ma.gnolia

Page 15: Advanced OAuth Wrangling

API.execute($username, $password)

Page 16: Advanced OAuth Wrangling

API.execute($username, $password)

API.execute(http://myid.example.org/)

Page 17: Advanced OAuth Wrangling

Delegated Token Auth

FlickrAuth, Google AuthSub, Yahoo’s BBAuth, Facebook Auth, Amazon AWS, etc...

Page 18: Advanced OAuth Wrangling

Username and password are replaced with a token and token secret that are unique to the user, the application, and the service provider.

Page 19: Advanced OAuth Wrangling

The Love Triangle

End User

Service Provider

Consumer Application

(fake applications by EHL) http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html

Page 20: Advanced OAuth Wrangling

Two technologies:

1. OAuth auth flow (aka token dance)

2. Normalized request signing

Page 21: Advanced OAuth Wrangling

Some quick vocab

• Service provider: a website that provides access via OAuth (i.e. the API).

• User: a person who has an account with the SP.

• Consumer: a website or application that uses OAuth to access the SP on the User’s behalf

• Consumer key and secret: Consumers are generally issued keys and secrets by the SP to uniquely identify them. (i.e. API key, and shared secret)

• Protected resource: any data or API controlled by the SP that requires authentication to access.

• Authorization URL: a web page hosted by the SP where the User is prompted to authorize or deny the Consumer

Pages 22-26: Advanced OAuth Wrangling (image-only slides, no transcribed text)
Page 27: Advanced OAuth Wrangling

Request signing

Page 28: Advanced OAuth Wrangling

Design Goals for Request Signing

• Prove that the Consumer is in possession of Consumer Secret, and Token Secret

• Protect against request forgery, and man-in-the-middle attacks.

• Protect against replay attacks.

• Lowest common denominator implementable. (no XML, no SSL, no PKI)

• Compatible with existing delegated auth APIs.

• Does NOT protect against eavesdropping. (Use SSL/TLS)

Page 29: Advanced OAuth Wrangling

base64encode(hmac_sha1(33tr&77uq, GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_timestamp%3D1210171725%26oauth_token%3Dqu77))

Page 30: Advanced OAuth Wrangling

http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=qu77&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1
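The two slides above show the signature base string and the signed request but not the code on either side of it. The following is an added example, not code from the talk or from any OAuth library: it builds the base string exactly as the slide does (percent-encode, sort, join), signs it with HMAC-SHA1 keyed by consumer_secret&token_secret, and then plays the Service Provider, recomputing the signature in constant time and enforcing the timestamp window and single-use nonce that the "protect against replay attacks" design goal calls for. The credentials (tr33/33tr, qu77/77qu), the timestamp, the nonce and the URL are the slides' own demo values; the 300-second freshness window, the Verifier class and the in-memory nonce set are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Credentials as they appear on the slides (constructed demo values, not real secrets):
# consumer key tr33 / consumer secret 33tr, access token qu77 / token secret 77qu.
CONSUMER_KEY, CONSUMER_SECRET = "tr33", "33tr"
TOKEN, TOKEN_SECRET = "qu77", "77qu"
URL = "http://api.example.com/secrets"


def pct(value):
    """OAuth 1.0 percent-encoding: everything except RFC 3986 unreserved chars is escaped."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted, '&'-joined, encoded params)."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class Verifier:
    """Service-provider side: recompute the signature and reject stale or replayed requests."""

    def __init__(self, secrets, window_seconds=300):
        # (consumer_key, token) -> (consumer_secret, token_secret); a DB lookup in practice
        self.secrets = secrets
        self.window = window_seconds
        self.seen = set()  # (consumer_key, token, timestamp, nonce) of accepted requests

    def verify(self, method, url, params, now):
        key = (params.get("oauth_consumer_key"), params.get("oauth_token"))
        secrets = self.secrets.get(key)
        if secrets is None:
            return False
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:  # outside the freshness window
            return False
        replay_key = key + (ts, params.get("oauth_nonce"))
        if replay_key in self.seen:  # same nonce+timestamp already accepted once
            return False
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, *secrets)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)  # record the nonce only after the signature checks out
        return True


def demo():
    """Sign the request from the slides, then show what the verifier accepts and rejects."""
    verifier = Verifier({(CONSUMER_KEY, TOKEN): (CONSUMER_SECRET, TOKEN_SECRET)})
    now = 1210171725
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN,
        "oauth_timestamp": str(now),
        "oauth_nonce": "34567",
        "oauth_signature_method": "HMAC-SHA1",
    }
    params["oauth_signature"] = sign("GET", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    results = {"first": verifier.verify("GET", URL, params, now)}
    results["replay"] = verifier.verify("GET", URL, params, now)          # identical resend
    results["stale"] = verifier.verify("GET", URL, params, now + 3600)   # an hour late
    forged = dict(params, oauth_nonce="99999")  # fresh nonce, but signed for a different URL
    results["tampered"] = verifier.verify("GET", "http://api.example.com/other", forged, now)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter on the verifying side: the nonce is recorded only after the signature is valid, so an unauthenticated sender cannot exhaust nonces on someone else's behalf, and the comparison uses hmac.compare_digest so that the check does not leak how many leading bytes of the signature were right.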

Page 31: Advanced OAuth Wrangling

OAuth is ....... delegated token auth which uses the “token dance” to mint user-consumer-service provider specific credentials, verified with request signing.

Page 32: Advanced OAuth Wrangling

OAuth is ....... plumbing..

Page 33: Advanced OAuth Wrangling

How’s everyone doing?

Page 34: Advanced OAuth Wrangling

OAuth Flexibility Cookbook

Page 35: Advanced OAuth Wrangling

If Not Forbidden

Page 36: Advanced OAuth Wrangling

Recipe #1: Expiring Tokens

Page 38: Advanced OAuth Wrangling (image-only slide, no transcribed text)
Page 39: Advanced OAuth Wrangling

Behind the scenes, the consumer requests the access token and receives:

oauth_token=qu77&oauth_token_secret=77qu&user_name=kellan&expires_on=1210478083

Page 40: Advanced OAuth Wrangling

HTTP/1.0 401 Unauthorized

Expired Token.

Page 41: Advanced OAuth Wrangling

Don’t fear the nonce (and timestamp)

Page 42: Advanced OAuth Wrangling

Recipe #2: Custom authorization and permission levels

Page 45: Advanced OAuth Wrangling (image-only slide, no transcribed text)
Page 46: Advanced OAuth Wrangling

Recipe #3: OAuth on the Desktop

Pages 47-51: Advanced OAuth Wrangling (image-only slides, no transcribed text)
Page 52: Advanced OAuth Wrangling

Behind the scenes: oauth_token=qu77&oauth_token_secret=77qu&user_name=kellan&granted_permission=write

Page 53: Advanced OAuth Wrangling

1. Once you’ve distributed your secret, is it a secret?

2. The user experience sucks!

Umm, really?

Page 54: Advanced OAuth Wrangling

OAuth on the desktop: 2-factor authentication and the Ritual Coffee attack.

Page 55: Advanced OAuth Wrangling

OAuth on the desktop: 2-factor authentication and the Ritual Coffee attack.

This is why OAuth defines both a Consumer Key/Secret pair and the Token/Secret pair.

Page 56: Advanced OAuth Wrangling

So make sure your authorization page is CSRF safe.
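The slide states the requirement but not how to meet it. The following is an added example, not code from the talk: it models the Service Provider's authorization page so that the "allow/deny" form can only be submitted by the session it was rendered for, by carrying a keyed MAC over (session id, request token) in a hidden field. The request-token bookkeeping, the SERVER_KEY, the session ids and the consumer key tr33 are constructed for this example; a real page would keep the pending request tokens in its token store and would also mark the request token as single-use, which this example does as well.

```python
import hashlib
import hmac
import secrets

# Constructed demo key for binding the form to a session; the SP would keep this private.
SERVER_KEY = b"constructed-demo-server-key"


class AuthorizationPage:
    """The SP's 'allow this consumer?' page, with the form tied to the logged-in session."""

    def __init__(self, server_key=SERVER_KEY):
        self.server_key = server_key
        self.pending = {}  # request_token -> consumer_key, created during the token dance

    def issue_request_token(self, consumer_key):
        token = secrets.token_urlsafe(16)
        self.pending[token] = consumer_key
        return token

    def _csrf_token(self, session_id, request_token):
        # Keyed MAC over (session, request token): a form rendered for one session and one
        # request token cannot be replayed for another without the server key.
        msg = f"{session_id}:{request_token}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def render_form(self, session_id, request_token):
        """Hidden fields the authorization form carries back on submit."""
        if request_token not in self.pending:
            raise KeyError("unknown request token")
        return {"oauth_token": request_token,
                "csrf": self._csrf_token(session_id, request_token)}

    def handle_decision(self, session_id, form):
        """Process the POST; only a form minted for this very session may authorize."""
        request_token = form.get("oauth_token")
        if request_token not in self.pending:
            return "unknown token"
        expected = self._csrf_token(session_id, request_token)
        if not hmac.compare_digest(expected, form.get("csrf", "")):
            return "csrf check failed"  # cross-site submission: no decision is recorded
        consumer = self.pending.pop(request_token)  # request token is single-use
        if form.get("decision") != "allow":
            return "denied"
        return f"authorized {consumer}"


def demo():
    page = AuthorizationPage()
    rt = page.issue_request_token("tr33")
    results = {}
    # 1. A cross-site POST that knows the request token but carries no valid CSRF field
    results["forged"] = page.handle_decision("alice-session", {"oauth_token": rt, "decision": "allow"})
    # 2. A form rendered for one session but submitted under another
    form = page.render_form("alice-session", rt)
    results["wrong_session"] = page.handle_decision("mallory-session", dict(form, decision="allow"))
    # 3. The genuine submission
    results["genuine"] = page.handle_decision("alice-session", dict(form, decision="allow"))
    # 4. The same request token cannot be authorized twice
    results["reuse"] = page.handle_decision("alice-session", dict(form, decision="allow"))
    return results


if __name__ == "__main__":
    print(demo())
```

The CSRF field is checked before any state changes, so a failed check leaves the pending request token untouched and the legitimate user can still complete the flow.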

Page 57: Advanced OAuth Wrangling

OAuth on the Desktop: “Worst possible user experience except for all the others”

Page 58: Advanced OAuth Wrangling

Recipe #4: “Two legged APIs”

Page 59: Advanced OAuth Wrangling

3 legged: FireEagle.setLocation, Twitter.privateTimeline, Flickr.upload, Flickr.search

2 legged: FireEagle.nearby, Twitter.friendsTimeline, Flickr.search

Page 60: Advanced OAuth Wrangling

Solution #1: use a constant instead of the access token and access secret.

http://api.example.com/secrets?oauth_consumer_key=tr33&oauth_token=DUMMY_TOKEN&oauth_timestamp=1210171725&oauth_nonce=34567&oauth_signature=Gcg%2F323lvAs&oauth_signature_method=HMAC-SHA1

base64encode(hmac_sha1(33tr&DUMMY_SECRET, GET&http%3A%2F%2Fapi.example.com%2Fsecrets&oauth_consumer_key%3Dtr33%26oauth_nonce%3D34567%26oauth_timestamp%3D1210171725%26oauth_token%3DDUMMY_TOKEN))

Page 61: Advanced OAuth Wrangling

Solution #2: FireEagle issues an “application access token” that can be used to sign application scoped APIs.

Page 62: Advanced OAuth Wrangling

Recipe #5: At Scale

Avoid hitting the database, and distributing secrets

Page 63: Advanced OAuth Wrangling

Avoid hitting the database. Tokens need not be opaque.

Page 64: Advanced OAuth Wrangling

$token = base64encode(encrypt( $super_secret, “$consumer_key; $user_id; $expiration_date; $permissions;”));
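The slide packs the consumer key, user id, expiration date and permissions into the token itself so the Service Provider can read them back without a database lookup. The following is an added example, not code from the talk: it mints a token carrying those same fields and appends an HMAC-SHA256 tag under a server-side master key (standing in for $super_secret), then parses it back, rejecting altered tokens and, for Recipe #1's expiring tokens, tokens whose expires_on has passed. It uses a MAC for integrity rather than the slide's encrypt(): an encrypted-but-unauthenticated token lets a client flip bits in the permissions field, and integrity is the property the verifier depends on; if the fields must also be hidden, wrap the payload in authenticated encryption instead. The token-secret derivation at the end is an extension of the slide's idea, not something the talk describes; the master key, field names and demo values (tr33, user 42, the expires_on from the Recipe #1 slide) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Server-side master key standing in for the slide's $super_secret (constructed demo value).
MASTER_KEY = b"constructed-demo-master-key-not-for-real-use"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(consumer_key, user_id, expires_on, permissions):
    """Pack the fields from the slide into the token itself and append an HMAC tag."""
    fields = {"ck": consumer_key, "uid": user_id, "exp": expires_on, "perm": permissions}
    payload = json.dumps(fields, separators=(",", ":")).encode()
    tag = hmac.new(MASTER_KEY, payload, hashlib.sha256).digest()
    return _b64u(payload + tag)


def parse_token(token, now):
    """Return the token's fields if the tag is valid and it has not expired, else None."""
    try:
        raw = _unb64u(token)
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(MASTER_KEY, payload, hashlib.sha256).digest(), tag):
        return None  # altered fields, or a token this server never issued
    fields = json.loads(payload)
    if fields["exp"] <= now:
        return None  # Recipe #1: answer with 401 Expired Token
    return fields


def token_secret_for(token):
    """Derive the token secret from the token so no per-token secret has to be stored
    (an extension of the slide's idea, assumed here, not spelled out in the talk)."""
    return _b64u(hmac.new(MASTER_KEY, b"token-secret:" + token.encode(), hashlib.sha256).digest())


def demo():
    now = 1210171725  # timestamp used on the request-signing slides
    token = mint_token("tr33", 42, 1210478083, "write")  # expires_on from the Recipe #1 slide
    fields = parse_token(token, now)
    raw = bytearray(_unb64u(token))
    raw[0] ^= 1  # flip one bit of the JSON payload: the tag no longer matches
    tampered = parse_token(_b64u(bytes(raw)), now)
    expired = parse_token(token, 1210478083)
    return {
        "valid": fields is not None and fields["perm"] == "write" and fields["uid"] == 42,
        "tampered_rejected": tampered is None,
        "expired_rejected": expired is None,
        "secret_is_stable": token_secret_for(token) == token_secret_for(token),
    }


if __name__ == "__main__":
    print(demo())
```

Because every field and the token secret are derivable from the master key alone, any front-end host can verify a signed request without a round trip to the token database; the price is that revoking a single token before its expires_on requires a separate deny-list, which is why short expirations pair well with this recipe.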

Better Tokens

Page 65: Advanced OAuth Wrangling

Avoid distributing the secret

Page 66: Advanced OAuth Wrangling

$oauth_signature = base64encode(hmac_sha1( “$consumer_secret&$token_secret”, $signature_base_string))

HMAC-SHA1 signatures are symmetric

Page 67: Advanced OAuth Wrangling

Alternate signing algorithm: RSA-SHA1

(asymmetric)

Page 68: Advanced OAuth Wrangling

openssl_sign($signature_base_string, $raw_signature, openssl_get_privatekey($cert));
$oauth_signature = base64encode($raw_signature);

Building the signature with RSA-SHA1 (openssl_sign writes the raw signature into its second argument; the Consumer signs with its private key)

openssl_verify($signature_base_string, base64decode($oauth_signature), openssl_get_publickey($cert)) == 1

Checking the RSA-SHA1 signature (the Service Provider verifies with the Consumer’s registered public key; a public key can only verify, never produce, the signature)

Page 69: Advanced OAuth Wrangling

Recipe #6: No encryption! I only want the token dance

Page 70: Advanced OAuth Wrangling

What if your API clients had to run inside of Excel?

Page 71: Advanced OAuth Wrangling

What if your API clients had to run inside of Excel?

Wesabe: bank statements as social objects, security thru HTTP Digest Auth, and SSL

Page 72: Advanced OAuth Wrangling

What if your API clients had to run inside of Excel?

Wesabe: bank statements as social objects, security thru HTTP Digest Auth, and SSL

Use the PLAINTEXT signing algorithm

Page 73: Advanced OAuth Wrangling

Recipe #7: Mobile OAuth/OAuth on the device

Page 74: Advanced OAuth Wrangling


A multi-media device is a very small desktop.

Page 75: Advanced OAuth Wrangling

This is a web browser

Page 77: Advanced OAuth Wrangling

Devices

Page 78: Advanced OAuth Wrangling (image-only slide, no transcribed text)
Page 79: Advanced OAuth Wrangling

Recipe #8: Identity-less services? (your access token is your only identifier)

Page 80: Advanced OAuth Wrangling

Extending the Core

Page 82: Advanced OAuth Wrangling

In Process

• Body signing

• Discovery

• Gadgets

• Key Rotation

• Language Preference

• http://oauth.googlecode.com/svn/spec/

Page 83: Advanced OAuth Wrangling

Potential extensions and future directions

• Response signing

• XMLSig signing algorithm

• OAuth over Jabber - what needs to be signed?

• OAuth on a chip - expect to see devices shipping in the next 6 months with OAuth stacks

Page 84: Advanced OAuth Wrangling

Photo Credits

http://flickr.com/photos/laughingsquid/249911160/

http://flickr.com/photos/therealdevildoll/2238476894/

http://flickr.com/photos/stevegarfield/369172004/

http://flickr.com/photos/mbiddulph/1269991677/

http://flickr.com/photos/chromogenic/1053204718/

http://flickr.com/photos/darwinbell/428581415/

http://flickr.com/photos/85182154@N00/45736898/

http://flickr.com/photos/tracylee/30892867/

http://flickr.com/photos/evapro/305689596/

http://flickr.com/photos/earthandeden/395466458/

http://flickr.com/photos/thomashawk/136611116/

http://flickr.com/photos/altammar_q8/2352893870/

Page 85: Advanced OAuth Wrangling

Questions?

Flickr will be offering OAuth by June 1st. (Also, we’re hiring.)