OAuth: API Access Delegation Protocol. Faisal Imran, Rizwan Ali and Aslam Jarwar. URL: http://oauth.net/

Upload: aslam-jarwar

Post on 14-Apr-2017


Page 1: OAuth

OAuth

API Access Delegation Protocol

Faisal Imran, Rizwan Ali and Aslam Jarwar

URL: http://oauth.net/

Page 2: OAuth

Contents

History
What is OAuth
Terminologies used for OAuth
Working of OAuth protocol
Flow
Loopholes and drawbacks of OAuth
Consumer Implementation (Twitter & Xero)

Page 3: OAuth

History

OAuth started around November 2006, while Blaine Cook was working on the Twitter OpenID implementation.

In April 2007, a Google group was created with a small group of implementers to write a proposal for an open protocol.

In July 2007 the team drafted an initial specification and the group was opened to anyone interested in contributing.

Page 4: OAuth

What is OAuth

OAuth is an authorization standard for APIs that does away with handing over logins and passwords in order to grant authorization to a third party.

A protocol that allows private data hosted on web site X to be shared with web site Y.

A way for an application to interact with an API on a user's behalf without knowing the user's authentication credentials.

A protocol for developing password-less APIs.

It is just a skeleton; the implementation can be vendor specific.

In Short “your valet key for the Web”

Page 5: OAuth

Terminologies used for OAuth

Consumer: the application trying to access a protected resource.

Service Provider: the website or web service hosting the protected resource.

User: the owner of the protected data.

Protected Resource: images, videos or documents hosted on a website or web service and protected by the user.

Tokens: random, unique strings of letters and numbers. Two kinds: Request Token and Access Token.

Scope: the set of data hosted on the service provider that the user wants to share with the consumer.

Page 6: OAuth

Working of OAuth protocol

Web 2.0 means sharing data through APIs.
Users want to access their data using many services.
Developers want to satisfy their users (and make it easy for them).
Service providers need to keep their users' data secure.

Page 7: OAuth

Working of OAuth protocol A Play in 3 Acts (to exchange authorization)

Actors on the scene

User
Consumer
Service Provider

Page 8: OAuth

Working of OAuth protocol

A Play in 3 Acts (to exchange authorization)

The consumer has a Consumer key and a Consumer secret.

Consumer (to Service Provider): "give me a request token"

oauth_consumer_key
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
[additional parameters]

Page 9: OAuth

A Play in 3 Acts (to exchange authorization)

Service Provider (to consumer): "here is the request token (you can use it only once!)"

oauth_token (request token)
oauth_token_secret
[additional parameters]

Page 10: OAuth

A Play in 3 Acts (to exchange authorization)

Second Act: where the User authorizes the Request Token

Consumer (to the User): "Please go to the Service Provider and authorize this request"

consumer -> user -> service provider

oauth_token (request token)
oauth_callback
[additional parameters]

Service Provider (to the User): "Do you authorize consumer to access your data?"

Page 11: OAuth

A Play in 3 Acts (to exchange authorization)

User (to the Service Provider): "YES!" (or maybe "NO" :-) )

Service Provider (to the User): "You can go back to the consumer"

Service Provider -> User -> Consumer

oauth_token (request token)

Page 12: OAuth

A Play in 3 Acts (to exchange authorization)

Third Act: where the Consumer exchanges the Request Token for an Access Token

Consumer (to the Service Provider): "Please give me the access token for the user"

oauth_consumer_key
oauth_token (request token)
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)

Page 13: OAuth

A Play in 3 Acts (to exchange authorization)

Service Provider (to the Consumer): "here is the access token for the user"

oauth_token (access token)
oauth_token_secret
[additional parameters]

Now the consumer accesses the resources.

Consumer (to the Service Provider): "Here I am again, on behalf of the user"

oauth_consumer_key
oauth_token (access token)
oauth_signature_method
oauth_signature
oauth_timestamp
oauth_nonce
oauth_version (optional)
[additional parameters]
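The signed requests in the acts above, worked through as an added Python example that is not part of the original slides: the consumer builds the OAuth 1.0 signature base string from the oauth_* parameters listed and signs it with HMAC-SHA1, and a constructed Service Provider verifies the signature, bounds oauth_timestamp and refuses a repeated oauth_nonce, which is what stops a captured request from being replayed. The URL, consumer key and secrets are constructed values, and the URL is assumed to carry no explicit default port.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# OAuth 1.0 percent-encoding (RFC 5849 s3.6): only unreserved chars stay literal.
def oauth_encode(value):
    return quote(str(value), safe="-._~")

# Signature base string (RFC 5849 s3.4.1): METHOD & base URL & normalized params.
# `params` holds the oauth_* parameters plus any query/body parameters;
# oauth_signature itself is never part of what gets signed.
def signature_base_string(method, url, params):
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])

# HMAC-SHA1 keyed with "consumer_secret&token_secret". In the first act the
# consumer holds no token yet, so token_secret is the empty string.
def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

# Consumer side: attach oauth_signature to the request parameters.
def sign_request(method, url, params, consumer_secret, token_secret=""):
    base = signature_base_string(method, url, params)
    return {**params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}

# Service-provider side (constructed): recompute the signature, compare it in
# constant time, bound the timestamp and refuse a nonce it has already seen.
class ServiceProvider:
    def __init__(self, consumer_secrets, max_skew=300):
        self.consumer_secrets = consumer_secrets   # oauth_consumer_key -> secret
        self.max_skew = max_skew                   # seconds of allowed clock skew
        self.seen = set()                          # (consumer key, timestamp, nonce)

    def verify(self, method, url, params, now, token_secret=""):
        secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if abs(now - int(params.get("oauth_timestamp", 0))) > self.max_skew:
            return False   # stale or future-dated request
        replay_id = (params.get("oauth_consumer_key"), params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if replay_id in self.seen:
            return False   # same nonce again: a replayed request
        expected = hmac_sha1_signature(signature_base_string(method, url, params), secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False   # parameters were altered or the secret is wrong
        self.seen.add(replay_id)
        return True
```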

Page 14: OAuth

Flow

Page 15: OAuth

Working of OAuth protocol

Site Y is the consumer and site X is the service provider.
Site Y has a consumer ID and a shared secret, provided by site X to all its OAuth consumers.
The user accesses site Y and wants to share private data hosted on site X.
Site Y sends a request to site X with its consumer ID and shared secret and asks for a Request Token.
Site X returns the Request Token to site Y.
Site Y redirects the user to site X's login service with the request token.
The user enters username/password or OpenID credentials to log in to site X.
Site X validates the credentials, creates an Access Token associated with the request token and redirects the user back to site Y with the request token.
Site Y sends the request token to site X, asking for the Access Token.
Site Y gets the Access Token and uses it to access the protected resources hosted on site X.

(The Access Token is valid only for a limited period of time.)

Page 16: OAuth

Loopholes and drawbacks of OAuth

Trust in the Consumer is key:
The Consumer must redirect the user to the correct service provider.
The Consumer must use the private data only for the specific time period.

The OAuth specification is a skeleton: it does not define the resource or the signing algorithms used between consumer and service provider.

The OAuth specification does not talk about endpoint discovery, language support or XML-RPC support.

Page 17: OAuth

OAuth 2.0

OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0. The main framework was published in October 2012.

Focuses on client developer simplicity.
Facebook's new Graph API only supports OAuth 2.0.
Google and Microsoft had added experimental OAuth 2.0 support to their APIs.

In July 2012, Eran Hammer resigned his role as lead author for OAuth 2.0. He points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure".

Page 18: OAuth


Thank you