Leah Culver: OAuth

OAuth: an authorization method for APIs. Gives plug-in developers access to authenticated users' data. Doesn't matter for publicly available information (that can just use RSS feeds, etc.).

Aside: Leah is an author of the spec and wrote the first Python library (and maintains it). Pownce also acts as a provider.

Definitions (3-way communication):
* Service Provider: the API provider
* Consumer Application: 3rd-party app which uses the API (e.g. the Pownce AIM bot)
* End User: duh

OAuth allows consumer applications to access private information or to accept input on the user's behalf. Token based, similar to Flickr, Google, Yahoo, Facebook, etc.; OAuth is based on the model those use. Lots of people involved in the spec (Google, Yahoo, etc.). Providing a standard makes it consistent for developers, including for integrating authorization across multiple service providers (Google and Pownce). Also want it to be intuitive for end users (the interface should not be inventive). Turns out that making it easy for end users is difficult. The standard needs to be secure for end users, service providers and 3rd-party apps. Designed so 3rd-party sites do not have to gather usernames and passwords (à la contact importers).

OAuth is an open standard with open source client libraries. The technical spec is community designed. OAuth is designed to be authentication-method agnostic: usernames and passwords, OpenID, etc.

Different from OpenID. OpenID: a URL that is your "identity"; you log in and then are authenticated. This logs you in. OAuth is a way to pass authorization between services.

Example use (high level):
1. On Nsyght, select that you want to authenticate with Ma.gnolia
2. Log in to Ma.gnolia (OpenID, Facebook, password, etc.)
3. Authorize/deny Nsyght's use (on the Ma.gnolia site)
4. Get redirected back to Nsyght, now with authorization

Technical: token based. Nsyght first obtains a request token from Ma.gnolia and sends the user there with it. The user logs in and authorizes it, and Nsyght then exchanges the request token for an access token. The access token is used for access to protected resources.
What about non-web apps? E.g. the AIM bot provides a link so you can open a browser window, but there is no real redirection back. Pownce provides a message telling you you're done; the user then tells PownceAIM (types "authdone").

How does the service provider document things for the 3rd-party consumer? Must provide URLs and documentation. Things needed: request token endpoint, authorization endpoint, access token endpoint, which request methods (GET, POST, PUT...), signature methods, extra parameters, etc. Other things: token expiry, etc.

How does a consumer application register? Must tell the service provider things about itself. Sign up and get back your consumer key and consumer secret.
* Consumer key: passed as an OAuth parameter.
* Consumer secret: used for signing.
* Token key: unique string granted by the service provider, passed as a request parameter.
* Token secret: granted by the service provider, used for signing.

It's a little confusing: both token types use the same parameter name (oauth_token) for request and access tokens. Annoying, but the different endpoints (http://api.../request_token/ vs. .../access_token/) tell them apart.

Takes several other parameters (elided):
* oauth_signature: computed with the secret(s) (HMAC-SHA1, RSA-SHA1 or plain text)
* oauth_signature_method: method for signing (must be one supported by the spec)
** HMAC-SHA1
** RSA-SHA1
** PLAINTEXT
* oauth_timestamp: seconds since the Unix epoch (must be increasing for a given consumer/token)
* oauth_nonce: random string, unique per timestamp/request (stops replay attacks)
* oauth_version

Information should be passed in (order of preference) the HTTP Authorization header, the HTTP POST request body (form parameters), or the URL query string.

The signature is computed over a "signature base string". E.g. for HMAC-SHA1, '&'.join(HTTP request method, HTTP URL, normalized request parameters (sorted by name)), with each of the three parts URL-encoded. This is then signed with the key: the URL-encoded consumer secret, '&', the URL-encoded token secret. PLAINTEXT doesn't use any base string: the signature is just the URL-encoded consumer secret and token secret joined with '&', so it should only be used over SSL. RSA-SHA1: same base string as for HMAC-SHA1, signed with the consumer's RSA private key.
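The base-string and signing rules above, as an added worked example in Python (written for these notes; not code from the talk or from Leah's library). It builds the signature base string, signs it with HMAC-SHA1 and PLAINTEXT, and recomputes and compares the signature the way a provider would. The request, key, secrets, nonce and timestamp are the sample request from Appendix A of the OAuth Core 1.0 spec; the function names and the verify helper are this example's own.

```python
# Added example: OAuth 1.0 signature base string, HMAC-SHA1 / PLAINTEXT signing,
# and provider-side verification. Not the talk's or Leah's library's code.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_escape(value):
    """Percent-encode as OAuth requires: only RFC 3986 unreserved chars stay bare."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """scheme://host[:port]/path with lowercase scheme/host, no query, default ports dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(params):
    """Encode names and values, sort, and join as name=value&...; oauth_signature is excluded."""
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, oauth_params):
    """METHOD&escape(url)&escape(normalized params); query-string params are signed too."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return "&".join([
        method.upper(),
        oauth_escape(normalize_url(url)),
        oauth_escape(normalize_params(list(query) + list(oauth_params))),
    ])


def signing_key(consumer_secret, token_secret=""):
    # Key for HMAC-SHA1; for PLAINTEXT this string *is* the signature.
    return f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}"


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    mac = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_plaintext(consumer_secret, token_secret=""):
    return signing_key(consumer_secret, token_secret)


def verify_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """Provider side: rebuild the base string from the received request, compare in constant time."""
    presented = dict(params).get("oauth_signature")
    if presented is None:
        return False
    expected = sign_hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Sample request from OAuth Core 1.0, Appendix A (constructed test data, not a live call).
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
SPEC_OAUTH_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
]


def spec_signature():
    """Returns (base string, HMAC-SHA1 signature) for the Appendix A request."""
    base = signature_base_string("GET", SPEC_URL, SPEC_OAUTH_PARAMS)
    return base, sign_hmac_sha1(base, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET)


if __name__ == "__main__":
    base, sig = spec_signature()
    print(base)
    print(sig)
```

Because the base string holds only public parameters, a provider can safely return it in a 401 body when the signature does not match, which is the debugging aid the talk credits the Python library with. The signing key is built from the secrets alone, so a leaked base string reveals nothing.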
Runthrough again (using the PownceAIM example):
1. PownceAIM makes an API call to the request token endpoint (does NOT include a request token)
2. Pownce returns a request token
3. PownceAIM constructs a link with the token
4. Pownce receives the token and presents the login/authorization page
5. User specifies that authorization is done (after Pownce notifies them); on the web this would be done by a callback
6. PownceAIM now assumes that the request token has been authorized, so it asks for an access token (the request includes an oauth_token field now)
7. Pownce checks the validity of the request token and returns an access token
8. PownceAIM requests protected data using the access token
9. Pownce checks the token and returns data if valid

There are various tokens that require management. Request tokens are only for login, so they often have a short expiry (e.g. Pownce allows a day). Access tokens live longer (2 weeks, forever). Also end-user token management on the service provider, to allow the user to "log out" of third-party services.

Errors are reported via HTTP status codes:
* 400 Bad Request: ill-formed request, unsupported parameter, unsupported signature method, duplicated parameter, etc.
* 401 Unauthorized: invalid or expired token, bad consumer key, invalid signature, used nonce, etc.

Some of these errors are common:
* Signature does not match. Annoying for developers; the library should show the expected base string (which the Python library does). That is safe because the base string contains only public information, no secrets. (Flickr didn't do this before, which was annoying.)
* Token is invalid: expired, wrong type.
* Request token unauthorized: the user never authorized the token, e.g. the user tried to authorize PownceAIM but typed "authdone" before logging in.

Testing tools: a web-based test at http://term.ie/oauth/example. Also a Mac desktop tool.

Problems with OAuth:
* Lots of documentation necessary for service providers (methods, expiry, etc. etc. etc.).
* How to handle files: OAuth is meant to work on strings; how do you handle file uploads? Being worked on now.
* Granular permissions: currently all or nothing (or multiple tokens per site). XOAuth (extensions) might have them.
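The nine steps and the error cases above, as an added example (a toy service provider written for these notes; not Pownce's code). It issues a request token, refuses to exchange it before the user has authorized it (the "typed authdone before logging in" case), burns it on exchange, enforces the expiry values mentioned in the talk (about a day for request tokens, two weeks for access tokens), and lets a user revoke a third party's access. Signature and nonce checks are assumed to run before these methods are called; the class and method names and the "notes" payload are this example's own.

```python
# Added example: token lifecycle on the provider side. Not Pownce's code; the
# signature check is assumed to have already passed for every call below.
import secrets
import time

REQUEST_TOKEN_TTL = 24 * 60 * 60        # request tokens are only for login: short-lived
ACCESS_TOKEN_TTL = 14 * 24 * 60 * 60    # access tokens live much longer


class OAuthError(Exception):
    """Carries the HTTP status the provider would answer with (400 or 401)."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


def _new_credential():
    return secrets.token_urlsafe(12), secrets.token_urlsafe(24)   # (key, secret)


class ServiceProvider:
    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so expiry can be exercised in tests
        self.consumers = {}          # consumer_key -> {"secret", "name"}
        self.request_tokens = {}     # token -> {"secret", "consumer_key", "user", "issued"}
        self.access_tokens = {}      # token -> same shape, "user" always set

    # Registration: the consumer receives its key and secret out of band.
    def register_consumer(self, name):
        key, secret = _new_credential()
        self.consumers[key] = {"secret": secret, "name": name}
        return key, secret

    def _require_consumer(self, consumer_key):
        if consumer_key not in self.consumers:
            raise OAuthError(401, "invalid consumer key")

    def _live_request_token(self, token):
        rec = self.request_tokens.get(token)
        if rec is None:
            raise OAuthError(401, "invalid request token")
        if self.clock() - rec["issued"] > REQUEST_TOKEN_TTL:
            del self.request_tokens[token]
            raise OAuthError(401, "expired request token")
        return rec

    # Steps 1-2: request token endpoint (no oauth_token in the request).
    def request_token(self, consumer_key):
        self._require_consumer(consumer_key)
        token, secret = _new_credential()
        self.request_tokens[token] = {"secret": secret, "consumer_key": consumer_key,
                                      "user": None, "issued": self.clock()}
        return token, secret

    # Steps 3-5: the user follows the link, logs in to the provider, and approves.
    def authorize(self, token, user):
        self._live_request_token(token)["user"] = user

    # Steps 6-7: access token endpoint (oauth_token is now the request token).
    def access_token(self, consumer_key, request_token):
        self._require_consumer(consumer_key)
        rec = self._live_request_token(request_token)
        if rec["consumer_key"] != consumer_key:
            raise OAuthError(401, "request token belongs to another consumer")
        if rec["user"] is None:
            raise OAuthError(401, "request token not authorized")   # "authdone" before login
        del self.request_tokens[request_token]          # single use: never exchangeable twice
        token, secret = _new_credential()
        self.access_tokens[token] = {"secret": secret, "consumer_key": consumer_key,
                                     "user": rec["user"], "issued": self.clock()}
        return token, secret

    # Steps 8-9: protected resource.
    def protected_resource(self, consumer_key, access_token):
        rec = self.access_tokens.get(access_token)
        if rec is None or rec["consumer_key"] != consumer_key:
            raise OAuthError(401, "invalid access token")
        if self.clock() - rec["issued"] > ACCESS_TOKEN_TTL:
            del self.access_tokens[access_token]
            raise OAuthError(401, "expired access token")
        return {"user": rec["user"], "notes": ["hello from " + rec["user"]]}

    # End-user token management: the user "logs out" of one third-party app.
    def revoke(self, user, consumer_key):
        doomed = [t for t, r in self.access_tokens.items()
                  if r["user"] == user and r["consumer_key"] == consumer_key]
        for t in doomed:
            del self.access_tokens[t]
        return len(doomed)


def run_flow():
    """Happy path plus the premature exchange, as PownceAIM would experience it."""
    sp = ServiceProvider()
    ck, _cs = sp.register_consumer("PownceAIM")
    rt, _rts = sp.request_token(ck)
    try:
        sp.access_token(ck, rt)                # user has not logged in and approved yet
        early = None
    except OAuthError as e:
        early = e.status
    sp.authorize(rt, "leah")                   # user logs in to Pownce and approves
    at, _ats = sp.access_token(ck, rt)
    return {"premature_exchange": early, "data": sp.protected_resource(ck, at)}


if __name__ == "__main__":
    print(run_flow())
```

The two checks worth copying are the single-use exchange (a request token is deleted the moment it becomes an access token, so a replayed step 6 gets a 401) and the consumer-key binding on both token types, which stops one consumer from cashing in another consumer's token.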
Timestamp and nonce verification is strange. The allowed time (must be increasing) can be thrown off by a badly configured desktop clock. Nonces have to be checked against old nonces... how long to store them, etc.

Vague token expiration: providers need to be clear so consumers know to check for expired tokens; consumers need to expect tokens to expire and handle expiry messages.

OAuth is considered final (as of 2007-12); current work is on OAuth Discovery. Lots of client libraries. There are a few service providers: 88 Miles, Google Contacts API (avoids the "add your contacts" password harvesting mentioned earlier), Ma.gnolia, Pownce, Thmbnl, Yahoo! Fire Eagle.

More information: oauth.net. Lots of other resources, including a mailing list, reference implementation, wiki, etc.

Question: what about granular permissions? XOAuth might have it. The spec is permissive, so you can pass extra parameters (the spec actually says the service provider can require these parameters). You can pass parameters to specify what you want, but it's not standardized. This presents problems (e.g. what if you have multiple levels of authorization for the same user? Additive, replacing, subtractive...?).

Question: does Pownce support more than OAuth? Yes, it also supports HTTP Basic (username, password). Would prefer not to since it's not very secure. Mostly political since 3rd-party developers are lazy.

Question (follow-up): what do developers actually use? Pownce-specific sites tend to use OAuth; ones that reference lots of sites tend to use HTTP Basic since it's a common denominator.

Question: is registering your app with the service provider a requirement? Yes, you must register an application, but this is often not very intensive and you can also use a sandbox.

Question (follow-up): how does this work with things that are meant to be installed on individual servers (à la WordPress)... do you have to register with EACH server? Flickr used to say use the same key.
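The timestamp-and-nonce problem above, as an added example (written for these notes; not the spec's reference implementation or any provider's code). Rather than demanding a strictly increasing timestamp, which a mis-set desktop clock breaks, it accepts any timestamp within a skew window and remembers nonces only for that window: once a timestamp is too old to pass the window check, its nonce can no longer be replayed, so it no longer needs to be stored. The window size, the status/reason return shape and all names are this example's own assumptions.

```python
# Added example: provider-side replay protection for OAuth 1.0 requests.
# Not from the talk or the spec; the 300-second window is an assumed value.
import time
from collections import deque


class ReplayGuard:
    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds
        self.clock = clock            # injectable for testing
        self.seen = set()             # (consumer_key, token, timestamp, nonce)
        self.order = deque()          # same keys in arrival order, for eviction

    def _evict(self, now):
        # Entries older than the window can no longer pass the timestamp check,
        # so forgetting their nonces is safe and bounds the store's size.
        while self.order and now - self.order[0][2] > self.window:
            self.seen.discard(self.order.popleft())

    def check(self, consumer_key, token, oauth_timestamp, oauth_nonce):
        """Returns (http_status, reason); 200 means the request may proceed."""
        if not (isinstance(oauth_timestamp, str) and oauth_timestamp.isdigit()):
            return 400, "oauth_timestamp must be a positive integer"
        if not oauth_nonce:
            return 400, "oauth_nonce missing"
        ts = int(oauth_timestamp)
        now = int(self.clock())
        # Skew in either direction is tolerated up to the window; beyond it, reject.
        if abs(now - ts) > self.window:
            return 401, "timestamp outside the acceptable window"
        self._evict(now)
        # Uniqueness is per consumer + token + timestamp, as the spec scopes nonces.
        key = (consumer_key, token, ts, oauth_nonce)
        if key in self.seen:
            return 401, "nonce already used"
        self.seen.add(key)
        self.order.append(key)
        return 200, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    ts = str(int(time.time()))
    print(guard.check("dpf43f3p2l4k3l03", "nnch734d00sl2jdk", ts, "kllo9940pd9333jh"))
    print(guard.check("dpf43f3p2l4k3l03", "nnch734d00sl2jdk", ts, "kllo9940pd9333jh"))
```

The eviction loop only looks at the head of the queue, so an entry that arrived early with a late timestamp can keep slightly older entries behind it alive a little longer; that wastes a few bytes but never lets a replay through. A malformed timestamp is a 400, a stale one or a reused nonce a 401, matching the error split in the notes.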
The consumer key is not really secret since it's sent over the wire, but the consumer secret is. From the user's point of view the tokens are per user, so it's pretty safe. The recommendation is to not distribute the secret in source but in binary. But from the provider's side you can't shut down a misbehaving app, since you don't know which particular installation you're shutting down. The new recommendation is to have the end user sign up for a key independently and then use that key. (Think the wpHoneyPot thing uses that.) Some work going on with OAuth Discovery about how this works. The key is really needed as a way to prevent anonymous DoS against the API.

Question (follow-up): can OpenID help? Maybe. If a developer logs in to register their app with OpenID, they could use that instead of a username/password.

Question: can OAuth replace OpenID? The identity thing is different. OAuth is authorization (rights) vs. identification (who are you; do you own the URL, etc.).

Question: is this used internally in the enterprise at all? Yes, at Google and Yahoo. Cal's example of Yahoo: Yahoo login is a central OAuth service provider that all other apps log in against. So the login group is considered more trusted than the Flickr site, etc. Leah: another use would be for separate sites: a central login repository, but separate spin-off apps that need authorization where you don't want to have to create your own authentication system.