• 1. Securing your Web API with OAuth
  Mohanaraj Gopala Krishnan, MYOSS Meetup, 4 Dec 2008, mohangk.org/blog
• 2. Questions for you
  - Experience with OAuth? Developed against it, read the spec, heard of it?
  - Application that exposes a Web API?
  - Authentication?
  - Experience using BBAuth, AuthSub, Flickr Auth etc.?
• 3. What is OAuth? A simple open standard for Web API authorization
  - End users: share information between online services without disclosing passwords
  - Web services (service providers): allow secure access to your API in a user-controlled manner
  - 3rd party applications (consumers): a standard authorization scheme for the web
• 4. Valet key for your web
  http://toyotaownersclub.com/forums/index.php?showtopic=77384
• 5. VS
• 6. http://www.flickr.com/photos/leelefever/133949029/
• 7. OpenID vs OAuth: goals are different
  - OpenID is about sharing a single identity with different consumers
  - OAuth is about sharing your data with different consumers without sharing your identity
  - Not mutually exclusive
• 8. OpenID vs OAuth: commonality
  - Open protocols, community driven
  - Both involve 3 parties
  - Both involve moving the user between consumer and service provider
  - Both involve laying a claim that is verified by the service/identity provider: OpenID “I own this URL”, OAuth “I own this resource”
• 9. Love triangle: end user, service provider, consumer
• 10. WTF ?!
• 11. “Passwords are not confetti. Please stop throwing them around. Especially if they’re not yours” - Chris Messina
  http://www.slideshare.net/carsonified/how-oauth-and-portable-data-can-revolutionize-your-web-app-chris-messina-presentation/
• 12. OAuth interaction demo: simple demo at http://oauth.kg23.com/
• 13. OAuth dance steps
  http://flickr.com/photos/wigwam/2255831538/
• 14. OAuth dance steps: terminology
  - consumer key: an identifier for the consumer to the service provider
  - consumer secret: secret used to establish ownership of the consumer key
  - request token: a value used to obtain authorization from the user; finally traded in for an access token
  - access token: value used to gain access to a protected resource on behalf of the user without requiring the user's credentials
  - token secret: secret used to establish ownership of a given token
• 15. OAuth dance steps
  http://www.googlecodesamples.com/oauth_playground/
• 17. OAuth roles: service provider
  - Implement three service endpoints: get request token; authenticate request token; exchange request token for access token
  - Provides a form of authentication: validates the requests that follow (post OAuth dance)
  - Provides a mechanism to maintain authorization
  - Additional API services, e.g. access token lifecycle management: revocation, extension
• 18. Service providers need to allow end users to manage their authorizations
• 19. OAuth roles: consumer
  - Acquire consumer key / consumer secret
  - Communication with service provider: over HTTP, in the Authorization header, the POST body or the GET query string
  - Signing requests: HMAC-SHA1, RSA-SHA1, PLAINTEXT
  - Keep track of access tokens: store the association of users to access tokens
    - Service providers have different policies as to token lifetime, e.g. Google vs Yahoo!
    - Must be treated as securely as passwords
• 20. OAuth security
  http://icanhascheezburger.com/2007/11/27/meh-security-system-let-me-showz-u-him/
• 21. OAuth security
  - Signing allows for security beyond HTTP basic auth
    - No secret goes over the wire beyond the dance
    - Request is verifiable: untampered
    - Nonce & timestamps mitigate replay attacks
  - Delegation of credentials instead of direct credentials
  - HTTPS still required for mitigating MITM, but if the data is not too critical, request signing should suffice
• 22. Signature: HMAC-SHA1
  text = HTTP method & base URL & normalized parameters
    - oauth parameters: oauth_consumer_key, oauth_token, oauth_nonce, oauth_timestamp, oauth_signature_method, oauth_version
    - request parameters: param1, param2
  oauth_signature* = HMAC-SHA1(text, secret), where secret = consumer_secret & oauth_token_secret
  * also base64 encoded + urlencoded
• 23. Signature: RSA-SHA1
  text = HTTP method & base URL & normalized parameters (same oauth and request parameters as above)
  oauth_signature* = RSA-SHA1(text, secret), where secret = consumer_secret (the consumer's private key)
  * also base64 encoded + urlencoded
• 24. OAuth usage environments
  - Web application: the standard case
  - Gadgets contained within a larger consumer: OAuth Gadget extension
  - 2-legged OAuth: no user involved; the consumer has been put in a position of trust, e.g. a Google domain administrator, or accessing public data
    - Extension implemented by Google: only HMAC-SHA1, no oauth_token; the additional xoauth_requestor_id parameter names the user to impersonate, and must be explicitly enabled
  - Desktop apps / JS apps: the consumer secret can be easily compromised (trust levels); doesn’t compromise authorization
• 25. Why bother?
  - Large adoption: Google, Yahoo!, MySpace
  - Interop: leverage the services
  - Can be used as a replacement for HTTP basic auth; SSL might not always be necessary
  - Part of the open web stack: AtomPub + OpenID + OAuth + XRDS + OpenSocial
• 26. Why bother?
  “OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion” - Dare Obasanjo
  http://www.25hoursaday.com/weblog/2007/11/12/OpenIDOAuthIsTheFinalNailInTheCoffinOfTheWSVsRESTDiscussion.aspx
• 27. State of OAuth
  - OAuth Core 1.0, IETF draft
  - Different use environments being worked out via extensions
  - Library support: extensive, but of varying quality
  - OpenID + OAuth hybrid models
  - Usability funkiness
• 28. Implementations
  - Libraries: oauth.net/code, http://github.com/search?q=oauth&x=0&y=0
  - Server implementations: PHP - http://code.google.com/p/oauth-php/; Ruby - http://github.com/pelle/oauth/tree/master
• Thanks
