OAuth: the spec, the dance, and drupal

Chris Christensen

@imetchrischris

AllPlayers.com

The Web: HTTP/1.0

Auth experience

Example with Basic Auth:

curl -u "username:password" https://www.example.com/special

Auth experience

Example with cookies holding state through a session:

curl -c cookiejar.txt https://www.example.com/login
curl -b cookiejar.txt https://www.example.com/special

Auth experience

Example of a signed OAuth request:

# <special signing sauce>: the client computes oauth_signature over the request
# so the server can recompute it and reject anything that was tampered with
curl -v \
  -H 'Authorization: OAuth '\
'oauth_consumer_key="zsQpwbL3AGRNV4272Xc8Msi3hxhQWGrS", '\
'oauth_signature_method="HMAC-SHA1", '\
'oauth_timestamp="1346887460", '\
'oauth_nonce="1548267549", '\
'oauth_version="1.0", '\
'oauth_token="wvokahqtGMLS5o4AvVvokGZaA9pZjBcW", '\
'oauth_signature="tvHRw2fLNxYE2FR62EfH6tAfBW4%3D"' \
  https://www.example.com/special
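The "special signing sauce" behind that header, as an added example that is not part of the original slides: the RFC 5849 signature base string, the HMAC-SHA1 signature, the header serialization, and the server-side check that recomputes the signature and rejects stale or replayed nonces. The consumer key, secrets, nonce and timestamp are constructed values, and the Verifier's in-memory nonce set is an assumption (a real server would use a shared store).

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849). Added example;
the consumer key, secrets, nonce and timestamp used with it are constructed."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 5849 3.6 percent-encoding: everything except unreserved characters is escaped."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lowercase scheme and host, drop default ports, query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    """RFC 5849 3.4.1: METHOD & encoded(URI) & encoded(sorted encoded params)."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list(body_params)                              # form-encoded body fields, if any
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)    # sort by encoded key, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Signing key is encoded consumer secret, '&', encoded token secret (empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 body_params=(), nonce=None, timestamp=None):
    """Client side: build the oauth_* protocol parameters, including the signature."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    base = signature_base_string(method, url, params, body_params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return params


def authorization_header(params):
    """Serialize as the Authorization: OAuth header shown on the slide."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in params.items())


def parse_authorization_header(header):
    """Inverse of authorization_header; realm is not a protocol parameter and is skipped."""
    if not header.startswith("OAuth "):
        return {}
    return {unquote(k): unquote(v)
            for k, v in re.findall(r'([\w.~-]+)="([^"]*)"', header[6:]) if k != "realm"}


class Verifier:
    """Server side: recompute the signature and reject stale or replayed requests."""

    def __init__(self, consumer_secrets, token_secrets, window=300, now=time.time):
        self.consumer_secrets, self.token_secrets = consumer_secrets, token_secrets
        self.window, self.now = window, now
        self.seen = set()    # (consumer_key, token, nonce, timestamp) already accepted (assumed in-memory)

    def verify(self, method, url, header, body_params=(), now=None):
        p = parse_authorization_header(header)
        try:
            ckey, sig = p["oauth_consumer_key"], p["oauth_signature"]
            nonce, ts = p["oauth_nonce"], int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if p.get("oauth_signature_method") != "HMAC-SHA1" or ckey not in self.consumer_secrets:
            return False
        token = p.get("oauth_token", "")
        if token and token not in self.token_secrets:
            return False
        current = self.now() if now is None else now
        if abs(current - ts) > self.window:          # skew window bounds how long a capture stays valid
            return False
        if (ckey, token, nonce, ts) in self.seen:    # nonce must be unique within the window
            return False
        base = signature_base_string(method, url, p, body_params)
        expected = hmac_sha1_signature(base, self.consumer_secrets[ckey], self.token_secrets.get(token, ""))
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False
        self.seen.add((ckey, token, nonce, ts))
        return True
```

Two things the slide's header hides are visible here: query and body parameters are folded into the signature base string (percent-encoded, then the whole string encoded again), so changing them invalidates the signature, and the server only gets replay protection if it actually remembers nonces and bounds the timestamp window.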

So what's so special about OAuth?

Authorization has meaning

So what's so special about OAuth?

Halt!

What about that guy on the internet (Eran Hammer) who was like "OAuth 2.0 sucks" and rage quit?!

Agree or disagree … most importantly: he's an expert and is proselytizing great information - listen to him! (and read carefully)

The takeaway: don't throw the baby out with the bathwater; his commentary is directed at the 2.0 draft.

Let's Dance

Footloose dance

What OAuth looks like

Facebook Twitter AllPlayers

What OAuth looks like: Protocol workflow

faji: photo gallery site

beppa: photo printing site

What OAuth looks like: Protocol workflow

Access faji from beppa's site

Redirection to get access on faji

What OAuth looks like: Protocol workflow

Approve/authorize faji to issue tokens to beppa that let it act as you

Redirect to Beppa

What OAuth looks like: Protocol workflow

Ask again with the temporary token and get a real, live access token

Call the API with the real, live access token
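The server side of that dance, as an added example that is not from the original slides: an in-memory token server playing the faji role, which hands beppa temporary credentials, records the owner's approval as an oauth_verifier, swaps temporary token plus verifier for an access token, and resolves the access token back to a user on API calls. It assumes a registry mapping consumer keys to their registered callback URL, and assumes request signatures (the previous slide) have already been verified before these handlers run.

```python
"""OAuth 1.0a three-legged token exchange, server side (the 'faji' role).
Added example with constructed consumer keys and callbacks; signature checks
on each incoming request are assumed to happen before these methods are called."""
import secrets
import time


class TokenServer:
    """Temporary credentials -> owner approval (verifier) -> access token (RFC 5849 section 2)."""

    def __init__(self, consumers, ttl=600, now=time.time):
        self.consumers = consumers   # consumer_key -> registered callback URL (assumed registry)
        self.ttl = ttl               # seconds a temporary token stays exchangeable
        self.now = now
        self.temp = {}               # temporary token -> record
        self.access = {}             # access token -> record

    def initiate(self, consumer_key, callback):
        """Step 1: beppa asks faji for temporary credentials."""
        if consumer_key not in self.consumers:
            return None
        # Only the pre-registered callback is honoured, so the verifier can never be
        # redirected to a site the consumer did not register.
        if callback != self.consumers[consumer_key]:
            return None
        token, secret = secrets.token_urlsafe(24), secrets.token_urlsafe(32)
        self.temp[token] = {"consumer": consumer_key, "secret": secret, "callback": callback,
                            "issued": self.now(), "verifier": None, "user": None}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, temp_token, user):
        """Step 2: the owner approves at faji; faji mints a verifier and redirects the
        browser to the registered callback. Returns the redirect URL or None."""
        rec = self.temp.get(temp_token)
        if rec is None or rec["verifier"] is not None:   # unknown token, or already approved
            return None
        if self.now() - rec["issued"] > self.ttl:
            del self.temp[temp_token]
            return None
        rec["verifier"] = secrets.token_urlsafe(16)      # binds this browser session to the exchange
        rec["user"] = user
        return f'{rec["callback"]}?oauth_token={temp_token}&oauth_verifier={rec["verifier"]}'

    def exchange(self, consumer_key, temp_token, verifier):
        """Step 3: beppa trades temporary token + verifier for access credentials."""
        rec = self.temp.pop(temp_token, None)            # single use, whatever happens next
        if rec is None or rec["consumer"] != consumer_key:
            return None
        if rec["verifier"] is None or not isinstance(verifier, str):
            return None
        if not secrets.compare_digest(rec["verifier"].encode(), verifier.encode()):
            return None
        if self.now() - rec["issued"] > self.ttl:
            return None
        token, secret = secrets.token_urlsafe(24), secrets.token_urlsafe(32)
        self.access[token] = {"consumer": consumer_key, "secret": secret, "user": rec["user"]}
        return {"oauth_token": token, "oauth_token_secret": secret}

    def resource_owner(self, consumer_key, access_token):
        """Step 4: on an API call, resolve the access token to the user it represents."""
        rec = self.access.get(access_token)
        if rec is None or rec["consumer"] != consumer_key:   # token is bound to one consumer
            return None
        return rec["user"]
```

The verifier is what turns "ask again using temp tokens" into something safe: without it, a temporary token obtained by one party could be approved by a different user and then exchanged by the first party, so the exchange requires both the token and the verifier that was handed only to the approving user's browser.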

Technical pieces

Terminology

URL pattern(s)

(Related to protocol workflow)

(Ref: URL patterns for Twitter, AllPlayers.com)

Demo Time

Refs
