OAuth: the spec, the dance, and drupal

Chris Christensen

@imetchrischris

AllPlayers.com

The Web: HTTP/1.0

• Client <-- --> Server
• GET, PUT, POST, DELETE, HEAD, ...
• Headers

Auth experience

• HTTP Basic Auth - IETF RFC 1945
  • Simple!
  • Plaintext (SSL can "help")
  • Relys on client/browser authentication popup

Example with Basic Auth:

curl -u "username:password" https://www.example.com/special

Auth experience

• Session Auth (cookies) IETF RFC 6265
  • "free" with most web frameworks
  • A session is usually tied to one user account and is normally authorized fully or not.

Example with cookies holding state through a session:

curl -c cookiejar.txt https://www.example.com/login
curl -b cookiejar.txt https://www.example.com/special

Auth experience

• OAuth IETF RFC 5849
  • "Valet key for the web" (limited access OAuth Token)
  • Scope access to resources

Example of a signed OAuth request:

<special signing sauce>
curl -v -H 'Authorization: OAuth
 oauth_consumer_key="zsQpwbL3AGRNV4272Xc8Msi3hxhQWGrS",
 oauth_signature_method="HMAC-SHA1",
 oauth_timestamp="1346887460",
 oauth_nonce="1548267549",
 oauth_version="1.0",
 oauth_token="wvokahqtGMLS5o4AvVvokGZaA9pZjBcW",
 oauth_signature="tvHRw2fLNxYE2FR62EfH6tAfBW4%3D"'
https://www.example.com/special

So what's so special about OAuth?

So what's so special about OAuth?

• Each client is assigned credentials granted by a resource owner to access a protected resource on a server
  • Note: Client <-- (stuff) --> Server
  • Therefore the credentials granted to a specific client can be managed/revoked by the resource owner.
• An endpoint(s)/HTTP resource(s) can be scoped (to limit its functionality)
  • "I give you (Ms. client) access to my API, but read only."
  • "Access all of my public data (Mr. client)"
  • "(Mrs. Client) Is requesting access you your bank account, allow?"

Halt!

What about that guy on the internet (Eran Hammer) that was like "OAuth 2.0 sucks" !!rage quit!! ?!!

Agree or disgree … most importantly: he's an expert and is prosthelytizing great information - Listen to him! (and read carefully)

The takeaway: dont throw the baby out with the bathwater and his commentary is directed at the 2.0 draft

Let's Dance

What OAuth looks like

What OAuth looks like: Protocol workflow

What OAuth looks like: Protocol workflow

What OAuth looks like: Protocol workflow

What OAuth looks like: Protocol workflow

Technical pieces

Terminology

• Consumer: client
• Service Provider: server
• User: resource owner
• Consumer Key and Secret: client credentials
• Request Token and Secret: temporary credentials
• Access Token and Secret: token credentials

URL pattern(s)

(Related to protocol workflow)

• https://provider.example.net/{initiate,request_token} (Temporary Credential Request)
• https://provider.example.net/authorize (Resource Owner Authorization URI)
• https://provider.example.net/{token,access_token} (Token Request UR)
• http://consumer.example.com/{oauth_redirect,ready,...}

(Ref: URL patterns for Twitter, AllPlayers.com)

Demo Time

Refs

• http://tools.ietf.org/html/rfc1945#section-10.16 / http://en.wikipedia.org/wiki/Basic_access_authentication
• http://tools.ietf.org/html/rfc6265 / http://en.wikipedia.org/wiki/HTTP_cookie
• http://tools.ietf.org/html/rfc5849 / http://en.wikipedia.org/wiki/OAuth
• OAuth Checklist
• Build out and scratch pad notes
• Public Key Cryptography: Diffie-Hellman Key Exchange