(Note: the post as follows is identical to the slides)
The Web: HTTP/1.0
- Client <– –> Server
- GET, PUT, POST, DELETE, HEAD, …
- Headers
Auth experience
Example with Basic Auth:
curl -u "username:password" https://www.example.com/special
Auth experience
- Session Auth (cookies) IETF RFC 6265
- “free” with most web frameworks
- A session is usually tied to one user account and is normally authorized fully or not.
Example with cookies holding state through a session:
curl -c cookiejar.txt https://www.example.com/login
curl -b cookiejar.txt https://www.example.com/special
Auth experience
- OAuth IETF RFC 5849
- “Valet key for the web” (limited access OAuth Token)
- Scope access to resources
Example of a signed OAuth request:
<special signing sauce>
curl -v -H 'Authorization: OAuth
oauth_consumer_key="zsQpwbL3AGRNV4272Xc8Msi3hxhQWGrS",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1346887460",
oauth_nonce="1548267549",
oauth_version="1.0",
oauth_token="wvokahqtGMLS5o4AvVvokGZaA9pZjBcW",
oauth_signature="tvHRw2fLNxYE2FR62EfH6tAfBW4%3D"'
https://www.example.com/special
So what’s so special about OAuth?
So what’s so special about OAuth?
- Each client is assigned credentials granted by a resource owner to access a protected resource on a server
- Note: Client <– (stuff) –> Server
- Therefore the credentials granted to a specific client can be managed/revoked by the resource owner.
- An endpoint(s)/HTTP resource(s) can be scoped (to limit its functionality)
- “I give you (Ms. client) access to my API, but read only.”
- “Access all of my public data (Mr. client)”
- “(Mrs. Client) Is requesting access you your bank account, allow?”
Halt!
What about that guy on the internet (Eran Hammer) that was like “OAuth 2.0 sucks” !!rage quit!! ?!!
Agree or disgree … most importantly: he’s an expert and is prosthelytizing great information - Listen to him! (and read carefully)
The takeaway: dont throw the baby out with the bathwater and his commentary is directed at the 2.0 draft
Let’s Dance
What OAuth looks like
Technical pieces
- Consumer: client
- Service Provider: server
- User: resource owner
- Consumer Key and Secret: client credentials
- Request Token and Secret: temporary credentials
- Access Token and Secret: token credentials
URL pattern(s)
(Related to protocol workflow)
- https://provider.example.net/{initiate,request_token} (Temporary Credential Request)
- https://provider.example.net/authorize (Resource Owner Authorization URI)
- https://provider.example.net/{token,access_token} (Token Request UR)
- http://consumer.example.com/{oauth_redirect,ready,…}
(Ref: URL patterns for Twitter, AllPlayers.com)
Refs