OAuth4 (and OAuth4R)
Uploaded by choon-keat-chew
Transcript of OAuth4 (and OAuth4R)
Presentation to Singapore Ruby Brigade at SMU, School of Information System, 29 November 2007
Chew Choon Keat, sharedcopy.com
Why OAuth
• Web 2.0
• APIs
• Mashups
Giving away access
• Mint “an impressive personal finance application”
• Mint Terms of Service
• "Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay."- oauth.net
Alternatives: Hidden Public
• Random URLs
• Security by obscurity
Alternatives: Proprietary
• Google AuthSub
• AOL OpenAuth
• Yahoo BBAuth
• Upcoming API
• Flickr API
• Amazon Web Services API
What is OAuth
• “An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.”
OAuth Flow
• Registration (server to server)
• Request Token
• Authorization
• Access Token
Terms
• End User
• Protected Resource
• Service Provider
• Consumer
• Tokens
Consumer Registration
• Consumer to Service Provider: "Let's work together, here are my details"
• Service Provider to Consumer: "These are our secrets. Use it every time you talk to me"
Use Case
• End User to Consumer: "Print my pictures from SP"
Get Request Token
• Consumer to Service Provider: "I have someone who needs you"
• Service Provider to Consumer: "Pass this to him, and bring him to me"
Get Authorization
• Consumer to End User: "Go there. Bring this along"
• End User to Service Provider: "Hi, remember me?"
• Service Provider to End User: "Silver coin! You need Consumer to do things for you?"
• End User to Service Provider: "Yes"
• Service Provider to End User: "Your wish is my command. Return there"
Get Access Token
• End User to Consumer: "It's done!"
• Consumer to Service Provider: "He said ok? Gimme the keys"
• Service Provider to Consumer: "Ignore that silly silver coin... Use this from now and I will always treat you as he"
Use Access Token
• Consumer to Service Provider: "Gimme MY pictures"
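The dance on the slides above, from Consumer Registration to "Gimme MY pictures", as an added example written for this transcript (not OAuth4R's generator output or any library's code): a constructed in-memory Service Provider that registers a consumer, issues a request token, lets the End User authorize it, exchanges it for an access token, and serves the user's pictures. The names ServiceProvider, run_dance, attempt, the "printshop" consumer, the user Tommy and the photo list are assumptions made for the example. Request signing is left out here; the block only shows the checks the SP makes at each step: a request token goes only to a registered consumer, can be authorized once, is exchanged only by the consumer it was issued to and only after the End User said "Yes", and is destroyed on exchange. One caveat: this is the 2007 OAuth 1.0 flow; the OAuth 1.0a revision of 2009 added an oauth_verifier that the SP gives the End User at authorization time and the Consumer must present at the exchange, because the callback step as drawn gives the SP no proof that the person returning to the Consumer is the one who clicked "Yes".

```ruby
require 'securerandom'

# Constructed sample data: the End User's pictures living behind the SP.
PHOTOS = { 'Tommy' => ['beach.jpg', 'smu.jpg'] }.freeze

# Hypothetical in-memory stand-in for the Service Provider's database.
class ServiceProvider
  def initialize
    @consumers      = {} # consumer_key => consumer_secret
    @request_tokens = {} # token => { secret:, consumer_key:, user: nil until authorized }
    @access_tokens  = {} # token => { secret:, consumer_key:, user: }
  end

  # Consumer Registration: "These are our secrets. Use it every time you talk to me"
  def register_consumer(name)
    key    = "#{name}-#{SecureRandom.hex(4)}"
    secret = SecureRandom.hex(16)
    @consumers[key] = secret
    [key, secret]
  end

  # Get Request Token: "Pass this to him, and bring him to me".
  # Only a registered consumer gets one; it is not yet tied to any user.
  def request_token(consumer_key)
    raise 'unknown consumer' unless @consumers.key?(consumer_key)
    token = SecureRandom.hex(8)
    @request_tokens[token] = { secret: SecureRandom.hex(16), consumer_key: consumer_key, user: nil }
    [token, @request_tokens[token][:secret]]
  end

  # Get Authorization: the End User, logged in at the SP, answers "Yes" to the silver coin.
  def authorize(token, user)
    rt = @request_tokens[token]
    raise 'unknown request token' unless rt
    raise 'request token already used for authorization' if rt[:user]
    rt[:user] = user
    true
  end

  # Get Access Token: "Ignore that silly silver coin... Use this from now".
  # The request token must be authorized, must belong to the asking consumer, and is single-use.
  def access_token(consumer_key, token)
    rt = @request_tokens[token]
    raise 'unknown request token' unless rt
    raise 'request token belongs to another consumer' unless rt[:consumer_key] == consumer_key
    raise 'request token not authorized by the End User' unless rt[:user]
    @request_tokens.delete(token)
    access = SecureRandom.hex(8)
    @access_tokens[access] = { secret: SecureRandom.hex(16), consumer_key: consumer_key, user: rt[:user] }
    [access, @access_tokens[access][:secret]]
  end

  # Use Access Token: "Gimme MY pictures". The SP treats the request as the End User.
  def photos_for(consumer_key, access)
    at = @access_tokens[access]
    raise 'invalid access token' unless at && at[:consumer_key] == consumer_key
    PHOTOS.fetch(at[:user], [])
  end

  # The user at the SP website invalidates the Consumer's access at any time.
  def revoke(user)
    @access_tokens.delete_if { |_, at| at[:user] == user }
    nil
  end
end

# Consumer side of the dance, end to end.
def run_dance(sp, user = 'Tommy')
  key, _consumer_secret = sp.register_consumer('printshop')
  rt, _rt_secret = sp.request_token(key)      # "I have someone who needs you"
  sp.authorize(rt, user)                      # user is sent to the SP and says "Yes"
  at, _at_secret = sp.access_token(key, rt)   # "He said ok? Gimme the keys"
  sp.photos_for(key, at)                      # "Gimme MY pictures"
end

# Run a step that the SP is expected to refuse and return its reason.
def attempt
  yield
  :ok
rescue RuntimeError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts run_dance(ServiceProvider.new).inspect
end
```

In a real SP the secrets returned alongside each token are what the Consumer signs with (consumer secret for the request-token call, consumer secret plus request-token secret for the exchange, consumer secret plus access-token secret afterwards); possession of the secret is what stops another consumer from exchanging a request token it merely saw in a redirect URL.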
Using Access Token
• Whenever Consumer calls SP’s API
• GET /photos.xml
• bring consumer key, access token
• sign with consumer secret & access secret
• Service Provider verifies signature
• treats request as End User
• User at Service Provider website can choose to invalidate the access for Consumer at any time
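What "bring consumer key, access token" and "sign with consumer secret & access secret" look like in code, as an added example for this transcript (not the oauth gem's or OAuth4R's implementation): the Consumer builds and HMAC-SHA1-signs the GET /photos.xml call, and the Service Provider recomputes the signature from its own copy of the two secrets, rejects stale timestamps and replayed nonces, compares in constant time, and only then treats the request as the End User. Percent-encoding, the signature base string and the signing key follow OAuth 1.0; the consumer key, token, secrets, localhost URL and the in-memory tables are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters survive, everything else is %XX.
def oauth_encode(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Signature base string: METHOD & encoded base URL & encoded, sorted "k=v&k=v" parameter string.
def signature_base_string(method, url, params)
  normalized = params.reject { |k, _| k == 'oauth_signature' }
                     .map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [method.upcase, oauth_encode(url), oauth_encode(normalized)].join('&')
end

# HMAC-SHA1 keyed with "consumer secret & token secret", base64 without line breaks.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, base_string)].pack('m0')
end

# Consumer side: every API call carries consumer key + access token and is signed with both secrets.
def sign_request(method, url, query, consumer_key, consumer_secret, token, token_secret,
                 nonce: SecureRandom.hex(8), timestamp: Time.now.to_i)
  params = query.merge(
    'oauth_consumer_key'     => consumer_key,
    'oauth_token'            => token,
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_nonce'            => nonce,
    'oauth_version'          => '1.0'
  )
  base = signature_base_string(method, url, params)
  params.merge('oauth_signature' => hmac_sha1_signature(base, consumer_secret, token_secret))
end

# Service Provider side. Constructed in-memory tables stand in for the SP's database.
CONSUMERS     = { 'consumer-key-123' => 'consumer-secret-abc' }.freeze
ACCESS_TOKENS = { 'access-token-xyz' => { secret: 'access-secret-def', user: 'Tommy' } }.freeze
SEEN_NONCES   = {}

# Compare two signatures without revealing where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the End User the request is treated as, or nil if the SP refuses it.
def verify_request(method, url, params, now: Time.now.to_i, window: 300)
  consumer_secret = CONSUMERS[params['oauth_consumer_key']]
  token           = ACCESS_TOKENS[params['oauth_token']]
  return nil unless consumer_secret && token
  return nil unless params['oauth_signature_method'] == 'HMAC-SHA1'
  return nil if (now - params['oauth_timestamp'].to_i).abs > window   # stale request
  nonce_key = [params['oauth_consumer_key'], params['oauth_timestamp'], params['oauth_nonce']]
  return nil if SEEN_NONCES[nonce_key]                                 # replayed request
  expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                 consumer_secret, token[:secret])
  return nil unless constant_time_equal?(expected, params['oauth_signature'].to_s)
  SEEN_NONCES[nonce_key] = true
  token[:user]
end

if __FILE__ == $PROGRAM_NAME
  url = 'http://localhost:5001/photos.xml'
  signed = sign_request('GET', url, { 'page' => '1' }, 'consumer-key-123', 'consumer-secret-abc',
                        'access-token-xyz', 'access-secret-def')
  header = signed.select { |k, _| k.start_with?('oauth_') }
                 .map { |k, v| %(#{k}="#{oauth_encode(v)}") }.join(', ')
  puts "Authorization: OAuth #{header}"
  puts "treated as: #{verify_request('GET', url, signed).inspect}"
end
```

The signature covers the method, the URL and every query parameter, so changing "page" after signing, signing with the wrong consumer secret, or replaying a captured request all fail verification; the nonce table is the part most often forgotten in home-grown providers.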
Desktop Flow
http://flickr.com/photos/factoryjoe/sets/72157601300877805/detail/
Introducing OAuth4R
• Forget the protocol, just fill in the blanks
• Provides code generators to allow Rails website to support OAuth easily
• Generated scaffolds do the OAuth dance out of the box
• Developers only need to link the tokens to their Users
OAuth4R
svn checkout http://oauth4r.googlecode.com/svn/trunk/example_apps
• “Provider” site contains
• users
• users’ contacts
• “Consumer” site contains
• only users
• Users controller at http://localhost:5001/users
• with primitive login implemented
• Users’ Addressbook controller at http://localhost:5001/contacts
• with primitive permissions based on user’s login
OAuth4R: Provider
cd example_apps/oauth_provider
rake db:create:all
rake db:migrate
./script/server -p 5001
• Users controller at http://localhost:5000/users
• even more primitive login implementation
• For this demo, create a new user, “Tommy”
OAuth4R: Consumer
cd ../oauth_consumer/
rake db:create:all
rake db:migrate
./script/server -p 5000
OAuth4R: Provider
cd ../oauth_provider/
./script/generate oauth_provider GetContact
rake db:migrate
patch -p0 < TODO.patch
./script/server -p 5001
• Generate a “scaffold controller”
• Controller does the OAuth dance
• Modify to linkup with your own user models
• Modifying generated OAuth controller
• oauth_user = User.find(session..)
• Modify your User model to has_many oauth_user
• Modify controller guarding Protected Resources to requires_oauth
OAuth4R: Consumer
cd ../oauth_consumer/
./script/generate oauth_consumer UseGetContact
rake db:migrate
patch -p0 < TODO1.patch
./script/server -p 5000
• Generate a “scaffold controller”
• Controller can do OAuth dance with one service provider
• Modify to linkup with your User models
• Modify generated OAuth controller
• oauth_user = User.find(session..)
• Modify user to has_many oauth_user
• Add a link to kick-start OAuth authorization
link_to .. new_use_get_contact_path
• Go to http://localhost:5000/use_get_contacts
• Copy “Callback URL”
Registering Consumer
• http://localhost:5001/get_contacts/new
• Paste “Callback URL” & click Register
• Update config/use_get_contacts.oauth.yml
Registering Consumer
• Go to http://localhost:5000/users
• Click on “Tommy > Show” to login
• Click on "Establish OAuth..."
User Authorization
• Click “Create” and you’ll arrive at provider site (http://localhost:5001) to Login
• Authorization prompt will appear
• Click “Yes” & you’ll be redirected back to consumer site (http://localhost:5000)
User Authorization
All done, then what?
• Scripts accessing APIs on behalf of End User
• This demo uses a simple ActiveResource
• OAuth blocks our unauthenticated access
• We need to modify our API callers slightly
$ ruby script/fetch_contacts.rb
/example_apps/oauth_consumer/vendor/rails/activeresource/lib/active_resource/connection.rb:124:in `handle_response': Failed with 500 Internal Server Error (ActiveResource::ServerError)
patch -p0 < TODO2.patch
• Add acts_as_oauth_resource
• underlying http connection will be automatically padded with OAuth credentials
Modify ActiveResource
• Wrap ActiveResource activity inside with_oauth code blocks
Backend API Access?
$ ruby script/fetch_contacts.rb
---
- !ruby/object:Contact
  attributes:
    name: Dick
    updated_at: 2007-11-29 08:11:35 Z
    id: 1
    user_id: 1
    created_at: 2007-11-29 08:11:35 Z
  prefix_options: &id001 {}
- !ruby/object:Contact
  attributes:
    name: Harry
    updated_at: 2007-11-29 08:11:35 Z
    id: 2
    user_id: 1
    created_at: 2007-11-29 08:11:35 Z
  prefix_options: *id001
Done
Ruby Links
• OAuth4R: http://oauth4r.googlecode.com/
• OAuth Rails Plugin: http://oauth-plugin.googlecode.com/ and http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider
• OAuth Gem: sudo gem install oauth
• OAuth (was Twitter): http://oauth.googlecode.com/svn/code/ruby/
• Google Group: oauth-ruby, http://groups.google.com/group/oauth-ruby
Thank you!