Tuesday, June 1, 2010

Open Source Bridge - OAuth: an Open Specification for Web Services

John Jawed - jawed@php.net
  • talk is about oauth at a high level and the problems it tries to solve
  • won't get low-level into the spec, etc.
  • problem - rasmus has private photos on flickr but wants to print them out using kodak's online photo printing service?
  • before oauth: have to give kodak your flickr user name and password
    • too powerful
      • can change passwords, delete photos, delete account
  • e.g. has anyone had to share their twitter u/p with another site to gain access?
  • how about some identifier issued by flickr to kodak?
    • would allow someone else to access your account but only with certain permissions and only for a certain length of time
  • for a few years we've had ...
    • yahoo bbauth
    • google authsub
    • aol openauth
    • windows live id
    • flickr token auth
    • many others
  • equivalent but different model -- drove the creation of oauth
  • the oauth dance
    • kodak sends rasmus to flickr
    • flickr asks rasmus: kodak wants to access your private photos
    • rasmus: sure!
    • flickr gives kodak a token with a secret
    • kodak makes api requests to flickr using the token/secret
    • fin
  • behind the scenes ...
    • timestamps
    • nonces
    • tokens
    • secrets
    • refresh tokens
    • signatures -- "ssl bastardized"
      • handy if requests aren't over https
  • yahoo big on openid and oauth
    • internal implementers at yahoo found oauth difficult to use
    • php.net/oauth designed to address problems with working with oauth
      • open source (bsd)
      • mature
      • supports talking to oauth apis
      • supports creating oauth apis
      • available as a php extension
  • code sample -- using oauth in php
    • start the session
    • create a new oauth object using api key
    • get request token using endpoint, e.g. twitter's request token url
    • redirect user to authentication url
    • after authentication, get an access token for interaction with the target service, e.g. twitter
    • fetch method in the oauth object handles all the token negotiation for you
  • to use oauth you don't need to understand the spec, just need to understand the flow
    • get request token (throw-away token)
    • get access token (token used to sign requests)
  • netflix example
    • pretty similar to twitter, but also need to pass user id
  • financial services example - wepay (paypal for groups)
    • similar paradigm--get request token, authorize access, get access token, interact with service
    • wepay also includes a verifier in addition to the tokens
  • example with no user
    • sign request with secret and api key--consumer key and consumer secret
  • what about accepting oauth in your API?
    • create oauthprovider object in php
    • get consumer key from caller, make sure it's still valid
    • three handlers
      • $provider->is2LeggedEndpoint()
      • $provider->consumerHandler()
      • $provider->timestampNonceHandler()
    • google: rasmus oauth to see full example walkthrough
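An added illustration (Python, written for these notes, not code from the talk or from the pecl/oauth extension) of the "behind the scenes" items above and of what a provider's consumerHandler and timestampNonceHandler have to do: the client computes an HMAC-SHA1 signature over the request, and the provider rejects unknown consumers, stale timestamps, replayed nonces and bad signatures. The consumer key, secret, nonce, timestamp and URLs are the RFC 5849 section 1.2 test-vector values; the Provider class and its return strings are this example's own.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote
# Credentials and request values are the RFC 5849 section 1.2 test vector (a photo
# printer asking a photo site for a request token), not any real service's secrets.
CONSUMERS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}  # consumer key -> secret
URL = "https://photos.example.net/initiate"
def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded normalized params."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 of the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Provider:
    """The checks pecl/oauth delegates to consumerHandler and timestampNonceHandler:
    known consumer, fresh timestamp, unseen nonce, then a recomputed signature."""
    def __init__(self, consumers, window=300):
        self.consumers, self.window, self.seen = consumers, window, set()
    def check(self, method, url, params, now=None):
        now = time.time() if now is None else now
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None:
            return "consumer_key_unknown"
        if abs(now - int(params.get("oauth_timestamp", 0))) > self.window:
            return "bad_timestamp"  # outside the accepted clock-skew window
        marker = (params["oauth_consumer_key"], params["oauth_timestamp"], params.get("oauth_nonce"))
        if marker in self.seen:
            return "bad_nonce"  # nonce/timestamp pair already accepted: a replay
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        if not hmac.compare_digest(sign(method, url, unsigned, secret), params.get("oauth_signature", "")):
            return "invalid_signature"
        self.seen.add(marker)  # record the nonce only once the request fully validated
        return "ok"

def initiate_request():
    """The request-token call of the RFC example, signed as the client sends it."""
    params = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "137131200", "oauth_nonce": "wIjqoS",
              "oauth_callback": "http://printer.example.com/ready"}
    params["oauth_signature"] = sign("POST", URL, params, CONSUMERS["dpf43f3p2l4k3l44"[:0] + "dpf43f3p2l4k3l03"])
    return params
```

The nonce set is in memory only here; a real provider keeps it in shared storage so that a replay against a different backend node is also caught.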
  • oauth for php supports
    • all oauth parameter types
    • hmac-sha1, rsa-sha1
    • 1.0a
    • oauth extensions: session, problem reporting
    • setting millisecond request timeouts
    • and much more
  • oauth 2.0
    • still a work in progress
    • same token paradigm
    • profile-based (web, client, etc.)
    • oauth 1.0 with session extension
    • oauth 1.0 implementations will be around for a long time
    • will be supported in pecl/oauth
    • problem oauth 2.0 tries to solve is that oauth 1.0 is very browser-focused, lots of requests/redirects
      • support for non-browser flow, native client flow, etc.
