Authorization with OAuth
Rob Richards
October 22, 2009
cdatazone.org
http://xri.net/=rob.richards
Authentication

• HTTP Authentication
  • Basic
  • Digest
  • TLS/SSL
• WS-Security
• Developer Keys
• 3rd Party Authentication
  • Yahoo BBAuth
  • AOL OpenAuth
OAuth

An Open Protocol to allow Secure API Authorization
OAuth is not OpenID

OAuth is like OpenID
Data Authorization

Plaxo
OAuth

OAuth is like a Valet Key
OAuth

OAuth is like a Hotel Keycard
Master Key
(diagram: hotel rooms 101 to 108)

Guest Key: Granting Access
(diagram: hotel rooms 101 to 108)

Guest Key: Revoking Access
(diagram: hotel rooms 101 to 108)

Master Key Maintains Full Access
(diagram: hotel rooms 101 to 108)
OAuth Clients

OAuth and Netflix

developer.netflix.com

Netflix API

Netflix API: User Resources

Netflix Applications ... and many more

Obtaining a Consumer Key / Secret
3-Legged OAuth
“The OAuth Dance”

Step 1: Obtaining a Request Token

http://api.netflix.com/oauth/request_token

Signed Request; response: Request Token & Secret
Step 1: Obtaining a Request Token

http://api.netflix.com/oauth/request_token?
oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback
&oauth_consumer_key=1234567890123456789012345
&oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e
&oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255631744
&oauth_version=1.0
Calculating The Signature

Calculate Base String
<HTTP method>&<canonicalized URL path>&<parameters>

GET&http%3A%2F%2Fapi.netflix.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Fwww.example.com%252Fcallback%26oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D3eb496472d2a46ceb71d65fc1b7341ae359f932c%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255631744%26oauth_version%3D1.0
Calculating The Signature

• Parameters are collected, sorted and concatenated into a normalized string
  • Parameters in the OAuth HTTP Authorization header, excluding the realm parameter.
  • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded).
  • HTTP GET parameters added to the URL in the query part (as defined by [RFC3986] section 3).
• The oauth_signature parameter MUST be excluded
• Parameters are sorted by name, using lexicographical byte value ordering
Calculating The Signature (Authorization Header)

GET /oauth/request_token HTTP/1.1
User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10)
Host: api.netflix.com
Accept: */*
Authorization: OAuth oauth_callback="http%3A%2F%2Fwww.example.com%2Fcallback",
 oauth_consumer_key="1234567890123456789012345",
 oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e",
 oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D",
 oauth_signature_method="HMAC-SHA1",
 oauth_timestamp="1255631744", oauth_version="1.0"
Calculating The Signature

Create Secret
<consumer secret>&<token secret>
1234567890123456789012345&

Sign Base String using the algorithm specified
HMAC(1234567890123456789012345&,<Base String>)

Base64 encode then URL encode result:
oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
Step 1: Obtaining a Request Token (Response)

oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_token_secret=EZ2mBk6rC2vZ
&oauth_callback_confirmed=true
&login_url=https%3A%2F%2Fapi-user.netflix.com%2Foauth%2Flogin
Step 2: User Authentication

Determined by needs of Service Provider
https://api-user.netflix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
Step 2: User Authentication

Determined by needs of Service Provider

Callback
oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifier=abcdefg
Step 2: User Authentication

Determined by needs of Service Provider

OAuth Trust

A Matter Of Trust
Step 3: Obtaining an Access Token

http://api.netflix.com/oauth/access_token

Signed Request; response: Access Token & Secret
Step 3: Obtaining an Access Token

http://api.netflix.com/oauth/access_token?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a
&oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255704433
&oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_verifier=abcdefg
&oauth_version=1.0
Calculating The Signature

Calculate Base String
<HTTP method>&<canonicalized URL path>&<parameters>

GET&http%3A%2F%2Fapi.netflix.com%2Foauth%2Faccess_token&oauth_consumer_key%3D1234567890123456789012345%26oauth_nonce%3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1255704433%26oauth_token%3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifier%3Dabcdefg%26oauth_version%3D1.0
Calculating The Signature

Create Secret
<consumer secret>&<token secret>
1234567890123456789012345&EZ2mBk6rC2vZ

Sign Base String using the algorithm specified
HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>)

Base64 encode then URL encode result:
oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
Step 3: Obtaining an Access Token (Response)

oauth_token=5432109876543210987654321
&user_id=123myuserid456
&oauth_token_secret=543210987654321
Accessing Resources

http://api.netflix.com/<path to resource>

Signed Request; response: Resource
Accessing Resources

http://api.netflix.com/users/123myuserid456/queues?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2
&oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255712310
&oauth_token=5432109876543210987654321
&oauth_version=1.0
&v=1.5
Calculating The Signature

Create Secret
<consumer secret>&<token secret>
1234567890123456789012345&543210987654321

Sign Base String using the algorithm specified
HMAC(1234567890123456789012345&543210987654321,<Base String>)

Base64 encode then URL encode result:
oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
Accessing Resources (Response)

<?xml version="1.0" standalone="yes"?>
<resource>
 <link href="http://api.netflix.com/users/123myuserid456/queues/disc"
      rel="http://schemas.netflix.com/queues.disc" title="disc queue" />
 <link href="http://api.netflix.com/users/123myuserid456/queues/instant"
      rel="http://schemas.netflix.com/queues.instant"
      title="instant queue" />
</resource>

Accessing Resources (Response)

Managing Access Tokens
2-Legged OAuth

• No Dance Required
• Only Consumer Key and Secret required
• Application making requests on its own behalf
• Direct Access / No Delegation
• Replacement for HTTP Basic Authentication
• Sign requests just as if they were requests for Request Tokens
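The three signing steps walked through above (request token, access token, resource request) and the 2-legged case differ only in the token secret that goes into the key, so one signer covers all of them. The following is an added example, not code from the slides or from the Netflix API: it builds the OAuth 1.0 (RFC 5849) signature base string, signs it with HMAC-SHA1, and also shows the provider-side checks the slides leave implicit (constant-time comparison, timestamp window, nonce replay). The sample parameters are the Step 1 values from the slides; the endpoint host api.netflix.com and the secret handling are assumptions for the example.

```python
import base64, hashlib, hmac, time, urllib.parse

def pct_encode(value) -> str:
    # RFC 5849 3.6: only ALPHA / DIGIT / "-" / "." / "_" / "~" are left unencoded
    return urllib.parse.quote(str(value), safe="-._~")

def base_string_uri(url: str) -> str:
    # lowercase scheme and host, drop default ports, strip query and fragment
    p = urllib.parse.urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"

def signature_base_string(method: str, url: str, params: dict) -> str:
    # encode every name and value, sort by name then value, join with "=" and "&",
    # then encode the normalized string once more; oauth_signature is excluded
    pairs = sorted((pct_encode(k), pct_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # key is <consumer secret>&<token secret>; with no token yet (request-token step,
    # 2-legged OAuth) the key simply ends in "&"
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_secret, token_secret=""):
    base = signature_base_string(method, url, params)
    return {**params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}

def verify_request(method, url, params, consumer_secret, token_secret="",
                   seen_nonces=None, now=None, max_skew=300) -> bool:
    # provider side: reject stale timestamps, recompute the signature and compare it
    # in constant time, then refuse a replayed (consumer key, nonce, timestamp) triple
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs((int(time.time()) if now is None else now) - ts) > max_skew:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
        return False
    replay_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"), ts)
    if seen_nonces is not None:
        if replay_key in seen_nonces:
            return False
        seen_nonces.add(replay_key)
    return True

# constructed sample: the Step 1 request-token parameters shown on the slides
STEP1_URL = "http://api.netflix.com/oauth/request_token"
STEP1_PARAMS = {"oauth_callback": "http://www.example.com/callback",
                "oauth_consumer_key": "1234567890123456789012345",
                "oauth_nonce": "60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1255631744",
                "oauth_version": "1.0"}
```

For the access-token and resource steps, pass the request-token secret or access-token secret as token_secret; the base string and key rules stay the same.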
Questions?

Authorization with OAuth
Rob Richards
http://xri.net/=rob.richards
www.cdatazone.org