Presentation is loading. Please wait.

Presentation is loading. Please wait.

OAuth Security for Gateways Zhenhua (Gerald) Guo and Marlon Pierce Indiana University.

Published byIsmael Bottom Modified over 10 years ago

Similar presentations

Presentation on theme: "OAuth Security for Gateways Zhenhua (Gerald) Guo and Marlon Pierce Indiana University."— Presentation transcript:

1 OAuth Security for Gateways Zhenhua (Gerald) Guo and Marlon Pierce Indiana University

2 OAuth and Gateways OAuth is a security protocol for Web applications. Security for REST and XML-RPC services. Three-legged OAuth – Human-application-application security – Security flaw, currently being revised – http://oauth.net/advisories/2009-1 Two-legged OAuth – Application-to-application security with no human interactions.

3 OAuth in the Wild ProviderDescription TwitterTwitter allows you to access private data through OAuth as an alternative to standard HTTP Authentication Google2-legged OAuth is used by Open Socials REST/RPC API. Allows gadgets in different containers to exchange data (Orkut LinkedIn, for example). Ma.gnoliaSocial bookmarking service, now defunct. OAuth was co-developed by these guys. FlickrPassword protected services can be accessed via OAuth instead. DrupalUsed for Drupal-to-Drupal interoperability

4 Delegation through Authentication User: this is the human Service Provider: a Web service that provides access to the Users data. Consumer: a Web application needing access to the Users data on the Service Provider The basic idea is that the User delegates authority to the Consumer to access his/her personal data on the Service Provider.

5 Parameter NameDescription oauth_consumer_keyConsumer uses this to prove identity to the Server. oauth_tokenRequest and access tokens (optional). oauth_signature_methodMethod (like HMAC-SHA1) used to sign the request. oauth_signatureContains a hash or signing of the request parameters using the consumers private key or a shared secret. oauth_timestampThe time of the invocation. oauth_nonceA random string that allows the service provider to verify that the invocation is unique to stop replay attacks. oauth_versionThe protocol version number. You can send these in HTTP Authorization Headers, in HTTP POST, or in HTTP GET

6 OAuth REST Example URL http://sandbox.orkut.com/social/rest/people/08354253340777199997/@self ?oauth_consumer_key =orkut.com%3A623061448914 &oauth_nonce =1231537930162003000 &oauth_timestamp =1231537930 &oauth_signature =0h%2FU49KtBplnmnc%2BhDKsDxFPR9%3D &oauth_signature_method =HMACSHA1 &oauth_token= &xoauth_requestor_id =03067092798963641994&oauth_version=1.0 That is, the API is all about generating, invoking, and managing the response of the above URL. The example is taken from two-legged OAuth. The optional token parameter is blank.

7 3-Legged, from http://oauth.net/core/1.0/

8 Getting Tutorial Examples

9 Tutorial Example Code We provide example Consumer and Service Provider codes. – In Java The Consumer example can also work with third party applications (Twitter). The Service Provider example supports both 2- and 3-legged OAuth.

10 Building the Examples Check out from OGCE SourceForge SVN – svn checkout https://ogce.svn.sourceforge.net/svnroot/ogce/incuba tor/OGCE-OAuth https://ogce.svn.sourceforge.net/svnroot/ogce/incuba tor/OGCE-OAuth Build with Apache Maven 2 – cd OGCE-Oauth – mvn clean install Fire up the server: –./portal_deploy/apache-tomcat-5.5.20/bin/startup.sh

11 Creating a Public/Private Key Pair Youll need a key pair for the Service Provider demo. – Openssl tools wont work with Java very easily. – Use Javas keytool instead. Use something like this: – keytool -genkey -keyalg RSA -keysize 1024 -alias oauth-demo - dname "cn=156-56-104-143.dhcp-bl.indiana.edu, ou=OGCE, o=OAuth, c=US – The cn value must be the DN of your server. Next export the public key. – keytool -alias oauth-demo-rsa -export -rfc -file mycert.pem Finally export the private key with the convenient code (keytool wont do this). – java ExportPrivateKey $HOME/.keystore JKS changeit oauth- demo-rsa mykey.pem

12 A Quick FAQ Can I use this code? – Yes, feel free. But give us credit. What do I need for my development environment? – Computer with Java 1.5 or greater and a real domain name/IP. Can I use http://localhost:8080 in my URLs?http://localhost:8080 – No, you need to use your computerss full DN for both the consumer and server pieces. Is there extensive, professionally written documentation with artistically appealing pictures somewhere? – Not yet.

13 Using Demo OAuth Consumer with Twitter

14 Provide some descriptive metadata about yourself Callback URL should point to your callback service. It must be a DN (not IP). For example: http://your.service/oauthConsumer/Oau th/Callback

15 Youll need this to use the Twitter service from the Consumer interface. Note you should not normally put secret keys in power point slides. This one has been disabled.

16 This is one example service. See more at http://apiwiki.twitter.com/Twitter-API-Documentation

17 Log in to the Consumer interface to get to the Account management interface

18 Add a consumer. The key, secret, and URLs all come from Twitters Application Details page.

19 Bind a private key to your account on the consumer. This is a demo implementation detail.

20 Redirected for authorization Retrieve illegible XML.

21 Using the Service Provider Interface

22 Log in to the server. Choose Developer Account Add or edit an existing application

23 Register a service. This is equivalent to the Twitter registration process.

24 Set privileges for a given user.

25 As Consumer, now add the Echo Service. We did the same thing earlier for Twitter service.

26 A)Invoke the service from the client, B)Authorize the client, C)Gaze upon the output.

Download ppt "OAuth Security for Gateways Zhenhua (Gerald) Guo and Marlon Pierce Indiana University."

Similar presentations

The How of OAuth OAuth Hackathon – Six Apart

The How of OAuth OAuth Hackathon – Six Apart
Written by Liron Blecher

Written by Liron Blecher
Overview of Twitter API Nathan Liu. Twitter API Essentials Twitter API is a Representational State Transfer(REST) style web services exposed over HTTP(S).

Overview of Twitter API Nathan Liu. Twitter API Essentials Twitter API is a Representational State Transfer(REST) style web services exposed over HTTP(S).
Smartphone-based authorization system Advisor: Dr. Wenjun Zeng - Professor Presenter: Yilihamujiang, Ailiyasijiang Zhou, Guanlong Al-Sinani, H. S. (2011).

Smartphone-based authorization system Advisor: Dr. Wenjun Zeng - Professor Presenter: Yilihamujiang, Ailiyasijiang Zhou, Guanlong Al-Sinani, H. S. (2011).
OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:
Developing Grid User Interface Components Portlets, gadgets, etc.

Developing Grid User Interface Components Portlets, gadgets, etc.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.

Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Scale Up Access to your 4GL Application using Web Services

Scale Up Access to your 4GL Application using Web Services
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.

INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.
Certificates, SSL and IPsec Ahmed Muaydh Sara Bin Saif Shi-Jey Chou Advisor:Dr. Leszek Lilien.

Certificates, SSL and IPsec Ahmed Muaydh Sara Bin Saif Shi-Jey Chou Advisor:Dr. Leszek Lilien.

Similar presentations

Ads by Google