Web and Mobile Development: OAuth
Bill Mongan
Making a Web Service Call
- We need:
- An HTTP request
- A JSON parsing library
- Documentation of the service interface and response
- Sometimes, we need an API key to access our account
Making a Web Service Call
- How do we get and store this key?
- Store it in the program? (No!)
- Ask them to type it in? (No!)
- Save it in a file? (OK, just protect the file!)
OAuth
- A protocol for authenticating a user against a trusted service provider
- The user logs into their service with our app ID as a parameter
- The user authorizes our app to access their account
- We are provided with an access token or “key”
From SAML to OAuth
- Security Assertion Markup Language (SAML) provided an initial standard
- OAuth has evolved the protocol
OAuth
OAuth
OAuth
OAuth
- These are accomplished with RESTful calls.
- Users can paste the resulting key, but we can automate this by providing server-side service endpoints of our own that receive the key directly.
Example: Twitter
- Add a Developer App to get an application key
- This is what identifies our app to Twitter when a user first authenticates to give us permission
- OAuth 1.0 Reference
Example: Twitter
- Step 1: Initiate a Request for our app with Twitter:
POST https://api.twitter.com/oauth/request_token
Header:
OAuth oauth_nonce="K7ny27JTpKVsTgdyLdDfmQQWVLERj2zAK5BslRsqyw", oauth_callback="http%3A%2F%2Fmyapp.com%3A3005%2Ftwitter%2Fprocess_callback", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1300228849", oauth_consumer_key="OqEqJeafRSF11jBMStrZz", oauth_signature="Pc%2BMLdv028fxCErFyi8KXFM%2BddU%3D", oauth_version="1.0"
- Response is passed to the server
oauth_callbackas anoauth_token
oauth_token=Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik&oauth_token_secret=Kd75W4OQfb2oJTV0vzGzeXftVAwgMnEK9MumzYcM&oauth_callback_confirmed=true
Example: Twitter
-
Step 2: User Login:
GET https://api.twitter.com/oauth/authenticate?oauth_token=<OAUTH TOKEN> -
A callback is made to your initial callback with an
oauth_tokenandoauth_verifieras parameters
Example: Twitter
-
Step 3: Get Token:
POST https://api.twitter.com/oauth/access_token?oauth_token=<OAUTH TOKEN>&oauth_verifier=<OAUTH VERIFIER> -
When should we make this call?
-
Response:
oauth_token=6253282-eWudHldSbIaelX7swmsiHImEL4KinwaGloHANdrY&oauth_token_secret=2EEfA6BG5ly3sR3XjE0IBSnlQu4ZrUzPiYTmrkVU&user_id=6253282&screen_name=twitterapi
Example: Twitter
- Parse url query arguments into json:
require('url');
// ...
function (req, res) {
const queryObject = url.parse(req.url,true).query;
// this is now json
}
Example: Twitter
curl -XPOST
--url 'https://api.twitter.com/1.1/statuses/update.json?status=hello'
--header 'authorization: OAuth
oauth_consumer_key="oauth_customer_key",
oauth_nonce="generated_oauth_nonce",
oauth_signature="generated_oauth_signature",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="generated_timestamp",
oauth_token="oauth_token",
oauth_version="1.0"'
- How might we use the previous response to facilitate user logins to our application, without requiring a password of our own?
OAuth 2.0 Bearer Tokens
- If you are just accessing general data, and not manipulating / accessing a specific uesr’s account, the process is simplified.
- No login is required
- Request a “Bearer Token” that you pass in the header of each subsequent request
Example: Twitter
- Application-only Bearer Token
- Obtaining a Token
POST https://api.twitter.com/oauth2/token- Header:
Authorization Basic <INPUT> - Header:
application/x-www-form-urlencoded;charset=UTF-8
- Header:
- Body:
grant_type=client_credentials
Example: Twitter
-
<INPUT>is the Base-64 encoded app consumer key concatenated with a colon, concatenated with the consumer secret. -
Response:
{"token_type":"bearer","access_token":"AAAA..."}
Using Bearer Tokens
- Include a header in subsequent calls that includes the token/key you’ve obtained:
Authorization: Bearer <KEY>