OAuth FTW

Chris MessinaFuture of Web Apps

October 10, 2008London, England

How OAuth and portable data can revolutionize your web app

(FOR THE WIN)

OAuth |ō| |ôˌθ|Noun.

An open protocol that allows secure API authorization in a simple and standard method from desktop, web and mobile applications.

The story of OAuth starts with OpenID.

factoryjoe.com

?!X

factoryjoe.com

!

Can has OpenID?

? X

factoryjoe.com

B-b-but what about API apps?

X

(APPLICATION PROGRAMMING INTERFACE)

?

!?!

How much are your username and password worth?

wayn.com

imeem.com

PC Load Letter?! What the f...!

The Password Anti-pattern!

Passwords are not confetti.

Please stop throwing them around.

Especially if they’re not yours.

OAuth replaces the need for usernames and passwords with tokens and a hashing signature.

let’s take a look

Brightkite > pings Fire Eagle for Request Token

Fire Eagle > returns authorization realm

Brightkite > requests that user authorize Brightkite

Fire Eagle > user authenticates through Yahoo! accounts

Fire Eagle > user grants authorization to Brightkite

Fire Eagle > Fire Eagle redirects user to callback URL

Brightkite > asks FE to exchange Request Token for Access Token

Fire Eagle > checks signature; if valid, returns Access Token

...subsequent requests are signed with this Access Token

users can manage access...

...and change access

or can revoke access later without having to change their primary account password

(i.e. if they lose their phone or their computer gets stolen)

?

discovery

Identity -› Discovery -› Authorization

OpenID -› XRDS-Simple -› OAuth Endpoint

(EXTENSIBLE RESOURCE IDENTIFIER RESOLUTION)

Identity -› Discovery -› [Authentication] -› Authorization

http://will.norris.name

☟<meta http-equiv="X-XRDS-Location" content="http://will.norris.name/?xrds" />

OpenID XRDS

<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical</Type> <URI>https://pip.verisignlabs.com/server</URI> <LocalID>https://recordond.pip.verisignlabs.com/</LocalID> </Service> </XRD></xrds:XRDS>

XRDS-Simple for Portable Contacts

<?xml version="1.0" encoding="UTF-8"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)"> <XRD version="2.0"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type> <Type>http://openid.net/srv/ax/1.0</Type> <URI>http://www.myopenid.com/server</URI> <LocalID>http://brian.myopenid.com/</LocalID> </Service> </XRD></xrds:XRDS>

XRDS-Simple for Portable Contacts

<XRD version="2.0"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI> </Service> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type>

...

XRDS-Simple for Portable Contacts

<XRD version="2.0"> <Type>xri://$xrds*simple</Type> <Service> <Type>http://portablecontacts.net/spec/1.0</Type> <URI>http://soocial.com/contacts.xml</URI> </Service> <Service priority="0"> <Type>http://specs.openid.net/auth/2.0/signon</Type> <Type>http://openid.net/sreg/1.0</Type> <Type>http://openid.net/extensions/sreg/1.1</Type> <Type>http://schemas.openid.net/pape/policies/2007/06/... <Type>http://openid.net/srv/ax/1.0</Type>

...

adoption

•OpenSocial

•MySpace

•Google

•Yahoo! (Fire Eagle)

•Netflix

•SmugMug

•Photobucket

•Plaxo

•Soocial.com

•Meetup.com

•Ma.gnolia

•Get Satisfaction

•Agree2

•SoundCloud

•88Miles

•Pownce

•Brightkite

•Praized

http://wiki.oauth.net/ServiceProviders

code

•C#

•Coldfusion

•Java

•Javascript

•Jifty

•.NET

•Objective-C

•OCaml

•Perl

•PHP

•CakePHP

•Python

•Ruby

•...interest in XMPP

http://oauth.net/code

the pitch

fin.

oauth.netme -› factoryjoe.com