Sicurezza II A.A. 2010-2011
OAuth
Speaker:
André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
panisson@di.unito.it
Sicurezza II, A.A. 2010/2011
What is OAuth?
o OAuth (Open Authentication) is an open standard for authorization
• Allows sharing a user’s resources (photos, videos, contact lists) between different websites
• The user credentials (username and password) are not shared
• Websites share tokens instead of credentials
• Each token grants access
• to a specific website
• for specific resources
• for a defined duration
• OAuth is a service that is complementary to, but distinct from, OpenID.
OAuth vs OpenID
o They both live in the general domain of security, identity, and authorization
o They are open web standards
o They both celebrate decentralization
o They both involve browser redirects from the website you’re trying to use
o But they’re different: they let you do different things
OAuth vs OpenID
o OpenID gives you one login for multiple sites
» OAuth lets you authorize one website – the consumer – to access your data from another website – the provider
o With OpenID, there is no suggestion of two webapps sharing your data
» With OAuth, any information you hold on any website can be shared with another website
o With OAuth, you still need to log into the provider
OAuth Protocol
Example Provider: Twitter
o Twitter (twitter.com) shut off Basic Auth completely on August 30th 2010
http://techcrunch.com/2010/08/13/oauthpocalypse/
o If you have a Twitter account, you can become a Twitter developer:
• Go to dev.twitter.com
• Click “Your apps”
• Register a new application
• Choose Application Name, Description, Website
• Application Type: Browser
• …
• Register Application
Example Provider: Twitter
o Registered parameters:
• API key
• Consumer key
• Consumer secret
• Request token URL: https://api.twitter.com/oauth/request_token
• Access token URL: https://api.twitter.com/oauth/access_token
• Authorize URL: https://api.twitter.com/oauth/authorize
o Twitter supports HMAC-SHA1 signatures and does not support the PLAINTEXT signature method
Lab objective
o Develop a minimal website that performs access control via OAuth
• Integration with an OAuth consumer
• Interaction with an OAuth provider
Lab setup
o Apache 2.2.13 server under the $HOME/apache folder + PHP
OAuth Libraries
o Official site: http://oauth.net/
o We will install an internal provider implemented in PHP
• Source code for several languages:
http://code.google.com/p/oauth/
• Available as a package at
http://www.di.unito.it/~panisson/public/oauth-code.tar.gz
• Download and extract the file oauth-code.tar.gz:
tar -xvzf oauth-code.tar.gz
• Copy the whole php folder into the document root:
cp code/php $HOME/apache/htdocs/oauth -R
• Open the examples:
http://localhost:8080/oauth/example/
OAuth Test Server
o Read the instructions and try:
• Getting a Request Token
• Getting an Access Token
• Making Authenticated Calls
o Try with different signature types:
• HMAC-SHA1
• PLAINTEXT
• RSA-SHA1
OAuth Test Client
o Read the instructions and try making calls to the provider:
• Request Token
• Authorize
• Access Token
o Try with different signatures:
• HMAC-SHA1
• PLAINTEXT
• RSA-SHA1
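To make concrete what the HMAC-SHA1 and PLAINTEXT signature methods listed for the test server and the test client actually compute, here is an added Python example (not code from the slides or from the code.google.com/p/oauth library; the function names are the example's own). It builds the OAuth 1.0 signature base string, signs it with HMAC-SHA1, shows the PLAINTEXT "signature" for comparison, and performs the provider-side verification, using the published test vector from OAuth Core 1.0, Appendix A.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

def pct(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay literal,
    # spaces become %20 (never '+'); stricter than quote()'s defaults
    return quote(str(value), safe="-._~")

def normalize_url(url):
    # Base string URI: lowercase scheme/host, default port dropped, no query/fragment
    parts = urlsplit(url)
    host = parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(parts.scheme.lower()):
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"

def base_string(method, url, params):
    # params: (name, value) pairs from query, body and oauth_* protocol parameters;
    # oauth_signature is excluded and pairs are sorted by encoded name, then value
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Key = consumer secret & token secret (token secret is empty for a request token)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_plaintext(consumer_secret, token_secret=""):
    # PLAINTEXT ships the secrets themselves as the signature: acceptable only over TLS,
    # which is why a provider such as Twitter can refuse the method outright
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def verify_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Provider-side check: recompute over the received request and compare in constant
    # time; any change to method, URL, a parameter or the secrets breaks the match
    presented = dict(params).get("oauth_signature", "")
    expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)

# Test vector from OAuth Core 1.0, Appendix A (the photos.example.net consumer)
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = [("file", "vacation.jpg"), ("size", "original"),
               ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
               ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
               ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0")]
SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
```

The same base string construction is what the PHP test server recomputes on its side; the difference between the methods is only in how that string is turned into the oauth_signature value.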
OAuth Test Client
o Try with the Twitter parameters:
• API key
• Consumer key
• Consumer secret
• Request token URL: https://api.twitter.com/oauth/request_token
• Access token URL: https://api.twitter.com/oauth/access_token
• Authorize URL: https://api.twitter.com/oauth/authorize
OAuth 2.0
OAuth 2.0: http://oauth.net/2/
o Not backward compatible with OAuth 1.0
o Facebook's Graph API only supports OAuth 2.0 and is its largest implementation
o As of 2011, Google added OAuth 2.0 experimental support to its APIs
OAuth: Other implementations
o Try with the Python implementation
• From a shell (sh):
• export PYTHONPATH=$HOME/code/python
• python $HOME/code/python/oauth/example/server.py
• python $HOME/code/python/oauth/example/client.py
OAuth
Thanks for your attention!
©2009 by André Panisson. Permission to make digital or hard copies of part or all of this
material is currently granted without fee provided that copies are made only for personal
or classroom use, are not distributed for profit or commercial advantage, and that new
copies bear this notice and the full citation.