Sicurezza II A.A. 2010-2011
OAuth
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
panisson@di.unito.it
Sicurezza II, A.A. 2010/2011

What is OAuth?
o OAuth (Open Authentication) is an open standard for authorization
  • Allows sharing a user's resources (photos, videos, contact lists) between different websites
  • The user's credentials (username and password) are not shared
  • Websites share tokens instead of credentials
  • Each token grants access
    • to a specific website
    • for specific resources
    • for a defined duration
  • OAuth is a service that is complementary to, but distinct from, OpenID.

OAuth vs OpenID
o They both live in the general domain of security, identity, and authorization
o They are open web standards
o They both celebrate decentralization
o They both involve browser redirects from the website you're trying to use
o But they're different: they let you do different things

OAuth vs OpenID
o OpenID gives you one login for multiple sites
  » OAuth lets you authorize one website – the consumer – to access your data from another website – the provider
o With OpenID, there is no suggestion of two webapps sharing your data
  » With OAuth, any information you hold on any website can be shared with another website
o With OAuth, you still need to log into the provider

OAuth Protocol
(diagram)

Example Provider: Twitter
o Twitter (twitter.com) completely shut off Basic Auth on August 30th 2010
  http://techcrunch.com/2010/08/13/oauthpocalypse/
o If you have a Twitter account, you can become a Twitter developer:
  • Go to dev.twitter.com
  • Click "Your apps"
  • Register a new application
    • Choose Application Name, Description, Website
    • Application Type: Browser
    • …
    • Register Application

Example Provider: Twitter
o Registered parameters:
  • API key
  • Consumer key
  • Consumer secret
  • Request token URL: https://api.twitter.com/oauth/request_token
  • Access token URL: https://api.twitter.com/oauth/access_token
  • Authorize URL: https://api.twitter.com/oauth/authorize
o Twitter supports HMAC-SHA1 signatures and does not support the PLAINTEXT signature method

Lab objective
o Develop a minimal website that performs access control through OAuth
  • Integration with an OAuth consumer
  • Interaction with an OAuth provider

Lab setup
o Apache 2.2.13 server under the $HOME/apache folder + PHP

OAuth Libraries
o Official site: http://oauth.net/
o We will install a local provider implemented in PHP
  • Source code for several languages: http://code.google.com/p/oauth/
  • Available as a package at http://www.di.unito.it/~panisson/public/oauth-code.tar.gz
  • Download and extract the file oauth-code.tar.gz:
    tar -xvzf oauth-code.tar.gz
  • Copy the whole php folder into the document root:
    cp code/php $HOME/apache/htdocs/oauth -R
  • Open the examples: http://localhost:8080/oauth/example/

OAuth Test Server
o Read the instructions and try:
  • Getting a Request Token
  • Getting an Access Token
  • Making Authenticated Calls
o Try with different signature types:
  • HMAC-SHA1
  • PLAINTEXT
  • RSA-SHA1

OAuth Test Client
o Read the instructions and try making calls to the provider:
  • Request Token
  • Authorize
  • Access Token
o Try with different signature types:
  • HMAC-SHA1
  • PLAINTEXT
  • RSA-SHA1
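The Request Token, Authorize and Access Token calls listed on this slide, together with the authenticated call and the HMAC-SHA1 signing from the Twitter slides, as an added example that is not part of the lecture material or of the oauth.net library code: a self-contained Python simulation in which the consumer and the provider run in one process (no HTTP), so the signature base string, the consumer_secret&token_secret key, the verifier check on the request token and the nonce/timestamp replay protection can be read in one place. The provider URL provider.example, the credentials ckey/csecret and the user alice are constructed for the example.

```python
# Added example (not from the lecture or the oauth.net code): an in-process simulation of
# the OAuth 1.0 three-legged flow with HMAC-SHA1 request signing. All names are constructed.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved characters kept)
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & url & sorted params; oauth_signature is never signed
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_sign(base, consumer_secret, token_secret=""):
    # Key is consumer_secret&token_secret; the token secret is empty on the first leg
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class Consumer:
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed_request(self, method, url, token=None, token_secret="", extra=None):
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                  "oauth_version": "1.0", **(extra or {})}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1_sign(base_string(method, url, params), self.secret, token_secret)
        return params

class Provider:
    def __init__(self, consumers):
        self.consumers = consumers                  # consumer key -> consumer secret
        self.request_tokens, self.access_tokens, self.seen = {}, {}, set()

    def _verify(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        # Replay protection: 5-minute timestamp window plus one-time nonce per consumer
        if abs(int(params.get("oauth_timestamp", "0")) - int(time.time())) > 300:
            return False
        nonce_key = (params["oauth_consumer_key"], params["oauth_timestamp"], params.get("oauth_nonce"))
        expected = hmac_sha1_sign(base_string(method, url, params), secret, token_secret)
        if nonce_key in self.seen or not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(nonce_key)
        return True

    def request_token(self, method, url, params):            # leg 1
        if not self._verify(method, url, params):
            raise PermissionError("bad signature")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "verifier": None, "user": None}
        return tok, sec

    def authorize(self, token, user):                        # leg 2: the user approves at the provider
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["verifier"]

    def access_token(self, method, url, params):             # leg 3
        rt = self.request_tokens.get(params.get("oauth_token"))
        if (rt is None or rt["verifier"] is None or params.get("oauth_verifier") != rt["verifier"]
                or not self._verify(method, url, params, rt["secret"])):
            raise PermissionError("request token not authorized or bad signature")
        del self.request_tokens[params["oauth_token"]]       # request tokens are single-use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"]}
        return tok, sec

    def resource(self, method, url, params):                 # authenticated call
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or not self._verify(method, url, params, at["secret"]):
            raise PermissionError("access denied")
        return {"user": at["user"], "timeline": ["hello"]}

BASE = "https://provider.example/oauth/"   # constructed; the real Twitter endpoints are on the slide

def run_flow():
    provider, consumer = Provider({"ckey": "csecret"}), Consumer("ckey", "csecret")  # constructed
    rq, ac, rs = BASE + "request_token", BASE + "access_token", BASE + "resource"
    rt, rt_sec = provider.request_token("POST", rq, consumer.signed_request("POST", rq, extra={"oauth_callback": "oob"}))
    verifier = provider.authorize(rt, "alice")    # in real life: browser redirect to BASE + "authorize"
    at, at_sec = provider.access_token("POST", ac, consumer.signed_request("POST", ac, rt, rt_sec, {"oauth_verifier": verifier}))
    return provider.resource("GET", rs, consumer.signed_request("GET", rs, at, at_sec))

def replay_is_rejected():
    provider, consumer = Provider({"ckey": "csecret"}), Consumer("ckey", "csecret")
    req = consumer.signed_request("POST", BASE + "request_token", extra={"oauth_callback": "oob"})
    provider.request_token("POST", BASE + "request_token", req)        # first use is accepted
    try:
        provider.request_token("POST", BASE + "request_token", dict(req))  # identical replay: same nonce
    except PermissionError:
        return True
    return False
```

run_flow() returns alice's protected resource after the three legs; replay_is_rejected() shows the provider refusing a second copy of an already-accepted request. The other two signature methods on the slide differ only in the last step: PLAINTEXT would send the consumer_secret&token_secret string itself as oauth_signature, which is why Twitter refuses it, and RSA-SHA1 replaces the HMAC over the same base string with an RSA signature under the consumer's registered key.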
OAuth Test Client
o Try with the Twitter parameters:
  • API key
  • Consumer key
  • Consumer secret
  • Request token URL: https://api.twitter.com/oauth/request_token
  • Access token URL: https://api.twitter.com/oauth/access_token
  • Authorize URL: https://api.twitter.com/oauth/authorize

OAuth 2.0
OAuth 2.0: http://oauth.net/2/
o Not backward compatible with OAuth 1.0
o Facebook's Graph API only supports OAuth 2.0 and is its largest implementation
o As of 2011, Google added OAuth 2.0 experimental support to its APIs

OAuth: other implementations
o Try the Python implementation:
  • sh
  • export PYTHONPATH=$HOME/code/python
  • python $HOME/code/python/oauth/example/server.py
  • python $HOME/code/python/oauth/example/client.py

Thanks for your attention!

©2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.