Some OAuth love <3
by Nicolas Blanco
twitter.com/slainer68
WHY ?
THE STORY
OAuth

• 2006 by Blaine Cook (Twitter)
• OpenID for API access
• Delegation of access
• IETF - final protocol in 2010
OAuth

• 3-legged authentication
 • Resource owner (Mme Michu)
 • Server / Resource provider (vimeo)
 • Client / Consumer (dvdtrololol.com)
OAuth - Resource provider
[image slide] YOU!

OAuth - Resource owner
[image slide]
OAuth - workflow
[diagram labels: trolololdvd.com, vimeo, Temporary credentials, Redirection, Authorization page]

OAuth - Authorization page
[screenshot slide]

OAuth - Workflow
[diagram labels: Authorized request token -> Access token -> Access token]
OAuth - Signature

• Must sign all requests
 • Base string
 • Consumer key
 • Consumer secret
 • The signature
OAuth - Base string
The HTTP Method is GET
The URL is http://vimeo.com/api/rest/v2/
The method is vimeo.people.getInfo
There is only one API parameter for vimeo.people.getInfo: user_id is brad
The oauth_consumer_key is abcdef0123456
The oauth_nonce is r4nd0m1234
The oauth_timestamp is 1328533189
The oauth_signature_method is HMAC-SHA1
The oauth_version is 1.0

GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3Dvimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce%3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
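Building and signing that base string, as an added example that is not from the slides: the RFC 5849 percent-encoding, parameter normalization, HMAC-SHA1 signing and the provider-side constant-time check, run over the slide's constructed parameters with a dummy consumer secret.

```ruby
require 'openssl'

# Added example (not from the slides): RFC 5849 signature base string, HMAC-SHA1
# signing and verification. Secrets and nonce below are dummy values.
module OAuth1Signature
  # RFC 5849 section 3.6: every character except the unreserved set
  # (A-Z a-z 0-9 - . _ ~) is replaced by %XX with uppercase hex, byte by byte.
  def self.encode(value)
    value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |ch| ch.bytes.map { |b| format('%%%02X', b) }.join }
  end

  # Section 3.4.1: METHOD & encode(base URL) & encode(normalized parameters).
  # Keys and values are encoded first, then sorted by key (then value), then
  # joined as key=value pairs with '&', and the whole string is encoded again.
  def self.base_string(http_method, base_url, params)
    normalized = params.map { |k, v| [encode(k), encode(v)] }
                       .sort
                       .map { |k, v| "#{k}=#{v}" }
                       .join('&')
    [http_method.to_s.upcase, encode(base_url), encode(normalized)].join('&')
  end

  # Section 3.4.2: the HMAC key is encode(consumer secret) & encode(token secret).
  # The token secret is empty while requesting temporary credentials.
  def self.sign(base, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base)].pack('m0')
  end

  # Provider-side check: recompute the signature and compare in constant time,
  # so response timing does not reveal how many leading bytes of a guess matched.
  def self.valid?(presented, base, consumer_secret, token_secret = '')
    expected = sign(base, consumer_secret, token_secret)
    return false unless presented.bytesize == expected.bytesize
    presented.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# The slide's constructed request; consumer key, nonce and timestamp are the
# slide's dummy values. Hash order does not matter: base_string sorts.
SLIDE_PARAMS = {
  'method' => 'vimeo.people.getInfo',
  'user_id' => 'brad',
  'oauth_consumer_key' => 'abcdef0123456',
  'oauth_nonce' => 'r4nd0m1234',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1328533189',
  'oauth_version' => '1.0'
}.freeze

def slide_base_string
  OAuth1Signature.base_string('GET', 'http://vimeo.com/api/rest/v2/', SLIDE_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  base = slide_base_string
  puts base
  sig = OAuth1Signature.sign(base, 'secret')          # dummy consumer secret
  puts "oauth_signature=#{OAuth1Signature.encode(sig)}"
  puts OAuth1Signature.valid?(sig, base, 'secret')
end
```

The provider also has to reject a reused oauth_nonce/oauth_timestamp pair for the same consumer key, otherwise a valid signed request can simply be replayed.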
OAuth - Ruby
 • At least some Ruby!
 • gem install oauth

@callback_url = "http://www.dvdtrololol.com/oauth/callback"

@consumer = OAuth::Consumer.new("key", "secret", :site => "https://vimeo.com/auth")

# Request phase: obtain temporary credentials, keep them for the callback,
# then send the user to the provider's authorization page.
@request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
session[:request_token] = @request_token
redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)

# Callback phase: exchange the authorized request token for an access token.
# OAuth 1.0a providers return an oauth_verifier that must be passed along.
@request_token = session[:request_token]
@access_token = @request_token.get_access_token(:oauth_verifier => params[:oauth_verifier])
@videos = @access_token.get('/videos.json')
OAuth - signature
 • Here comes Faraday! Middleware, like Rack
 • https://github.com/technoweenie/faraday

builder.use Faraday::Request::OAuth, {
  :consumer_key => @consumer_key,
  :consumer_secret => @consumer_secret,
  :token => @atoken,
  :token_secret => @asecret
}
OAuth - Faraday middleware
[diagram slide]
OAuth2
• The next evolution: OAuth2
• Not backward-compatible
• IETF Draft
• Use it now!!!
• Facebook OpenGraph - Google - Microsoft
Why <3 OAuth2
• Clients don’t need cryptography anymore (HTTPS)
• Less complicated signatures
• Better support for non-browser apps
• Access tokens are short-lived
• Clean separation between auth server and request server
OAuth 2 - Debug with Curl!
curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads
OAuth2 - Gem
client = OAuth2::Client.new('client_id', 'client_secret', :site => 'https://www.youtube.com/auth')

client.auth_code.authorize_url(:redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')
# => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"

token = client.auth_code.get_token('authorization_code_value', :redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')

videos = token.get('/videos.json')
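The authorization-code redirect above only protects the user if the client can tell that the callback it receives belongs to the login it started; as an added example that is not from the slides or the oauth2 gem, here is the state handling that client side needs, written against the Ruby stdlib so it runs without the gem. The endpoint URL, session shape and helper names are assumptions.

```ruby
require 'securerandom'
require 'uri'

# Added example (not from the slides or the oauth2 gem): the client side of the
# authorization-code flow with a per-login `state` value.
module AuthCodeFlow
  # Unguessable per-login value; store it in the user's session before redirecting.
  def self.new_state
    SecureRandom.urlsafe_base64(32)
  end

  # Builds the authorization URL the user is redirected to (same parameters the
  # gem's authorize_url produces, plus state). Endpoint is a hypothetical value.
  def self.authorize_url(authorize_endpoint, client_id, redirect_uri, state, scope = nil)
    query = { 'response_type' => 'code', 'client_id' => client_id,
              'redirect_uri' => redirect_uri, 'state' => state }
    query['scope'] = scope if scope
    uri = URI(authorize_endpoint)
    uri.query = URI.encode_www_form(query)
    uri.to_s
  end

  # Checks the callback request against the state saved in the session.
  # Returns the authorization code, or nil when the callback must be rejected:
  # no stored state, missing or mismatched state (a code from someone else's
  # login being bound to this session), an error response, or no code at all.
  # The stored state is consumed on first use, so a callback cannot be replayed.
  def self.callback_code(callback_url, session)
    params = URI.decode_www_form(URI(callback_url).query.to_s).to_h
    expected = session.delete(:oauth_state)
    return nil if expected.nil? || params['state'].nil?
    return nil unless constant_time_equal?(params['state'], expected)
    return nil if params.key?('error')
    params['code']
  end

  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}                                   # stand-in for the Rails session
  session[:oauth_state] = AuthCodeFlow.new_state
  puts AuthCodeFlow.authorize_url('https://example.org/oauth/authorization', 'client_id',
                                  'http://www.dvdtrololol.com/oauth2/callback',
                                  session[:oauth_state])
end
```

The redirect_uri passed to get_token must be byte-for-byte the one used in authorize_url; the authorization server is expected to refuse the exchange otherwise.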
OAuth2 - Faraday middleware
module Faraday
  class Request::OAuth2 < Faraday::Middleware
    def call(env)
      env[:request_headers]['Authorization'] = "Bearer #{@access_token.token}"

      @app.call(env)
    end

    def initialize(app, access_token)
      @app, @access_token = app, access_token
    end
  end
end
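A hardened variant of that middleware, as an added example that is not the slides' code: it keeps the same call(env) shape but does not inherit from Faraday, so it runs stand-alone, and it refuses to attach the bearer token unless the request goes over HTTPS, which is the condition "clients don't need cryptography anymore" actually rests on. The token object and the echo app are constructed stand-ins.

```ruby
require 'uri'

# Added example (not from the slides): a bearer-token request middleware that
# only ever sends the token over TLS. A bearer token on plain HTTP is usable by
# anyone who can read the wire, so the safe failure is to not send it at all.
class BearerOverTlsOnly
  class InsecureTransport < StandardError; end

  def initialize(app, access_token)
    @app = app
    @access_token = access_token
  end

  # env[:url] is a URI (as in Faraday's env); env[:request_headers] is a Hash.
  def call(env)
    url = env[:url].is_a?(URI::Generic) ? env[:url] : URI(env[:url].to_s)
    unless url.scheme == 'https'
      raise InsecureTransport, "refusing to send bearer token over #{url.scheme} to #{url.host}"
    end
    env[:request_headers] ||= {}
    env[:request_headers]['Authorization'] = "Bearer #{@access_token.token}"
    @app.call(env)
  end
end

# Constructed stand-in for the gem's access token object (only #token is used).
FakeToken = Struct.new(:token)

# Hypothetical terminal "app": returns the headers it would have sent.
ECHO_APP = ->(env) { env[:request_headers] }

def headers_sent_to(url)
  BearerOverTlsOnly.new(ECHO_APP, FakeToken.new('ACCESS_TOKEN'))
                   .call(url: URI(url), request_headers: {})
end

if __FILE__ == $PROGRAM_NAME
  p headers_sent_to('https://gdata.youtube.com/feeds/api/users/default/uploads')
  begin
    headers_sent_to('http://gdata.youtube.com/feeds/api/users/default/uploads')
  rescue BearerOverTlsOnly::InsecureTransport => e
    puts e.message
  end
end
```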
Omniauth love <3
 • Rack standardized multi-provider authentication
 • Very flexible
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer unless Rails.env.production?
  provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
end
Omniauth - Authentication Lifecycle

• Setup phase
• Request phase
• Callback phase
Omniauth basic strategy
module OmniAuth
  module Strategies
    class Developer
      include OmniAuth::Strategy

      option :fields, [:name, :email]
      option :uid_field, :email
    end
  end
end
Omniauth base OAuth strategies

• omniauth-oauth
• omniauth-oauth2
Write a custom OAuth2 strategy
Dailymotion?
Omniauth default stack

• omniauth-oauth2
• multi-json
• multi-xml
• faraday
Omniauth custom OAuth2 strategy

require 'omniauth/strategies/oauth2'

module OmniAuth
  module Strategies
    class Dailymotion < OmniAuth::Strategies::OAuth2
      DEFAULT_SCOPE = 'email userinfo'

      option :name, "dailymotion"

      option :client_options, {
        :site => 'https://api.dailymotion.com',
        :authorize_url => '/oauth/authorize',
        :token_url => '/oauth/token'
      }

      # Give more info for free!
      uid { raw_info['id'] }

      info do
        prune!({
          'screenname' => raw_info['screenname'],
          'url' => raw_info['url'],
          'email' => raw_info['email'],
          'fullname' => raw_info['fullname'],
          'description' => raw_info['description'],
          'gender' => raw_info['gender']
        })
      end

      # Fetched once per callback with the freshly obtained access token.
      def raw_info
        @raw_info ||= access_token.get('/me', :params => {
          :fields => %w(id url email fullname description gender).join(',')
        }).parsed
      end
    end
  end
end
Omniauth in Rails
Link an account only (no authentication)

= link_to "Link to Dailymotion", "/auth/dailymotion"

# Rails 4+ requires `via:` on `match`.
match '/auth/:provider/callback', to: 'profiles#link_provider', via: [:get, :post]

class ProfilesController < AuthenticatedController
  def show
  end

  def link_provider
    current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)

    redirect_to profile_path, notice: "Successfully linked to provider"
  end

  protected

  # Set by the OmniAuth middleware during the callback phase.
  def auth_hash
    request.env['omniauth.auth']
  end
end

class User
  # ...
  # `provider` comes from the URL, so the respond_to? guard is what limits the
  # writable attributes to the "<provider>_<key>=" setters this model defines.
  def update_attributes_for_provider(provider, credentials)
    credentials.each do |key, val|
      send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
    end

    save
  end
end
Omniauth in Rails - Authentication with Devise
class Users::OmniauthCallbacksController < ApplicationController
  def create
    @user = User.find_or_create_for_provider(params[:provider], auth_hash)
    sign_in_and_redirect(@user, :event => :authentication)
  end
end
Thank you!

Follow me: twitter.com/slainer68
More Related Content

What's hot

REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuthVivastream
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 

What's hot (18)

REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017What the Heck is OAuth and Open ID Connect? - UberConf 2017
What the Heck is OAuth and Open ID Connect? - UberConf 2017
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 

Viewers also liked

Découplez votre appli en micro-APIs
Découplez votre appli en micro-APIsDécouplez votre appli en micro-APIs
Découplez votre appli en micro-APIsNicolas Blanco
 
Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02Revath S Kumar
 
Backbone identity map
Backbone identity mapBackbone identity map
Backbone identity mapBen Teese
 
Breaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynoteBreaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynoteChristian Heilmann
 
Rich Object Models & Angular.js
Rich Object Models & Angular.jsRich Object Models & Angular.js
Rich Object Models & Angular.jsBen Teese
 
An app on the shoulders of giants
An app on the shoulders of giantsAn app on the shoulders of giants
An app on the shoulders of giantsJeroen van Dijk
 

Viewers also liked (7)

Découplez votre appli en micro-APIs
Découplez votre appli en micro-APIsDécouplez votre appli en micro-APIs
Découplez votre appli en micro-APIs
 
Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02Prateek dayal backbonerails-110528024926-phpapp02
Prateek dayal backbonerails-110528024926-phpapp02
 
Iffy
IffyIffy
Iffy
 
Backbone identity map
Backbone identity mapBackbone identity map
Backbone identity map
 
Breaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynoteBreaking out of the endless callback look - #jsday Italy keynote
Breaking out of the endless callback look - #jsday Italy keynote
 
Rich Object Models & Angular.js
Rich Object Models & Angular.jsRich Object Models & Angular.js
Rich Object Models & Angular.js
 
An app on the shoulders of giants
An app on the shoulders of giantsAn app on the shoulders of giants
An app on the shoulders of giants
 

Similar to Some OAuth love

Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webFelix Arntz
 
O auth how_to
O auth how_toO auth how_to
O auth how_tovivaqa
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -Naoki Nagazumi
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuthMohan Krishnan
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground UpMichael Bleigh
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at WebvisionsAaron Parecki
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocationguestd5dde6
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuthLuca Mearelli
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuththariyarox
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 

Similar to Some OAuth love (20)

Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
 
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
 
Secure Webservices
Secure WebservicesSecure Webservices
Secure Webservices
 
Api security
Api security Api security
Api security
 
OmniAuth: From the Ground Up
OmniAuth: From the Ground UpOmniAuth: From the Ground Up
OmniAuth: From the Ground Up
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
OAuth 2 at Webvisions
OAuth 2 at WebvisionsOAuth 2 at Webvisions
OAuth 2 at Webvisions
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Integrating services with OAuth
Integrating services with OAuthIntegrating services with OAuth
Integrating services with OAuth
 
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 

Recently uploaded

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 

Recently uploaded (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 

Some OAuth love

  • 1. Some OAuth love <3 by Nicolas Blanco twitter.com/slainer68
  • 3. OAuth • 2006 by Blaine Cook (Twitter) • OpenID for API access • Delegation of access • IETF - final protocol in 2010
  • 4. OAuth • 3-legged authentication • Resource owner (Mme Michu) • Server / Resource provider (vimeo) • Client / Consumer (dvdtrololol.com)
  • 5. OAuth - Resource provider YOU !
  • 7. OAuth - workflow Temporary credentials trolololdvd.com vimeo Redirection Authorization page
  • 9. OAuth - Workflow Authorized request token Access token Access token
  • 10. OAuth - Signature • Must sign all requests • Base string • Consumer key • Consumer secret • The signature
  • 11. OAuth - Base string The HTTP Method is GET The URL is http://vimeo.com/api/rest/v2/ The method is vimeo.people.getInfo There is only one API parameter for vimeo.people.getInfo: user_id is brad The oauth_consumer_key is abcdef0123456 The oauth_nonce is r4nd0m1234 The oauth_timestamp is 1328533189 The oauth_signature_method is HMAC The oauth_version is 1.0 GET&http%3A%2F%2Fvimeo.com%2Fapi%2Frest%2Fv2%2F&method%3D vimeo.people.getInfo%26oauth_consumer_key%3Dabcdef0123456%26oauth_nonce %3Dr4nd0m1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp %3D1328533189%26oauth_version%3D1.0%26user_id%3Dbrad
  • 12. OAuth - Ruby
    • At least some Ruby!
    • ruby gem install oauth

    require 'oauth'

    @callback_url = "http://www.dvdtrololol.com/oauth/callback"

    @consumer = OAuth::Consumer.new("key", "secret", :site => "https://vimeo.com/auth")

    # Step 1: fetch temporary credentials and send the user to the authorization page
    @request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
    session[:request_token] = @request_token
    redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)

    # Step 2 (in the callback action): exchange the authorized request token for an
    # access token; OAuth 1.0a requires the oauth_verifier returned with the callback
    @access_token = @request_token.get_access_token(:oauth_verifier => params[:oauth_verifier])
    @videos = @access_token.get('/videos.json')
  • 13. OAuth - signature
    • Here comes Faraday! Middleware like Rack
    • https://github.com/technoweenie/faraday

    builder.use Faraday::Request::OAuth, {
      :consumer_key    => @consumer_key,
      :consumer_secret => @consumer_secret,
      :token           => @atoken,
      :token_secret    => @asecret
    }
  • 14. OAuth - Faraday middleware
  • 15. OAuth2
    • The next evolution: OAuth2
    • Not backward-compatible
    • IETF Draft
    • Use it now!!!
    • Facebook OpenGraph - Google - Microsoft
  • 16. Why <3 OAuth2
    • Clients don't need cryptography anymore (HTTPS)
    • Less complicated signatures
    • Better support for non-browser apps
    • Access tokens are short-lived
    • Clean separation between auth server and request server
  • 17. OAuth 2 - Debug with Curl!
    curl -H "Authorization: Bearer ACCESS_TOKEN" https://gdata.youtube.com/feeds/api/users/default/uploads
  • 18. OAuth2 - Gem
    require 'oauth2'

    client = OAuth2::Client.new('client_id', 'client_secret', :site => 'https://www.youtube.com/auth')

    # Step 1: send the user to the authorization endpoint
    client.auth_code.authorize_url(:redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')
    # => "https://example.org/oauth/authorization?response_type=code&client_id=client_id&redirect_uri=http://localhost:8080/oauth2/callback"

    # Step 2 (in the callback): exchange the authorization code for an access token
    token = client.auth_code.get_token('authorization_code_value', :redirect_uri => 'http://www.dvdtrololol.com/oauth2/callback')
    videos = token.get('/videos.json')
  • 19. OAuth2 - Faraday middleware
    module Faraday
      class Request::OAuth2 < Faraday::Middleware
        def initialize(app, access_token)
          @app, @access_token = app, access_token
        end

        # Add the bearer token to every outgoing request, then hand off to the next middleware
        def call(env)
          env[:request_headers]['Authorization'] = "Bearer #{@access_token.token}"
          @app.call(env)
        end
      end
    end
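Slide 16's "clients don't need cryptography anymore (HTTPS)" has a flip side that slide 19's middleware does not enforce: a bearer token is a plaintext credential, and anything that sees the request can reuse it, so the TLS channel is its only protection. The following is an added example, not the slides' code and not part of the Faraday project: a middleware with the same `initialize(app, token)` / `call(env)` shape as slide 19 that refuses to attach the token over plain HTTP. The class and helper names, and the fake downstream app used to exercise it offline, are hypothetical.

```ruby
require 'uri'

# Added example, not code from the slides or from the Faraday project: a
# Faraday-style request middleware that attaches the bearer token only over
# HTTPS. Class and method names are hypothetical.
class BearerTokenMiddleware
  class InsecureTransport < StandardError; end

  # allow_insecure_hosts lets a developer exempt e.g. ['localhost'] for a local
  # mock server; the default empty list means HTTPS everywhere.
  def initialize(app, access_token, allow_insecure_hosts: [])
    @app = app
    @access_token = access_token
    @allow_insecure_hosts = allow_insecure_hosts
  end

  # Same env contract as slide 19: env[:url] and env[:request_headers].
  def call(env)
    url = URI(env[:url].to_s)
    unless url.scheme == 'https' || @allow_insecure_hosts.include?(url.host)
      raise InsecureTransport, "refusing to send a bearer token over #{url.scheme} to #{url.host}"
    end
    env[:request_headers] ||= {}
    env[:request_headers]['Authorization'] = "Bearer #{@access_token}"
    @app.call(env)
  end
end

# Stand-in for the rest of the chain (in Faraday, the adapter that performs the
# HTTP request); it only records the env it was handed. Constructed for the example.
class RecordingApp
  attr_reader :last_env

  def call(env)
    @last_env = env
    { status: 200, body: '' }
  end
end

# Push one request through the middleware and return the Authorization header
# the downstream app saw; raises InsecureTransport if the request was refused.
def authorization_header_sent(url, token, allow_insecure_hosts: [])
  app = RecordingApp.new
  mw  = BearerTokenMiddleware.new(app, token, allow_insecure_hosts: allow_insecure_hosts)
  mw.call(url: url, request_headers: {})
  app.last_env[:request_headers]['Authorization']
end

if $PROGRAM_NAME == __FILE__
  puts authorization_header_sent('https://api.example.com/videos.json', 'example-token')
end
```

The same check belongs in any client that stores the token: the oauth2 gem's `token.get(...)` is only as safe as the `:site` it was configured with, so a `:site` that starts with `http://` silently downgrades the whole exchange.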
  • 20. Omniauth love <3
    • Rack standardized multi-provider authentication
    • Very flexible

    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :developer unless Rails.env.production?
      provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']
    end
  • 21. Omniauth - Authentication Lifecycle
    • Setup phase
    • Request phase
    • Callback phase
  • 22. Omniauth basic strategy
    module OmniAuth
      module Strategies
        class Developer
          include OmniAuth::Strategy
          option :fields, [:name, :email]
          option :uid_field, :email
        end
      end
    end
  • 23. Omniauth base OAuth strategies
    • omniauth-oauth
    • omniauth-oauth2
  • 24. Write a custom OAuth2 strategy Dailymotion ?
  • 25. Omniauth default stack
    • omniauth-oauth2
    • multi-json
    • multi-xml
    • faraday
  • 26. Omniauth custom OAuth2 strategy
    require 'omniauth/strategies/oauth2'

    module OmniAuth
      module Strategies
        class Dailymotion < OmniAuth::Strategies::OAuth2
          DEFAULT_SCOPE = 'email userinfo'

          option :name, "dailymotion"

          option :client_options, {
            :site          => 'https://api.dailymotion.com',
            :authorize_url => '/oauth/authorize',
            :token_url     => '/oauth/token'
          }
          # ...
  • 27. Omniauth custom OAuth2 strategy
    Give more info for free!

          uid { raw_info['id'] }

          info do
            prune!({
              'screenname'  => raw_info['screenname'],
              'url'         => raw_info['url'],
              'email'       => raw_info['email'],
              'fullname'    => raw_info['fullname'],
              'description' => raw_info['description'],
              'gender'      => raw_info['gender']
            })
          end

          # Fetch the profile once per request and memoize it
          def raw_info
            @raw_info ||= access_token.get('/me', :params => { :fields => %w(id url email fullname description gender).join(",") }).parsed
          end
  • 28. Omniauth in Rails
    Only link an account (no authentication)

    = link_to "Link to Dailymotion", "/auth/dailymotion"

    match '/auth/:provider/callback', to: 'profiles#link_provider'
  • 29.
    class ProfilesController < AuthenticatedController
      def show
      end

      def link_provider
        current_user.update_attributes_for_provider(params[:provider], auth_hash.credentials)
        redirect_to profile_path, notice: "Successfully linked to provider"
      end

      protected

      # OmniAuth puts the normalized auth hash in the Rack env after the callback phase
      def auth_hash
        request.env['omniauth.auth']
      end
    end

    class User
      # ...
      # Copy provider credentials (token, secret, ...) into the matching
      # "<provider>_<key>" attributes, ignoring keys without a setter
      def update_attributes_for_provider(provider, credentials)
        credentials.each do |key, val|
          send("#{provider}_#{key}=", val) if respond_to?("#{provider}_#{key}=")
        end
        save
      end
    end
  • 30. Omniauth in Rails - Authentication with Devise
    class Users::OmniauthCallbacksController < ApplicationController
      def create
        @user = User.find_or_create_for_provider(params[:provider], auth_hash)
        sign_in_and_redirect(@user, :event => :authentication)
      end

      protected

      def auth_hash
        request.env['omniauth.auth']
      end
    end
  • 31. Thank you! Follow me: twitter.com/slainer68