ºÝºÝߣ

ºÝºÝߣShare a Scribd company logo

OAuth and OEmbed

L
leahculver

OAuth is an open standard for authentication that allows users to log into third party applications using their existing credentials from another service, without having to expose their password. OEmbed is a format for converting URLs into embeddable rich content like photos or videos. It allows websites to display content from other sites without having to manually embed HTML or write custom code. Both standards aim to simplify authentication and content embedding while keeping users' data and identities secure.

1 of 50
Leah Culver Six Apart
OAuth and OEmbed Dec 2009
? Pownce ? Six Apart ? OAuth co-author ? OAuth Python library ? OEmbed co-author
A simple open standard for secure API authentication. http://oauth.net
The (API) Love Triangle End User Web Service 3rd Party App ¡°Service Provider¡± ¡°Consumer Application¡±
Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
Just like... ? Flickr Auth ? Google¡¯s AuthSub ? Yahoo¡¯s BBAuth ? Facebook Auth ? and others...
Who is involved?
Who is involved?
Goals Be Simple ? standard for website API authentication ? consistent for developers ? easy for end users to understand * * this is hard
Goals Be Secure ? secure for end users ? easy to implement security features ? 3rd party developers don¡¯t have access to passwords ? balance security with ease of use
Goals Be Open ? any website can implement OAuth ? any 3rd party developer can use OAuth ? open source client libraries ? community-designed technical specifications
Goals Be Flexible ? authentication method agnostic ? don¡¯t need a username and password ? can use OpenID ? 3rd party developers don¡¯t handle auth
OAuth Setup
OAuth Setup ? Service provider gives documentation of endpoint URLs and signature method ? Consumer registers an application with the service provider and gets a consumer key/secret
OAuth Setup
OAuth Setup
OAuth Flow
1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
2. User authorizes request token
3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
Where is this information passed? ? HTTP Authorization header ? HTTP POST request body (form parameters) ? URL query string parameters
Timestamp and nonce oauth_timestamp ? seconds since Unix epoch ? must be greater than last request oauth_nonce ? ¡°number used once¡± ? ensure unique requests
Signature methods oauth_signature_method ? HMAC-SHA1 ? RSA-SHA1 ? PLAINTEXT oauth_signature ? string constructed based on signature method
HTTP Errors 400 Bad Request ? unsupported parameter ? unsupported signature method ? missing required parameter ? duplicate OAuth parameter 401 Unauthorized ? invalid consumer key ? invalid / expired token ? invalid signature (signature does not match) ? invalid / used nonce
Security considerations ? PLAINTEXT needs to be encrypted ? Secrecy of consumer secret (desktop consumers) ? Phishing attacks ? Repeat authorizations ? and more...
Session fixation attack Attacker gets victim to authorize attacker¡¯s request token. April 2009 http://oauth.net/advisories/2009-1
1.0a ? Consumer must specify oauth_callback during the request token phase ? Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ? oauth_verifier used when exchanging request token for access token
Current status ? 1.0 final (Dec 2007) ? 1.0a (24 June 2009) ? IETF draft phase ? 2.0 coming soon! ? Lots of client libraries
Questions?
OEmbed API format for converting a URL into an embed code. http://oembed.com
Who is involved?
Goals ? Embed content from any site ? Standard API for embeds ? Support many photo/video providers
Embed types ? photo ? video ? rich ? link (can be used if content is not embeddable)
Request params ? URL ? format (XML, JSON) ? maxwidth ? maxheight
Response params ? type (photo, video, rich or link)
Response params photo ? url (img src) ? width ? height video / rich ? html (embed) ? width ? height
Response params ? version (always 1.0) ? author_name ? author_url ? provider_name ? provider_url ? cache_age ? thumbnail_url, thumbnail_width, thumbnail height
plus any addional parameters...
YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value=/slideshow/o-auth-oembednyc09/3289610/"http:/www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src=/slideshow/o-auth-oembednyc09/3289610/"http:/www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
OAuth and OEmbed
Discovery ? white-lists ? HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
Proposed discovery ? HTTP HEAD requests ? URL templates e.g. url.to.resource.json
Issues ? trust (white-lists and iFrames) ? discovery ? multiple requests (for discovery) ? REST-based as opposed to inline semantic markup
Current status ? Supported by lots of providers! ? Not as many consumers ? Need an embed code from a URL?
Questions?

Recommended

Instabilidade do Canto P¨®sterolateral do joelhoInstabilidade do Canto P¨®sterolateral do joelho
Instabilidade do Canto P¨®sterolateral do joelho
David Sadigursky
?
Atualiza??o em les?es da cartilagem do joelhoAtualiza??o em les?es da cartilagem do joelho
Atualiza??o em les?es da cartilagem do joelho
David Sadigursky
?
Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPIPure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign Breakfast Presentations - Drupal FieldAPI
Pure Sign
?
§²§Ö§Ü§à§Þ§Ö§ß§Õ§Ñ§ä§Ö§Ý§î§ß§í§Û §Ñ§ß§ß§à§ä§Ú§â§à§Ó§Ñ§ß§ß§í§Û §Ò§Ú§Ò§Ý§Ú§à§Ô§â§Ñ§æ§Ú§é§Ö§ã§Ü§Ú§Û §å§Ü§Ñ§Ù§Ñ§ä§Ö§Ý§î. §á§ã§Ú§ç§à§Ý§à§Ô§Ú§é§Ö§ã§Ü§Ñ§ñ ...
§²§Ö§Ü§à§Þ§Ö§ß§Õ§Ñ§ä§Ö§Ý§î§ß§í§Û §Ñ§ß§ß§à§ä§Ú§â§à§Ó§Ñ§ß§ß§í§Û §Ò§Ú§Ò§Ý§Ú§à§Ô§â§Ñ§æ§Ú§é§Ö§ã§Ü§Ú§Û §å§Ü§Ñ§Ù§Ñ§ä§Ö§Ý§î. §á§ã§Ú§ç§à§Ý§à§Ô§Ú§é§Ö§ã§Ü§Ñ§ñ ...§²§Ö§Ü§à§Þ§Ö§ß§Õ§Ñ§ä§Ö§Ý§î§ß§í§Û §Ñ§ß§ß§à§ä§Ú§â§à§Ó§Ñ§ß§ß§í§Û §Ò§Ú§Ò§Ý§Ú§à§Ô§â§Ñ§æ§Ú§é§Ö§ã§Ü§Ú§Û §å§Ü§Ñ§Ù§Ñ§ä§Ö§Ý§î. §á§ã§Ú§ç§à§Ý§à§Ô§Ú§é§Ö§ã§Ü§Ñ§ñ ...
§²§Ö§Ü§à§Þ§Ö§ß§Õ§Ñ§ä§Ö§Ý§î§ß§í§Û §Ñ§ß§ß§à§ä§Ú§â§à§Ó§Ñ§ß§ß§í§Û §Ò§Ú§Ò§Ý§Ú§à§Ô§â§Ñ§æ§Ú§é§Ö§ã§Ü§Ú§Û §å§Ü§Ñ§Ù§Ñ§ä§Ö§Ý§î. §á§ã§Ú§ç§à§Ý§à§Ô§Ú§é§Ö§ã§Ü§Ñ§ñ ...
ZabGU
?
Distribuciones drupal
Distribuciones drupalDistribuciones drupal
Distribuciones drupal
Pedro Cambra
?
oEmbed in Drupal
oEmbed in DrupaloEmbed in Drupal
oEmbed in Drupal
Pure Sign
?
Handling the media
Handling the mediaHandling the media
Handling the media
Tallat Satti
?
Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)Media handling in Drupal (Drupalcamp Leuven 2013)
Media handling in Drupal (Drupalcamp Leuven 2013)
Pure Sign
?
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
?
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
?
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
thariyarox
?
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
fossmy
?
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
Mohan Krishnan
?
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdfKeeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Sirris
?
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
?
Api security
Api security Api security
Api security
teodorcotruta
?
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
?
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
?
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Channa Ly
?
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
NETUserGroupBern
?
Single Page Applications - Where Security Goes to Die
Single Page Applications - Where Security Goes to DieSingle Page Applications - Where Security Goes to Die
Single Page Applications - Where Security Goes to Die
Curity
?
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
?
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
?lvaro Alonso Gonz¨¢lez
?
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
FIWARE
?
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
?
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
Jeff Fontas
?
OAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 ¨C A standard is coming of age by Uwe FriedrichsenOAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
Codemotion
?
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
?
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOTSMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
TanmaiArni
?
Deno ...................................
Deno ...................................Deno ...................................
Deno ...................................
Robert MacLean
?

More Related Content

Similar to OAuth and OEmbed (20)

Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
?
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
?
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
thariyarox
?
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
fossmy
?
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
Mohan Krishnan
?
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdfKeeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Sirris
?
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
?
Api security
Api security Api security
Api security
teodorcotruta
?
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
?
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
?
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Channa Ly
?
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
NETUserGroupBern
?
Single Page Applications - Where Security Goes to Die
Single Page Applications - Where Security Goes to DieSingle Page Applications - Where Security Goes to Die
Single Page Applications - Where Security Goes to Die
Curity
?
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
?
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
?lvaro Alonso Gonz¨¢lez
?
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
FIWARE
?
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
?
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
Jeff Fontas
?
OAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 ¨C A standard is coming of age by Uwe FriedrichsenOAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
Codemotion
?
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
?
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
?
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
?
Api security with OAuth
Api security with OAuthApi security with OAuth
Api security with OAuth
thariyarox
?
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
fossmy
?
Securing your Web API with OAuth
Securing your Web API with OAuthSecuring your Web API with OAuth
Securing your Web API with OAuth
Mohan Krishnan
?
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdfKeeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Keeping Pace with OAuth¡¯s Evolving Security Practices.pdf
Sirris
?
Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
?
Api security
Api security Api security
Api security
teodorcotruta
?
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
?
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
?
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Channa Ly
?
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
NETUserGroupBern
?
Single Page Applications - Where Security Goes to Die
Single Page Applications - Where Security Goes to DieSingle Page Applications - Where Security Goes to Die
Single Page Applications - Where Security Goes to Die
Curity
?
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
?
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
?lvaro Alonso Gonz¨¢lez
?
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
FIWARE
?
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
?
OAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native AppsOAuth2 Best Practices in Native Apps
OAuth2 Best Practices in Native Apps
Jeff Fontas
?
OAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 ¨C A standard is coming of age by Uwe FriedrichsenOAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 ¨C A standard is coming of age by Uwe Friedrichsen
Codemotion
?
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
¥¢¥×¥êé_°k¤ÇÖª¤Ã¤Æ¤ª¤­¤¿¤¤ÕJÔ^¼¼Ðg - OAuth 1.0 + OAuth 2.0 + OpenID Connect -
Naoki Nagazumi
?

Recently uploaded (20)

SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOTSMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
TanmaiArni
?
Deno ...................................
Deno ...................................Deno ...................................
Deno ...................................
Robert MacLean
?
UiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and OpportunitiesUiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and Opportunities
DianaGray10
?
Technology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptxTechnology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptx
kaylagaze
?
Field Device Management Market Report 2030 - TechSci Research
Field Device Management Market Report 2030 - TechSci ResearchField Device Management Market Report 2030 - TechSci Research
Field Device Management Market Report 2030 - TechSci Research
Vipin Mishra
?
Cloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in AviationCloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in Aviation
Assem mousa
?
Unlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & KeylockUnlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & Keylock
HusseinMalikMammadli
?
1.1. Evolution-and-Scope-of-Business-Analytics.pptx
1.1. Evolution-and-Scope-of-Business-Analytics.pptx1.1. Evolution-and-Scope-of-Business-Analytics.pptx
1.1. Evolution-and-Scope-of-Business-Analytics.pptx
Jitendra Tomar
?
Q4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor PresentationQ4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor Presentation
Dropbox
?
How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...
How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...
How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...
ScyllaDB
?
Computational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the WorldComputational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the World
HusseinMalikMammadli
?
Fl studio crack version 12.9 Free Download
Fl studio crack version 12.9 Free DownloadFl studio crack version 12.9 Free Download
Fl studio crack version 12.9 Free Download
kherorpacca127
?
Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)
nick896721
?
FinTech - US Annual Funding Report - 2024.pptx
FinTech - US Annual Funding Report - 2024.pptxFinTech - US Annual Funding Report - 2024.pptx
FinTech - US Annual Funding Report - 2024.pptx
Tracxn
?
Brave Browser Crack 1.45.133 Activated 2025
Brave Browser Crack 1.45.133 Activated 2025Brave Browser Crack 1.45.133 Activated 2025
Brave Browser Crack 1.45.133 Activated 2025
kherorpacca00126
?
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Precisely
?
World Information Architecture Day 2025 - UX at a Crossroads
World Information Architecture Day 2025 - UX at a CrossroadsWorld Information Architecture Day 2025 - UX at a Crossroads
World Information Architecture Day 2025 - UX at a Crossroads
Joshua Randall
?
Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]
Jonathan Bowen
?
DealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures CapitalDealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures Capital
Yevgen Sysoyev
?
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIATHE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
Srivaanchi Nathan
?
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOTSMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
SMART SENTRY CYBER THREAT INTELLIGENCE IN IIOT
TanmaiArni
?
Deno ...................................
Deno ...................................Deno ...................................
Deno ...................................
Robert MacLean
?
UiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and OpportunitiesUiPath Agentic Automation Capabilities and Opportunities
UiPath Agentic Automation Capabilities and Opportunities
DianaGray10
?
Technology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptxTechnology use over time and its impact on consumers and businesses.pptx
Technology use over time and its impact on consumers and businesses.pptx
kaylagaze
?
Field Device Management Market Report 2030 - TechSci Research
Field Device Management Market Report 2030 - TechSci ResearchField Device Management Market Report 2030 - TechSci Research
Field Device Management Market Report 2030 - TechSci Research
Vipin Mishra
?
Cloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in AviationCloud of everything Tech of the 21 century in Aviation
Cloud of everything Tech of the 21 century in Aviation
Assem mousa
?
Unlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & KeylockUnlocking DevOps Secuirty :Vault & Keylock
Unlocking DevOps Secuirty :Vault & Keylock
HusseinMalikMammadli
?
1.1. Evolution-and-Scope-of-Business-Analytics.pptx
1.1. Evolution-and-Scope-of-Business-Analytics.pptx1.1. Evolution-and-Scope-of-Business-Analytics.pptx
1.1. Evolution-and-Scope-of-Business-Analytics.pptx
Jitendra Tomar
?
Q4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor PresentationQ4 2024 Earnings and Investor Presentation
Q4 2024 Earnings and Investor Presentation
Dropbox
?
How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...
How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...
How Discord Indexes Trillions of Messages: Scaling Search Infrastructure by V...
ScyllaDB
?
Computational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the WorldComputational Photography: How Technology is Changing Way We Capture the World
Computational Photography: How Technology is Changing Way We Capture the World
HusseinMalikMammadli
?
Fl studio crack version 12.9 Free Download
Fl studio crack version 12.9 Free DownloadFl studio crack version 12.9 Free Download
Fl studio crack version 12.9 Free Download
kherorpacca127
?
Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)Early Adopter's Guide to AI Moderation (Preview)
Early Adopter's Guide to AI Moderation (Preview)
nick896721
?
FinTech - US Annual Funding Report - 2024.pptx
FinTech - US Annual Funding Report - 2024.pptxFinTech - US Annual Funding Report - 2024.pptx
FinTech - US Annual Funding Report - 2024.pptx
Tracxn
?
Brave Browser Crack 1.45.133 Activated 2025
Brave Browser Crack 1.45.133 Activated 2025Brave Browser Crack 1.45.133 Activated 2025
Brave Browser Crack 1.45.133 Activated 2025
kherorpacca00126
?
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Stronger Together: Combining Data Quality and Governance for Confident AI & A...
Precisely
?
World Information Architecture Day 2025 - UX at a Crossroads
World Information Architecture Day 2025 - UX at a CrossroadsWorld Information Architecture Day 2025 - UX at a Crossroads
World Information Architecture Day 2025 - UX at a Crossroads
Joshua Randall
?
Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]
Formal Methods: Whence and Whither? [Martin Fr?nzle Festkolloquium, 2025]
Jonathan Bowen
?
DealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures CapitalDealBook of Ukraine: 2025 edition | AVentures Capital
DealBook of Ukraine: 2025 edition | AVentures Capital
Yevgen Sysoyev
?
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIATHE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
THE BIG TEN BIOPHARMACEUTICAL MNCs: GLOBAL CAPABILITY CENTERS IN INDIA
Srivaanchi Nathan
?

OAuth and OEmbed

  • 2. OAuth and OEmbed Dec 2009
  • 3. ? Pownce ? Six Apart ? OAuth co-author ? OAuth Python library ? OEmbed co-author
  • 4. A simple open standard for secure API authentication. http://oauth.net
  • 5. The (API) Love Triangle End User Web Service 3rd Party App ¡°Service Provider¡± ¡°Consumer Application¡±
  • 6. Specifically OAuth is... Authentication Need to log in to access parts of a website ex: post a message, add a friend, view private data Token-based Authentication Logged-in user has a unique token used to access data from the site
  • 7. Just like... ? Flickr Auth ? Google¡¯s AuthSub ? Yahoo¡¯s BBAuth ? Facebook Auth ? and others...
  • 10. Goals Be Simple ? standard for website API authentication ? consistent for developers ? easy for end users to understand * * this is hard
  • 11. Goals Be Secure ? secure for end users ? easy to implement security features ? 3rd party developers don¡¯t have access to passwords ? balance security with ease of use
  • 12. Goals Be Open ? any website can implement OAuth ? any 3rd party developer can use OAuth ? open source client libraries ? community-designed technical specifications
  • 13. Goals Be Flexible ? authentication method agnostic ? don¡¯t need a username and password ? can use OpenID ? 3rd party developers don¡¯t handle auth
  • 15. OAuth Setup ? Service provider gives documentation of endpoint URLs and signature method ? Consumer registers an application with the service provider and gets a consumer key/secret
  • 19. 1. Obtain request token Request Response oauth_consumer_key oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_callback oauth_timestamp _confirmed oauth_nonce oauth_version (optional) oauth_callback
  • 20. 2. User authorizes request token Request Response oauth_token (optional) oauth_token oauth_verifier
  • 21. 2. User authorizes request token
  • 22. 3. Exchange request token for access token Request oauth_consumer_key Response oauth_token oauth_token oauth_signature_method oauth_token_secret oauth_signature oauth_timestamp oauth_nonce oauth_version (optional) oauth_callback oauth_verifier
  • 23. 4. Use access token to obtain protected resources Request Response oauth_consumer_key ... protected resources oauth_token oauth_signature_method oauth_signature oauth_timestamp oauth_nonce oauth_version (optional)
  • 24. Basic Authorization Process 1. Obtain request token 2. User authorizes request token 3. Exchange request token for access token 4. Use access token to obtain protected resources
  • 25. Where is this information passed? ? HTTP Authorization header ? HTTP POST request body (form parameters) ? URL query string parameters
  • 26. Timestamp and nonce oauth_timestamp ? seconds since Unix epoch ? must be greater than last request oauth_nonce ? ¡°number used once¡± ? ensure unique requests
  • 27. Signature methods oauth_signature_method ? HMAC-SHA1 ? RSA-SHA1 ? PLAINTEXT oauth_signature ? string constructed based on signature method
  • 28. HTTP Errors 400 Bad Request ? unsupported parameter ? unsupported signature method ? missing required parameter ? duplicate OAuth parameter 401 Unauthorized ? invalid consumer key ? invalid / expired token ? invalid signature (signature does not match) ? invalid / used nonce
  • 29. Security considerations ? PLAINTEXT needs to be encrypted ? Secrecy of consumer secret (desktop consumers) ? Phishing attacks ? Repeat authorizations ? and more...
  • 30. Session fixation attack Attacker gets victim to authorize attacker¡¯s request token. April 2009 http://oauth.net/advisories/2009-1
  • 31. 1.0a ? Consumer must specify oauth_callback during the request token phase ? Service provider returns oauth_callback_confirmed with request token and oauth_verifier after user verification ? oauth_verifier used when exchanging request token for access token
  • 32. Current status ? 1.0 final (Dec 2007) ? 1.0a (24 June 2009) ? IETF draft phase ? 2.0 coming soon! ? Lots of client libraries
  • 34. OEmbed API format for converting a URL into an embed code. http://oembed.com
  • 36. Goals ? Embed content from any site ? Standard API for embeds ? Support many photo/video providers
  • 37. Embed types ? photo ? video ? rich ? link (can be used if content is not embeddable)
  • 38. Request params ? URL ? format (XML, JSON) ? maxwidth ? maxheight
  • 39. Response params ? type (photo, video, rich or link)
  • 40. Response params photo ? url (img src) ? width ? height video / rich ? html (embed) ? width ? height
  • 41. Response params ? version (always 1.0) ? author_name ? author_url ? provider_name ? provider_url ? cache_age ? thumbnail_url, thumbnail_width, thumbnail height
  • 42. plus any addional parameters...
  • 43. YouTube Request http://www.youtube.com/oembed?url=http %3A//youtube.com/watch%3Fv %3DM3r2XDceM6A&format=json
  • 44. Response { "version": "1.0", "type": "video", "provider_name": "YouTube", "provider_url": "http://youtube.com/", "width": 425, "height": 344, "title": "Amazing Nintendo Facts", "author_name": "ZackScott", "author_url": "http://www.youtube.com/user/ZackScott", "html": "<object width="425" height="344"> <param name="movie" value=/slideshow/o-auth-oembednyc09/3289610/"http:/www.youtube.com/v/M3r2XDceM6A&fs=1"></pa <param name="allowFullScreen" value="true"></param> <param name="allowscriptaccess" value="always"></param> <embed src=/slideshow/o-auth-oembednyc09/3289610/"http:/www.youtube.com/v/M3r2XDceM6A&fs=1" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="always" allowfullscreen="true"></embed> </object>", }
  • 46. Discovery ? white-lists ? HTML head item <link rel="alternate" type="text/xml+oembed" href="http://www.youtube.com/oembed? url=http%3A//www.youtube.com/watch?v %3Di-5AMapzFWg&format=xml" title="Drunk Ewok Moonwalks &amp; Molests Al Roker on Today Show" />
  • 47. Proposed discovery ? HTTP HEAD requests ? URL templates e.g. url.to.resource.json
  • 48. Issues ? trust (white-lists and iFrames) ? discovery ? multiple requests (for discovery) ? REST-based as opposed to inline semantic markup
  • 49. Current status ? Supported by lots of providers! ? Not as many consumers ? Need an embed code from a URL?
AboutCopyright
? 2025 ºÝºÝߣ