Understanding OAuth

In this post we are going to discuss over  OAuth, it’s use and the workflow etc. Although it’s not easy to sum it up in just one post but i will try my best to cover it. I am using Oauth 1.0 to explain it.

What is OAuth

Oauth is an open standard for authorization. Today most of the third party application use this terminology for user authorization. 

As per Wikipedia 

“OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically supplying username and password tokens instead. Each token grants access to a specific site (e.g., a video editing site) for specific resources (e.g., just videos from a specific album) and for a defined duration (e.g., the next 2 hours). This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data.”

Before OAuth what was happening that user had to submit access credentials, username and password, to third party site so that they can access user’s data on his/her behalf. But it cause number of problems :

1) User may have used the same username/password for other services also. For example you are using same password for gmail and facebook.

2) If user have given it’s credentials to more than 1 third party applications say A and B and user is not happy with app A service and wants to unauthorize it then the user have to change the password and if user did that then access of second application would gets declined automatically. So they will have to update app B with new credentials.

3) it also provide these application unlimited access to do as they wish. They can do anything, including changing the passwords and lock users out.

So to solve such type of problems a new terminology emerged named OAuth. One more advantage of using OAuth is that you can also restrict third party to access only limited resources.

OAuth Terminology Workflow 

As explained above OAuth is mainly used by third-party to get information on user’s behalf from his account.  Let’s explain it using a diagram :

1) Front end user directly interacts with third-party or say client application. In our case it’s zoomin.com. User wants to print some of his photos which are on facebook and are not public. So to print them zoomin have to import them and to import them it needs user’s authorization. User clicks on say ‘import photos from facebook’ link.

2) Client application use it’s application key, oauth_signature and other parameters to send request at backend to facebook(Service Provider) on behalf of user.

3) In response client application managed to get temporary credetials,request_token and request_secret, from service provider.

4) Client application (zoomin) will show a page to get restricted authorization from user. When user will authorize it, client application will use these temprary credentials to get access credentials in form of access_token and access_secret from service provider. Anytime user can withdraw it’s access from client application without changing password of any application.

5) Nowonwards client application(zoomin.com) will use these access credentials to import restricted photos from service provider (facebook.com).

6) Finally user will get printed photos from zoomin.com.

 

Important stuff from development prospective

Some important parameters used in OAuth for sending any request are : 

1) oauth_consumer_key: Whenever you are going to create an application although it’s in Flickr, Facebook or in any other environment you will get consumer key in response. As the word key indicates it’s the key part of application.

2)  oauth_secret : 2nd thing you get after creating application is consumer secret or only secret. As the name indicates keep it secret. It’s mainly used to create oauth_signature parameter.

3) oauth_timestamp :  As the name indicates it’s current timestamp.  Please make sure that your application is using the right timestamp from right timezone. For example Flickr uses UTC timezone.

4) oauth_nonce : The term nonce means ‘number used once’ and is a unique and usually random string that is meant to uniquely identify each signed request. By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once. So oauth_nonce once used can’t be used again.

5) Oauth_signature : It’s send with request for verification purpose. It’s one of the crucial part of request. If it’s not generated properly then you can’t move ahead. It’s explained in detail in next section.

How to generate oauth_signature ?

It depends on which signature method you are going to use. Following three signature methods are used in OAuth request.

1) PLAINTEXT : The PLAINTEXT method does not provide any security protection and SHOULD only be used over a secure channel such as HTTPS. It does not use the Signature Base String so this method doesn’t use any signature algorithm. It also does not utilize the signature base string or the "oauth_timestamp" and   "oauth_nonce" parameters. oauth_signature is set to the concatenated encoded values of the Consumer Secret and Token Secret, separated by a ‘&’ character (ASCII code 38), even if either secret is empty. The result MUST be encoded again.

2) HMAC-SHA1 : HMAC-SHA1 offers a simple and common algorithm that is available on most platforms. HMAC-SHA1 uses HMAC signature algorithm and SHA1 hash method to generate oauth_signature. It’s not easy to explain in detail about this signature method. But to generate signature it uses base string and hash key which is set of concatenated encoded values of the Consumer Secret and Token Secret, separated by a ‘&’ character. After using HMAC method whole string is encoded using base64.

$hashkey         = $cc_secret."&".$token_secret;

$oauth_signature = base64_encode(hash_hmac('sha1', $base_string, $hashkey, true));

3) RSA-SHA1  : The "RSA-SHA1" signature method uses the RSASSA-PKCS1-v1_5 signature algorithm using SHA-1 as the hash function for EMSA-PKCS1-v1_5. To use this method, the client MUST have established client credentials with the server that included its RSA public key.

RSA-SHA1 provides enhanced security using key-pairs but is more complex and requires key generation and a longer learning curve.

Since the RSA-SHA1 method does not use the token secret (it doesn’t use the client secret either but that is adequately replaced by the client private key), the private key is the only protection against attacks. In case of web based applications it’s easy to keep secret private key but in case of desktop applications like applets in java it has to be distributed with the application, which inheritably compromises them.

 Note : Most commonly used signature method is HMAC-SHA1.

What is use of oauth_signature ? 

It’s related with security issue. Oauth_signature allow the recipient to verify that the content of the request hasn’t changed in transit. To do that, the sender uses a mathematical algorithm to calculate the signature of the request and includes it with the request.  

In turn, the recipient performs the same workflow to calculate the signature of the request and compares it to the signature value provided. If the two match, the recipient can be confident that the request has not been modified in transit. The confidence level depends on the properties of the signature algorithm used (some are stronger than others). This mechanism requires both sides to use the same signature algorithm and apply it in the same manner.

To go deeper you can also read OAuth and Flickr, my previous post.

Thanks !!!!!! Enjoy Programming :)