Presentation on the topic: "Sicurezza II, A.A. 2011/2012 OAuth. Speaker: André Panisson, PhD student, Università degli Studi di Torino, Computer Science Department, Corso Svizzera, 185." Transcript of the presentation:

1  Sicurezza II, A.A. 2011/2012: OAuth
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
panisson@di.unito.it
Sicurezza II A.A. 2011-2012

2  What is OAuth?
o OAuth (Open Authentication) is an open standard for authorization
  » Allows sharing a user's resources (photos, videos, contact lists) between different websites
  » The user's credentials (username and password) are not shared
  » Websites share tokens instead of credentials
  » Each token grants access to a specific website, for specific resources, for a defined duration
o OAuth is a service that is complementary to, but distinct from, OpenID.

3  OAuth vs OpenID
o They both live in the general domain of security, identity, and authorization
o They are open web standards
o They both celebrate decentralization
o They both involve browser redirects from the website you're trying to use
o But they're different: they let you do different things

4  OAuth vs OpenID
o OpenID gives you one login for multiple sites
  » OAuth lets you authorize one website – the consumer – to access your data from another website – the provider
o With OpenID, there is no suggestion of two webapps sharing your data
  » With OAuth, any information you hold on any website can be shared with another website
o With OAuth, you still need to log into the provider

5  OAuth Protocol

6  Example Provider: Twitter
o Twitter (twitter.com) shut off Basic Auth completely on August 30th 2010
  http://techcrunch.com/2010/08/13/oauthpocalypse/
o If you have a Twitter account, you can become a Twitter developer:
  » Go to dev.twitter.com
  » Click "Your apps"
  » Register a new application
  » Choose Application Name, Description, Website
  » Application Type: Browser
  » …
  » Register Application

7  Example Provider: Twitter
o Registered parameters:
  » API key
  » Consumer key
  » Consumer secret
  » Request token URL: https://api.twitter.com/oauth/request_token
  » Access token URL: https://api.twitter.com/oauth/access_token
  » Authorize URL: https://api.twitter.com/oauth/authorize
o Twitter supports HMAC-SHA1 signatures; it does not support the PLAINTEXT signature method

8  Lab objective
o Develop a minimal website that performs access control through OAuth
  » Integration with an OAuth consumer
  » Interaction with an OAuth provider

9  Lab setup
o Apache 2.2.13 server under the $HOME/apache folder, plus PHP

10  OAuth Libraries
o Official site: http://oauth.net/
o We will install a local provider implemented in PHP
  » Source code for several languages: http://code.google.com/p/oauth/
  » Available as a package at http://www.di.unito.it/~panisson/public/oauth-code.tar.gz
  » Download and extract the file oauth-code.tar.gz:
        tar -xvzf oauth-code.tar.gz
  » Copy the whole php folder into the document root:
        cp code/php $HOME/apache/htdocs/oauth -R
  » Open the examples: http://localhost:8080/oauth/example/

11  OAuth Test Server
o Read the instructions and try:
  » Getting a Request Token
  » Getting an Access Token
  » Making Authenticated Calls
o Try with different signature types:
  » HMAC-SHA1
  » PLAINTEXT
  » RSA-SHA1

12  OAuth Test Client
o Read the instructions and try making calls to the provider:
  » Request Token
  » Authorize
  » Access Token
o Try with different signatures:
  » HMAC-SHA1
  » PLAINTEXT
  » RSA-SHA1

13  OAuth Test Client
o Try with the Twitter parameters:
  » API key
  » Consumer key
  » Consumer secret
  » Request token URL: https://api.twitter.com/oauth/request_token
  » Access token URL: https://api.twitter.com/oauth/access_token
  » Authorize URL: https://api.twitter.com/oauth/authorize

14  OAuth - Exercise
o Use the OAuth Test Client page with Twitter to:
  » Create request_token and request_token_secret
  » Authorize
  » Create access_token and access_token_secret

15  OAuth - Exercise
o Use the generated tokens to make a request to a Twitter service:
  » Create a PHP script in the same folder as the OAuth examples with the content of these two slides.

    <?php
    require_once("common.inc.php");   // loads OAuth.php from the example folder

    // Helper class used to fetch a URL from PHP (through the lab proxy)
    class OAuthCurl {
        public function __construct() { }

        public static function fetchData($url) {
            $options = array(
                CURLOPT_RETURNTRANSFER => true,                       // return web page
                CURLOPT_HEADER         => false,                      // don't return headers
                CURLOPT_FOLLOWLOCATION => true,                       // follow redirects
                CURLOPT_PROXY          => "http://172.16.0.254:3128", // proxy address
                CURLOPT_PROXYPORT      => 3128,                       // proxy port
            );
            $ch = curl_init($url);
            curl_setopt_array($ch, $options);
            $content = curl_exec($ch);
            $err     = curl_errno($ch);
            $errmsg  = curl_error($ch);
            $header  = curl_getinfo($ch);   // includes 'http_code'
            curl_close($ch);
            $header['errno']   = $err;
            $header['errmsg']  = $errmsg;
            $header['content'] = $content;
            return $header;
        }
    }

16  OAuth - Exercise (cont.)

    $consumer_key        = "key";          // put your key here
    $consumer_secret     = "secret";       // put your secret here
    $access_token        = "token";        // put the generated token here
    $access_token_secret = "token_secret"; // put the generated token secret here
    $callback_url        = NULL;           // no callback is needed when calling the API with an access token

    // the service URL; see dev.twitter.com
    $service = "https://api.twitter.com/1/statuses/home_timeline.json";

    $sig_method = new OAuthSignatureMethod_HMAC_SHA1();
    $consumer   = new OAuthConsumer($consumer_key, $consumer_secret, $callback_url);
    $token      = new OAuthToken($access_token, $access_token_secret);

    // Build the GET request and sign it with HMAC-SHA1 (consumer secret + token secret)
    $request = OAuthRequest::from_consumer_and_token($consumer, $token, "GET", $service);
    $request->sign_request($sig_method, $consumer, $token);

    $oc      = new OAuthCurl();
    $reqData = $oc->fetchData($request->to_url());   // signed parameters travel in the query string
    if ($reqData['errno'] != 0 || $reqData['http_code'] != 200) {
        die("Request failed: " . $reqData['errmsg'] . " (HTTP " . $reqData['http_code'] . ")\n");
    }
    $timeline = json_decode($reqData['content']);
    foreach ($timeline as $status) {
        print $status->text . "\n";
    }
    ?>
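The PHP above leaves the HMAC-SHA1 signature to the library's OAuthRequest::sign_request(). As an added example (not from the slides or from the oauth.net code), the same computation is spelled out below in Python following RFC 5849: percent-encoding, parameter normalization, the signature base string, the signing key, and the provider-side check (constant-time compare plus timestamp/nonce replay protection). The request parameters and expected base string are the test vector from RFC 5849 section 3.4.1.1; the secrets used to exercise it are constructed.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote, urlsplit

def pct(s):
    # RFC 5849 3.6 percent-encoding: only ALPHA / DIGIT / "-" "." "_" "~" stay bare, hex is upper-case
    return quote(str(s), safe="~")

def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1). `params` = every query, body and oauth_*
    parameter as (name, value) pairs, except oauth_signature and realm."""
    u = urlsplit(url)
    port = "" if u.port in (None, 80, 443) else f":{u.port}"                  # drop default ports
    base_url = f"{u.scheme.lower()}://{u.hostname.lower()}{port}{u.path}"      # no query, no fragment
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Signing key is enc(consumer_secret)&enc(token_secret); the "&" stays even without a token
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Verifier:
    """Provider side: recompute the signature, compare in constant time, reject stale
    timestamps and replayed (timestamp, nonce) pairs."""
    def __init__(self, consumer_secret, token_secret="", window=300):
        self.secrets, self.window, self.seen = (consumer_secret, token_secret), window, set()

    def verify(self, method, url, params, signature, now=None):
        p = dict(params)
        now = time.time() if now is None else now
        ts, nonce = p.get("oauth_timestamp", "0"), p.get("oauth_nonce", "")
        if not ts.isdigit() or abs(now - int(ts)) > self.window or (ts, nonce) in self.seen:
            return False
        expected = hmac_sha1_signature(method, url, params, *self.secrets)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return False
        self.seen.add((ts, nonce))
        return True

# Request from RFC 5849 section 3.4.1.1 (taken from the spec, not from the slides)
RFC_PARAMS = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),   # query string
              ("c2", ""), ("a3", "2 q"),                               # form body
              ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
              ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
              ("oauth_nonce", "7d8f3e4a")]
RFC_BASE_STRING = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
                   "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
                   "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
                   "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")
```

Calling base_string("POST", "http://example.com/request", RFC_PARAMS) reproduces RFC_BASE_STRING exactly; note that the query value "=%3D" is decoded once by the server and then encoded twice on its way into the base string, which is the usual source of interoperability bugs with this signature method.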

17  OAuth 2.0
o OAuth 2.0: http://oauth.net/2/
o Not backward compatible with OAuth 1.0
o Facebook's Graph API only supports OAuth 2.0 and is its largest implementation
o As of 2011, Google added experimental OAuth 2.0 support to its APIs

18  OAuth: Other implementations
o Try the Python implementation:
        export PYTHONPATH=$HOME/code/python
        python $HOME/code/python/oauth/example/server.py
        python $HOME/code/python/oauth/example/client.py

19  Exercises
o Google OAuth Playground: http://googlecodesamples.com/oauth_playground/
  » Write a document (report) with all the steps needed to access Google services using OAuth on this page
  » Correlate them with the steps of the "OAuth Protocol" slide
  » List the content of the HTTP Request/Response for each step
  » To be handed in (doc or pdf format) after the theory lecture on OAuth

20  OAuth
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
panisson@di.unito.it
Sicurezza II A.A. 2010-2011
Thank you for your attention!

21  © 2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

