OAuth

From Wikipedia, the free encyclopedia
Jump to: navigation, search
The OAuth logo, designed by Chris Messina

OAuth is an open standard for authorization. OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner, or end-user. The client then uses the access token to access the protected resources hosted by the resource server.[1] OAuth is commonly used as a way for web surfers to log into third party web sites using their Google, Facebook or Twitter accounts, without worrying about their access credentials being compromised.[2]

OAuth is a service that is complementary to, and therefore distinct from, OpenID. OAuth is also distinct from OATH, which is a reference architecture for authentication, not a standard.

History[edit]

OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service. Cook, Chris Messina and Larry Halff from Magnolia met with David Recordon to discuss using OpenID with the Twitter and Ma.gnolia APIs to delegate authentication. They concluded that there were no open standards for API access delegation.[citation needed]

The OAuth discussion group was created in April 2007, for the small group of implementers to write the draft proposal for an open protocol. DeWitt Clinton from Google learned of the OAuth project, and expressed his interest in supporting the effort. In July 2007 the team drafted an initial specification. Eran Hammer joined and coordinated the many OAuth contributions, creating a more formal specification. On October 3, 2007, the OAuth Core 1.0 final draft was released.[citation needed]

At the 73rd Internet Engineering Task Force meeting in Minneapolis in November 2008, an OAuth BoF was held to discuss bringing the protocol into the IETF for further standardization work. The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.

The OAuth 1.0 Protocol was published as RFC 5849, an informational Request for Comments, in April 2010.

Since August 31, 2010, all third party Twitter applications have been required to use OAuth.[3]

The OAuth 2.0 Framework was published as RFC 6749, and the Bearer Token Usage as RFC 6750, both standards track Requests for Comments, in October 2012. Additional RFCs are still being worked on.

OAuth 2.0[edit]

OAuth 2.0 is the next evolution of the OAuth protocol and is not backwards compatible with OAuth 1.0. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification and associated RFCs are developed by the IETF OAuth WG;[4] the main framework was published in October 2012. (It was expected to be finalized by the end of 2010, according to Eran Hammer.[5] However, due to discordant views about the evolution of OAuth, Hammer left the working group.[6])

Facebook's new Graph API only supports OAuth 2.0.[7] Google supports OAuth 2.0 as the recommended authentication mechanism for all of its APIs.[8] As of 2011 Microsoft[9] has added OAuth 2.0 experimental support to their APIs.

The OAuth 2.0 Framework[10] and Bearer Token Usage[11] were published in October 2012. Other documents are still being worked on within the OAuth working group.

Security[edit]

On April 23, 2009, a session fixation security flaw in the 1.0 protocol was announced. It affects the OAuth authorization flow (also known as "3-legged OAuth") in OAuth Core 1.0 Section 6.[12] Version 1.0a of the OAuth Core protocol was issued to address this issue.[13]

OAuth 2.0 doesn't support signature, encryption, channel binding, or client verification. It relies completely on SSL for some degree of confidentiality and server authentication.[14][15]

OAuth 2.0 has had numerous security flaws exposed in implementations.[16] The protocol itself has been described as inherently insecure by security experts and a primary contributor to the specification stated that implementation mistakes are almost inevitable.[17][18]

Non-interoperability[edit]

Because OAuth 2.0 is more of a framework than it is a defined protocol, OAuth 2.0 implementations are less likely to be naturally interoperable with any other OAuth 2.0 implementations. Further deployment profiling and specification is required for any interoperability.[19]

Uses[edit]

OAuth can be used as an authorizing mechanism to consume secured RSS/ATOM feeds. Consumption of RSS/ATOM feeds that require authentication has always been an issue. For example, an RSS feed from a secured Google Site cannot be consumed using Google Reader. Instead, three-legged OAuth can be used to authorize Google Reader to access the RSS feed from that Google Site.

List of OAuth service providers[edit]

Service provider OAuth protocol
AllPlayers.com 1.0[20]
Amazon 2.0[21]
AOL 2.0[22]
Basecamp 2.0[23]
Bitbucket 1.0a
bitly 2.0
blueKiwi software 2.0
Box 2.0[24]
ciValidator 1.0
cosm 2.0
Dailymotion 2.0 draft 11[25]
deviantART 2.0 drafts 10 and 15
Discogs 1.0a
Dropbox 1.0, 2.0[26]
Etsy 1.0[27]
Evernote 1.0
Facebook 2.0 draft 12[6]
Fitbit 1.0
Flickr 1.0a
Formstack 2.0
Foursquare 2.0
Fortnox 2.0
GitHub 2.0
Goodreads 1.0
Google 2.0
Google App Engine 1.0a [28]
Groundspeak 1.0
HnyB.me 2.0
Huddle 2.0
Instagram 2.0
Intel Cloud Services 2.0
Jive Software 1.0a, 2.0
LinkedIn 1.0a, 2.0[29]
Microsoft (Hotmail, Windows Live, Messenger, Xbox) 2.0
Mixi 1.0[30]
Moves 2.0[31]
MySpace 1.0a
Netflix 1.0a
OpenLink Data Spaces 1.0[32]
Noosh 2.0
OpenTable 1.0a
PayPal 2.0
Plurk 1.0a[33]
RealPeepz 1.0
Reddit 2.0[34]
Salesforce.com 1.0a, 2.0
SARE 2.0
SensioLabs Connect 2.0
Sina Weibo 2.0
StatusNet 1.0a
Strava 2.0
Stripe 2.0
Tent.io 2.0
Trello 1.0[35]
Tumblr 1.0a
Twitter 1.0a, 2.0[36]
Ubuntu One 1.0
Unbounce 2.0
Veevop 2.0
Viadeo 2.0[37]
Vimeo 1.0a
VK 2.0
Withings 1.0[38]
Xero 1.0a
XING 1.0[39]
Yahoo! 1.0a
Yammer 2.0
Yandex 2.0
Yelp 1.0a
Zendesk 2.0

OpenID vs. pseudo-authentication using OAuth[edit]

The following diagrams highlight the differences between using OpenID and OAuth for authentication. With OpenID, the process starts with the application asking the user for their identity (basically a log-in request by the application, to which the user typically provides an OpenID URI rather than actual credentials). In the case of OAuth, the application specifically requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on the user's behalf (which typically explicitly names the particular rights requested, and does not require the user to enter credentials at all). If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs. In either case, the access to the Identity Provider will involve authentication to the Identity Provider, unless some session is already in effect. The result in the OpenID case is that the application allows the user access, because it trusts the OpenID Identity provider. The result in the OAuth case is that the API provider allows the application access because it trusts its own valet keys.

OpenID vs. pseudo-authentication using OAuth

Controversy[edit]

In July 2012, Eran Hammer resigned his role of lead author for the OAuth 2.0 project, withdrew from the IETF working group, and removed his name from the specification. Hammer pointed to a conflict between the web and enterprise cultures, citing the IETF as a community that is "all about enterprise use cases", that is "not capable of simple." What is now offered is a blueprint for an authorization protocol, he says, and "that is the enterprise way", providing a "whole new frontier to sell consulting services and integration solutions."[6]

Despite this, it has been noted[40][unreliable source?] that OAuth 2.0 doesn't fit enterprise cultures either. Management is unlikely to want to offer an external API upon a framework which is non-interoperable and presents unquantifiable risk.[original research?] The essential authentication design of OAuth 2.0 also clashes with the needs of enterprise level integration, making usage of a third party API authorized by OAuth 2.0 "difficult if not outright impossible."

In comparing OAuth 2.0 with 1.0, Hammer points out that it has become "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure." He explains how architectural changes for 2.0 unbound tokens from clients, removed all signatures and cryptography at a protocol level and added expiring tokens because tokens couldn't be revoked while complicating the processing of authorization. Numerous items were left unspecified or unlimited in the specification because "as has been the nature of this working group, no issue is too small to get stuck on or leave open for each implementation to decide."[6]

Eran later gave a presentation at &Yet elaborating on his views.[41]

David Recordon later also removed his name from the specifications for unspecified reasons. Dick Hardt took over the editor role, and the framework was published in October 2012.[10]

See also[edit]

References[edit]

  1. ^ http://tools.ietf.org/html/rfc6749
  2. ^ http://lifehacker.com/5918086/understanding-oauth-what-happens-when-you-log-into-a-site-with-google-twitter-or-facebook
  3. ^ Chris Crum (2010-08-31). "Twitter Apps Go OAuth Today". WebProNews.com. Retrieved 2011-03-14. 
  4. ^ "Web Authorization Protocol (oauth)". IETF. Retrieved May 8, 2013. 
  5. ^ Eran Hammer (2010-05-15). "Introducing OAuth 2.0". Retrieved 2011-03-14. 
  6. ^ a b c d "OAuth 2.0 and the Road to Hell". Eran Hammer. 28 July 2012. Retrieved 16 August 2012. 
  7. ^ "Authentication - Facebook Developers". developers.facebook.com. 
  8. ^ "Google Accounts Authentication and Authorization". developers.google.com. 
  9. ^ Dare Obasanjo (2011-05-04). "Announcing Support for OAuth 2.0". windowsteamblog.com. 
  10. ^ a b "RFC6749 - The OAuth 2.0 Authorization Framework". Dick Hardt. October 2012. Retrieved 10 October 2012. 
  11. ^ "RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage". Michael Jones, Dick Hardt. October 2012. Retrieved 10 October 2012. 
  12. ^ "OAuth Security Advisory: 2009.1". 2009-04-23. Retrieved 2009-04-23. 
  13. ^ OAuth Core 1.0a
  14. ^ "Is OAuth 2.0 Bad for the Web?". 2010-09-20. Retrieved 2010-09-21. 
  15. ^ "an unwarranted bashing of Twitter’s oAuth". 2011-08-03. Retrieved 2011-08-03. 
  16. ^ "Hacking Facebook with OAuth 2.0 and Chrome". 2013-02-12. Retrieved 2013-03-06. 
  17. ^ "Re: OAUTH-WG OAuth2 attack surface....". 2013-02-28. Retrieved 2013-03-06. 
  18. ^ "OAuth1, OAuth2, OAuth...?". 2013-03-01. Retrieved 2013-03-06. 
  19. ^ Dick Hardt, ed. "Interoperability". The OAuth 2.0 Authorization Framework. IETF. sec. 1.8. RFC 6749. https://tools.ietf.org/html/rfc6749#section-1.8. Retrieved 8 May 2013. "as a rich and highly extensible framework with many optional components, on its own, this specification is likely to produce a wide range of non-interoperable implementations."
  20. ^ "OAuth". Develop AllPlayers.com. Retrieved 2013-09-21. 
  21. ^ "Home - Login with Amazon Developer Center". Login.amazon.com. Retrieved 2013-09-21. 
  22. ^ "Aol Identity". identity.aol.com. Retrieved 2013-09-21. 
  23. ^ / (2012-09-11). "api/sections/authentication.md at master 路 37signals/api 路 GitHub". Github.com. Retrieved 2013-09-21. 
  24. ^ "Box Platform Developer Documentation". Developers.box.com. Retrieved 2013-09-21. 
  25. ^ "Authentication — Dailymotion APIs". www.dailymotion.com. Retrieved 2014-06-19. 
  26. ^ Retry-After. "Core API - endpoint reference". Dropbox. Retrieved 2013-12-19. 
  27. ^ "OAuth Authentication - Etsy Developers". Etsy. Retrieved 2014-05-12. 
  28. ^ "Google App Engine — Google Developers" (in Italian). Developers.google.com. Retrieved 2013-09-21. 
  29. ^ "Authentication | LinkedIn Developer Network". Developer.linkedin.com. 2011-01-12. Retrieved 2013-09-21. 
  30. ^ "2-legged OAuthによるAPIアクセス << mixi Developer Center (ミクシィ デベロッパーセンター)". Developer.mixi.co.jp. Retrieved 2013-09-21. 
  31. ^ "Documentation - Moves for Developers". Dev.moves-app.com. 2013-11-26. Retrieved 2014-03-06. 
  32. ^ "ODS: ODS as an OAuth Provider". Web.ods.openlinksw.com. 1970-01-01. Retrieved 2013-09-21. 
  33. ^ "Plurk API 2.0". Plurk.com. Retrieved 2013-09-21. 
  34. ^ / (2013-08-12). "OAuth2 路 reddit/reddit Wiki 路 GitHub". Github.com. Retrieved 2013-09-21. 
  35. ^ "Authorizing via OAuth - Trello documentation". 
  36. ^ "POST oauth2/token | Twitter Developers". Dev.twitter.com. 2013-03-11. Retrieved 2013-09-21. 
  37. ^ "OAuth 2.0 Authentication | Viadeo API". Dev.viadeo.com. Retrieved 2013-09-21. 
  38. ^ "Withings - API developer center documentation". www.withings.com. Retrieved 2014-03-16. 
  39. ^ "Authentication | XING Developer". Dev.xing.com. 1970-01-01. Retrieved 2013-09-21. 
  40. ^ "OAuth - A great way to cripple your API". Insane Coding. March 19, 2013. Retrieved March 21, 2013. 
  41. ^ "OAuth 2.0 - Looking Back and Moving On". Eran Hammer. 23 October 2012. Retrieved 22 November 2012. 

External links[edit]