1. Auth
Presentation to Singapore Ruby Brigade
at SMU, School of Information Systems
29 November 2007
Chew Choon Keat
sharedcopy.com
http://flickr.com/photos/lachlanhardy/1400641336/
6. Giving away access
• “Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay.”
- oauth.net
17. Consumer Registration
Consumer
Protected Resources
Service Provider
“Let’s work together
here are my details”
End User
http://flickr.com/photos/marcroberts/1484118790/
19. Consumer Registration
Service Provider
Protected Resources
Consumer
“These are our secrets. Use it
every time you talk to me”
End User
http://flickr.com/photos/9458565@N07/760773574/
21. Use Case
Consumer
Protected Resources
Service Provider
End User
“Print my pictures from SP”
22. Get Request Tokens
Consumer
Protected Resources
Service Provider
“I have someone
who needs you”
End User
23. Get Request Tokens
Service Provider
Protected Resources
Consumer
“Pass this to him, and
bring him to me”
End User
http://flickr.com/photos/9458565@N07/760773574/
24. Get Authorization
Consumer
Protected Resources
Service Provider
“Go to there.
Bring this along”
End User
25. Get Authorization
Service Provider
Protected Resources
Consumer
“Hi, remember me?”
End User
26. Get Authorization
Service Provider
Protected Resources
Consumer
“Silver coin! You need
Consumer to do things for you?”
End User
27. Get Authorization
Service Provider
Protected Resources
Consumer
“Yes”
End User
28. Get Authorization
Service Provider
Protected Resources
Consumer
“Your wish is my command. Return there”
End User
30. Get Access Token
Consumer
Protected Resources
Service Provider
“He said ok? Gimme the keys”
End User
31. Get Access Token
Service Provider
Protected Resources
Consumer
“Ignore that silly silver coin...
Use this from now and I will
always treat you as he”
End User
http://flickr.com/photos/azuric/150520121/
32. Get Access Token
Consumer
Protected Resources
Service Provider
End User
33. Use Access Token
Consumer
Protected Resources
Service Provider
“Gimme MY pictures”
End User
34. Using Access Token
Service Provider
Protected Resources
Consumer
End User
35. Using Access Token
• Whenever Consumer calls SP’s API
• GET /photos.xml
• bring consumer key, access token
• sign with consumer secret & access secret
• Service Provider verifies signature
• treats request as End User
36. Using Access Token
• The user can, at the Service Provider’s website, revoke the Consumer’s access at any time
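As an added example (not code from the talk or from OAuth4R), the two slides above worked through in plain Ruby: the Consumer brings its consumer key and access token on GET /photos.xml against a provider on localhost:5001 as in the demo, signs with HMAC-SHA1 over the OAuth 1.0 signature base string keyed by consumer secret and access secret, and the Service Provider recomputes the signature, refuses replayed nonces and maps the token to its End User; revoking the user's grant is just dropping the token from the store. All keys, secrets, the nonce and the timestamp are constructed values.

```ruby
require 'openssl'

# Percent-encode per RFC 3986 as OAuth 1.0 requires: only unreserved characters pass through.
def oauth_escape(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Base string: METHOD & encoded URL & encoded normalized params (sorted by encoded name, then value).
def signature_base_string(method, url, params)
  pairs = params.reject { |k, _| k == 'oauth_signature' }.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
  normalized = pairs.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret" (the slide's "sign with consumer secret & access secret").
def oauth_signature(method, url, params, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, signature_base_string(method, url, params))].pack('m0') # base64, no newline
end

# Consumer side: bring consumer key and access token as oauth_* parameters, then sign the request.
def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret, nonce, timestamp)
  signed = params.merge('oauth_consumer_key' => consumer_key, 'oauth_token' => token,
                        'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
                        'oauth_nonce' => nonce, 'oauth_version' => '1.0')
  signed.merge('oauth_signature' => oauth_signature(method, url, signed, consumer_secret, token_secret))
end

# Constant-time comparison so signature checking does not leak how many leading bytes matched.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Service Provider side: recompute the signature from stored secrets, refuse a nonce already seen for that
# token (replay) and return the End User it stands for. A real provider also rejects stale timestamps.
class Provider
  def initialize(consumers, tokens) # consumers: key => secret; tokens: token => { secret:, user: } (constructed)
    @consumers, @tokens, @seen = consumers, tokens, Hash.new { |h, k| h[k] = {} }
  end
  def verify(method, url, params)
    consumer_secret, token = @consumers[params['oauth_consumer_key']], @tokens[params['oauth_token']]
    return nil unless consumer_secret && token && params['oauth_signature_method'] == 'HMAC-SHA1'
    return nil if @seen[params['oauth_token']].key?(params['oauth_nonce'])
    expected = oauth_signature(method, url, params, consumer_secret, token[:secret])
    return nil unless secure_equal?(expected, params['oauth_signature'].to_s)
    @seen[params['oauth_token']][params['oauth_nonce']] = true
    token[:user]
  end
  def revoke(token); @tokens.delete(token); end # slide 36: the user invalidates the Consumer's access
end
```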
45. Introducing OAuth4R
• Forget the protocol, just fill in the blanks
• Provides code generators that let a Rails website support OAuth easily
• Generated scaffolds do the OAuth dance out of the box
• Developers only need to link tokens to their Users
47. OAuth4R: Provider
cd example_apps/oauth_provider
rake db:create:all
rake db:migrate
./script/server -p 5001
• Users controller at http://localhost:5001/users
• with primitive login implemented
• Users’ Addressbook controller at http://localhost:5001/contacts
• with primitive permissions based on user’s login
48. OAuth4R: Consumer
cd ../oauth_consumer/
rake db:create:all
rake db:migrate
./script/server -p 5000
• Users controller at http://localhost:5000/users
• even more primitive login implementation
• For this demo, create a new user, “Tommy”
49. OAuth4R: Provider
cd ../oauth_provider/
./script/generate oauth_provider GetContact
rake db:migrate
patch -p0 < TODO.patch
./script/server -p 5001
• Generate a “scaffold controller”
• Controller does the OAuth dance
• Modify to link up with your own user models
51.
• Modify your User model to has_many oauth_user
• Modify the controller guarding Protected Resources to requires_oauth
52. OAuth4R: Consumer
cd ../oauth_consumer/
./script/generate oauth_consumer UseGetContact
rake db:migrate
patch -p0 < TODO1.patch
./script/server -p 5000
• Generate a “scaffold controller”
• Controller can do the OAuth dance with one service provider
• Modify to link up with your User models
57. User Authorization
• Go to http://localhost:5000/users
• Click on “Tommy > Show” to login
• Click on “Establish OAuth...”
58. User Authorization
• Click “Create” and you’ll arrive at the provider site (http://localhost:5001) to log in
• Authorization prompt will appear
• Click “Yes” & you’ll be redirected back to the consumer site (http://localhost:5000)
59. All done, then what?
• Scripts accessing APIs on behalf of End User
• This demo uses a simple ActiveResource
60. All done, then what?
$ ruby script/fetch_contacts.rb
/example_apps/oauth_consumer/vendor/rails/activeresource/lib/active_resource/connection.rb:124:in `handle_response': Failed with 500 Internal Server Error (ActiveResource::ServerError)
• OAuth blocks our unauthenticated access
• We need to modify our API callers slightly
patch -p0 < TODO2.patch
61. Modify ActiveResource
• Add acts_as_oauth_resource
• the underlying HTTP connection is automatically supplied with OAuth credentials