Implementing 2-Legged OAuth in Javascript (and CloudTest)



Similar documents
OAuth. Network Security. Online Services and Private Data. A real-life example. Material and Credits. OAuth. OAuth

E*TRADE Developer Platform. Developer Guide and API Reference. October 24, 2012 API Version: v0

Programming Autodesk PLM 360 Using REST. Doug Redmond Software Engineer, Autodesk

Enterprise Access Control Patterns For REST and Web APIs

Setting up single signon with Zendesk Remote Authentication

Traitware Authentication Service Integration Document

Five Strategies for Performance Testing Mobile Applications

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

OPENID AUTHENTICATION SECURITY

HireDesk API V1.0 Developer s Guide

Using Foundstone CookieDigger to Analyze Web Session Management

SOASTA CloudTest Performance Data Retention and Security Policy. Whitepaper

Force.com REST API Developer's Guide

Cloud Powered Mobile Apps with Azure

Salesforce Files Connect Implementation Guide

Fairsail REST API: Guide for Developers

From Delphi to the cloud

itds OAuth Integration Paterva itds OAuth Integration Building and re-using OAuth providers within Maltego 2014/09/22

AT&T Synaptic Storage as a Service SM Getting Started Guide

Salesforce1 Mobile Security Guide

Authorization and Authentication

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

Cloud Testing Production Applications CloudTest Strategy and Approach

Secure Authentication and Session. State Management for Web Services

ivvy Events Software API

Version 1.0. ASAM CS Single Sign-On

Using SAML for Single Sign-On in the SOA Software Platform

Measure What Matters. don t Track What s Easy, track what s Important. kissmetrics.com

The increasing popularity of mobile devices is rapidly changing how and where we

OAuth: Where are we going?

STABLE & SECURE BANK lab writeup. Page 1 of 21

Copyright: WhosOnLocation Limited

SSO Eurécia. and external Applications. Purpose

Microsoft Office 365 Using SAML Integration Guide

Communication Security for Applications

Qualtrics Single Sign-On Specification

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

Lecture Notes for Advanced Web Security 2015

Criteria for web application security check. Version

What Are Certificates?

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

KMx Enterprise: Integration Overview for Member Account Synchronization and Single Signon

Project 2: Web Security Pitfalls

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

How to pull content from the PMP into Core Publisher

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

So you want to create an a Friend action

Single Sign-On Implementation Guide

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

LBA API Manual Ver.1.0.1

CONTRACT MODEL IPONZ DESIGN SERVICE VERSION 2. Author: Foster Moore Date: 20 September 2011 Document Version: 1.7

mkryptor allows you to easily send secure s. This document will give you a technical overview of how. mkryptor is a software product from

Is your data safe out there? -A white Paper on Online Security

Configuring Single Sign-on for WebVPN

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Onegini Token server / Web API Platform

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Principles of Continuous Integration

Integrating Single Sign-on Across the Cloud By David Strom

Single Sign-On Implementation Guide

Multi Factor Authentication API

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

User-password application scripting guide

How to Time Stamp PDF and Microsoft Office 2010/2013 Documents with the Time Stamp Server

GravityLab Multimedia Inc. Windows Media Authentication Administration Guide

Single Sign-On Implementation Guide

Login with Amazon. Getting Started Guide for Websites. Version 1.0

Usable Crypto: Introducing minilock. Nadim Kobeissi HOPE X, NYC, 2014

Salesforce Mobile Push Notifications Implementation Guide

Salesforce Opportunities Portlet Documentation v2

OCRA Validation Server Profile

Login with Amazon. Developer Guide for Websites

e-filing Secure Web Service User Manual

Mashery OAuth 2.0 Implementation Guide

Lab 7. Answer. Figure 1

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

OpenID Connect 1.0 for Enterprise

Salesforce Mobile Push Notifications Implementation Guide

How To Use Salesforce Identity Features

Installation and usage of SSL certificates: Your guide to getting it right

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Authenticate and authorize API with Apigility. by Enrico Zimuel Software Engineer Apigility and ZF2 Team

Whitepaper. Continuous Integration Tools Applying Best Practices to the Toolchain

Mastering health IT complexity with Fine-Grained REST APIs

Introducing DocumentDB

INTRODUCING AZURE SEARCH

The Secure Sockets Layer (SSL)

EHR OAuth 2.0 Security

Dashlane Security Whitepaper

Everything is Terrible

Connected Data. Connected Data requirements for SSO

Web Security. Mahalingam Ramkumar

Chapter 7 Transport-Level Security

Lab 4.4 Secret Messages: Indexing, Arrays, and Iteration

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Transcription:

Implementing 2-Legged OAuth in Javascript (and CloudTest) Introduction If you re reading this you are probably looking for information on how to implement 2-Legged OAuth in Javascript. I recently had to implement 2-legged OAuth into a CloudTest performance test for one of our customers. Because 2-legged OAuth is not part of the official OAuth spec yet (as of 6/15/2011) there is relatively little information out there about how to make this all work. Where there is information unfortunately it doesn t universally work for all implementations since there isn t a specification for it. I hope this saves you some time it definitely would have helped me out. You will need a working knowledge of Javascript to find the implementation details in this article useful. Without an understanding of Javascript you may find just the general OAuth overview interesting. High Level OAuth Overview OAuth is a way for applications to authenticate with one-another. In essence a client application encrypts a string of values and passes that encrypted string, along with the values it used to encrypt it (except one, your secret key), to the server. The server then uses the values you sent across to look up your secret key and attempt to generate the same encrypted string you did. The server then compares the two encrypted strings together. If they match, it s a success. If not, it s a failure. The difference between 3-Legged OAuth and 2-Legged OAuth is that in the 3-Legged variant, the client first passes some credentials to the server and gets an access token back if authentication is successful. Then this token is passed along in subsequent requests. This is commonly called the dance in OAuth developer circles. When you authenticate with Netflix through various platforms (AppleTV, iphone, Netflix.com), you do a 3-Legged OAuth dance. This allows for users, applications, and authentication to be abstracted out into separate tiers. Some other types of applications may be better suited for the authentication and message passing to happen in 1 request and 1 request only. This is where 2-legged comes in. In 2-legged OAuth you pass the encrypted string, the values used for encryption, and the message payload in 1 GET or POST. If it is rejected, the message fails. If it s accepted then the message is processed. This particular app that I was working on testing was a central logging system. Every message was a log event. There was no time (or functional need) for a three-way handshake in this app and also no notion of a maintained state. 2-Legged OAuth cuts out the middleman. If authentication is successful the message is processed, no dancing around.

Diving Deeper OAuth messaging can be done in two ways: in an authorization header or right on the query string. I m going to focus on the query string method here because I think it s easier to debug by swapping values around in a URL instead of trying to mess with request headers. That s just my preference though. The process for encrypting your signature string sounds easy but in reality it s much more challenging to get right. In short, the process goes like this: 1) Build a long string called a signature blob made up of sets of key/value pairs 2) Run that signature blob through a standard encryption function, using your consumer secret key and end up with a signature 3) URLEncode the signature (it s getting passed on the query string so it needs encoded) 4) Pass all of the key/value pairs and the signature along in the query string (in alphabetical order very important) 5) Pass or fail ;) The challenge is that if the signature blob you build is off by even one character before you encrypt it then it s not going to match what the server generates when it creates a signature to compare to yours. All that matters is what the server gets when it creates it s sigblob and signature. Your sigblob and signature HAS to match what is generated on the server side. A HUGE help is if you can have a developer on the server side give you a sample sigblob string and the signature that was created from encrypting that sigblob, this will help you immensely. If you have this, you can construct your sigblob to look exactly like what the server side will process. You can also compare the signature you get from encrypting it and make sure those match. Implementation First off here is the official OAuth documentation: http://oauth.net/core/1.0/ There are really great explanations and definitions in there for the things I m about to cover if you still have questions. Here is an example of a 2 legged OAuth request using the query string instead of an auth header (against a fictitious site obviously): http://www.blahblahblah.com/made-up-uri/restful-webservice- CALL?oauth_consumer_key=905324be-d7e0-4f1f-bff7-9892c6c37a73&oauth_nonce= rmexln&oauth_signature=hr8gu95dbqhan4v0qqpgrn%2b%2bjaq%3d&oauth_sig nature_method=hmac-sha1&oauth_timestamp=1302308307&oauth_token=&oauth_ version=1.0 Note that all of the query string parameters are in alphabetical order. This is important because doing this is mandatory it s required as part of the OAuth specification.

Let s break down this long URL: 1) http://www.blahblahblah.com/made-up-uri/restful-webservice-call This is your standard run of the mill RESTful web service URI. You would be posting something to this URI most likely. OAuth will be on the query string, and the payload will be in the POST body. 2)? A URI is always separated from the query string by a question mark this is standard HTTP formatting and you probably already know this. 3) oauth_consumer_key=905324be-d7e0-4f1f-bff7-9892c6c37a73 The consumer_key is given to you by the service provider. This is basically your user ID for making authentication requests to the server. You pass it along with your request and the server will use it to look up your consumer_secret_key and use that for encrypting the whole sigblob. You will also be given the consumer_secret_key by the service provider because you have to use it when encrypting your signature string. You don t, however, pass this secret key along in the URL. That would be very insecure and defeat the purpose ;) Instead you pass your consumer_key along and the server will look you up and use your secret encryption key from the database. 4) oauth_nonce=rmexln A nonce is basically a random alphanumeric string. It s an id tag for the request. It s required but there s not much to it so I wont spend much time on it. The OAuth class provided a bit later has a function for randomly generating a nonce value. 5) oauth_signature=hr8gu95dbqhan4v0qqpgrn%2b%2bjaq%3d This is the result of encrypting the sigblob (signature blob.. all of the values here formed into a string and then encrypted generate the signature) with your consumer_secret_key. Notice some values are URLEncoded (%2B, %3D, etc.) 6) oauth_signature_method=hmac-sha1 This is the encryption method used in the particular OAuth implementation your server is using. The most common method is HMAC-SHA1. Make sure you get the right signature method from the service endpoint you re trying to call. 7) oauth_timestamp=1302308307 Timestamp from when the signature was encrypted. Another security measure that ensures stale requests cannot be processed. 8) oauth_token= This is required on the query string but since it isn t used in 2-legged OAuth it is left blank. If this were 3-legged OAuth, there would have been a preceding request that would have resulted in you getting an oauth_token to use in future calls. 9) oauth_version=1.0 The version of oauth being used on the server side. As of the time this post was written 1.0 is the only version.

Resources You ll Need First Let s get down to building some sigblobs (I love this word). There are three Javascript snippets that you will need to grab first. 1) This is a javascript implementation of the sha1 hash algorithm. You ll need it for encrypting the sigblob. http://pajhome.org.uk/crypt/md5/sha1.js 2) This is an Oauth class written in Javascript that provides various utilities like creating a nonce value, etc. http://code.google.com/p/oauth/source/browse/code/javascript/oauth.js?r=1136 3) This is a nice function called makesignedrequest() that implements the Oauth class above. I found it useful for piecing everything together. http://paul.donnelly.org/2008/10/31/2-legged-oauth-javascript-function-for-yql/ Making it All Work Below is the code that I used to implement everything we ve talked about. Extra comments abound so that it s pretty clear what s going on. In order for this to work you need to have included the 3 blocks of code referenced in the previous section. /* Implementation of the SHA-1 encryption code and the OAuth code snippets referenced in the blog post at www.soasta.com The CK, CKS, and URL in the makesignedrequest method call below are fictitious. */ var signedurl = makesignedrequest( consumer_key_123456789","consumerkeys ecret/987654321","http://www.blahblahblah.com/made-up-ur i/restful-webservice-call // Slice the query string off of the end of the returned URL var fulllocation = signedurl; var beginning = fulllocation.indexof("?"); var querystring = fulllocation.substring(beginning + 1, fulllocation.length); //*** Begin splitting out each OAuth param out of the

query string that was generated above *** //Consumer Key var beginning = fulllocation.indexof("oauth_consumer_key="); var consumer_key = fulllocation.substring(beginning, fulllocation.length); //Nonce var beginning = fulllocation.indexof("oauth_nonce="); var end = fulllocation.indexof("&oauth_signature"); var nonce = fulllocation.substring(beginning + 12, end); //Sig method var beginning = fulllocation.indexof("oauth_signature_method="); var end = fulllocation.indexof("&oauth_timestamp"); var signature_method = fulllocation.substring(beginning, end); //Timestamp var beginning = fulllocation.indexof("oauth_timestamp="); var end = fulllocation.indexof("&oauth_version"); var timestamp = fulllocation.substring(beginning + 16, end); //Version var beginning = fulllocation.indexof("oauth_version="); var end = fulllocation.indexof("&oauth_signature="); var version = fulllocation.substring(beginning, end); // Generate the signature string and encrypt it to be passed along in the final URL /* The signature blob Things to note: 1) There is a required & between the URL and the oauth parameters 2) The ordering is significant - OAuth spec requires that the oauth parameters are in alphabetical order 3) Consumer key is hard coded should probably parameterized later 4) oauth_token is on the URL but there is no value The real secret to making this work is to know exactly what parameters and order of parameters that the server expects. This could be different depending on implementation but I ve found that it s usually close to this. */

var sigblob = "POST&http%3A%2F%2Fwww.blahblahblah.com%2Fmade-up-uri%2FR ESTFUL-WEBSERVICE-CALL&oauth_consumer_key% consumer_key_123456789%26oauth_nonce%3d" + nonce + "%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp% 3D" + timestamp + "%26oauth_token%3D%26oauth_version%3D1.0"; // The consumer key secret, parameter 1 in the function call below, is URLEncoded. Should use a URLEncode function on the real key but it was hard coded it in a time crunch (note the %2F which is a '/'). // Use the b64 sha1 function from the code included above to sign the sigblob and generate oauth_signature signature = b64_hmac_sha1("consumerkeysecret%2f987654321", sigblob); //URLEncode the resulting signature - since it's passed along on the querystring if it's not URLEncoded then the signatures wont match between client/server encodedsignature = encodeuricomponent(signature); //Generate the final query string to send along in the message request var reorderedoauthquerystring = consumer_key + "&oauth_nonce=" + nonce + "&oauth_signature=" + encodedsignature + "&" + signature_method + "&" + "oauth_timestamp=" + timestamp + "&" + "oauth_token=&" + version; More Resources Official OAuth spec. http://oauth.net/core/1.0/ For more information about SOASTA, please visit http://www.soasta.com. SOASTA, Inc. 2010. SOASTA, SOASTA CloudTest, and SOASTA CloudTest On-Demand, are trademarks or registered trademarks of SOASTA, Inc. All other trademarks are the property of their respective owners. About SOASTA SOASTA's CloudTest products and services leverage the power of cloud computing to quickly and affordably test consumer-facing Web and mobile applications at scale, providing customers with the confidence that their business-critical applications will be reliable and scalable, even under extreme loads. SOASTA s customers include many of today s most successful brands, including American Girl, Chegg, Gilt Groupe, Hallmark, Intuit, Microsoft and Netflix.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information