Lets Build OAuth - kimschles/schlesinger-knowledge GitHub Wiki

Let's Build OAuth

Brian Schiller @ Develop Denver 2018

Vocab

Authentication: This is who I am Authorization: I am allowed to perform this action, see this data, etc.

OAuth is For...

  • Authentication
  • Delegated Authorization
    • Delegate the authority to take an action like hootsuite to post tweets on my account

Without OAuth

  1. You give another service your username and password
  • Drawbacks:
    • All or nothing (you cannot specify read only, etc.)
    • Tempting attack surface
    • Passwords can change
  • Benefits:
    • No coordination needed with the provider service
    • Simple UI and mental model
  1. Personal Access Token
  • Get your API key or token from one service, and apply it to another
  • Examples: Setting up Homebrew, Trelloro

OAuth

(see flow diagrams)

How to Build the State Param

  1. Identify the user
  2. Timestamped
  3. Bonus: which service?
  4. Signed

payload = JSON.stringify({
  issued_at: Date.now(),
  user_id: session.user_id,
  login_with: 'twitter',
});

signature = hmac(SECRET_KEY, payload);

state = (
  urlSafeBase64(payload) + '.' +
  urlSafeBase64(signature)
);```