SPA Conference session: Keeping Passwords Private with OAuth

One-line description: This hands-on tutorial will explain how the OAuth security protocol allows developers to offer cloud services to users without requiring them to provide their usernames and passwords.
 
Session format: Tutorial (150 minutes)
 
Abstract: There are many third-party programs which access cloud-based services (such as Dropbox, Amazon or Facebook) that are secured using usernames and passwords. However, trusting such a program with your user credentials is risky: you have no way of knowing how the program will keep them secure, and no way of preventing the program from using them maliciously.
This problem is known as cross-domain authentication, and one way of solving it is to use an open standard called OAuth. A client which implements the OAuth protocol uses a specially negotiated key and secret to gain access to secured services or data. The program never sees the user's credentials, which are submitted only to the service as part of the one-off authorisation process. OAuth also allows the server to restrict the services or data which the client has access to.
OAuth is supported by a large number of cloud service providers, including GitHub, Dropbox, Facebook, Google and Amazon (see http://bit.ly/1hPBgT4). Many of these providers publish open APIs which allow you to use OAuth in your own programs.
In this tutorial we will explain why OAuth is needed, how the protocol works, and how it is used in client programs. The tutorial includes a hands-on exercise in which you will implement a simple OAuth client to access the Dropbox file-sharing service.
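To make the three-legged exchange described above concrete, here is an added Python example (not the tutorial's own code and not the Dropbox SDK) that simulates both a service provider and a client in one process; the Provider class, token formats, scope names and alice's credentials are all constructed for illustration. The point to watch is that the client ends up with a consumer key and an access token, never the password, and that the provider enforces the scope the client asked for.

```python
import secrets

class Provider:
    """Stand-in for the service provider (Dropbox in the tutorial); constructed for this example."""
    def __init__(self, users, registered_clients):
        self.users = users                  # username -> password: only the provider holds these
        self.clients = registered_clients   # consumer keys issued when each app was registered
        self.pending = {}                   # request token -> {client, scope, user, verifier}
        self.access = {}                    # access token -> {user, scope}

    def request_token(self, consumer_key, scope):  # leg 1: client asks for a temporary token
        if consumer_key not in self.clients:
            raise PermissionError("unknown client")
        token = secrets.token_hex(8)
        self.pending[token] = {"client": consumer_key, "scope": scope, "user": None, "verifier": None}
        return token

    def authorise(self, token, username, password):  # leg 2: user logs in on the provider's page
        if not secrets.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad credentials")
        req = self.pending[token]
        req["user"], req["verifier"] = username, secrets.token_hex(4)
        return req["verifier"]  # handed to the client via the redirect or copy-paste step

    def access_token(self, consumer_key, token, verifier):  # leg 3: swap for an access token
        req = self.pending.pop(token, None)  # one-off: a request token cannot be exchanged twice
        if req is None or req["client"] != consumer_key or not req["verifier"] or req["verifier"] != verifier:
            raise PermissionError("request token was not authorised by the user")
        access = secrets.token_hex(8)
        self.access[access] = {"user": req["user"], "scope": req["scope"]}
        return access

    def api_call(self, access, operation, path):  # the token names the user and caps the scope
        grant = self.access.get(access)
        if grant is None or (operation == "write" and grant["scope"] != "read-write"):
            raise PermissionError("no valid access token or scope does not permit this")
        return f"{operation} {path} as {grant['user']}"

def client_flow(scope="read-only"):
    """The client side of the flow: it holds its consumer key and tokens, never alice's password."""
    provider = Provider({"alice": "correct horse battery staple"}, {"demo-app"})  # constructed data
    token = provider.request_token("demo-app", scope)
    verifier = provider.authorise(token, "alice", "correct horse battery staple")  # the user's step, not the client's
    access = provider.access_token("demo-app", token, verifier)
    read_result = provider.api_call(access, "read", "/notes.txt")
    try:
        write_result = provider.api_call(access, "write", "/notes.txt")
    except PermissionError as denied:
        write_result = str(denied)
    return read_result, write_result
```

Running client_flow() with the default read-only scope shows the read succeeding and the write refused, while client_flow("read-write") permits both.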
 
Audience background:
- Competent programmer (we will use Python in the slides and exercises, but attendees can use any language with a Dropbox SDK, such as Ruby, Java or Objective-C)
- General understanding of computer security (authentication and authorization)
- No prior knowledge of OAuth is required.
Participants will need a validated Dropbox account, and an Internet-connected laptop, preferably with the Dropbox SDK for their chosen language already installed.
 
Benefits of participating: You will gain an understanding of the risks of sharing user credentials with third-party applications, and of how OAuth mitigates these risks. You will also get the chance to build a simple OAuth client and walk through the OAuth workflow with a real service provider, Dropbox.
 
Materials provided: We will use Python for the slides and exercises, and will provide Python code fragments and Python code for the completed solution.
 
Process: The session will start with a short explanation of the problem and how OAuth works. We will then move into the practical exercise, in which attendees will implement a simple command-line program that gains access to Dropbox files through the OAuth authorisation flow. Attendees can work on their own or in pairs.
 
Detailed timetable:
- 00:00 - 00:05 Presenter introduction
- 00:05 - 00:15 Problem statement (why sharing security credentials with third-party applications is undesirable)
- 00:15 - 00:45 OAuth overview (history; OAuth 1 vs OAuth 2; explanation of how OAuth works; the Dropbox native OAuth API; the Dropbox Python API)
- 00:45 - 01:00 Environment setup and break (ensure Python is installed and working; download and install the Dropbox Python API; download and unzip the session materials)
- 01:00 - 01:45 Exercise 1: Granting access to Dropbox programmatically
- 01:45 - 02:00 Break
- 02:00 - 02:30 Exercise 2: Using the Dropbox API to read and write files
 
Outputs: We will post the code fragments, completed code and any other session materials to the SPA website.
 
History: We have not presented this session before.
 
Presenters:
1. Nick Rozanski (Barclays Investment Bank)
2. Eoin Woods (UBS)
3. Chris Cooper-Bland (Endava (UK) Ltd)