Re: [OAUTH-WG] Facebook's experience with OAuth2.0 signatures
Paul Tarjan <paul.tarjan@facebook.com> Wed, 28 July 2010 19:37 UTC
Return-Path: <paul.tarjan@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 490373A68A9 for <oauth@core3.amsl.com>; Wed, 28 Jul 2010 12:37:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.471
X-Spam-Level:
X-Spam-Status: No, score=-1.471 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MN7ckksj+dUt for <oauth@core3.amsl.com>; Wed, 28 Jul 2010 12:37:04 -0700 (PDT)
Received: from mx-out.facebook.com (outmail002.ash1.tfbnw.net [69.63.184.102]) by core3.amsl.com (Postfix) with ESMTP id 26FBF3A6952 for <oauth@ietf.org>; Wed, 28 Jul 2010 12:37:04 -0700 (PDT)
Received: from [10.18.255.131] ([10.18.255.131:10174] helo=mail.thefacebook.com) by mta007.ash1.facebook.com (envelope-from <paul.tarjan@facebook.com>) (ecelerity 2.2.2.45 r(34067)) with ESMTP id 4A/B7-01074-394805C4; Wed, 28 Jul 2010 12:27:16 -0700
Received: from SC-MBX04.TheFacebook.com ([169.254.3.239]) by sc-hub03.TheFacebook.com ([fe80::1cfe:1f6b:8b35:cf7f%11]) with mapi; Wed, 28 Jul 2010 12:27:15 -0700
From: Paul Tarjan <paul.tarjan@facebook.com>
To: Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Facebook's experience with OAuth2.0 signatures
Thread-Index: AQHLLlQ4R4ZrwnMX20avFqAnWxwWmZLHLnCA
Date: Wed, 28 Jul 2010 19:27:11 +0000
Message-ID: <5CAAB672-33F6-494D-98A3-5E167AFB9273@facebook.com>
References: <C3E72210-EB7C-4CB2-B6B6-0B0AA0E35B53@facebook.com> <AANLkTikfaMYgZcs3SfrBtbF9cj-CgTcc75mEVsNu1k4n@mail.gmail.com>
In-Reply-To: <AANLkTikfaMYgZcs3SfrBtbF9cj-CgTcc75mEVsNu1k4n@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_5CAAB67233F6494D98A35E167AFB9273facebookcom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Facebook's experience with OAuth2.0 signatures
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2010 19:37:06 -0000
From http://developers.facebook.com/docs/authentication/canvas Why is the signature first? Doing a left split is usually easier than a right one. It also allows us to pursue other encodings, like hex for the signature and percent encoding for the payload. Why is it called signed_request? It's the part of the HTTP request that is signed. You can remember the signature comes first in both the name of the parameter and the parameter itself. :) Paul On Jul 27, 2010, at 4:10 PM, Nat Sakimura wrote: Thanks for sharing! One question: Was there a particular reason for having signature first instead of the payload? On Tue, Jul 27, 2010 at 7:18 AM, Paul Tarjan <paul.tarjan@facebook.com<mailto:paul.tarjan@facebook.com>> wrote: Facebook released an early version of the proposed signature method, with the aim of getting real-life implementation experience. We are not currently using this for protected resource requests, but rather more like if the authorization server returned signed data as part of the access token response. It was generally a success with many people really liking the scheme. Our main takeaway is that MANY developers used normal base64 instead of base64url encoding either because they didn't read the spec thoroughly or just recognized the scheme and started decoding it. This caused weird errors which they weren't ready for (sometimes working when - and _ weren't present, sometimes cutting off some json characters when their language needed padding =, etc). We created an open source set of examples that developers have found helpful, and which could be incorporated into the OAuth example set: http://github.com/ptarjan/base64url So, I suggest to keep the signature scheme, but message the fact that it isn't normal base64 VERY loudly and clearly in the spec, and to use examples that will fail hard with normal base64. Our implementation followed the OAuth2.0 signature scheme except for 4 changes: * signature came before payload * not_after was renamed expires * not all required parameters were present given the difference in use case * the parameter was called signed_request instead of signed_token You can read our docs here: http://developers.facebook.com/docs/authentication/canvas Here is a few snippets of developer feedback that we had about them not understanding to use base64url instead of base64 encoding: --- We're seeing bogus JSON in the new parameter. It looks like a few characters are being left off the end. --- Imcompatible Base64 Encoding between PHP and Java (sun.misc.Base64Encoder) The problem was, I get an extra byte at the end of the Base64 Decoded Sig, comparing to the result I got from Hashing the Payload with my app secret. My guess is that PHP is not encoding base64 strictly following the Base64 convention, or, Facebook has removed the tailing "=" from Sig which is required in most Java Base64 implementations. The sun.misc.Base64Decoder decoded the sig with a tailing ">", while another example I found from Internet tail with "0x00". --- Isn't this just turning into a total mess - telling people that they need to refer to Wiki articles to use specific Base64 encode and decode functions and having to post chunks of code in order to try to get it working. --- The problem is actually that there library is buggy and others actually follow the spec. Base64 is well defined. URLencoding is well defined. Unpadded base64 with several character substitutions is now well defined :) Then people started posting code to each other, some got it wrong: > # Ruby > > def base64_url_decode(str) > return Base64.decode64(str.tr<http://str.tr>('-_', '+/')) > end > that does not account for missing padding. Then someone actually read the spec: Facebook is following RFC. http://www.faqs.org/rfcs/rfc3548.html - Section 4. That said, I don't really agree with the use of the "filename safe" style. I'd implement base64 with the protocol and/or filesystem specific encoding separated, because I don't think the spec should be concerned with that. Also, not many people use this style, so most libraries don't have support for it. But hey, I'm just one of those well-read ruby hipsters, what do I know? We got lots of positive feedback about it: --- I'm a fan *cough* of the new auth mechanism; --- I agree that this is much cleaner. I like allowing the original request method to be used. I just wish things followed the actual specification or had their differences documented. As a library maintainer, I would also like to know before things like this are released. --- I'm also perfectly happy with the direction FB is going here. --- I have to say too, I'm also a big fan of the new authentication system, thank you. It has cut out a lot of code for us, and it's a lot easier to debug. This is a good verification system too. _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth -- Nat Sakimura (=nat) http://www.sakimura.org/en/ http://twitter.com/_nat_en
- [OAUTH-WG] Facebook's experience with OAuth2.0 si… Paul Tarjan
- Re: [OAUTH-WG] Facebook's experience with OAuth2.… Nat Sakimura
- Re: [OAUTH-WG] Facebook's experience with OAuth2.… Dick Hardt
- Re: [OAUTH-WG] Facebook's experience with OAuth2.… Paul Tarjan