Re: [OAUTH-WG] Facebook's experience with OAuth2.0 signatures
Nat Sakimura <sakimura@gmail.com> Tue, 27 July 2010 23:10 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A239F3A6985 for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 16:10:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.569
X-Spam-Level:
X-Spam-Status: No, score=-2.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rlr6tb1B0epT for <oauth@core3.amsl.com>; Tue, 27 Jul 2010 16:10:49 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id F3B413A697F for <oauth@ietf.org>; Tue, 27 Jul 2010 16:10:48 -0700 (PDT)
Received: by iwn38 with SMTP id 38so4398083iwn.31 for <oauth@ietf.org>; Tue, 27 Jul 2010 16:11:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=tlcJYYuqTlYf3Ybf/XndZ+kPY98Xt9uSbL0J9CIlwRs=; b=egUX8YH2zFSPor1856Ly5UxiqmLnzb/qTryNLPtAbGPdq9+7m2UYCui5+dvo+R6m6H uxoN1mI3Q9dqtEqhdAH14Ge77xoNnMGdOZ7+0j9d8FpDfT2G9o4vQlKv6ieTax7heaKY odwtUx1gX+17/pJ9vfoRGlR+hQmMhAjKm4Tg8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=lW0hKxJRedtdQsPHxIsWMwiwu6B4C2GB+s0NQnft4vPefdTWDj000YWmV7T/AERBD2 fWQHVrHs2PRHLovGBCiOXAKCiEnfxwS7EwNdKRcWWKBRqyAUopdLEx43+0F8keJcLhSw U5bXIuseD5bzb/SuWqzsE5cMn3JGNMD6QyWzQ=
MIME-Version: 1.0
Received: by 10.231.12.76 with SMTP id w12mr10904239ibw.87.1280272218432; Tue, 27 Jul 2010 16:10:18 -0700 (PDT)
Received: by 10.231.158.67 with HTTP; Tue, 27 Jul 2010 16:10:18 -0700 (PDT)
In-Reply-To: <C3E72210-EB7C-4CB2-B6B6-0B0AA0E35B53@facebook.com>
References: <C3E72210-EB7C-4CB2-B6B6-0B0AA0E35B53@facebook.com>
Date: Wed, 28 Jul 2010 08:10:18 +0900
Message-ID: <AANLkTikfaMYgZcs3SfrBtbF9cj-CgTcc75mEVsNu1k4n@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Paul Tarjan <paul.tarjan@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Facebook's experience with OAuth2.0 signatures
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2010 23:10:51 -0000
Thanks for sharing! One question: Was there a particular reason for having signature first instead of the payload? On Tue, Jul 27, 2010 at 7:18 AM, Paul Tarjan <paul.tarjan@facebook.com> wrote: > Facebook released an early version of the proposed signature method, with the aim of getting real-life implementation experience. We are not currently using this for protected resource requests, but rather more like if the authorization server returned signed data as part of the access token response. > > It was generally a success with many people really liking the scheme. > > Our main takeaway is that MANY developers used normal base64 instead of base64url encoding either because they didn't read the spec thoroughly or just recognized the scheme and started decoding it. This caused weird errors which they weren't ready for (sometimes working when - and _ weren't present, sometimes cutting off some json characters when their language needed padding =, etc). > > We created an open source set of examples that developers have found helpful, and which could be incorporated into the OAuth example set: http://github.com/ptarjan/base64url > > So, I suggest to keep the signature scheme, but message the fact that it isn't normal base64 VERY loudly and clearly in the spec, and to use examples that will fail hard with normal base64. > > > Our implementation followed the OAuth2.0 signature scheme except for 4 changes: > * signature came before payload > * not_after was renamed expires > * not all required parameters were present given the difference in use case > * the parameter was called signed_request instead of signed_token > > You can read our docs here: http://developers.facebook.com/docs/authentication/canvas > > > Here is a few snippets of developer feedback that we had about them not understanding to use base64url instead of base64 encoding: > > --- > We're seeing bogus JSON in the new parameter. It looks like a few characters > are being left off the end. > > --- > Imcompatible Base64 Encoding between PHP and Java (sun.misc.Base64Encoder) > > The problem was, I get an extra byte at the end of the Base64 Decoded Sig, > comparing to the result I got from Hashing the Payload with my app secret. > > My guess is that PHP is not encoding base64 strictly following the Base64 > convention, or, Facebook has removed the tailing "=" from Sig which is required > in most Java Base64 implementations. > > The sun.misc.Base64Decoder decoded the sig with a tailing ">", while another > example I found from Internet tail with "0x00". > > --- > Isn't this just turning into a total mess - telling people that they need to > refer to Wiki articles to use specific Base64 encode and decode functions and > having to post chunks of code in order to try to get it working. > > --- > The problem is actually that there library is buggy and others actually follow > the spec. Base64 is well defined. URLencoding is well defined. Unpadded base64 > with several character substitutions is now well defined :) > > > Then people started posting code to each other, some got it wrong: > > > # Ruby > > > > def base64_url_decode(str) > > return Base64.decode64(str.tr('-_', '+/')) > > end > > > > that does not account for missing padding. > > > Then someone actually read the spec: > > Facebook is following RFC. http://www.faqs.org/rfcs/rfc3548.html - > Section 4. > > That said, I don't really agree with the use of the "filename safe" style. I'd > implement base64 with the protocol and/or filesystem specific encoding > separated, because I don't think the spec should be concerned with that. Also, > not many people use this style, so most libraries don't have support for it. > But hey, I'm just one of those well-read ruby hipsters, what do I know? > > > We got lots of positive feedback about it: > > --- > I'm a fan *cough* of the new auth mechanism; > > --- > I agree that this is much cleaner. I like allowing the original request method > to be used. I just wish things followed the actual specification or had their > differences documented. As a library maintainer, I would also like to know > before things like this are released. > > --- > I'm also perfectly happy with the direction FB is going here. > > --- > I have to say too, I'm also a big fan of the new authentication system, thank > you. It has cut out a lot of code for us, and it's a lot easier to debug. This > is a good verification system too. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Nat Sakimura (=nat) http://www.sakimura.org/en/ http://twitter.com/_nat_en
- [OAUTH-WG] Facebook's experience with OAuth2.0 si… Paul Tarjan
- Re: [OAUTH-WG] Facebook's experience with OAuth2.… Nat Sakimura
- Re: [OAUTH-WG] Facebook's experience with OAuth2.… Dick Hardt
- Re: [OAUTH-WG] Facebook's experience with OAuth2.… Paul Tarjan