Webshell

Thibaud Arnault

Co-founder & CEO

We started at school a social network

Using more than 15 APIs

The story: humankindwall

The iNtegration

Horrible

The maintenance

Painfull

Webshell.io

Our first attempt to simplify the API integration and maintenance

A platform & an API

A shell ... for the web

We PivoteD fastly to javascript

Not "another new language"

50x faster

100x less bugs

Example

apis.facebook.auth().success(function() {
    apis.facebook.me()
})

apis.google.maps()

apis.youtube.search('bob marley')

apis.gravatar('team@webshell.io')

An API explorer

cloud IDE

Demo Time

OAUTH

OAUth

Authorization

More than 500 oauth provider

listed on programmable web

They are all different

multiple standard version, multiple implementation

To start with oauth

Create a Facebook application on developers.facebook.com

to get your client_id and client_secret

OAuth 2 protocol

OAuth 2 protocol

2- Redirection

www.facebook.com/dialog/oauth/authorize

client_id=...

response_type=code

scope=email,read_friendlists...

state=...

redirect_uri=http://myapp.com/

3 - Authorize callback

http://myapp.com/?code=...&state=...

4 - Retrieve the access token

POST graph.facebook.com/oauth/access_token

code=...

client_id=...

client_secret=...

grant_type=authorization_code

Once you have the access token

you have to pass the access_token in each API request

i.e.

https://graph.facebook.com/me?access_token=...

OAuth 2 flow

OAuth 1.a flow

Deezer OAuth2

1 - redirection

client_id -> app_id=...

response_type=code [inutile]

scope -> perms=email,read_friendlists...

state=... [non documenté]

Standard not respected

OAUTH 2 FLAWS

api.provider.com/path/action?access_token=TOKEN

api.provider.com/path/action?oauth_token=TOKEN

api.provider.com/path/action?token=TOKEN

Authorization: Bearer TOKEN

Authorization: OAuth TOKEN

OAUTH 2 flaws

scope=email%20publish

scope=email,publish

scope=email;publish

scope=email:publish

scope=email|publish

scope=read_only or scope=read_write

oauth 2 flaws

In the results of /access_token:

extra data (facultatif)

"user": {

id: "..."

name: "..."

// ...

}

extra data (requis)

"instance_url": "https://eu2.salesforce.com"

oauth 2 flaws

MailChimp

One added step: /oauth2/metadata

{
    "dc":"us1",
    "login_url":"https://login.mailchimp.com",
    "api_endpoint":"https://us1.api.mailchimp.com"
}

oauth 2 flaws

Custom signature

mail.ru, odnoklassniki.ru, renren...

sig = md5(uid + params + private_key)

oauth 2 flaws

Custom constant

Tencent weibo:

oauth_version=2.a

OAUTH 2 FLAWS

The "state" param

inexistent (dailymotion, eventbrite...)
undocumented (wordpress, deezer...)
impossible (angellist)

Multi providers oauth

Oauth.io

OAuth.io

 OAuth.popup('facebook', function(err, res) {
    if (err) {
        // do something with error
    }    // the access token is res.access_token !})

OAuth.io

 OAuth.popup('facebook', function(err, res) {
    if (err) {
        // do something with error
    }    res.get('/me')
       .done(function(data) {
        alert('Hello ' + data.name)
    })
})

OAuth.io

 OAuth.popup('twitter', function(err, res) {
    if (err) {
        // do something with error
    }    res.get('/1.1/account/verify_credentials.json')
       .done(function(data) {
        alert('Hello ' + data.name)
    })
})

OAUTH.IO

Android, iOS, Flex et Phonegap

Example timeline twitter

http://jsfiddle.net/thyb/kZExJ/5

Example google+

http://jsfiddle.net/thyb/JMTVz/5

OAuthd

Why ?

Trust
Contributions
Improve security
Improve bugs discovery
Get more providers
Company with strong security policy

Thanks

Question ?

thyb@oauth.io | @thibaud_arnault