How to handle third-party OAuth 1.0 authentication?

My backend service uses OAuth 1.0. I have a consumer key, consumer secret, OAuth token and token secret. How do I configure a proxy service for the backend services, and how do I generate the oauth_signature for the backend service using the HMAC-SHA1 oauth_signature_method? Could you explain how I could achieve that? @JP Aragon


Since you are talking about OAuth 1.0 in the backend, you'll have to sign it directly inside the proxy, regardless of the security scheme chosen for the 'client side' of the API.

You will also have to manage the acquisition and lifecycle of the token inside the proxy and across multiple requests. You can use a cache for the token, for example, and if it is not in the cache you'll need to request a new token (including all the steps to secure one, such as the verifier code) and handle any errors.

For the backend request, there are some tips on building the signature here: https://oauth1.wp-api.org/docs/basics/Signing.html and https://tools.ietf.org/html/rfc5849#section-3.4.1

Once you have the base string built, you will need to encrypt it using HMAC-SHA1 and for that you can use a library such as cryptojs (https://code.google.com/archive/p/crypto-js/) that can be imported into the proxy to do the hashing.

Sample steps in js (not the complete code):

//sample base string (this is the RFC 5849 section 3.4.1.1 example)
//
// POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q
//     %26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_
//     key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m
//     ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk
//     9d7dh3k39sjv7
//

var verb = context.getVariable("request.verb");
var url = context.getVariable("target.url"); // make sure it is only the url without any added parameters (no query string)

// do not hardcode key and secret in the code!! - it must be stored and come from a safe location

var o1_key = "abracadabra";
var o1_secret = "shhh!!!";

var o1_method = "HMAC-SHA1";
var o1_nonce = context.getVariable("request.messageid"); // must be unique per request
var o1_tstamp = Math.floor(Date.now() / 1000).toString(); // seconds since the epoch, as the spec requires
var o1_token = context.getVariable("oauth1.token"); // retrieved from cache for example
var o1_token_secret = context.getVariable("oauth1.token_secret"); // from the same safe location as the token

// RFC 3986 percent-encoding: encodeURIComponent leaves !'()* unencoded, the spec does not
function pctEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g, function (c) {
    return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  });
}

// all oauth_* parameters except the signature itself go into the base string
var params = [
  ["oauth_consumer_key", o1_key],
  ["oauth_nonce", o1_nonce],
  ["oauth_signature_method", o1_method],
  ["oauth_timestamp", o1_tstamp],
  ["oauth_token", o1_token]
];
// note that if you pass any parameters via query or form, they'll need to be in the base string as well!!!
// (push them into params before the sort below)

// encode every name and value, sort by name then value, join with & (RFC 5849 section 3.4.1.3.2)
var encoded = params.map(function (p) { return [pctEncode(p[0]), pctEncode(p[1])]; });
encoded.sort(function (a, b) {
  return a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0;
});
var normalized = encoded.map(function (p) { return p[0] + "=" + p[1]; }).join("&");

// base string = METHOD & encoded(base url) & encoded(normalized parameters)
var base_string = verb.toUpperCase() + "&" + pctEncode(url) + "&" + pctEncode(normalized);

// crypto-js must be included in the js policy definition with <IncludeURL>
// the HMAC key is encoded(consumer secret) & encoded(token secret) - the consumer key is NOT part of it
var hash = CryptoJS.HmacSHA1(base_string, pctEncode(o1_secret) + "&" + pctEncode(o1_token_secret));
var o1_signature = CryptoJS.enc.Base64.stringify(hash); // base64 digest is the oauth_signature value

// once you have all the above, you'll need to build the Authorization header
// (every value percent-encoded, so the base64 signature's + / = become %2B %2F %3D;
// oauth_verifier is only sent when exchanging the temporary credentials for a token):
//
// Authorization: OAuth realm="Example",
//               oauth_consumer_key="jd83jd92dhsh93js",
//               oauth_token="hdk48Djdsa",
//               oauth_signature_method="HMAC-SHA1",
//               oauth_timestamp="123456789",
//               oauth_nonce="7d8f3e4a",
//               oauth_verifier="473f82d3",
//               oauth_signature="<percent-encoded o1_signature goes here>"

Hopefully this gives you an idea of what's needed to get started. It is far from production-ready, but it will give you a good jump start.

Ricardo


@archana - Attached you can also find an example of an API Proxy enabled with OAuth 1.0a. For more details on how this API Proxy works, check out this thread on Apigee Community. https://community.apigee.com/questions/18207/how-to-set-up-api-proxy-with-an-external-oauth-10a.html

@Diego Zuluaga Thanks so much. I will work on this proxy and will get back to you if I have any queries.