Book Image

Mastering OAuth 2.0

Book Image

Mastering OAuth 2.0

Overview of this book

OAuth 2.0 is a powerful authentication and authorization framework that has been adopted as a standard in the technical community. Proper use of this protocol will enable your application to interact with the world's most popular service providers, allowing you to leverage their world-class technologies in your own application. Want to log your user in to your application with their Facebook account? Want to display an interactive Google Map in your application? How about posting an update to your user's LinkedIn feed? This is all achievable through the power of OAuth. With a focus on practicality and security, this book takes a detailed and hands-on approach to explaining the protocol, highlighting important pieces of information along the way. At the beginning, you will learn what OAuth is, how it works at a high level, and the steps involved in creating an application. After obtaining an overview of OAuth, you will move on to the second part of the book where you will learn the need for and importance of registering your application and types of supported workflows. You will discover more about the access token, how you can use it with your application, and how to refresh it after expiration. By the end of the book, you will know how to make your application architecture robust. You will explore the security considerations and effective methods to debug your applications using appropriate tools. You will also have a look at special considerations to integrate with OAuth service providers via native mobile applications. In addition, you will also come across support resources for OAuth and credentials grant.

Related Content you might be interested in

Current Title:

Small book image
Mastering OAuth 2.0
Dec, 2015 | 238 pages
No titles found
Table of Contents (22 chapters)
Mastering OAuth 2.0
Mastering OAuth 2.0
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Why Should I Care About OAuth 2.0?
Why Should I Care About OAuth 2.0?
Authentication versus authorization
What problems does it solve?
How does OAuth 2.0 actually solve the problem?
Who uses OAuth 2.0?
Introducing "The World's Most Interesting Infographic Generator"
Summary
2
A Bird's Eye View of OAuth 2.0
A Bird's Eye View of OAuth 2.0
How does it work?
First look at the client-side flow
First look at the server-side flow
What are the differences?
What about mobile?
Summary
3
Four Easy Steps
Four Easy Steps
Let's get started
Step 1 – Register your client application
Step 2 – Get your access token
Step 3 – Use your access token
Step 4 – Refresh your access token
Putting it all together
Summary
4
Register Your Application
Register Your Application
Recap of registration process
Registering your application with Facebook
Putting it all together!
Summary
5
Get an Access Token with the Client-Side Flow
Get an Access Token with the Client-Side Flow
Refresher on the implicit grant flow
A closer look at the implicit grant flow
Let's build it!
Summary
Reference pages
6
Get an Access Token with the Server-Side Flow
Get an Access Token with the Server-Side Flow
Refresher on the authorization code grant flow
A closer look at the authorization code grant flow
Let's build it!
Summary
Reference pages
7
Use Your Access Token
Use Your Access Token
Refresher on access tokens
Use your access token to make an API call
Let's build it!
Creating the world's most interesting infographic
Summary
Reference pages
8
Refresh Your Access Token
Refresh Your Access Token
A closer look at the refresh token flow
What if I have no refresh token? Or my refresh token has expired?
The ideal workflow
Summary
Reference pages
9
Security Considerations
Security Considerations
What's at stake?
Security best practices
Common attacks
Summary
10
What About Mobile?
What About Mobile?
What is a mobile application?
What flow should we use for mobile applications?
Hybrid architectures
Authorization via application instead of user-agent
Summary
11
Tooling and Troubleshooting
Tooling and Troubleshooting
Tools
Troubleshooting
Summary
12
Extensions to OAuth 2.0
Extensions to OAuth 2.0
Extensions to the OAuth 2.0 framework
OpenID Connect
Summary
Resource Owner Password Credentials Grant
Resource Owner Password Credentials Grant
When should you use it?
Reference pages
Client Credentials Grant
Client Credentials Grant
When should you use it?
Reference pages
Overview of the client credentials grant
Reference Specifications
Reference Specifications
The OAuth 2 Authorization Framework
The OAuth 2 Authorization Framework: Bearer Token Usage
OAuth 2.0 Token Revocation
OAuth 2.0 Thread Model and Security Considerations
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
JSON Web Token (JWT)
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
OpenID Connect Core 1.0
HTTP Authentication: Basic and Digest Access Authentication
Index
Index

How does OAuth 2.0 actually solve the problem?

In order to see how OAuth 2.0 solves this problem of sharing resources, let's look at how this problem was solved before OAuth 2.0 was created.

Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends

Imagine that you have just signed up for the service GoodApp. As a new user, you don't have any contacts. GoodApp wants to suggest contacts for you to add by looking at your Facebook friends. If any of your Facebook friends are on GoodApp, it will suggest that you add them.

Before the creation of OAuth 2.0, this was solved in a very insecure way. GoodApp would ask you for your username and password for Facebook. GoodApp would then log into Facebook on your behalf to get your friends. This interaction can be looked at like this:

Here is how it works:

  1. You ask GoodApp to suggest contacts to you.

  2. GoodApp responds by saying, "Sure! Just give me your Facebook username and password please!"

  3. You give GoodApp your username and password for your Facebook account.

  4. GoodApp then logs into Facebook using your credentials, effectively impersonating you, to request your friend list.

  5. Facebook happily obliges, giving GoodApp your friend list.

  6. GoodApp then uses this information to tailor suggested contacts for you.

Why is this a bad idea? There are five key reasons:

  • You have given GoodApp the power to do *anything* with your account: This is known proverbially as giving it the "keys to the city". You have essentially given GoodApp access to everything in your account, as if they were you. Now imagine it wasn't GoodApp. Instead it was NewUnknownApp. It's easy to see how this becomes very dangerous.

  • GoodApp may save your password, and may do so insecurely: In order for GoodApp to maintain access to your account, they would need to store your credentials. The act of storing your password is an extremely bad practice and should be avoided at all times. To make things worse, different companies enforce different standards of security, some of which are shockingly low.

  • You are giving more chances for your password to get stolen: You are sending your username and password across the Internet. The more times you do this, the more risk there is for someone to steal it.

  • You have to change your Facebook password if GoodApp ever gets hacked: If GoodApp somehow got compromised, your Facebook credentials will also have been compromised. You would then need to change your Facebook password as a result of GoodApp getting owned.

  • There is no way to revoke access: If GoodApp was acquired by EvilCorp and started doing things that you didn't like, the only way to revoke access would be to change your Facebook credentials.

With OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends

Now, let's take a look at that interaction, but this time utilizing the OAuth 2.0 protocol. In this scenario, GoodApp would "ask" Facebook for your friend list. You give permission to this by logging into Facebook and approving the request. Once the request is approved, GoodApp would then be able to fetch your friend list from Facebook on your behalf.

Let's have a look at the flow:

  1. You ask GoodApp to suggest contacts to you.

  2. GoodApp says, "Sure! But you'll have to authorize me first. Go here…"

  3. GoodApp sends you to Facebook to log in and authorize GoodApp.

  4. Facebook asks you directly for authorization to see if GoodApp can access your friend list on your behalf.

  5. You say "yes".

  6. Facebook happily obliges, giving GoodApp your friend list. GoodApp then uses this information to tailor suggested contacts for you.

Why is this better? Five key reasons to contrast the five points in the previous example:

  • You aren't giving it the "keys to the city" anymore: Notice, in this example, you aren't giving your Facebook username and password to GoodApp. Instead, you are giving it directly to Facebook. Now, GoodApp doesn't have to even worry about your Facebook credentials.

  • Since you aren't giving your credentials, GoodApp no longer needs to store them: With your authority delegated from Facebook, you don't need to worry that GoodApp is storing, or even seeing, your Facebook password.

  • You send your password across the Internet less frequently: If you already had an active session with Facebook, you actually wouldn't need to reauthenticate with them. If GoodApp has federated identities with Facebook, you would have to send your password even less frequently.

  • You don't have to change your Facebook password if GoodApp ever gets hacked: This is because of the next point.

  • There is a way to revoke access: OAuth 2.0 provides the ability for a service provider to revoke access to a client. If GoodApp ever got compromised, or got acquired by Evil Corp, you could go to Facebook and revoke GoodApp's access.

Previous Section
End of Section 4
Next Section