Book Image

Mastering OAuth 2.0

Book Image

Mastering OAuth 2.0

Overview of this book

OAuth 2.0 is a powerful authentication and authorization framework that has been adopted as a standard in the technical community. Proper use of this protocol will enable your application to interact with the world's most popular service providers, allowing you to leverage their world-class technologies in your own application. Want to log your user in to your application with their Facebook account? Want to display an interactive Google Map in your application? How about posting an update to your user's LinkedIn feed? This is all achievable through the power of OAuth. With a focus on practicality and security, this book takes a detailed and hands-on approach to explaining the protocol, highlighting important pieces of information along the way. At the beginning, you will learn what OAuth is, how it works at a high level, and the steps involved in creating an application. After obtaining an overview of OAuth, you will move on to the second part of the book where you will learn the need for and importance of registering your application and types of supported workflows. You will discover more about the access token, how you can use it with your application, and how to refresh it after expiration. By the end of the book, you will know how to make your application architecture robust. You will explore the security considerations and effective methods to debug your applications using appropriate tools. You will also have a look at special considerations to integrate with OAuth service providers via native mobile applications. In addition, you will also come across support resources for OAuth and credentials grant.

Related Content you might be interested in

Current Title:

Small book image
Mastering OAuth 2.0
Dec, 2015 | 238 pages
No titles found
Table of Contents (22 chapters)
Mastering OAuth 2.0
Mastering OAuth 2.0
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Why Should I Care About OAuth 2.0?
Why Should I Care About OAuth 2.0?
Authentication versus authorization
What problems does it solve?
How does OAuth 2.0 actually solve the problem?
Who uses OAuth 2.0?
Introducing "The World's Most Interesting Infographic Generator"
Summary
2
A Bird's Eye View of OAuth 2.0
A Bird's Eye View of OAuth 2.0
How does it work?
First look at the client-side flow
First look at the server-side flow
What are the differences?
What about mobile?
Summary
3
Four Easy Steps
Four Easy Steps
Let's get started
Step 1 – Register your client application
Step 2 – Get your access token
Step 3 – Use your access token
Step 4 – Refresh your access token
Putting it all together
Summary
4
Register Your Application
Register Your Application
Recap of registration process
Registering your application with Facebook
Putting it all together!
Summary
5
Get an Access Token with the Client-Side Flow
Get an Access Token with the Client-Side Flow
Refresher on the implicit grant flow
A closer look at the implicit grant flow
Let's build it!
Summary
Reference pages
6
Get an Access Token with the Server-Side Flow
Get an Access Token with the Server-Side Flow
Refresher on the authorization code grant flow
A closer look at the authorization code grant flow
Let's build it!
Summary
Reference pages
7
Use Your Access Token
Use Your Access Token
Refresher on access tokens
Use your access token to make an API call
Let's build it!
Creating the world's most interesting infographic
Summary
Reference pages
8
Refresh Your Access Token
Refresh Your Access Token
A closer look at the refresh token flow
What if I have no refresh token? Or my refresh token has expired?
The ideal workflow
Summary
Reference pages
9
Security Considerations
Security Considerations
What's at stake?
Security best practices
Common attacks
Summary
10
What About Mobile?
What About Mobile?
What is a mobile application?
What flow should we use for mobile applications?
Hybrid architectures
Authorization via application instead of user-agent
Summary
11
Tooling and Troubleshooting
Tooling and Troubleshooting
Tools
Troubleshooting
Summary
12
Extensions to OAuth 2.0
Extensions to OAuth 2.0
Extensions to the OAuth 2.0 framework
OpenID Connect
Summary
Resource Owner Password Credentials Grant
Resource Owner Password Credentials Grant
When should you use it?
Reference pages
Client Credentials Grant
Client Credentials Grant
When should you use it?
Reference pages
Overview of the client credentials grant
Reference Specifications
Reference Specifications
The OAuth 2 Authorization Framework
The OAuth 2 Authorization Framework: Bearer Token Usage
OAuth 2.0 Token Revocation
OAuth 2.0 Thread Model and Security Considerations
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
JSON Web Token (JWT)
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
OpenID Connect Core 1.0
HTTP Authentication: Basic and Digest Access Authentication
Index
Index

Reference pages

Use these pages as reference documentation when implementing the password credentials grant flow in your application. Adapted from The OAuth 2.0 Authorization Framework specification [RFC 6749].

An overview of the resource owner password credentials grant

Figure 5 from RFC 6749

The steps are as follows:

  • A: The user provides the client application with their username and password.

  • B: The client requests an access token from the service provider's token endpoint using the credentials received from the user. During this step, the client application authenticates with the service provider as well.

  • C: The service provider authenticates the client and validates the user credentials received, and if valid, issues an access token.

Authorization request and response

The method through which the client obtains the user's credentials is beyond the scope of the specification. Once an access token has been obtained, these credentials must then be discarded.

Access token request

The client makes a POST request to the service provider's token endpoint passing in the following parameters encoded using the application/x-www-form-urlencoded format as described in Appendix B of the specification:

  • grant_type: (Required) This is the value that must be set to password

  • username: (Required) This is the user's username

  • password: (Required) This is the user's password

  • scope: (Optional) A list of space-delimited, case-sensitive strings which represent the scope of the access request

As part of this request, the client application must also authenticate with the service provider. This is typically done using the HTTP basic authentication scheme [RFC 2617], but other authentication schemes may be supported by the service provider as well, such as HTTP digest authentication or public/private key authentication

An example access token request using HTTP basic authentication looks like:

     POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=password&username=johndoe&password=A3ddj3w

Access token response

If the access token request is valid and authorized, the response will contain an access token, an optional refresh token, and other parameters, described as follows:

  • access_token: (Required) The access token issued by the service provider.

  • token_type: (Required) The type of the token issued. This value is case-insensitive.

  • expires_in: (Optional) The lifetime of the access token given in seconds. If omitted, the service provider should communicate the expiration time via other means.

  • refresh_token: (Optional) A refresh token, which can be used to obtain new access tokens using the refresh token workflow.

  • scope: (Conditionally required) A list of space-delimited, case-sensitive strings which represent the scope of the access granted. Required only if the scope granted is different from the scope requested.

An example access token response looks like this:

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"bearer",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
       "example_parameter":"example_value"
     }

Error response

If the access token request fails for any reason, the server will respond with an HTTP 400 (Bad Request) status code including the following properties:

  • error: (Required) This is a single error code representing the condition that caused the request to fail. The value must be one of the following:

    • invalid_request: The request is missing a required parameter, includes an unsupported parameter value (other than the grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.

    • invalid_client: The client authentication failed for some reason (for example, an unknown client, no client authentication included, or an unsupported authentication method).

    • invalid_grant: The provided authorization grant or the refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

    • unauthorized_client: The authenticated client is not authorized to use this authorization grant type.

    • unsupported_grant_type: The authorization grant type is not supported by the authorization server.

    • invalid_scope: The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the user.

  • error_description: (Optional) Human-readable ASCII message providing additional information regarding the error.

  • error_uri: (Optional) A URI identifying a human-readable web page providing additional information regarding the error.

An example error response looks like this:

     HTTP/1.1 400 Bad Request
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "error":"invalid_request"
     }
Previous Section
End of Chapter
Next Chapter