OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

Buy this Book

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Buy this Book

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Title Page

Credits

About the Author

About the Reviewer

www.PacktPub.com

Customer Feedback

Preface

Free Chapter

OAuth 2.0 Foundations

Introduction

Preparing the environment

Reading the user's contacts from Facebook on the client side

Reading the user's contacts from Facebook on the server side

Accessing OAuth 2.0 LinkedIn protected resources

Accessing OAuth 2.0 Google protected resources bound to the user's session

Implementing Your Own OAuth 2.0 Provider

Introduction

Protecting resources using the Authorization Code grant type

Supporting the Implicit grant type

Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration

Configuring the Client Credentials grant type

Adding support for refresh tokens

Using a relational database to store tokens and client details

Using Redis as a token store

Implementing client registration

Breaking the OAuth 2.0 Provider in the middle

Using Gatling to load test the token validation process using shared databases

Using OAuth 2.0 Protected APIs

Introduction

Creating an OAuth 2.0 client using the Authorization Code grant type

Creating an OAuth 2.0 client using the Implicit grant type

Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type

Creating an OAuth 2.0 client using the Client Credentials grant type

Managing refresh tokens on the client side

Accessing an OAuth 2.0 protected API with RestTemplate

OAuth 2.0 Profiles

Introduction

Revoking issued tokens

Remote validation using token introspection

Improving performance using cache for remote validation

Using Gatling to load test remote token validation

Dynamic client registration

Self Contained Tokens with JWT

Introduction

Generating access tokens as JWT

Validating JWT tokens at the Resource Server side

Adding custom claims on JWT

Asymmetric signing of a JWT token

Validating asymmetric signed JWT token

Using JWE to cryptographically protect JWT tokens

Using JWE at the Resource Server side

Using proof-of-possession key semantics on OAuth 2.0 Provider

Using proof-of-possession key on the client side

OpenID Connect for Authentication

Introduction

Authenticating Google's users through Google OpenID Connect

Obtaining user information from Identity Provider

Using Facebook to authenticate users

Using Google OpenID Connect with Spring Security 5

Using Microsoft and Google OpenID providers together with Spring Security 5

Implementing Mobile Clients

Introduction

Preparing an Android development environment

Creating an Android OAuth 2.0 client using an Authorization Code with the system browser

Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser

Creating an Android OAuth 2.0 client using the embedded browser

Using the Password grant type for client apps provided by the OAuth 2 server

Protecting an Android client with PKCE

Using dynamic client registration with mobile applications

Avoiding Common Vulnerabilities

Introduction

Validating the Resource Server audience

Protecting Resource Server with scope validation

Binding scopes with user roles to protect user's resources

Protecting the client against Authorization Code injection

Protecting the Authorization Server from invalid redirection

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Creating an Android OAuth 2.0 client using an Authorization Code with the system browser

This recipe presents you with how to create a native OAuth 2.0 client application for Android, which integrates with an OAuth 2.0 protected API using the Authorization Code grant type. The OAuth 2.0 specification (RFC 6749) states that public clients shouldn't use the Authorization Code grant type. On the other hand, the recently published RFC 8252 states that Authorization Code should be used in conjunction with dynamic client registration and PKCE validation (we will see more about both approaches later in this chapter).

Note

The application created for this recipe, uses client id and client secret issued by a pre-registered client application just for brevity of the recipe. But bear in mind that, as per OAuth 2.0 specification, the Authorization Server must not issue client secret for native client that aren't specific running on a specific device.

Getting ready

To run this recipe you need the server...

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

Related Content you might be interested in

Current Title:

OAuth 2.0 Cookbook

Hands-On Spring Security 5 for Reactive Applications

Spring 5.0 Projects

Spring Security

Creating an Android OAuth 2.0 client using an Authorization Code with the system browser

Note

Getting ready