Book Image

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento
Book Image

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.
Table of Contents (16 chapters)
Title Page
Credits
About the Author
About the Reviewer
www.PacktPub.com
Customer Feedback
Preface
Index

Validating the Resource Server audience


Although a bearer access token can be used by anyone to access OAuth 2.0 protected resources, you can reduce the scope of access token usage just for specified resources; that's to set up the audience for an access token. If an access token has the audience for Resource Server A, it cannot be used to access resources protected by Resource Server B. This chapter will cover this important feature, so that you can use it when you have an Authorization Server serving multiple Resource Servers.

Getting ready

To run this recipe, you will need Java 8, Maven, Spring Web, and Spring Security. Because of the architecture of this solution, this recipe requires that you create three applications: one for the Authorization Server and two for the Resource Servers. The Authorization Server was created with the name authorization-server and the resources servers were created as resource-server-a and resource-server-b. The source code for these projects are all available...