Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying OAuth 2.0 Cookbook
  • Table Of Contents Toc
  • Feedback & Rating feedback
OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento
3.7 (3)
Buy this Book
close
close
OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

3.7 (3)
By: Adolfo Eloy Nascimento
Buy this Book

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.
Table of Contents (9 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Sections
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
OAuth 2.0 Foundations
Icon
OAuth 2.0 Foundations
Icon
Introduction
Icon
Preparing the environment
Icon
Reading the user's contacts from Facebook on the client side
Icon
Reading the user's contacts from Facebook on the server side
Icon
Accessing OAuth 2.0 LinkedIn protected resources
Icon
Accessing OAuth 2.0 Google protected resources bound to the user's session
2
Implementing Your Own OAuth 2.0 Provider
Icon
Implementing Your Own OAuth 2.0 Provider
Icon
Introduction
Icon
Protecting resources using the Authorization Code grant type
Icon
Supporting the Implicit grant type
Icon
Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration
Icon
Configuring the Client Credentials grant type
Icon
Adding support for refresh tokens
Icon
Using a relational database to store tokens and client details
Icon
Using Redis as a token store
Icon
Implementing client registration
Icon
Breaking the OAuth 2.0 Provider in the middle
Icon
Using Gatling to load test the token validation process using shared databases
3
Using OAuth 2.0 Protected APIs
Icon
Using OAuth 2.0 Protected APIs
Icon
Introduction
Icon
Creating an OAuth 2.0 client using the Authorization Code grant type
Icon
Creating an OAuth 2.0 client using the Implicit grant type
Icon
Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type
Icon
Creating an OAuth 2.0 client using the Client Credentials grant type
Icon
Managing refresh tokens on the client side
Icon
Accessing an OAuth 2.0 protected API with RestTemplate
4
OAuth 2.0 Profiles
Icon
OAuth 2.0 Profiles
Icon
Introduction
Icon
Revoking issued tokens
Icon
Remote validation using token introspection
Icon
Improving performance using cache for remote validation
Icon
Using Gatling to load test remote token validation
Icon
Dynamic client registration
5
Self Contained Tokens with JWT
Icon
Self Contained Tokens with JWT
Icon
Introduction
Icon
Generating access tokens as JWT
Icon
Validating JWT tokens at the Resource Server side
Icon
Adding custom claims on JWT
Icon
Asymmetric signing of a JWT token
Icon
Validating asymmetric signed JWT token
Icon
Using JWE to cryptographically protect JWT tokens
Icon
Using JWE at the Resource Server side
Icon
Using proof-of-possession key semantics on OAuth 2.0 Provider
Icon
Using proof-of-possession key on the client side
6
OpenID Connect for Authentication
Icon
OpenID Connect for Authentication
Icon
Introduction
Icon
Authenticating Google's users through Google OpenID Connect
Icon
Obtaining user information from Identity Provider
Icon
Using Facebook to authenticate users
Icon
Using Google OpenID Connect with Spring Security 5
Icon
Using Microsoft and Google OpenID providers together with Spring Security 5
7
Implementing Mobile Clients
chevron up
Icon
Implementing Mobile Clients
Icon
Introduction
Icon
Preparing an Android development environment
Icon
Creating an Android OAuth 2.0 client using an Authorization Code with the system browser
Icon
Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser
Icon
Creating an Android OAuth 2.0 client using the embedded browser
Icon
Using the Password grant type for client apps provided by the OAuth 2 server
Icon
Protecting an Android client with PKCE
Icon
Using dynamic client registration with mobile applications
8
Avoiding Common Vulnerabilities
Icon
Avoiding Common Vulnerabilities
Icon
Introduction
Icon
Validating the Resource Server audience
Icon
Protecting Resource Server with scope validation
Icon
Binding scopes with user roles to protect user's resources
Icon
Protecting the client against Authorization Code injection
Icon
Protecting the Authorization Server from invalid redirection

Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser

The specification for OAuth 2.0, which is RFC 6749, address native mobile applications with just a small section. It does not states which grant type must be used or not, although it mentions the usage of Authorization Code and Implicit grant type. The only concern when using Implicit grant type is about that a refresh token is not returned requiring the authorization processes once the access token expires. Even though, the most recent specification, OAuth 2.0 for native apps (RFC 8252) states that implicit flow isn't recommended for native apps, basically because by using this grant type the client application will not be able to use PKCE, which avoids interception attacks (we will see more about PKCE in the Protecting an Android client with PKCE recipe).

Despite these considerations, this recipe still presents you with how to use the Implicit grant type, because depending on your scenario, you might...

Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
OAuth 2.0 Cookbook
End of Section 7
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon