Book Image

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento
Book Image

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Related Content you might be interested in

Current Title:

Small book image
OAuth 2.0 Cookbook
Adolfo Eloy Nascimento
Oct, 2017 | 420 pages
Small book image
Hands-On Spring Security 5 for Reactive Applications
Tomcy John
Jul, 2018 | 268 pages
Small book image
Spring 5.0 Projects
Nilang Patel
Feb, 2019 | 442 pages
Small book image
Spring Security
ROBERT WILLIAM WINCH | Peter Mularien | Mick Knutson
Nov, 2017 | 542 pages
Table of Contents (16 chapters)
Title Page
Title Page
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
OAuth 2.0 Foundations
OAuth 2.0 Foundations
Introduction
Preparing the environment
Reading the user's contacts from Facebook on the client side
Reading the user's contacts from Facebook on the server side
Accessing OAuth 2.0 LinkedIn protected resources
Accessing OAuth 2.0 Google protected resources bound to the user's session
2
Implementing Your Own OAuth 2.0 Provider
Implementing Your Own OAuth 2.0 Provider
Introduction
Protecting resources using the Authorization Code grant type
Supporting the Implicit grant type
Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration
Configuring the Client Credentials grant type
Adding support for refresh tokens
Using a relational database to store tokens and client details
Using Redis as a token store
Implementing client registration
Breaking the OAuth 2.0 Provider in the middle
Using Gatling to load test the token validation process using shared databases
3
Using OAuth 2.0 Protected APIs
Using OAuth 2.0 Protected APIs
Introduction
Creating an OAuth 2.0 client using the Authorization Code grant type
Creating an OAuth 2.0 client using the Implicit grant type
Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type
Creating an OAuth 2.0 client using the Client Credentials grant type
Managing refresh tokens on the client side
Accessing an OAuth 2.0 protected API with RestTemplate
4
OAuth 2.0 Profiles
OAuth 2.0 Profiles
Introduction
Revoking issued tokens
Remote validation using token introspection
Improving performance using cache for remote validation
Using Gatling to load test remote token validation
Dynamic client registration
5
Self Contained Tokens with JWT
Self Contained Tokens with JWT
Introduction
Generating access tokens as JWT
Validating JWT tokens at the Resource Server side
Adding custom claims on JWT
Asymmetric signing of a JWT token
Validating asymmetric signed JWT token
Using JWE to cryptographically protect JWT tokens
Using JWE at the Resource Server side
Using proof-of-possession key semantics on OAuth 2.0 Provider
Using proof-of-possession key on the client side
6
OpenID Connect for Authentication
OpenID Connect for Authentication
Introduction
Authenticating Google's users through Google OpenID Connect
Obtaining user information from Identity Provider
Using Facebook to authenticate users
Using Google OpenID Connect with Spring Security 5
Using Microsoft and Google OpenID providers together with Spring Security 5
7
Implementing Mobile Clients
Implementing Mobile Clients
Introduction
Preparing an Android development environment
Creating an Android OAuth 2.0 client using an Authorization Code with the system browser
Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser
Creating an Android OAuth 2.0 client using the embedded browser
Using the Password grant type for client apps provided by the OAuth 2 server
Protecting an Android client with PKCE
Using dynamic client registration with mobile applications
8
Avoiding Common Vulnerabilities
Avoiding Common Vulnerabilities
Introduction
Validating the Resource Server audience
Protecting Resource Server with scope validation
Binding scopes with user roles to protect user's resources
Protecting the client against Authorization Code injection
Protecting the Authorization Server from invalid redirection
Index
Index

Introduction

The main purpose of this chapter is to help you integrate with popular web applications and social media, although at the same time allow you to get familiarized with the foundational principles of OAuth 2.0 specification.

Before diving into the recipes for several use cases, let's look at the big picture of the most scenarios which will be covered. This will give you the opportunity to review some important concepts about OAuth 2.0 specification so we can stay on the same page with the terminologies used throughout the book.

The preceding diagram shows the four main components of the OAuth 2.0 specification:

  • Resource Owner
  • Authorization Server
  • Resource Server
  • Client

Just to review the purpose of these components, remember that the Resource Owner is the user which delegates authority for third-party applications to use resources on its behalf. The third-party application mentioned is represented by the client which I depicted as Mobile client and Web Client. The user's resources are usually maintained and protected by the Resource Server which might be implemented together with the Authorization Server as a single component, for example. The composition of the Authorization Server and Resource Server are referred to as the OAuth 2.0 Provider to simplify the terminology given to the application which is protected by OAuth 2.0.

Previous Section
End of Section 2
Next Section