OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

Buy this Book

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Buy this Book

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Title Page

Credits

About the Author

About the Reviewer

www.PacktPub.com

Customer Feedback

Preface

Free Chapter

OAuth 2.0 Foundations

Introduction

Preparing the environment

Reading the user's contacts from Facebook on the client side

Reading the user's contacts from Facebook on the server side

Accessing OAuth 2.0 LinkedIn protected resources

Accessing OAuth 2.0 Google protected resources bound to the user's session

Implementing Your Own OAuth 2.0 Provider

Introduction

Protecting resources using the Authorization Code grant type

Supporting the Implicit grant type

Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration

Configuring the Client Credentials grant type

Adding support for refresh tokens

Using a relational database to store tokens and client details

Using Redis as a token store

Implementing client registration

Breaking the OAuth 2.0 Provider in the middle

Using Gatling to load test the token validation process using shared databases

Using OAuth 2.0 Protected APIs

Introduction

Creating an OAuth 2.0 client using the Authorization Code grant type

Creating an OAuth 2.0 client using the Implicit grant type

Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type

Creating an OAuth 2.0 client using the Client Credentials grant type

Managing refresh tokens on the client side

Accessing an OAuth 2.0 protected API with RestTemplate

OAuth 2.0 Profiles

Introduction

Revoking issued tokens

Remote validation using token introspection

Improving performance using cache for remote validation

Using Gatling to load test remote token validation

Dynamic client registration

Self Contained Tokens with JWT

Introduction

Generating access tokens as JWT

Validating JWT tokens at the Resource Server side

Adding custom claims on JWT

Asymmetric signing of a JWT token

Validating asymmetric signed JWT token

Using JWE to cryptographically protect JWT tokens

Using JWE at the Resource Server side

Using proof-of-possession key semantics on OAuth 2.0 Provider

Using proof-of-possession key on the client side

OpenID Connect for Authentication

Introduction

Authenticating Google's users through Google OpenID Connect

Obtaining user information from Identity Provider

Using Facebook to authenticate users

Using Google OpenID Connect with Spring Security 5

Using Microsoft and Google OpenID providers together with Spring Security 5

Implementing Mobile Clients

Introduction

Preparing an Android development environment

Creating an Android OAuth 2.0 client using an Authorization Code with the system browser

Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser

Creating an Android OAuth 2.0 client using the embedded browser

Using the Password grant type for client apps provided by the OAuth 2 server

Protecting an Android client with PKCE

Using dynamic client registration with mobile applications

Avoiding Common Vulnerabilities

Introduction

Validating the Resource Server audience

Protecting Resource Server with scope validation

Binding scopes with user roles to protect user's resources

Protecting the client against Authorization Code injection

Protecting the Authorization Server from invalid redirection

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Supporting the Implicit grant type

This recipe shows you how to configure the Implicit grant type, which is appropriate for web applications which run directly on web browsers (such as JavaScript applications). This recipe will provide everything needed to allow the client to use resources in the name of the Resource Owner by accessing an OAuth 2.0 protected API.

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. As this grant type run totally on the web browser, you don't need to run commands to retrieve access tokens as if they were being performed on the server side. Here the access token will be retrieved implicitly when the user grants permissions for third-party applications. This recipe will use Spring Security OAuth2 Framework and, to keep it as straight as possible, we will not add any database support. The source code for this recipe can be downloaded from https://github.com/PacktPublishing/OAuth-2.0-Cookbook/tree/master/Chapter02...

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

Related Content you might be interested in

Current Title:

OAuth 2.0 Cookbook

Hands-On Spring Security 5 for Reactive Applications

Spring 5.0 Projects

Spring Security

Supporting the Implicit grant type

Getting ready