OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

Buy this Book

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Buy this Book

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Title Page

Credits

About the Author

About the Reviewer

www.PacktPub.com

Customer Feedback

Preface

Free Chapter

OAuth 2.0 Foundations

Introduction

Preparing the environment

Reading the user's contacts from Facebook on the client side

Reading the user's contacts from Facebook on the server side

Accessing OAuth 2.0 LinkedIn protected resources

Accessing OAuth 2.0 Google protected resources bound to the user's session

Implementing Your Own OAuth 2.0 Provider

Introduction

Protecting resources using the Authorization Code grant type

Supporting the Implicit grant type

Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration

Configuring the Client Credentials grant type

Adding support for refresh tokens

Using a relational database to store tokens and client details

Using Redis as a token store

Implementing client registration

Breaking the OAuth 2.0 Provider in the middle

Using Gatling to load test the token validation process using shared databases

Using OAuth 2.0 Protected APIs

Introduction

Creating an OAuth 2.0 client using the Authorization Code grant type

Creating an OAuth 2.0 client using the Implicit grant type

Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type

Creating an OAuth 2.0 client using the Client Credentials grant type

Managing refresh tokens on the client side

Accessing an OAuth 2.0 protected API with RestTemplate

OAuth 2.0 Profiles

Introduction

Revoking issued tokens

Remote validation using token introspection

Improving performance using cache for remote validation

Using Gatling to load test remote token validation

Dynamic client registration

Self Contained Tokens with JWT

Introduction

Generating access tokens as JWT

Validating JWT tokens at the Resource Server side

Adding custom claims on JWT

Asymmetric signing of a JWT token

Validating asymmetric signed JWT token

Using JWE to cryptographically protect JWT tokens

Using JWE at the Resource Server side

Using proof-of-possession key semantics on OAuth 2.0 Provider

Using proof-of-possession key on the client side

OpenID Connect for Authentication

Introduction

Authenticating Google's users through Google OpenID Connect

Obtaining user information from Identity Provider

Using Facebook to authenticate users

Using Google OpenID Connect with Spring Security 5

Using Microsoft and Google OpenID providers together with Spring Security 5

Implementing Mobile Clients

Introduction

Preparing an Android development environment

Creating an Android OAuth 2.0 client using an Authorization Code with the system browser

Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser

Creating an Android OAuth 2.0 client using the embedded browser

Using the Password grant type for client apps provided by the OAuth 2 server

Protecting an Android client with PKCE

Using dynamic client registration with mobile applications

Avoiding Common Vulnerabilities

Introduction

Validating the Resource Server audience

Protecting Resource Server with scope validation

Binding scopes with user roles to protect user's resources

Protecting the client against Authorization Code injection

Protecting the Authorization Server from invalid redirection

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Breaking the OAuth 2.0 Provider in the middle

This recipe will show how you can create an OAuth 2.0 Provider, dividing Authorization Server and Resource Server responsibilities into different projects.

Getting ready

To run this recipe, you will need to create two different applications to implement the Authorization Server and the Resource Server responsibilities. As the Authorization Server is in charge of issuing access tokens and Resource Server has to validate access tokens, both applications need a shared database. In that way, the Resource Server can query for an access token that was persisted in some database structure by the Authorization Server. For this recipe, you will need Redis as the strategy for database sharing.

How to do it...

Perform the following steps to start creating the Authorization Server and Resource Server separately:

The first thing to do is to create both applications. Go to Spring Initializr and generate the project for the Authorization Server named (Artifact)...

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

Related Content you might be interested in

Current Title:

OAuth 2.0 Cookbook

Hands-On Spring Security 5 for Reactive Applications

Spring 5.0 Projects

Spring Security

Breaking the OAuth 2.0 Provider in the middle

Getting ready

How to do it...