Book Image

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento
Book Image

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Related Content you might be interested in

Current Title:

Small book image
OAuth 2.0 Cookbook
Adolfo Eloy Nascimento
Oct, 2017 | 420 pages
Small book image
Hands-On Spring Security 5 for Reactive Applications
Tomcy John
Jul, 2018 | 268 pages
Small book image
Spring 5.0 Projects
Nilang Patel
Feb, 2019 | 442 pages
Small book image
Spring Security
ROBERT WILLIAM WINCH | Peter Mularien | Mick Knutson
Nov, 2017 | 542 pages
Table of Contents (16 chapters)
Title Page
Title Page
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
OAuth 2.0 Foundations
OAuth 2.0 Foundations
Introduction
Preparing the environment
Reading the user's contacts from Facebook on the client side
Reading the user's contacts from Facebook on the server side
Accessing OAuth 2.0 LinkedIn protected resources
Accessing OAuth 2.0 Google protected resources bound to the user's session
2
Implementing Your Own OAuth 2.0 Provider
Implementing Your Own OAuth 2.0 Provider
Introduction
Protecting resources using the Authorization Code grant type
Supporting the Implicit grant type
Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration
Configuring the Client Credentials grant type
Adding support for refresh tokens
Using a relational database to store tokens and client details
Using Redis as a token store
Implementing client registration
Breaking the OAuth 2.0 Provider in the middle
Using Gatling to load test the token validation process using shared databases
3
Using OAuth 2.0 Protected APIs
Using OAuth 2.0 Protected APIs
Introduction
Creating an OAuth 2.0 client using the Authorization Code grant type
Creating an OAuth 2.0 client using the Implicit grant type
Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type
Creating an OAuth 2.0 client using the Client Credentials grant type
Managing refresh tokens on the client side
Accessing an OAuth 2.0 protected API with RestTemplate
4
OAuth 2.0 Profiles
OAuth 2.0 Profiles
Introduction
Revoking issued tokens
Remote validation using token introspection
Improving performance using cache for remote validation
Using Gatling to load test remote token validation
Dynamic client registration
5
Self Contained Tokens with JWT
Self Contained Tokens with JWT
Introduction
Generating access tokens as JWT
Validating JWT tokens at the Resource Server side
Adding custom claims on JWT
Asymmetric signing of a JWT token
Validating asymmetric signed JWT token
Using JWE to cryptographically protect JWT tokens
Using JWE at the Resource Server side
Using proof-of-possession key semantics on OAuth 2.0 Provider
Using proof-of-possession key on the client side
6
OpenID Connect for Authentication
OpenID Connect for Authentication
Introduction
Authenticating Google's users through Google OpenID Connect
Obtaining user information from Identity Provider
Using Facebook to authenticate users
Using Google OpenID Connect with Spring Security 5
Using Microsoft and Google OpenID providers together with Spring Security 5
7
Implementing Mobile Clients
Implementing Mobile Clients
Introduction
Preparing an Android development environment
Creating an Android OAuth 2.0 client using an Authorization Code with the system browser
Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser
Creating an Android OAuth 2.0 client using the embedded browser
Using the Password grant type for client apps provided by the OAuth 2 server
Protecting an Android client with PKCE
Using dynamic client registration with mobile applications
8
Avoiding Common Vulnerabilities
Avoiding Common Vulnerabilities
Introduction
Validating the Resource Server audience
Protecting Resource Server with scope validation
Binding scopes with user roles to protect user's resources
Protecting the client against Authorization Code injection
Protecting the Authorization Server from invalid redirection
Index
Index

Introduction

This chapter introduces how JSON Web Tokens (JWT) can be safely used to carry client information to allow Resource Servers to locally validate access tokens. This chapter will guide you through the usage of JWT and its corresponding representations such as JWS and JWE that respectively define integrity protection and confidentiality of the JWT payload. There are also some advanced topics being covered, such as how to use asymmetric signatures and how the client can prove the possession of a given access token.

Note

It's important to bear in mind that even though we are signing or encrypting the JWT payload, all the connections must be performed using TLS/SSL in production. We are not using TLS/SSL just because of didactical reasons.

Previous Section
End of Section 2
Next Section