OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

Buy this Book

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Buy this Book

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Title Page

Credits

About the Author

About the Reviewer

www.PacktPub.com

Customer Feedback

Preface

Free Chapter

OAuth 2.0 Foundations

Introduction

Preparing the environment

Reading the user's contacts from Facebook on the client side

Reading the user's contacts from Facebook on the server side

Accessing OAuth 2.0 LinkedIn protected resources

Accessing OAuth 2.0 Google protected resources bound to the user's session

Implementing Your Own OAuth 2.0 Provider

Introduction

Protecting resources using the Authorization Code grant type

Supporting the Implicit grant type

Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration

Configuring the Client Credentials grant type

Adding support for refresh tokens

Using a relational database to store tokens and client details

Using Redis as a token store

Implementing client registration

Breaking the OAuth 2.0 Provider in the middle

Using Gatling to load test the token validation process using shared databases

Using OAuth 2.0 Protected APIs

Introduction

Creating an OAuth 2.0 client using the Authorization Code grant type

Creating an OAuth 2.0 client using the Implicit grant type

Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type

Creating an OAuth 2.0 client using the Client Credentials grant type

Managing refresh tokens on the client side

Accessing an OAuth 2.0 protected API with RestTemplate

OAuth 2.0 Profiles

Introduction

Revoking issued tokens

Remote validation using token introspection

Improving performance using cache for remote validation

Using Gatling to load test remote token validation

Dynamic client registration

Self Contained Tokens with JWT

Introduction

Generating access tokens as JWT

Validating JWT tokens at the Resource Server side

Adding custom claims on JWT

Asymmetric signing of a JWT token

Validating asymmetric signed JWT token

Using JWE to cryptographically protect JWT tokens

Using JWE at the Resource Server side

Using proof-of-possession key semantics on OAuth 2.0 Provider

Using proof-of-possession key on the client side

OpenID Connect for Authentication

Introduction

Authenticating Google's users through Google OpenID Connect

Obtaining user information from Identity Provider

Using Facebook to authenticate users

Using Google OpenID Connect with Spring Security 5

Using Microsoft and Google OpenID providers together with Spring Security 5

Implementing Mobile Clients

Introduction

Preparing an Android development environment

Creating an Android OAuth 2.0 client using an Authorization Code with the system browser

Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser

Creating an Android OAuth 2.0 client using the embedded browser

Using the Password grant type for client apps provided by the OAuth 2 server

Protecting an Android client with PKCE

Using dynamic client registration with mobile applications

Avoiding Common Vulnerabilities

Introduction

Validating the Resource Server audience

Protecting Resource Server with scope validation

Binding scopes with user roles to protect user's resources

Protecting the client against Authorization Code injection

Protecting the Authorization Server from invalid redirection

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Generating access tokens as JWT

Even though JSON web tokens are largely used to represent self contained access tokens through OAuth 2.0 solutions, its specifications (defined by RFC 7519 that's available at https://tools.ietf.org/html/rfc7519) clearly define that its purpose is to represent claims to be transferred between parties. Briefly, this means that JWTs can be used both for authentication or information exchange as described at https://jwt.io/introduction. Because of the structure of a JWT, it is possible for the Resource Server to extract client information and even data about the subject (which commonly means the Resource Owner) and validate the access token locally, instead of having to use a shared database or validate remotely through the usage of token introspection strategy. The claims at JWT are represented as JSON payload, which can be HMAC signed or encrypted.

Note

The hash-based message authentication code (HMAC) is a portion of information that can be used to verify some...

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

Related Content you might be interested in

Current Title:

OAuth 2.0 Cookbook

Hands-On Spring Security 5 for Reactive Applications

Spring 5.0 Projects

Spring Security

Generating access tokens as JWT

Note