簡單易懂的 OAuth 2.0

ᾏẪၞ׭֥ OAuth 2 ⇯௾ 2013/11/26, Ruby Tuesday Taipei #27 (?)

• ⇯௾č⊫ტӵĎ • Rails Developer at KKBOX, working at the
KKTIX team • chitsaou, @yorkxin, blog.yorkxin.org

Today’s Target • ୆὜ᆩ֡ OAuth 2 Protocol ᄸ喁஝ • ୆὜ु֤׭
99% ࠎᧄ OAuth 2 ֻ֥೘ٚ API ໓ࡱ • ୆὜ᆩ֡ᄸ喁Ⴈ OAuth 2 ⅞୆֥ API

Agenda • OAuth 2 ൞മ喁ĤॖၛଦῲἓખĤ • OAuth 2 ๙⇫⇐קᄸ喁஝ •
⚧ᄯ OAuth 2 Provider ֥ٚم • ֻ၂ՑႨ Rails + Grape API ᆜކ OAuth 2 ࣼഈ൭

OAuth 2 ൞മ喁Ĥݺӹ⁯Ĥ

OAuth 2.0 • ಆ଀ “The OAuth 2.0 Authorization Framework” •
Authorization (n.) ൱⃴

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx User

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx User App

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx User Website App

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx User Website App API

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx User Website App API Sounds
Familiar?

You Facebook API ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx Sounds
Familiar?

The Old-School Way… • App ေ୆℻ೆ≷ὂૡ⁫đὕ℥ૼ҂὜⁙۞ • ୆ေྐ಩ App ҂὜ଦ୆֥ૡ⁫⁙۞
• ࣼෘ App ޓܭđФἓሼὕ൞㢻ࣷ • ҂ܵ୆ྐ҂ྐđ໡ّᆞ൞҂ྐ……

OAuth ೂޅࢳ㢯≾ἠ↜ⅳ • ↌ᅟิ܂ܲٚࢸ૫đ⃸୆ॖၛ൱⃴ӱൔ൐Ⴈ⊷ਘ • ӱൔթ֥൞ Token ط٤≷ὂૡ⁫  ္Ⴈ Token
ಀյ API • Token ॖၛἲקթ౼ữ↏čscopes, ೂğݺႶਙіĎ • Token Ⴕ௹ཋط౏ॖၛ⅗ℭӜ⇍č҂ஃФἓሼĎ

OAuth 2 䥰૫֥࢘೤ • Resource Owner - ⊷ਘ∭Ⴕᆀđ๙ӈ൞ದ (User) •
Client - ࠧ App đေթ౼ User ֥⊷ਘ֥ӱൔ • Authorization Server - ⊺ܵ၂్൱⃴൙↩ • Resource Server - Client ạ≾䥰ଦ⊷ਘđࠧ API

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx You Facebook API

ದ ๩Ἶ¯¯ ൱⃴ἡ ӱൔ 䪌w୆ॖၛಀ۵ଛᅟଦ໡֥⊷ਘx You Facebook API Resource
Owner Client Resource Server Authorization Server

Resource Owner

Resource Owner = User • ࣼ൞୆↌ᅟ֥ User • API ঘ֥֞൞۵
User ႵἬ֥⊷ਘ • ২ೂݺႶ଀Ẫaྐࡱ⤨ಸ • ൱⃴с⇜ῂႮЧದ⃤ሱ⃷⃾

Resource Owner = Client • ≾⊕౦㣐㢻Ⴕದ֥թᄝb • ২ğ஁܄Ῐ⊷ਘ • Twitter
Ẁ㬪 App-Only Authorization • Facebook Ẁ㬪 App Access Token

Client

Client • User ൱⃴ἡֻ೘ٚӱൔđ≾ἠӱൔࣼ൞ Client • ২ğFacebook ഈ֥䵔↰a൭Ὠഈ֥ App •
ܲٚӱൔ္ෘč২ೂ൭Ὠ App aም૫ AppĎ

Client с⇜൙༵䩏⤳ • “Client Registration” • Client ID • Client
Secret čℶ㬪ૡ⁫Ď • Redirect URI ← ≾ἠޓᇗေ

Client ID

Client Secret

Redirect URI

Redirect URI • User Чದ⃤ሱ⃷⃾ᆭᗥđْ߭᾵ݔ֞ Client • ေ൙༵ᆷקđ೏҂၂ᇁ≣҂ॖ Redirect Ἶಀ
• ॖၛᆷק؟⊾đ֌๙ӈ൞၂⊾đࠇ൞Ῐⅽ၂ᇁ • ቋݺ൞ HTTPS č҂ルᇅđ২ೂ൭Ὠ App ࣼḰ҂֞Ď

Redirect URI • https://kktix.com/users/auth/facebook/callback • http://kktix.dev/users/auth/facebook/callback • kktix-app:oauth2/callback

Public v.s. Confidential Client • ۴ῌwି҂ିЌὊ⊷ਘxῲ⃯ٳ • Confidential - Server-Side
Application • Public - ൭Ὠ App / ም૫ӱൔ / JavaScript App / Browser Extension

Client Authorization (⃾⊈) • ԛൕ Client ID + Secret ཟ
Auth. Server ⃾⊈ሱ࠭ • ္ࣼ൞䪌 Client ေ֨ೆ֞ Auth. Server • ᆺℳႨ Confidential Client

Client • Ⴕ ID / Secret Ⴈᧄ⃾⊈ • Ⴈ Redirect
URI ⃷Ќ⏟´ఖ⊨ᆶ֞ᆞ⃷֥ Client • Public / Confidential Ⴕ۲ሱℳႨ֥൱⃴ੀӱ

Endpoints

Endpoints • Authorization Endpoint - Ⴈῲἡ User Чದ⃷⃾൱⃴ • Token
Endpoint - Ⴈῲ⃸ Client ౼֤ᆇᆞ֥ Token • Redirection Endpoint - Client Ⴈῲ൬⊷ਘႨ

Authorization Endpoint • ἡ User Чದ⃷⃾൱⃴ • ൞၂ἠ↌∉ • ଦ֥֞൞
“Grant” č൱⃴⊯Ďط҂൞ Token • User ճڭᆭᗥđ὜⊨߭ Client ֥ Redirect URI

Token Endpoint • ἡ Client ౼֤ᆇᆞ֥ Token • JSON API
Ὠྀ߄ࢸ૫đ↥↌∉

Redirection Endpoint • Ⴈῲạ⏟´ఖࢤ൬ Auth. Server ῲ֥⊷ਘ • Ῐᄝ Client
ط҂൞ Auth. Server • Client 䩏⤳ℭေ⇔֥ “Callback URL” • Auth. Server ὜⇼⊈ Redirect URI ൞ڎཌྷژҌ⊨ᆶ

SSL! SSL! SSL! • Auth. Server ഈ૫֥ Endpoints с⇜ഈ HTTPS
• Client с⇜⇼⊈ SSL Certificate ൞ڎކ۬ • Client Redirection Endpoint ҂ルᇅđ֌ିഈቋݺഈ  ↌ᅟ → ቋݺഈ  ൭Ὠ / ም૫ App → 㢻Ḱمॖၛ҂ေഈ

Resource Server

Resource Server • Client с⇜ԛൕ Token ҌିΆಀଦ⊷ਘ • Client ᆺေԛൕ
Token ࣼିΆಀଦ⊷ਘ • ॖၛႨ Scope ཋᇅ Token ିⴺ౼Ⴈ֥⊷ਘữ↏

Resource Server • Password-Free API • Login via YourWebsite™

OAuth 2 Protocol ᄸ喁஝

wᾏẪάđồ Spec άx* *ս䩽҂൞Чದ෮མ֥≾喁ᾏẪ ݠ`ದ

• RFC 6749: The OAuth 2.0 Authorization Framework • 77
pages (PDF) • RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage • 19 pages (PDF) tl;dr

• Ⴈಀ 3 ἠ‎Ϩ • ⇔ਔ 13 ௉ṁὸ → /me
ၘồb

OAuth 2.0 Spec(s) • RFC 6749 - ק∕∻ Token ނứႵἬ֥
Protocol • RFC 6750 - ק∕wBearer Tokenxᄸ喁Ⴈ

RFC 6749: OAuth 2 Protocol • ק∕ਔ OAuth 2 ֥࢘೤a޺ọٚൔ
• ק∕ਔ⊷ਘႵଧུaᄸ喁஝ • ק∕ਔނứa㍤ứ Token ֥֩ Protocol • ἲ὎ਔ 4 ⊕ӈᾖwℳކ൐Ⴈ OAuth 2 ֥ੀӱx

RFC 6750: Bearer Token • RFC 6749 ᆺἲק൱⃴ٚൔđ㢻ἲק API ᄸ喁Ẳ
• RFC 6750 ק∕၂⊕ࢡቓ “Bearer” ֥ Token Type • ۲⊕ type Ⴕ҂๝Ẳمđ Bearer ൞ᆰࢤ == ᾋҰ • ၂ओὐࢳℴğwᆰࢤଦῲࣼିႨđ҂Ⴈ⃐ῲ⃐ಀx

Parameters & Data

Client ID / Secret • Ⴈᧄ Client ⃾⊈čClient ֨ೆ֞ Auth.
ServerĎ • 䩏⤳֥ℭީứἡđ⁙⁫ࣼྛ • HTTP Basic Auth ࠇЇᄝ Form 䥰૫č࣌Ⴈ URLĎ

HTTP Basic Auth ID = abc, Secret = 123 abc:123
concat with `:` YWJjOjEyMw== base64() Authorization: Basic YWJjOjEyMw== Basic Auth Header

Token(s) • Access Token - յ API Ⴈ֥ • Refresh
Token - Access Token Ἶ௹ॖၛ㍤ứྍ֥

Access Token • ཟ Resource Server ေ⊷ਘđႨ Access Token •
ॖၛḳ၂⊾ Scope • ॖၛ℟௹ཋđॖၛӜ⇍ (Revoke) • ൱⃴ੀӱ֥ଢṌࣼ൞ေଦ֞ Access Token

Refresh Token • ㍤ứ Access Token Ⴈđᆺ὜ẖ֞ Auth. Server •
ḳק၂ἠ Access Tokenđ⅗ Access Token ၂ఏނứ • ႨἾࣼാི  ྍ֥ Access Token ὜ḳྍ֥ Refresh Token

Scopes • Ⴈῲіൕwॖၛթ౼ଧུ⊷ਘx֥⃴ཋữ↏ • ೂwݺႶ଀Ẫxawཌྷோx • ॖၛ A cover B
đằಖ Set ൞ቋᾏẪ֥ቓم

Scopes • ണ⃪൱⃴ℭॖၛἲק  w၂קေἡxࠇw㢻ἡࣼ≁℟ᆴx • Ⴈॢ۬’ఏῲđ২ೂ "friends_list photos" • ֌ޓ؟↌ᅟႨ׹ὂ
`,` △

State • Ⴈῲٝᆸ CSRF ۾ὧ • Client 㲗 Browser 㲗
Auth. Server ൞ޓາ↿ˀ • State ẖ֞ Auth. Server ࣼေჰٿ҂ọْ߭ • Client ⇼⊈ᆭ • ⁙⁫ᆴࣼྛđ္ॖၛႨ HMAC ⃐

Protocol: ೂޅ౼֤൱⃴ ạ Client ֥ℶ࢘

౼֤൱⃴֥ੀӱ 1. Client ཟ Res. Owner ౼֤ “Grant” č൱⃴⊯Ď 2.
Client Ⴈ “Grant” ཟ Authorization Server ㍤ Token 3. Token ଦ֞ਔđॖၛಀյ API ᆜἠ Protocol ቋₒ֥ᄝ≾䥰

ቋӈᾖ֥ Scenario Ⴕ↌ᅟ Facebook đ୆༐ຬᄝପഈ૫֥ User   ἡ୆֥↌ᅟ⃴ཋđॖၛồ౼ପ User ֥⊷ਘ
Resource Owner Client Token Resource Server ๩Ἶ Facebook ֥ Authorization Server

նࡅ׻ԱἾ ※Ⴈ Library Ա

“Authorization Code Grant Flow”

Auth Code Grant Flow • Grant ൞ऎⅴ֥ሳԱđẀቔ Code • ླေῂἾ
Browser • ℳႨᧄw↌ᅟx≾⊕ Client

Resource Owner Client ! Authorization Server ※Ӓሱ spec

Resource Owner Browser Client ! Authorization Server ※Ӓሱ spec

Resource Owner Browser Client ! Authorization Server ※Ӓሱ spec Authorization
Endpoint Token Endpoint Redirection Endpoint

Resource Owner Browser Client ! Authorization Server (A) (A) ID,
Redirect URI, Scope, State ※Ӓሱ spec Authorization Endpoint Token Endpoint Redirection Endpoint

Redirect URI, Scope, State (B) (B) ↜ Resource Owner ※Ӓሱ spec Authorization Endpoint Token Endpoint Redirection Endpoint

Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Grant Code, Scope, State ※Ӓሱ spec Authorization Endpoint Token Endpoint Redirection Endpoint

Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Grant Code, Scope, State (D) Grant Code, Client Auth ※Ӓሱ spec Authorization Endpoint Token Endpoint Redirection Endpoint

Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Grant Code, Scope, State (D) Grant Code, Client Auth (E) Token ※Ӓሱ spec Authorization Endpoint Token Endpoint Redirection Endpoint

(A) ứԛ൱⃴ണ⃪ Client Ῐ၂ἠ↌ᆶἡ User ề Login with Facebook

(A) ứԛ൱⃴ണ⃪ https://graph.facebook.com/oauth/authorize? response_type=code&client_id=567672586646825& redirect_uri=http%3A%2F%2Flocalhost %3A3000%2Fusers%2Fauth%2Ffacebook %2Fcallback&state=446c63696b24b4b6687cdff62ea bce3a9c9d6333d7c807e6&scope=email (GET Request)

https://graph.facebook.com/oauth/authorize? response_type=code &client_id=567672586646825 &redirect_uri=http://localhost:3000/users/ auth/facebook/callback &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &scope=email

https://graph.facebook.com/oauth/authorize? response_type=code &client_id=567672586646825 &redirect_uri=http://localhost:3000/users/ auth/facebook/callback &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &scope=email Authorization Endpoint

https://graph.facebook.com/oauth/authorize? response_type=code &client_id=567672586646825 &redirect_uri=http://localhost:3000/users/ auth/facebook/callback &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &scope=email іൕ Authorization
Code Grant Flow Authorization Endpoint

Code Grant Flow Client ID Authorization Endpoint

Code Grant Flow Client ID Redirect URI Authorization Endpoint

Code Grant Flow Client ID Redirect URI Client ֥ State čٝ CSRF Ď Authorization Endpoint

Code Grant Flow Client ID Redirect URI Client ֥ State čٝ CSRF Ď མေ⃪౰֥⃴ཋữ↏čScopesĎ Authorization Endpoint

Authorization Server ֥ọቔ 1. ۴ῌ Client ID ᅳ Client 2.
⃷⃾ Redirect URI ۵൙༵䩏⤳֥ཌྷژ • ೏҂ᆞ⃷≣ေ₵ấ↪đ҂ॖ⊨߭ἐ URI 3. ⃷⃾མണ⃪֥ scope ᆞ⃷č۬ൔa⤨ಸ֩Ď 4. 㢻↜ⅳࣼ↜ Resource Owner ေ҂ေ൱⃴ (B)

(B) Auth. Server ↜ Res. Owner

Authorization Server ֥ọቔ • ೏ᄍ⇝đ≣⊨߭ Client đڸഈ Grant Code •
೏҂ᄍ⇝đ≣⊨߭ Client đ❣ڸഈấ↪⇫༏ • ೏἗἗Ⴕẖ state Ἶῲđ≣ჰٿ҂ọڸഈ

(C) Client ൬֞ Grant Code (GET Request)

HTTP/1.1 302 Found Location: http://localhost:3000/users/auth/ facebook/callback? code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...)&state=446c636 96b24b4b6687cdff62eabce3a9c9d6333d7c807e6

http://localhost:3000/users/auth/facebook/ callback? code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...) &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6

http://localhost:3000/users/auth/facebook/ callback? code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...) &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint

http://localhost:3000/users/auth/facebook/ callback? code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...) &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint ൱⃴⊯ (Grant
Code)

http://localhost:3000/users/auth/facebook/ callback? code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...) &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint ൱⃴⊯ (Grant
Code) ჰٿ҂ọ֥ State ᆴ

Client ֥ọቔ • ༵ᾋҰ state ۵ session 䥰૫թ֥Ⴕ㢻Ⴕ၂ᇁ • 㢻↜ⅳࣼಀ㍤
Token ਔ

(D) ଦ Code ㍤ Token • Client ᄝᗥ෻ቓ≾ࡱ൙ • POST
֞ Auth. Server ֥ Token Endpoint ㍤ Token • Client Authentication • grant_type=code, code, redirect_uri, client_id (Ᾱ Public Client)

POST /oauth/access_token HTTP/1.1  Host: graph.facebook.com  Authorization: Basic YWJjOjEyMw==  Content-Type: application/x-www-form-
urlencoded    grant_type=authorization_code    &code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...)    &redirect_uri=http%3A%2F%2Flocalhost %3A3000%2Fusers%2Fauth%2Ffacebook%2Fcallback ※ ൙ℯഈ Facebook Ⴈ GET đ҂ކṌ⊵đ༯ⅾ⃪ሱྛₔṘ

urlencoded    grant_type=authorization_code    &code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...)    &redirect_uri=http%3A%2F%2Flocalhost %3A3000%2Fusers%2Fauth%2Ffacebook%2Fcallback Token Endpoint ※ ൙ℯഈ Facebook Ⴈ GET đ҂ކṌ⊵đ༯ⅾ⃪ሱྛₔṘ

urlencoded    grant_type=authorization_code    &code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...)    &redirect_uri=http%3A%2F%2Flocalhost %3A3000%2Fusers%2Fauth%2Ffacebook%2Fcallback Token Endpoint Client Authentication ※ ൙ℯഈ Facebook Ⴈ GET đ҂ކṌ⊵đ༯ⅾ⃪ሱྛₔṘ

urlencoded    grant_type=authorization_code    &code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...)    &redirect_uri=http%3A%2F%2Flocalhost %3A3000%2Fusers%2Fauth%2Ffacebook%2Fcallback Token Endpoint іൕw໡ଦ֥֞൱⃴⊯൞ Grant Codex Client Authentication ※ ൙ℯഈ Facebook Ⴈ GET đ҂ކṌ⊵đ༯ⅾ⃪ሱྛₔṘ

urlencoded    grant_type=authorization_code    &code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...)    &redirect_uri=http%3A%2F%2Flocalhost %3A3000%2Fusers%2Fauth%2Ffacebook%2Fcallback Token Endpoint іൕw໡ଦ֥֞൱⃴⊯൞ Grant Codex Grant Code Client Authentication ※ ൙ℯഈ Facebook Ⴈ GET đ҂ކṌ⊵đ༯ⅾ⃪ሱྛₔṘ

urlencoded    grant_type=authorization_code    &code=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...)    &redirect_uri=http%3A%2F%2Flocalhost %3A3000%2Fusers%2Fauth%2Ffacebook%2Fcallback Token Endpoint іൕw໡ଦ֥֞൱⃴⊯൞ Grant Codex Grant Code ჰ Redirect URI Client Authentication ※ ൙ℯഈ Facebook Ⴈ GET đ҂ކṌ⊵đ༯ⅾ⃪ሱྛₔṘ

Authorization Server ֥ọቔ • ⃷⃾ Client Authentication (ID / Secret)
ᆞ⃷ • ᅳ֞ἐ Grant Code đ⃷⃾ః Redirect URI ၂ଆ၂∄ • 㢻↜ⅳ֥ὐࣼứ Token

(E) ứ Token • Client ֥ Token Request ֥ Response
• ൞ JSON Response • ॖၛ၂⟸ứ Refresh Token • User ൱⃴֥ Scope ೏∻ണ⃪ℭ҂၂ᇁ≣ေڸഈ

HTTP/1.1 200 OK  Content-Type: application/json;charset=UTF-8  Cache-Control: no-store  Pragma: no-cache  { 
"access_token":"2YotnFZFEjr1zCsicMWpAA",  "token_type":"Bearer",  "expires_in":3600,  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",  "scopes":"email"  }

"access_token":"2YotnFZFEjr1zCsicMWpAA",  "token_type":"Bearer",  "expires_in":3600,  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",  "scopes":"email"  } Access Token

"access_token":"2YotnFZFEjr1zCsicMWpAA",  "token_type":"Bearer",  "expires_in":3600,  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",  "scopes":"email"  } Access Token іൕ≾ἠ Token ൞ Bearer Token

"access_token":"2YotnFZFEjr1zCsicMWpAA",  "token_type":"Bearer",  "expires_in":3600,  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",  "scopes":"email"  } Access Token іൕ≾ἠ Token ൞ Bearer Token 3600 ૰ᆭᗥἾ௹

"access_token":"2YotnFZFEjr1zCsicMWpAA",  "token_type":"Bearer",  "expires_in":3600,  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",  "scopes":"email"  } Access Token іൕ≾ἠ Token ൞ Bearer Token 3600 ૰ᆭᗥἾ௹ Access Token Ớ∣֥ Refresh Token

"access_token":"2YotnFZFEjr1zCsicMWpAA",  "token_type":"Bearer",  "expires_in":3600,  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",  "scopes":"email"  } Access Token іൕ≾ἠ Token ൞ Bearer Token 3600 ૰ᆭᗥἾ௹ Access Token Ớ∣֥ Refresh Token ೏ scope ∻ണ⃪ℭ ҂၂ᇁ≣ေڸഈ

൭Ὠ App / ም૫ App • ℶ㬪 Public đClient Authentication
҂ॖྐ • Token Request ေڸഈ Client ID  ⃷Ќ Token ứἡᆞ⃷֥ Client • App ⅹܥק URI đೂ  kktix-app:oauth2-callback

What about JavaScript App • “User-Agent-Based Client” • Public Client
• Redirect Endpoint ္㢻Ḱمⅹሱị Protocol • Auth. Code Grant Flow ҂ॖႨđᄸ喁ḰĤ

“Implicit Grant Flow”

Implicit Grant Flow • ⊦⁽ἡ Public Client Ⴈ • Grant
҂ẖ֞ Client đᆰࢤứ Token • ҂ῂἾ Token Endpoint • ứ֥ Token ๙ӈ൞؋ི௹đࢆ֮Ф๦֥ἀ↿ • ҂ἡ Refresh TokenđἾ௹ᇗྍ஝ണ⃪ੀӱ

Resource Owner Client (JS) ! Authorization Server ※Ӓሱ spec

Resource Owner Browser Client (JS) ! Authorization Server ※Ӓሱ spec

Client’  (Web Server)

Authorization Endpoint Client’  (Web Server) Redirection Endpoint

Resource Owner Browser Client (JS) ! Authorization Server (A) (A)
ID, Redirect URI, Scope, State ※Ӓሱ spec Authorization Endpoint Client’  (Web Server) Redirection Endpoint

ID, Redirect URI, Scope, State (B) (B) ↜ Resource Owner ※Ӓሱ spec Authorization Endpoint Client’  (Web Server) Redirection Endpoint

ID, Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Token (in Frag.), Scope, State ※Ӓሱ spec Authorization Endpoint Client’  (Web Server) Redirection Endpoint

ID, Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Token (in Frag.), Scope, State ※Ӓሱ spec Authorization Endpoint Client’  (Web Server) Redirection Endpoint (D) GET Redirect URI (no Token)

ID, Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Token (in Frag.), Scope, State (E) JavaScript (to Decode Token) ※Ӓሱ spec Authorization Endpoint Client’  (Web Server) Redirection Endpoint (D) GET Redirect URI (no Token)

ID, Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Token (in Frag.), Scope, State (E) JavaScript (to Decode Token) ※Ӓሱ spec Authorization Endpoint Client’  (Web Server) Redirection Endpoint (D) GET Redirect URI (no Token) (F)

ID, Redirect URI, Scope, State (B) (B) ↜ Resource Owner (C) Token (in Frag.), Scope, State (E) JavaScript (to Decode Token) ※Ӓሱ spec Authorization Endpoint Client’  (Web Server) Redirection Endpoint (D) GET Redirect URI (no Token) (G) Assign Access Token (F)

(C) ~ (G) ޽ളസଊℿ • (C) Auth. Server ࢡ Browser
⊨߭ Redirect URI • https://client.com/oauth2/callback#access_token=… • (D) Browser ὜ಀ GET ἐ URL đ֌҂ݣ # č฿ྟĎ • Token ሱọЌ਽ᄝ Browser ֥ Fragment Part 䥰૫

(C) ~ (G) ޽ളസଊℿ • (E) ᄜ❟߭၂ἠ JavaScript Ⴈῲࢳԛ #
䥰૫֥ Token • (F) Browser ሱọ run ≾ἠ JavaScript ࢳԛ Token • (G) Ϝࢳԛῲ֥ Token ❟ἡ JavaScript App

෮ၛ㬪൉喁ླေ Client’ ٳദ • JavaScript ҂ିῘ Redirection Endpoint  ෮ၛႨ Web
Server Ῐ • 䥰૫ࣼ൞၂ἠ JavaScript code Ⴈῲࢳԛ Token  ❣ẖἡ JavaScript App (ᆇ Client)

https://graph.facebook.com/oauth/authorize? response_type=token &client_id=567672586646825 &redirect_uri=http://localhost:3001/jsapp/ facebook/callback &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &scope=email

https://graph.facebook.com/oauth/authorize? response_type=token &client_id=567672586646825 &redirect_uri=http://localhost:3001/jsapp/ facebook/callback &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &scope=email Authorization Endpoint

https://graph.facebook.com/oauth/authorize? response_type=token &client_id=567672586646825 &redirect_uri=http://localhost:3001/jsapp/ facebook/callback &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &scope=email іൕ Implicit
Grant Flow Authorization Endpoint

Grant Flow Client ID Authorization Endpoint

Grant Flow Client ID Redirect URI Authorization Endpoint

Grant Flow Client ID Redirect URI Client ֥ State čٝ CSRF Ď Authorization Endpoint

Grant Flow Client ID Redirect URI Client ֥ State čٝ CSRF Ď མေ⃪౰֥⃴ཋữ↏čScopesĎ Authorization Endpoint

HTTP/1.1 302 Found Location: http://localhost:3001/jsapp/ facebook/ callback#access_token=AQABIWdeO3miePq0uH2VCUv hGr(...)&state=446c63696b24b4b6687cdff62eabce 3a9c9d6333d7c807e6 &token_type=bearer&expires_in=3600

http://localhost:3000/jsapp/facebook/ callback# token=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...) &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &token_type=Bearer &expires_in=3600

http://localhost:3000/jsapp/facebook/ callback# token=AQABIWdeO3miePq0uH2VCUvhGr- voXz3zunrCiX5Bz9IFF8m82bmP(...) &state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 &token_type=Bearer &expires_in=3600 Redirection Endpoint

Access Token

Access Token ჰٿ҂ọ֥ State ᆴ

Access Token ჰٿ҂ọ֥ State ᆴ іൕ≾ἠ Token ൞ Bearer Token

Access Token ჰٿ҂ọ֥ State ᆴ іൕ≾ἠ Token ൞ Bearer Token 3600 ૰ᆭᗥἾ௹

Redirection Endpoint ֥⤨ಸ <script>  var access_token = [extract token from
frag];  // store token in local storage or cookie  </script>

Implicit Grant Flow Usage • Facebook JavaScript SDK • ൭Ὠ
App aም૫ App ္ℳႨ  Facebook: WebView ᾄⅹܥק Redirect URI  ሂԛ #access_token

ห⦁ᇿၩ൙⇊ • 㬪ࢆ֮ Token Ф๦ἀ↿đ๙ӈ὜ứ؋ི௹֥ Token • ၹ㬪ॖି⢔ᄯ Token 刈ἡ
Client đ෮ၛс⇜⇼⊈ᆭ • Facebook: “Token Debug Endpoint”

What if ሱ㸗ሱႨĤ • ሱ࠭⇔֥ script མေႨ Token ಀյ API
• Server App ၘῂթਔ≷ὂૡ⁫đམڿӮ OAuth 2

“Resource Owner Password Credentials Grant Flow”

Resource Owner Client ! Authorization Server ※Ӓሱ spec

Resource Owner Client ! Authorization Server ※Ӓሱ spec Token Endpoint

Resource Owner Client ! Authorization Server ※Ӓሱ spec Token Endpoint
(A) Username, Password

Resource Owner Client ! Authorization Server (B) Client Auth, Username,
Password, Scopes ※Ӓሱ spec Token Endpoint (A) Username, Password

Resource Owner Client ! Authorization Server (B) Client Auth, Username,
Password, Scopes (C) Token ※Ӓሱ spec Token Endpoint (A) Username, Password

Resource Owner Password Credentials Grant Flow • ླေ൞ Resource Owner
ۚ؇ྐῳ Client • ቔ∊༢ⅼ⤨ࡹ֥∣ႨӱൔčOS X ֥ Twitter ᆜކĎ • ܲٚ∣ႨӱൔčGitHub.appĎ • ౏ః෰⦁֥ੀӱ׻҂ℳႨ

Resource Owner Password Credentials Grant Flow • No “state” ၹ㬪҂ῂἾ
Browser • No “Redirect URI” ၹ㬪㢻Ⴕ redirection • ᆰࢤ POST ಀ Token Endpoint ଦ Token

POST /token HTTP/1.1  Host: oauth.example.com  Authorization: Basic YWJjOjEyMw==  Content-Type: application/x-www-form-
urlencoded    grant_type=password    &username=chitsaou  &password=12345678    &scope=email

urlencoded    grant_type=password    &username=chitsaou  &password=12345678    &scope=email Token Endpoint

urlencoded    grant_type=password    &username=chitsaou  &password=12345678    &scope=email Token Endpoint Client Authentication

urlencoded    grant_type=password    &username=chitsaou  &password=12345678    &scope=email Token Endpoint іൕw໡ଦ֥֞൱⃴⊯൞  User ֥ Passwordx Client Authentication

urlencoded    grant_type=password    &username=chitsaou  &password=12345678    &scope=email Token Endpoint іൕw໡ଦ֥֞൱⃴⊯൞  User ֥ Passwordx Credentials Client Authentication

urlencoded    grant_type=password    &username=chitsaou  &password=12345678    &scope=email Token Endpoint іൕw໡ଦ֥֞൱⃴⊯൞  User ֥ Passwordx Credentials Client Authentication མေ⃪౰֥⃴ཋữ↏čScopesĎ

Password ֥↜ⅳ • Token Endpoint ေٝВ৯௥ࢳ • Client ҂ሙϜ≷ૡթఏῲ

What if ҂ླေ UserĤ • ᆺթ౼܄Ῐ⊷ਘ • Data-Mining Twitter Public
Timeline

“Client Credentials Grant Flow”

Client ! Authorization Server ※Ӓሱ spec

Client ! Authorization Server ※Ӓሱ spec Token Endpoint

Client ! Authorization Server (A) Client Auth, Scopes ※Ӓሱ spec
Token Endpoint

Client ! Authorization Server (A) Client Auth, Scopes (B) Token
※Ӓሱ spec Token Endpoint

urlencoded    grant_type=client_credentials    &scope=search_timeline

urlencoded    grant_type=client_credentials    &scope=search_timeline Token Endpoint

urlencoded    grant_type=client_credentials    &scope=search_timeline Token Endpoint Client Authentication

urlencoded    grant_type=client_credentials    &scope=search_timeline Token Endpoint іൕw໡ Client ေണ⃪ Token ሱႨx Client Authentication

urlencoded    grant_type=client_credentials    &scope=search_timeline Token Endpoint іൕw໡ Client ေണ⃪ Token ሱႨx Client Authentication མေ⃪౰֥⃴ཋữ↏čScopesĎ

4 built-in grant flows • Authorization Code • Implicit •
Resource Owner Password Credentials • Client Credentials

ứളấ↪ℭ֥߭∣ٚൔ

Errors on Authorization Endpoint

Errors on Authorization Endpoint 1. ⃾҂ԛ ClientaRedirect URI ҂ژ 2.
Ṛ⅂ẖấ / Authorization Server 㢻ℯቔଖུۿି 3. Resource Owner ऋ䌉൱⃴ 4. Internal Server Error

Client ⃾҂֤aRedirect URI ҂ژ • Redirect URI 㢻ἡ / ҂ᆞ⃷
/ 㢻൙༵䩏⤳ • ေℶ㬪۾ὧđ҂ॖၛ Redirect ֞ἐ Redirect URI • ေิൕࣞۡ⇫༏ἡ Resource Owner

ః෰ấ↪ • ေ⊨߭ Redirect URI ཟ Client ۡᆩấ↪ • ᄝ
URI ᗥ૫ڸഈ error parameters • Auth Code Grant Flow - Ⴈ Query ?error=... • Implicit Grant Flow - Ⴈ Fragment #error=...

Error Parameters • error - Error Code đсแđ༯⇈ • error_description
- ᾏẪ䪌ૼấ↪ • error_uri - ၂ἠ↌ᆶᆷ֞⇈↱䪌ૼ↌∉ • state - ẖ߭ Client ֥ state ჰᆴđᆭభႵἡࣼсแ • ଖུὕ὜ἡ error_subcode čႭఃᇏἽ֥↌ᅟĎ

http://localhost:3000/users/auth/facebook/ callback? error=access_denied    &error_description=User Denies Authrization    &error_uri=https://doc.example.com/...   
&state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6

&state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint

&state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint ấ↪⁫

&state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint ấ↪⁫ ᾏඍấ↪൞൉喁

&state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint ấ↪⁫ ᾏඍấ↪൞൉喁 ु⇈↱䪌ૼ֥ URL

&state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 Redirection Endpoint ấ↪⁫ ჰٿ҂ọ֥ State ᆴ ᾏඍấ↪൞൉喁 ु⇈↱䪌ૼ֥ URL

&state=446c63696b24b4b6687cdff62eabce3a9c9d63 33d7c807e6 # Implicit Flow: ㍤Ӯ Fragment Parameter

error = Meaning invalid_request 㢻ἡсေṚ⅂aἡਔ҂ᆞ⃷֥Ṛ⅂a  ᇗ♶ἡṚ⅂aࠇః෰ჰၹẹᇁ↥مࢳồb unauthorized_client Client ҂ሙႨ≾⊕ Response
Type  ῲ౼֤ Authorization Codeb unsupported_response_type Authorization Server ҂ᆦჱ൐Ⴈ≾⊕ Response Typeb invalid_scope ෮ေ౰֥ scope ҂ᆞ⃷a  ҂ૼa↥مࢳồb Client ᄯӮ֥ấ↪

error = Meaning access_denied Resource Owner ࠇ Authorization Owner  ऋ䌉൱⃴֥ണ⃪b
൱⃴ാḮ

error = Meaning server_error Authorization Server მ֞ၩຓ֥౦㣐ط  ↥مẕ৘⃪౰b temporarily_unavailable Authorization
Server ӑ≘ࠇ→ྩᇏđ  ↥مẕ৘b Authorization Server Internal Server Error

error = Meaning server_error Authorization Server მ֞ၩຓ֥౦㣐ط  ↥مẕ৘⃪౰b temporarily_unavailable Authorization
Server ӑ≘ࠇ→ྩᇏđ  ↥مẕ৘b Q: 㬪൉喁҂ିႨ 500 ߭Ĥ Authorization Server Internal Server Error A: ၹ㬪 500 ҂ᆦჱ Location ⊨ᆶđerror ẖ҂߭ Client

Errors on Token Endpoint

Errors on Token Endpoint 1. Auth. Server ⃾҂֤ Client 2.
Ṛ⅂ẖấ / Authorization Server 㢻ℯቔଖུۿି 3. ൱⃴⊯ (Grant) ҂ᆞ⃷ 4. Internal Server Error

߭∣ٚൔ • ၂ੰЇΆ JSON ߭ • ๙ӈ߭ 400 Bad Request
• ೏ Client ⃾⊈ാḮ & Ⴈ Authorization Header ⃾⊈  → ೖ WWW-Authenticate header

Error Parameters (≅ Auth E.P.) • error • error_description •
error_uri • ଖུὕ὜ἡ error_subcode čႭఃᇏἽ֥↌ᅟĎ • No state (ၹ㬪㢻Ⴕ state ẖΆῲά)

HTTP/1.1 401 Unauthorized  Content-Type: application/json;charset=UTF-8  WWW-Authenticate: Basic  Cache-Control: no-store  Pragma:
no-cache  {  "error":"invalid_client",  "error_description":"Client Authentication Failed",  "error_uri":"https://doc.example.com/..."  }

no-cache  {  "error":"invalid_client",  "error_description":"Client Authentication Failed",  "error_uri":"https://doc.example.com/..."  } ۲Ⴕࡹ∗֥ Response Code

no-cache  {  "error":"invalid_client",  "error_description":"Client Authentication Failed",  "error_uri":"https://doc.example.com/..."  } ۲Ⴕࡹ∗֥ Response Code Client ๩Ἶ Basic Auth  ⃾⊈ാḮ≣ೖ≾ἠ header

no-cache  {  "error":"invalid_client",  "error_description":"Client Authentication Failed",  "error_uri":"https://doc.example.com/..."  } ۲Ⴕࡹ∗֥ Response Code Client ๩Ἶ Basic Auth  ⃾⊈ാḮ≣ೖ≾ἠ header ấ↪⁫

no-cache  {  "error":"invalid_client",  "error_description":"Client Authentication Failed",  "error_uri":"https://doc.example.com/..."  } ۲Ⴕࡹ∗֥ Response Code Client ๩Ἶ Basic Auth  ⃾⊈ാḮ≣ೖ≾ἠ header ấ↪⁫ ᾏඍấ↪൞൉喁

error = Meaning invalid_client Client ⃾⊈ാḮ Authorization Server ⃾҂ԛ Client
ေ߭ 401 Unauthorized ೂݔ൞Ⴈ Basic Auth ෂԛ Client Auth đ≣ေڸഈ WWW-Authenticate: Basic

error = Meaning invalid_grant ิԛ֥ Grant ࠇ൞ Refresh Token ҂ᆞ⃷a
Ἶ௹aФӜ⇍đࠇ Redirection URI ҂ژđ ࠇ۴Чࣼ҂൞ἡ୆≾ἠ Clientb ൱⃴⊯҂ᆞ⃷

error = Meaning invalid_request 㢻ἡсေṚ⅂aἡਔ҂ᆞ⃷֥Ṛ⅂a  ᇗ♶ἡṚ⅂aࠇః෰ჰၹẹᇁ↥مࢳồb unauthorized_client Client ҂ሙႨ≾⊕ Response
Type  ῲ౼֤ Authorization Codeb unsupported_grant_type Authorization Server ҂ᆦჱ൐Ⴈ≾⊕  Grant Typeb invalid_scope ෮ေ౰֥ scope ҂ᆞ⃷a  ҂ૼa↥مࢳồb Client ᄯӮ֥ấ↪

error = Meaning — — Authorization Server Internal Server Error

error = Meaning — — Q: 㬪൉喁㢻ႵĤ Authorization Server Internal
Server Error A: ၹ㬪൞ Client ᆰࢤứ Request ֞ Serverđᆰࢤ₵ 500 ࣼྛ

ଦ֞ Token ਔđೂޅյ API RFC 6750 “Bearer Token Usage”

"access_token":"2YotnFZFEjr1zCsicMWpAA",  "token_type":"Bearer",  "expires_in":3600,  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",  "scopes":"email"  }

Bearer Token • RFC 6750 ק∕đ၂⊕ OAuth 2.0 ֥ Token
• ႨمቋᾏẪğԛൕ Token ἡ Resource Server • Token ⤨ಸ⁙⁫ࣼྛ • Spec ᆺἲקԛൕ Token ֥ٚൔ & ấ↪⇫༏

ԛൕ Token ֥ٚم • (in Header) Authorization: Bearer 2YotnFZF... •
(in Body) &access_token=2YotnFZF... • (in URL) ?access_token=2YotnFZF... ҂๷ᾑ ቋ๷ᾑ

Authorization: Basic XXXXXXXX • с⇜ᆦჱ • ᆰࢤϜ Token ሳԱ٢Ά Header
ࣼྛਔ ቋ๷ᾑ GET /me.json HTTP/1.1  Host: api.example.com  Authorization: Bearer 2YotnFZF...

in Request Body • ℳႨᧄ "Form" ᆭ ֥ request (POST, PATCH
etc.) • ҂ॖၛ൞ multi-part • Content-Type: application/x-www-form-urlencoded

POST /api/articles HTTP/1.1  Host: api.example.com  Content-Type: application/x-www-form- urlencoded    title=Test%20Article 
&content=%28ry%0A%0D  &access_token=2YotnFZF...

҂๷ᾑ in URL Query Param • ҂๷ᾑđၹ㬪ॖି὜Фὸᄝ log 䥰 •
ေ⃷Ќ response ൞ non-cacheable • Ⴕ Form ିႨࣼ᾽ਈႨ Form Body

GET /api/articles?access_token=2YotnFZF... HTTP/1.1  Host: api.example.com HTTP/1.1 200 OK  Content-Type: application/json;charset=UTF-8 
Cache-Control: private (or no-store if not 200)

ứളấ↪ℭ֥߭∣ٚൔ

Bearer Token Error 1. Ṛ⅂ẖấ 2. Token ҂ᆞ⃷ 3. Scope
⃴ཋ҂ቀ

߭∣ٚൔ • ၂ੰႨ WWW-Authenticate header ߭ấ↪ • Ⴕԛൕ Token đҌିڸഈః෰
Error Parameters • ※ 㢻ἲק҂ିᄜႨ JSON ߭

error = Status Meaning invalid_request 400 㢻ἡсေṚ⅂aἡਔ҂ᆞ⃷֥Ṛ⅂  ᇗ♶ἡṚ⅂aᇗ♶ԛൕ Access Token 
ࠇః෰ჰၹẹᇁ↥مࢳồb invalid_token 401 Access Token Ἶ௹aФӜ߭a↥مࢳồb Client ॖၛᇗྍണ⃪၂ἠ Token ᄜℷb insufficient_scope 403 Token ֥ scope ⃴ཋ҂ቀb Error ॖၛڸഈ scope= ῲิൕ෮ླ⃴ཋb

HTTP/1.1 401 Unauthorized  WWW-Authenticate: Bearer realm="The API"  error="invalid_token"  error_description="Token is
not usable." HTTP/1.1 403 Forbidden  WWW-Authenticate: Bearer realm="The API",  error="insufficient_scope",  error_description="Scope not sufficient.",  scope="friend_list photo"

ປಆ㢻ԛൕ Access Token HTTP/1.1 401 Unauthorized  WWW-Authenticate: Bearer realm="The API"
GET /api/articles HTTP/1.1  Host: api.example.com

Token Ἶ௹ → ㍤ứ Token Refresh

Token Refresh • ଦ Access Token ނứℭ֥ Refresh Token ಀ㍤ứ
• ჰЧ㢻Ⴕứ Refresh Token đࣼ҂ି㍤ứ • POST ֞ Token Endpoint

urlencoded    grant_type=refresh_token    &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA    &scope=search_timeline

urlencoded    grant_type=refresh_token    &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA    &scope=search_timeline Token Endpoint

urlencoded    grant_type=refresh_token    &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA    &scope=search_timeline Token Endpoint Client Authentication

urlencoded    grant_type=refresh_token    &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA    &scope=search_timeline Token Endpoint іൕw໡ Client ေ㍤ứྍ֥ Tokenx Client Authentication

urlencoded    grant_type=refresh_token    &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA    &scope=search_timeline Token Endpoint іൕw໡ Client ေ㍤ứྍ֥ Tokenx Client Authentication scope ॖസ੻đ҂ॖնᧄ  Access Token ണ⃪Ἶ֥⃴ཋ

⚧ᄯ OAuth 2 Provider ֥ٚم

= ᄯ Authorization Server

Service spec ཌྷಸ ᆦჱ֥ Grant Types scope ٳۯ Refresh Token
Client ⃾⊈ Facebook ✕ Auth Code, Implicit, Client Cred. comma △ (ሱ⚧) GET GitHub ✕ Auth Code, Password (ሱ⚧) comma ✕ POST Twitter ̋ Client Cred. (↥ scope) ✕ Basic Google ✕ Auth Code, Implicit space ̋ POST Microsoft ✕ Auth Code, Implicit ĤĤĤ ̋ POST Dropbox ̋ Auth Code, Implicit (↥ scope) ✕ Basic, POST Amazon ̋ Auth Code, Implicit space ̋ Basic, POST Bitly ✕ Auth Code (϶ሱ⚧), Password (↥ scope) ✕ POST (Auth Code), Basic (Password) ྍশັѰ ✕ Auth Code comma ✕ Basic, GET ׸ϵ ✕ Auth Code, Implicit comma ̋ POST BOX ✕ Auth Code (↥ scope) ̋ POST Basecamp ✕ Auth Code (↥ scope) ̋ POST

⦁ದᄸ喁ቓ • ҂၂קေᆦჱ෮Ⴕ 4 ⊕ Grant Flow • ҂၂קေႵ Scope
• ҂၂קေႵ Refresh Token

⦁ದᄸ喁ቓč҂ݺ֥ٚ૫Ď ✘ ్ Scope ޓ؟ದႨ `,` ✘ Client ⃾⊈҂ᾖ֤׻ᆦჱ HTTP
Basic Auth ✘ Bearer Token ҂၂ק൞Ⴈ  “Bearer” Authorization Header

Ⴕ Spec ॖၛ Follow ࣼ Follow ✔ ్ Scope Ⴈॢ۬
✔ Client ⃾⊈ᇀഒေᆦჱ Basic Auth ✔ Bearer Token ࣼႨ  “Bearer” Authorization Header

Step 1: ק∕ Resource Owner

Resource Owner • ࣼק∕Ӯ↌ᅟഈ֥ User ϔ

Step 2: ℟ί Client ܵ৘ࢸ૫

Client Registration (CRUD) • id • secret čℶ㬪ૡ⁫Ď • Redirect
URI ّᆞ҂൞ἡದὸ֥ ෮ၛള⁙⁫ࣼྛ } ← ေ౰ Developer ൙༵ᆷק

Step 3: Ῐ Endpoints

Authorization Endpoint • ๙ӈῘᄝᇶᅟđٚьᆰࢤ⃸ User Ⴈ Cookie ֨ೆ • ⚧ቔ၂ἠ
Dialog ⃸ User 㢯קေ҂ေᄍ⇝൱⃴ • User ߭ճᆭᗥđRedirect ߭ Client • ὜ Redirect ߭ Client đ෮ၛေ༵⃷Ќ Client ᆞ⃷

Authorization Endpoint halt if !(client_id and redirect_uri matches) error(invalid_scope) if
!(valid_scope?) error(unsupported_response_type)  if !(valid_response_type?) # other errors (incomplete pseudo code)

Authorization Endpoint result = ask_user_for_authorization! if result == Authorized then 
if response_type == Code  callback_params = generate_grant_code()  else if response_type == Token  callback_params = generate_token() else if result == Denied then  callback_params = generate_error_code(access_denied)

Authorization Endpoint if response_type == Code  redirect_to_client_with_query(callback_params) else if response_type
== Token  redirect_to_client_with_fragment(callback_params)

Token Endpoint • ๙ӈῘᄝ API subdomain • ᅶ Spec ቓ
JSON Response ࣼྛ

Token Endpoint authorize_client! or error(invalid_client) verify_redirect_uri! or error(invalid_request) error(invalid_scope) if
scope_given and !valid_scope? # other errors token = issue_token(expires_in: 30.days) token_response_by_json(token)

Step 4: Ẳ API

“Resource Server Guard” • Ẳᄝ API ቋຓ૫֥wЌಆx(Guard) • ⇼⊈ૄἠ Request
׻с⇜Ⴕᆞ⃷֥ Token

“Resource Server Guard” fetch_token(from: header, form, query) error(401) if !(token_given?)
error(400) if !(token_decodable?) error(invalid_token) if expired? or revoked? error(insufficient_scope) if scope_sufficient? yield to API

ֻ၂ՑႨ Rails + Grape API ᆜކ OAuth 2 ࣼഈ൭

ֻ၂Ցč੻Ďࣼഈ൭ • Ⴈ Devise ള User (Resource Owner) • Ⴈ
Doorkeeper ἒ Authorization Server • Ⴈ Grape ἒ API (Resource Server) • ሱ࠭ख़ Resource Server Guard ῲ⅞ API

Why ሱ࠭ख़ Guard • doorkeeper_for ൞ Rails-Only • Rack::OAuth2 ປӮ؇ޓۚđ֌с⇜ሱ࠭ᆜކ
• Warden::OAuth2 ۵ Devise वᄝ၂ఏ໡҂὜ࢳ • Grape::Middleware::Auth::Oauth2 ۴Ч㢻ቓປ ✔ Best Choice

Source Available on GitHub GitHub.com/chitsaou/oauth2-sample-api

Step 1: ק∕ Resource Owner

ק∕ Resource Owner $ rails g devise:install # ປ

Step 1.5: ᄯ API

ᄯ API class SecretAPI < Grape::API  namespace "secret"  format :json 
get "hello" do  {  greeting: "Hi,#{current_user.email}"  }  end  end

Step 2: ℟ί Client ܵ৘ࢸ૫

Step 3: Ῐ Endpoints

Step 2 + 3:  Ῐ Authorization Server

Ῐ Authorization Server $ gem install doorkeeper  $ rails g
doorkeeper:install  $ rails g doorkeeper:migration  $ rake db:migrate

℟ק⃾⊈ Resource Owner ֥ٚൔ # ⃾⊈ Resource Owner ֥ٚمđᆰࢤࢤ Devise 
resource_owner_authenticator do  current_user ||  warden.authenticate!(:scope => :user)  end config/initializers/doorkeeper.rb ※ Ӓܲٚ໓ࡱ

New Tables • oauth_application - Clients Registration • oauth_access_grant -
Stores Auth Grant Codes • oauth_access_token -  ᆇᆞނứԛಀ֥ Access Tokensđ  ЇݣỚ∣֥ Refresh Token č≁℟ἬṅĎ

New Routes Action(s) Path Ⴈ๯ new /oauth/authorize Authorization Endpoint create
/oauth/authorize User ⇝ॖ൱⃴ℭ֥ action destroy /oauth/authorize User ऋ䌉൱⃴ℭ֥ action show /oauth/authorize/:code Local ṦℷႨ update /oauth/authorize Ĥ create /oauth/token Token Endpoint show /oauth/token/info Token Debug Endpoint resources /oauth/applications Clients ܵ৘ࢸ૫ (CRUD) index /oauth/authorized_applications User ܵ৘൱⃴Ἶ֥ Clients destroy /oauth/authorized_applications/:id

Doorkeeper Built-In™ ✔ Authorization Endpoint & Token Endpoint ✔ Token
Debug Endpoint  čᄝ Implicit Flow ⇼⊈ Token ֥ᆇℯྟĎ ✔ Client Registration Interface (CRUD) ✔ User ܵ৘൱⃴Ἶ֥ Clients ֥ࢸ૫čॖ RevokeĎ

Let’s Create a Client http://localhost:12345/auth/demo/callback

Let’s Get an Access Token

(A) ứԛ൱⃴ണ⃪ http://localhost:3000/oauth/authorize? client_id=4a407c6a8d3c75e17a5560d0d0e4507c77b 047940db6df882c86aaeac2c788d6 &redirect_uri=http://localhost:12345/auth/ demo/callback &response_type=code

(B) Auth. Server ↜ User

(C) ൱⃴⊯༯ῲਔ http://localhost:12345/auth/demo/callback? code=9e0ad73f94669d9743bb0c2e65c4784f723c11c7 61852477a4d37d0cc9bb914d

(D) ଦ Code ㍤ Token

Token ֞൭ 4ead67fc8917761a7f0cd1f0cae30e905fc93e0d25430 32f58395e5a55b9869e

Step 4: Ẳ API The Most Hard Part

api/concerns/api_guard.rb module APIGuard extend ActiveSupport::Concern end

Building Resource Server Guard • Fetch Access Token via Rack::OAuth2
• Find Access Token from Model • Validate if Token is not Expired && not Revoked • Validate if Token has Sufficient Scopes • If All Valid, Pass to Grape API

Fetch Access Token via Rack::OAuth2 • use Rack::OAuth2::Server::Resource::Bearer • ൙ℯഈᆺἌ≡Ϝ
yield ԛῲ֥ Token թᄝଖẕ • ೂݔ Request ҂ầ Token ࣼᆰࢤ Pass ֞༯ἠ stack • ෮ၛ໡ᆺଦ෱ῲ Fetch Token

included do |base|  # OAuth2 Resource Server Authentication  use Rack::OAuth2::Server::Resource::Bearer, 
'The API' do |request|  # Authenticator only fetches the raw token string    # Must yield access token to store it in the env  request.access_token  end  end

def get_token_string  request.env[Rack::OAuth2::Server::Resource::  ACCESS_TOKEN]  end (in helpers block)

Find Access Token Instance • Doorkeeper::AccessToken.authenticate • → #find •
returns nil if not found

def find_access_token(token_string)  Doorkeeper::AccessToken.authenticate(token_string)  end (in helpers block)

Validate the Token • OAuth2::AccessTokenValidationService.validate • ᾋҰႵ㢻Ⴕ Expired a Revoked
• ॖၛẖ scopes Ṛ⅂ΆಀᾋҰ scope Ⴕ㢻Ⴕ⃆

def validate_access_token(access_token, scopes)  OAuth2::AccessTokenValidationService  .validate(access_token, scopes: scopes)  end (in helpers
block)

def validate(token, scopes: [])  if token.expired?  return EXPIRED    elsif
token.revoked?  return REVOKED    elsif !self.sufficent_scope?(token, scopes)  return INSUFFICIENT_SCOPE    else  return VALID  end  end Token#expired?, Token#revoked?  ൞ Doorkeeper ⤨ࡹ֥

def sufficent_scope?(token, scopes)  if scopes.blank?  # no scope required =>
any token is valid  return true  else  # scopes required  #=> Check sufficiently by Set comparison  required_scopes = Set.new(scopes)  authorized_scopes = Set.new(token.scopes)    return authorized_scopes >= required_scopes  end  end ≾൞ቋᾏẪ֥ࠢކбᾱ ୆ॖၛ၇ླ౰ℯቔဆෘم

ቓ guard! ᄝ Grape 䥰૫Ẳᇾ class SecretAPI < Grape::API  get
"hello" do  guard!  {  greeting: "Hi,#{current_user.email}"  }  end  end

def guard!(scopes: [])  token_string = get_token_string()    if token_string.blank?  raise
MissingTokenError    elsif (  access_token = find_access_token(token_string)  ).nil?  raise TokenNotFoundError (in helpers block)

MissingTokenError    elsif (  access_token = find_access_token(token_string)  ).nil?  raise TokenNotFoundError ༵ሂԛ Token String (in helpers block)

MissingTokenError    elsif (  access_token = find_access_token(token_string)  ).nil?  raise TokenNotFoundError ༵ሂԛ Token String ሂ֥֞൞ॢሳԱđіൕ㢻ἡ Token (in helpers block)

MissingTokenError    elsif (  access_token = find_access_token(token_string)  ).nil?  raise TokenNotFoundError ༵ሂԛ Token String ሂ֥֞൞ॢሳԱđіൕ㢻ἡ Token Ⴕἡ֌ᅳ҂֞đ൞ Invalid Token (in helpers block)

else  case validate_access_token(access_token, scopes)  when Oauth2::AccessTokenValidationService  ::INSUFFICIENT_SCOPE  raise InsufficientScopeError.new(scopes)  when
Oauth2::AccessTokenValidationService::EXPIRED  raise ExpiredError  when Oauth2::AccessTokenValidationService::REVOKED  raise RevokedError  when Oauth2::AccessTokenValidationService::VALID  @current_user = User.find(access_token  .resource_owner_id)  ennnd

Oauth2::AccessTokenValidationService::EXPIRED  raise ExpiredError  when Oauth2::AccessTokenValidationService::REVOKED  raise RevokedError  when Oauth2::AccessTokenValidationService::VALID  @current_user = User.find(access_token  .resource_owner_id)  ennnd Scope ҂ژ

Oauth2::AccessTokenValidationService::EXPIRED  raise ExpiredError  when Oauth2::AccessTokenValidationService::REVOKED  raise RevokedError  when Oauth2::AccessTokenValidationService::VALID  @current_user = User.find(access_token  .resource_owner_id)  ennnd Scope ҂ژ Ἶ௹ਔ

Oauth2::AccessTokenValidationService::EXPIRED  raise ExpiredError  when Oauth2::AccessTokenValidationService::REVOKED  raise RevokedError  when Oauth2::AccessTokenValidationService::VALID  @current_user = User.find(access_token  .resource_owner_id)  ennnd Scope ҂ژ Ἶ௹ਔ Ӝ⇍ਔ

Oauth2::AccessTokenValidationService::EXPIRED  raise ExpiredError  when Oauth2::AccessTokenValidationService::REVOKED  raise RevokedError  when Oauth2::AccessTokenValidationService::VALID  @current_user = User.find(access_token  .resource_owner_id)  ennnd Scope ҂ژ Ἶ௹ਔ Ӝ⇍ਔ ׻ OK ࣼ℟ current_user

ቋᗥ൞ Error Response • Rack::OAuth2 䥰૫֥ᆰࢤଦῲႨ • ಌềğinsufficient_scope ҂὜ἡ WWW-Authenticate
• ၹ㬪ᅶ RFC 2617 ᆺႵ 401 ླေ߭≾ἠ Header

error_classes = [MissingTokenError,  TokenNotFoundError, ExpiredError,  RevokedError, InsufficientScopeError]    rescue_from *error_classes, 
oauth2_bearer_token_error_handler (in included block)

def oauth2_bearer_token_error_handler  Proc.new {|e|  response = case e  when MissingTokenError 
Rack::OAuth2::Server::Resource  ::Bearer::Unauthorized.new  when TokenNotFoundError  Rack::OAuth2::Server::Resource  ::Bearer::Unauthorized.new(  :invalid_token,"Bad Access Token.")  # etc. etc.  end  response.finish  }  end (in ClassMethods module)

guard_all! class SecretAPI < Grape::API  guard_all!  get "hello" do  { 
greeting: "Hi,#{current_user.email}"  }  end  end

module ClassMethods  def guard_all!(scopes: [])  before do  guard! scopes: scopes 
end  end  end (in ClassMethods module)

$ curl -i http://localhost:3000/api/v1/sample/secret  HTTP/1.1 401 Unauthorized  WWW-Authenticate: Bearer realm="The
API"  Content-Type: application/json  Cache-Control: no-cache  {"error":"unauthorized"}

$ curl -i http://localhost:3000/api/v1/sample/secret \  > -H "Authorization: Bearer XXXXXXXX" 
HTTP/1.1 401 Unauthorized  WWW-Authenticate: Bearer realm="Protected by OAuth 2.0", error="invalid_token", error_description="Token is expired. You can either do re-authorization or token refresh."  Content-Type: application/json  Cache-Control: no-cache  {"error":"unauthorized"} č⁙แ TokenĎ

$ curl -i http://localhost:3000/api/v1/sample/secret \  > -H "Authorization: Bearer 4ead67fc8917761a7f0cd1f0cae30e905fc93e0d2543032f58395e
5a55b9869e"  HTTP/1.1 200 OK  Content-Type: application/json    {"greeting":"Hi, [email protected]"}

Final Notes • Doorkeeper ≁℟㢻Ⴕ⅞Ῐ Client ֥⃴ཋđ୆ὸ֤ေ⅞ • Doorkeeper ҂ିᆷקᆺῘଧུ
Flows  ໡Ῐਔ PR ὕ㢻 merge… • 㢻Ⴕྩ insufficient_scope Error  ಌ WWW-Authenticate ֥↜ⅳ

What about Omniauth? • github.com/intridea/omniauth-oauth2 • ޓᾏẪđṚ⅂⇔၂⇔ࣼປӮਔ

Conclusion • OAuth 2 Spec ồປҌ὜ᆩ֡෰ᄝἓખ • ồປ Spec →
෮Ⴕ API ෮Ⴕ Library ୆׻ु֤׭ • ሱ࠭ᆜކ Grape ބ OAuth 2 ఃℯ㢻Ⴕޓₒ  ᆺေ׭ Spec ࣼ҂ₒ…

Final Words • ၇ಖࡹ∗୆ಀồ specđၹ㬪໡സ੻ޓ؟↱ᾳ • Ⴍః൞ Security ֥҆ٺ •
Amazon ֥ OAuth 2 Login ໓ࡱ໡ቋ๷ᾑ

References • RFC 6749 (Spec) tools.ietf.org/html/rfc6749 • RFC 6750 (Spec)
tools.ietf.org/html/rfc6750 • My Notes: blog.yorkxin.org/tags/OAuth • Many OAuth2-based API Documents

Thank You! Q&A Time

簡單易懂的 OAuth 2.0

簡單易懂的 OAuth 2.0

More Decks by Yu-Cheng Chuang

Other Decks in Programming

Featured

Transcript