Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2 for Me and You - 2022 Edition

OAuth 2 for Me and You - 2022 Edition

This session was given at the Adobe ColdFusion Summit 2022 in Las Vegas, Monday October 3rd, 2022.

It covered the OAuth 2 protocol, what it means to be a consumer or provider, and how to navigate the handshake communications between the service. At the end of this session all attendees walked taller, safe in the fact that they understand OAuth 2, how to use it, and what it all means.

Matt Gifford

October 07, 2022
Tweet

More Decks by Matt Gifford

Other Decks in Technology

Transcript

  1. OAUTH 2 FOR ME AND YOU
    Matt Gi
    ff
    ord - Adobe ColdFusion Summit 2022

    View Slide

  2. ABOUT ME
    @coldfumonkeh
    app developer / software architect
    writer

    View Slide

  3. View Slide

  4. View Slide

  5. THE SETLIST
    ➤ OAuth?


    ➤ Important De
    fi
    nitions


    ➤ How to be a consumer


    ➤ The Authorization Code Flow


    ➤ Useful Tools

    View Slide

  6. THE SCENARIO

    View Slide

  7. THE SCENARIO
    I am writing a web-based
    application for lovers of music.


    I want to access data from
    third-party services to enhance
    my application.

    View Slide

  8. THE SCENARIO
    I am going to use Spotify to
    build a fun project that can
    generate dynamic playlists for
    the authenticating user.

    View Slide

  9. THE SCENARIO
    My application will need to log
    into Spotify on behalf of my
    users to access their account
    information and have write
    access to their playlists.

    View Slide

  10. THE SCENARIO

    View Slide

  11. WHAT IS OAUTH?

    View Slide

  12. WHAT IS OAUTH?

    View Slide

  13. A delegation framework to allow
    secure authorization in a simple
    and standard method from web,
    mobile and desktop applications
    WHAT IS OAUTH?

    View Slide

  14. A delegation framework to allow
    secure authorization in a simple
    and standard method from web,
    mobile and desktop applications
    WHAT IS OAUTH?

    View Slide

  15. View Slide

  16. A BRIEF HISTORY

    View Slide

  17. A BRIEF HISTORY
    2006 Twitter Chief Architect looked for a better authentication method - no passwords
    2007 OpenID development group (and contributors) came up with the OAuth 1 first draft
    2007 7 updated drafts by the end of the year
    2009 OAuth 2.0 spec was started
    “.. to clear up many of the aspects of OAuth 1 that were difficult or confusing.”
    2012 OAuth 2.0 core spec was published
    There were
    MANY more revisions to the draft

    View Slide

  18. View Slide

  19. DEFINITIONS

    View Slide

  20. ROLES

    View Slide

  21. ROLES
    Resource Owner
    (The User)

    View Slide

  22. ROLES
    Resource Owner
    (The User)
    The Client
    (The App)

    View Slide

  23. ROLES
    The Client
    (The App)
    Resource Owner
    (The User)
    Resource Server

    View Slide

  24. ROLES
    The Client
    (The App)
    Resource Owner
    (The User)
    Resource Server
    Authorization Server

    View Slide

  25. ROLES
    The Client
    (The App)
    Resource Owner
    (The User)
    Resource Server Authorization Server

    View Slide

  26. SCOPE

    View Slide

  27. SCOPE

    View Slide

  28. SCOPE

    View Slide

  29. GRANT TYPES

    View Slide

  30. GRANT TYPES

    View Slide

  31. TOKENS

    View Slide

  32. TOKENS
    ACCESS TOKEN

    View Slide

  33. TOKENS
    REFRESH TOKEN

    View Slide

  34. BEING A
    CONSUMER

    View Slide

  35. REGISTERING YOUR APP

    View Slide

  36. REGISTERING YOUR APP

    View Slide

  37. REGISTERING YOUR APP

    View Slide

  38. REGISTERING YOUR APP

    View Slide

  39. REGISTERING YOUR APP

    View Slide

  40. REGISTERING YOUR APP

    View Slide

  41. REGISTERING YOUR APP

    View Slide

  42. REGISTERING YOUR APP

    View Slide

  43. REGISTERING YOUR APP

    View Slide

  44. THE WORKFLOW

    View Slide

  45. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    THE WORKFLOW
    https://accounts.spotify.com/authorize?
    client_id=0170ed62bfad4dcc90bd5b057787790e&code_challenge=1assIs_OhqosI
    koRWb8MopQ9hqHN9gj8HF4HXd06U2U&code_challenge_method=S256&state=A
    7CC19EA-D207-414D-9C6C6083A5E1237D&redirect_uri=http://
    myapp.local:10539/callback/&scope=playlist-modify-public%20playlist-modify-
    public%20user-read-email%20user-follow-modify&response_type=code

    View Slide

  46. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    THE WORKFLOW

    View Slide

  47. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    THE WORKFLOW
    LINK HREF
    https://accounts.spotify.com/authorize

    View Slide

  48. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    THE WORKFLOW
    https://accounts.spotify.com/authorize?


    client_id=0170ed62bfad4dcc90bd5b057787790e
    LINK HREF

    View Slide

  49. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    https://accounts.spotify.com/authorize?


    client_id=0170ed62bfad4dcc90bd5b057787790e


    &response_type=code
    LINK HREF
    THE WORKFLOW

    View Slide

  50. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    https://accounts.spotify.com/authorize?


    client_id=0170ed62bfad4dcc90bd5b057787790e


    &response_type=code


    &redirect_uri=https://myapp.local:10538/callback
    LINK HREF
    THE WORKFLOW

    View Slide

  51. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    https://accounts.spotify.com/authorize?


    client_id=0170ed62bfad4dcc90bd5b057787790e


    &response_type=code


    &redirect_uri=https://myapp.local:10538/callback


    &scope=playlist-modify-public user-read-email


    LINK HREF
    THE WORKFLOW

    View Slide

  52. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    https://accounts.spotify.com/authorize?


    client_id=0170ed62bfad4dcc90bd5b057787790e


    &response_type=code


    &redirect_uri=https://myapp.local:10538/callback


    &scope=playlist-modify-public user-read-email


    &state=9DC18EB2-3B79-4E05-904BD9E6590267C2
    LINK HREF
    THE WORKFLOW

    View Slide

  53. My


    Application
    Spotify
    Do you give permission for
    My Application to


    access your basic profile
    information?
    No
    Yes
    Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    THE WORKFLOW

    View Slide

  54. User Authorization Request
    Authorization Code Grant
    My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    https://myapp.local:10538/callback?code=AUTHORIZATION_CODE
    https://myapp.local:10538/callback?error=XXX
    THE WORKFLOW

    View Slide

  55. User Authorization Request
    Authorization Code Grant
    My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    THE WORKFLOW

    View Slide

  56. 10 mins
    30-60


    secs
    THE WORKFLOW

    View Slide

  57. THE WORKFLOW

    View Slide

  58. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    THE WORKFLOW
    Authorization Code Grant
    Access Token Request

    View Slide

  59. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    REQUESTING AN ACCESS TOKEN
    Authorization Code Grant
    Access Token Request

    View Slide

  60. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    REQUESTING AN ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    POST https://accounts.spotify.com/token

    View Slide

  61. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    REQUESTING AN ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    POST
    grant_type=authorization_code
    https://accounts.spotify.com/token

    View Slide

  62. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    REQUESTING AN ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    POST
    grant_type=authorization_code


    code=33160
    https://accounts.spotify.com/token

    View Slide

  63. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    REQUESTING AN ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    POST
    grant_type=authorization_code


    code=33160


    redirect_uri=https://myapp.local:10538/callback
    https://accounts.spotify.com/token

    View Slide

  64. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    REQUESTING AN ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    POST
    grant_type=authorization_code


    code=33160


    redirect_uri=https://myapp.local:10538/callback


    client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010
    https://accounts.spotify.com/token

    View Slide

  65. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    REQUESTING AN ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    POST
    grant_type=authorization_code


    code=33160


    redirect_uri=https://myapp.local:10538/callback


    client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010


    client_secret=e6b218b3a4cb46d8a11578b8a60f55fb
    https://accounts.spotify.com/token

    View Slide

  66. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    RECEIVING THE ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    Access Token Grant

    View Slide

  67. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    RECEIVING THE ACCESS TOKEN
    Authorization Code Grant
    Access Token Request
    Access Token Grant

    View Slide

  68. View Slide

  69. User Authorization Request
    Authorization Code Grant
    Access Token Request
    Access Token Grant
    Authenticated API Request
    Protected Resources
    My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    ACCESSING RESOURCES

    View Slide

  70. User Authorization Request
    Authorization Code Grant
    Access Token Request
    Access Token Grant
    Authenticated API Request
    Protected Resources
    My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
    ACCESSING RESOURCES

    View Slide

  71. ACCESSING RESOURCES

    View Slide

  72. User Authorization Request
    Authorization Code Grant
    Access Token Request
    Access Token Grant
    Authenticated API Request
    Protected Resources
    My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    ACCESSING RESOURCES

    View Slide

  73. View Slide

  74. REFRESH TOKENS

    View Slide

  75. REFRESH TOKENS

    View Slide

  76. REFRESHING AN ACCESS TOKEN
    POST https://accounts.spotify.com/token

    View Slide

  77. REFRESHING AN ACCESS TOKEN
    POST
    grant_type=refresh_token
    https://accounts.spotify.com/token

    View Slide

  78. REFRESHING AN ACCESS TOKEN
    POST
    grant_type=refresh_token


    refresh_token=SflKxwRJSMeKKF2QT4fwpM…
    https://accounts.spotify.com/token

    View Slide

  79. REFRESHING AN ACCESS TOKEN
    POST
    grant_type=refresh_token


    refresh_token=SflKxwRJSMeKKF2QT4fwpM…


    client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010
    https://accounts.spotify.com/token

    View Slide

  80. REFRESHING AN ACCESS TOKEN
    POST
    grant_type=refresh_token


    refresh_token=SflKxwRJSMeKKF2QT4fwpM…


    client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010


    client_secret=e6b218b3a4cb46d8a11578b8a60f55fb
    https://accounts.spotify.com/token

    View Slide

  81. REFRESHING AN ACCESS TOKEN

    View Slide

  82. REFRESHING AN ACCESS TOKEN

    View Slide

  83. USEFUL TOOLS #1

    View Slide

  84. USEFUL TOOLS #1

    View Slide

  85. USEFUL TOOLS #1

    View Slide

  86. USEFUL TOOLS #1

    View Slide

  87. USEFUL TOOLS #1

    View Slide

  88. USEFUL TOOLS #1

    View Slide

  89. USEFUL TOOLS #1

    View Slide

  90. CHANGES

    View Slide

  91. CHANGES

    View Slide

  92. CHANGES

    View Slide

  93. CHANGES

    View Slide

  94. CHANGES

    View Slide

  95. CHANGES

    View Slide

  96. CHANGES

    View Slide

  97. PKCE
    (Proof Key for Code Exchange)

    View Slide

  98. PKCE
    A-Z a-z 0-9 -._~
    1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3
    Code Veri
    fi
    er

    View Slide

  99. PKCE
    base64url( sha256( code_veri
    fi
    er ) )
    tZSYs8eBdSGBJpDo3wOPaj729KNWRMnkbG1moPcwB2Q
    Code Challenge

    View Slide

  100. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    PKCE
    https://accounts.spotify.com/authorize?


    client_id=0170ed62bfad4dcc90bd5b057787790e


    &response_type=code


    &redirect_uri=https://myapp.local:10538/callback


    &scope=playlist-modify-public user-read-email


    &state=9DC18EB2-3B79-4E05-904BD9E6590267C2

    View Slide

  101. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    PKCE
    https://accounts.spotify.com/authorize?


    client_id=0170ed62bfad4dcc90bd5b057787790e


    &response_type=code


    &redirect_uri=https://myapp.local:10538/callback


    &scope=playlist-modify-public user-read-email


    &state=9DC18EB2-3B79-4E05-904BD9E6590267C2


    &code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR


    &code_challenge_method=S256

    View Slide

  102. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    PKCE
    code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR


    code_challenge_method=S256

    View Slide

  103. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    PKCE
    POST
    grant_type=authorization_code


    code=10538


    redirect_uri=https://myapp.local:10538/callback


    client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010


    client_secret=e6b218b3a4cb46d8a11578b8a60f55fb
    https://accounts.spotify.com/token
    code_verifier=1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3

    View Slide

  104. My


    Application Spotify
    Authorization


    Server
    Spotify
    Resource


    Server
    User Authorization Request
    PKCE
    base64url( sha256( code_verifier ) ) = code_challenge
    ?

    View Slide

  105. USEFUL TOOLS #2

    View Slide

  106. USEFUL TOOLS #2

    View Slide

  107. USEFUL TOOLS #2

    View Slide

  108. USEFUL TOOLS #2 (AND #1)

    View Slide

  109. USEFUL TOOLS #2 (AND #1)

    View Slide

  110. USEFUL TOOLS #2

    View Slide

  111. RUNNING YOUR
    OWN OAUTH2
    SERVER

    View Slide

  112. USEFUL TOOLS #3

    View Slide

  113. USEFUL TOOLS #3

    View Slide

  114. RUNNING YOUR OWN OAUTH SERVER

    View Slide

  115. RUNNING YOUR OWN OAUTH SERVER
    gB0NV05ehAs8lkQy

    View Slide

  116. RUNNING YOUR OWN OAUTH SERVER
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGV
    zdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsI
    nNjb3BlIjoicmVhZC1wcml2YXRlIHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM
    0E2REMyNEQyOEUifQ.n4b0VpKAgf0BPVPKxjsep9TtqyoexcnygrSekWu2KV4

    View Slide

  117. RUNNING YOUR OWN OAUTH SERVER

    View Slide

  118. JWTS FOR
    ACCESS TOKENS

    View Slide

  119. HEADER
    PAYLOAD
    SIGNATURE
    JWT
    {


    "alg": "HS256",


    "typ": "JWT"


    }
    eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
    XVCJ9.

    View Slide

  120. HEADER
    PAYLOAD
    SIGNATURE
    JWT
    {


    "alg": "HS256",


    "typ": "JWT"


    }
    {


    "iat": 1508158112,


    "iss": "https://test.monkehserver.com/oauth/token",


    "sub": 1000,


    "exp": 1508161712,


    "scope": "read-private write",


    "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E"


    }
    eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
    XVCJ9.
    eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
    XVCJ9.eyJpYXQiOjE1MDgxNTgx
    MTIsImlzcyI6Imh0dHBzOi8vdGVz
    dC5tb25rZWhzZXJ2ZXIuY29tL29
    hdXRoL3Rva2VuIiwic3ViIjoxMDA
    wLCJleHAiOjE1MDgxNjE3MTIsIn
    Njb3BlIjoicmVhZC1wcml2YXRlIH
    dyaXRlIiwiYXVkIjoiQkYyMzQ3M0
    UtQTZBQS00NzdELUFEREVCM0E
    2REMyNEQyOEUifQ.

    View Slide

  121. HEADER
    PAYLOAD
    SIGNATURE
    JWT
    {


    "alg": "HS256",


    "typ": "JWT"


    }
    {


    "iat": 1508158112,


    "iss": "https://test.monkehserver.com/oauth/token",


    "sub": 1000,


    "exp": 1508161712,


    "scope": "read-private write",


    "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E"


    }
    HMACSHA256(


    base64UrlEncode(header) + "." +


    base64UrlEncode(payload),


    secret


    )
    eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
    XVCJ9.eyJpYXQiOjE1MDgxNTgx
    MTIsImlzcyI6Imh0dHBzOi8vdGVz
    dC5tb25rZWhzZXJ2ZXIuY29tL29
    hdXRoL3Rva2VuIiwic3ViIjoxMDA
    wLCJleHAiOjE1MDgxNjE3MTIsIn
    Njb3BlIjoicmVhZC1wcml2YXRlIH
    dyaXRlIiwiYXVkIjoiQkYyMzQ3M0
    UtQTZBQS00NzdELUFEREVCM0E
    2REMyNEQyOEUifQ.
    eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
    XVCJ9.eyJpYXQiOjE1MDgxNTgx
    MTIsImlzcyI6Imh0dHBzOi8vdGVz
    dC5tb25rZWhzZXJ2ZXIuY29tL29
    hdXRoL3Rva2VuIiwic3ViIjoxMDA
    wLCJleHAiOjE1MDgxNjE3MTIsIn
    Njb3BlIjoicmVhZC1wcml2YXRlIH
    dyaXRlIiwiYXVkIjoiQkYyMzQ3M0
    UtQTZBQS00NzdELUFEREVCM0E
    2REMyNEQyOEUifQ.n4b0VpKAgf
    0BPVPKxjsep9TtqyoexcnygrSek
    Wu2KV4

    View Slide

  122. RUNNING YOUR OWN OAUTH SERVER (JWT)

    View Slide

  123. RUNNING YOUR OWN OAUTH SERVER (JWT)

    View Slide

  124. USEFUL TOOLS #4

    View Slide

  125. USEFUL TOOLS #4

    View Slide

  126. USEFUL TOOLS #4 - JWT.IO

    View Slide

  127. OPENID CONNECT

    View Slide

  128. OAUTH 2.1

    View Slide

  129. OAUTH 2.1
    ➤ PKCE REQUIRED for ALL OAuth clients using authorisation code
    fl
    ow


    ➤ Redirect URI values MUST use exact-string matching


    ➤ Bearer token usage omits the use of bearer tokens in the query string of URIs


    ➤ Refresh Tokens for public clients must either be sender-constrained or one-time use
    (mobile apps and JavaScript apps)

    View Slide

  130. BLOG POSTS INCOMING
    monkehworks.com

    View Slide

  131. GITHUB
    github.com/coldfumonkeh

    View Slide

  132. OAUTH 2 FOR ME AND YOU
    Matt Gi
    ff
    ord - Adobe ColdFusion Summit 2022
    THANK YOU!

    View Slide