OAuth 2 for Me and You - 2022 Edition

Transcript

1. OAUTH 2 FOR ME AND YOU Matt Gi ff ord

   - Adobe ColdFusion Summit 2022

2. ABOUT ME @coldfumonkeh app developer / software architect writer

3. None
4. None

5. THE SETLIST ➤ OAuth? ➤ Important De fi nitions ➤

   How to be a consumer ➤ The Authorization Code Flow ➤ Useful Tools

6. THE SCENARIO

7. THE SCENARIO I am writing a web-based application for lovers

   of music. I want to access data from third-party services to enhance my application.

8. THE SCENARIO I am going to use Spotify to build

   a fun project that can generate dynamic playlists for the authenticating user.

9. THE SCENARIO My application will need to log into Spotify

   on behalf of my users to access their account information and have write access to their playlists.

10. THE SCENARIO

11. WHAT IS OAUTH?

12. WHAT IS OAUTH?

13. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?

14. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?
15. None

16. A BRIEF HISTORY

17. A BRIEF HISTORY 2006 Twitter Chief Architect looked for a

    better authentication method - no passwords 2007 OpenID development group (and contributors) came up with the OAuth 1 first draft 2007 7 updated drafts by the end of the year 2009 OAuth 2.0 spec was started “.. to clear up many of the aspects of OAuth 1 that were difficult or confusing.” 2012 OAuth 2.0 core spec was published There were MANY more revisions to the draft
18. None

19. DEFINITIONS

20. ROLES

21. ROLES Resource Owner (The User)

22. ROLES Resource Owner (The User) The Client (The App)

23. ROLES The Client (The App) Resource Owner (The User) Resource

    Server

24. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server

25. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server

26. SCOPE

27. SCOPE

28. SCOPE

29. GRANT TYPES

30. GRANT TYPES

31. TOKENS

32. TOKENS ACCESS TOKEN

33. TOKENS REFRESH TOKEN

34. BEING A CONSUMER

35. REGISTERING YOUR APP

36. REGISTERING YOUR APP

37. REGISTERING YOUR APP

38. REGISTERING YOUR APP

39. REGISTERING YOUR APP

40. REGISTERING YOUR APP

41. REGISTERING YOUR APP

42. REGISTERING YOUR APP

43. REGISTERING YOUR APP

44. THE WORKFLOW

45. My Application Spotify Authorization Server Spotify Resource Server THE WORKFLOW

    https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e&code_challenge=1assIs_OhqosI koRWb8MopQ9hqHN9gj8HF4HXd06U2U&code_challenge_method=S256&state=A 7CC19EA-D207-414D-9C6C6083A5E1237D&redirect_uri=http:// myapp.local:10539/callback/&scope=playlist-modify-public%20playlist-modify- public%20user-read-email%20user-follow-modify&response_type=code

46. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW

47. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW LINK HREF https://accounts.spotify.com/authorize

48. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e LINK HREF

49. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code LINK HREF THE WORKFLOW

50. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback LINK HREF THE WORKFLOW

51. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email LINK HREF THE WORKFLOW

52. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 LINK HREF THE WORKFLOW

53. My Application Spotify Do you give permission for My Application

    to access your basic profile information? No Yes Spotify Authorization Server Spotify Resource Server User Authorization Request THE WORKFLOW

54. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server https://myapp.local:10538/callback?code=AUTHORIZATION_CODE https://myapp.local:10538/callback?error=XXX THE WORKFLOW

55. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server THE WORKFLOW

56. 10 mins 30-60 secs THE WORKFLOW

57. THE WORKFLOW

58. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW Authorization Code Grant Access Token Request

59. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request

60. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST https://accounts.spotify.com/token

61. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code https://accounts.spotify.com/token

62. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 https://accounts.spotify.com/token

63. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback https://accounts.spotify.com/token

64. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token

65. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token

66. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant

67. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant
68. None

69. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES

70. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ACCESSING RESOURCES

71. ACCESSING RESOURCES

72. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES
73. None

74. REFRESH TOKENS

75. REFRESH TOKENS

76. REFRESHING AN ACCESS TOKEN POST https://accounts.spotify.com/token

77. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token https://accounts.spotify.com/token

78. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… https://accounts.spotify.com/token

79. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token

80. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token

81. REFRESHING AN ACCESS TOKEN

82. REFRESHING AN ACCESS TOKEN

83. USEFUL TOOLS #1

84. USEFUL TOOLS #1

85. USEFUL TOOLS #1

86. USEFUL TOOLS #1

87. USEFUL TOOLS #1

88. USEFUL TOOLS #1

89. USEFUL TOOLS #1

90. CHANGES

91. CHANGES

92. CHANGES

93. CHANGES

94. CHANGES

95. CHANGES

96. CHANGES

97. PKCE (Proof Key for Code Exchange)

98. PKCE A-Z a-z 0-9 -._~ 1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3 Code Veri fi er

99. PKCE base64url( sha256( code_veri fi er ) ) tZSYs8eBdSGBJpDo3wOPaj729KNWRMnkbG1moPcwB2Q Code

    Challenge

100. My Application Spotify Authorization Server Spotify Resource Server User Authorization

     Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2

101. My Application Spotify Authorization Server Spotify Resource Server User Authorization

     Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 &code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR &code_challenge_method=S256

102. My Application Spotify Authorization Server Spotify Resource Server User Authorization

     Request PKCE code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR code_challenge_method=S256

103. My Application Spotify Authorization Server Spotify Resource Server User Authorization

     Request PKCE POST grant_type=authorization_code code=10538 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token code_verifier=1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3

104. My Application Spotify Authorization Server Spotify Resource Server User Authorization

     Request PKCE base64url( sha256( code_verifier ) ) = code_challenge ?

105. USEFUL TOOLS #2

106. USEFUL TOOLS #2

107. USEFUL TOOLS #2

108. USEFUL TOOLS #2 (AND #1)

109. USEFUL TOOLS #2 (AND #1)

110. USEFUL TOOLS #2

111. RUNNING YOUR OWN OAUTH2 SERVER

112. USEFUL TOOLS #3

113. USEFUL TOOLS #3

114. RUNNING YOUR OWN OAUTH SERVER

115. RUNNING YOUR OWN OAUTH SERVER gB0NV05ehAs8lkQy

116. RUNNING YOUR OWN OAUTH SERVER eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGV zdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsI nNjb3BlIjoicmVhZC1wcml2YXRlIHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM 0E2REMyNEQyOEUifQ.n4b0VpKAgf0BPVPKxjsep9TtqyoexcnygrSekWu2KV4

117. RUNNING YOUR OWN OAUTH SERVER

118. JWTS FOR ACCESS TOKENS

119. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

     eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.

120. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

     { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" } eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9. eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ.

121. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

     { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ. eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ.n4b0VpKAgf 0BPVPKxjsep9TtqyoexcnygrSek Wu2KV4

122. RUNNING YOUR OWN OAUTH SERVER (JWT)

123. RUNNING YOUR OWN OAUTH SERVER (JWT)

124. USEFUL TOOLS #4

125. USEFUL TOOLS #4

126. USEFUL TOOLS #4 - JWT.IO

127. OPENID CONNECT

128. OAUTH 2.1

129. OAUTH 2.1 ➤ PKCE REQUIRED for ALL OAuth clients using

     authorisation code fl ow ➤ Redirect URI values MUST use exact-string matching ➤ Bearer token usage omits the use of bearer tokens in the query string of URIs ➤ Refresh Tokens for public clients must either be sender-constrained or one-time use (mobile apps and JavaScript apps)

130. BLOG POSTS INCOMING monkehworks.com

131. GITHUB github.com/coldfumonkeh

132. OAUTH 2 FOR ME AND YOU Matt Gi ff ord

     - Adobe ColdFusion Summit 2022 THANK YOU!