
OAuth 2 for Me and You - 2022 Edition


This session was given at the Adobe ColdFusion Summit 2022 in Las Vegas, Monday October 3rd, 2022.

It covered the OAuth 2 protocol, what it means to be a consumer or provider, and how to navigate the handshake communications between the services. At the end of this session all attendees walked taller, safe in the knowledge that they understand OAuth 2, how to use it, and what it all means.

Matt Gifford

October 07, 2022

Transcript

  1. OAUTH 2 FOR ME AND YOU Matt Gifford

    - Adobe ColdFusion Summit 2022
  2. ABOUT ME @coldfumonkeh app developer / software architect writer

  3. None
  4. None
  5. THE SETLIST

    ➤ OAuth?
    ➤ Important Definitions
    ➤ How to be a consumer
    ➤ The Authorization Code Flow
    ➤ Useful Tools
  6. THE SCENARIO

  7. THE SCENARIO I am writing a web-based application for lovers

    of music. I want to access data from third-party services to enhance my application.
  8. THE SCENARIO I am going to use Spotify to build

    a fun project that can generate dynamic playlists for the authenticating user.
  9. THE SCENARIO My application will need to log into Spotify

    on behalf of my users to access their account information and have write access to their playlists.
  10. THE SCENARIO

  11. WHAT IS OAUTH?

  12. WHAT IS OAUTH?

  13. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?
  14. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?
  15. None
  16. A BRIEF HISTORY

  17. A BRIEF HISTORY

    2006 Twitter Chief Architect looked for a better authentication method - no passwords
    2007 OpenID development group (and contributors) came up with the OAuth 1 first draft
    2007 7 updated drafts by the end of the year
    2009 OAuth 2.0 spec was started “.. to clear up many of the aspects of OAuth 1 that were difficult or confusing.”
    2012 OAuth 2.0 core spec was published
    There were MANY more revisions to the draft
  18. None
  19. DEFINITIONS

  20. ROLES

  21. ROLES Resource Owner (The User)

  22. ROLES Resource Owner (The User) The Client (The App)

  23. ROLES The Client (The App) Resource Owner (The User) Resource

    Server
  24. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server
  25. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server
  26. SCOPE

  27. SCOPE

  28. SCOPE

  29. GRANT TYPES

  30. GRANT TYPES

  31. TOKENS

  32. TOKENS ACCESS TOKEN

  33. TOKENS REFRESH TOKEN

  34. BEING A CONSUMER

  35. REGISTERING YOUR APP

  36. REGISTERING YOUR APP

  37. REGISTERING YOUR APP

  38. REGISTERING YOUR APP

  39. REGISTERING YOUR APP

  40. REGISTERING YOUR APP

  41. REGISTERING YOUR APP

  42. REGISTERING YOUR APP

  43. REGISTERING YOUR APP

  44. THE WORKFLOW

  45. My Application Spotify Authorization Server Spotify Resource Server THE WORKFLOW

    https://accounts.spotify.com/authorize?client_id=0170ed62bfad4dcc90bd5b057787790e&code_challenge=1assIs_OhqosIkoRWb8MopQ9hqHN9gj8HF4HXd06U2U&code_challenge_method=S256&state=A7CC19EA-D207-414D-9C6C6083A5E1237D&redirect_uri=http://myapp.local:10539/callback/&scope=playlist-modify-public%20playlist-modify-public%20user-read-email%20user-follow-modify&response_type=code
  46. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW
  47. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW LINK HREF https://accounts.spotify.com/authorize
  48. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e LINK HREF
  49. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code LINK HREF THE WORKFLOW
  50. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback LINK HREF THE WORKFLOW
  51. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email LINK HREF THE WORKFLOW
  52. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 LINK HREF THE WORKFLOW
  53. My Application Spotify Do you give permission for My Application

    to access your basic profile information? No Yes Spotify Authorization Server Spotify Resource Server User Authorization Request THE WORKFLOW
  54. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server https://myapp.local:10538/callback?code=AUTHORIZATION_CODE https://myapp.local:10538/callback?error=XXX THE WORKFLOW
  55. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server THE WORKFLOW
  56. 10 mins 30-60 secs THE WORKFLOW

  57. THE WORKFLOW

  58. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW Authorization Code Grant Access Token Request
  59. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request
  60. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST https://accounts.spotify.com/token
  61. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code https://accounts.spotify.com/token
  62. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 https://accounts.spotify.com/token
  63. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback https://accounts.spotify.com/token
  64. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token
  65. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token
  66. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant
  67. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant
  68. None
  69. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES
  70. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ACCESSING RESOURCES
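The consumer side of the flow that slides 45 to 70 build up one parameter at a time, as one piece of working code. This is an example added to this transcript, not code from the talk or from the app it describes: the Spotify endpoints and the redirect URI are the ones on the slides, while the client id, client secret, callback query strings and token response are constructed placeholders. It shows the three things the slides leave implicit: the `state` value is generated per request and checked before anything else in the callback is trusted, an `error` redirect is handled as a distinct outcome from a missing code, and the client secret appears only in the back-channel token request.

```python
"""Consumer side of the authorization code flow the slides walk through
(authorize URL -> callback -> token request -> bearer header).
Example code added to this transcript, not from the talk or the app it
describes; the client credentials below are placeholders."""
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://accounts.spotify.com/authorize"  # endpoint shown on the slides
TOKEN_URL = "https://accounts.spotify.com/token"          # endpoint shown on the slides
REDIRECT_URI = "https://myapp.local:10538/callback"      # redirect shown on the slides

# Placeholders standing in for the registered app's credentials (assumed values).
CLIENT_ID = "EXAMPLE_CLIENT_ID"
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"


def new_state():
    """Unguessable per-request value. The app keeps it in the user's session and
    compares it on the way back, so a callback can only complete the request
    this browser started."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state, scopes):
    """Front-channel request (slide 52). Scopes are space separated; quote_via=quote
    renders the space as %20 the way the slides show it."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


class CallbackError(Exception):
    """The redirect back to /callback cannot be turned into a token request."""


def handle_callback(callback_url, expected_state):
    """Return the authorization code from the redirect (slide 54) or raise.
    The state check comes first: nothing else in the query is trusted before it."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise CallbackError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise CallbackError("authorization server returned error=" + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("callback carried neither code nor error")
    return code


def build_token_request(code):
    """Back-channel POST body (slide 65). The client_secret travels only here,
    server to server; it never appears in the browser-visible authorize URL."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the authorize request exactly
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return TOKEN_URL, form


def parse_token_response(body, now):
    """Shape the JSON token response into what the app stores. expires_in is
    relative, so it is converted to an absolute instant here; the granted scope
    can be narrower than what was asked for, so it is kept for later checks."""
    if body.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(body.get("token_type")))
    return {
        "authorization_header": "Bearer " + body["access_token"],  # slide 70
        "expires_at": now + int(body["expires_in"]),
        "refresh_token": body.get("refresh_token"),
        "granted_scope": set(body.get("scope", "").split()),
    }


if __name__ == "__main__":
    # Constructed walk-through: the callback and the token response are made up.
    st = new_state()
    print(build_authorize_url(st, ["playlist-modify-public", "user-read-email"]))
    code = handle_callback(REDIRECT_URI + "?code=CONSTRUCTED_CODE&state=" + st, st)
    print(build_token_request(code))
    print(parse_token_response({"access_token": "CONSTRUCTED", "token_type": "Bearer",
                                "scope": "user-read-email", "expires_in": 3600,
                                "refresh_token": "CONSTRUCTED_RT"}, now=0))
```

`build_token_request` returns the URL and form body rather than performing the POST, so the piece that needs a network (and the secret) stays in one place; the rest runs offline against constructed input.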
  71. ACCESSING RESOURCES

  72. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES
  73. None
  74. REFRESH TOKENS

  75. REFRESH TOKENS

  76. REFRESHING AN ACCESS TOKEN POST https://accounts.spotify.com/token

  77. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token https://accounts.spotify.com/token

  78. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… https://accounts.spotify.com/token

  79. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token

  80. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token

  81. REFRESHING AN ACCESS TOKEN

  82. REFRESHING AN ACCESS TOKEN

  83. USEFUL TOOLS #1

  84. USEFUL TOOLS #1

  85. USEFUL TOOLS #1

  86. USEFUL TOOLS #1

  87. USEFUL TOOLS #1

  88. USEFUL TOOLS #1

  89. USEFUL TOOLS #1

  90. CHANGES

  91. CHANGES

  92. CHANGES

  93. CHANGES

  94. CHANGES

  95. CHANGES

  96. CHANGES

  97. PKCE (Proof Key for Code Exchange)

  98. PKCE Code Verifier A-Z a-z 0-9 -._~ 1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3

  99. PKCE Code Challenge base64url( sha256( code_verifier ) ) tZSYs8eBdSGBJpDo3wOPaj729KNWRMnkbG1moPcwB2Q
  100. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2
  101. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 &code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR &code_challenge_method=S256
  102. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR code_challenge_method=S256
  103. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE POST grant_type=authorization_code code=10538 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token code_verifier=1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3
  104. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE base64url( sha256( code_verifier ) ) = code_challenge ?
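Slides 98 to 104 describe PKCE in three steps: a random code verifier drawn from the unreserved alphabet, the S256 challenge sent with the authorization request, and the server recomputing `base64url(sha256(code_verifier))` when the verifier arrives at the token endpoint. The following is an example added to this transcript, not code from the talk; it uses the alphabet and the length limits of RFC 7636 and a constructed verifier rather than the values on the slides. The server-side function also shows the checks a practitioner wants around the comparison: the method is pinned to S256, the verifier is validated for length and alphabet before hashing, and the comparison is constant-time.

```python
"""PKCE as shown on slides 98-104: the client generates a code_verifier, sends
base64url(sha256(code_verifier)) as code_challenge with code_challenge_method=S256,
and the authorization server repeats that computation when the code_verifier
arrives at the token endpoint. Example code added to this transcript, not the talk's."""
import base64
import hashlib
import secrets
import string

# Unreserved characters from RFC 7636, the alphabet slide 98 lists: A-Z a-z 0-9 -._~
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def b64url(data):
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(length=64):
    """Fresh secret per authorization request; RFC 7636 allows 43 to 128 characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier):
    """The value that goes into the authorize URL as code_challenge (slide 99)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def server_accepts_verifier(stored_challenge, stored_method, code_verifier):
    """Authorization server side (slide 104): recompute and compare in constant time.
    The challenge and method were stored with the authorization code when it was
    issued. Only S256 is accepted; 'plain' is refused by this server."""
    if stored_method != "S256":
        return False
    if not 43 <= len(code_verifier) <= 128:
        return False
    if any(ch not in VERIFIER_ALPHABET for ch in code_verifier):
        return False
    return secrets.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def authorize_params_with_pkce(base_params, code_challenge):
    """Add the two PKCE parameters slide 101 appends to the authorize request."""
    return {**base_params, "code_challenge": code_challenge, "code_challenge_method": "S256"}


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("code_verifier: ", verifier)
    print("code_challenge:", challenge)
    print("server accepts:", server_accepts_verifier(challenge, "S256", verifier))
```

The verifier never leaves the client until the token request, so an authorization code seen in transit cannot be redeemed without it; that is the property the question mark on slide 104 is asking the server to enforce.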
  105. USEFUL TOOLS #2

  106. USEFUL TOOLS #2

  107. USEFUL TOOLS #2

  108. USEFUL TOOLS #2 (AND #1)

  109. USEFUL TOOLS #2 (AND #1)

  110. USEFUL TOOLS #2

  111. RUNNING YOUR OWN OAUTH2 SERVER

  112. USEFUL TOOLS #3

  113. USEFUL TOOLS #3

  114. RUNNING YOUR OWN OAUTH SERVER

  115. RUNNING YOUR OWN OAUTH SERVER gB0NV05ehAs8lkQy

  116. RUNNING YOUR OWN OAUTH SERVER eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGVzdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsInNjb3BlIjoicmVhZC1wcml2YXRlIHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM0E2REMyNEQyOEUifQ.n4b0VpKAgf0BPVPKxjsep9TtqyoexcnygrSekWu2KV4

  117. RUNNING YOUR OWN OAUTH SERVER

  118. JWTS FOR ACCESS TOKENS

  119. JWT: HEADER PAYLOAD SIGNATURE

    Header: { "alg": "HS256", "typ": "JWT" }
    Encoded: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
  120. JWT: HEADER PAYLOAD SIGNATURE

    Header: { "alg": "HS256", "typ": "JWT" }
    Payload: { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" }
    Encoded: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGVzdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsInNjb3BlIjoicmVhZC1wcml2YXRlIHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM0E2REMyNEQyOEUifQ.
  121. JWT: HEADER PAYLOAD SIGNATURE

    Header: { "alg": "HS256", "typ": "JWT" }
    Payload: { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" }
    Signature: HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
    Encoded: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGVzdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsInNjb3BlIjoicmVhZC1wcml2YXRlIHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM0E2REMyNEQyOEUifQ.n4b0VpKAgf0BPVPKxjsep9TtqyoexcnygrSekWu2KV4
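Slides 119 to 121 draw the JWT used as an access token as three base64url segments, with the signature being `HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)`. The code below is an example added to this transcript, not the talk's server: it mints such a token and, more importantly for the resource server, verifies one. The secret and the claim values are constructed; the claim names (`iss`, `sub`, `aud`, `exp`, `iat`, `scope`) are the ones on slide 120. Verification pins the algorithm to HS256 before looking at the signature, compares in constant time, and then checks issuer, audience and expiry, which is what those claims exist for.

```python
"""JWT access tokens as drawn on slides 119-121: header.payload.signature, where
signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret).
Example code added to this transcript; the secret and claims below are constructed,
not the talk's. Verification checks what the slide 120 claims are for: iss, aud, exp."""
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ALG = "HS256"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, secret):
    """Authorization server side: compact JSON, then sign header.payload."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token):
    """Parse only, for logging or debugging (what jwt.io displays). Nothing here is
    trustworthy until verify_hs256 has accepted the token."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token, secret, issuer, audience, now=None):
    """Resource server side. Order: shape, pinned algorithm, signature, then claims.
    Returns the claims on success and raises ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm; the token's alg field is only checked against it.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def has_scope(claims, required):
    """Scope is a space separated string, as in 'read-private write' on slide 120."""
    return required in claims.get("scope", "").split()


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    claims = {"iat": 1508158112, "iss": "https://issuer.example/oauth/token", "sub": 1000,
              "exp": 1508161712, "scope": "read-private write", "aud": "CONSTRUCTED-AUD"}
    token = mint_hs256(claims, secret)
    print(token)
    print(verify_hs256(token, secret, claims["iss"], claims["aud"], now=1508158200))
```

Because the header is the fixed compact JSON `{"alg":"HS256","typ":"JWT"}`, every token this mints starts with the same `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` segment that appears on slides 116 and 119.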
  122. RUNNING YOUR OWN OAUTH SERVER (JWT)

  123. RUNNING YOUR OWN OAUTH SERVER (JWT)

  124. USEFUL TOOLS #4

  125. USEFUL TOOLS #4

  126. USEFUL TOOLS #4 - JWT.IO

  127. OPENID CONNECT

  128. OAUTH 2.1

  129. OAUTH 2.1

    ➤ PKCE REQUIRED for ALL OAuth clients using authorisation code flow
    ➤ Redirect URI values MUST use exact-string matching
    ➤ Bearer token usage omits the use of bearer tokens in the query string of URIs
    ➤ Refresh Tokens for public clients must either be sender-constrained or one-time use (mobile apps and JavaScript apps)
  130. BLOG POSTS INCOMING monkehworks.com

  131. GITHUB github.com/coldfumonkeh

  132. OAUTH 2 FOR ME AND YOU Matt Gifford

    - Adobe ColdFusion Summit 2022 THANK YOU!