Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2 for Me and You - 2022 Edition

Matt Gifford
October 07, 2022
Technology
0
240

OAuth 2 for Me and You - 2022 Edition

This session was given at the Adobe ColdFusion Summit 2022 in Las Vegas, Monday October 3rd, 2022.

It covered the OAuth 2 protocol, what it means to be a consumer or provider, and how to navigate the handshake communications between the service. At the end of this session all attendees walked taller, safe in the fact that they understand OAuth 2, how to use it, and what it all means.

Matt Gifford

October 07, 2022
Tweet

More Decks by Matt Gifford

See All by Matt Gifford
ColdFusion and Vue - Building CFML-powered reactive applications
coldfumonkeh
0
1.1k
ColdFusion and Vue - Building CFML-powered reactive applications
coldfumonkeh
0
290
Building an API with cffractal and ColdBox
coldfumonkeh
0
200
API Management from the Trenches
coldfumonkeh
0
260
Adaptive Development in a Creative World
coldfumonkeh
1
240
Get Grulping with JavaScript Task Runners
coldfumonkeh
0
360
Swing when you’re winning - an introduction to Ruby and Sinatra
coldfumonkeh
1
120
The Need For SPEED
coldfumonkeh
1
240

Other Decks in Technology

See All in Technology
How to be an AWS Community Builder | 君もAWS Community Builderになろう!〜2024 冬 CB募集直前対策編?!〜
coosuke
PRO
2
2.9k
Google Cloud で始める Cloud Run 〜AWSとの比較と実例デモで解説〜
risatube
PRO
0
120
Oracle Cloud Infrastructure:2024年12月度サービス・アップデート
oracle4engineer
PRO
1
270
開発生産性向上! 育成を「改善」と捉えるエンジニア育成戦略
shoota
2
460
Fanstaの1年を大解剖! 一人SREはどこまでできるのか!?
syossan27
2
180
いまからでも遅くないコンテナ座学
nomu
0
130
サイバー攻撃を想定したセキュリティガイドライン 策定とASM及びCNAPPの活用方法
syoshie
3
1.4k
[Oracle TechNight#85] Oracle Autonomous Databaseを使ったAI活用入門
oracle4engineer
PRO
1
120
社内イベント管理システムを1週間でAKSからACAに移行した話し
shingo_kawahara
0
200
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
550
ずっと昔に Star をつけたはずの 思い出せない GitHub リポジトリを見つけたい!
rokuosan
0
160
ハイテク休憩
sat
PRO
2
180

Featured

See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
450
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
3
170
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
95
17k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Thoughts on Productivity
jonyablonski
68
4.4k
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
Adopting Sorbet at Scale
ufuk
73
9.1k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Six Lessons from altMBA
skipperchong
27
3.5k
Automating Front-end Workflow
addyosmani
1366
200k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k

Transcript

  1. OAUTH 2 FOR ME AND YOU Matt Gi ff ord

    - Adobe ColdFusion Summit 2022

  2. ABOUT ME @coldfumonkeh app developer / software architect writer

  3. None
  4. None

  5. THE SETLIST ➤ OAuth? ➤ Important De fi nitions ➤

    How to be a consumer ➤ The Authorization Code Flow ➤ Useful Tools

  6. THE SCENARIO

  7. THE SCENARIO I am writing a web-based application for lovers

    of music. I want to access data from third-party services to enhance my application.

  8. THE SCENARIO I am going to use Spotify to build

    a fun project that can generate dynamic playlists for the authenticating user.

  9. THE SCENARIO My application will need to log into Spotify

    on behalf of my users to access their account information and have write access to their playlists.

  10. THE SCENARIO

  11. WHAT IS OAUTH?

  12. WHAT IS OAUTH?

  13. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?

  14. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?
  15. None

  16. A BRIEF HISTORY

  17. A BRIEF HISTORY 2006 Twitter Chief Architect looked for a

    better authentication method - no passwords 2007 OpenID development group (and contributors) came up with the OAuth 1 first draft 2007 7 updated drafts by the end of the year 2009 OAuth 2.0 spec was started “.. to clear up many of the aspects of OAuth 1 that were difficult or confusing.” 2012 OAuth 2.0 core spec was published There were MANY more revisions to the draft
  18. None

  19. DEFINITIONS

  20. ROLES

  21. ROLES Resource Owner (The User)

  22. ROLES Resource Owner (The User) The Client (The App)

  23. ROLES The Client (The App) Resource Owner (The User) Resource

    Server

  24. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server

  25. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server

  26. SCOPE

  27. SCOPE

  28. SCOPE

  29. GRANT TYPES

  30. GRANT TYPES

  31. TOKENS

  32. TOKENS ACCESS TOKEN

  33. TOKENS REFRESH TOKEN

  34. BEING A CONSUMER

  35. REGISTERING YOUR APP

  36. REGISTERING YOUR APP

  37. REGISTERING YOUR APP

  38. REGISTERING YOUR APP

  39. REGISTERING YOUR APP

  40. REGISTERING YOUR APP

  41. REGISTERING YOUR APP

  42. REGISTERING YOUR APP

  43. REGISTERING YOUR APP

  44. THE WORKFLOW

  45. My Application Spotify Authorization Server Spotify Resource Server THE WORKFLOW

    https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e&code_challenge=1assIs_OhqosI koRWb8MopQ9hqHN9gj8HF4HXd06U2U&code_challenge_method=S256&state=A 7CC19EA-D207-414D-9C6C6083A5E1237D&redirect_uri=http:// myapp.local:10539/callback/&scope=playlist-modify-public%20playlist-modify- public%20user-read-email%20user-follow-modify&response_type=code

  46. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW

  47. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW LINK HREF https://accounts.spotify.com/authorize

  48. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e LINK HREF

  49. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code LINK HREF THE WORKFLOW

  50. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback LINK HREF THE WORKFLOW

  51. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email LINK HREF THE WORKFLOW

  52. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 LINK HREF THE WORKFLOW

  53. My Application Spotify Do you give permission for My Application

    to access your basic profile information? No Yes Spotify Authorization Server Spotify Resource Server User Authorization Request THE WORKFLOW

  54. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server https://myapp.local:10538/callback?code=AUTHORIZATION_CODE https://myapp.local:10538/callback?error=XXX THE WORKFLOW

  55. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server THE WORKFLOW

  56. 10 mins 30-60 secs THE WORKFLOW

  57. THE WORKFLOW

  58. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW Authorization Code Grant Access Token Request

  59. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request

  60. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST https://accounts.spotify.com/token

  61. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code https://accounts.spotify.com/token

  62. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 https://accounts.spotify.com/token

  63. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback https://accounts.spotify.com/token

  64. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token

  65. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token

  66. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant

  67. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant
  68. None

  69. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES

  70. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ACCESSING RESOURCES

  71. ACCESSING RESOURCES

  72. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES
  73. None

  74. REFRESH TOKENS

  75. REFRESH TOKENS

  76. REFRESHING AN ACCESS TOKEN POST https://accounts.spotify.com/token

  77. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token https://accounts.spotify.com/token

  78. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… https://accounts.spotify.com/token

  79. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token

  80. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token

  81. REFRESHING AN ACCESS TOKEN

  82. REFRESHING AN ACCESS TOKEN

  83. USEFUL TOOLS #1

  84. USEFUL TOOLS #1

  85. USEFUL TOOLS #1

  86. USEFUL TOOLS #1

  87. USEFUL TOOLS #1

  88. USEFUL TOOLS #1

  89. USEFUL TOOLS #1

  90. CHANGES

  91. CHANGES

  92. CHANGES

  93. CHANGES

  94. CHANGES

  95. CHANGES

  96. CHANGES

  97. PKCE (Proof Key for Code Exchange)

  98. PKCE A-Z a-z 0-9 -._~ 1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3 Code Veri fi er

  99. PKCE base64url( sha256( code_veri fi er ) ) tZSYs8eBdSGBJpDo3wOPaj729KNWRMnkbG1moPcwB2Q Code

    Challenge

  100. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2

  101. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 &code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR &code_challenge_method=S256

  102. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR code_challenge_method=S256

  103. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE POST grant_type=authorization_code code=10538 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token code_verifier=1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3

  104. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE base64url( sha256( code_verifier ) ) = code_challenge ?

  105. USEFUL TOOLS #2

  106. USEFUL TOOLS #2

  107. USEFUL TOOLS #2

  108. USEFUL TOOLS #2 (AND #1)

  109. USEFUL TOOLS #2 (AND #1)

  110. USEFUL TOOLS #2

  111. RUNNING YOUR OWN OAUTH2 SERVER

  112. USEFUL TOOLS #3

  113. USEFUL TOOLS #3

  114. RUNNING YOUR OWN OAUTH SERVER

  115. RUNNING YOUR OWN OAUTH SERVER gB0NV05ehAs8lkQy

  116. RUNNING YOUR OWN OAUTH SERVER eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGV zdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsI nNjb3BlIjoicmVhZC1wcml2YXRlIHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM 0E2REMyNEQyOEUifQ.n4b0VpKAgf0BPVPKxjsep9TtqyoexcnygrSekWu2KV4

  117. RUNNING YOUR OWN OAUTH SERVER

  118. JWTS FOR ACCESS TOKENS

  119. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

    eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.

  120. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

    { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" } eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9. eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ.

  121. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

    { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ. eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ.n4b0VpKAgf 0BPVPKxjsep9TtqyoexcnygrSek Wu2KV4

  122. RUNNING YOUR OWN OAUTH SERVER (JWT)

  123. RUNNING YOUR OWN OAUTH SERVER (JWT)

  124. USEFUL TOOLS #4

  125. USEFUL TOOLS #4

  126. USEFUL TOOLS #4 - JWT.IO

  127. OPENID CONNECT

  128. OAUTH 2.1

  129. OAUTH 2.1 ➤ PKCE REQUIRED for ALL OAuth clients using

    authorisation code fl ow ➤ Redirect URI values MUST use exact-string matching ➤ Bearer token usage omits the use of bearer tokens in the query string of URIs ➤ Refresh Tokens for public clients must either be sender-constrained or one-time use (mobile apps and JavaScript apps)

  130. BLOG POSTS INCOMING monkehworks.com

  131. GITHUB github.com/coldfumonkeh

  132. OAUTH 2 FOR ME AND YOU Matt Gi ff ord

    - Adobe ColdFusion Summit 2022 THANK YOU!