Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth 2 for Me and You - 2022 Edition

Matt Gifford
October 07, 2022
Technology
0
210

OAuth 2 for Me and You - 2022 Edition

This session was given at the Adobe ColdFusion Summit 2022 in Las Vegas, Monday October 3rd, 2022.

It covered the OAuth 2 protocol, what it means to be a consumer or provider, and how to navigate the handshake communications between the service. At the end of this session all attendees walked taller, safe in the fact that they understand OAuth 2, how to use it, and what it all means.

Matt Gifford

October 07, 2022
Tweet

More Decks by Matt Gifford

See All by Matt Gifford
ColdFusion and Vue - Building CFML-powered reactive applications
coldfumonkeh
0
950
ColdFusion and Vue - Building CFML-powered reactive applications
coldfumonkeh
0
240
Building an API with cffractal and ColdBox
coldfumonkeh
0
190
API Management from the Trenches
coldfumonkeh
0
250
Adaptive Development in a Creative World
coldfumonkeh
1
240
Get Grulping with JavaScript Task Runners
coldfumonkeh
0
360
Swing when you’re winning - an introduction to Ruby and Sinatra
coldfumonkeh
1
110
The Need For SPEED
coldfumonkeh
1
240

Other Decks in Technology

See All in Technology
MapLibreとAmazon Location Service
dayjournal
1
150
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
300
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
350
オーナーシップを持つ領域を明確にする
konifar
13
3.1k
アクセス制御にまつわる改善 / Improving access control
itkq
0
530
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
410
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
400
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
100
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
データベース02: データベースの概念
trycycle
0
150
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
130
VS CodeでAWSを操作しよう
smt7174
7
1.6k

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
The Cult of Friendly URLs
andyhume
74
5.7k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
Code Review Best Practice
trishagee
55
15k
Git: the NoSQL Database
bkeepers
PRO
422
63k
For a Future-Friendly Web
brad_frost
172
9k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
We Have a Design System, Now What?
morganepeng
43
6.7k
RailsConf 2023
tenderlove
4
540
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k

Transcript

  1. OAUTH 2 FOR ME AND YOU Matt Gi ff ord

    - Adobe ColdFusion Summit 2022

  2. ABOUT ME @coldfumonkeh app developer / software architect writer

  3. None
  4. None

  5. THE SETLIST ➤ OAuth? ➤ Important De fi nitions ➤

    How to be a consumer ➤ The Authorization Code Flow ➤ Useful Tools

  6. THE SCENARIO

  7. THE SCENARIO I am writing a web-based application for lovers

    of music. I want to access data from third-party services to enhance my application.

  8. THE SCENARIO I am going to use Spotify to build

    a fun project that can generate dynamic playlists for the authenticating user.

  9. THE SCENARIO My application will need to log into Spotify

    on behalf of my users to access their account information and have write access to their playlists.

  10. THE SCENARIO

  11. WHAT IS OAUTH?

  12. WHAT IS OAUTH?

  13. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?

  14. A delegation framework to allow secure authorization in a simple

    and standard method from web, mobile and desktop applications WHAT IS OAUTH?
  15. None

  16. A BRIEF HISTORY

  17. A BRIEF HISTORY 2006 Twitter Chief Architect looked for a

    better authentication method - no passwords 2007 OpenID development group (and contributors) came up with the OAuth 1 first draft 2007 7 updated drafts by the end of the year 2009 OAuth 2.0 spec was started “.. to clear up many of the aspects of OAuth 1 that were difficult or confusing.” 2012 OAuth 2.0 core spec was published There were MANY more revisions to the draft
  18. None

  19. DEFINITIONS

  20. ROLES

  21. ROLES Resource Owner (The User)

  22. ROLES Resource Owner (The User) The Client (The App)

  23. ROLES The Client (The App) Resource Owner (The User) Resource

    Server

  24. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server

  25. ROLES The Client (The App) Resource Owner (The User) Resource

    Server Authorization Server

  26. SCOPE

  27. SCOPE

  28. SCOPE

  29. GRANT TYPES

  30. GRANT TYPES

  31. TOKENS

  32. TOKENS ACCESS TOKEN

  33. TOKENS REFRESH TOKEN

  34. BEING A CONSUMER

  35. REGISTERING YOUR APP

  36. REGISTERING YOUR APP

  37. REGISTERING YOUR APP

  38. REGISTERING YOUR APP

  39. REGISTERING YOUR APP

  40. REGISTERING YOUR APP

  41. REGISTERING YOUR APP

  42. REGISTERING YOUR APP

  43. REGISTERING YOUR APP

  44. THE WORKFLOW

  45. My Application Spotify Authorization Server Spotify Resource Server THE WORKFLOW

    https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e&code_challenge=1assIs_OhqosI koRWb8MopQ9hqHN9gj8HF4HXd06U2U&code_challenge_method=S256&state=A 7CC19EA-D207-414D-9C6C6083A5E1237D&redirect_uri=http:// myapp.local:10539/callback/&scope=playlist-modify-public%20playlist-modify- public%20user-read-email%20user-follow-modify&response_type=code

  46. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW

  47. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW LINK HREF https://accounts.spotify.com/authorize

  48. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e LINK HREF

  49. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code LINK HREF THE WORKFLOW

  50. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback LINK HREF THE WORKFLOW

  51. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email LINK HREF THE WORKFLOW

  52. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 LINK HREF THE WORKFLOW

  53. My Application Spotify Do you give permission for My Application

    to access your basic profile information? No Yes Spotify Authorization Server Spotify Resource Server User Authorization Request THE WORKFLOW

  54. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server https://myapp.local:10538/callback?code=AUTHORIZATION_CODE https://myapp.local:10538/callback?error=XXX THE WORKFLOW

  55. User Authorization Request Authorization Code Grant My Application Spotify Authorization

    Server Spotify Resource Server THE WORKFLOW

  56. 10 mins 30-60 secs THE WORKFLOW

  57. THE WORKFLOW

  58. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request THE WORKFLOW Authorization Code Grant Access Token Request

  59. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request

  60. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST https://accounts.spotify.com/token

  61. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code https://accounts.spotify.com/token

  62. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 https://accounts.spotify.com/token

  63. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback https://accounts.spotify.com/token

  64. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token

  65. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request REQUESTING AN ACCESS TOKEN Authorization Code Grant Access Token Request POST grant_type=authorization_code code=33160 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token

  66. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant

  67. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request RECEIVING THE ACCESS TOKEN Authorization Code Grant Access Token Request Access Token Grant
  68. None

  69. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES

  70. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ACCESSING RESOURCES

  71. ACCESSING RESOURCES

  72. User Authorization Request Authorization Code Grant Access Token Request Access

    Token Grant Authenticated API Request Protected Resources My Application Spotify Authorization Server Spotify Resource Server ACCESSING RESOURCES
  73. None

  74. REFRESH TOKENS

  75. REFRESH TOKENS

  76. REFRESHING AN ACCESS TOKEN POST https://accounts.spotify.com/token

  77. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token https://accounts.spotify.com/token

  78. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… https://accounts.spotify.com/token

  79. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 https://accounts.spotify.com/token

  80. REFRESHING AN ACCESS TOKEN POST grant_type=refresh_token refresh_token=SflKxwRJSMeKKF2QT4fwpM… client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token

  81. REFRESHING AN ACCESS TOKEN

  82. REFRESHING AN ACCESS TOKEN

  83. USEFUL TOOLS #1

  84. USEFUL TOOLS #1

  85. USEFUL TOOLS #1

  86. USEFUL TOOLS #1

  87. USEFUL TOOLS #1

  88. USEFUL TOOLS #1

  89. USEFUL TOOLS #1

  90. CHANGES

  91. CHANGES

  92. CHANGES

  93. CHANGES

  94. CHANGES

  95. CHANGES

  96. CHANGES

  97. PKCE (Proof Key for Code Exchange)

  98. PKCE A-Z a-z 0-9 -._~ 1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3 Code Veri fi er

  99. PKCE base64url( sha256( code_veri fi er ) ) tZSYs8eBdSGBJpDo3wOPaj729KNWRMnkbG1moPcwB2Q Code

    Challenge

  100. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2

  101. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE https://accounts.spotify.com/authorize? client_id=0170ed62bfad4dcc90bd5b057787790e &response_type=code &redirect_uri=https://myapp.local:10538/callback &scope=playlist-modify-public user-read-email &state=9DC18EB2-3B79-4E05-904BD9E6590267C2 &code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR &code_challenge_method=S256

  102. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE code_challenge=tZSYs8eBdSGBJpDo3wOPaj729KNWR code_challenge_method=S256

  103. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE POST grant_type=authorization_code code=10538 redirect_uri=https://myapp.local:10538/callback client_id=a3dd5f928fb04a1f8b5f7bdd3dbd3010 client_secret=e6b218b3a4cb46d8a11578b8a60f55fb https://accounts.spotify.com/token code_verifier=1XxTnj2kNC2Szytqp7WDck3jVUD61nu5KwtQQJBIL_HIH6R3

  104. My Application Spotify Authorization Server Spotify Resource Server User Authorization

    Request PKCE base64url( sha256( code_verifier ) ) = code_challenge ?

  105. USEFUL TOOLS #2

  106. USEFUL TOOLS #2

  107. USEFUL TOOLS #2

  108. USEFUL TOOLS #2 (AND #1)

  109. USEFUL TOOLS #2 (AND #1)

  110. USEFUL TOOLS #2

  111. RUNNING YOUR OWN OAUTH2 SERVER

  112. USEFUL TOOLS #3

  113. USEFUL TOOLS #3

  114. RUNNING YOUR OWN OAUTH SERVER

  115. RUNNING YOUR OWN OAUTH SERVER gB0NV05ehAs8lkQy

  116. RUNNING YOUR OWN OAUTH SERVER eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MDgxNTgxMTIsImlzcyI6Imh0dHBzOi8vdGV zdC5tb25rZWhzZXJ2ZXIuY29tL29hdXRoL3Rva2VuIiwic3ViIjoxMDAwLCJleHAiOjE1MDgxNjE3MTIsI nNjb3BlIjoicmVhZC1wcml2YXRlIHdyaXRlIiwiYXVkIjoiQkYyMzQ3M0UtQTZBQS00NzdELUFEREVCM 0E2REMyNEQyOEUifQ.n4b0VpKAgf0BPVPKxjsep9TtqyoexcnygrSekWu2KV4

  117. RUNNING YOUR OWN OAUTH SERVER

  118. JWTS FOR ACCESS TOKENS

  119. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

    eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.

  120. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

    { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" } eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9. eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ.

  121. HEADER PAYLOAD SIGNATURE JWT { "alg": "HS256", "typ": "JWT" }

    { "iat": 1508158112, "iss": "https://test.monkehserver.com/oauth/token", "sub": 1000, "exp": 1508161712, "scope": "read-private write", "aud": "BF23473E-A6AA-477D-ADDEB3A6DC24D28E" } HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ. eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9.eyJpYXQiOjE1MDgxNTgx MTIsImlzcyI6Imh0dHBzOi8vdGVz dC5tb25rZWhzZXJ2ZXIuY29tL29 hdXRoL3Rva2VuIiwic3ViIjoxMDA wLCJleHAiOjE1MDgxNjE3MTIsIn Njb3BlIjoicmVhZC1wcml2YXRlIH dyaXRlIiwiYXVkIjoiQkYyMzQ3M0 UtQTZBQS00NzdELUFEREVCM0E 2REMyNEQyOEUifQ.n4b0VpKAgf 0BPVPKxjsep9TtqyoexcnygrSek Wu2KV4

  122. RUNNING YOUR OWN OAUTH SERVER (JWT)

  123. RUNNING YOUR OWN OAUTH SERVER (JWT)

  124. USEFUL TOOLS #4

  125. USEFUL TOOLS #4

  126. USEFUL TOOLS #4 - JWT.IO

  127. OPENID CONNECT

  128. OAUTH 2.1

  129. OAUTH 2.1 ➤ PKCE REQUIRED for ALL OAuth clients using

    authorisation code fl ow ➤ Redirect URI values MUST use exact-string matching ➤ Bearer token usage omits the use of bearer tokens in the query string of URIs ➤ Refresh Tokens for public clients must either be sender-constrained or one-time use (mobile apps and JavaScript apps)

  130. BLOG POSTS INCOMING monkehworks.com

  131. GITHUB github.com/coldfumonkeh

  132. OAUTH 2 FOR ME AND YOU Matt Gi ff ord

    - Adobe ColdFusion Summit 2022 THANK YOU!