OAuth2.0: an introduction

Samuele

January 15, 2020

Transcript

  1. OAuth 2.0 An Introduction Samuele Lilli * DonCallisto - Rimini, Jan 15 2020
  2. WHO AM I? https://github.com/DonCallisto https://stackoverflow.com/users/814253/doncallisto https://labs.madisoft.it/ samuele.lilli@gmail.com

  3. WE’RE HIRING! https://labs.madisoft.it/entra-nel-team/

  4. https://xkcd.com/936/

  5. SECRET UNIQUE RANDOM LONG (15+ CHARS)

  6. CHANGE IT REGULARLY!

  7. “Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.” Clifford Stoll
  8. PASSWORD SECURITY IS NOT UNDER YOUR DIRECT CONTROL (CAN’T ASSUME YOUR PASSWORD IS STORED IN A SECURE WAY)
  9. OAuth 2.0

  11. THE ISSUE (OF GIVING TO 3rd PARTY YOUR PASSWORD)
    • Password stored in clear-text.
    • Servers are required to support password authentication, despite the security weaknesses inherent in passwords.
    • Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
    • Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password.
    • Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  12. “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749
  18–22. Login-with-Google storyboard (diagram, built up over slides 18–22): stackoverflow.com sends the user to google.com; the user enters username and password on google.com; google.com asks “stackoverflow.com wants to access your profile” with grant / deny; after grant, google.com redirects to the stackoverflow.com callback.
  23. “The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749
  24. AUTHORIZATION != AUTHENTICATION

  25. OpenID CONNECT “OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html
  28. GLOSSARY
    • Resource Owner: An entity capable of granting access to a protected resource.
    • Resource Server: The server hosting the protected resources.
    • Client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics.
    • Access Token: Credentials used to access protected resources. An access token is a string representing an authorization issued to the client.
    • Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
    • Refresh Token: Credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.
  29–35. (Diagram, built up over slides 29–35; actors: CLIENT, RESOURCE OWNER, AUTHORIZATION SERVER, RESOURCE SERVER)
    • CLIENT → RESOURCE OWNER: AUTHORIZATION REQUEST
    • RESOURCE OWNER → CLIENT: AUTHORIZATION GRANT
    • CLIENT → AUTHORIZATION SERVER: AUTHORIZATION GRANT
    • AUTHORIZATION SERVER → CLIENT: ACCESS TOKEN
    • CLIENT → RESOURCE SERVER: ACCESS TOKEN
    • RESOURCE SERVER → CLIENT: RESOURCES
  36–42. (Diagram, built up over slides 36–42; actors: CLIENT, AUTHORIZATION SERVER, RESOURCE SERVER)
    • CLIENT → AUTHORIZATION SERVER: AUTHORIZATION GRANT
    • AUTHORIZATION SERVER → CLIENT: ACCESS TOKEN & REFRESH TOKEN
    • CLIENT → RESOURCE SERVER: ACCESS TOKEN
    • RESOURCE SERVER → CLIENT: RESOURCES
    • CLIENT → RESOURCE SERVER: ACCESS TOKEN (the access token has meanwhile expired)
    • RESOURCE SERVER → CLIENT: INVALID TOKEN
    • CLIENT → AUTHORIZATION SERVER: REFRESH TOKEN
    • AUTHORIZATION SERVER → CLIENT: ACCESS TOKEN & (OPTIONAL) REFRESH TOKEN
  43. CLIENT REGISTRATION
    • NOT DEFINED BY THE OAUTH SPEC
    • SPECIFY CLIENT TYPE (SEE NEXT)
    • PROVIDE REDIRECT URIs
    • PROVIDE OTHER INFO (APP NAME, LOGO, …)
    • CLIENT OBTAINS AN IDENTIFIER (PUBLIC; NEVER USE FOR CLIENT AUTHENTICATION!)
  44. CLIENT TYPES
    • BASED ON ABILITY TO MAINTAIN THE CONFIDENTIALITY OF THEIR CREDENTIALS
    • CONFIDENTIAL (Backend web app)
    • PUBLIC (SPA, native app, …)
  45. OBTAINING AUTHORIZATION
    • AUTHORIZATION CODE GRANT
    • IMPLICIT GRANT
    • RESOURCE OWNER PASSWORD CREDENTIAL
    • CLIENT CREDENTIALS
  46. AUTHORIZATION CODE GRANT

  47–58. AUTHORIZATION CODE GRANT (diagram, built up over slides 47–58; actors: CLIENT, USER AGENT, AUTHORIZATION SERVER, RESOURCE OWNER)
    • CLIENT → USER AGENT → AUTHORIZATION SERVER: CLIENT ID & REDIRECT URI (AUTHE. REQ)
    • AUTHORIZATION SERVER ↔ RESOURCE OWNER (via USER AGENT): USER AUTHE.
    • AUTHORIZATION SERVER → USER AGENT → CLIENT: AUTHORIZATION CODE
    • CLIENT → AUTHORIZATION SERVER: AUTHORIZATION CODE & REDIRECT URI
    • AUTHORIZATION SERVER → CLIENT: ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)
  59. AUTHORIZATION REQUEST
    GET /authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz HTTP/1.1
    Host: server.example.com

  65. (Diagram highlight: AUTHORIZATION SERVER → USER AGENT → CLIENT: AUTHORIZATION CODE)

  66. AUTHORIZATION RESPONSE
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

  70. (Diagram highlight: CLIENT → AUTHORIZATION SERVER: AUTHORIZATION CODE & REDIRECT URI)

  71. ACCESS TOKEN REQUEST
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  76. (Diagram highlight: AUTHORIZATION SERVER → CLIENT: ACCESS TOKEN (& OPTIONAL REFRESH TOKEN))

  77. ACCESS TOKEN RESPONSE
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"example",
      "expires_in":3600,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "example_parameter":"example_value"
    }
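The four messages above (authorization request, 302 with the code, token request with HTTP Basic client authentication, token response) as one runnable exchange between a toy client and a toy authorization server. This is an added example in Python, not code from the talk or from any real library; `AuthorizationServer`, `Client`, `run_flow` and the in-memory code store are hypothetical names for this illustration. The client id, redirect URI and the `Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW` header are the ones on the slides; the client secret `gX1fBat3bV` is simply what that header decodes to. The server side shows the checks a practitioner wants: the redirect_uri must exactly match a registered value, the code is single-use and bound to the client and redirect_uri it was issued for, and the client verifies `state` before it accepts a code.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values: client id and redirect URI are the ones on the slides
# (the RFC 6749 examples); the client secret is what the slide's
# "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" header decodes to.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.com/cb"
AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client authentication at the token endpoint: Basic base64(client_id:client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")


def query_params(url: str) -> dict:
    """First value of every query parameter of a URL (what a web framework hands you)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Toy in-memory authorization server (hypothetical; not any real product)."""

    def __init__(self):
        # Client registration (not defined by the spec): secret + allowed redirect URIs.
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI}}}
        self.codes = {}  # authorization code -> {client_id, redirect_uri, scope}

    def authorize(self, query: dict) -> str:
        """GET /authorize: returns the Location header of the 302 back to the client."""
        client = self.clients.get(query.get("client_id"))
        if client is None:
            raise ValueError("unknown client_id")
        # Exact match against the registered URIs; prefix or substring matching is the
        # "improper validation" that lets a code be delivered somewhere else.
        redirect_uri = query.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri missing or not registered")
        if query.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        # Resource owner authentication and the grant/deny screen happen here;
        # this toy assumes the owner clicked "grant".
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": redirect_uri,
                            "scope": query.get("scope")}
        # state is echoed back unchanged so the client can tie the response to its request.
        return redirect_uri + "?" + urlencode({"code": code, "state": query.get("state", "")})

    def token(self, authorization: str, form: dict) -> dict:
        """POST /token: returns the JSON body of the access token response."""
        scheme, _, encoded = authorization.partition(" ")
        if scheme != "Basic":
            raise ValueError("client authentication required")
        client_id, _, secret = base64.b64decode(encoded).decode("ascii").partition(":")
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(secret.encode(), client["secret"].encode()):
            raise ValueError("client authentication failed")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        record = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if record is None:
            raise ValueError("invalid or already used code")
        # The code is bound to the client and redirect_uri it was issued for.
        if record["client_id"] != client_id or record["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("code was not issued to this client/redirect_uri")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16),
                "scope": record["scope"]}


class Client:
    """Confidential client: builds the requests on the slides and checks the callback."""

    def __init__(self):
        self.pending_state = None

    def authorization_request(self, scope: str) -> str:
        self.pending_state = secrets.token_urlsafe(16)  # fresh, unguessable, per request
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": scope, "state": self.pending_state}
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, location: str) -> str:
        """Accept the code from the 302 Location only if state matches the pending request."""
        q = query_params(location)
        state = q.get("state", "")
        if self.pending_state is None or not hmac.compare_digest(state.encode(), self.pending_state.encode()):
            raise ValueError("state mismatch: response is not tied to a request we made")
        self.pending_state = None
        return q["code"]

    def token_request(self, code: str):
        form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
        return basic_auth_header(CLIENT_ID, CLIENT_SECRET), form


def run_flow(server: AuthorizationServer, client: Client, scope: str = "aScope") -> dict:
    """Drive one grant: authorization request -> callback with code -> token request."""
    location = server.authorize(query_params(client.authorization_request(scope)))
    code = client.handle_callback(location)
    header, form = client.token_request(code)
    return server.token(header, form)
```

`run_flow(AuthorizationServer(), Client())` returns a token response shaped like slide 77. Note what is deliberately absent: the client identifier alone never authenticates anything (slide 43), and the redirect URI check is a set membership test, not a `startswith`.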
  80. IMPLICIT GRANT

  81–92. IMPLICIT GRANT (diagram, built up over slides 81–92; actors: CLIENT, USER AGENT, AUTHORIZATION SERVER, RESOURCE OWNER, WEB-HOSTED CLIENT RESOURCE)
    • CLIENT → USER AGENT → AUTHORIZATION SERVER: CLIENT ID & REDIRECT URI (AUTHE. REQ)
    • AUTHORIZATION SERVER ↔ RESOURCE OWNER (via USER AGENT): USER AUTHE.
    • AUTHORIZATION SERVER → USER AGENT: REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT
    • USER AGENT → WEB-HOSTED CLIENT RESOURCE: REDIRECT URI (W/O FRAGMENT)
    • WEB-HOSTED CLIENT RESOURCE → USER AGENT: SCRIPT
    • USER AGENT → CLIENT: ACCESS TOKEN (extracted from the fragment by the script)
  93. AUTHORIZATION REQUEST
    GET /authorize?response_type=token&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz HTTP/1.1
    Host: server.example.com

  99. (Diagram highlight: AUTHORIZATION SERVER → USER AGENT: REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT; USER AGENT → WEB-HOSTED CLIENT RESOURCE: REDIRECT URI (W/O FRAGMENT))
  100. ACCESS TOKEN RESPONSE
    HTTP/1.1 302 Found
    Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600

  106. QUESTION TIME

  107. IS THIS GRANT TYPE SECURE ?

  108.
    • Redirect URI missing or improper validation
    • Browser history
    • Token injection
  109. HISTORICAL REASONS FOR IMPLICIT GRANT
    • Browsers could manipulate only the URL fragment without causing a page reload (not true anymore since the History API)
    • CORS (the Authorization Code Flow requires a POST at some point)
  110. ACCESS TOKEN REQUEST
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  111. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE
  112. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE(s)
  113. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) AUTHORIZATION CODE GRANT
  114. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PKCE + AUTHORIZATION CODE GRANT (diagram)
  115–116. AUTHORIZATION CODE GRANT + PKCE (diagram; slide 115 is the authorization code grant diagram of slides 47–58, slide 116 adds the PKCE steps; actors: CLIENT, USER AGENT, AUTHORIZATION SERVER, RESOURCE OWNER)
    • CLIENT: GENERATE CODE VERIFIER AND ITS HASH (CODE CHALLENGE)
    • CLIENT → USER AGENT → AUTHORIZATION SERVER: CLIENT ID, REDIRECT URI, CODE CHALLENGE & HASH METHOD (AUTHE. REQ)
    • AUTHORIZATION SERVER ↔ RESOURCE OWNER (via USER AGENT): USER AUTHE.
    • AUTHORIZATION SERVER → USER AGENT → CLIENT: AUTHORIZATION CODE
    • CLIENT → AUTHORIZATION SERVER: AUTHORIZATION CODE, REDIRECT URI & CODE VERIFIER
    • AUTHORIZATION SERVER → CLIENT: ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)
  117. AUTHORIZATION REQUEST
    GET /authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz HTTP/1.1
    Host: server.example.com
  118. AUTHORIZATION REQUEST
    GET /authorize?response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=aScope&state=xyz&code_challenge=aebe62e61ad1d2c1b4290dd&code_challenge_method=S256 HTTP/1.1
    Host: server.example.com
  121. ACCESS TOKEN REQUEST
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  122. ACCESS TOKEN REQUEST
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&code_verifier=abcd
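The PKCE steps on slides 115–122 (generate a code verifier, send its hash as `code_challenge` with `code_challenge_method`, send the verifier with the token request, let the authorization server recompute and compare) as a runnable example. This is added Python, not code from the talk or from a real library; `PkceAuthorizationServer` and `run_pkce_flow` are hypothetical names and the server is an in-memory toy that only shows the PKCE binding. The encoding follows RFC 7636: the verifier is 43 to 128 unreserved characters, and the S256 challenge is the unpadded base64url of SHA-256 over the ASCII verifier; the verifier/challenge pair used in the test is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random octets -> 43 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """plain: challenge == verifier; S256: base64url(sha256(ascii(verifier))) without padding."""
    if method == "plain":
        return code_verifier
    if method == "S256":
        return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    raise ValueError("unsupported code_challenge_method")


class PkceAuthorizationServer:
    """Toy in-memory authorization server that enforces PKCE (hypothetical, for illustration)."""

    def __init__(self):
        self.codes = {}  # authorization code -> (client_id, code_challenge, code_challenge_method)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str = "plain") -> str:
        """Authorization endpoint: bind the challenge to the code it issues (method defaults to plain)."""
        if code_challenge_method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        if not code_challenge:
            raise ValueError("code_challenge required")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge, code_challenge_method)
        return code  # travels back to the client through the user agent

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Token endpoint: recompute the challenge from the verifier and compare with the stored one."""
        record = self.codes.pop(code, None)  # a code is single-use
        if record is None:
            raise ValueError("invalid or already used code")
        issued_to, challenge, method = record
        if issued_to != client_id:
            raise ValueError("code not issued to this client")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("code_verifier length out of range")
        expected = make_code_challenge(code_verifier, method)
        if not hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii")):
            raise ValueError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 3600}


def run_pkce_flow(server: PkceAuthorizationServer, client_id: str = "s6BhdRkqt3", method: str = "S256") -> dict:
    """Client side of the flow: the verifier never leaves the client until the token request."""
    verifier = make_code_verifier()                       # kept in client memory only
    challenge = make_code_challenge(verifier, method)     # this is what goes via the user agent
    code = server.authorize(client_id, challenge, method)
    return server.token(client_id, code, verifier)        # verifier sent directly to the AS
```

Whoever intercepts the authorization code on its way through the user agent holds only the challenge, and cannot produce the verifier the token endpoint demands; the check costs the server one SHA-256 per token request.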
  123. OBTAINING AUTHORIZATION
    • AUTHORIZATION CODE GRANT
    • IMPLICIT GRANT
    • RESOURCE OWNER PASSWORD CREDENTIAL
    • CLIENT CREDENTIALS
  124. OBTAINING AUTHORIZATION
    • AUTHORIZATION CODE GRANT (+PKCE)
    • IMPLICIT GRANT
    • RESOURCE OWNER PASSWORD CREDENTIAL
    • CLIENT CREDENTIALS
  125. WORTH OF A LOOK...
    • AMAZON COGNITO
    • OKTA
    • AUTH0
    • ORY HYDRA
  126. QUESTIONS?

  127. CREDITS
    - https://stocksnap.io/photo/SZE0NDYC0F (George Becker)
    - https://stocksnap.io/photo/KV6IATK4SM (Emily Morter)
    - https://www.iconfinder.com/icons/172626/male_user_icon