Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth2.pdf

Samuele
January 15, 2020
Programming
0
47

 OAuth2.pdf

OAuth2.0: an introduction

Samuele

January 15, 2020
Tweet

More Decks by Samuele

See All by Samuele
Autowire all the things!
doncallisto
1
300
Behat from zero to hero - A practical guide to symfony integration and usage
doncallisto
0
480
A journey into Symfony form component
doncallisto
1
1.1k

Other Decks in Programming

See All in Programming
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
2
200
Ruby GitHub Packages
bkuhlmann
0
630
Goのmultiple errorsについて (2024年4月版)
syumai
4
910
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
140
Random\Randomizer クラスで日常のあれこれを解決しよう! / Random\Randomizer class solves familiar trouble
cocoeyes02
0
250
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
340
Git Rebase
bkuhlmann
11
1.6k
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
340
"config" ってなんだ? / What is "config"?
okashoi
0
240
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
810
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
940

Featured

See All Featured
Making Projects Easy
brettharned
108
5.5k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
Done Done
chrislema
178
15k
Gamification - CAS2011
davidbonilla
76
4.6k
Teambox: Starting and Learning
jrom
128
8.4k
Git: the NoSQL Database
bkeepers
PRO
422
63k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Ruby is Unlike a Banana
tanoku
96
10k
A better future with KSS
kneath
231
16k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k

Transcript

  1. OAuth 2.0 An Introduction Samuele Lilli * DonCallisto - Rimini,

    Jan 15 2020

  2. WHO AM I? https://github.com/DonCallisto https://stackoverflow.com/users/814253/doncallisto https://labs.madisoft.it/ [email protected]

  3. WE’RE HIRING! https://labs.madisoft.it/entra-nel-team/

  4. https://xkcd.com/936/

  5. SECRET UNIQUE RANDOM LONG (15+ CHARS)

  6. CHANGE IT REGULARLY!

  7. “Treat your password like your toothbrush. Don't let anybody else

    use it, and get a new one every six months.” Clifford Stoll

  8. PASSWORD SECURITY IS NOT UNDER YOUR DIRECT CONTROL (CAN’T ASSUME

    YOUR PASSWORD IS STORED IN A SECURE WAY)

  9. OAuth 2.0

  10. None

  11. THE ISSUE (OF GIVING TO 3rd PARTY YOUR PASSWORD) •

    Password stored in clear-text. • Servers are required to support password authentication, despite the security weaknesses inherent in passwords. • Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources. • Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password. • Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.

  12. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  13. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  14. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  15. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749
  16. None
  17. None

  18. stackoverflow.com

  19. stackoverflow.com username password login google.com

  20. stackoverflow.com username password login google.com google.com stackoverflow.com wants to access

    your profile grant deny

  21. stackoverflow.com username password login google.com google.com stackoverflow.com wants to access

    your profile grant deny callback

  22. stackoverflow.com username password login google.com google.com stackoverflow.com wants to access

    your profile grant deny callback

  23. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  24. AUTHORIZATION != AUTHENTICATION

  25. OpenID CONNECT “OpenID Connect 1.0 is a simple identity layer

    on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html

  26. OpenID CONNECT “OpenID Connect 1.0 is a simple identity layer

    on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html

  27. OpenID CONNECT “OpenID Connect 1.0 is a simple identity layer

    on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html

  28. GLOSSARY Resource Owner: An entity capable of granting access to

    a protected resource. Resource Server: The server hosting the protected resources. Client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics. Access Token: Credentials used to access protected resources. An access token is a string representing an authorization issued to the client. Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. Refresh Token: Credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.

  29. CLIENT RESOURCE OWNER AUTHORIZATION REQUEST

  30. CLIENT RESOURCE OWNER AUTHORIZATION REQUEST AUTHORIZATION GRANT

  31. CLIENT RESOURCE OWNER AUTHORIZATION SERVER AUTHORIZATION REQUEST AUTHORIZATION GRANT AUTHORIZATION

    GRANT

  32. CLIENT RESOURCE OWNER AUTHORIZATION SERVER AUTHORIZATION REQUEST AUTHORIZATION GRANT AUTHORIZATION

    GRANT ACCESS TOKEN

  33. CLIENT RESOURCE OWNER AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION REQUEST AUTHORIZATION

    GRANT AUTHORIZATION GRANT ACCESS TOKEN ACCESS TOKEN

  34. CLIENT RESOURCE OWNER AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION REQUEST AUTHORIZATION

    GRANT AUTHORIZATION GRANT ACCESS TOKEN ACCESS TOKEN RESOURCES

  35. CLIENT RESOURCE OWNER AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION REQUEST AUTHORIZATION

    GRANT AUTHORIZATION GRANT ACCESS TOKEN ACCESS TOKEN RESOURCES

  36. CLIENT AUTHORIZATION SERVER AUTHORIZATION GRANT

  37. CLIENT AUTHORIZATION SERVER AUTHORIZATION GRANT ACCESS TOKEN & REFRESH TOKEN

  38. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN

  39. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN RESOURCES

  40. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN INVALID TOKEN

  41. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN INVALID TOKEN REFRESH TOKEN

  42. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN INVALID TOKEN REFRESH TOKEN ACCESS TOKEN & (OPTIONAL) REFRESH TOKEN

  43. CLIENT REGISTRATION • NOT DEFINED BY THE OAUTH SPEC •

    SPECIFY CLIENT TYPE (SEE NEXT) • PROVIDE REDIRECT URIs • PROVIDE OTHER INFOS (APP NAME, LOGO, …) • CLIENT OBTAINS AN IDENTIFIER (PUBLIC; NEVER USE FOR CLIENT AUTHENTICATION!)

  44. CLIENT TYPES • BASED ON ABILITY TO MAINTAIN THE CONFIDENTIALITY

    OF THEIR CREDENTIALS • CONFIDENTIAL (Backend web app) • PUBLIC (SPA, native app, …)

  45. OBTAINING AUTHORIZATION • AUTHORIZATION CODE GRANT • IMPLICIT GRANT •

    RESOURCE OWNER PASSWORD CREDENTIAL • CLIENT CREDENTIALS

  46. AUTHORIZATION CODE GRANT

  47. CLIENT

  48. CLIENT USER AGENT

  49. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

  50. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

    AUTHE. REQ

  51. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ

  52. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE.

  53. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  54. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE

  55. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE

  56. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE & REDIRECT URI

  57. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE & REDIRECT URI ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

  58. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  59. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  60. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  61. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  62. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  63. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  64. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  65. CLIENT AUTHORIZATION SERVER USER AGENT AUTHORIZATION CODE AUTHORIZATION CODE

  66. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  67. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  68. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  69. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  70. CLIENT AUTHORIZATION SERVER AUTHORIZATION CODE & REDIRECT URI

  71. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  72. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  73. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  74. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  75. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  76. CLIENT AUTHORIZATION SERVER ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

  77. ACCESS TOKEN RESPONSE HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store

    Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }

  78. ACCESS TOKEN RESPONSE HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store

    Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }

  79. ACCESS TOKEN RESPONSE HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store

    Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }

  80. IMPLICIT GRANT

  81. CLIENT

  82. CLIENT USER AGENT

  83. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

  84. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

    AUTHE. REQ

  85. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ

  86. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE.

  87. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  88. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT

  89. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT)

  90. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT) SCRIPT

  91. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT) SCRIPT ACCESS TOKEN

  92. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  93. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  94. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  95. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  96. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  97. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  98. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  99. CLIENT AUTHORIZATION SERVER USER AGENT REDIRECT URI WITH ACCESS TOKEN

    IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT)

  100. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  101. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  102. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  103. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  104. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  105. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  106. QUESTION TIME

  107. IS THIS GRANT TYPE SECURE ?

  108. • Redirect URI missing or improper validation • Browser history

    • Token injection

  109. HISTORICAL REASONS FOR IMPLICIT GRANT • Browsers can manipulate only

    url fragment without causing a page reload (not true anymore since HistoryAPI) • CORS (Authorization Code Flow requires a POST at some point)

  110. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  111. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE

  112. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE(s)

  113. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) AUTHORIZATION CODE

    GRANT

  114. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PKCE PKCE

    AUTHORIZATION CODE GRANT

  115. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE & REDIRECT URI ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

  116. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID, REDIRECT

    URI CODE CHALLENGE,CODE CHALLENGE & HASH METHOD AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE, REDIRECT URI & CODE VERIFIER ACCESS TOKEN (& OPTIONAL REFRESH TOKEN) GENERATE CODE VERIFIER AND ITS HASH (CODE CHALLENGE)

  117. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  118. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz&code_challenge=aeb e62e61ad1d2c1b4290dd&code_challenge_ method=S256 HTTP/1.1

    Host: server.example.com

  119. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz&code_challenge=aeb e62e61ad1d2c1b4290dd&code_challenge_ method=S256 HTTP/1.1

    Host: server.example.com

  120. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz&code_challenge=aeb e62e61ad1d2c1b4290dd&code_challenge_ method=S256 HTTP/1.1

    Host: server.example.com

  121. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  122. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb&code_verifier=abcd

  123. OBTAINING AUTHORIZATION • AUTHORIZATION CODE GRANT • IMPLICIT GRANT •

    RESOURCE OWNER PASSWORD CREDENTIAL • CLIENT CREDENTIALS

  124. OBTAINING AUTHORIZATION • AUTHORIZATION CODE GRANT (+PKCE) • IMPLICIT GRANT

    • RESOURCE OWNER PASSWORD CREDENTIAL • CLIENT CREDENTIALS

  125. WORTH OF A LOOK... • AMAZON COGNITO • OKTA •

    AUTH0 • ORY HYDRA

  126. QUESTIONS?

  127. CREDITS - https://stocksnap.io/photo/SZE0NDYC0F (George Becker) - https://stocksnap.io/photo/KV6IATK4SM (Emily Morter) -

    https://www.iconfinder.com/icons/172626/male_user_icon