Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

OAuth2.pdf

Samuele
January 15, 2020
Programming
0
52

 OAuth2.pdf

OAuth2.0: an introduction

Samuele

January 15, 2020
Tweet

More Decks by Samuele

See All by Samuele
SfDay 2024 - Don't let the framework stand on your way
doncallisto
0
82
Autowire all the things!
doncallisto
1
330
Behat from zero to hero - A practical guide to symfony integration and usage
doncallisto
0
540
A journey into Symfony form component
doncallisto
1
1.2k

Other Decks in Programming

See All in Programming
Contemporary Test Cases
maaretp
0
150
Swift Testing - iPlayground
chiaoteni
0
130
カンファレンスの「アレ」Webでなんとかしませんか? / Conference “thing” Why don't you do something about it on the Web?
dero1to
1
150
イマのCSSでできる
インタラクション最前線 + CSS最新情報
clockmaker
5
3.7k
CSC509 Lecture 13
javiergs
PRO
0
120
PipeCDの歩き方
kuro_kurorrr
3
130
Full stack testing :: basic to basic
up1
1
760
Cursorでアプリケーションの追加開発や保守をどこまでできるか試したら得るものが多かった話
drumnistnakano
0
180
競技プログラミングで 基礎体力を身につけよう / You can get basic skills through competitive programming
mdstoy
0
130
flutterkaigi_2024.pdf
kyoheig3
0
350
PaaSとSaaSの境目で信頼性と開発速度を両立する 〜TROCCO®︎のこれまでとこれから〜
gtnao
5
5.6k
romajip: 日本の住所CSVデータを活用した英語住所変換ライブラリを作った話
sangunkang
0
2.2k

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Scaling GitHub
holman
458
140k
The Pragmatic Product Professional
lauravandoore
32
6.3k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Designing the Hi-DPI Web
ddemaree
280
34k
Optimizing for Happiness
mojombo
376
70k
The Invisible Side of Design
smashingmag
298
50k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
A Philosophy of Restraint
colly
203
16k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
We Have a Design System, Now What?
morganepeng
50
7.2k

Transcript

  1. OAuth 2.0 An Introduction Samuele Lilli * DonCallisto - Rimini,

    Jan 15 2020

  2. WHO AM I? https://github.com/DonCallisto https://stackoverflow.com/users/814253/doncallisto https://labs.madisoft.it/ [email protected]

  3. WE’RE HIRING! https://labs.madisoft.it/entra-nel-team/

  4. https://xkcd.com/936/

  5. SECRET UNIQUE RANDOM LONG (15+ CHARS)

  6. CHANGE IT REGULARLY!

  7. “Treat your password like your toothbrush. Don't let anybody else

    use it, and get a new one every six months.” Clifford Stoll

  8. PASSWORD SECURITY IS NOT UNDER YOUR DIRECT CONTROL (CAN’T ASSUME

    YOUR PASSWORD IS STORED IN A SECURE WAY)

  9. OAuth 2.0

  10. None

  11. THE ISSUE (OF GIVING TO 3rd PARTY YOUR PASSWORD) •

    Password stored in clear-text. • Servers are required to support password authentication, despite the security weaknesses inherent in passwords. • Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources. • Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party's password. • Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.

  12. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  13. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  14. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  15. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749
  16. None
  17. None

  18. stackoverflow.com

  19. stackoverflow.com username password login google.com

  20. stackoverflow.com username password login google.com google.com stackoverflow.com wants to access

    your profile grant deny

  21. stackoverflow.com username password login google.com google.com stackoverflow.com wants to access

    your profile grant deny callback

  22. stackoverflow.com username password login google.com google.com stackoverflow.com wants to access

    your profile grant deny callback

  23. “The OAuth 2.0 authorization framework enables a third-party application to

    obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” https://tools.ietf.org/html/rfc6749

  24. AUTHORIZATION != AUTHENTICATION

  25. OpenID CONNECT “OpenID Connect 1.0 is a simple identity layer

    on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html

  26. OpenID CONNECT “OpenID Connect 1.0 is a simple identity layer

    on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html

  27. OpenID CONNECT “OpenID Connect 1.0 is a simple identity layer

    on top of the OAuth 2.0 [RFC6749] protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.” https://openid.net/specs/openid-connect-core-1_0.html

  28. GLOSSARY Resource Owner: An entity capable of granting access to

    a protected resource. Resource Server: The server hosting the protected resources. Client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics. Access Token: Credentials used to access protected resources. An access token is a string representing an authorization issued to the client. Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. Refresh Token: Credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.

  29. CLIENT RESOURCE OWNER AUTHORIZATION REQUEST

  30. CLIENT RESOURCE OWNER AUTHORIZATION REQUEST AUTHORIZATION GRANT

  31. CLIENT RESOURCE OWNER AUTHORIZATION SERVER AUTHORIZATION REQUEST AUTHORIZATION GRANT AUTHORIZATION

    GRANT

  32. CLIENT RESOURCE OWNER AUTHORIZATION SERVER AUTHORIZATION REQUEST AUTHORIZATION GRANT AUTHORIZATION

    GRANT ACCESS TOKEN

  33. CLIENT RESOURCE OWNER AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION REQUEST AUTHORIZATION

    GRANT AUTHORIZATION GRANT ACCESS TOKEN ACCESS TOKEN

  34. CLIENT RESOURCE OWNER AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION REQUEST AUTHORIZATION

    GRANT AUTHORIZATION GRANT ACCESS TOKEN ACCESS TOKEN RESOURCES

  35. CLIENT RESOURCE OWNER AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION REQUEST AUTHORIZATION

    GRANT AUTHORIZATION GRANT ACCESS TOKEN ACCESS TOKEN RESOURCES

  36. CLIENT AUTHORIZATION SERVER AUTHORIZATION GRANT

  37. CLIENT AUTHORIZATION SERVER AUTHORIZATION GRANT ACCESS TOKEN & REFRESH TOKEN

  38. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN

  39. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN RESOURCES

  40. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN INVALID TOKEN

  41. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN INVALID TOKEN REFRESH TOKEN

  42. CLIENT AUTHORIZATION SERVER RESOURCE SERVER AUTHORIZATION GRANT ACCESS TOKEN &

    REFRESH TOKEN ACCESS TOKEN INVALID TOKEN REFRESH TOKEN ACCESS TOKEN & (OPTIONAL) REFRESH TOKEN

  43. CLIENT REGISTRATION • NOT DEFINED BY THE OAUTH SPEC •

    SPECIFY CLIENT TYPE (SEE NEXT) • PROVIDE REDIRECT URIs • PROVIDE OTHER INFOS (APP NAME, LOGO, …) • CLIENT OBTAINS AN IDENTIFIER (PUBLIC; NEVER USE FOR CLIENT AUTHENTICATION!)

  44. CLIENT TYPES • BASED ON ABILITY TO MAINTAIN THE CONFIDENTIALITY

    OF THEIR CREDENTIALS • CONFIDENTIAL (Backend web app) • PUBLIC (SPA, native app, …)

  45. OBTAINING AUTHORIZATION • AUTHORIZATION CODE GRANT • IMPLICIT GRANT •

    RESOURCE OWNER PASSWORD CREDENTIAL • CLIENT CREDENTIALS

  46. AUTHORIZATION CODE GRANT

  47. CLIENT

  48. CLIENT USER AGENT

  49. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

  50. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

    AUTHE. REQ

  51. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ

  52. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE.

  53. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  54. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE

  55. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE

  56. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE & REDIRECT URI

  57. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE & REDIRECT URI ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

  58. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  59. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  60. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  61. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  62. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  63. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  64. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  65. CLIENT AUTHORIZATION SERVER USER AGENT AUTHORIZATION CODE AUTHORIZATION CODE

  66. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  67. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  68. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  69. AUTHORIZATION RESPONSE HTTP/1.1 302 Found Location: https://client.example.com/cb?code=Splxl OBeZQQYbYS6WxSbIA&state=xyz

  70. CLIENT AUTHORIZATION SERVER AUTHORIZATION CODE & REDIRECT URI

  71. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  72. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  73. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  74. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  75. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  76. CLIENT AUTHORIZATION SERVER ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

  77. ACCESS TOKEN RESPONSE HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store

    Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }

  78. ACCESS TOKEN RESPONSE HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store

    Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }

  79. ACCESS TOKEN RESPONSE HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store

    Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }

  80. IMPLICIT GRANT

  81. CLIENT

  82. CLIENT USER AGENT

  83. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

  84. CLIENT AUTHORIZATION SERVER USER AGENT CLIENT ID & REDIRECT URI

    AUTHE. REQ

  85. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ

  86. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE.

  87. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  88. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT

  89. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT)

  90. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT) SCRIPT

  91. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. REDIRECT URI WITH ACCESS TOKEN IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT) SCRIPT ACCESS TOKEN

  92. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE.

  93. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  94. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  95. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  96. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  97. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  98. AUTHORIZATION REQUEST GET /authorize?response_type=token&client_i d=s6BhdRkqt3&redirect_uri=https%3A%2F %2Fclient%2Eexample%2Ecom%2Fcb&sco pe=aScope&state=xyz HTTP/1.1 Host: server.example.com

  99. CLIENT AUTHORIZATION SERVER USER AGENT REDIRECT URI WITH ACCESS TOKEN

    IN FRAGMENT WEB-HOSTED CLIENT RESOURCE REDIRECT URI (W/O FRAGMENT)

  100. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  101. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  102. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  103. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  104. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  105. ACCESS TOKEN RESPONSE HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2Yo tnFZFEjr1zCsicMWpAA&state=xyz&token_t ype=example&expires_in=3600

  106. QUESTION TIME

  107. IS THIS GRANT TYPE SECURE ?

  108. • Redirect URI missing or improper validation • Browser history

    • Token injection

  109. HISTORICAL REASONS FOR IMPLICIT GRANT • Browsers can manipulate only

    url fragment without causing a page reload (not true anymore since HistoryAPI) • CORS (Authorization Code Flow requires a POST at some point)

  110. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  111. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE

  112. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PRONOUNCED PIXIE(s)

  113. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) AUTHORIZATION CODE

    GRANT

  114. PKCE FOR THE RESCUE! (PROOF-KEY FOR CODE EXCHANGE) PKCE PKCE

    AUTHORIZATION CODE GRANT

  115. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID &

    REDIRECT URI AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE & REDIRECT URI ACCESS TOKEN (& OPTIONAL REFRESH TOKEN)

  116. CLIENT RESOURCE OWNER AUTHORIZATION SERVER USER AGENT CLIENT ID, REDIRECT

    URI CODE CHALLENGE,CODE CHALLENGE & HASH METHOD AUTHE. REQ AUTHE. REQ USER AUTHE. USER AUTHE. AUTHORIZATION CODE AUTHORIZATION CODE AUTHORIZATION CODE, REDIRECT URI & CODE VERIFIER ACCESS TOKEN (& OPTIONAL REFRESH TOKEN) GENERATE CODE VERIFIER AND ITS HASH (CODE CHALLENGE)

  117. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz HTTP/1.1 Host: server.example.com

  118. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz&code_challenge=aeb e62e61ad1d2c1b4290dd&code_challenge_ method=S256 HTTP/1.1

    Host: server.example.com

  119. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz&code_challenge=aeb e62e61ad1d2c1b4290dd&code_challenge_ method=S256 HTTP/1.1

    Host: server.example.com

  120. AUTHORIZATION REQUEST GET /authorize?response_type=code&client_id =s6BhdRkqt3&redirect_uri=https%3A%2F% 2Fclient%2Eexample%2Ecom%2Fcb&scop e=aScope&state=xyz&code_challenge=aeb e62e61ad1d2c1b4290dd&code_challenge_ method=S256 HTTP/1.1

    Host: server.example.com

  121. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb

  122. ACCESS TOKEN REQUEST POST /token HTTP/1.1 Host: server.example.com Authorization: Basic

    czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxS bIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom% 2Fcb&code_verifier=abcd

  123. OBTAINING AUTHORIZATION • AUTHORIZATION CODE GRANT • IMPLICIT GRANT •

    RESOURCE OWNER PASSWORD CREDENTIAL • CLIENT CREDENTIALS

  124. OBTAINING AUTHORIZATION • AUTHORIZATION CODE GRANT (+PKCE) • IMPLICIT GRANT

    • RESOURCE OWNER PASSWORD CREDENTIAL • CLIENT CREDENTIALS

  125. WORTH OF A LOOK... • AMAZON COGNITO • OKTA •

    AUTH0 • ORY HYDRA

  126. QUESTIONS?

  127. CREDITS - https://stocksnap.io/photo/SZE0NDYC0F (George Becker) - https://stocksnap.io/photo/KV6IATK4SM (Emily Morter) -

    https://www.iconfinder.com/icons/172626/male_user_icon