(Understanding) OAuth2

Working with OAuth2 can be a real pain, whether on the client or on the server side.
The standard, introduced in 2012, is still a so-called proposed standard, and every implementer interprets it differently.
For developers the OAuth2 flow is often seen as some kind of magic, and many of them struggle to get into the topic.
In this session we will take a look at the protocol flow and the different grant flows.
In addition to a theoretical overview, we will implement an OAuth2 flow in a future-proof and safe way.

Johannes Pichler

March 02, 2019

Transcript

  2. Johannes Pichler
    → Web Developer since 2006
    → PHP, Golang, .NET, Java
    → Lead Web Developer @ karriere.at

  3. karriere.at
    → biggest job platform in Austria
    → ~ 150 employees
    → ~ 40 developers

  5. Why OAuth2?

  9. Social Login

  11. Topics

  12. Some definitions

  13. OAuth2 roles
    → resource owner
    → resource server
    → client
    → authorization server

  14. Clients
    → client_id & client_secret
    → redirect_url setup
    → grant types that can be used

  15. Tokens

  16. JWT - JSON Web Token
    → open standard for securely transmitting data
    → main features
      → compact
      → self contained
    → use cases
      → authentication
      → information exchange

  17. JWT Header
    {
    "typ": "JWT",
    "alg": "RS256",
    "jti": "identifier"
    }

  18. JWT Payload
    {
    "aud": "client-id",
    "jti": "unique identifier",
    "iat": ts,
    "nbf": ts,
    "exp": ts,
    "sub": "user identifier",
    "scopes": [
    "read",
    "openid"
    ]
    }

  19. JWT Signature
    $header = ['typ' => 'JWT', 'alg' => 'RS256', 'jti' => 'identifier'];
    $payload = ['sub' => 'user identifier', 'exp' => time() + 3600];
    // JWT uses base64url (RFC 7515): URL-safe alphabet and no '=' padding
    function base64url_encode(string $data): string {
        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
    }
    $signingInput = sprintf(
        '%s.%s',
        base64url_encode(json_encode($header)),
        base64url_encode(json_encode($payload))
    );
    // RS256: RSA-SHA256 over the signing input with the server's private key ($privateKey loaded beforehand)
    openssl_sign($signingInput, $rawSignature, $privateKey, OPENSSL_ALGO_SHA256);
    $jwt = $signingInput . '.' . base64url_encode($rawSignature);

  20. JWT & sensitive data
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

  21. JWT & sensitive data
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
    {"alg":"HS256","typ":"JWT"}
    {"sub":"1234567890","name":"John Doe","iat":1516239022}
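
The point of these two slides, as an added Python example (not code from the deck): the header and payload of a JWT are only base64url-encoded, so the claims of the token shown above can be read by anyone without a key. Verification is a separate step that needs the key and a pinned algorithm. The script decodes the slide's token (its HS256 secret is not known here, so it is only decoded, not verified) and then signs and verifies a second token with a secret constructed for the example; function names are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Token from the slide (the public jwt.io sample). Its HS256 secret is not known
# here, so it is only decoded, never verified.
SLIDE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    # JWT strips the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Read header and payload WITHOUT checking the signature: base64url is an
    encoding, not encryption, so anyone holding the token can do this."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: Dict, payload: Dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (what the issuer does)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Dict:
    """What the resource server does (slide 39): signature first, then exp/nbf.
    The algorithm is pinned to HS256 instead of trusted from the header, so a
    token announcing "alg": "none" or another algorithm is rejected outright."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def check_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_hs256(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("readable without any key:", decode_unverified(SLIDE_TOKEN))
    secret = b"constructed-demo-secret"  # constructed for this example only
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "42", "exp": 2000000000}, secret)
    print("verified:", verify_hs256(token, secret, now=1900000000))
    print("wrong key:", check_token(token, b"other-secret", now=1900000000))
```

Everything a client or attacker learns from `decode_unverified` is exactly what the slide prints under the token, which is why claims such as e-mail addresses or roles should be treated as public once the token leaves the server.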

  22. Auth code grant

  24. Login button

  25. 1. Authorize request
    GET: https://auth-server.test/authorize
    response_type=code
    client_id=client-id
    scope=read
    state=some-state-parameter

  26. 1. Authorize response
    HTTP/1.1 302 Found
    Host: auth-server.test
    Location: /login
    Content-Length: 0

  27. 2. Login

  28. 2. Login request
    POST: https://auth-server.test/login
    username=john.doe
    password=password

  29. 2. Login response
    HTTP/1.1 302 Found
    Host: auth-server.test
    Location: https://client.test/callback?code=code&state=state
    Content-Length: 0

  30. 3. Auth code - access token exchange request
    POST: https://auth-server.test/token
    grant_type=authorization_code
    client_id=client-id
    client_secret=client-secret
    code=code

  31. 3. Auth code - access token exchange response
    {
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "jwt-token",
    "refresh_token": "jwt-token"
    }
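
The three steps of slides 25 to 31, as an added end-to-end Python example (not the deck's demo code): a constructed in-memory stand-in for auth-server.test and for the client at client.test, with the host names, client credentials and scope taken from the slides. The `AuthorizationServer` and `Client` classes are hypothetical. Beyond what the slides show, the example includes `redirect_uri` in the token request, which RFC 6749 requires when it was sent in the authorize request, binds the `state` to the browser session, and makes the code single-use and short-lived.

```python
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_SERVER = "https://auth-server.test"  # host names and credentials as on the slides
CLIENT_ID = "client-id"
CLIENT_SECRET = "client-secret"
REDIRECT_URI = "https://client.test/callback"


class AuthorizationServer:
    """Constructed in-memory stand-in for auth-server.test (hypothetical class)."""

    CODE_LIFETIME = 60  # seconds; codes are short-lived and single-use

    def __init__(self, clients: Dict[str, dict]):
        self.clients = clients            # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes: Dict[str, dict] = {}  # outstanding authorization codes

    def authorize(self, client_id: str, redirect_uri: str, scope: str, state: str, user: str) -> str:
        """Steps 1-2: after the user logged in, redirect back with a fresh code. The
        redirect_uri must match the registered one, so the code only reaches the real client."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "sub": user, "expires": time.time() + self.CODE_LIFETIME}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"  # state echoed back untouched

    def token(self, form: Dict[str, str]) -> dict:
        """Step 3: the confidential client redeems the code over the back channel."""
        client = self.clients.get(form.get("client_id", ""))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise PermissionError("unsupported_grant_type")
        grant = self.codes.pop(form.get("code", ""), None)  # pop: a code is redeemable once
        if (grant is None or grant["client_id"] != form["client_id"]
                or grant["redirect_uri"] != form.get("redirect_uri") or grant["expires"] < time.time()):
            raise PermissionError("invalid_grant")
        return {"token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"],
                "access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32)}


class Client:
    """The web application at client.test (hypothetical class); one instance per browser session."""

    def __init__(self):
        self.pending_state: Optional[str] = None

    def authorize_url(self, scope: str = "read") -> str:
        self.pending_state = secrets.token_urlsafe(16)  # unguessable, kept in the session
        query = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                 "scope": scope, "state": self.pending_state}
        return f"{AUTH_SERVER}/authorize?{urlencode(query)}"

    def handle_callback(self, callback_url: str) -> str:
        """Accept the code only if the state matches the one this session started with."""
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if self.pending_state is None or not hmac.compare_digest(params.get("state", ""), self.pending_state):
            raise PermissionError("state mismatch: callback was not started by this session")
        self.pending_state = None  # the state is single-use as well
        return params["code"]

    def token_request(self, code: str) -> Dict[str, str]:
        return {"grant_type": "authorization_code", "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                "code": code, "redirect_uri": REDIRECT_URI}


def run_flow(replay: bool = False) -> dict:
    """Drive the three steps end to end; with replay=True try to redeem the code twice."""
    server = AuthorizationServer({CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}})
    client = Client()
    url = client.authorize_url("read")
    # the browser follows the authorize URL, logs in as john.doe and is redirected to the client
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    callback = server.authorize(q["client_id"], q["redirect_uri"], q["scope"], q["state"], "john.doe")
    code = client.handle_callback(callback)
    tokens = server.token(client.token_request(code))
    if replay:
        try:
            server.token(client.token_request(code))
        except PermissionError as exc:
            return {"error": str(exc)}
    return tokens


def forged_callback_error() -> str:
    """A callback carrying a state this session never issued is refused."""
    client = Client()
    client.authorize_url()
    try:
        client.handle_callback(f"{REDIRECT_URI}?code=x&state=forged")
    except PermissionError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(replay=True))
    print(forged_callback_error())
```

The `state` check is what makes the callback safe to accept: without it a callback crafted by someone else would be processed as if this session had started it, and without single-use codes a leaked code could be redeemed a second time.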

  32. Identifying the user

  33. Getting data about the user
    GET: http://resource-server.test/profile
    Accept: application/json
    Authorization: Bearer access_token

  34. Getting data about the user
    {
    "email": "[email protected]",
    "firstname": "John",
    "lastname": "Doe",
    "username": "john.doe",
    "profile-picture": "https://example.com/images/johndoe.png"
    }

  35. OpenID Connect
    → identity layer on top of OAuth2
    → requested with the openid scope
    → id_token is delivered with the token response

  36. OpenID Connect
    {
    "id_token": "jwt-token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "jwt-token",
    "refresh_token": "jwt-token"
    }

  37. Token validation

  38. ... on the client
    → do not validate the token on the client
    → you may store the expires_in timespan returned from the token request
    → leave validation up to the resource server or the auth server

  39. ... on the resource server
    → check expiration date
    → signature verification

  40. Downsides
    → resource server needs to know the public key
    → token revocation not possible

  41. Token introspection

  42. Token introspection
    → POST endpoint on the auth server
    → provides the token payload as plain JSON
    → tells if the token is valid or not

  43. Invalid token
    {
    "active": false
    }

  44. Valid token
    {
    "active": true,
    "token_type": "access_token",
    "scopes": [
    "read",
    "openid"
    ],
    "client_id": "client id",
    "iat": ts,
    "exp": ts,
    "sub": "user identifier",
    "jti": "unique identifier"
    }
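
Slides 40 to 44 together, as an added Python example (not the deck's demo code): a constructed auth server that keeps opaque access tokens in a store and answers introspection requests in the shape of the two responses above, and a resource server that protects /profile by calling it. Both classes are hypothetical stand-ins, not a real library. The example shows what local JWT validation cannot do (revocation, slide 40) and the caveat that comes with introspection: a resource server that caches introspection answers will honour a revoked token until the cache entry expires.

```python
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple


class AuthServer:
    """Constructed stand-in for the auth server's token store and introspection
    endpoint (hypothetical class)."""

    def __init__(self):
        self.tokens: Dict[str, dict] = {}  # access_token -> record

    def issue(self, client_id: str, sub: str, scopes: Iterable[str], lifetime: int = 3600,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque handle: the payload lives only in this store
        self.tokens[token] = {"client_id": client_id, "sub": sub, "scopes": list(scopes), "iat": int(now),
                              "exp": int(now + lifetime), "jti": secrets.token_hex(8), "revoked": False}
        return token

    def revoke(self, token: str) -> None:
        """Possible here, unlike with a self-contained JWT that is only checked locally (slide 40)."""
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

    def introspect(self, token: str, now: Optional[float] = None) -> dict:
        """POST /introspect: an unknown, expired or revoked token gets {"active": false},
        with no hint which of the three it was (RFC 7662 behaviour)."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, "token_type": "access_token", "scopes": rec["scopes"],
                "client_id": rec["client_id"], "iat": rec["iat"], "exp": rec["exp"],
                "sub": rec["sub"], "jti": rec["jti"]}


class ResourceServer:
    """Protects /profile by asking the auth server about each bearer token (hypothetical class)."""

    def __init__(self, auth: AuthServer, cache_ttl: int = 30):
        self.auth = auth
        self.cache_ttl = cache_ttl  # trade-off: fewer round trips vs. slower revocation
        self.cache: Dict[str, Tuple[float, dict]] = {}

    def _introspect(self, token: str, now: float) -> dict:
        cached = self.cache.get(token)
        if cached is not None and cached[0] > now:
            return cached[1]
        result = self.auth.introspect(token, now)
        self.cache[token] = (now + self.cache_ttl, result)
        return result

    def handle(self, authorization_header: Optional[str], required_scope: str,
               now: Optional[float] = None) -> dict:
        """Returns the HTTP status the request would get, plus the subject on success."""
        now = time.time() if now is None else now
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return {"status": 401, "error": "invalid_request"}
        info = self._introspect(authorization_header[len("Bearer "):], now)
        if not info["active"]:
            return {"status": 401, "error": "invalid_token"}
        if required_scope not in info["scopes"]:
            return {"status": 403, "error": "insufficient_scope"}
        return {"status": 200, "sub": info["sub"]}


if __name__ == "__main__":
    auth = AuthServer()
    rs = ResourceServer(auth)
    t = auth.issue("client-id", "john.doe", ["read", "openid"], now=1_000_000)
    print(rs.handle(f"Bearer {t}", "read", now=1_000_000))   # 200
    auth.revoke(t)
    print(rs.handle(f"Bearer {t}", "read", now=1_000_000))   # still 200: cached answer
    print(rs.handle(f"Bearer {t}", "read", now=1_000_031))   # 401 once the cache entry expired
```

The cache TTL is the knob that decides how quickly a revocation takes effect across resource servers; with `cache_ttl=0` every request costs a round trip but revocation is immediate.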

  45. Demo

  47. Other grant types

  48. Implicit grant
    → simplified form of the auth code grant
    → instead of an auth code the access token is returned
    → not recommended anymore
    → use the auth code grant instead

  49. Password grant
    → username, password and client credentials exchanged against an access token
    → used for first party applications

  50. Client credentials grant
    → exchange client id & secret against an access token
    → used for machine to machine communication

  51. Refresh token grant
    → exchange a refresh token against a new access & refresh token
    → used when the access token has expired

  52. Which grant type should I use?
    Auth code    | Password        | Client cred   | Implicit
    -------------+-----------------+---------------+---------
    3rd party    | 1st party apps  | cronjobs      | never!
    SPAs         | internal tools  | system tasks  |
    native apps  |                 |               |

  53. Implementing an OAuth2 server

  54. Using a cloud service
    → someone else is responsible for implementing and managing the auth stuff
    → easy to use & implement
    → providing SDKs

  55. Using a cloud service - downsides
    → you need to transfer your user data to the cloud
    → the whole authorization & authentication procedure is outsourced

  56. Frameworks
    → PHP: OAuth 2.0 Server by The PHP League
    → node.js: node-oauth2-server by OAuthJS
    → Java: Spring Security OAuth2

  57. OAuth 2 Server by The PHP League
    → provides the AuthorizationServer class
    → complete token handling included
    → you implement Repositories and Models
    → inject them into the AuthorizationServer
    → implement controllers by using the AuthorizationServer

  58. On premise services
    → provide you with the OAuth 2 implementation
    → allow integration with an existing identity provider
    → https://www.ory.sh

  59. Summary

  60. OAuth2 ...
    → a good standard for implementing an authorization system
    → has many different grant types for different use cases
    → needs to be combined with an authentication mechanism
    → defines squishy boundaries that you need to be explicit about
    → can help you to centralize the auth system in your organization

  61. Resources
    → https://oauth.net/2
    → https://www.oauth.com
    → OAuth 2 in Action - Justin Richer & Antonio Sanso

  62. Talk infos
    → https://speakerdeck.com/fetzi/understanding-oauth2
    → https://github.com/fetzi/oauth2-server-demo

  63. THANKS
    @fetzi_io
