(Understanding) OAuth2

Working with OAuth2 can be a real pain, whether on the client or on the server side.
The standard, published in 2012 as RFC 6749, is still a so-called Proposed Standard, and every implementer interprets it differently.
For developers the OAuth2 flow is often seen as some kind of magic, and many of them struggle to get into the topic.
In this session we will take a look at the protocol flow and the different grant types.
In addition to a theoretical overview, we will implement an OAuth2 flow in a future-proof and safe way.


Johannes Pichler

March 02, 2019


Johannes Pichler
→ Web Developer since 2006
→ PHP, Golang, .NET, Java
→ Lead Web Developer @ karriere.at

JWT - JSON Web Token
→ open standard for securely transmitting data
→ main features
  → compact
  → self-contained
→ use cases
  → authentication
  → information exchange

JWT Payload
    {
      "aud": "client-id",
      "jti": "unique identifier",
      "iat": ts,
      "nbf": ts,
      "exp": ts,
      "sub": "user identifier",
      "scopes": [ "read", "openid" ]
    }

JWT Signature
    $header  = ['alg' => 'HS256', 'typ' => 'JWT'];
    $payload = [ ... ];
    // JWT uses base64url encoding without '=' padding, not plain base64
    $b64url = function ($data) { return rtrim(strtr(base64_encode($data), '+/', '-_'), '='); };
    $signingInput = sprintf('%s.%s', $b64url(json_encode($header)), $b64url(json_encode($payload)));
    // HS256: the "crypto magic" is an HMAC-SHA256 over header.payload with the server's secret key
    $signature = $b64url(hash_hmac('sha256', $signingInput, $secret, true));
    $jwt = $signingInput . '.' . $signature;

2. Login response
    HTTP/1.1 302 Found
    Location: https://client.test/callback?code=code&state=state
    Content-Length: 0

3. Auth code - access token exchange request
    POST https://auth-server.test/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code
    &code=code
    &redirect_uri=https://client.test/callback
    &client_id=client-id
    &client_secret=client-secret

3. Auth code - access token exchange response
    {
      "token_type": "Bearer",
      "expires_in": 3600,
      "access_token": "jwt-token",
      "refresh_token": "jwt-token"
    }
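
The three steps above (redirect with code and state, then code-for-token exchange) are easier to reason about with both parties in one place. The following is an added example written for this page, not the deck's code or the PHP League server: a minimal authorization server and client in Python that walk the auth code grant, with the checks that make it safe (registered redirect_uri only, state bound to the client session and consumed once, code single-use and bound to the client and redirect_uri, client authenticated at the token endpoint). Client registration data, hostnames and the user name are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration for this example; a real server keeps this in a database
CLIENTS = {
    "client-id": {"secret": "client-secret", "redirect_uris": {"https://client.test/callback"}},
}
CODE_LIFETIME = 60  # seconds; codes are meant to be redeemed immediately


@dataclass
class AuthServer:
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, user, expires_at)
    tokens: dict = field(default_factory=dict)  # access_token -> (client_id, user)

    def authorize(self, client_id, redirect_uri, state, user):
        """Steps 1/2: the user has logged in and consented; redirect back with a code and the echoed state."""
        if redirect_uri not in CLIENTS.get(client_id, {}).get("redirect_uris", ()):
            raise ValueError("unregistered redirect_uri")  # never redirect a code to an unknown URI
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + CODE_LIFETIME)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form):
        """Step 3: exchange the code for tokens (grant_type=authorization_code)."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = CLIENTS.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        entry = self.codes.pop(form.get("code"), None)  # pop: a code can be redeemed exactly once
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, user, expires_at = entry
        # The code must come back from the client it was issued to, with the same redirect_uri, in time
        if client_id != form["client_id"] or redirect_uri != form.get("redirect_uri") or time.time() > expires_at:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, user)
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": access_token}


@dataclass
class Client:
    server: AuthServer
    pending_states: dict = field(default_factory=dict)  # in a real app: stored in the user's session

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.pending_states[state] = True
        return state

    def callback(self, location):
        """Handle the 302 back to /callback: check state, then redeem the code server-to-server."""
        query = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
        if not self.pending_states.pop(query.get("state"), False):
            raise ValueError("state mismatch: possible CSRF or injected code")
        return self.server.token({
            "grant_type": "authorization_code", "code": query["code"],
            "redirect_uri": "https://client.test/callback",
            "client_id": "client-id", "client_secret": "client-secret",
        })


def run_flow():
    """Drive one complete login; returns the token response plus the actors for inspection."""
    server, client = AuthServer(), None
    client = Client(server)
    state = client.start_login()
    location = server.authorize("client-id", "https://client.test/callback", state, user="john.doe")
    return client.callback(location), client, server, location
```

The state value is what ties the browser that started the login to the browser that finishes it; without it an attacker can log the victim into the attacker's account by feeding the victim a callback URL carrying the attacker's code. For public clients (SPAs, native apps) that cannot keep a client_secret, the code is additionally bound to the client with PKCE (RFC 7636), which this example leaves out.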

Getting data about the user
    {
      "email": "john.doe@example.com",
      "firstname": "John",
      "lastname": "Doe",
      "username": "john.doe",
      "profile-picture": "https://example.com/images/johndoe.png"
    }

OpenID Connect
→ identity layer on top of OAuth2
→ requested with the openid scope
→ id_token is delivered with the token response

... on the client
→ do not validate the access token on the client
→ you may store the expires_in timespan returned from the token request
→ leave validation to the resource server or the auth server

Token introspection
→ POST endpoint on the auth server
→ provides the token payload as plain JSON
→ tells whether the token is valid or not

Valid token
    {
      "active": true,
      "token_type": "access_token",
      "scopes": [ "read", "openid" ],
      "client_id": "client id",
      "iat": ts,
      "exp": ts,
      "sub": "user identifier",
      "jti": "unique identifier"
    }
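
The client-side slide says to leave validation to the resource server or auth server; the introspection slides show how the resource server asks. The following is an added example for this page (not from the deck or any library it names) showing both halves in Python: the auth server's introspection handler, which answers only {"active": false} for anything that is not valid, and a resource server that pulls the Bearer token from the request, introspects it and enforces scope before acting on the subject. The issued-token store and the token strings are constructed; field names follow the deck ("scopes" as a list), whereas RFC 7662 itself uses a space-separated "scope" string.

```python
import time

# Constructed auth-server state for this example: tokens it has issued, keyed by the opaque token string.
# Field names follow the deck ("scopes" as a list); RFC 7662 uses a space-separated "scope" string.
ISSUED = {
    "good-token": {"token_type": "access_token", "scopes": ["read", "openid"], "client_id": "client id",
                   "iat": 1000, "exp": 4600, "sub": "user identifier", "jti": "unique identifier"},
    "expired-token": {"token_type": "access_token", "scopes": ["read"], "client_id": "client id",
                      "iat": 1000, "exp": 1500, "sub": "other user", "jti": "another identifier"},
}


def introspect(token: str, now=None) -> dict:
    """Auth-server side of POST /introspect. Anything that is not valid yields only {"active": false}:
    the caller learns nothing about whether the token is expired, revoked or was never issued."""
    now = int(time.time()) if now is None else now
    info = ISSUED.get(token)
    if info is None or now >= info["exp"]:
        return {"active": False}
    return {"active": True, **info}


def authorize_request(headers: dict, required_scope: str, now=None):
    """Resource-server side: take the Bearer token from the request, ask the auth server,
    then enforce scope locally. Returns (http_status, body)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "invalid_request"}
    info = introspect(token, now)
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    if required_scope not in info.get("scopes", []):
        return 403, {"error": "insufficient_scope"}
    # Only now is it safe to act on behalf of the subject
    return 200, {"sub": info["sub"], "scopes": info["scopes"]}


if __name__ == "__main__":
    print(authorize_request({"Authorization": "Bearer good-token"}, "read", now=2000))
    print(authorize_request({"Authorization": "Bearer expired-token"}, "read", now=2000))
```

The 401 versus 403 split mirrors RFC 6750: a missing or invalid token is an authentication problem, a valid token without the needed scope is an authorization problem. If the resource server caches introspection results to save a round trip per request, the cache entry must not outlive the token's exp, and revocation will only take effect once the cache expires.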

Implicit grant
→ simplified form of the auth code grant
→ instead of an auth code, the access token itself is returned in the redirect
→ not recommended anymore
→ use the auth code grant instead

Client credentials grant
→ exchange client id & secret for an access token
→ used for machine-to-machine communication

Refresh token grant
→ exchange a refresh token for a new access & refresh token
→ used when the access token has expired
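
The client credentials and refresh token slides above both go through the same token endpoint, dispatched on grant_type. The following is an added example for this page (not the deck's code or the PHP League server) of that endpoint in Python. It shows the two grants side by side and, for the refresh token grant, the rotation the slide describes (a new refresh token is issued and the old one is spent) together with the reuse detection that makes rotation worthwhile: a spent refresh token presented again is treated as stolen and the whole token family is revoked. Client registration and the seed_refresh helper that stands in for an earlier login are constructed for the example.

```python
import secrets
import time

# Constructed client registration for this example (client_id -> client_secret)
CLIENTS = {"cron-client": "cron-secret"}
ACCESS_LIFETIME = 3600


class TokenEndpoint:
    def __init__(self):
        self.access = {}             # access_token -> (client_id, expires_at)
        self.refresh = {}            # refresh_token -> [client_id, family_id, spent]
        self.revoked_families = set()

    def _issue(self, client_id, family_id, now, with_refresh):
        access_token = secrets.token_urlsafe(32)
        self.access[access_token] = (client_id, now + ACCESS_LIFETIME)
        response = {"token_type": "Bearer", "expires_in": ACCESS_LIFETIME, "access_token": access_token}
        if with_refresh:
            refresh_token = secrets.token_urlsafe(32)
            self.refresh[refresh_token] = [client_id, family_id, False]
            response["refresh_token"] = refresh_token
        return response

    def handle(self, form, now=None):
        """POST /token: authenticate the client, then dispatch on grant_type."""
        now = time.time() if now is None else now
        client_id = form.get("client_id")
        if client_id not in CLIENTS or not secrets.compare_digest(CLIENTS[client_id], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "client_credentials":
            # Machine to machine: no user involved and no refresh token needed, the client can
            # simply authenticate again when the access token expires
            return self._issue(client_id, None, now, with_refresh=False)
        if grant == "refresh_token":
            entry = self.refresh.get(form.get("refresh_token"))
            if entry is None or entry[0] != client_id:
                return {"error": "invalid_grant"}
            _, family_id, spent = entry
            if spent or family_id in self.revoked_families:
                # A rotated-out refresh token came back: either the client or an attacker holds a
                # stale copy, and we cannot tell which, so revoke every token descended from this login
                self.revoked_families.add(family_id)
                return {"error": "invalid_grant"}
            entry[2] = True  # rotation: the presented refresh token is now spent
            return self._issue(client_id, family_id, now, with_refresh=True)
        return {"error": "unsupported_grant_type"}

    def seed_refresh(self, client_id, now=None):
        """Stands in for an earlier auth code grant that produced the first refresh token of a family."""
        now = time.time() if now is None else now
        return self._issue(client_id, secrets.token_urlsafe(8), now, with_refresh=True)


if __name__ == "__main__":
    endpoint = TokenEndpoint()
    print(endpoint.handle({"grant_type": "client_credentials", "client_id": "cron-client", "client_secret": "cron-secret"}))
    first = endpoint.seed_refresh("cron-client")
    print(endpoint.handle({"grant_type": "refresh_token", "refresh_token": first["refresh_token"],
                           "client_id": "cron-client", "client_secret": "cron-secret"}))
```

Rotation alone only limits how long a leaked refresh token stays useful; the family revocation is what turns a replay into a detectable event. A legitimate client that lost the response to its refresh request will also trip it and has to log in again, which is the intended trade-off.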

Which grant type should I use?

    Auth code    | Password        | Client cred   | Implicit
    -------------+-----------------+---------------+----------
    3rd party    | 1st party apps  | cronjobs      | never !
    SPAs         | internal tools  | system tasks  |
    native apps  |                 |               |

Using a cloud service
→ someone else is responsible for implementing and managing the auth stuff
→ easy to use & implement
→ SDKs are provided

Using a cloud service - downsides
→ you need to transfer your user data to the cloud
→ the whole authorization & authentication procedure is outsourced

Frameworks
→ PHP: OAuth 2.0 Server by The PHP League
→ node.js: node-oauth2-server by OAuthJS
→ Java: Spring Security OAuth2

OAuth 2 Server by The PHP League
→ provides an AuthorizationServer class
→ complete token handling included
→ you implement Repositories and Models
→ inject them into the AuthorizationServer
→ implement controllers by using the AuthorizationServer

On-premise services
→ provide you with the OAuth 2 implementation
→ allow integration with an existing identity provider
→ https://www.ory.sh

OAuth2 ...
→ a good standard for implementing an authorization system
→ has many different grant types for different use cases
→ needs to be combined with an authentication mechanism
→ defines squishy boundaries that you need to be explicit about
→ can help you centralize the auth system in your organization