
(Understanding) OAuth2


Working with OAuth2 can be a real pain, whether on the client or on the server side.
The standard, introduced in 2012 (RFC 6749), is still a so-called Proposed Standard, and every implementer interprets it differently.
For developers the OAuth2 flow is often seen as some kind of magic, and many of them struggle to get into the topic.
In this session we will take a look at the protocol flow and the different grant types.
In addition to the theoretical overview we will implement an OAuth2 flow in a future-proof and safe way.

Johannes Pichler

March 02, 2019



  2. Johannes Pichler
      → Web Developer since 2006
      → PHP, Golang, .NET, Java
      → Lead Web Developer @ karriere.at
  3. karriere.at
      → biggest job platform in Austria
      → ~ 150 employees
      → ~ 40 developers
  5. Why OAuth2?

  9. Social Login

  11. Topics

  12. Some definitions

  13. OAuth2 roles
      → resource owner
      → resource server
      → client
      → authorization server

  14. Clients
      → client_id & client_secret
      → redirect_uri setup (the authorization server only ever redirects to URIs registered for the client)
      → grant types that can be used
  15. Tokens

  16. JWT - JSON Web Token
      → open standard (RFC 7519) for securely transmitting data
      → main features
          → compact
          → self contained
      → use cases
          → authentication
          → information exchange
  17. JWT Header
      { "typ": "JWT", "alg": "RS256", "jti": "identifier" }

  18. JWT Payload
      { "aud": "client-id", "jti": "unique identifier", "iat": ts, "nbf": ts, "exp": ts,
        "sub": "user identifier", "scopes": [ "read", "openid" ] }
  19. JWT Signature
      $header  = ['typ' => 'JWT', 'alg' => 'RS256'];                                // slide 17
      $payload = ['sub' => 'user identifier' /* plus the claims on slide 18 */];
      $b64url  = function (string $s) { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }; // JWT uses base64url without padding, not plain base64_encode()
      $signingInput = sprintf('%s.%s', $b64url(json_encode($header)), $b64url(json_encode($payload)));
      // the "crypto magic" for RS256 is RSASSA-PKCS1-v1_5 with SHA-256 over the signing input; $privateKey is the auth server's RSA private key
      openssl_sign($signingInput, $signature, $privateKey, OPENSSL_ALGO_SHA256);
      $jwt = $signingInput . '.' . $b64url($signature);
  20. JWT & sensitive data
      eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  21. JWT & sensitive data
      {"alg":"HS256","typ":"JWT"}
      {"sub":"1234567890","name":"John Doe","iat":1516239022}
      → header and payload are only base64url-encoded, not encrypted: anyone who gets hold of the token can read them
      → the signature protects integrity, not confidentiality, so keep sensitive data out of the payload

  22. Auth code grant

  24. Login button

  25. 1. Authorize request
      GET https://auth-server.test/authorize
          response_type=code
          client_id=client-id
          scope=read
          state=some-state-parameter
      → state: random and unguessable, stored in the user's session and compared on the callback (CSRF protection for the redirect)

  26. 1. Authorize response
      HTTP/1.1 302 Found
      Host: auth-server.test
      Location: /login
      Content-Length: 0
  27. 2. Login
  28. 2. Login request
      POST https://auth-server.test/login
          username=john.doe
          password=password

  29. 2. Login response
      HTTP/1.1 302 Found
      Host: auth-server.test
      Location: https://client.test/callback?code=code&state=state
      Content-Length: 0
  30. 3. Auth code - access token exchange request
      POST https://auth-server.test/token
          grant_type=authorization_code
          client_id=client-id
          client_secret=client-secret
          code=code
      → grant_type must be authorization_code; the exchange runs server to server, so the client_secret never reaches the browser
      → codes are short-lived and single use: a second exchange of the same code must fail
  31. 3. Auth code - access token exchange response
      { "token_type": "Bearer", "expires_in": 3600,
        "access_token": "jwt-token", "refresh_token": "jwt-token" }
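The three steps above, as an added example that is not part of the deck or of the demo repository: both sides of the authorization code grant simulated in one Python process, with the checks the slides only imply. It goes beyond the slides in two places a practitioner would want: the client binds `state` to its session and checks it on the callback, and the exchange is protected with PKCE (RFC 7636, the S256 method), which the OAuth 2.0 Security BCP recommends for every client. The hostnames, the registered client, the in-memory stores and the user john.doe are constructed for the example; the login form itself (slide 28) is assumed to have succeeded.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_SERVER = "https://auth-server.test"        # constructed hostnames, as on the slides
REDIRECT_URI = "https://client.test/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """First value of every query parameter of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def s256(code_verifier: str) -> str:
    """PKCE code challenge: base64url(SHA-256(code_verifier)) (RFC 7636)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self):
        # registered clients: client_id -> (client_secret, allowed redirect URIs); constructed
        self.clients = {"client-id": ("client-secret", {REDIRECT_URI})}
        self.codes = {}          # auth code -> what it was issued for
        self.access_tokens = {}  # access token -> {"sub", "scope"}

    def authorize(self, params: dict, logged_in_user: str) -> str:
        """Slides 25-29: after the user has logged in, answer the authorize
        request with a redirect to the client. Returns the Location value."""
        client = self.clients.get(params.get("client_id"))
        # exact match against the registered redirect URI, no prefix or wildcard matching
        if client is None or params.get("redirect_uri") not in client[1]:
            raise ValueError("invalid client or redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if not params.get("code_challenge") or params.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request: PKCE with S256 required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "sub": logged_in_user, "scope": params.get("scope", ""),
                            "code_challenge": params["code_challenge"]}
        # state is echoed back untouched; only the client can check it
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form: dict) -> dict:
        """Slides 30-31: the code is exchanged over the back channel, exactly once."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client[0], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        entry = self.codes.pop(form.get("code"), None)   # pop: a code is single use
        if entry is None or entry["client_id"] != form["client_id"] \
                or entry["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        # PKCE: S256(code_verifier) must equal the challenge sent in step 1, so a
        # stolen code is useless without the verifier kept by the real client
        if not secrets.compare_digest(s256(form.get("code_verifier", "")), entry["code_challenge"]):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = {"sub": entry["sub"], "scope": entry["scope"]}
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": access_token}


class Client:
    def __init__(self, server):
        self.server = server
        self.session = {}   # the user's server-side session at the client

    def login_button(self) -> str:
        """Slide 25: build the authorize URL; keep state and verifier in the session."""
        self.session["state"] = secrets.token_urlsafe(16)
        self.session["code_verifier"] = secrets.token_urlsafe(32)
        return AUTH_SERVER + "/authorize?" + urlencode({
            "response_type": "code", "client_id": "client-id", "redirect_uri": REDIRECT_URI,
            "scope": "read openid", "state": self.session["state"],
            "code_challenge": s256(self.session["code_verifier"]), "code_challenge_method": "S256"})

    def callback(self, location: str) -> dict:
        """Slides 29-31: check state against the session, then exchange the code."""
        q = query_params(location)
        expected_state = self.session.pop("state", None)
        if expected_state is None or not secrets.compare_digest(
                q.get("state", "").encode(), expected_state.encode()):
            raise ValueError("state mismatch: callback does not belong to a flow this session started")
        return self.server.token({
            "grant_type": "authorization_code", "client_id": "client-id",
            "client_secret": "client-secret", "code": q.get("code", ""),
            "redirect_uri": REDIRECT_URI, "code_verifier": self.session.pop("code_verifier")})


def run_flow(user="john.doe"):
    """The whole flow in one process; the login form (slide 28) is assumed to succeed."""
    server = AuthorizationServer()
    client = Client(server)
    location = server.authorize(query_params(client.login_button()), logged_in_user=user)
    return client.callback(location), server
```

`run_flow()` returns the token response and the server, so the three failure modes can be tried by hand: replaying the code, presenting a callback with a foreign `state`, and exchanging a code without the matching `code_verifier`; each is answered with the error code RFC 6749 prescribes.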
  32. Identifying the user

  33. Getting data about the user
      GET https://resource-server.test/profile
      Accept: application/json
      Authorization: Bearer access_token
      → bearer tokens are only as safe as the transport: the resource server must be reached over TLS only
  34. Getting data about the user
      { "email": "john.doe@example.com", "firstname": "John", "lastname": "Doe",
        "username": "john.doe", "profile-picture": "https://example.com/images/johndoe.png" }
  35. OpenID Connect
      → identity layer on top of OAuth2
      → requested with the openid scope
      → id_token is delivered with the token response
  36. OpenID Connect
      { "id_token": "jwt-token", "token_type": "Bearer", "expires_in": 3600,
        "access_token": "jwt-token", "refresh_token": "jwt-token" }
  37. Token validation

  38. ... on the client
      → do not validate the access token on the client: it is opaque to the client and addressed to the resource server
      → you may store the expires_in timespan returned from the token request to know when a refresh is due
      → leave access token validation up to the resource server or the auth server
      → the id_token of OpenID Connect is the exception: it is addressed to the client, which must verify its signature, iss, aud and exp before trusting the identity it carries
  39. ... on the resource server
      → check expiration date (exp, and nbf if present)
      → signature verification, with the algorithm pinned on the verifier side and never taken from the token header
      → check that iss is your auth server and that aud names this resource server

  40. Downsides
      → resource server needs to know the public key
      → token revocation not possible: a self-contained token stays valid until exp, whatever happened at the auth server in between
  41. Token introspection

  42. Token introspection (RFC 7662)
      → POST endpoint on the auth server, authenticated with the caller's client credentials
      → provides the token payload as plain JSON
      → tells if the token is valid (active) or not
  43. Invalid token { "active": false }

  44. Valid token
      { "active": true, "token_type": "Bearer", "scope": "read openid",
        "client_id": "client id", "iat": ts, "exp": ts,
        "sub": "user identifier", "jti": "unique identifier" }
      → field names follow RFC 7662: token_type is the token's type ("Bearer"), scope is a space-separated string
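An added example (not from the deck): a minimal RFC 7662 introspection endpoint and a resource server that calls it instead of validating a JWT itself. Access tokens here are opaque random strings kept in an in-memory store; revocation flips a flag in that store and takes effect on the next introspection, which is the capability slide 40 says self-contained tokens lack. Every failure (unknown token, expired, revoked, caller not authenticated) is answered with the same `{"active": false}`, so the endpoint cannot be used to probe. The store, the token lifetime and the resource server's introspection credentials are constructed.

```python
import secrets
import time


class TokenStore:
    """Authorization-server side: opaque access tokens plus RFC 7662 introspection."""

    def __init__(self):
        self.tokens = {}   # access token -> record
        # only authenticated callers may introspect (RFC 7662 section 2.1);
        # the resource server's credentials are constructed for the example
        self.introspection_clients = {"resource-server": "rs-secret"}

    def issue(self, sub, client_id, scope, ttl=3600, now=None):
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": sub, "client_id": client_id, "scope": scope,
                              "iat": now, "exp": now + ttl,
                              "jti": secrets.token_hex(8), "revoked": False}
        return token

    def revoke(self, token):
        """Immediate revocation: the next introspection answers active=false."""
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

    def introspect(self, caller_id, caller_secret, token, now=None):
        """POST /introspect. Unknown, expired, revoked and unauthenticated
        requests all get {"active": false}, so nothing can be probed."""
        now = int(time.time()) if now is None else now
        expected = self.introspection_clients.get(caller_id)
        if expected is None or not secrets.compare_digest(expected, caller_secret):
            return {"active": False}
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, "token_type": "Bearer", "scope": rec["scope"],
                "client_id": rec["client_id"], "sub": rec["sub"],
                "iat": rec["iat"], "exp": rec["exp"], "jti": rec["jti"]}


def authorize_request(store, authorization_header, required_scope, now=None):
    """Resource-server side: take the Bearer token from the Authorization
    header (slide 33), introspect it, enforce the scope. Returns the subject
    on success and None for anything else; the caller answers 401/403."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    token = authorization_header[len("Bearer "):].strip()
    info = store.introspect("resource-server", "rs-secret", token, now=now)
    if not info["active"]:
        return None
    if required_scope not in info["scope"].split():
        return None
    return info["sub"]
```

The price of this design is the extra round trip on every request; in practice the resource server caches introspection results for a short time, which bounds how long a revoked token keeps working.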
  45. Demo

  47. Other grant types

  48. Implicit grant
      → simplified form of the auth code grant
      → instead of an auth code the access token itself is returned in the redirect
      → not recommended anymore: the token passes through the browser (history, referrers, logs) and the client is never authenticated
      → use the auth code grant instead
  49. Password grant
      → username, password and client credentials exchanged against an access token
      → used for first party applications
      → the client handles the user's password, so the OAuth 2.0 Security BCP discourages it; the auth code grant works for first party apps too
  50. Client credentials grant
      → exchange client id & secret against an access token
      → used for machine to machine communication
  51. Refresh token grant
      → exchange refresh token against a new access & refresh token
      → used when the access token has expired
      → a refresh token is a long-lived credential: store it as carefully as a password and invalidate the old one when a new one is issued
  52. Which grant type should I use?
      Auth code    → 3rd party, SPAs, native apps
      Password     → 1st party apps, internal tools
      Client cred  → cronjobs, system tasks
      Implicit     → never!
      → SPAs and native apps cannot keep a client_secret, so they use the auth code grant with PKCE instead of a secret
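The refresh token grant of slide 51, as an added example that is not from the deck: refresh token rotation with reuse detection, the hardening the OAuth 2.0 Security BCP recommends because a refresh token is a long-lived credential. Each refresh returns a new access/refresh pair and marks the old refresh token as used; if a used refresh token shows up again, two parties hold it (the real client and a thief, whichever came second), and the whole token family descending from the original grant is revoked. The store, client ids, token lifetime and timestamps are constructed.

```python
import secrets
import time


class RefreshTokenGrant:
    """Authorization-server side of the refresh token grant with rotation and
    reuse detection. A "family" is every token descending from one grant."""

    def __init__(self):
        self.refresh = {}       # refresh token -> record (family, client_id, sub, scope, used)
        self.families = set()   # families that have not been revoked
        self.access = {}        # access token -> {"sub", "scope", "exp", "family"}

    def _issue_pair(self, family, client_id, sub, scope, now):
        access_token, refresh_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access_token] = {"sub": sub, "scope": scope, "exp": now + 3600, "family": family}
        self.refresh[refresh_token] = {"family": family, "client_id": client_id,
                                       "sub": sub, "scope": scope, "used": False}
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": access_token, "refresh_token": refresh_token}

    def first_issue(self, client_id, sub, scope, now=None):
        """The token response at the end of an auth code grant (slide 31)."""
        now = int(time.time()) if now is None else now
        family = secrets.token_hex(8)
        self.families.add(family)
        return self._issue_pair(family, client_id, sub, scope, now)

    def refresh_grant(self, form, now=None):
        """POST /token with grant_type=refresh_token (slide 51)."""
        now = int(time.time()) if now is None else now
        if form.get("grant_type") != "refresh_token":
            raise ValueError("unsupported_grant_type")
        rec = self.refresh.get(form.get("refresh_token"))
        # the refresh token is bound to the client it was issued to
        if rec is None or rec["client_id"] != form.get("client_id"):
            raise ValueError("invalid_grant")
        if rec["used"] or rec["family"] not in self.families:
            # a refresh token presented twice means two parties hold it: kill the family
            self.revoke_family(rec["family"])
            raise ValueError("invalid_grant: refresh token reuse detected, family revoked")
        rec["used"] = True   # rotation: the old refresh token is burnt
        return self._issue_pair(rec["family"], rec["client_id"], rec["sub"], rec["scope"], now)

    def revoke_family(self, family):
        self.families.discard(family)
        for token in [t for t, rec in self.access.items() if rec["family"] == family]:
            del self.access[token]

    def access_token_active(self, token, now=None):
        """What the resource server (or an introspection endpoint) would check."""
        now = int(time.time()) if now is None else now
        rec = self.access.get(token)
        return rec is not None and now < rec["exp"] and rec["family"] in self.families
```

Revoking the whole family on reuse is deliberate: the server cannot tell whether the second presenter is the legitimate client or the attacker, so it invalidates both and forces a fresh login, which is the only state it can still vouch for.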
  53. Implementing an OAuth2 server

  54. Using a cloud service
      → someone else is responsible for implementing and managing the auth stuff
      → easy to use & implement
      → providing SDKs
  55. Using a cloud service - downsides
      → you need to transfer your user data to the cloud
      → the whole authorization & authentication procedure is outsourced
  56. Frameworks
      → PHP: OAuth 2.0 Server by The PHP League
      → node.js: node-oauth2-server by OAuthJS
      → Java: Spring Security OAuth2
  57. OAuth 2 Server by The PHP League
      → provides an AuthorizationServer class
      → complete token handling included
      → you implement Repositories and Models
      → inject them into the AuthorizationServer
      → implement controllers by using the AuthorizationServer
  58. On premise services
      → provide you with the OAuth 2 implementation
      → allow to integrate with an existing identity provider
      → https://www.ory.sh
  59. Summary

  60. OAuth2 ...
      → a good standard for implementing an authorization system
      → has many different grant types for different use cases
      → needs to be combined with an authentication mechanism
      → defines squishy boundaries that you need to be explicit about
      → can help you to centralize the auth system in your organization
  61. Resources
      → https://oauth.net/2
      → https://www.oauth.com
      → OAuth 2 in Action - Justin Richer & Antonio Sanso
  62. Talk infos
      → https://speakerdeck.com/fetzi/understanding-oauth2
      → https://github.com/fetzi/oauth2-server-demo

  63. THANKS @fetzi_io