(Understanding) OAuth2

Working with OAuth2 can be a real pain, whether on the client or on the server side.
The standard, introduced in 2012, is still a so-called proposed standard, and every implementer interprets it differently.
For developers the OAuth2 flow is often seen as some kind of magic, and many of them struggle to get into the topic.
In this session we will take a look at the protocol flow and the different grant flows.
In addition to the theoretical overview we will implement an OAuth2 flow in a future-proof and safe way.

Johannes Pichler

March 02, 2019

Transcript

  1. Johannes Pichler
    → Web Developer since 2006
    → PHP, Golang, .NET, Java
    → Lead Web Developer @ karriere.at

  2. karriere.at
    → biggest job platform in Austria
    → ~ 150 employees
    → ~ 40 developers

  3. Social Login

  4. Some definitions

  5. OAuth2 roles
    →resource owner
    →resource server
    →client
    →authorization server

  6. Clients
    →client_id & client_secret
    →redirect_url setup
    →grant types that can be used

  7. JWT - JSON Web Token
    →open standard for securely transmitting data
    →main features
      → compact
      → self-contained
    →use cases
      → authentication
      → information exchange

  8. JWT Header
    {
      "typ": "JWT",
      "alg": "RS256",
      "jti": "identifier"
    }

  9. JWT Payload
    {
      "aud": "client-id",
      "jti": "unique identifier",
      "iat": ts,
      "nbf": ts,
      "exp": ts,
      "sub": "user identifier",
      "scopes": [
        "read",
        "openid"
      ]
    }

  10. JWT Signature
    $header  = [ ... ];
    $payload = [ ... ];
    // JWT uses base64url without padding, not plain base64
    $b64url = fn (string $s) => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
    $signingInput = sprintf(
        '%s.%s',
        $b64url(json_encode($header)),
        $b64url(json_encode($payload))
    );
    // "crypto_magic" = sign the input with the key that matches "alg" (RS256 = RSA with SHA-256)
    $signature = $b64url(crypto_magic($signingInput));
    $jwt = $signingInput . '.' . $signature;

  11. JWT & sensitive data
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

  12. JWT & sensitive data
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
    {"alg":"HS256","typ":"JWT"}
    {"sub":"1234567890","name":"John Doe","iat":1516239022}

  13. Auth code grant

  14. Login button

  15. 1. Authorize request
    GET: https://auth-server.test/authorize
    response_type=code
    client_id=client-id
    scope=read
    state=some-state-parameter

  16. 1. Authorize response
    HTTP/1.1 302 Found
    Host: auth-server.test
    Location: /login
    Content-Length: 0

  17. 2. Login request
    POST: https://auth-server.test/login
    username=john.doe
    password=password

  18. 2. Login response
    HTTP/1.1 302 Found
    Host: auth-server.test
    Location: https://client.test/callback?code=code&state=state
    Content-Length: 0

  19. 3. Auth code - access token exchange request
    POST: https://auth-server.test/token
    grant_type=authorization_code
    client_id=client-id
    client_secret=client-secret
    code=code

  20. 3. Auth code - access token exchange response
    {
      "token_type": "Bearer",
      "expires_in": 3600,
      "access_token": "jwt-token",
      "refresh_token": "jwt-token"
    }
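
The three steps of slides 15 to 20 as an in-process Python simulation of both sides, added here and not part of the talk or its demo repository. The client registration, the user name and the token values are constructed; the flow keeps the page's parameters (response_type=code, state, client_id and client_secret) and shows why the client checks state and why an authorization code can be redeemed only once.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed client registration (slide 6): id, secret and redirect_url are set up in advance.
CLIENTS = {"client-id": {"secret": "client-secret", "redirect_uri": "https://client.test/callback"}}

class AuthServer:
    def __init__(self):
        self.codes = {}  # code -> (client_id, sub, scope); every code is single use

    def login(self, client_id, scope, state, sub):
        # Step 2: after a successful login, redirect back to the client with a one-time code
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, sub, scope)
        return CLIENTS[client_id]["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, grant_type, client_id, client_secret, code):
        # Step 3: back-channel exchange, authenticated with the client secret
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        issued = self.codes.pop(code, None)  # redeeming removes the code, so a replay fails
        if issued is None or issued[0] != client_id:
            return {"error": "invalid_grant"}
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": f"jwt-for-{issued[1]}", "refresh_token": "jwt-token"}

class Client:
    def __init__(self):
        self.session = {}

    def authorize_url(self):
        # Step 1: a fresh random state is kept in the session and sent along with the request
        self.session["state"] = secrets.token_urlsafe(16)
        return "https://auth-server.test/authorize?" + urlencode(
            {"response_type": "code", "client_id": "client-id", "scope": "read",
             "state": self.session["state"]})

    def callback(self, server, url):
        q = parse_qs(urlparse(url).query)
        expected = self.session.pop("state", None)
        if not expected or q.get("state", [None])[0] != expected:
            raise ValueError("state mismatch: this callback does not belong to our request")
        return server.token("authorization_code", "client-id", "client-secret", q["code"][0])

def run_flow(server, client):
    # Drive the three steps in-process: authorize -> login redirect -> token exchange
    state = parse_qs(urlparse(client.authorize_url()).query)["state"][0]
    redirect = server.login("client-id", "read", state, sub="john.doe")  # user authenticated
    return client.callback(server, redirect)
```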

  21. Identifying the user

  22. Getting data about the user
    GET: http://resource-server.test/profile
    Accept: application/json
    Authorization: Bearer access_token

  23. Getting data about the user
    {
      "email": "[email protected]",
      "firstname": "John",
      "lastname": "Doe",
      "username": "john.doe",
      "profile-picture": "https://example.com/images/johndoe.png"
    }

  24. OpenID Connect
    →identity layer on top of OAuth2
    →requested with openid scope
    →id_token is delivered with token response

  25. OpenID Connect
    {
      "id_token": "jwt-token",
      "token_type": "Bearer",
      "expires_in": 3600,
      "access_token": "jwt-token",
      "refresh_token": "jwt-token"
    }

  26. Token validation

  27. ... on the client
    →do not validate the token on the client
    →you may store the expires_in timespan returned from the token request
    →leave validation up to the resource server or auth server

  28. ... on the resource server
    →check expiration date
    →signature verification
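
The decoding from slides 11 and 12 and the resource-server checks from slide 28 in one added Python example (not code from the talk or its demo repository). The unverified decode runs on the HS256 token shown on slide 11; the verification mints its own token with a constructed secret, pins the algorithm to HS256 so the token header cannot choose a different one, and checks the signature before any claim is trusted.

```python
import base64, hashlib, hmac, json, time

# The token from slides 11/12 (the well-known jwt.io sample token); anyone can read its payload.
SLIDE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
               "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore the stripped padding

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    """Slides 11/12: header and payload are only base64url-encoded, not encrypted."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def sign_hs256(header, payload, secret):
    """Constructed helper so the example can mint a token and verify it offline."""
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token, secret, now=None):
    """Slide 28, resource-server side: signature first, then exp/nbf. Raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims
```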

  29. Downsides
    →resource server needs to know the public key
    →token revocation not possible

  30. Token introspection

  31. Token introspection
    →POST endpoint on the auth server
    →provides token payload as plain JSON
    →tells if token is valid or not

  32. Invalid token
    {
      "active": false
    }

  33. Valid token
    {
      "active": true,
      "token_type": "access_token",
      "scopes": [
        "read",
        "openid"
      ],
      "client_id": "client id",
      "iat": ts,
      "exp": ts,
      "sub": "user identifier",
      "jti": "unique identifier"
    }
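
Slides 31 to 33 as an added Python sketch (not the talk's code) of the introspection endpoint and of how a resource server acts on its answer. The token store, the resource-server credential and the jti values are constructed; tokens are looked up by jti in the auth server's own store, which is what makes the revocation missing on slide 29 possible.

```python
import secrets, time

class IntrospectionServer:
    """Auth-server side of the introspection endpoint (slides 31-33), constructed demo.
    Tokens are looked up by jti in the server's own store, so revocation (slide 29) works."""
    def __init__(self, rs_secret):
        self.rs_secret = rs_secret  # credential the resource server uses to call the endpoint
        self.tokens = {}            # jti -> claims of an issued access token
        self.revoked = set()

    def issue(self, jti, sub, client_id, scopes, ttl, now):
        self.tokens[jti] = {"token_type": "access_token", "scopes": list(scopes),
                            "client_id": client_id, "iat": now, "exp": now + ttl,
                            "sub": sub, "jti": jti}

    def revoke(self, jti):
        self.revoked.add(jti)

    def introspect(self, jti, caller_secret, now=None):
        """POST /introspect: the caller must authenticate; an inactive token reveals nothing
        but {"active": false} (slide 32), whatever the reason (unknown, expired, revoked)."""
        if not secrets.compare_digest(caller_secret, self.rs_secret):
            return {"error": "invalid_client"}
        now = int(time.time()) if now is None else now
        claims = self.tokens.get(jti)
        if claims is None or jti in self.revoked or now >= claims["exp"]:
            return {"active": False}
        return {"active": True, **claims}

def authorize_request(introspection, required_scope):
    """Resource-server side: act on the introspection answer. Returns (allowed, detail)."""
    if introspection.get("active") is not True:
        return False, "invalid_token"
    if required_scope not in introspection.get("scopes", []):
        return False, "insufficient_scope"
    return True, introspection["sub"]
```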

  34. Other grant types

  35. Implicit grant
    →simplified form of auth code grant
    →instead of an auth code the access token is returned
    →not recommended anymore
    →use auth code grant instead

  36. Password grant
    →username, password and client credentials exchanged against an access token
    →used for first-party applications

  37. Client credentials grant
    →exchange client id & secret against access token
    →used for machine to machine communication

  38. Refresh token grant
    →exchange the refresh token against a new access & refresh token
    →used when the access token has expired

  39. Which grant type should I use?
    Auth code:    3rd party, SPAs, native apps
    Password:     1st party apps, internal tools
    Client cred:  cronjobs, system tasks
    Implicit:     never!

  40. Implementing an OAuth2 server

  41. Using a cloud service
    →someone else is responsible for implementing and managing the auth stuff
    →easy to use & implement
    →provides SDKs

  42. Using a cloud service - downsides
    →you need to transfer your user data to the cloud
    →the whole authorization & authentication procedure is outsourced

  43. Frameworks
    →PHP: OAuth 2.0 Server by The PHP League
    →node.js: node-oauth2-server by OAuthJS
    →Java: Spring Security OAuth2

  44. OAuth 2 Server by The PHP League
    →provides AuthorizationServer class
    →complete token handling included
    →you implement Repositories and Models
    →inject them into the AuthorizationServer
    →implement controllers by using the AuthorizationServer

  45. On premise services
    →provide you with the OAuth 2 implementation
    →allow to integrate with existing identity provider
    →https://www.ory.sh

  46. OAuth2 ...
    →a good standard for implementing an authorization system
    →has many different grant types for different use cases
    →needs to be combined with an authentication mechanism
    →defines squishy boundaries that you need to be explicit about
    →can help you to centralize the auth system in your organization

  47. Resources
    →https://oauth.net/2
    →https://www.oauth.com
    →OAuth 2 in Action - Justin Richer & Antonio Sanso

  48. Talk infos
    →https://speakerdeck.com/fetzi/understanding-oauth2
    →https://github.com/fetzi/oauth2-server-demo

  49. THANKS
    @fetzi_io
