(Understanding) OAuth2

Transcript

1. None

2. Johannes Pichler → Web Developer since 2006 → PHP, Golang,

   .NET, Java → Lead Web Developer @ karriere.at

3. karriere.at → biggest job platform in Austria → ~ 150

   employees → ~ 40 developers
4. None

5. Why OAuth2?

6. None
7. None
8. None

9. Social Login

10. None

11. Topics

12. Some definitions

13. OAuth2 roles →resource owner →resource server →client →authorization server

14. Clients →client_id & client_secret →redirect_url setup →grant types that can

    be used

15. Tokens

16. JWT - JSON Web Token →open standard for securely transmitting

    data →main features → compact → self contained →Use cases → authentication → information exchange

17. JWT Header { "typ": "JWT", "alg": "RS256", "jti": "identifier" }

18. JWT Payload { "aud": "client-id", "jti": "unique identifier", "iat": ts,

    "nbf": ts, "exp": ts, "sub": "user identifier", "scopes": [ "read", "openid" ] }

19. JWT Signature $header = [ ... ]; $payload = [

    ... ]; $signature = sprintf( '%s.%s', base64_encode($header), base64_encode($payload) ); $signature = crypto_magic($signature);

20. JWT & sensitive data eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

21. JWT & sensitive data eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c {"alg":"HS256","typ":"JWT"} {"sub":"1234567890","name":"John Doe","iat":1516239022}

22. Auth code grant

23. None

24. Login button

25. 1. Authorize request GET: https: //auth-server.test/authorize response_type=code client_id=client-id scope=read state=some-state-parameter

26. 1. Authorize response HTTP/1.1 302 Found Host: auth-server.test Location: /login

    Content-Length: 0

27. 2. Login

28. 2. Login request POST: https: //auth-server.test/login username=john.doe password=password

29. 2. Login response HTTP/1.1 302 Found Host: auth-server.test Location: https:

    //client.test/callback?code=code&state=state Content-Length: 0

30. 3. Auth code - access token exchange request POST: https:

    //auth-server.test/token grant_type=code client_id=client-id client_secret=client-secret code=code

31. 3. Auth code - access token exchange response { "token_type":

    "Bearer", "expires_in": 3600, "access_token": "jwt-token", "refresh_token": "jwt-token" }

32. Identifying the user

33. Getting data about the user GET: http: //resource-server.test/profile Accept: application/json

    Authorization: Bearer access_token

34. Getting data about the user { "email": "[email protected]", "firstname": "John",

    "lastname": "Doe", "username": "john.doe", "profile-picture": "https: //example.com/images/johndoe.png" }

35. OpenID Connect →identity layer on top of OAuth2 →requested with

    openid scope →id_token is delivered with token response

36. OpenID Connect { "id_token": "jwt-token", "token_type": "Bearer", "expires_in": 3600, "access_token":

    "jwt-token", "refresh_token": "jwt-token" }

37. Token validation

38. ... on the client →do not validate token on the

    client →you may store the expires in timespan returned from the token request →leave validation up to the resource server or auth server

39. ... on the resource server →check expiration date →signature verification

40. Downsides →resource server needs to know the public key →token

    revocation not possible

41. Token introspection

42. Token introspection →POST endpoint on the auth server →provides token

    payload as plain JSON →tells if token is valid or not

43. Invalid token { "active": false }

44. Valid token { "active": true, "token_type": "access_token", "scopes": [ "read",

    "openid" ], "client_id": "client id", "iat": ts, "exp": ts, "sub": "user identifier", "jti": "unique identifier" }

45. Demo

46. None

47. Other grant types

48. Implicit grant →simplified form of auth code grant →instead of

    an auth code the access token is returned →not recommended anymore →use auth code grant instead

49. Password grant →username, password and client credentials exchanged against access

    token →used for first party applications

50. Client credentials grant →exchange client id & secret against access

    token →used for machine to machine communication

51. Refresh token grant →exchange refresh token against a new access

    & refresh token →used when access token has expired

52. Which grant type should I use? Auth code Password Client

    cred Implicit 3rd party 1st party apps cronjobs never ! SPAs internal tools system tasks native apps

53. Implementing an OAuth2 server

54. Using a cloud service →someone else is responsible for implementing

    and managing the auth stuff →easy to use & implement →providing SDK's

55. Using a cloud service - downsides →you need to transfer

    your user data to the cloud →whole authorization & authentication prodecure is outsourced

56. Frameworks →PHP: OAuth 2.0 Server by The PHP League →node.js:

    node-oauth2-server by OAuthJS →Java: Spring Security OAuth2

57. OAuth 2 Server by The PHP League →provides AuthorizationServer class

    →complete token handling included →you implement Repositories and Models →inject them into the AuthorizationServer →implement controllers by using the AuthorizationServer

58. On premise services →provide you with the OAuth 2 implementation

    →allow to integrate with existing identity provider →https://www.ory.sh

59. Summary

60. OAuth2 ... →a good standard for implementing an authorization system

    →has many different grant types for different use cases →needs to be combined with an authentication mechanism →defines squishy boundaries that you need to be explicit about →can help you to centralize the auth system in your organization

61. Resources →https://oauth.net/2 →https://www.oauth.com →OAuth 2 in Action - Justin Richer

    & Antonio Sanso

62. Talk infos →https://speakerdeck.com/fetzi/understanding-oauth2 →https://github.com/fetzi/oauth2-server-demo

63. THANKS @fetzi_io