Mastering OAuth 2.0
Table of Contents
Mastering OAuth 2.0
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Why Should I Care About OAuth 2.0?
Authentication versus authorization
Authentication
Authorization
What problems does it solve?
Federated identity
Delegated authority
Real-life examples of OAuth 2.0 in action
How does OAuth 2.0 actually solve the problem?
Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
With OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
Who uses OAuth 2.0?
Introducing "The World's Most Interesting Infographic Generator"
Summary
2. A Bird's Eye View of OAuth 2.0
How does it work?
User consent
Two main flows for two main types of client
Trusted versus untrusted clients
First look at the client-side flow
An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
The big picture
When should this be used?
Pros and cons of being an untrusted client
Pros
Cons
First look at the server-side flow
A trusted client – GoodApp requests access for user's Facebook friends using authorization code grant
The big picture
When should this be used?
Pros and cons of being a trusted client
Pros
Cons
What are the differences?
What about mobile?
Summary
3. Four Easy Steps
Let's get started
Step 1 – Register your client application
Different service providers, different registration process, same OAuth 2.0 protocol
Your client credentials
Step 2 – Get your access token
A closer look at access tokens
Scope
Duration of access
Token revocation
Sometimes a refresh token
Step 3 – Use your access token
An access token is an access token
Step 4 – Refresh your access token
What if I don't have a refresh token?
Refresh tokens expire too
Putting it all together
Summary
4. Register Your Application
Recap of registration process
Registering your application with Facebook
Creating your application
Setting your redirection endpoint
What is a redirection endpoint?
Find your service provider's authorization and token endpoints
Putting it all together!
Summary
5. Get an Access Token with the Client-Side Flow
Refresher on the implicit grant flow
A closer look at the implicit grant flow
Authorization request
According to the specification
In our application
Access token response
Success
Error
Let's build it!
Build the base application
Install Apache Maven
Create the project
Configure base project to fit our application
Modify the hosts file
Running it for the first time
Make the authorization request
Handle the access token response
Summary
Reference pages
Overview of the implicit grant flow
Authorization request
Access token response
Error response
6. Get an Access Token with the Server-Side Flow
Refresher on the authorization code grant flow
A closer look at the authorization code grant flow
Authorization request
According to the specification
In our application
Authorization response
Success
Error
Access token request
According to the specification
In our application
Access token response
Success
Error
Let's build it!
Build the base application
Install Apache Maven
Create the project
Configure the base project to fit our application
Modify the hosts file
Running it for the first time
Make the authorization request
Handle the authorization response
Make the access token request
Handle the access token response
Summary
Reference pages
An overview of the authorization code grant flow
Authorization request
Authorization response
Error response
Access token request
Access token response
Error response
7. Use Your Access Token
Refresher on access tokens
Use your access token to make an API call
The authorization request header field
The form-encoded body parameter
The URI query parameter
Let's build it!
In our client-side application
Send via the URI query parameter
Send via the form-encoded body parameter
In our server-side application
Send via the URI query parameter
Send via the HTTP authorization header
Creating the world's most interesting infographic
Summary
Reference pages
An overview of protected resource access
The authorization request header field
The form-encoded body parameter
The URI query parameter
8. Refresh Your Access Token
A closer look at the refresh token flow
The refresh request
According to the specification
The access token response
Success
Error
What if I have no refresh token? Or my refresh token has expired?
Comparison between the two methods
The ideal workflow
Summary
Reference pages
An overview of the refresh token flow
The refresh request
Access token response
Error response
9. Security Considerations
What's at stake?
Security best practices
Use TLS!
Request minimal scopes
When using the implicit grant flow, request read-only permissions
Keep credentials and tokens out of reach of users
Use the authorization code grant flow whenever possible
Use the refresh token whenever possible
Use native browsers instead of embedded browsers
Do not use third-party scripts in the redirection endpoint
Rotate your client credentials
Common attacks
Cross-site request forgery (CSRF)
What's going on?
Use the state param to combat CSRF
Phishing
Redirection URI manipulation
Client and user impersonation
Summary
10. What About Mobile?
What is a mobile application?
What flow should we use for mobile applications?
Are mobile applications trusted or untrusted?
What about mobile applications built on top of mobile platforms with secure storage APIs?
Not quite enough
Hybrid architectures
Implicit for mobile app, authorization code grant for backend server
What is the benefit of this?
Authorization via application instead of user-agent
Summary
11. Tooling and Troubleshooting
Tools
Troubleshooting
The implicit grant flow
The authorization request
Common issues
The authorization code grant flow
The authorization request
Common issues
The access token request
Common issues
The API call flow
The authorization request header field
Common issues
The form-encoded body parameter
Common issues
The URI query parameter
The refresh token flow
Common issues
Summary
12. Extensions to OAuth 2.0
Extensions to the OAuth 2.0 framework
Custom grant types
A variety of token types
Any authorization backend
OpenID Connect
Summary
A. Resource Owner Password Credentials Grant
When should you use it?
Reference pages
An overview of the resource owner password credentials grant
Authorization request and response
Access token request
Access token response
Error response
B. Client Credentials Grant
When should you use it?
Reference pages
Overview of the client credentials grant
Authorization request and response
Access token request
Access token response
Error response
C. Reference Specifications
The OAuth 2 Authorization Framework
The OAuth 2 Authorization Framework: Bearer Token Usage
OAuth 2.0 Token Revocation
OAuth 2.0 Threat Model and Security Considerations
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
JSON Web Token (JWT)
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
OpenID Connect Core 1.0
HTTP Authentication: Basic and Digest Access Authentication
Index