Mastering OAuth 2.0电子书

Mastering OAuth 2.0

Table of Contents

Mastering OAuth 2.0

Credits

About the Author

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers, and more

Why subscribe?

Free access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. Why Should I Care About OAuth 2.0?

Authentication versus authorization

Authentication

Authorization

What problems does it solve?

Federated identity

Delegated authority

Real-life examples of OAuth 2.0 in action

How does OAuth 2.0 actually solve the problem?

Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends

With OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends

Who uses OAuth 2.0?

Introducing "The World's Most Interesting Infographic Generator"

Summary

2. A Bird's Eye View of OAuth 2.0

How does it work?

User consent

Two main flows for two main types of client

Trusted versus untrusted clients

First look at the client-side flow

An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant

The big picture

When should this be used?

Pros and cons of being an untrusted client

Pros

Cons

First look at the server-side flow

A trusted client – GoodApp requests access for user's Facebook friends using authorization code grant

The big picture

When should this be used?

Pros and cons of being a trusted client

Pros

Cons

What are the differences?

What about mobile?

Summary

3. Four Easy Steps

Let's get started

Step 1 – Register your client application

Different service providers, different registration process, same OAuth 2.0 protocol

Your client credentials

Step 2 – Get your access token

A closer look at access tokens

Scope

Duration of access

Token revocation

Sometimes a refresh token

Step 3 – Use your access token

An access token is an access token

Step 4 – Refresh your access token

What if I don't have a refresh token?

Refresh tokens expire too

Putting it all together

Summary

4. Register Your Application

Recap of registration process

Registering your application with Facebook

Creating your application

Setting your redirection endpoint

What is a redirection endpoint?

Find your service provider's authorization and token endpoints

Putting it all together!

Summary

5. Get an Access Token with the Client-Side Flow

Refresher on the implicit grant flow

A closer look at the implicit grant flow

Authorization request

According to the specification

In our application

Access token response

Success

Error

Let's build it!

Build the base application

Install Apache Maven

Create the project

Configure base project to fit our application

Modify the hosts file

Running it for the first time

Make the authorization request

Handle the access token response

Summary

Reference pages

Overview of the implicit grant flow

Authorization request

Access token response

Error response

6. Get an Access Token with the Server-Side Flow

Refresher on the authorization code grant flow

A closer look at the authorization code grant flow

Authorization request

According to the specification

In our application

Authorization response

Success

Error

Access token request

According to the specification

In our application

Access token response

Success

Error

Let's build it!

Build the base application

Install Apache Maven

Create the project

Configure the base project to fit our application

Modify the hosts file

Running it for the first time

Make the authorization request

Handle the authorization response

Make the access token request

Handle the access token response

Summary

Reference pages

An overview of the authorization code grant flow

Authorization request

Authorization response

Error response

Access token request

Access token response

Error response

7. Use Your Access Token

Refresher on access tokens

Use your access token to make an API call

The authorization request header field

The form-encoded body parameter

The URI query parameter

Let's build it!

In our client-side application

Send via the URI query parameter

Send via the form-encoded body parameter

In our server-side application

Send via the URI query parameter

Send via the HTTP authorization header

Creating the world's most interesting infographic

Summary

Reference pages

An overview of protected resource access

The authorization request header field

The form-encoded body parameter

The URI query parameter

8. Refresh Your Access Token

A closer look at the refresh token flow

The refresh request

According to the specification

The access token response

Success

Error

What if I have no refresh token? Or my refresh token has expired?

Comparison between the two methods

The ideal workflow

Summary

Reference pages

An overview of the refresh token flow

The refresh request

Access token response

Error response

9. Security Considerations

What's at stake?

Security best practices

Use TLS!

Request minimal scopes

When using the implicit grant flow, request read-only permissions

Keep credentials and tokens out of reach of users

Use the authorization code grant flow whenever possible

Use the refresh token whenever possible

Use native browsers instead of embedded browsers

Do not use third-party scripts in the redirection endpoint

Rotate your client credentials

Common attacks

Cross-site request forgery (CSRF)

What's going on?

Use the state param to combat CSRF

Phishing

Redirection URI manipulation

Client and user impersonation

Summary

10. What About Mobile?

What is a mobile application?

What flow should we use for mobile applications?

Are mobile applications trusted or untrusted?

What about mobile applications built on top of mobile platforms with secure storage APIs?

Not quite enough

Hybrid architectures

Implicit for mobile app, authorization code grant for backend server

What is the benefit of this?

Authorization via application instead of user-agent

Summary

11. Tooling and Troubleshooting

Tools

Troubleshooting

The implicit grant flow

The authorization request

Common issues

The authorization code grant flow

The authorization request

Common issues

The access token request

Common issues

The API call flow

The authorization request header field

Common issues

The form-encoded body parameter

Common issues

The URI query parameter

The refresh token flow

Common issues

Summary

12. Extensions to OAuth 2.0

Extensions to the OAuth 2.0 framework

Custom grant types

A variety of token types

Any authorization backend

OpenID Connect

Summary

A. Resource Owner Password Credentials Grant

When should you use it?

Reference pages

An overview of the resource owner password credentials grant

Authorization request and response

Access token request

Access token response

Error response

B. Client Credentials Grant

When should you use it?

Reference pages

Overview of the client credentials grant

Authorization request and response

Access token request

Access token response

Error response

C. Reference Specifications

The OAuth 2 Authorization Framework

The OAuth 2 Authorization Framework: Bearer Token Usage

OAuth 2.0 Token Revocation

OAuth 2.0 Thread Model and Security Considerations

Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants

Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants

JSON Web Token (JWT)

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

OpenID Connect Core 1.0

HTTP Authentication: Basic and Digest Access Authentication

Index