OAuth 2.0: Difference between revisions

From bibbleWiki
Jump to navigation Jump to search
← Older editNewer edit →
VisualWikitext
Line 50: Line 50:
*Refresh Token Grant
*Refresh Token Grant


===Full Authorization Code Grant Type Flow===
===Authorization Code Grant Type Flow===
The Authorization Code Grant Type is the most commonly used grant type to authorize the Client to access protected data from a Resource Server.
The Authorization Code Grant Type is the most commonly used grant type to authorize the Client to access protected data from a Resource Server.
[[File:Authorization Code Flow.png|600px]]<br>
[[File:Authorization Code Flow.png|600px]]<br>
===Step 1 - Authorization Request===
===Step 1 - Authorization Request===
To make an Authorization request we send
To make an Authorization request we send

Revision as of 11:39, 18 July 2021

Introduction

History

Previously we used

  • XML
  • SOAP
  • SAML or WS-*

Now we Use

  • JSON
  • HTTP APIs
  • OAuth and OpenID Connect

Credential Sharing

Previously we used to use credential Sharing. E.g. Problems with this are

  • We can impersonate the use
  • Issues around revocation
  • Exposed user credentials

Cookies

Next solution was cookies but CSRF and XSRF attacks were common.

API Key

Next API Key, this works well accept for where the app has no backend. E.g. Single Page App.

  • API Keys have no standard
  • Expiration management

OAuth 2.0

Features include

  • Authorization framework
  • Built for HTTP APIs
  • Scoped access (User defined what can be used)
  • Delegation Protocol

Players include

  • Protected Resource (Our API)
  • Client (requesting application)
  • Resource Owner (the user)
  • Authorization Server

Here is the flow for OAuth 2.0
How the API trusts the access token is out of scope for OAuth but if is up to the Protected Resource to do this before sending the response.

Detail

Endpoints

The Protocol endpoint are either

  • Authorization Handles all user interaction by the user agent
  • Token - This endpoint is for machines only

Scope

A scope in OAuth is a permission to do something with a protected resource. E.g. access to API, Read/Write, Feature.

Grant Types

Types

There are five Grant Types

  • Authorization Code Grant Type ()
  • Implicit Grant Type
  • Resource Owner Credentials Grant Type
  • Client Credentials Grant Type
  • Refresh Token Grant

Authorization Code Grant Type Flow

The Authorization Code Grant Type is the most commonly used grant type to authorize the Client to access protected data from a Resource Server.

Step 1 - Authorization Request

To make an Authorization request we send

  • Response Type
  • Client Id
  • Redirect Uri
  • state (optional)
  • scope parameters (optional)

Step 2 - Authorization Response

This redirect to the Url in the request and returns

  • code
  • state (optionally)

Step 3 - POST Token Request

The parameters include

  • Host (e.g. myserver.co.nz)
  • Content Type (e.g. x-www-for-urlencoded)
  • Authorization (e.g. Basic)

The POST body must include a body with


There are two forms of Basic Authentication

  • RFC 7617 Base64(client_id + ":" + client_secret)
  • RFC 67649 Base64(urlformencode(client_id) + ":" + urlformencode(client_secret))

Step 4 - Token Request Response

If successful we will get

  • access_token
  • token_type
  • expiry (in seconds)
  • scope (optional)
Retrieved from "https://www.bibble.co.nz/mediawiki/index.php?title=OAuth_2.0&oldid=5255"