Mastering OAuth 2.0
5/5
()
About this ebook
About This Book
- Learn how to use the OAuth 2.0 protocol to interact with the world's most popular service providers, such as Facebook, Google, Instagram, Slack, Box, and more
- Master the finer details of this complex protocol to maximize the potential of your application while maintaining the utmost of security
- Step through the construction of a real-world working application that logs you in with your Facebook account to create a compelling infographic about the most important person in the world—you!
Who This Book Is For
If you are an application developer, software architect, security engineer, or even a casual programmer looking to leverage the power of OAuth, Mastering OAuth 2.0 is for you. Covering basic topics such as registering your application and choosing an appropriate workflow, to advanced topics such as security considerations and extensions to the specification, this book has something for everyone. A basic knowledge of programming and OAuth is recommended.
What You Will Learn
- Discover the power and prevalence of OAuth 2.0 and use it to improve your application's capabilities
- Step through the process of creating a real-world application that interacts with Facebook using OAuth 2.0
- Examine the various workflows described by the specification, looking at what they are and when to use them
- Learn about the many security considerations involved with creating an application that interacts with other service providers
- Develop your debugging skills with dedicated pages for tooling and troubleshooting
- Build your own rich, powerful applications by leveraging world-class technologies from companies around the world
In Detail
OAuth 2.0 is a powerful authentication and authorization framework that has been adopted as a standard in the technical community. Proper use of this protocol will enable your application to interact with the world's most popular service providers, allowing you to leverage their world-class technologies in your own application. Want to log your user in to your application with their Facebook account? Want to display an interactive Google Map in your application? How about posting an update to your user's LinkedIn feed? This is all achievable through the power of OAuth.
With a focus on practicality and security, this book takes a detailed and hands-on approach to explaining the protocol, highlighting important pieces of information along the way.
At the beginning, you will learn what OAuth is, how it works at a high level, and the steps involved in creating an application. After obtaining an overview of OAuth, you will move on to the second part of the book where you will learn the need for and importance of registering your application and types of supported workflows. You will discover more about the access token, how you can use it with your application, and how to refresh it after expiration.
By the end of the book, you will know how to make your application architecture robust. You will explore the security considerations and effective methods to debug your applications using appropriate tools. You will also have a look at special considerations to integrate with OAuth service providers via native mobile applications. In addition, you will also come across support resources for OAuth and credentials grant.
Style and approach
With a focus on practicality and security, Mastering OAuth 2.0 takes a top-down approach at exploring the protocol. Discussed first at a high level, examining the importance and overall structure of the protocol, the book then dives into each subject, adding more depth as we proceed. This all culminates in an example application that will be built, step by step, using the valuable and practical knowledge you have gained.
Related to Mastering OAuth 2.0
Related ebooks
OAuth 2 in Action Rating: 0 out of 5 stars0 ratingsRESTful API Design - Best Practices in API Design with REST: API-University Series, #3 Rating: 5 out of 5 stars5/5OpenID Connect - End-user Identity for Apps and APIs: API-University Series, #6 Rating: 0 out of 5 stars0 ratingsBuilding a RESTful Web Service with Spring Rating: 5 out of 5 stars5/5Designing APIs with Swagger and OpenAPI Rating: 0 out of 5 stars0 ratingsMicroservices Deployment Cookbook Rating: 0 out of 5 stars0 ratingsAPI Security in Action Rating: 5 out of 5 stars5/5Hands-On Microservices with Kubernetes: Build, deploy, and manage scalable microservices on Kubernetes Rating: 5 out of 5 stars5/5Building Microservices with .NET Core Rating: 1 out of 5 stars1/5Kubernetes Native Microservices with Quarkus and MicroProfile Rating: 0 out of 5 stars0 ratingsSoftware Mistakes and Tradeoffs: How to make good programming decisions Rating: 0 out of 5 stars0 ratingsServerless Architectures on AWS: With examples using AWS Lambda Rating: 0 out of 5 stars0 ratingsKnative in Action Rating: 0 out of 5 stars0 ratingsAPI Design Patterns Rating: 5 out of 5 stars5/5Bootstrapping Microservices with Docker, Kubernetes, and Terraform: A project-based guide Rating: 3 out of 5 stars3/5Devops in Practice: Reliable and automated software delivery Rating: 1 out of 5 stars1/5Enterprise API Management: Design and deliver valuable business APIs Rating: 0 out of 5 stars0 ratingsMicroservices with .Net Core Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratingsMicroservices Security in Action Rating: 0 out of 5 stars0 ratingsThe Design of Web APIs Rating: 0 out of 5 stars0 ratingsMicroservices in Action Rating: 0 out of 5 stars0 ratingsPractical DevOps Rating: 3 out of 5 stars3/5Microservices Patterns: With examples in Java Rating: 5 out of 5 stars5/5Dependency Injection Principles, Practices, and Patterns Rating: 5 out of 5 stars5/5Cloud Native Patterns: Designing change-tolerant software Rating: 4 out of 5 stars4/5Learning DevOps: Continuously Deliver Better Software Rating: 5 out of 5 stars5/5Docker in Action, Second Edition Rating: 3 out of 5 stars3/5Pipeline as Code: Continuous Delivery with Jenkins, Kubernetes, and Terraform Rating: 3 out of 5 stars3/5Dependency Injection: Design patterns using Spring and Guice Rating: 0 out of 5 stars0 ratings
Security For You
How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5IAPP CIPP / US Certified Information Privacy Professional Study Guide Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5Mike Meyers CompTIA Security+ Certification Passport, Sixth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Make Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5How I Rob Banks: And Other Such Places Rating: 0 out of 5 stars0 ratingsCodes and Ciphers - A History of Cryptography Rating: 4 out of 5 stars4/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratingsHow to Hack Like a Pornstar Rating: 5 out of 5 stars5/5Hacking For Dummies Rating: 4 out of 5 stars4/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsEthical Hacking 101 - How to conduct professional pentestings in 21 days or less!: How to hack, #1 Rating: 5 out of 5 stars5/5Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5CompTIA Network+ Certification Guide (Exam N10-008): Unleash your full potential as a Network Administrator (English Edition) Rating: 0 out of 5 stars0 ratingsSocial Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Hands on Hacking: Become an Expert at Next Gen Penetration Testing and Purple Teaming Rating: 3 out of 5 stars3/5Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Rating: 4 out of 5 stars4/5Ultimate Guide for Being Anonymous: Hacking the Planet, #4 Rating: 5 out of 5 stars5/5
Reviews for Mastering OAuth 2.0
1 rating1 review
- Rating: 5 out of 5 stars5/5well presented the complex part .recommended to read to get good idea on oauth
Book preview
Mastering OAuth 2.0 - Bihis Charles
Table of Contents
Mastering OAuth 2.0
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Why Should I Care About OAuth 2.0?
Authentication versus authorization
Authentication
Authorization
What problems does it solve?
Federated identity
Delegated authority
Real-life examples of OAuth 2.0 in action
How does OAuth 2.0 actually solve the problem?
Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
With OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
Who uses OAuth 2.0?
Introducing The World's Most Interesting Infographic Generator
Summary
2. A Bird's Eye View of OAuth 2.0
How does it work?
User consent
Two main flows for two main types of client
Trusted versus untrusted clients
First look at the client-side flow
An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
The big picture
When should this be used?
Pros and cons of being an untrusted client
Pros
Cons
First look at the server-side flow
A trusted client – GoodApp requests access for user's Facebook friends using authorization code grant
The big picture
When should this be used?
Pros and cons of being a trusted client
Pros
Cons
What are the differences?
What about mobile?
Summary
3. Four Easy Steps
Let's get started
Step 1 – Register your client application
Different service providers, different registration process, same OAuth 2.0 protocol
Your client credentials
Step 2 – Get your access token
A closer look at access tokens
Scope
Duration of access
Token revocation
Sometimes a refresh token
Step 3 – Use your access token
An access token is an access token
Step 4 – Refresh your access token
What if I don't have a refresh token?
Refresh tokens expire too
Putting it all together
Summary
4. Register Your Application
Recap of registration process
Registering your application with Facebook
Creating your application
Setting your redirection endpoint
What is a redirection endpoint?
Find your service provider's authorization and token endpoints
Putting it all together!
Summary
5. Get an Access Token with the Client-Side Flow
Refresher on the implicit grant flow
A closer look at the implicit grant flow
Authorization request
According to the specification
In our application
Access token response
Success
Error
Let's build it!
Build the base application
Install Apache Maven
Create the project
Configure base project to fit our application
Modify the hosts file
Running it for the first time
Make the authorization request
Handle the access token response
Summary
Reference pages
Overview of the implicit grant flow
Authorization request
Access token response
Error response
6. Get an Access Token with the Server-Side Flow
Refresher on the authorization code grant flow
A closer look at the authorization code grant flow
Authorization request
According to the specification
In our application
Authorization response
Success
Error
Access token request
According to the specification
In our application
Access token response
Success
Error
Let's build it!
Build the base application
Install Apache Maven
Create the project
Configure the base project to fit our application
Modify the hosts file
Running it for the first time
Make the authorization request
Handle the authorization response
Make the access token request
Handle the access token response
Summary
Reference pages
An overview of the authorization code grant flow
Authorization request
Authorization response
Error response
Access token request
Access token response
Error response
7. Use Your Access Token
Refresher on access tokens
Use your access token to make an API call
The authorization request header field
The form-encoded body parameter
The URI query parameter
Let's build it!
In our client-side application
Send via the URI query parameter
Send via the form-encoded body parameter
In our server-side application
Send via the URI query parameter
Send via the HTTP authorization header
Creating the world's most interesting infographic
Summary
Reference pages
An overview of protected resource access
The authorization request header field
The form-encoded body parameter
The URI query parameter
8. Refresh Your Access Token
A closer look at the refresh token flow
The refresh request
According to the specification
The access token response
Success
Error
What if I have no refresh token? Or my refresh token has expired?
Comparison between the two methods
The ideal workflow
Summary
Reference pages
An overview of the refresh token flow
The refresh request
Access token response
Error response
9. Security Considerations
What's at stake?
Security best practices
Use TLS!
Request minimal scopes
When using the implicit grant flow, request read-only permissions
Keep credentials and tokens out of reach of users
Use the authorization code grant flow whenever possible
Use the refresh token whenever possible
Use native browsers instead of embedded browsers
Do not use third-party scripts in the redirection endpoint
Rotate your client credentials
Common attacks
Cross-site request forgery (CSRF)
What's going on?
Use the state param to combat CSRF
Phishing
Redirection URI manipulation
Client and user impersonation
Summary
10. What About Mobile?
What is a mobile application?
What flow should we use for mobile applications?
Are mobile applications trusted or untrusted?
What about mobile applications built on top of mobile platforms with secure storage APIs?
Not quite enough
Hybrid architectures
Implicit for mobile app, authorization code grant for backend server
What is the benefit of this?
Authorization via application instead of user-agent
Summary
11. Tooling and Troubleshooting
Tools
Troubleshooting
The implicit grant flow
The authorization request
Common issues
The authorization code grant flow
The authorization request
Common issues
The access token request
Common issues
The API call flow
The authorization request header field
Common issues
The form-encoded body parameter
Common issues
The URI query parameter
The refresh token flow
Common issues
Summary
12. Extensions to OAuth 2.0
Extensions to the OAuth 2.0 framework
Custom grant types
A variety of token types
Any authorization backend
OpenID Connect
Summary
A. Resource Owner Password Credentials Grant
When should you use it?
Reference pages
An overview of the resource owner password credentials grant
Authorization request and response
Access token request
Access token response
Error response
B. Client Credentials Grant
When should you use it?
Reference pages
Overview of the client credentials grant
Authorization request and response
Access token request
Access token response
Error response
C. Reference Specifications
The OAuth 2 Authorization Framework
The OAuth 2 Authorization Framework: Bearer Token Usage
OAuth 2.0 Token Revocation
OAuth 2.0 Thread Model and Security Considerations
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
JSON Web Token (JWT)
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
OpenID Connect Core 1.0
HTTP Authentication: Basic and Digest Access Authentication
Index
Mastering OAuth 2.0
Mastering OAuth 2.0
Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: December 2015
Production reference: 1081215
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78439-540-7
www.packtpub.com
Credits
Author
Charles Bihis
Reviewers
Shubham Jindal
Oleg Mikheev
Commissioning Editor
Pramila Balan
Acquisition Editors
Richard Harvey
Aaron Lazar
Content Development Editor
Rohit Singh
Technical Editor
Siddhi Rane
Copy Editors
Janbal Dharmaraj
Kevin McGowan
Project Coordinator
Mary Alex
Proofreader
Safis Editing
Indexer
Priya Sane
Graphics
Kirk D'Penha
Production Coordinator
Komal Ramchandani
Cover Work
Komal Ramchandani
About the Author
Charles Bihis is a scientist and engineer from Vancouver, Canada. Earning his degree in computer science from the University of British Columbia, specializing in software engineering, he enjoys exploring the boundaries of technology. He believes that technology is the key to enriching the lives of everyone around us and strives to solve problems people face every day. Reach out to him on his website, www.whoischarles.com, and let's solve the world's problems together!
This work would not have been possible without the help of my colleagues, friends, and family. A special thanks goes to my teammates on the Identity Platform team at Adobe for the years of guidance and tutelage. I'd also like to thank my friends for their constant support and encouragement. And finally, I'd like to thank my family, especially my wife, for their ceaseless confidence in all that I do.
About the Reviewers
Shubham Jindal has an avid interest in programming and is currently pursuing his degree in computer science and engineering from Indian Institute of Technology, Delhi. Leaning towards JavaScript, he breathes computers and can be easily spotted hacking around with things, scripting or inspecting elements on the Web. Being a clinophile, he believes in doing smart work. Inclined towards music since childhood, you can inevitably find him with his earphones plugged in.
He is always agog for new opportunities and is striving to establish his very own start-up.
I would like to thank Dr. Karthikeyan Bhargavan—my INRIA's internship mentor, parents, friends, and Vartika Garg—my partner in crime, for their help in producing this book.
Oleg Mikheev is a computer science enthusiast with over 17 years background both in industry and academia, holding a PhD from one of the top Russian universities. He has completed numerous projects in industries where security is always a top priority—finance, insurance, government.
The list of clients Oleg has worked for includes names such as UBS, CSFB and NYSE, where he has applied a full stack of technologies, specifically IBM WebSphere. Lately, Oleg is focused on start-up ventures, currently working in a financial start-up, Personal Capital.
He has authored a number of articles for the Java World journal, contributed to open source projects and reviewed a book on Struts 2.
I would like to thank Mary Alex for her exceptional work and would like to wish her the best of luck with her married life.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Preface
The Internet is a thriving and dynamic ecosystem. Living and playing within this ecosystem are many world-class services, all offering world-class technologies. Think about the massive social graph that Facebook hosts, the most up-to-date mapping system proudly owned and operated by Google, or the ever-growing professional network that is available from LinkedIn. All of these companies, and more, are presenting their world-class technologies for the world to use!
Until recently, it was very difficult to access these technologies in your own applications. Each company would create their own protocols for how to access and leverage their respective technologies. You may have heard of Yahoo!'s BBAuth, or Google's AuthSub. These are just a couple of examples of proprietary protocols created to allow people to leverage these company's services. Unfortunately, the trend of creating and using proprietary protocols just doesn't scale. Enter OAuth 2.0.
OAuth 2.0 is an open protocol for delegating authorization to such services, and it has become the standard authorization protocol used by companies around the world. It allows developers like you and I to access these world-class technologies and use them in our own applications! It is a fascinating problem space with an equally fascinating and elegant solution.
I've been lucky enough to work in the Identity space for the past 7 years, and during this time, I've been able to witness the evolution and progression of this protocol. Mastering OAuth 2.0 is an attempt at distilling the most important parts of the protocol, including design and usage. With a hard focus on practicality and security, this book focuses on the parts of integration that will give application developers like you and I the most benefit and mileage.
As OAuth 2.0 continues to gain adoption, and more and more services become available for developers to integrate with and leverage, I'm hoping that this book will allow you to be able to comfortably dive in and start building the next generation of world-class applications and technologies!
What this book covers
Chapter 1, Why Should I Care About OAuth 2.0?, introduces the OAuth 2.0 protocol, and discusses its purpose, prevalence, and importance.
Chapter 2, A Bird's Eye View of OAuth 2.0, takes a high-level look at the OAuth 2.0 protocol and the different workflows it describes.
Chapter 3, Four Easy Steps, enumerates the simple steps necessary to integrate with a service provider using the OAuth 2.0 protocol.
Chapter 4, Register Your Application, details the first of these four steps which covers registering your application with the service provider.
Chapter 5, Get an Access Token with the Client-Side Flow, discusses the complicated topic of gaining access to a protected resource from what we call an untrusted client.
Chapter 6, Get an Access Token with the Server-Side Flow, discusses the complicated topic of gaining access to a protected resource from what we call a trusted client.
Chapter 7, Use Your Access Token, outlines the process for exercising access to a resource once it has been granted to you.
Chapter 8, Refresh Your