book

Mastering OAuth 2.0

by Charles Bihis

December 2015

Beginner to intermediate

238 pages

5h 12m

English

Packt Publishing

Read now

Unlock full access

Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
What this book covers

Downloading the example codeErrataPiracyQuestions
Authentication versus authorizationAuthenticationAuthorization
Federated identityDelegated authorityReal-life examples of OAuth 2.0 in action
Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friendsWith OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
How does it work?User consentTwo main flows for two main types of clientTrusted versus untrusted clients
An untrusted client – GoodApp requests access for user's Facebook friends using implicit grantThe big pictureWhen should this be used?Pros and cons of being an untrusted clientProsCons
A trusted client – GoodApp requests access for user's Facebook friends using authorization code grantThe big pictureWhen should this be used?Pros and cons of being a trusted clientProsCons
Let's get started
Different service providers, different registration process, same OAuth 2.0 protocolYour client credentials
A closer look at access tokensScopeDuration of accessToken revocationSometimes a refresh token
An access token is an access token
What if I don't have a refresh token?Refresh tokens expire too
Recap of registration process
Creating your applicationSetting your redirection endpointWhat is a redirection endpoint?Find your service provider's authorization and token endpoints
Refresher on the implicit grant flow
Authorization requestAccording to the specificationIn our applicationAccess token responseSuccessError
Build the base applicationInstall Apache MavenCreate the projectConfigure base project to fit our applicationModify the hosts fileRunning it for the first timeMake the authorization requestHandle the access token response
Overview of the implicit grant flowAuthorization requestAccess token responseError response
Refresher on the authorization code grant flow
Authorization requestAccording to the specificationIn our applicationAuthorization responseSuccessErrorAccess token requestAccording to the specificationIn our applicationAccess token responseSuccessError
Build the base applicationInstall Apache MavenCreate the projectConfigure the base project to fit our applicationModify the hosts fileRunning it for the first timeMake the authorization requestHandle the authorization responseMake the access token requestHandle the access token response
An overview of the authorization code grant flowAuthorization requestAuthorization responseError responseAccess token requestAccess token responseError response
Refresher on access tokens
The authorization request header fieldThe form-encoded body parameterThe URI query parameter
In our client-side applicationSend via the URI query parameterSend via the form-encoded body parameterIn our server-side applicationSend via the URI query parameterSend via the HTTP authorization header
An overview of protected resource accessThe authorization request header fieldThe form-encoded body parameterThe URI query parameter
A closer look at the refresh token flowThe refresh requestAccording to the specificationThe access token responseSuccessError
Comparison between the two methods
An overview of the refresh token flowThe refresh requestAccess token responseError response
What's at stake?
Use TLS!Request minimal scopesWhen using the implicit grant flow, request read-only permissionsKeep credentials and tokens out of reach of usersUse the authorization code grant flow whenever possibleUse the refresh token whenever possibleUse native browsers instead of embedded browsersDo not use third-party scripts in the redirection endpointRotate your client credentials
Cross-site request forgery (CSRF)What's going on?Use the state param to combat CSRFPhishingRedirection URI manipulationClient and user impersonation
What is a mobile application?
Are mobile applications trusted or untrusted?What about mobile applications built on top of mobile platforms with secure storage APIs?Not quite enough
Implicit for mobile app, authorization code grant for backend serverWhat is the benefit of this?
Tools
The implicit grant flowThe authorization requestCommon issuesThe authorization code grant flowThe authorization requestCommon issuesThe access token requestCommon issuesThe API call flowThe authorization request header fieldCommon issuesThe form-encoded body parameterCommon issuesThe URI query parameterThe refresh token flowCommon issues
Extensions to the OAuth 2.0 frameworkCustom grant typesA variety of token typesAny authorization backend
When should you use it?
An overview of the resource owner password credentials grantAuthorization request and responseAccess token requestAccess token responseError response
When should you use it?
Authorization request and responseAccess token requestAccess token responseError response
The OAuth 2 Authorization Framework

Content preview from Mastering OAuth 2.0

A closer look at the authorization code grant flow

Our server-side application would like to view the profile and feed data of the user who is using the application. In order to do this, WMIIG must first get authorization from the user by sending them to the service provider's authorization endpoint, passing along with it various properties describing the request. This step is nearly identical to how we did it for the implicit grant flow, with one important difference which we will get to shortly.

Here, the user is presented with the user consent screen, where they have the option of either accepting or denying the request. Once the user either accepts or denies, the response is sent back to WMIIG via the redirection endpoint. If the user accepts, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781784395407Supplemental Content

Mastering OAuth 2.0

by Charles Bihis

A closer look at the authorization code grant flow

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

OAuth 2.0 Cookbook

Getting Started with OAuth 2.0

Securing Microservice APIs

REST API Development with Node.js: Manage and Understand the Full Capabilities of Successful REST Development

Publisher Resources

A closer look at the authorization code grant flow

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

OAuth 2.0 Cookbook

Getting Started with OAuth 2.0

Securing Microservice APIs

REST API Development with Node.js: Manage and Understand the Full Capabilities of Successful REST Development

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.