OAuth 2.0 Cookbook

Book description

Efficiently integrate OAuth 2.0 to protect your mobile, desktop, and cloud applications and APIs using Spring Security technologies.

About This Book

  • Interact with public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google
  • Use Spring Security and Spring Security OAuth2 to implement your own OAuth 2.0 provider
  • Learn how to implement OAuth 2.0 native mobile clients for Android applications

Who This Book Is For

This book targets software engineers and security experts who are looking to develop their skills in API security and OAuth 2.0. Prior programming knowledge and a basic understanding of developing web applications are necessary. As this book's recipes mostly use Spring Security and Spring Security OAuth2, some prior experience with Spring Framework will be helpful.

What You Will Learn

  • Use Redis and relational databases to store issued access tokens and refresh tokens
  • Access resources protected by the OAuth2 Provider using Spring Security
  • Implement a web application that dynamically registers itself to the Authorization Server
  • Improve the safety of your mobile client using dynamic client registration
  • Protect your Android client with Proof Key for Code Exchange
  • Protect the Authorization Server from invalid redirection

In Detail

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications.

The book starts by showing you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will then implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book covers practical scenarios involving important OAuth 2.0 profiles such as Dynamic Client Registration and Token Introspection, and shows how to revoke issued access tokens. Finally, you will be introduced to JWT and OpenID Connect, and to safely implementing native mobile OAuth 2.0 clients.

By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Style and approach

With the help of real-world examples, this book provides step-by-step recipes for troubleshooting and extending your API security. The book also helps you access and secure data in mobile, desktop, and cloud apps with OAuth 2.0.

Table of contents

  1. Title Page
  2. Copyright
    1. OAuth 2.0 Cookbook
  3. Credits
  4. About the Author
  5. About the Reviewer
  6. www.PacktPub.com
    1. Why subscribe?
  7. Customer Feedback
  8. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Sections
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    5. Conventions
    6. Reader feedback
    7. Customer support
      1. Downloading the example code
      2. Downloading the color images of this book
      3. Errata
      4. Piracy
      5. Questions
  9. OAuth 2.0 Foundations
    1. Introduction
    2. Preparing the environment
      1. Getting ready
      2. How to do it...
      3. See also
      4. How it works...
      5. There's more...
      6. See also
    3. Reading the user's contacts from Facebook on the client side
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    4. Reading the user's contacts from Facebook on the server side
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    5. Accessing OAuth 2.0 LinkedIn protected resources
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    6. Accessing OAuth 2.0 Google protected resources bound to the user's session
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
  10. Implementing Your Own OAuth 2.0 Provider
    1. Introduction
    2. Protecting resources using the Authorization Code grant type
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
    3. Supporting the Implicit grant type
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    4. Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    5. Configuring the Client Credentials grant type
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    6. Adding support for refresh tokens
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    7. Using a relational database to store tokens and client details
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    8. Using Redis as a token store
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    9. Implementing client registration
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    10. Breaking the OAuth 2.0 Provider in the middle
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    11. Using Gatling to load test the token validation process using shared databases
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
  11. Using OAuth 2.0 Protected APIs
    1. Introduction
    2. Creating an OAuth 2.0 client using the Authorization Code grant type
      1. Getting ready
      2. How to do it...
      3. How it works...
    3. Creating an OAuth 2.0 client using the Implicit grant type
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    4. Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    5. Creating an OAuth 2.0 client using the Client Credentials grant type
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    6. Managing refresh tokens on the client side
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    7. Accessing an OAuth 2.0 protected API with RestTemplate
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
  12. OAuth 2.0 Profiles
    1. Introduction
    2. Revoking issued tokens
      1. Getting ready
      2. How to do it...
      3. How it works...
    3. Remote validation using token introspection
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
    4. Improving performance using cache for remote validation
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    5. Using Gatling to load test remote token validation
      1. Getting ready
      2. How to do it...
      3. There's more...
      4. See also
    6. Dynamic client registration
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
  13. Self Contained Tokens with JWT
    1. Introduction
    2. Generating access tokens as JWT
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    3. Validating JWT tokens at the Resource Server side
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    4. Adding custom claims on JWT
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    5. Asymmetric signing of a JWT token
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    6. Validating asymmetric signed JWT token
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    7. Using JWE to cryptographically protect JWT tokens
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    8. Using JWE at the Resource Server side
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    9. Using proof-of-possession key semantics on OAuth 2.0 Provider
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    10. Using proof-of-possession key on the client side
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
  14. OpenID Connect for Authentication
    1. Introduction
    2. Authenticating Google's users through Google OpenID Connect
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    3. Obtaining user information from Identity Provider
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    4. Using Facebook to authenticate users
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    5. Using Google OpenID Connect with Spring Security 5
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    6. Using Microsoft and Google OpenID providers together with Spring Security 5
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
  15. Implementing Mobile Clients
    1. Introduction
    2. Preparing an Android development environment
      1. Getting ready
      2. How to do it...
      3. How it works...
    3. Creating an Android OAuth 2.0 client using an Authorization Code with the system browser
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    4. Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    5. Creating an Android OAuth 2.0 client using the embedded browser
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    6. Using the Password grant type for client apps provided by the OAuth 2 server
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. There's more...
      5. See also
    7. Protecting an Android client with PKCE
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    8. Using dynamic client registration with mobile applications
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
  16. Avoiding Common Vulnerabilities
    1. Introduction
    2. Validating the Resource Server audience
      1. Getting ready
      2. How to do it...
      3. How it works...
    3. Protecting Resource Server with scope validation
      1. Getting ready
      2. How to do it...
      3. How it works...
    4. Binding scopes with user roles to protect user's resources
      1. Getting ready
      2. How to do it...
      3. How it works...
      4. See also
    5. Protecting the client against Authorization Code injection
      1. Getting ready
      2. How to do it...
      3. How it works...
    6. Protecting the Authorization Server from invalid redirection
      1. Getting ready
      2. How to do it...
      3. How it works...

Product information

  • Title: OAuth 2.0 Cookbook
  • Author(s): Adolfo Eloy Nascimento
  • Release date: October 2017
  • Publisher(s): Packt Publishing
  • ISBN: 9781788295963