OAuth2 overview - vinhtbkit/bkit-kb GitHub Wiki
About OAuth2
- An authorization framework
- Grants a 3rd party application access to a user's protected resources
- Does not reveal the user's credentials / identity to the 3rd party application
- The client obtains an access token and uses it to access the resources
Roles
- Resource Owner: Entity that can grant access to a protected resource. Typically, this is the end-user.
- Resource Server: Server hosting the protected resources. This is the API you want to access.
- Client: Application requesting access to a protected resource on behalf of the Resource Owner.
- Authorization Server: Server that authenticates the Resource Owner and issues access tokens after getting proper authorization.
Authorization flows
Authorization Code
- Resource owners are redirected to the Authorization Server's login page and provide their credentials there
- The client takes the authorization_code returned by the Authorization Server and exchanges it for a token
- If the client runs in a browser or a mobile app, it cannot keep client_secret confidential; the secret can be extracted and abused
PKCE Enhancement
- Proof Key for Code Exchange
- Replaces client_secret with code_challenge and code_verifier
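To show where each PKCE value is produced and checked, here is an added example (not code from this wiki or from any OAuth2 library): the client derives code_challenge from a random code_verifier with the S256 method, and a constructed in-memory stand-in for the Authorization Server stores the challenge against the authorization_code it issues, then recomputes it at the token endpoint. The AuthorizationServer class, run_flow and the demo client id are assumptions made for the example; the challenge derivation itself is the one RFC 7636 specifies.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Example code added to illustrate PKCE (RFC 7636); not part of the original wiki page.
# AuthorizationServer below is a constructed in-memory stand-in for the /authorize and
# /token endpoints, kept only to show where each PKCE value is stored and checked.


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 mandates for both values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy secret per authorization request (43..128 chars)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: recompute the challenge and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


class AuthorizationServer:
    """Constructed stand-in: remembers the challenge with the code it issued, checks it at /token."""

    def __init__(self) -> None:
        # authorization_code -> (client_id, code_challenge)
        self._pending: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        # The "plain" method sends the verifier itself as the challenge; insist on S256
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        # Codes are single use: pop() means a replayed code finds nothing to redeem
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if not verify_code_verifier(entry[1], code_verifier):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer, client_id: str, verifier: str, presented_verifier: str) -> bool:
    """Drive one authorization-code exchange; True when the token endpoint accepts it."""
    code = server.authorize(client_id, make_code_challenge(verifier), "S256")
    return server.token(client_id, code, presented_verifier) is not None
```

The point of the design is that only the challenge (a hash) travels through the browser redirect, so an intercepted authorization_code is useless without the verifier that never left the client. The RFC 7636 Appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick check that the S256 derivation is right.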
Implicit
- Get ID tokens without the use of a backend server
- Should only be used to check for authentication
- No need to store a client id / secret
Resource Owner Password
- For highly trusted apps
- Authentication directly on client webapp
Client credentials
- For machine-to-machine use (e.g. a backend service calling an API)
Device code
- When authentication happens on a device on which entering text is difficult (a smart TV, ...)
Tokens
Access Tokens
- Allow an application to access an API
- Contain information regarding the user's identity or the granted scope
- Issued by the Identity Provider
  - JWT access token: self-contained; no need to call the server to validate it
  - Opaque access token: the issuer must be called to validate the token / get its info
- JWT format: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-structure
Sample JWT (decoded):
{
  "iss": "https://my-domain.auth0.com/",
  "sub": "auth0|123456",
  "aud": [
    "https://example.com/health-api",
    "https://my-domain.auth0.com/userinfo"
  ],
  "azp": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "scope": "openid profile read:patients read:admin"
}
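What "self-contained, no need to call the server" means in practice is that the resource server verifies the signature and the claims locally. The following is an added example, not code from this wiki or from Auth0: it signs the sample claims above and then validates them the way an API should (pinned algorithm, signature first, then iss, aud, exp, iat and scope). The HS256 shared key is an assumption made so the example runs offline; identity providers usually sign with RS256, where the API verifies against the issuer's published public key instead of a shared secret. validation_error and tamper_scope are helpers added for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Example code added to illustrate local validation of a JWT access token; not part of the
# original wiki page. HS256 with a shared key is an assumption for self-containment; a real
# IdP usually uses RS256 and the API verifies with the issuer's public key.

# Claims copied from the sample token on the page
SAMPLE_CLAIMS = {
    "iss": "https://my-domain.auth0.com/",
    "sub": "auth0|123456",
    "aud": ["https://example.com/health-api", "https://my-domain.auth0.com/userinfo"],
    "azp": "my_client_id",
    "exp": 1311281970,
    "iat": 1311280970,
    "scope": "openid profile read:patients read:admin",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload, then an HMAC-SHA256 over exactly that string."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_access_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                          required_scopes: Iterable[str], now: Optional[int] = None,
                          leeway: int = 60) -> dict:
    """Resource server side: no call to the issuer, just signature plus claim checks."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; the token's own header must never choose it (rejects alg=none)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only once the signature holds are the claims worth reading
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this API")
    if now > int(claims.get("exp", 0)) + leeway:
        raise ValueError("token expired")
    if int(claims.get("iat", 0)) > now + leeway:
        raise ValueError("token issued in the future")
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        raise ValueError("missing scope(s): " + " ".join(sorted(missing)))
    return claims


def validation_error(*args, **kwargs) -> Optional[str]:
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_access_token(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def tamper_scope(token: str, new_scope: str) -> str:
    """Rewrite the payload without re-signing; the validator must reject the result."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["scope"] = new_scope
    return ".".join([header_b64, b64url_encode(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])
```

Two details matter for an API doing this: the aud check is what stops a token minted for the userinfo endpoint from being accepted by the health API, and because the sample exp is a 2011 timestamp the token only validates when the clock is pinned to that era, which is the expiry check working as intended.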
ID tokens
- Used by applications to cache the user's profile
- Should never be used to access API
- Should be in JWT format
Refresh token
- Used to exchange for new access token
- Should have a longer time to live than the access token
- Should be invalidated once consumed (Refresh Token rotation)
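Refresh token rotation as described in the last two bullets, as an added example that is not part of this wiki: each refresh token is consumed on first use and replaced by a new one, and a replay of an already-consumed token is treated as evidence that a copy was stolen, so every token descended from that login (the "family") is revoked, not just the one presented. The in-memory store, the family id and the opaque tokens it hands out are constructed for the example; a real authorization server persists these records.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Example code added to illustrate refresh token rotation with reuse detection; not part of
# the original wiki page. The store is in-memory and the tokens are constructed placeholders.


class RefreshTokenStore:
    """Every refresh token is single use. Tokens descended from one login share a family id,
    so presenting an already-consumed token reveals a stolen copy and the family is revoked."""

    def __init__(self, refresh_ttl: int) -> None:
        self.refresh_ttl = refresh_ttl
        self._records: Dict[str, dict] = {}   # refresh token -> record
        self._revoked_families: set = set()

    def _mint(self, user: str, family: str, now: int) -> Tuple[str, str]:
        refresh = secrets.token_urlsafe(32)
        self._records[refresh] = {"user": user, "family": family, "consumed": False,
                                  "expires": now + self.refresh_ttl}
        access = secrets.token_urlsafe(24)  # opaque stand-in for a real access token
        return access, refresh

    def login(self, user: str, now: Optional[int] = None) -> Tuple[str, str]:
        """A fresh authentication starts a new family."""
        now = int(time.time()) if now is None else now
        return self._mint(user, secrets.token_hex(8), now)

    def rotate(self, presented: str, now: Optional[int] = None) -> Tuple[str, str]:
        """Exchange a refresh token for a new access token and a new refresh token."""
        now = int(time.time()) if now is None else now
        rec = self._records.get(presented)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self._revoked_families:
            raise PermissionError("token family revoked")
        if rec["consumed"]:
            # Reuse: two parties hold the same token and one already spent it. Treat as theft.
            self._revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        if now >= rec["expires"]:
            raise PermissionError("refresh token expired")
        rec["consumed"] = True  # invalidated once consumed
        return self._mint(rec["user"], rec["family"], now)

    def try_rotate(self, presented: str, now: Optional[int] = None) -> Tuple[str, Optional[Tuple[str, str]]]:
        """('ok', (access, refresh)) on success, otherwise (reason, None)."""
        try:
            return "ok", self.rotate(presented, now)
        except PermissionError as exc:
            return str(exc), None
```

The reuse check runs before the expiry check on purpose: a replayed token is a signal worth acting on even if it has also expired. Revoking the family costs the legitimate user one re-login, which is the intended trade for cutting off whoever holds the copy.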
References
- OAuth2 playground: https://www.oauth.com/playground/