OAuth2 overview - vinhtbkit/bkit-kb GitHub Wiki

About OAuth2

  • An authorization framework
  • Grants a third-party application access to a user's protected resources
  • Does not reveal the user's credentials / identity to the third-party application
  • The client obtains an access token and uses it to access the resources

Roles

  • Resource Owner: Entity that can grant access to a protected resource. Typically, this is the end-user.
  • Resource Server: Server hosting the protected resources. This is the API you want to access.
  • Client: Application requesting access to a protected resource on behalf of the Resource Owner.
  • Authorization Server: Server that authenticates the Resource Owner and issues access tokens after getting proper authorization.


Authorization flows

Authorization Code

  • Resource owners are redirected to the OAuth2 login page, where they provide their credentials
  • The client exchanges the authorization_code it receives from the Authorization Server for tokens
  • Used as-is from a browser or mobile app, this flow exposes the client_secret in the web / app code, where it can be extracted and exploited

PKCE Enhancement

  • Proof Key for Code Exchange
  • Replaces the client_secret with a code_challenge / code_verifier pair
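The two bullets above (Authorization Code, then PKCE) are easiest to see end to end. The following is an added example, not code from this wiki: a client that derives an S256 code_challenge from a random code_verifier, and a toy in-memory authorization server that only exchanges a code when the presented verifier hashes to the stored challenge. The endpoint URL, client id and redirect URI are hypothetical; the challenge derivation itself follows RFC 7636.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

# Hypothetical endpoints and client id, used for illustration only.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "example_public_client"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy random verifier (43-128 chars); it never leaves the client."""
    return b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 chars


def make_code_challenge(verifier: str) -> str:
    """S256: challenge = base64url(sha256(verifier)). This is what goes in the authorize request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str) -> str:
    """The redirect the client sends the resource owner to (no client_secret anywhere)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Toy in-memory authorization server: remembers the challenge bound to each
    issued code and exchanges the code only for a verifier that hashes to it."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}  # authorization_code -> code_challenge

    def issue_code(self, challenge: str) -> str:
        # Stands in for the user logging in and being redirected back with ?code=...
        code = secrets.token_urlsafe(24)
        self._codes[code] = challenge
        return code

    def exchange(self, code: str, verifier: str) -> Optional[str]:
        # Codes are single use: pop removes it whether or not the verifier matches.
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(16)  # constructed opaque token


def run_flow(server: AuthorizationServer, intercepted: bool = False) -> Optional[str]:
    """Client side of the flow. With intercepted=True the code is presented by a party
    that saw the redirect but not the verifier, which is the case PKCE defends against."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    build_authorize_url(challenge, state=secrets.token_urlsafe(8))
    code = server.issue_code(challenge)
    presented = make_code_verifier() if intercepted else verifier
    return server.exchange(code, presented)
```

Because the server stores only the hash, a leaked authorization code is worthless without the verifier held by the client that started the flow, which is why the secret no longer has to ship inside a public app.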

Implicit

  • Gets ID tokens without a backend site
  • Should only be used to check for authentication
  • No need to store a client id / secret

Resource Owner Password

  • For highly trusted apps
  • Authentication happens directly on the client web app

Client credentials

  • For machine-to-machine use (e.g. a backend service)

Device code

  • For authentication on a device where entering text is difficult (smart TV, ...)

Tokens

Access Tokens

Sample JWT (decoded):

```json
{
  "iss": "https://my-domain.auth0.com/",
  "sub": "auth0|123456",
  "aud": [
    "https://example.com/health-api",
    "https://my-domain.auth0.com/userinfo"
  ],
  "azp": "my_client_id",
  "exp": 1311281970,
  "iat": 1311280970,
  "scope": "openid profile read:patients read:admin"
}
```

ID tokens

  • Used by applications to cache the user's profile
  • Should never be used to access an API
  • Should be in JWT format
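The sample access token above and the rule that an ID token must never be used to call an API both come down to what the resource server checks before honouring a bearer token. The following is an added example, not code from this wiki: it mints a JWT over the page's sample claims and then validates it the way a resource server should (signature first, then iss, aud, exp and scope). The HS256 shared secret, issuer and API audience are constructed for the example; a real API would verify an asymmetric signature against the issuer's published keys, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed demo values. A real API validates signatures with the issuer's
# published public keys (e.g. RS256 via a JWKS endpoint); HS256 with a shared
# secret is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-hmac-key-do-not-reuse"
EXPECTED_ISSUER = "https://my-domain.auth0.com/"
API_AUDIENCE = "https://example.com/health-api"

# The decoded access token from the page, reused as sample claims.
SAMPLE_ACCESS_CLAIMS: Dict[str, Any] = {
    "iss": "https://my-domain.auth0.com/",
    "sub": "auth0|123456",
    "aud": ["https://example.com/health-api", "https://my-domain.auth0.com/userinfo"],
    "azp": "my_client_id",
    "exp": 1311281970,
    "iat": 1311280970,
    "scope": "openid profile read:patients read:admin",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any]) -> str:
    """Mint a compact JWT over `claims` (stands in for the Authorization Server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(DEMO_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token: str, now: int, required_scope: str) -> Optional[Dict[str, Any]]:
    """Resource-server side: return the claims if the token may call this API, else None.

    The signature is checked before any claim is trusted.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm instead of honouring whatever the token's header says.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(DEMO_SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    # An ID token carries the client_id as its audience, so it fails this check:
    # it tells the app who the user is, not that the app may call this API.
    if API_AUDIENCE not in aud:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims
```

The audience check is what enforces the ID-token rule mechanically: a token whose aud is the client id rather than the API's identifier is rejected even when its signature and issuer are valid.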

Refresh token

  • Used to exchange for a new access token
  • Should have a longer time to live than the access token
  • Should be invalidated once consumed (refresh token rotation)
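Refresh token rotation as described above, plus the reuse detection that usually accompanies it, in an added example that is not code from this wiki. The store is an in-memory stand-in for the Authorization Server's token database; token values and TTLs are constructed for the example. A consumed token presented a second time cannot be distinguished from a stolen copy, so the store revokes the whole token family and the user has to authenticate again.

```python
import secrets
from typing import Any, Dict, Optional, Set, Tuple

# Constructed TTLs: the refresh token outlives the access token, as the page recommends.
ACCESS_TTL_SECONDS = 15 * 60
REFRESH_TTL_SECONDS = 30 * 24 * 3600


class RefreshTokenStore:
    """Toy in-memory refresh token store with rotation and reuse detection."""

    def __init__(self, access_ttl: int = ACCESS_TTL_SECONDS, refresh_ttl: int = REFRESH_TTL_SECONDS) -> None:
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self._tokens: Dict[str, Dict[str, Any]] = {}  # refresh token -> record
        self._revoked_families: Set[str] = set()

    def issue(self, subject: str, now: int, family: Optional[str] = None) -> Tuple[str, str]:
        """Return (access_token, refresh_token). A new login starts a new family;
        a rotation keeps the family id so reuse can be traced back to it."""
        family = family or secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)
        self._tokens[refresh] = {
            "family": family,
            "sub": subject,
            "exp": now + self.refresh_ttl,
            "consumed": False,
        }
        access = f"access-{subject}-{secrets.token_urlsafe(8)}"  # constructed stand-in for a real access token
        return access, refresh

    def refresh(self, refresh_token: str, now: int) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a new pair, or None if it is unknown, expired,
        belongs to a revoked family, or has already been consumed."""
        rec = self._tokens.get(refresh_token)
        if rec is None or rec["family"] in self._revoked_families or now >= rec["exp"]:
            return None
        if rec["consumed"]:
            # Replay of an already-consumed token. Either the legitimate client or an
            # attacker holds a stale copy and we cannot tell which, so revoke the family.
            self._revoked_families.add(rec["family"])
            return None
        rec["consumed"] = True  # invalidate on use: the core of rotation
        return self.issue(rec["sub"], now, family=rec["family"])

    def family_of(self, refresh_token: str) -> Optional[str]:
        rec = self._tokens.get(refresh_token)
        return rec["family"] if rec else None

    def is_family_revoked(self, family: str) -> bool:
        return family in self._revoked_families
```

Revoking by family rather than by single token is the part worth copying: without it, an attacker who wins the race after a theft keeps a valid chain while the real client is merely logged out.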
