Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What the Heck is OAuth - Boulder JUG 2023

Matt Raible
February 07, 2023

What the Heck is OAuth - Boulder JUG 2023

There’s a lot of confusion around what OAuth actually is.

Some people think OAuth is a login flow (like when you sign into an application with Google Login), and some people think of OAuth as a “security thing”, and don’t really know much more than that.

I’m going to show you what OAuth is, explain how it works, and hopefully leave you with a sense of how and where OAuth can benefit your application.

Related blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth

Matt Raible

February 07, 2023
Tweet

More Decks by Matt Raible

Other Decks in Technology

Transcript

  1. Matt Raible | @mraible
    What the Heck is OAuth?
    February 7, 2023 Photo by Jeff Burak https://unsplash.com/photos/lPO0VzF_4s8

    View full-size slide

  2. @mraible
    Hi, I’m Matt Raible
    Father, Husband, Skier, Mountain Biker,
    Whitewater Rafter


    Bus Lover


    Web Developer and Java Champion


    Okta Developer Advocate


    Blogger on raibledesigns.com and
    developer.okta.com/blog

    View full-size slide

  3. developer.okta.com

    View full-size slide

  4. developer.auth0.com

    View full-size slide

  5. Authentication Standards

    View full-size slide

  6. Have you heard of OAuth or OIDC?


    Do you consider yourself a developer?


    Have you ever written authentication
    from scratch?


    Have you implemented OAuth or OIDC?


    Why are you here?
    What about You?

    View full-size slide

  7. OAuth 2.0 Overview
    OAuth 2.0 Overview

    View full-size slide

  8. Web Authentication
    GET /index.html HTTP/1.1


    Host: www.example.com


    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    View full-size slide

  9. Federated Identity
    Identity Provider
    (IdP)
    Service Provider
    (SP)
    End User
    Trust
    Obtains Assertion Provides Assertion

    View full-size slide

  10. SAML 2.0
    OASIS Standard, 15 March 2005
    Authentication Request
    Protocol
    Assertion

    View full-size slide

  11. SAML 2.0 Authentication Request Protocol

    View full-size slide

  12. SAML 2.0 Assertion
    IssueInstant="2004-12-05T09:22:05"
    https://example.okta.com
    ...


    [email protected]






    https://sp.example.com/saml2/sso





    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport





    Matt Raible



    View full-size slide

  13. SAML = Web SSO

    View full-size slide

  14. What’s
    Changed


    Since


    2005?

    View full-size slide

  15. An open standard for authorization; anyone can implement it


    Provides “secure delegated access” to client applications


    Works over HTTPS and authorizes:


    Devices


    APIs


    Servers


    Applications


    … with access tokens rather than credentials
    What is OAuth?

    View full-size slide

  16. Simple login — basic, forms, & cookies


    Single sign-on across sites — SAML


    Mobile app login — N/A


    Delegated authorization — N/A
    Identity Use Cases (circa 2006)

    View full-size slide

  17. The Delegated Authorization Problem
    How can you let a website access your data


    (without giving it your password)?

    View full-size slide

  18. Don’t do it this way!

    View full-size slide

  19. Have you ever seen one of these?

    View full-size slide

  20. © Okta and/or its affiliates. All rights reserved. Okta Confidential

    View full-size slide

  21. Hotel Key Cards, but for Apps

    View full-size slide

  22. Hotel Key Cards, but for Apps
    OAuth Authorization Server Resource (API)
    Access Token

    View full-size slide

  23. Delegated Authorization with OAuth 2.0
    I trust Gmail and I kind of
    trust Yelp. I want Yelp to have
    access to my contacts only.
    yelp.com
    Connect with Google

    View full-size slide

  24. Delegated Authorization with OAuth 2.0
    yelp.com
    Connect with Google
    accounts.google.com
    Email
    **********
    accounts.google.com



    Allow Yelp to access your public
    profile and contacts?
    No Yes
    contacts.google
    yelp.com/callback

    View full-size slide

  25. OAuth Simplified
    App requests authorization from User
    1
    User authorizes App and delivers proof
    2
    App presents proof of authorization to server to get a Token
    3
    Token is restricted to only access what the User authorized
    for the specific App
    4

    View full-size slide

  26. Actors


    Clients


    Authorization Server


    Resource Server


    Access Tokens


    Redirect URI
    OAuth 2.0 Terminology

    View full-size slide

  27. Authorization

    Server (AS)
    Resource
    Owner (RO) Client
    Delegates
    Obtains Token
    Uses Token
    Resource

    Server (RS)
    Actors

    View full-size slide

  28. Authorization

    Server (AS)
    Resource
    Owner (RO) Client
    Delegates
    Obtains Token
    Uses Token
    Resource

    Server (RS)
    Actors

    View full-size slide

  29. Clients
    Public


    (Client Identification)
    Confidential

    (Client Authentication)

    View full-size slide

  30. Clients
    Client Registration is the DMV of OAuth

    View full-size slide

  31. Authorization Server
    Authorize Endpoint


    (/oauth2/authorize)
    Token Endpoint


    (/oauth2/token)
    Authorization Server
    Authorization Grant
    Refresh Token
    Access Token
    Introspection Endpoint


    (/oauth2/introspect)
    Revocation Endpoint


    (/oauth2/revoke)

    View full-size slide

  32. Tokens
    • Short-lived token used by
    Client to access Resource
    Server (API)


    • Opaque to the Client


    • No client authentication
    required (Public Clients)


    • Optimized for scale and
    performance


    • Revocation is dependent on
    implementation
    Access Token (Required)
    • Long-lived token that is used
    by Client to obtain new
    access tokens from
    Authorization Server


    • Usually requires
    Confidential Clients with
    authentication


    • Forces client to rotate
    secrets


    • Can usually be revoked
    Refresh Token (Optional)
    OAuth doesn’t define the format of a token!

    View full-size slide

  33. Self-encoded tokens


    Protected, time-limited data structure agreed upon between Authorization Server and Resource Server
    that contains metadata and claims about the identity of the user or client over the wire.


    Resource Server can validate the token locally by checking the signature, expected issuer name and
    expected audience or scope.


    Commonly implemented as a signed JSON Web Tokens (JWT)


    Reference tokens (aka opaque tokens)


    Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0
    Authorization Server


    Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s
    token introspection endpoint to determine if the token is valid and obtain claims/scopes
    Access Token Types

    View full-size slide

  34. OAuth 2.0 Authorization Code Flow
    yelp.com
    Connect with Google
    accounts.google.com



    Allow Yelp to access your public
    profile and contacts?
    No Yes
    yelp.com/callback
    Resource owner clicks ^^
    Back to redirect URI


    with authorization code
    contacts.google
    Talk to resource server


    with access token
    Exchange code for


    access token
    accounts.google.com
    Email
    **********
    Go to authorization server


    Redirect URI: yelp.com/cb


    Response type: code
    Authorization Server
    Client

    View full-size slide

  35. Scopes


    Consent


    Grants
    More OAuth 2.0 Terminology

    View full-size slide

  36. Scopes
    Additive bundles of permissions asked
    by client when requesting a token


    Decouples authorization policy
    decisions from enforcement


    Who owns the data? End user or the
    target service


    Who gets to specify the authorization
    policy? End user or application owner
    Scopes to Deny
    Scopes to Allow

    View full-size slide

  37. Capturing User Consent
    Authorization Grant (Trust of First Use)

    View full-size slide

  38. OAuth 2.0 Authorization Code Flow
    yelp.com
    Connect with Google
    yelp.com/callback
    Resource owner clicks ^^
    Back to redirect URI


    with authorization code
    contacts.google
    Talk to resource server


    with access token
    Exchange code for


    access token
    accounts.google.com
    Email
    **********
    Go to authorization server


    Redirect URI: yelp.com/cb


    Scope: profile contacts
    Authorization Server
    Client
    accounts.google.com



    Allow Yelp to access your public
    profile and contacts?
    No Yes
    Request consent


    from resource owner

    View full-size slide

  39. Flow Channels
    Resource

    Server (RS)
    Authorization

    Server (AS)
    Resource
    Owner (RO)
    Client
    Delegates
    Obtains Token
    Uses Token
    Front


    Channel
    Back
    Channel

    View full-size slide

  40. Front Channel Flow
    Authorize via User Agent
    Resource

    Server (RS)
    Authorization

    Server (AS)
    4
    2
    3
    1
    Resource Owner starts flow to
    delegate access to protected
    resource
    1
    Client
    2
    Client sends authorization request
    with desired scopes via browser
    redirect to Authorize Endpoint on
    Authorization Server
    3
    User authenticates and consents to
    Delegated Access (Grant)
    4 Authorization Code Grant or
    Access Token is returned to Client
    via browser redirect
    Resource
    Owner (RO)

    View full-size slide

  41. Authorization Request
    GET https://accounts.google.com/o/oauth2/auth?

    scope=gmail.insert gmail.send&

    redirect_uri=https://app.example.com/oauth2/callback&

    response_type=code&

    client_id=812741506391&

    state=af0ifjsldkj


    HTTP/1.1 302 Found

    Location: https://app.example.com/oauth2/callback?

    code=MsCeLvIaQm6bTrgtp7&

    state=af0ifjsldkj
    Request
    Response
    Note: Parameters are not URL-encoded for example purposes

    View full-size slide

  42. Back Channel Flow
    Exchange Grants for Tokens
    Resource

    Server (RS)
    Authorization

    Server (AS)
    1
    Client
    2
    Client accesses protected
    resource with Access Token
    Resource
    Owner (RO)
    2
    Client exchanges Authorization
    Code Grant with token endpoint
    on Authorization Server for an
    Access Token and optionally
    Refresh Token
    1

    View full-size slide

  43. Token Request
    POST /oauth2/v3/token HTTP/1.1


    Host: www.googleapis.com


    Content-Type: application/x-www-form-urlencoded


    code=MsCeLvIaQm6bTrgtp7&


    client_id=812741506391&


    client_secret={client_secret}&


    redirect_uri=https://app.example.com/oauth2/callback&


    grant_type=authorization_code
    Note: Parameters are not URL-encoded for example purposes

    View full-size slide

  44. Token Response
    {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
    }

    View full-size slide

  45. Making Protected Resource Requests
    curl -H "Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA" \


    https://www.googleapis.com/gmail/v1/users/1444587525/messages

    View full-size slide

  46. OAuth 2.0 Authorization Code Flow
    yelp.com
    Connect with Google
    yelp.com/callback
    Resource owner clicks ^^
    Back to redirect URI


    with authorization code


    (front channel)
    contacts.google
    Talk to resource server


    (back channel)
    Exchange code for


    access token (back channel)
    accounts.google.com
    Email
    **********
    Go to authorization server


    Redirect URI: yelp.com/cb


    (front channel)
    Authorization Server
    Client
    accounts.google.com



    Allow Yelp to access your public
    profile and contacts?
    No Yes
    Request consent


    from resource owner

    View full-size slide

  47. OAuth 2.0 Grant Types (Flows)
    • Optimized for browser-only
    Public Clients


    • Access token returned
    directly from authorization
    request (Front-channel only)


    • Does not support refresh
    tokens


    • Assumes Resource Owner
    and Public Client are on the
    same device


    • Most vulnerable to security
    threats
    Implicit
    • Front channel flow used by
    Client to obtain authorization
    code grant


    • Back channel flow used by
    Client to exchange
    authorization code grant
    for access token and
    optionally refresh token


    • Assumes Resource Owner
    and Client are on separate
    devices


    • Most secure flow as tokens
    never passes through user-
    agent
    Authorization Code
    • Optimized for server-only
    Confidential Clients acting
    on behalf of itself or a user


    • Back-channel only flow to
    obtain an access token
    using the Client’s credentials


    • Supports shared secrets or
    assertions as Client
    credentials signed with
    either symmetric or
    asymmetric keys
    Client Credential

    View full-size slide

  48. OAuth 2.0 Grant Types (Flows)
    • Legacy grant type for native
    username/password apps
    such as desktop apps


    • Username/password is
    authorization grant to
    obtain access token from
    Authorization Server


    • Does not support refresh
    tokens


    • Assumes Resource Owner
    and Public Client or on the
    same device


    Resource Owner Password
    • Optimized for devices that
    do not have access to web-
    browsers


    • User code is returned from
    authorization request that
    must be redeemed by
    visiting a URL on a device
    with a browser to authorize


    • Back channel flow used by
    Client to poll for
    authorization approval for
    access token and optionally
    refresh token


    Device
    • Allows Authorization Server
    to trust authorization
    grants from third party such
    as SAML IdP (Federation)


    • Assertion is used to obtain
    access token with token
    request


    • Does not support refresh
    tokens


    Assertion

    View full-size slide

  49. Six different flows


    Necessary because of:


    How you get consent from client?


    Who is making consent?


    Adds a lot of complexity to OAuth
    OAuth Flows

    View full-size slide

  50. OAuth 2.0 Playground https://oauth.com/playground

    View full-size slide

  51. © Okta and/or its affiliates. All rights reserved. Okta Confidential
    Token State Management
    Developer Friction
    57

    View full-size slide

  52. Too many inputs that need validation


    Token hijacking with CSRF


    Always use CSRF token with state parameter to ensure OAuth flow integrity


    Leaking authorization codes or tokens through redirects


    Specify exact redirect URIs and ensure proper URI validations


    Token hijacking by switching clients


    Bind the same client to authorization grants and token requests


    Leaking client secrets


    Unbounded & Bearer Tokens


    See draft specification of OAuth Proof-of-Possession Token Extension
    Common OAuth 2.0 Security Issues

    View full-size slide

  53. Not backward compatible with
    OAuth 1.0


    Interoperability issues exists as its
    not a protocol but rather an
    authorization framework


    OAuth 2.0 is not an authentication
    protocol


    OAuth 2.0 alone says absolutely
    nothing about the user
    OAuth 2.0 Facts

    View full-size slide

  54. Simple login — OAuth 2.0


    Single sign-on across sites — OAuth 2.0


    Mobile app login — OAuth 2.0


    Delegated authorization — OAuth 2.0
    Identity Use Cases (circa 2012)

    View full-size slide

  55. © Okta and/or its affiliates. All rights reserved. Okta Confidential
    Not an
    Authentication


    Protocol?

    View full-size slide

  56. OAuth 2.0 as Pseudo-Authentication
    Client accessing a https://
    api.example.com/me resource with
    an access token is not
    authenticating the user


    Access tokens just prove the
    Client was authorized, are opaque,
    and intended to only be consumed
    by the Resource Server
    Who is the user (claims)?


    When did the user authenticate?


    Does the user still have an active or
    expired session?


    How did the user authenticate?


    Just password or password + second
    factor
    As made famous by Facebook Connect and Twitter

    View full-size slide

  57. OAuth 2.0 Overview
    OpenID Connect

    View full-size slide

  58. OAuth 2.0 and OpenID Connect
    OpenID Connect is for
    authentication


    OAuth 2.0 is for
    authorization
    OpenID Connect
    OAuth 2.0
    HTTP

    View full-size slide

  59. OpenID Connect
    Extends OAuth 2.0 with new signed id_token for the Client and
    UserInfo endpoint to fetch user attributes


    Provides a standard set of scopes and claims for identities


    profile


    email


    address


    phone


    Built-in registration, discovery & metadata for dynamic
    federations


    Bring Your Own Identity (BYOI)


    Supports high assurance levels and key SAML use cases
    (enterprise)
    OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)

    View full-size slide

  60. Authorization Request
    GET https://accounts.google.com/o/oauth2/auth?

    scope=openid email&

    redirect_uri=https://app.example.com/oauth2/callback&

    response_type=code&

    client_id=812741506391&

    state=af0ifjsldkj


    HTTP/1.1 302 Found

    Location: https://app.example.com/oauth2/callback?

    code=MsCeLvIaQm6bTrgtp7&

    state=af0ifjsldkj
    Request
    Response
    Note: Parameters are not URL-encoded for example purposes

    View full-size slide

  61. Token Request
    POST /oauth2/v3/token HTTP/1.1


    Host: www.googleapis.com


    Content-Type: application/x-www-form-urlencoded


    code=MsCeLvIaQm6bTrgtp7&


    client_id=812741506391&


    client_secret={client_secret}&


    redirect_uri=https://app.example.com/oauth2/callback&


    grant_type=authorization_code

    View full-size slide

  62. Token Response
    {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",


    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ..."
    }

    View full-size slide

  63. Validate ID
    Token
    Token Endpoint
    Authorization Endpoint
    /.well-known/

    openid-configuration
    JWKS Endpoint
    UserInfo Endpoint
    OAuth 2.0 Authorization Server &


    OpenID Connect Provider (OP)
    OAuth 2.0 Resource Server
    Client


    (Relying Party) 1
    3
    2
    5
    4
    1 Discover OpenID Provider Metadata
    2 Perform OAuth flow to obtain a ID
    token and/or access token
    3 Get JSON Web Key Set (JWKS)
    for signature keys
    4 Validate ID token

    (JSON Web Token)
    5 Get additional user attributes
    with access token from UserInfo
    endpoint
    OpenID Connect

    View full-size slide

  64. OIDC Authorization Code Flow
    yelp.com
    Connect with Google
    yelp.com/callback
    Resource owner clicks ^^
    Back to redirect URI


    with authorization code
    accounts.google
    /userinfo
    Get user info

    with access token
    Exchange code for


    access token and ID token
    accounts.google.com
    Email
    **********
    Go to authorization server


    Redirect URI: yelp.com/cb


    Scope: openid profile
    Authorization Server
    Client
    accounts.google.com



    Allow Yelp to access your public
    profile and contacts?
    No Yes
    Request consent


    from resource owner
    Hello Matt!

    View full-size slide

  65. JSON Web Token (JWT)
    base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)
    eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4
    YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxd
    llsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeE
    VqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDY
    zMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjox
    NDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb
    20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7Dq
    p R 2 2 L L t i 7 7 7 A M M V C x M 7 F j E P K Z Q n d -
    AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-
    L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9
    _YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm
    8
    {


    "alg": "RS256”

    "kid": "123456789"


    }
    {


    "iss": "https://example.okta.com",


    "sub": "00ugrenMeqvYla4HW0g3",


    "aud": "w255HEWiSU4AuNxEjeij",


    "iat": 1446305282,


    "exp": 1446308882,


    "amr": [


    "pwd"


    ],


    "auth_time": 1446305282,


    "email": "[email protected]",


    "email_verified": true


    }
    Header Claims
    Signature
    Header
    Claims

    View full-size slide

  66. jwt.io https://jwt.io

    View full-size slide

  67. Which grant type is right for you?
    Authorization

    Code + PKCE
    Authorization

    Code + PKCE
    Authorization

    Code
    Client Credentials


    View full-size slide

  68. Session Best Practices
    ID Tokens should be used to create a session for a
    traditional web application or single-page application


    Use subject claim (sub) as stable identifier for the user account


    Session cookies should be protected with HTTPOnly flag to
    prevent JavaScript access


    Avoid using ID Tokens as a stateless “session token” for
    Single Page Apps


    API is not the audience of the token


    ID Tokens can be large in size and often contain PII or other
    sensitive data


    ID Token lifetime is not your app’s session lifetime

    View full-size slide

  69. Native App Best Practices
    Do not use an embedded web views for authenticating users!


    App (or 3rd party library/script) can directly obtain the user’s
    credentials which goes against OAuth’s raison d'être


    Users can’t reuse their existing session with their IdP (SSO)
    increasing friction for sign-in/sign-up


    IdPs can’t implement new authentication methods


    Do not store client secrets in apps that are distributed via App
    Stores!


    Use PKCE (RFC 7636) to protect authorization code from
    interception


    Follow guidelines outlined in OAuth 2.0 for Native Apps Best
    Current Practice

    https://tools.ietf.org/html/draft-ietf-oauth-native-apps-12
    302 Found

    Location: app://redirect

    View full-size slide

  70. Just Use AppAuth!
    https://appauth.io
    Implements OAuth 2.0 for Native Apps Best Current Practice

    View full-size slide

  71. ORY Hydra


    https://github.com/ory/hydra


    Apereo CAS


    https://github.com/apereo/cas


    Keycloak


    https://github.com/keycloak/keycloak


    Spring Authorization Server


    https://spring.io/projects/spring-authorization-server
    Open Source OAuth and OIDC Servers

    View full-size slide

  72. OAuth Specification


    oauth.net


    OAuth 2.0 Simplified


    oauth.com


    Additional Resources

    View full-size slide

  73. PKCE is required for all clients using the authorization code flow


    Redirect URIs must be compared using exact string matching


    The Implicit grant is omitted from this specification


    The Resource Owner Password Credentials grant is omitted from this specification


    Bearer token usage omits the use of bearer tokens in the query string of URIs


    Refresh tokens for public clients must either be sender-constrained or one-time use


    OAuth 2.1
    https://oauth.net/2.1/

    View full-size slide

  74. Play with OAuth 2.0 and OIDC
    developer.auth0.com

    View full-size slide

  75. Join us as an Auth0 Ambassador!
    auth0.com/ambassador-program

    View full-size slide

  76. YouTube: OAuth 2.0 in plain English
    https://youtu.be/996OiexHze0

    View full-size slide

  77. Thanks!


    Keep in Touch


    raibledesigns.com


    @mraible


    Presentations


    speakerdeck.com/mraible


    Code


    github.com/oktadev
    developer.okta.com
    developer.auth0.com

    View full-size slide