An introduction to
OAuth 2.0
Sanjoy Roy
This presentation is based on the OAuth 2 specification and the chapters of this book.
OAuth is a delegation protocol that provides authorisation across systems.
OAuth is about how to get a token and how to use a token.
OAuth replaces the password-sharing anti-pattern with a delegation protocol that's simultaneously more secure and more usable.
Two major steps to an OAuth transaction:
• Issuing a token
• Using a token
OAuth 2.0 authorisation code grant flow
• Here the client is interactively authorised directly by the resource owner.
• The authorisation code grant uses a temporary credential, the authorisation code, to represent the resource owner's delegation to the client.
Parties in the flow: Resource Owner, Client, Authorisation Server (with its Authorisation End Point and Token End Point), Protected Resource.
1. Client redirects the user agent to the authorisation end point.
2. User agent loads the authorisation end point.
3. Resource owner authenticates to the authorisation server.
4. Resource owner authorises the client.
5. Authorisation server redirects the user agent to the client with the authorisation code.
6. User agent loads the redirect URI at the client with the authorisation code.
7. Client sends the authorisation code and its own credential to the token end point.
8. Authorisation server sends the access token to the client.
9. Client sends the access token to the protected resource.
10. Protected resource returns the resource to the client.
Client: "I need an access token."
It starts with:

    HTTP/1.1 302
    Content-Length: 0
    Date: Sun, 30 Apr 2017 17:47:27 GMT
    Location: https://unibet.okta.com/oauth2/v1/authorize?client_id=P9BxWcYwdNnGFmIt8Oiz&redirect_uri=http://localhost:8080&response_type=code&scope=openid&state=2qdOs6PJAcE1E6qwg81R
    Set-Cookie: JSESSIONID=646430;path=/;HttpOnly
This redirect causes the browser to send an HTTP GET to the authorisation server:

    /authorize/authorize?client_id=P9BxWcYwdNnGFmIt8Oiz&redirect_uri=http://localhost:8080&response_type=code&scope=openid&state=2qdOs6PJAcE1E6qwg81R
Now the authorisation server will usually require the user to authenticate. This step is essential in determining who the resource owner is and what rights they're allowed to delegate to the client.
User authorises the client application.
Next, the authorisation server redirects the user back to the client application. This takes the form of an HTTP redirect to the client's redirect_uri:

    http://localhost:8080/?code=VzYHKvGXwqxBMq9qn8Pw&state=moBRz4CFpviCE4e5h0HZ

The code parameter carries the authorisation code.
The authorisation code is sent back to the client. This code is a one-time-use credential. It represents the result of the user's authorisation decision.
The client now sends the code and its own credential (client id and client secret) to the authorisation server's token end point.
The authorisation server takes the request and performs a number of steps to ensure that the request is valid:
• It validates the client's credential to determine which client is requesting the access.
• Then, it reads the value of the code parameter from the body and looks up any information it has about that authorisation code, including which client made the initial authorisation request, which user authorised it, and what it was authorised for.
• If the authorisation code is valid, hasn't been used previously, and the client making this request is the same as the client that made the original request, then the authorisation server issues a new access token for the client.
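The exchange above, both sides, simulated in-process as an added example (not the presentation's own code): the client builds the authorize redirect with a random state and checks it on the callback, and the token end point performs the three checks just listed, plus code expiry and revocation of anything minted from a replayed code (RFC 6749 section 4.1.2). AuthServer, Client, run_flow, the end point URL and the client secret are hypothetical placeholders; the client_id is the one from the slides.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://as.example/oauth2/v1/authorize"  # placeholder authorisation end point
CODE_TTL = 60  # seconds a code stays exchangeable (assumption; the slides give no figure)


def query_of(url):
    """Flatten the query string of a URL into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    user: str
    scope: str
    expires_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from this code


class AuthServer:
    def __init__(self, clients):
        self.clients = clients        # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}               # code -> IssuedCode
        self.access_tokens = {}       # token -> (client_id, user, scope)

    def authorize(self, query, user):
        """Steps 3-5: the user has authenticated and approved; mint a one-time code."""
        _, registered_uri = self.clients[query["client_id"]]
        if query["redirect_uri"] != registered_uri:
            raise ValueError("redirect_uri is not the one registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(query["client_id"], query["redirect_uri"], user,
                                      query.get("scope", ""), time.time() + CODE_TTL)
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, client_id, client_secret, form):
        """Steps 7-8: the three checks the slides list, plus code expiry and replay handling."""
        # 1. Validate the client's own credential to learn which client is asking.
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        # 2. Look up everything recorded about the code parameter from the body.
        rec = self.codes.get(form.get("code", ""))
        if rec is None or time.time() > rec.expires_at:
            return {"error": "invalid_grant"}
        # 3. The code must be unused and bound to this same client and redirect_uri.
        if rec.used:
            # Replay of a one-time code: deny, and revoke what it already produced.
            for t in rec.tokens:
                self.access_tokens.pop(t, None)
            return {"error": "invalid_grant"}
        if rec.client_id != client_id or rec.redirect_uri != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        rec.used = True
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        self.access_tokens[token] = (client_id, rec.user, rec.scope)
        return {"access_token": token, "token_type": "Bearer"}


class Client:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.session = redirect_uri, {}

    def start(self):
        """Step 1: the Location the 302 carries; state is kept so step 6 can check it."""
        self.session["state"] = secrets.token_urlsafe(16)
        return AUTHORIZE_URL + "?" + urlencode({
            "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "response_type": "code", "scope": "openid", "state": self.session["state"]})

    def callback(self, redirect_url, server):
        """Steps 6-7: reject a callback whose state is not ours, then exchange the code."""
        q = query_of(redirect_url)
        expected = self.session.pop("state", "")
        if not expected or not secrets.compare_digest(expected, q.get("state", "")):
            raise ValueError("state mismatch: callback does not belong to a request we started")
        return server.token(self.client_id, self.client_secret,
                            {"grant_type": "authorization_code", "code": q.get("code", ""),
                             "redirect_uri": self.redirect_uri})


def run_flow():
    """Drive the exchange in-process; returns (first response, replay response, token still valid)."""
    cid, secret, uri = "P9BxWcYwdNnGFmIt8Oiz", "client-secret-placeholder", "http://localhost:8080/"
    server, client = AuthServer({cid: (secret, uri)}), Client(cid, secret, uri)
    redirect = server.authorize(query_of(client.start()), user="alice")  # user logs in, approves
    first = client.callback(redirect, server)
    # Presenting the same code a second time must fail and invalidate the earlier token.
    replay = server.token(cid, secret, {"grant_type": "authorization_code",
                                        "code": query_of(redirect)["code"], "redirect_uri": uri})
    return first, replay, first.get("access_token") in server.access_tokens
```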
The client receives an access token. This access token is returned in the HTTP response as a JSON object:

    {
      "access_token": "tdgsgsdfq232wASDq232a",
      "token_type": "Bearer"
    }
The client can now parse the token response and get the access token value from it, to be used at the protected resource.
The client has several methods for presenting the access token. The recommended one is the Authorization header:

    GET /reward HTTP/1.1
    Host: localhost:8080
    Accept: application/json
    Connection: keep-alive
    Authorization: Bearer tdgsgsdfq232wASDq232a

The protected resource can then parse the token out of the header. It determines whether the token is still valid, looks up information regarding who authorised it and what it was authorised for, and returns the response accordingly.
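What the protected resource does with that header, as an added example that is not part of the presentation: it extracts the bearer token, checks validity and expiry against what the authorisation server knows, and enforces scope (the space-separated list the slides describe later). TOKEN_STORE is a constructed stand-in for token introspection or a shared token store, and extract_bearer and authorize_request are hypothetical names.

```python
import re
import time

# Constructed stand-in for an introspection response or a store shared with the
# authorisation server: token -> (resource owner who authorised it, granted scopes, expiry).
TOKEN_STORE = {
    "tdgsgsdfq232wASDq232a": ("alice", "openid rewards.read", time.time() + 3600),
    "expired0000000000000000": ("bob", "rewards.read", time.time() - 1),
}

_BEARER = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")  # token syntax of RFC 6750


def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>', or None if absent or malformed."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    m = _BEARER.match(value.strip())
    return m.group(1) if m else None


def authorize_request(headers, required_scope):
    """Decide whether to serve the request: returns (HTTP status, headers or resource view)."""
    token = extract_bearer(headers)
    if token is None:
        # No usable token: challenge without saying why (RFC 6750 section 3.1).
        return 401, {"WWW-Authenticate": 'Bearer realm="reward"'}
    entry = TOKEN_STORE.get(token)
    if entry is None or time.time() >= entry[2]:
        # Unknown, revoked or expired: the token is not valid any more.
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    owner, scope, _ = entry
    granted = set(scope.split())  # scopes are strings joined by single spaces
    if not set(required_scope.split()) <= granted:
        # Valid token, but it was not authorised for this operation.
        return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}
    return 200, {"resource_owner": owner, "scope": sorted(granted)}
```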
The client uses the access token to do things.
OAuth Actors:
• Client
• Protected Resource
• Resource Owner
• Authorisation Server
Client
• It is a piece of software that attempts to access the protected resource on behalf of the resource owner.
• It uses OAuth to obtain that access.
• An OAuth client can be a web application, a native application, or even an in-browser JavaScript application.
Protected Resource
• An OAuth protected resource is available through an HTTP server and it requires an OAuth token to be accessed.
• The protected resource needs to validate the tokens presented to it and determine whether and how to serve requests.
• In an OAuth architecture, the protected resource has the final say as to whether or not to honor a token.
Resource Owner
• A resource owner is the entity that has the authority to delegate access to the client.
• In most cases, the resource owner is the person using the client software to access something they control.
Authorisation Server
• An OAuth authorisation server is an HTTP server that acts as the central component of an OAuth system.
• It authenticates the resource owner and client, provides mechanisms for allowing resource owners to authorise clients, and issues tokens to the client.
• Some authorisation servers also provide additional capabilities such as token introspection and remembering authorisation decisions.
OAuth's components:
• Access Token
• Scope
• Refresh Token
• Authorisation grant
Access Token
• An OAuth access token is an artifact issued by the authorisation server to a client that indicates the rights that the client has been delegated.
• OAuth does not define a format or content for the token itself, but it always represents the combination of the client's requested access, the resource owner that authorised the client, and the rights conferred during that authorisation.
• OAuth tokens are opaque to the client, which means that the client has no need (and often no ability) to look at the token itself. The client's job is to carry the token, requesting it from the authorisation server and presenting it to the protected resource.
Scope
• An OAuth scope is a representation of a set of rights at a protected resource.
• Scopes are represented by strings in the OAuth protocol, and they can be combined into a set by using a space-separated list.
• A scope value can't contain the space character.
• Scopes are an important mechanism for limiting the access granted to a client. Scopes are defined by the protected resource, based on the API that it's offering.
Refresh Token
• An OAuth refresh token is similar in concept to the access token, in that it's issued to the client by the authorisation server and the client doesn't know or care what's inside the token.
• But this token is never sent to the protected resource. Instead, the client uses the refresh token to request new access tokens without involving the resource owner.
• In OAuth, an access token could stop working for a client at any point. When the access token expires, the client can use the refresh token to request a new access token.
Authorisation grant
• An authorisation grant is a way by which an OAuth client is given access to a protected resource using the OAuth protocol, and if successful it ultimately results in the client getting a token.
• The authorisation grant is the method for getting a token.
What OAuth 2.0 isn't
• OAuth isn't an authentication protocol.
• OAuth doesn't define a mechanism for user-to-user delegation, even though it is fundamentally about delegation from a user to a piece of software. OAuth assumes that the resource owner is the one that's controlling the client.
• OAuth doesn't define authorisation-processing mechanisms.
• OAuth doesn't define a token format.
• OAuth 2.0 does not define any cryptographic method.
Thank You.
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
ย 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
ย 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
ย 

An introduction to OAuth 2

  • 1. An introduction to OAuth 2.0 Sanjoy Roy
  • 2. This presentation is based on OAuth 2 specification and the chapters of this book.
  • 3. OAuth is a delegation protocol that provides authorisation across systems. OAuth is about: how to get a token and how to use a token. OAuth replaces the password-sharing anti-pattern with a delegation protocol that's simultaneously more secure and more usable.
  • 4. Two major steps to an OAuth transaction: issuing a token, and using a token.
  • 5. OAuth 2.0 authorisation code grant flow
    • Here the client is interactively authorised directly by the resource owner.
    • The authorisation code grant uses a temporary credential, the authorisation code, to represent the resource owner's delegation to the client.
  • 6. Actors: Resource Owner, Client, Authorisation Server (authorisation end point and token end point), Protected Resource. The sequence:
    1. The client redirects the user agent to the authorisation end point.
    2. The user agent loads the authorisation end point.
    3. The resource owner authenticates to the authorisation server.
    4. The resource owner authorises the client.
    5. The authorisation server redirects the user agent to the client with the authorisation code.
    6. The user agent loads the redirect URI at the client with the authorisation code.
    7. The client sends the authorisation code and its own credential to the token end point.
    8. The authorisation server sends an access token to the client.
    9. The client sends the access token to the protected resource.
    10. The protected resource returns the resource to the client.
  • 7. Client I need an access token. It starts with:
  • 8. HTTP/1.1 302
    Content-Length: 0
    Date: Sun, 30 Apr 2017 17:47:27 GMT
    Location: https://unibet.okta.com/oauth2/v1/authorize?client_id=P9BxWcYwdNnGFmIt8Oiz&redirect_uri=http://localhost:8080&response_type=code&scope=openid&state=2qdOs6PJAcE1E6qwg81R
    Set-Cookie: JSESSIONID=646430;path=/;HttpOnly
  • 9. This redirect to the browser causes the browser to send an HTTP GET to the authorisation server:
    GET /oauth2/v1/authorize?client_id=P9BxWcYwdNnGFmIt8Oiz&redirect_uri=http://localhost:8080&response_type=code&scope=openid&state=2qdOs6PJAcE1E6qwg81R
  • 10. Now the authorisation server will usually require the user to authenticate. This step is essential in determining who the resource owner is and what rights theyโ€™re allowed to delegate to the client.
  • 11. User authorises the client application.
  • 12. Next, the authorisation server redirects the user back to the client application. This takes the form of an HTTP redirect to the client's redirect_uri, carrying the authorisation code:
    http://localhost:8080/?code=VzYHKvGXwqxBMq9qn8Pw&state=moBRz4CFpviCE4e5h0HZ
  • 13. The authorisation code is sent back to the client. This code is a one-time-use credential. It represents the result of the user's authorisation decision.
  • 14. The client now sends the code and its own credential (client id and client secret) to the authorisation server's token end point.
  • 15. The authorisation server takes the request and performs a number of steps to ensure that the request is valid:
    • It validates the client's credential to determine which client is requesting the access.
    • Then it reads the value of the code parameter from the body and looks up any information it has about that authorisation code, including which client made the initial authorisation request, which user authorised it, and what it was authorised for.
    • If the authorisation code is valid, hasn't been used previously, and the client making this request is the same client that made the original request, the authorisation server issues a new access token for the client.
  • 16. The client receives an access token.
  • 17. This access token is returned in the HTTP response as a JSON object:
    {
      "access_token": "tdgsgsdfq232wASDq232a",
      "token_type": "Bearer"
    }
    The client can now parse the token response and get the access token value from it to be used at the protected resource.
  • 18. The client has several methods for presenting the access token. The recommended one is the Authorization header:
    GET /reward HTTP/1.1
    Host: localhost:8080
    Accept: application/json
    Connection: keep-alive
    Authorization: Bearer tdgsgsdfq232wASDq232a
    The protected resource can then parse the token out of the header. It determines whether the token is still valid, looks up who authorised it and what it was authorised for, and returns the response accordingly.
  • 19. The client uses the access token to do things:
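The walkthrough in slides 7 to 19, as an added example that is not part of the slide deck: both sides of the authorisation code grant are simulated in one Python process so the exchange runs offline. The authorisation server and the protected resource are in-memory stand-ins; the client id `demo-client`, the secret `demo-secret`, the endpoint `https://as.example/oauth2/v1/authorize`, the `reward` scope and every token value are constructed for the demo. The client verifies `state` with a constant-time compare before it touches the code, authenticates to the token end point with HTTP Basic as the notes describe, and the server refuses a code that is replayed or presented by a different client.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorisationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # code -> what it was issued for, and whether redeemed
        self.tokens = {}        # access token -> (client_id, user, scope)

    def authorize(self, location, user):
        """Slides 9-12: user has authenticated and approved; mint a code, redirect back."""
        p = query_params(location)
        _, redirect_uri = self.clients[p["client_id"]]  # unknown client: KeyError
        if p.get("response_type") != "code" or p.get("redirect_uri") != redirect_uri:
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": p["client_id"], "user": user,
                            "scope": p.get("scope", ""), "used": False}
        # state is echoed back untouched so the client can match it to its request
        return redirect_uri + "/?" + urlencode({"code": code, "state": p["state"]})

    def token(self, authorization, form):
        """Slide 15: authenticate the client, then redeem the code exactly once."""
        scheme, _, b64 = authorization.partition(" ")
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
        known = self.clients.get(client_id)
        if scheme != "Basic" or known is None or not hmac.compare_digest(
                known[0].encode(), secret.encode()):
            return {"error": "invalid_client"}
        rec = self.codes.get(form.get("code"))
        if form.get("grant_type") != "authorization_code" or rec is None:
            return {"error": "invalid_grant"}
        if rec["used"] or rec["client_id"] != client_id:
            rec["used"] = True  # replay, or a code leaked to another client: refuse and burn it
            return {"error": "invalid_grant"}
        rec["used"] = True
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, rec["user"], rec["scope"])
        return {"access_token": tok, "token_type": "Bearer"}


class Client:
    AUTHORIZE = "https://as.example/oauth2/v1/authorize"  # hypothetical endpoint

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.redirect_uri, self.pending_state, self.access_token = redirect_uri, None, None

    def start(self, scope="openid"):
        """Slide 8: the Location header that sends the user agent to /authorize."""
        self.pending_state = secrets.token_urlsafe(15)  # fresh and unguessable per request
        return self.AUTHORIZE + "?" + urlencode({
            "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "response_type": "code", "scope": scope, "state": self.pending_state})

    def basic_auth(self):
        creds = f"{self.client_id}:{self.client_secret}".encode()
        return "Basic " + base64.b64encode(creds).decode()

    def callback(self, location):
        """Slides 12-16: check state (CSRF), then swap the code for a token back-channel."""
        p = query_params(location)
        got, want = p.get("state", ""), self.pending_state or ""
        if not want or not hmac.compare_digest(got.encode(), want.encode()):
            raise ValueError("state mismatch: authorisation code discarded")
        self.pending_state = None  # a state value is good for exactly one callback
        resp = self.server.token(self.basic_auth(), {
            "grant_type": "authorization_code", "code": p.get("code"),
            "redirect_uri": self.redirect_uri})
        if "access_token" not in resp:
            raise ValueError(resp["error"])
        self.access_token = resp["access_token"]
        return resp


def protected_resource(server, headers, required_scope="reward"):
    """Slide 18, resource side: parse the bearer token, check it and its scope."""
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    rec = server.tokens.get(tok) if scheme == "Bearer" else None
    if rec is None:
        return 401, {"error": "invalid_token"}
    client_id, user, scope = rec
    if required_scope not in scope.split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"reward": "granted", "user": user, "client": client_id}


if __name__ == "__main__":  # the ten steps of slide 6, in order
    srv = AuthorisationServer({"demo-client": ("demo-secret", "http://localhost:8080")})
    cli = Client(srv, "demo-client", "demo-secret", "http://localhost:8080")
    back = srv.authorize(cli.start("openid reward"), user="alice")          # steps 1-5
    print(cli.callback(back))                                               # steps 6-8
    print(protected_resource(srv, {"Authorization": "Bearer " + cli.access_token}))
```

Running the file prints the token response from slide 17 and the resource's 200 reply. A callback whose `state` does not match the value the client stored is dropped before the token end point is ever contacted, which is the CSRF defence the notes describe; the code exchange itself happens on a separate connection that the browser never sees. The simulation leaves out the one thing the protocol relies on and does not define: every leg of a real deployment runs over TLS, because a bearer token is only as safe as the channel it travels on.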
  • 20. OAuth actors:
    • Client
    • Protected Resource
    • Resource Owner
    • Authorisation Server
  • 21. Client
    • It is a piece of software that attempts to access the protected resource on behalf of the resource owner.
    • It uses OAuth to obtain that access.
    • An OAuth client can be a web application, a native application, or even an in-browser JavaScript application.
  • 22. Protected Resource
    • An OAuth protected resource is available through an HTTP server and it requires an OAuth token to be accessed.
    • The protected resource needs to validate the tokens presented to it and determine whether and how to serve requests.
    • In an OAuth architecture, the protected resource has the final say as to whether or not to honour a token.
  • 23. Resource Owner
    • A resource owner is the entity that has the authority to delegate access to the client.
    • In most cases, the resource owner is the person using the client software to access something they control.
  • 24. Authorisation Server
    • An OAuth authorisation server is an HTTP server that acts as the central component of an OAuth system.
    • It authenticates the resource owner and client, provides mechanisms for allowing resource owners to authorise clients, and issues tokens to the client.
    • Some authorisation servers also provide additional capabilities such as token introspection and remembering authorisation decisions.
  • 25. OAuth's components:
    • Access Token
    • Scope
    • Refresh Token
    • Authorisation grant
  • 26. Access Token
    • An OAuth access token is an artifact issued by the authorisation server to a client that indicates the rights that the client has been delegated.
    • OAuth does not define a format or content for the token itself, but it always represents the combination of the client's requested access, the resource owner that authorised the client, and the rights conferred during that authorisation.
    • OAuth tokens are opaque to the client, which means that the client has no need (and often no ability) to look at the token itself. The client's job is to carry the token, requesting it from the authorisation server and presenting it to the protected resource.
  • 27. Scope
    • An OAuth scope is a representation of a set of rights at a protected resource.
    • Scopes are represented by strings in the OAuth protocol, and they can be combined into a set by using a space-separated list.
    • A scope value can't contain the space character.
    • Scopes are an important mechanism for limiting the access granted to a client. Scopes are defined by the protected resource, based on the API that it's offering.
  • 28. Refresh Token
    • An OAuth refresh token is similar in concept to the access token, in that it's issued to the client by the authorisation server and the client doesn't know or care what's inside the token.
    • But this token is never sent to the protected resource. Instead, the client uses the refresh token to request new access tokens without involving the resource owner.
    • In OAuth, an access token could stop working for a client at any point. When the access token expires, the client can use the refresh token to request a new access token.
  • 29. Authorisation grant
    • An authorisation grant is the way by which an OAuth client is given access to a protected resource using the OAuth protocol; if successful, it ultimately results in the client getting a token.
    • The authorisation grant is the method for getting a token.
  • 30. What OAuth 2.0 isn't
    • OAuth isn't an authentication protocol.
    • OAuth doesn't define a mechanism for user-to-user delegation, even though it is fundamentally about delegation from a user to a piece of software. OAuth assumes that the resource owner is the one controlling the client.
    • OAuth doesn't define authorisation-processing mechanisms.
    • OAuth doesn't define a token format.
    • OAuth 2.0 does not define any cryptographic method.
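Slides 27 and 28, together with the editor's note on down-scoping through a refresh token, describe scope as a space-separated list of strings and the refresh token as a way to obtain a new, possibly narrower, access token without the resource owner. The following is an added example and not code from the deck: a hypothetical in-memory issuer that parses scope strings strictly, issues short-lived access tokens alongside refresh tokens, and honours a refresh request only when the requested scope is a subset of what was originally granted. The scopes `A B C`, the 600-second lifetime, the client ids and every token value are constructed for the demo.

```python
import secrets

# Characters a scope element may contain: printable ASCII minus space, double quote and backslash.
SCOPE_CHARS = set(chr(c) for c in range(0x21, 0x7F)) - {'"', "\\"}


def parse_scope(value):
    """Slide 27: a scope string is a space-separated list; no element may be empty
    or contain a space, a double quote or a backslash."""
    parts = value.split(" ") if value else []
    for p in parts:
        if not p or set(p) - SCOPE_CHARS:
            raise ValueError("invalid_scope")
    return set(parts)


class TokenIssuer:
    """Issues short-lived access tokens and longer-lived refresh tokens (hypothetical)."""

    def __init__(self, access_ttl=600):
        self.access_ttl = access_ttl
        self.refresh = {}  # refresh token -> (client_id, user, granted scope set)
        self.access = {}   # access token -> (user, scope set, expiry time)

    def _issue_access(self, user, scopes, now):
        tok = secrets.token_urlsafe(24)
        self.access[tok] = (user, scopes, now + self.access_ttl)
        return {"access_token": tok, "token_type": "Bearer",
                "expires_in": self.access_ttl, "scope": " ".join(sorted(scopes))}

    def grant(self, client_id, user, scope, now):
        """Initial grant: an access token plus a refresh token bound to the full scope."""
        scopes = parse_scope(scope)
        resp = self._issue_access(user, scopes, now)
        resp["refresh_token"] = secrets.token_urlsafe(32)
        self.refresh[resp["refresh_token"]] = (client_id, user, scopes)
        return resp

    def refresh_grant(self, client_id, refresh_token, now, scope=None):
        """grant_type=refresh_token (slide 28): a new access token without the resource
        owner, never wider than the original grant; narrower is allowed."""
        rec = self.refresh.get(refresh_token)
        if rec is None or rec[0] != client_id:
            return {"error": "invalid_grant"}  # unknown, or bound to another client
        _, user, granted = rec
        wanted = parse_scope(scope) if scope else granted
        if not wanted <= granted:
            return {"error": "invalid_scope"}  # a refresh must not escalate privilege
        return self._issue_access(user, wanted, now)

    def check(self, access_token, required, now):
        """What the protected resource asks: known, unexpired, and covers `required`?"""
        rec = self.access.get(access_token)
        if rec is None or now >= rec[2]:
            return "invalid_token"
        return "ok" if required in rec[1] else "insufficient_scope"


def demo(t0=1_000_000.0):
    """Grant A B C, let the access token expire, then refresh down to A only."""
    issuer = TokenIssuer(access_ttl=600)
    full = issuer.grant("demo-client", "alice", "A B C", now=t0)
    later = t0 + 700  # past expires_in, so the first access token is dead
    narrow = issuer.refresh_grant("demo-client", full["refresh_token"], later, scope="A")
    wider = issuer.refresh_grant("demo-client", full["refresh_token"], later, scope="A D")
    return {
        "old_token": issuer.check(full["access_token"], "A", later),
        "narrow_scope": narrow["scope"],
        "narrow_uses_A": issuer.check(narrow["access_token"], "A", later),
        "narrow_uses_B": issuer.check(narrow["access_token"], "B", later),
        "escalation": wider.get("error"),
        "other_client": issuer.refresh_grant("other", full["refresh_token"], later)["error"],
    }


if __name__ == "__main__":
    print(demo())
```

The subset test in `refresh_grant` is the whole point: a refresh token lets the client shrink what it holds, never grow it, and it is useless to a different client id even if it leaks. `parse_scope` rejects double spaces and quote characters rather than silently producing an empty or malformed element, because a permissive parser is where scope confusion starts.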

Editor's Notes

  • #3: The power of OAuth is the notion of delegation. Although OAuth is often called an authorisation protocol, it is a delegation protocol. Generally, a subset of a user's authorisation is delegated, but OAuth itself doesn't carry or convey the authorisation. Instead, it provides a means by which a client can request that a user delegate some of their authority to it. The user can then approve this request, and the client can then act on it with the results of that approval. OAuth is used to grant authorisation. It enables you to authorise the web app A to access information from the web app B without sharing your credentials. It was built with only authorisation in mind and does not include any authentication mechanism.
  • #4: The token represents the access that's been delegated to the client and it plays a central role in every part of OAuth 2.0.
  • #10: The user's authentication passes directly between the user (and their browser) and the authorisation server; it's never seen by the client application. This essential aspect protects the user from having to share their credentials with the client application, the anti-pattern that OAuth was invented to combat.
  • #12: The client can parse the HTTP parameter to get the authorisation code value when the request comes in, and it will use that code in the next step. The client will also check that the value of the state parameter matches the value that it sent in the previous step. The state parameter is used to protect against CSRF attacks. Cross-site request forgery (CSRF) is an exploit in which an attacker causes the user agent of a victim end user to follow a malicious URI (e.g., provided to the user agent as a misleading link, image, or redirection) to a trusting server (usually established via the presence of a valid session cookie). A CSRF attack against the client's redirection URI allows an attacker to inject its own authorisation code or access token, which can result in the client using an access token associated with the attacker's protected resources rather than the victim's (e.g., saving the victim's bank account information to a protected resource controlled by the attacker).
  • #14: The client performs an HTTP POST with its parameters as a form-encoded HTTP entity body, passing its client_id and client_secret in an HTTP Basic authorisation header. This HTTP request is made directly between the client and the authorisation server, without involving the browser or resource owner at all. This separation between different HTTP connections ensures that the client can authenticate itself directly without other components being able to see or manipulate the token request.
  • #17: The response can also include a refresh token (used to get new access tokens without asking for authorisation again) as well as additional information about the access token, like a hint about the token's scopes and expiration time. In Okta, using the authorization_code grant type also returns an ID token if the openid scope is requested. The ID token is a JWT and must be validated before use.
  • #21: The client is generally the simplest component in an OAuth system, and its responsibilities are largely centred on obtaining tokens from the authorisation server and using tokens at the protected resource. The client doesn't have to understand the token, nor should it ever need to inspect the token's contents. Instead, the client uses the token as an opaque string.
  • #28: Refresh tokens also give the client the ability to down-scope its access. If a client is granted scopes A, B, and C, but it knows that it needs only scope A to make a particular call, it can use the refresh token to request an access token for only scope A.