OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
1. Matt Raible | @mraible
What the Heck is OAuth and OIDC?
July 20, 2018
https://www.flickr.com/photos/cloudburstdesign/3971741153
#UberConf18
2. Blogger on raibledesigns.com
Web Developer and Java Champion
Father, Skier, Mountain Biker,
Whitewater Rafter
Open Source Connoisseur
Who is Matt Raible?
Bus Lover
Okta Developer Advocate
8. What about You?
Java, .NET, Python, or Node.js?
Have you ever written authentication
from scratch?
Have you implemented OAuth or OIDC?
Have you heard of Okta? Auth0?
Why are you here?
20. Identity Use Cases (circa 2006)
Simple login — basic, forms, and cookies
Single sign-on across sites — SAML
Mobile app login — N/A
Delegated authorization — N/A
21. The Delegated Authorization Problem
How can you let a website access your data
(without giving it your password)?
26. Hotel Key Cards, but for Apps
OAuth Authorization Server Resource (API)Access Token
27. Delegated Authorization with OAuth 2.0
I trust Gmail and I kind of trust
Yelp. I want Yelp to have
access to my contacts only.
yelp.com
Connect with Google
28. Delegated Authorization with OAuth 2.0
yelp.com
Connect with Google
accounts.google.com
Email
**********
accounts.google.com
Allow Yelp to access your public
profile and contacts?
No Yes
contacts.google
yelp.com/callback
35. Tokens
• Short-lived token used by
Client to access Resource
Server (API)
• Opaque to the Client
• No client authentication
required (Public Clients)
• Optimized for scale and
performance
• Revocation is dependent on
implementation
Access Token (Required)
• Long-lived token that is
used by Client to obtain
new access tokens from
Authorization Server
• Usually requires
Confidential Clients with
authentication
• Forces client to rotate
secrets
• Can usually be revoked
Refresh Token (Optional)
OAuth doesn’t define the format of a token!
36. Access Token Types
Self-encoded tokens
Protected, time-limited data structure agreed upon between Authorization Server and
Resource Server that contains metadata and claims about the identity of the user or
client over the wire.
Resource Server can validate the token locally by checking the signature, expected
issuer name and expected audience or scope.
Commonly implemented as a signed JSON Web Tokens (JWT)
Reference tokens (aka opaque tokens)
Infeasible-to-guess (secure-random) identifier for a token issued and stored by the
OAuth 2.0 Authorization Server
Resource Server must send the identifier via back-channel to the OAuth 2.0
Authorization Server’s token introspection endpoint to determine if the token is valid
and obtain claims/scopes
37. OAuth 2.0 Authorization Code Flow
yelp.com
Connect with Google
accounts.google.com
Allow Yelp to access your public
profile and contacts?
No Yes
yelp.com/callback
Resource owner clicks ^^
Back to redirect URI
with authorization code
contacts.google
Talk to resource server
with access token
Exchange code for
access token
accounts.google.com
Email
**********
Go to authorization server
Redirect URI: yelp.com/cb
Response type: code
Authorization ServerClient
39. Scopes
Additive bundles of permissions
asked by client when requesting a
token
Decouples authorization policy
decisions from enforcement
Who owns the data? End user or
the target service
Who gets to specify the
authorization policy? End user or
application owner
Scopes to Deny
Scopes to Allow
41. OAuth 2.0 Authorization Code Flow
yelp.com/callback
Back to redirect URI
with authorization code
contacts.google
Talk to resource server
with access token
Exchange code for
access token
accounts.google.com
Email
**********
Go to authorization server
Redirect URI: yelp.com/cb
Scope: profile contacts
Authorization Server
yelp.com
Connect with Google
Resource owner
Client
accounts.google.com
Allow Yelp to access your public
profile and contacts?
No Yes
Request consent
from resource owner
43. Front Channel Flow
Authorize via User Agent
Resource
Server (RS)
Authorization
Server (AS)
4
2
3
1
Resource Owner starts flow to
delegate access to protected
resource
1
Client
2 Client sends authorization request
with desired scopes via browser
redirect to Authorize Endpoint on
Authorization Server
3
User authenticates and consents to
Delegated Access (Grant)
4 Authorization Code Grant or Access
Token is returned to Client via
browser redirect
Resource
Owner (RO)
44. Authorization Request
GET https://accounts.google.com/o/oauth2/auth?
scope=gmail.insert gmail.send&
redirect_uri=https://app.example.com/oauth2/callback&
response_type=code&
client_id=812741506391&
state=af0ifjsldkj
HTTP/1.1 302 Found
Location: https://app.example.com/oauth2/callback?
code=MsCeLvIaQm6bTrgtp7&
state=af0ifjsldkj
Request
Response
Note: Parameters are not URL-encoded for example purposes
45. Back Channel Flow
Exchange Grants for Tokens
Resource
Server (RS)
Authorization
Server (AS)
1
Client
2 Client accesses protected
resource with Access Token
Resource
Owner (RO)
2
Client exchanges Authorization
Code Grant with token endpoint
on Authorization Server for an
Access Token and optionally
Refresh Token
1
46. Token Request
POST /oauth2/v3/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=MsCeLvIaQm6bTrgtp7&
client_id=812741506391&
client_secret={client_secret}&
redirect_uri=https://app.example.com/oauth2/callback&
grant_type=authorization_code
Note: Parameters are not URL-encoded for example purposes
49. OAuth 2.0 Authorization Code Flow
yelp.com/callback
Back to redirect URI
with authorization code
(front channel)
contacts.google
Talk to resource server
(back channel)
Exchange code for
access token (back channel)
accounts.google.com
Email
**********
Go to authorization server
Redirect URI: yelp.com/cb
(front channel)
Authorization Server
yelp.com
Connect with Google
Resource owner
Client
accounts.google.com
Allow Yelp to access your public
profile and contacts?
No Yes
Request consent
from resource owner
50. OAuth 2.0 Grant Types (Flows)
• Optimized for browser-only
Public Clients
• Access token returned
directly from authorization
request (Front-channel only)
• Does not support refresh
tokens
• Assumes Resource Owner
and Public Client are on the
same device
• Most vulnerable to security
threats
Implicit (2 Legged)
• Front channel flow used by
Client to obtain
authorization code grant
• Back channel flow used by
Client to exchange
authorization code grant
for access token and
optionally refresh token
• Assumes Resource Owner
and Client are on separate
devices
• Most secure flow as tokens
never passes through user-
agent
Authorization Code (3 Legged)
• Optimized for server-only
Confidential Clients acting
on behalf of itself or a user
• Back-channel only flow to
obtain an access token
using the Client’s
credentials
• Supports shared secrets or
assertions as Client
credentials signed with
either symmetric or
asymmetric keys
Client Credential
51. OAuth 2.0 Grant Types (Flows)
• Legacy grant type for native
username/password apps
such as desktop apps
• Username/password is
authorization grant to
obtain access token from
Authorization Server
• Does not support refresh
tokens
• Assumes Resource Owner
and Public Client or on the
same device
Resource Owner Password
• Allows Authorization Server
to trust authorization
grants from third party such
as SAML IdP (Federation)
• Assertion is used to obtain
access token with token
request
• Does not support refresh
tokens
Assertion
• Optimized for devices that
do not have access to web-
browsers
• User code is returned from
authorization request that
must be redeemed by
visiting a URL on a device
with a browser to authorize
• Back channel flow used by
Client to poll for
authorization approval for
access token and optionally
refresh token
Device
52. OAuth Flows
Six different flows
Necessary because of:
How you get consent from client?
Who is making consent?
Adds a lot of complexity to OAuth
When people ask if you support OAuth, are they asking for all
six?
Image: Ian Sane, Spring Runoff
https://www.flickr.com/photos/31246066@N04/4620052369
56. Common OAuth 2.0 Security Issues
Too many inputs that need validation
Token hijacking with CSRF
Always use CSRF token with state parameter to ensure OAuth flow integrity
Leaking authorization codes or tokens through redirects
Always whitelist redirect URIs and ensure proper URI validations
Token hijacking by switching clients
Bind the same client to authorization grants and token requests
Leaking client secrets
Unbounded & Bearer Tokens
See draft specification of OAuth Proof-of-Possession Token Extension
57. Key Enterprise OAuth 2.0 Use Cases
Decouples authorization policy decisions from
enforcement
Enables the right blend of fine & coarse grained
authorization
Replaces traditional Web Access management (WAM)
Policies
Restrict and revoke which apps can access specific
APIs
Ensure only managed and/or complaint devices can
access specific APIs
Deep integration with identity deprovisioning
workflow to revoke all tokens for a user and device
Federation with an IdP
58. OAuth 2.0 Facts
Not backward compatible with
OAuth 1.0
Interoperability issues exists as
its not a protocol but rather an
authorization framework
OAuth 2.0 is not an
authentication protocol
OAuth 2.0 alone says absolutely
nothing about the user
59. Identity Use Cases (circa 2012)
Simple login — OAuth 2.0
Single sign-on across sites — OAuth 2.0
Mobile app login — OAuth 2.0
Delegated authorization — OAuth 2.0
61. OAuth 2.0 as Pseudo-Authentication
Client accessing a https://
api.example.com/me resource with
an access token is not
authenticating the user
Access tokens just prove the Client
was authorized, are opaque, and
intended to only be consumed by
the Resource Server
Who is the user (claims)?
When did the user authenticate?
Does the user still have an active or
expired session?
How did the user authenticate?
Just password or password + second
factor
As made famous by Facebook Connect and Twitter
63. OAuth 2.0 and OpenID Connect
OpenID Connect is for
authentication
OAuth 2.0 is for
authorization
OpenID Connect
OAuth 2.0
HTTP
64. OpenID Connect
Extends OAuth 2.0 with new signed id_token for the
Client and UserInfo endpoint to fetch user attributes
Provides a standard set of scopes and claims for
identities
profile
email
address
phone
Built-in registration, discovery & metadata for
dynamic federations
Bring Your Own Identity (BYOI)
Supports high assurance levels and key SAML use
cases (enterprise)
OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)
65. Authorization Request
GET https://accounts.google.com/o/oauth2/auth?
scope=openid email&
redirect_uri=https://app.example.com/oauth2/callback&
response_type=code&
client_id=812741506391&
state=af0ifjsldkj
HTTP/1.1 302 Found
Location: https://app.example.com/oauth2/callback?
code=MsCeLvIaQm6bTrgtp7&
state=af0ifjsldkj
Request
Response
Note: Parameters are not URL-encoded for example purposes
66. Token Request
POST /oauth2/v3/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=MsCeLvIaQm6bTrgtp7&
client_id=812741506391&
client_secret={client_secret}&
redirect_uri=https://app.example.com/oauth2/callback&
grant_type=authorization_code
Note: Parameters are not URL-encoded for example purposes
68. Validate ID
Token
Token Endpoint
Authorization Endpoint
/.well-known/
openid-configuration
JWKS Endpoint
UserInfo Endpoint
OAuth 2.0 Authorization Server &
OpenID Connect Provider (OP)
OAuth 2.0 Resource Server
Client
(Relying Party)
1
3
2
54
1 Discover OpenID Provider Metadata
2
Perform OAuth flow to obtain a ID
token and/or access token
3 Get JSON Web Key Set (JWKS) for
signature keys
4
Validate ID token
(JSON Web Token)
5
Get additional user attributes with
access token from UserInfo
endpoint
OpenID Connect
69. OIDC Authorization Code Flow
yelp.com/callback
Back to redirect URI
with authorization code
Exchange code for
access token and ID token
accounts.google.com
Email
**********
Go to authorization server
Redirect URI: yelp.com/cb
Scope: openid profile
Authorization Server
yelp.com
Connect with Google
Resource owner
Client
accounts.google.com
Allow Yelp to access your public
profile and contacts?
No Yes
Request consent
from resource owner
Hello Matt!
accounts.google
Get user info
with access token
/userinfo
72. Which grant type is right for you?
Authorization
Code
Implicit Authorization
Code
Client Credentials
73. Implicit Flow (SPA)
Authenticate via User Agent
1
User starts flow by visiting Single
Page App Client with User Agent
2
Client sends authentication request
with openid scope via browser
redirect to Authorize Endpoint on
Authorization Server
3
User authenticates and consents to
Client to access user’s identity
4
ID Token and optionally Access Token for
SPA app is returned to Client via browser
redirect
4
2
3
1
User
SPA
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
5
Client optionally fetches additional claims
with Access Token from UserInfo endpoint
5
74. Authorization Code Flow (Web)
Authenticate via User Agent
1
User starts flow by visiting Web App
Client with User Agent
2
Client sends authentication request
with openid scope via browser
redirect to Authorize Endpoint on
Authorization Server
3
User authenticates and consents to
Client to access user’s identity
4
Authorization Code Grant and optionally
ID Token for Web App is returned to Client
via browser redirect
4
2
3
1
User
Web App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
75. Authorization Code Flow (Web)
Exchange Grant for Tokens
1b
1a
User
Web App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
2
2
Client optionally fetches additional
claims with Access Token from UserInfo
endpoint
Client authenticates & exchanges
Authorization Code Grant with token
endpoint on Authorization Server for an ID
Token, Access Token and optionally
Refresh Token
1
76. Session Best Practices
ID Tokens should be used to create a session for a
traditional web application or single-page application
Use subject claim (sub) as stable identifier for the user
account
Session cookies should be protected with HTTPOnly flag
to prevent JavaScript access
Avoid using ID Tokens as a stateless “session token”
for Single Page Apps
API is not the audience of the token
ID Tokens can be large in size and often contain PII or
other sensitive data
ID Token lifetime is not your app’s session lifetime
77. Authorization Code Flow (Native)
Authenticate via User Agent
1
User starts flow by launching Native
App Client
2
Client launches User Agent and sends
authentication request with openid
scope and PKCE code challenge via
browser redirect to Authorize Endpoint
on Authorization Server
3
User authenticates and consents to
Client to access user’s identity
4
Authorization Code Grant and optionally
ID Token for Web App is returned to Client
via browser redirect and User Agent is
closed
4
2
3
1
User
Native App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
78. Authorization Code Flow (Native)
Exchange Grant for Tokens
1b
1a
User
Native App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
2
2
Client optionally fetches additional
claims with Access Token from UserInfo
endpoint
Client exchanges Authorization Code
Grant and PKCE code verifier with token
endpoint on Authorization Server for an ID
Token, Access Token and optionally
Refresh Token
1
79. Native App Best Practices
Do not use an embedded web views for authenticating users!
App (or 3rd party library/script) can directly obtain the user’s
credentials which goes against OAuth’s raison d'être
Users can’t reuse their existing session with their IdP (SSO)
increasing friction for sign-in/sign-up
IdPs can’t implement new authentication methods
Do not store client secrets in apps that are distributed via App
Stores!
Use PKCE (RFC 7636) to protect authorization code from
interception
Follow guidelines outlined in OAuth 2.0 for Native Apps Best
Current Practice
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-12
302 Found
Location: app://redirect
83. Google OAuth Client Library
ScribeJava
Spring Security OAuth
Nimbus OAuth SDK
List of client and server libraries for many languages:
https://oauth.net/code/
OAuth and OIDC Libraries