Mastering OAuth 2.0

Book Description

Create powerful applications to interact with popular service providers such as Facebook, Google, Twitter, and more by leveraging the OAuth 2.0 Authorization Framework

About This Book

  • Learn how to use the OAuth 2.0 protocol to interact with the world's most popular service providers, such as Facebook, Google, Instagram, Slack, Box, and more

  • Master the finer details of this complex protocol to maximize the potential of your application while maintaining the utmost of security

  • Step through the construction of a real-world working application that logs you in with your Facebook account to create a compelling infographic about the most important person in the world—you!

Who This Book Is For

If you are an application developer, software architect, security engineer, or even a casual programmer looking to leverage the power of OAuth, Mastering OAuth 2.0 is for you. Covering basic topics such as registering your application and choosing an appropriate workflow, to advanced topics such as security considerations and extensions to the specification, this book has something for everyone. A basic knowledge of programming and OAuth is recommended.

What You Will Learn

  • Discover the power and prevalence of OAuth 2.0 and use it to improve your application's capabilities

  • Step through the process of creating a real-world application that interacts with Facebook using OAuth 2.0

  • Examine the various workflows described by the specification, looking at what they are and when to use them

  • Learn about the many security considerations involved with creating an application that interacts with other service providers

  • Develop your debugging skills with dedicated pages for tooling and troubleshooting

  • Build your own rich, powerful applications by leveraging world-class technologies from companies around the world

In Detail

OAuth 2.0 is a powerful authentication and authorization framework that has been adopted as a standard in the technical community. Proper use of this protocol will enable your application to interact with the world's most popular service providers, allowing you to leverage their world-class technologies in your own application. Want to log your user in to your application with their Facebook account? Want to display an interactive Google Map in your application? How about posting an update to your user's LinkedIn feed? This is all achievable through the power of OAuth.

With a focus on practicality and security, this book takes a detailed and hands-on approach to explaining the protocol, highlighting important pieces of information along the way.

At the beginning, you will learn what OAuth is, how it works at a high level, and the steps involved in creating an application. After obtaining an overview of OAuth, you will move on to the second part of the book, where you will learn the need for and importance of registering your application and the types of supported workflows. You will discover more about the access token, how you can use it with your application, and how to refresh it after expiration.

By the end of the book, you will know how to make your application architecture robust. You will explore the security considerations and effective methods to debug your applications using appropriate tools. You will also look at special considerations for integrating with OAuth service providers via native mobile applications. In addition, you will come across support resources for OAuth and the credentials grant types.

Style and approach

With a focus on practicality and security, Mastering OAuth 2.0 takes a top-down approach to exploring the protocol. Discussed first at a high level, examining the importance and overall structure of the protocol, the book then dives into each subject, adding more depth as we proceed. This all culminates in an example application that will be built, step by step, using the valuable and practical knowledge you have gained.

Downloading the example code for this book: you can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to receive the code files.

Table of Contents

    1. Mastering OAuth 2.0
      1. Table of Contents
      2. Mastering OAuth 2.0
      3. Credits
      4. About the Author
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. Why Should I Care About OAuth 2.0?
        1. Authentication versus authorization
          1. Authentication
          2. Authorization
        2. What problems does it solve?
          1. Federated identity
          2. Delegated authority
          3. Real-life examples of OAuth 2.0 in action
        3. How does OAuth 2.0 actually solve the problem?
          1. Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
          2. With OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
        4. Who uses OAuth 2.0?
        5. Introducing "The World's Most Interesting Infographic Generator"
        6. Summary
      9. 2. A Bird's Eye View of OAuth 2.0
        1. How does it work?
          1. User consent
          2. Two main flows for two main types of client
          3. Trusted versus untrusted clients
        2. First look at the client-side flow
          1. An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
          2. The big picture
          3. When should this be used?
          4. Pros and cons of being an untrusted client
            1. Pros
            2. Cons
        3. First look at the server-side flow
          1. A trusted client – GoodApp requests access for user's Facebook friends using authorization code grant
          2. The big picture
          3. When should this be used?
          4. Pros and cons of being a trusted client
            1. Pros
            2. Cons
        4. What are the differences?
        5. What about mobile?
        6. Summary
      10. 3. Four Easy Steps
        1. Let's get started
        2. Step 1 – Register your client application
          1. Different service providers, different registration process, same OAuth 2.0 protocol
          2. Your client credentials
        3. Step 2 – Get your access token
          1. A closer look at access tokens
            1. Scope
            2. Duration of access
            3. Token revocation
          2. Sometimes a refresh token
        4. Step 3 – Use your access token
          1. An access token is an access token
        5. Step 4 – Refresh your access token
          1. What if I don't have a refresh token?
          2. Refresh tokens expire too
        6. Putting it all together
        7. Summary
      11. 4. Register Your Application
        1. Recap of registration process
        2. Registering your application with Facebook
          1. Creating your application
          2. Setting your redirection endpoint
            1. What is a redirection endpoint?
          3. Find your service provider's authorization and token endpoints
        3. Putting it all together!
        4. Summary
      12. 5. Get an Access Token with the Client-Side Flow
        1. Refresher on the implicit grant flow
        2. A closer look at the implicit grant flow
          1. Authorization request
            1. According to the specification
            2. In our application
          2. Access token response
            1. Success
            2. Error
        3. Let's build it!
          1. Build the base application
            1. Install Apache Maven
            2. Create the project
            3. Configure base project to fit our application
            4. Modify the hosts file
            5. Running it for the first time
          2. Make the authorization request
          3. Handle the access token response
        4. Summary
        5. Reference pages
          1. Overview of the implicit grant flow
          2. Authorization request
          3. Access token response
          4. Error response
      13. 6. Get an Access Token with the Server-Side Flow
        1. Refresher on the authorization code grant flow
        2. A closer look at the authorization code grant flow
          1. Authorization request
            1. According to the specification
            2. In our application
          2. Authorization response
            1. Success
            2. Error
          3. Access token request
            1. According to the specification
            2. In our application
          4. Access token response
            1. Success
            2. Error
        3. Let's build it!
          1. Build the base application
            1. Install Apache Maven
            2. Create the project
            3. Configure the base project to fit our application
            4. Modify the hosts file
            5. Running it for the first time
          2. Make the authorization request
          3. Handle the authorization response
          4. Make the access token request
          5. Handle the access token response
        4. Summary
        5. Reference pages
          1. An overview of the authorization code grant flow
          2. Authorization request
          3. Authorization response
          4. Error response
          5. Access token request
          6. Access token response
          7. Error response
      14. 7. Use Your Access Token
        1. Refresher on access tokens
        2. Use your access token to make an API call
          1. The authorization request header field
          2. The form-encoded body parameter
          3. The URI query parameter
        3. Let's build it!
          1. In our client-side application
            1. Send via the URI query parameter
            2. Send via the form-encoded body parameter
          2. In our server-side application
            1. Send via the URI query parameter
            2. Send via the HTTP authorization header
        4. Creating the world's most interesting infographic
        5. Summary
        6. Reference pages
          1. An overview of protected resource access
          2. The authorization request header field
          3. The form-encoded body parameter
          4. The URI query parameter
      15. 8. Refresh Your Access Token
        1. A closer look at the refresh token flow
          1. The refresh request
            1. According to the specification
          2. The access token response
            1. Success
            2. Error
        2. What if I have no refresh token? Or my refresh token has expired?
          1. Comparison between the two methods
        3. The ideal workflow
        4. Summary
        5. Reference pages
          1. An overview of the refresh token flow
          2. The refresh request
          3. Access token response
          4. Error response
      16. 9. Security Considerations
        1. What's at stake?
        2. Security best practices
          1. Use TLS!
          2. Request minimal scopes
          3. When using the implicit grant flow, request read-only permissions
          4. Keep credentials and tokens out of reach of users
          5. Use the authorization code grant flow whenever possible
          6. Use the refresh token whenever possible
          7. Use native browsers instead of embedded browsers
          8. Do not use third-party scripts in the redirection endpoint
          9. Rotate your client credentials
        3. Common attacks
          1. Cross-site request forgery (CSRF)
            1. What's going on?
            2. Use the state param to combat CSRF
          2. Phishing
          3. Redirection URI manipulation
          4. Client and user impersonation
        4. Summary
      17. 10. What About Mobile?
        1. What is a mobile application?
        2. What flow should we use for mobile applications?
          1. Are mobile applications trusted or untrusted?
          2. What about mobile applications built on top of mobile platforms with secure storage APIs?
            1. Not quite enough
        3. Hybrid architectures
          1. Implicit for mobile app, authorization code grant for backend server
          2. What is the benefit of this?
        4. Authorization via application instead of user-agent
        5. Summary
      18. 11. Tooling and Troubleshooting
        1. Tools
        2. Troubleshooting
          1. The implicit grant flow
            1. The authorization request
              1. Common issues
          2. The authorization code grant flow
            1. The authorization request
              1. Common issues
            2. The access token request
              1. Common issues
          3. The API call flow
            1. The authorization request header field
              1. Common issues
            2. The form-encoded body parameter
              1. Common issues
            3. The URI query parameter
          4. The refresh token flow
            1. Common issues
        3. Summary
      19. 12. Extensions to OAuth 2.0
        1. Extensions to the OAuth 2.0 framework
          1. Custom grant types
          2. A variety of token types
          3. Any authorization backend
        2. OpenID Connect
        3. Summary
      20. A. Resource Owner Password Credentials Grant
        1. When should you use it?
        2. Reference pages
          1. An overview of the resource owner password credentials grant
          2. Authorization request and response
          3. Access token request
          4. Access token response
          5. Error response
      21. B. Client Credentials Grant
        1. When should you use it?
        2. Reference pages
          1. Overview of the client credentials grant
          2. Authorization request and response
          3. Access token request
          4. Access token response
          5. Error response
      22. C. Reference Specifications
        1. The OAuth 2 Authorization Framework
        2. The OAuth 2 Authorization Framework: Bearer Token Usage
        3. OAuth 2.0 Token Revocation
        4. OAuth 2.0 Threat Model and Security Considerations
        5. Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
        6. Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
        7. JSON Web Token (JWT)
        8. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
        9. OpenID Connect Core 1.0
        10. HTTP Authentication: Basic and Digest Access Authentication
      23. Index