· 6 years ago · Jul 26, 2019, 08:06 PM
---
title: OAuth 2.0
created: '2019-06-27T17:14:48.452Z'
modified: '2019-07-09T23:19:26.698Z'
attachments: [abstract-flow.png, authorization-code-flow.png, implicit-flow.png]
---

# OAuth 2.0

Authorization framework that lets applications obtain limited access to user accounts on an HTTP service: authentication is delegated to the service hosting the user account, which then authorizes third-party apps to access that account (e.g. accessing an Atlassian user account from Trello).

## Why not OAuth 1?
* Cryptographic requirements of signing requests with the client ID and secret made it hard to get started quickly with OAuth 1
* Limited UX for non-desktop-browser devices
* Performance at scale
  * Steps required state management and temporary credentials, requiring shared storage and synchronization of data across data centers
  * Requires the server to have access to the client ID + secret, not allowing separation of the authorization server and resource server

## OAuth Roles
* Resource owner: User
  * User who authorizes an application to access their account
* Client: Application
  * Application wanting to access the user account
* Resource server: API
  * Hosts the user accounts
* Authorization server: API
  * Verifies the identity of the user, then issues access tokens to the application (e.g. Auth0)
  * Exposes endpoints such as `/oauth/authorize`, `/oauth/token`
  * Secured via Web SSO

## Before using OAuth
1. Registering the application
   * MUST register the application with the service
   * Provide a redirect URI so the service can redirect the user after they authorize/deny the application -> the redirect URI is generally the part of the application that handles auth codes and access tokens
2. Client ID and Client Secret
   * The service issues "client credentials" (client ID + secret) to the application
   * The client ID is a publicly exposed string used by the service API to identify the application (the service API may store a list of trusted client IDs) and is used to build the authorization URLs presented to users
   * The client secret is used to authenticate the identity of the application to the service API when the application requests access to a user's account
   * The client secret is not actually used to decrypt anything; it is used by the service to verify the client

## Access Tokens
* String representing the granted permissions, either as an opaque string or in JSON Web Token (JWT) format
* Access tokens should be used as a `Bearer` credential and transmitted in an HTTP `Authorization` header to the API
* Parts (of a JWT-format token)
  * Header
    * Contains metadata about the type of token + the crypto algorithms used to secure its contents
  * Payload
    * Statements about the permissions allowed + intended audience + expiration time
  * Signature
    * Verifies the token has not been tampered with + is trustworthy
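The three JWT parts above, worked through on the resource-server side as an added example (not from the notes or any of the referenced providers): a token is minted with HS256, then checked signature-first, then for audience and expiry, and the helper at the end pulls it out of the `Authorization: Bearer` header. The HMAC key and the claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(payload: dict, key: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token: str, key: bytes, audience: str, now: Optional[float] = None) -> dict:
    """Resource-server check: signature first, then the aud and exp claims.
    Raises ValueError on any failure so a caller never sees a half-checked token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token itself
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    if payload.get("aud") != audience:
        raise ValueError("token not intended for this API")
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload

def bearer_from_header(value: str) -> str:
    """Pull the token out of an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("not a Bearer credential")
    return token
```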
## Authorization Grants
* The grant type depends on the method used by the app to request authorization
* Authorization grant types defined by OAuth 2
  * [Authorization code](#auth-code-flow): used with server-side applications that can hide their source code from the public
  * [Implicit](#implicit-flow): mobile apps/web apps that run their source code strictly in the browser
  * Resource Owner Password Credentials: used with trusted applications, such as those owned by the service
  * Client Credentials: used for an application's own API access

### <a name="auth-code-flow"></a>Grant Types Continued: Authorization Code AKA 3-Legged OAuth

* Example authorization code link: `https://cloud.digitalocean.com/v1/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read`
  * `scope` - defines the level of access the application is requesting
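The client side of this flow as an added example (not from the notes or from DigitalOcean): building the authorize link above with a `state` value and the PKCE challenge the notes mention later, validating the redirect back to `CALLBACK_URL`, and preparing the back-channel token request. The authorize endpoint and `CLIENT_ID` come from the example link; the redirect URI, state value and callback URLs are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorize endpoint taken from the example link in the notes above.
AUTHORIZE_ENDPOINT = "https://cloud.digitalocean.com/v1/oauth/authorize"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_pkce_pair():
    """code_verifier stays with the client; only its S256 hash (the challenge) is sent up front."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

def challenge_matches(verifier: str, challenge: str) -> bool:
    """Authorization-server side: recompute S256 over the verifier sent with the token request."""
    return secrets.compare_digest(b64url(hashlib.sha256(verifier.encode()).digest()), challenge)

def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str, code_challenge: str) -> str:
    """Front-channel redirect: the link the user is sent to, with state and PKCE added."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # random per-login value bound to the user's session, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Handle the redirect back to CALLBACK_URL: reject errors and state mismatches, return the code."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    if qs.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: stale callback or cross-site request forgery")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

def token_request_body(code: str, redirect_uri: str, client_id: str, code_verifier: str) -> dict:
    """Back-channel POST body for /oauth/token: the one-time code plus the verifier proving the PKCE pair."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": code_verifier}
```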
### <a name="implicit-flow"></a>Grant Types Continued: Implicit

### <a name="client-credentials-flow"></a>Grant Types Continued: Client Credentials AKA 2-Legged OAuth
* The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

## Best Practices
* [Request scopes incrementally](https://developers.google.com/identity/protocols/OAuth2WebServer#incrementalAuth)
* Do not send tokens in query-string parameters, as they can end up in insecure log files
* Save refresh tokens in secure long-term storage so they can be used as long as they are valid

## Case Study: Atlassian
* Protected resource - Stargate
  * API proxy (api.atlassian.com/me)
  * Owned by the Stargate team
* id-proxy service (auth.atlassian.com)
  * Path-based routing (e.g. `/authorize`, `/oauth/oidc`, `oauth/token`)
  * Owned by Megaman
* Auth0 - authorization server
  * Clients stored in their databases
  * Configured with the `aid-auth0-config` repo owned by the Megaman team
* OIDC session bridge - authorization server
* I.A.C (AID signup) - Web SSO
  * Uses Session Service
  * Owned by the Megaman team
* Session service - Web SSO
  * Token creation/retrieval/validation service
* Edge authenticator - auth proxy
  * Returns Bearer token and User Context (UCTX) token

### Creating Clients
* Oauth-Management Service
  * Facade for client management
  * Communicates with Auth0 and PERMs (owned by Khaleesi)
* developer.atlassian.com (DAC)
  * Communicates with Oauth-Management
* aid-auth0-config
  * Configuration repo applied to Auth0
* Clients
  1. First-party clients have more scopes + no consent
     * Atlassian products only
  2. Third-party clients are scope restricted + consent
     * Created through developer.atlassian.com

Authorization code grant flow - PKCE (Proof Key for Code Exchange)

## References
1. https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
2. https://developers.google.com/identity/protocols/OAuth2
3. https://tools.ietf.org/html/draft-ietf-oauth-v2-31
4. https://hueniverse.com/introducing-oauth-2-0-b5681da60ce2
5. https://aaronparecki.com/oauth-2-simplified/#differences
6. https://auth0.com/docs/protocols/oauth2