...
Term | a.k.a | Definition | Example | |
---|---|---|---|---|
Resource | The protected data or service. | Mary's Facebook Account. | ||
Resource Owner | User | The entity that grants permission to use a Resource. Often also the user of the application. | Mary | |
Resource Server | API Server | The server that hosts the Resource. | Facebook's Data Server | |
Client | Application | The application that wants to use the Resource. | GreetingCardMaker | |
Authorization Server | Token Manager | The server responsible for authenticating the Resource Owner and determining their concent. The Resource Server trusts the Authorization Server and they are almost always run by the same organization. Often the Resource Server and Authorization Server are the same thing. | Facebook's OAuth Server | |
Client ID & Secret | App Username/Password | The credentials that a Client application uses to authenticate with the Authorization Server. These are usually generated when the Client is registered with the Authorization Server. | ||
Username & Password | The credentials that the Resource Owner uses to authenticate with the Authorization Server. | Mary's Facebook username and password. | ||
OAuth Token | Bearer Token | A short lived token that is issued to the Client by the Authorization Server after authenticating and getting permission from the Resource Owner. | A short random string. | |
Authorization Grant | Grant Code | A representation of the Resource Owner's consent for the Resource to be released to a Client. The Authorization Grant is provided by the Client to the Authorization Server (along with the Client ID & Secret) in exchange for an OAuth Token. Each Authorization Grant is limited to a specific Client, Resource Owner and Scope. | A short random string. | |
Scope | A subset of the Resource. | Facebook Photo's, Contacts, Status etc. |
...
This problem has been the subject of significant consideration and while not optimal the Fragment Identifier seems the best solution.
Possible Solution: One Time Tokens
It has been proposed that the Authorization Server could send back a One Time Token instead of the OAuth Token. The Client would then make a GET request to the Authorization Server to exchange the One Time Token for a OAuth Token. As the name indicates, the One Time Token would only be valid for one such exchange and have a much shorter TTL (~2min).
The Browser History Attack would be impossible, as the only time any token is placed in the browser history it is invalidated by that same call.
An alternative proposal is that One Time Tokens behave as normal OAuth Tokens but are only good for a single use (or a very small window ~30sec from first use).
Neither concept is not part of the OAuth spec and is not supported by WSO2's products.
...
PKCE
Proof Key of Code Exchange is a replacement for implicit grant type. It's the same as Implicit Grant with the change that the OAuth Token is retrieved via a separate direct call where the token is stored in the body and thus encrypted by SSL.
Before sending the user off to authenticate the Client generates a random value, it then sends a hash of the value off with the user when they are sent to authenticate. At the end of the process the Client sends the unhashed random value to the Authorization Server, which then verifies that this value hashes to the hash previously presented. This proves to the Authorization Server that the Client asking for the token is the same one that sent the user in for authorization.
Flow:
- The Client generates a random value (CodeVerifier) and then hashes it (CodeChallenge).
- Users of the application are sent to the Authorization Server to provide their consent. The ClientId and CodeChallenge are sent with the request.
- The User authenticates with the Authorization Server.
- The Authorization Server redirects the browser to the Client's callback URL with a randomly generated Authorization Code. It stores this authorization event associated with the Authorization Code.
- The Client extracts the Authorization Code from the browsers url.
- The Client sends the Authorization Code, ClientId and CodeVerifier to the Authorization Server.
- The Authorization Server looks up the authorization event attached to the Authorization Code. It then hashes the CodeVerifier and checks that it matches the CodeVerifier. It returns a OAuth Token in the payload.
- The Client invokes APIs on the Resource Server, passing along the OAuth Token.
Example:
Pros & Cons
- This process allows authenticating the user even when the Client can't be trusted to protect the Client Secret.
- The API can not trust the application, as the code may have been modified by the User.
Resource Owner Password Credentials - Thick Client / Script
With the Resource Owner Password Credentials grant type the Client submits it's own Client ID & Secret along with the Resource Owner's Username & Password. The motivation for this grant type is "canonical" apps, for example the Facebook app on a mobile device might ask for the users Facebook password and use Resource Owner Password Credentials.
Flow:
- The Client requests and stores the Username & Password from the Resource Owner. This can be done in advance of the other steps and persist over sessions.
- The Client submits to the Authorization Server the Client ID & Secret along with the Username & Password.
- The Authorization Server returns a OAuth Token. There is now "consent" screen as the user has give all control to the Client by turning over their Password.
- The Client invokes APIs on the Resource Server, passing along the OAuth Token.
Example:
Pros & Cons:
- Requires the user to turn over their Username & Password, which users should be very wary of doing. Which is why this is usually restricted to "canonical" apps (e.g. the Facebook App -> Facebook API).
- App has responsibility of securely storing the Password. The Password cannot be stored as a salted hash as is normally advised, because the request to the Authorization Server requires the original plain text (Base64 Encoded) Password.
- The User doesn't have the authenticate every time they use the app.
- The App can act on the users behalf without user input, for example the App can check for new messages in the background.
...
Info |
---|
When the application is invoking an API because of input from the User, Authorization Grant should be used instead. However that requires the user be sent to the APIM to authenticate and give consent. In circumstances where consent is automatic or assumed and the User has already authenticated to the Application (e.g. webapp behind SSO) it is acceptable to use Client Credentials. The application should include any User details needed by the backend server in the payload as the APIM won't be able to provide any User information. |
Flow:
- Client requests a token from the Authorization Server, including the Client ID & Secret.
- The Authorization Server returns an OAuth Token.
- The Client invokes APIs on the Resource Server, passing along the OAuth Token.
Example:
Pros & Cons:
- Simple.
- No need for "fake" users or service accounts.
- API Manager can not consider User when determining permissions (if there is one).
- API Manager cannot log which User was involved (if there is one)
...
When a web app sends the user to SSO for authentication, the SSO server returns a signed SAML Assertion. This assertion includes the known data about the current user, such as username. If the Authorization Server also trusts the SSO Server, then that signed SAML Assertion can be exchanged for a OAuth Token.
Flow:
- Client sends user to SSO for authentication.
- The user authenticates with the SSO server, usually with a username/password.
- The SSO returns an assertion to the Client, proving that the current user has authenticated.
- The Client requests an OAuth Token from the Authorization Server, including the SAML Assertion.
- The Authorization Server verifies the assertion was signed by a trusted IDP and returns an OAuth Token.
...
Code Block | ||
---|---|---|
| ||
title SAML2 Bearer Assertion participant A4 participant Mary participant MyTime participant Auth Server Mary->MyTime: Access MyTime MyTime->Mary: Redirect to A4 Mary->A4: Authenticate note over Mary, A4: Authenticate A4->Mary: SAML Assertion Mary->MyTime: Access MyTime (SAML Assertion) MyTime->MyTime: Process Assertion, \nextract user data. MyTime->Auth Server: Request OAuth Toke (SAMl Assertion) Auth Server->Auth Server: Verify Signed by trusted IDP Auth Server->MyTime: OAuth Token MyTime->Leave Balances API: get user's vacation time (OAuth Token) |
...