Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Speaking about the OAuth flow it is important to clearly define some of the common terms. The terms used throughout this document are defined below.

Terma.k.aDefinition

Example

Resource
 

The protected data or service.Mary's Facebook Account.

Resource Owner

UserThe entity that grants permission to use a Resource.  Often also the user of the application.Mary

Resource Server

API ServerThe server that hosts the Resource.Facebook's Data Server

Client

ApplicationThe application that wants to use the Resource.GreetingCardMaker
Authorization ServerToken Manager

The server responsible for authenticating the Resource Owner and determining their concent.

The Resource Server trusts the Authorization Server and they are almost always run by the same organization.

Often the Resource Server and Authorization Server are the same thing.

Facebook's OAuth Server
Client ID & SecretApp Username/Password

The credentials that a Client application uses to authenticate with the Authorization Server.

These are usually generated when the Client is registered with the Authorization Server.

 


Username & Password
 

The credentials that the Resource Owner uses to authenticate with the Authorization Server.

Mary's Facebook

username and password.

OAuth TokenBearer Token

A short lived token that is issued to the Client by the Authorization Server after authenticating and getting permission from the Resource Owner.

A short random string.
Authorization GrantGrant Code

A representation of the Resource Owner's consent for the Resource to be released to a Client.

The Authorization Grant is provided by the Client to the Authorization Server (along with the Client ID & Secret) in exchange for an OAuth Token.

Each Authorization Grant is limited to a specific Client, Resource Owner and Scope.

A short random string.
Scope
 

A subset of the Resource.

Facebook Photo's,

Contacts, Status etc.

Authorization Code - Trusted Application

...

  1. The Client ID & Secret are compiled into the application. 
  2. Users of the application are sent to the Authorization Server to provide their consent.  The Client ID and requested Scope are encoded in the url.
  3. The Authorization Server returns a Authorization Grant to the Client.
  4. The Client gives they the Authorization Grant and Client ID & Secret to the Authorization Server.
  5. The Authorization Server returns a OAuth Token.
  6. The Client invokes api on the Resource Server, passing along the OAuth Token.

...

This problem has been the subject of significant consideration and while not optimal the Fragment Identifier seems the best solution.

Possible Solution: One Time Tokens

It has been proposed that the Authorization Server could send back a One Time Token instead of the OAuth Token.  The Client would then make a GET request to the Authorization Server to exchange the One Time Token for a OAuth Token.  As the name indicates, the One Time Token would only be valid for one such exchange and have a much shorter TTL (~2min).

The Browser History Attack would be impossible, as the only time any token is placed in the browser history it is invalidated by that same call.

An alternative proposal is that One Time Tokens behave as normal OAuth Tokens but are only good for a single use (or a very small window ~30sec from first use).

Neither concept is not part of the OAuth spec and is not supported by WSO2's products.

...

PKCE

Proof Key of Code Exchange is a replacement for implicit grant type.  It's the same as Implicit Grant with the change that the OAuth Token is retrieved via a separate direct call where the token is stored in the body and thus encrypted by SSL.

Before sending the user off to authenticate the Client generates a random value, it then sends a hash of the value off with the user when they are sent to authenticate.  At the end of the process the Client sends the unhashed random value to the Authorization Server, which then verifies that this value hashes to the hash previously presented.  This proves to the Authorization Server that the Client asking for the token is the same one that sent the user in for authorization.

Flow:

  1. The Client generates a random value (CodeVerifier) and then hashes it (CodeChallenge).
  2. Users of the application are sent to the Authorization Server to provide their consent.  The ClientId and CodeChallenge are sent with the request.
  3. The User authenticates with the Authorization Server.
  4. The Authorization Server redirects the browser to the Client's callback URL with a randomly generated Authorization Code.  It stores this authorization event associated with the Authorization Code.
  5. The Client extracts the Authorization Code from the browsers url.
  6. The Client sends the Authorization Code, ClientId and CodeVerifier to the Authorization Server.
  7. The Authorization Server looks up the authorization event attached to the Authorization Code. It then hashes the CodeVerifier and checks that it matches the CodeVerifier.  It returns a OAuth Token in the payload.
  8. The Client invokes APIs on the Resource Server, passing along the OAuth Token.


Example:

Image Added

Pros & Cons

  • This process allows authenticating the user even when the Client can't be trusted to protect the Client Secret.
  • The API can not trust the application, as the code may have been modified by the User. 

Resource Owner Password Credentials - Thick Client / Script

With the Resource Owner Password Credentials grant type the Client submits it's own Client ID & Secret along with the Resource Owner's Username & Password.  The motivation for this grant type is "canonical" apps, for example the Facebook app on a mobile device might ask for the users Facebook password and use Resource Owner Password Credentials

Flow:

  1. The Client requests and stores the Username & Password from the Resource Owner.  This can be done in advance of the other steps and persist over sessions.
  2. The Client submits to the Authorization Server the Client ID & Secret along with the Username & Password.
  3. The Authorization Server returns a OAuth Token.  There is now "consent" screen as the user has give all control to the Client by turning over their Password.
  4. The Client invokes APIs on the Resource Server, passing along the OAuth Token.

Example:

Pros & Cons:

  • Requires the user to turn over their Username & Password, which users should be very wary of doing.  Which is why this is usually restricted to "canonical" apps (e.g. the Facebook App -> Facebook API).
  • App has responsibility of securely storing the Password.  The Password cannot be stored as a salted hash as is normally advised, because the request to the Authorization Server requires the original plain text (Base64 Encoded) Password.
  • The User doesn't have the authenticate every time they use the app.
  • The App can act on the users behalf without user input, for example the App can check for new messages in the background.

...

Info

When the application is invoking an API because of input from the User, Authorization Grant should be used instead.  However that requires the user be sent to the APIM to authenticate and give consent.  In circumstances where consent is automatic or assumed and the User has already authenticated to the Application (e.g. webapp behind SSO) it is acceptable to use Client Credentials.  The application should include any User details needed by the backend server in the payload as the APIM won't be able to provide any User information.

Flow:

  1. Client requests a token from the Authorization Server, including the Client ID & Secret.
  2. The Authorization Server returns an OAuth Token.
  3. The Client invokes APIs on the Resource Server, passing along the OAuth Token.

Example:

Pros & Cons:

  • Simple.
  • No need for "fake" users or service accounts.
  • API Manager can not consider User when determining permissions (if there is one).
  • API Manager cannot log which User was involved (if there is one)

...

When a web app sends the user to SSO for authentication, the SSO server returns a signed SAML Assertion.  This assertion includes the known data about the current user, such as username.  If the Authorization Server also trusts the SSO Server, then that signed SAML Assertion can be exchanged for a OAuth Token.  

Flow:

  1. Client sends user to SSO for authentication.
  2. The user authenticates with the SSO server, usually with a username/password.
  3. The SSO returns an assertion to the Client, proving that the current user has authenticated.
  4. The Client requests an OAuth Token from the Authorization Server, including the SAML Assertion.
  5. The Authorization Server verifies the assertion was signed by a trusted IDP and returns an OAuth Token.

...

Code Block
titleSAML2 Bearer Assertion
title SAML2 Bearer Assertion
participant A4
participant Mary
participant MyTime
participant Auth Server
Mary->MyTime: Access MyTime
MyTime->Mary: Redirect to A4
Mary->A4: Authenticate
note over Mary, A4: Authenticate
A4->Mary: SAML Assertion
Mary->MyTime: Access MyTime (SAML Assertion)
MyTime->MyTime: Process Assertion, \nextract user data.
MyTime->Auth Server: Request OAuth Toke (SAMl Assertion)
Auth Server->Auth Server: Verify Signed by trusted IDP
Auth Server->MyTime: OAuth Token
MyTime->Leave Balances API: get user's vacation time (OAuth Token)

 

 

...