OAuth
Introduction
The IETF develops and publishes the OAuth specifications (OAuth 2.0 is RFC 6749).
Before OAuth, an app that needed to call another service on your behalf asked for your password and sent it directly (e.g. HTTP Basic Authentication), so the app held your real credentials.
OAuth 1.0 was first released in 2007; OAuth 2.0, the version in use today, followed in 2012.
The defining mechanism of OAuth is the browser redirect: the app sends the user to the authorization server and the user is sent back with a result, so the user's password never passes through the app.
Security
Authentication is the process of confirming a user's identity; authorization is deciding what that user (or an app acting for them) may access.
OAuth provides delegated authorization (access control for APIs). On its own it is not an authentication protocol.
OAuth vs OpenID Connect
OAuth
Lets an app access an API on the user's behalf.
OAuth issues Access Tokens.
The app presents the access token to the API; the token says what the app may do, not who the user is.
OpenID Connect
Is an identity layer built on top of OAuth 2.0.
OpenID Connect issues ID Tokens (a signed statement about the user: who authenticated, when, and at which provider).
Purpose: identifying the user to the app.
ID Tokens are JWTs; the app must validate the signature, issuer, audience, expiry and nonce before trusting the claims.
OAuth Roles
- User (Resource Owner)
- User Agent (the browser or device the user operates)
- Application (Client)
- API (Resource Server)
- Authorization Server
The authorization server is the only place the user enters their password; it authenticates the user, records consent and issues the tokens.
Types of Applications
Confidential Client
Apps running on a server, where a secret can be kept out of users' reach.
Has a Client Secret and authenticates itself to the authorization server with it.
Credentialed Client
Has a client secret, but one obtained without the authorization server verifying the app's identity (e.g. via dynamic client registration), so the secret proves continuity, not identity.
Public Client
Apps whose code ships to the user (single-page web apps, mobile and native apps), so no secret can be kept; identified by client_id only and protected with PKCE instead.
User Consent
Password Grant (the app itself collects the user's email and password and sends them to the authorization server) is the legacy approach; it has been deprecated because the app sees the password and no consent screen is involved.
In the redirect-based flows users only type their password at the authorization server, which is also where they see and approve which scopes the app is requesting.
Front Channel and Back Channel
Back Channel
The normal, secure way.
A direct HTTPS connection from the app's own code to the server (server-to-server, or AJAX/fetch from a browser), so the response cannot be observed or altered by the user in transit.
Front Channel
Data carried through the browser's address bar as GET parameters in redirects; it is visible to the user, stored in browser history and logs, so anything received this way must be treated as untrusted.
Implicit Flow (no back channel): returns the access token itself in the front channel, which is why it is now discouraged in favour of the authorization code flow with PKCE.
Application Identity
An OAuth Client is registered with the authorization server together with its allowed redirect URI(s).
It is identified by its ClientId (client_id), which is public and not a secret.
Authorization Code Flow
Application builds a URL to redirect the user's browser to the authorization server (front channel).
Request will have:
response_type=code
ClientId
RedirectURL (must exactly match a registered redirect URI)
scope and state (state is a random value the app checks on return to stop forged callbacks)
Server will send back (via a redirect to the RedirectURL)
Authorization Code (short-lived, single use), which the application exchanges at the token endpoint over the back channel for an Access Token.
PKCE
Proof Key for Code Exchange (RFC 7636): the app generates a random code_verifier, sends its SHA-256 hash (code_challenge, method S256) in the authorization request, and presents the verifier when exchanging the code, so an authorization code stolen from the front channel cannot be redeemed without it.
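The whole authorization code + PKCE round trip from the notes above, as an added example that is not code from the notes or the cited courses. Both sides are shown: the client builds the front-channel request and checks state on the way back, and a toy in-memory authorization server issues a single-use code bound to the PKCE challenge and only honours the back-channel exchange if the verifier hashes to it. The endpoint URL, client_id and redirect URI are assumed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed registration values for this example (not from the notes).
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "my-web-app"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- client side ----
def start_authorization(session: dict) -> str:
    """Generate verifier and state, keep them in the user's session, and build
    the front-channel redirect to the authorization server."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    state = b64url(secrets.token_bytes(16))
    session["pkce_verifier"] = verifier
    session["oauth_state"] = state
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "state": state,
        "code_challenge": code_challenge_for(verifier), "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str):
    """Parse the redirect back to the app. Everything here arrived through the
    address bar, so check state before doing anything with the code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        return None, qs["error"][0]
    expected_state = session.pop("oauth_state", None)
    got_state = qs.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(got_state, expected_state):
        return None, "state mismatch"
    code = qs.get("code", [""])[0]
    if not code:
        return None, "missing code"
    return (code, session.pop("pkce_verifier")), "ok"


# ---- authorization server side (toy, in-memory) ----
class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # issued code -> what it is bound to

    def authorize(self, request_url: str) -> str:
        """Called once the user has logged in and consented: issue a one-time
        code bound to client_id, redirect_uri and the PKCE challenge, and
        return the redirect that carries it back to the client."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            return f"{q['redirect_uri']}?{urlencode({'error': 'invalid_request', 'state': q.get('state', '')})}"
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                             "code_challenge": q["code_challenge"]}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def exchange(self, code: str, client_id: str, redirect_uri: str, code_verifier: str):
        """Back-channel token request. The code is consumed on first use and the
        verifier must hash to the challenge that was seen in the front channel."""
        rec = self._codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None, "invalid_grant"
        if not secrets.compare_digest(code_challenge_for(code_verifier), rec["code_challenge"]):
            return None, "invalid_grant"
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}, "ok"


def run_flow(server: AuthorizationServer, steal_code_only: bool = False):
    """Drive one full round trip and return the token-exchange result. With
    steal_code_only=True the exchange is attempted with a fresh verifier, i.e.
    by someone who captured the code from the front channel but not the verifier."""
    session = {}
    callback_url = server.authorize(start_authorization(session))  # user logs in, consents
    result, status = handle_callback(session, callback_url)
    if status != "ok":
        return None, status
    code, verifier = result
    if steal_code_only:
        verifier = b64url(secrets.token_bytes(32))
    return server.exchange(code, CLIENT_ID, REDIRECT_URI, verifier)
```

`code_challenge_for` reproduces the RFC 7636 Appendix B test vector, which is a quick way to check an implementation against a real provider's expectations. The two failure paths worth trying are a callback carrying a state the app never issued (rejected before the code is touched) and an exchange with the right code but the wrong verifier (rejected as invalid_grant, exactly the case PKCE exists for).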
References
Website
Courses
https://www.udemy.com/course/oauth-2-simplified/
https://www.linkedin.com/learning/connecting-linkedin-learning-with-your-organization-s-systems-q1-2021
https://www.linkedin.com/learning/web-security-user-authentication-and-access-control/best-practices-for-user-authentication-and-access-control