OAuth2 and Your Web Application

Donuts.js 8/8/2018, SORT 10/9/2018

Bruce Campbell

What this talk is NOT:

  • Deep dive into OAuth2 RFCs and Spec
  • A Comprehensive Guide to OAuth
  • Authorization Server Implementation Details
  • The Gospel Truth about OAuth and OIDC

What this talk is:

  • OAuth v2.0 at a high level
    • What is it?
    • How does it work?
  • Demo of sample application

Introduction

What is OAuth2?

A standard way to secure and share a resource

Particularly good at access delegation... granting access from one app to another without giving out your password

example

[consent screen shown to the user by the auth provider; the app's logo is not recoverable from the slide]

Do you want to grant [app logo] the access to...

  • ☑ Friendlist
  • ☑ Birthday
  • ☑ Email Address
  • ☑ Post to your timeline

[Yes]  [No]

  • Yelp never sees my fb password!
  • The relationship can be revoked

[diagram: App <-> Auth Provider]

smells like single-sign-on

what would that look like from the user's perspective?

A: Same

http://myapp.mydomain.com

Key Terms

Authorization (AuthZ) vs Authentication (AuthN)

  • Authorization (AuthZ): what can be done (OAuth 2.0)
  • Authentication (AuthN): who the current user is and their presence in the application (OpenID Connect)

Authorization Server

The server the user interacts with to approve or deny requests to access their account, as well as the source of tokens

Client

The application attempting to access a resource on a User's behalf

client id

identifier (or username) that identifies a client to the authorization server

client secret

uh... the password

Tokens

Strings that represent a relationship between a user, a client, and the OAuth server

Access Code

string that represents that a user successfully authenticated - traded to the OAuth server for Tokens (this is the "authorization code" in the flow below)

Access Token

The token given to the application to access the protected resource on the user or application's behalf

Refresh Token

The token given to the application to request a new access token on its expiration

e4572e3e-2949-442b-90a0-aa00b6a7d6c5

Detailed Flow

Architecture

[diagram: the Browser (the "user") talks to a node.js app server (the "client"); the app server talks to service a, service b, and the Auth Server]
Authorization Code Flow

  • client already registered with the auth server - through the OAuth2 cloud foundry service
  • single-page app with universal rendering using the architecture shown in the previous slide
  • in this walk-through all requests are successful
  • the app server proxies all api requests


The architecture diagram (Browser as "user", node.js app server as "client", service a, service b, Auth Server) is repeated on each of the following slides; only the step text changes.

1. User navigates to https://myapp.lds.org/demo

2. The app server sends a redirect to the login screen, and the browser follows the redirect.

3. The user authenticates... submitting credentials to the auth server.

4. The Auth Server responds with a redirect back to the app server... and includes an "authorization code".

5. The app server exchanges the auth code for a pair of tokens (access & refresh).

6. The app server needs data to render the page, so it makes an api call to "service a" and includes the access token.

7. "service a" verifies the access token using its own client id and client secret.

8. "service a" responds with the data; the app server renders the page and responds to the browser.

Notes

  • The app never knows the User's password
  • The User never knows the client id / secret
  • App server proxies api requests
    ...no CORS configuration required
  • Resource servers respond with 200's or 400's
    ...never a redirect!!
  • The tokens are stored in the browser via cookies
    ...so the app server can remain stateless!
  • We aren't using JWT's*

Getting Started

show and tell

the end

Resources Used

OAuth2 Simplified
