OAuth2 and Your Web Application
Donuts.js 8/8/2018, SORT 10/9/2018
Bruce Campbell
What this talk is NOT:
- Deep dive into OAuth2 RFCs and Spec
- A Comprehensive Guide to OAuth
- Authorization Server Implementation Details
- The Gospel Truth about OAuth and OIDC
What this talk is:
- OAuth v2.0 at a high level
- What is it?
- How does it work?
- Demo of sample application
Introduction
What is Oauth2?
A standard way to secure and share a resource
Particularly good at access delegation... granting access from one app to another without giving out your password
example
👨🏼💼
🧡
Do you want to grant
the access to...
☑️ Friendlist
☑️ Birthday
☑️ Email Address
☑️ Post to your timeline
Yes
No
👨🏼💼
👨🏼💼
- Yelp never sees my fb password!
- The relationship can be revoked
👨🏼💼
App
Auth Provider
smells like single-sign-on
what would that look like from the users perspective?
A: Same
http://myapp.mydomain.com
Key Terms
Authorization
What can be done
Authentication
Who the current user is and their presence in the application
vs
(AuthZ)
(AuthN)
OAuth 2.0
OpenID Connect
Authorization Server
The server the user interacts with to approve or deny requests to access their account, as well as the source of tokens
Client
The application attempting to access a resource on a User's behalf
client id
identifier (or username) that identifies a client to the authorization server
client secret
uh... the password
Tokens
Strings that represent a relationship between a user, a client, and the OAuth server
Access Code
string that represents that a user successfully authenticated - traded to the OAuth server for Tokens
Access Token
The token given to the application to access the protected resource on the user or application's behalf
Refresh Token
The token given to the application to request a new access token on its expiration
e4572e3e-2949-442b-90a0-aa00b6a7d6c5
Detailed Flow
Browser
node.js
app server
service a
service b
Architecture
Auth
Server
"client"
"user"
Authorization Code Flow
- client already registered with the auth server - through the Oauth2 cloud foundry service
- single-page app with universal rendering using the architecture shown in the previous slide
- in this walk-through all request are successful
- the app server proxies all api requests
Browser
service a
service b
Auth
Server
"client"
"user"
User navigates to https://myapp.lds.org/demo
node.js
app server
Browser
service a
service b
Auth
Server
"client"
"user"
app server sends a redirect to the login screen
and the browser follows the redirect
node.js
app server
Browser
service a
service b
Auth
Server
"client"
"user"
User authenticates...
submitting credentials to the auth server
node.js
app server
Browser
service a
service b
Auth
Server
"client"
"user"
Auth Server responds with a redirect back to the app server... and includes an "authorization code"
node.js
app server
auth code
Browser
service a
service b
Auth
Server
"client"
"user"
The app server exchanges the auth code for
a pair of tokens (access & refresh)
node.js
app server
auth code
tokens
Browser
service a
service b
Auth
Server
"client"
"user"
app server needs data to render the page so...
makes an api call and includes the access token
node.js
app server
access token
Browser
service a
service b
Auth
Server
"client"
"user"
"service a" verifies the access token using it's own client id and client secret
node.js
app server
access token
👍
Browser
service a
service b
Auth
Server
"client"
"user"
"service a" responds with the data, the app server renders the page and responds to the browser
node.js
app server
👞 👟 👠
👡 👢
Notes
- The app never knows the User's password
- The User never knows the client id / secret
- App server proxies api requests
...no CORS configuration required - Resource servers respond with 200's or 400's
...never a redirect!! - The tokens are stored in the browser via cookies
...so the app server can remain stateless! - We aren't using JWT's*