Josh Kerr
February 2, 2016
@jokerr
[Sequence diagram: authorization code grant. Participants: Client Application, Auth Server, Resource Server, Resource Owner. Steps: Request token; Login and approve; Authorization code; Exchange code for a token; Access Token; Call secured service with Access Token]
Authorization request (browser redirect to the auth server; the parameter is named redirect_uri, and state is echoed back so the client can bind the callback to its own session):

GET https://myapp.com/api/oauth2/authorize?response_type=code&
client_id=MY_CLIENT_ID&state=security_state&
redirect_uri=https://jokerr.net/oauth

Callback after login and approval:

https://jokerr.net/oauth?code=123456abcdef&state=security_state

Exchange the code for a token (the same redirect_uri must be repeated so the server can tie the code to the original request):

POST https://myapp.com/api/oauth2/token
grant_type=authorization_code&code=123456abcdef&
redirect_uri=https://jokerr.net/oauth&
client_id=MY_CLIENT_ID&client_secret=MY_CLIENT_SECRET

Token response:

{
"access_token": "T9cE5asGnuyYCCqIZFoWjFHl",
"expires_in": 3600,
"token_type": "bearer",
"refresh_token": "J7rxTiWOHMoSC1isKZgCUfGMinKBDLZWP9BgR"
}

Call the secured service with the access token:

GET /resource HTTP/1.1
Host: myapp.com
Authorization: Bearer T9cE5asGnuyYCCqIZFoWjFHl
[Sequence diagram: implicit grant. Participants: Client Application, Auth Server, Resource Server, Resource Owner. Steps: Request token; Login and approve; Access Token; Call secured service with Access Token]
GET https://myapp.com/authorize?response_type=token&
client_id=MY_CLIENT_ID&
redirect_uri=https://jokerr.net/oauth

The token comes back in the URL fragment (after #), not the query string, so it is never sent to the server hosting the redirect page or leaked through Referer headers and access logs:

https://jokerr.net/oauth#access_token=T9cE5asGCCqIZFo
&token_type=bearer
[Sequence diagram: resource owner password credentials grant. Participants: Client Application, Auth Server, Resource Server, Resource Owner. Steps: Request Token with username/password; Validate credentials; Access Token; Call secured service with Access Token]
POST https://myapp.com/api/oauth2/token
grant_type=password&
username=jokerr&
password=12345&
client_id=MY_CLIENT_ID
{
"access_token": "T9cE5asGnuyYCCqIZFoWjFHl",
"expires_in": 3600,
"token_type": "bearer",
"refresh_token": "J7rxTiWOHMoSC1isKZgCVJ9bKBDLZWP9BgR"
}
[Sequence diagram: client credentials grant. Participants: Client Application, Auth Server, Resource Server. Steps: Request Token with client credentials; Validate credentials; Access Token; Call secured service with Access Token]
POST https://myapp.com/api/oauth2/token
grant_type=client_credentials&
client_id=MY_CLIENT_ID&
client_secret=MY_CLIENT_SECRET
{
"access_token": "T9cE5asGnuyYCCqIZFoWjFHl",
"expires_in": 3600,
"token_type": "bearer"
}
JSON Web Token is a means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS) and/or encrypted using JSON Web Encryption (JWE).
header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJzdWIiOiJKb2tlcnIiLCJuYW1lIjoiSm9zaCBLZXJyIiwiYXVkIjoiU0FUIEpVRyJ9
.
VUJOunV-K9lOqjf-jAr_pGZIt6ja3fNXXS-v8vmyx7A
{
"alg": "HS256",
"typ": "JWT"
}
.
{
"sub": "Jokerr",
"name": "Josh Kerr",
"aud": "SAT JUG",
"iat": 1453342985,
"exp": 1454379784
}
.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
{
"iss": "https://idp.jokerr.net",
"sub": "jokerr",
"aud": "https://satjug.slack.com",
"iat": 1453342985,
"exp": 1454379784,
"jti": "8ce244c2-9090-43e3-8aaf-2632a6daf33b"
}
POST https://myapp.com/api/oauth2/token
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJpc3MiOiJodHRwczovL2lkcC5qb2tlcn[...omitted...]zYiJ9.
WgIONUSAR7L5CmbtwbZBmQaYFBQrMBInS5PbmS_vW-w
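The signature formula from the JWT slides and the claim set used for the JWT bearer grant are worked through in this added Python example (not code from the talk): it mints an HS256 token over the slide's claims with a made-up secret, then verifies it the way a token endpoint or resource server should, pinning the algorithm rather than trusting the token's own alg header, comparing the HMAC in constant time, and checking iss, aud and exp. The secret, the rejected() helper and the standard-library implementation are assumptions for the example.

```python
import base64, hashlib, hmac, json, time

def b64url(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    # header.payload.signature with HMACSHA256(b64url(header) + "." + b64url(payload), secret)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + payload).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + b64url(signature)

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid for this issuer and audience, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The verifier decides the algorithm; the token's own "alg" header is never trusted to pick it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("missing or past exp")
    return claims

def rejected(token, secret, issuer, audience, now=None) -> bool:
    # Helper for the checks below: True when verify_hs256 refuses the token
    try:
        verify_hs256(token, secret, issuer, audience, now)
    except ValueError:
        return True
    return False

# Constructed sample: the claim set from the JWT bearer slide, signed with a made-up secret
SECRET = b"demo-shared-secret-not-from-the-talk"
CLAIMS = {"iss": "https://idp.jokerr.net", "sub": "jokerr", "aud": "https://satjug.slack.com",
          "iat": 1453342985, "exp": 1454379784, "jti": "8ce244c2-9090-43e3-8aaf-2632a6daf33b"}
TOKEN = mint_hs256(CLAIMS, SECRET)
```

The header segment of TOKEN is the same eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 shown on the slide, and b64url_decode() applied to the slide's payload segment yields the sub/name/aud object.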