tags : Identity Management
OAuth (Open Authorization)
- OAuth 2.1 Spec : https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07
- Framework that provides clients a “secure delegated access” to server resources on behalf of a resource owner.
- It is an authorization-only framework, i.e. it mostly assumes that the communicating parties are already trusted.
- It does NOT deal with user registration, password recovery, changing a password or email address and so on.
- It is the parent of OIDC (OpenID Connect): OIDC is an authentication layer built on top of OAuth 2.0.
Some use cases
- Allow third parties access to your data, e.g. Facebook data (OAuth2).
- Allow third parties to authenticate you via your social account, e.g. Facebook account (OpenID Connect).
- Allow third parties to access your users' data safely, etc. (OAuth2).
History
- OAuth 1.0 was published as RFC 5849 in 2010
- OAuth 2.0 was published as RFC 6749 in 2012
- OAuth 2.1 Authorization Framework is in draft stage; it consolidates OAuth 2.0 and adds best practices.
Flows
Implicit Flow (deprecated)
- Issues
- Access token is sent over in the URL
- No Authorization Code
- Cannot have refresh token
PKCE
- Problem: the authorization server needs to know that the correct application is requesting an access token. Normally, client_secret solves this. BUT! we cannot use client_secret for SPAs and mobile apps. We can use the Implicit flow, but PKCE is just better.
- Solution: PKCE
- The application generates a code challenge and a code verifier
- Uses the code challenge to get a one-time auth code
- Uses the auth code and the code verifier to get an access token and a refresh token
Front channel & Back channel
Front channel
The indirect communication between the client and the authorization endpoint via the user agent, based on HTTP redirects.
Back channel
The direct communication between the client and the token endpoint.