OAuth 2.0 and OpenID Connect

TL;DR

• OAuth 2.0
  • OAuth 2.0 is used for authorization.
  • Terminology:
    • Roles:
      • Client: the application that wants to access the data.
        • Confidential Clients: the clients with the ability to maintain the confidentiality of the client_secret.
        • Public Clients: the clients that cannot maintain the confidentiality of the client_secret.
      • Resource Owner: the user who owns the data.
      • Resource Server: the system that authorizes access to the data.
      • Authorization Server: the system which has the data that the client wants to access.
    • Configurations:
      • Redirect URI
      • Response Type
      • Scope
    • Endpoints:
      • Authorization Endpoint
      • Token Endpoint
      • Resource Endpoint
    • Tokens:
      • Access Token: the token that is used when making authenticated API requests.
      • Refresh Token: the token that is used to get a new access token when the access token expires.
    • Channels:
      • Back Channel (highly secure communication channel)
      • Front Channel (less secure communication channel)
  • Authorization Grant Flows:
    • Authorization Code (front channel + back channel)
      • Use-Case: applications with back-end and front-end
    • Implicit (front channel only)
      • Use-Case: Sinlge-Page App (no backend)
    • Resource Owner Password Credentials (back channel only)
      • Use-Case: Legacy
    • Client Credentials (back channel only)
      • Use-Case: Service to Service Communication (backend-only)
• OpenID Connect
  • OpenID Connect (OIDC) is used for authentication.
  • OIDC is an extension on top of OAuth for authentication use-caes.
  • Additions:
    • ID Token: a token that has some of the user’s information.
    • User Endpoint: the endpoint for getting more information about the user.
    • Standard Scopes
    • etc.
• JWT
  • JSON Web Token (JWT) is an open standard for encoding and transmitting information.
  • JWT is a common format for OAuth 2.0 and OIDC tokens.
  • Anatomy:
    • base64(header).base64(payload).<signature>
      • Header
        • Type: JWT
        • Signing Algorithm: HS256, RSA
      • Payload
        • Registered Claims
        • Public Claims
        • Private Claims
      • Signature
        • signing_algorithm(base64(header) + "." + base64(payload), secret)
  • Extensions:
    • JWK (JSON Web Key): a JSON object that represents a cryptographic key.
    • JWKS (JSON Web Key Set): a set of keys which contains the public keys for verifying an issued JWT.
• PKCE
  • Proof Key for Code Exchange is an extension to authorization code flow for mobile apps to mitigate the risk of having the authorization code intercepted.
• Tools:
  • https://jwt.io
  • https://oauthdebugger.com
  • https://oidcdebugger.com

Read More

• Specs
  • The OAuth 2.0 Authorization Framework
  • OpenID Connect Core 1.0
  • OpenID Connect Discovery 1.0
  • OpenID Connect Dynamic Client Registration 1.0
  • JSON Web Token (JWT)
  • JSON Web Key (JWK)
• Reads
  • An Illustrated Guide to OAuth and OpenID Connect
• Talks
  • OAuth 2.0 and OpenID Connect in Plain English
  • Securing APIs and Microservices with OAuth and OpenID Connect
  • Microservice Authentication and Authorization