TL;DR

  • OAuth 2.0
    • OAuth 2.0 is used for authorization.
    • Terminology:
      • Roles:
        • Client: the application that wants to access the data.
          • Confidential Clients: the clients with the ability to maintain the confidentiality of the client_secret.
          • Public Clients: the clients that cannot maintain the confidentiality of the client_secret.
        • Resource Owner: the user who owns the data.
        • Resource Server: the system that holds the data the client wants to access.
        • Authorization Server: the system that authenticates the resource owner and issues tokens authorizing access to the data.
      • Configurations:
        • Redirect URI
        • Response Type
        • Scope
      • Endpoints:
        • Authorization Endpoint
        • Token Endpoint
        • Resource Endpoint
      • Tokens:
        • Access Token: the token that is used when making authenticated API requests.
        • Refresh Token: the token that is used to get a new access token when the access token expires.
      • Channels:
        • Back Channel (highly secure communication channel)
        • Front Channel (less secure communication channel)
    • Authorization Grant Flows:
      • Authorization Code (front channel + back channel)
        • Use-Case: applications with back-end and front-end
      • Implicit (front channel only)
        • Use-Case: Single-Page App (no backend)
      • Resource Owner Password Credentials (back channel only)
        • Use-Case: Legacy
      • Client Credentials (back channel only)
        • Use-Case: Service to Service Communication (backend-only)
  • OpenID Connect
    • OpenID Connect (OIDC) is used for authentication.
    • OIDC is an extension on top of OAuth 2.0 for authentication use-cases.
    • Additions:
      • ID Token: a token that has some of the user’s information.
      • UserInfo Endpoint: the endpoint for getting more information about the user.
      • Standard Scopes
      • etc.
  • JWT
    • JSON Web Token (JWT) is an open standard for encoding and transmitting information.
    • JWT is a common format for OAuth 2.0 and OIDC tokens.
    • Anatomy:
      • base64url(header).base64url(payload).base64url(signature)
        • Header
          • Type: JWT
          • Signing Algorithm: HS256 (HMAC-SHA256), RS256 (RSA)
        • Payload
          • Registered Claims
          • Public Claims
          • Private Claims
        • Signature
          • signing_algorithm(base64url(header) + "." + base64url(payload), secret)
    • Extensions:
      • JWK (JSON Web Key): a JSON object that represents a cryptographic key.
      • JWKS (JSON Web Key Set): a set of keys which contains the public keys for verifying an issued JWT.
  • PKCE
    • Proof Key for Code Exchange is an extension to the authorization code flow for mobile apps that mitigates the risk of the authorization code being intercepted.
  • Tools:
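The JWT anatomy above (base64url header, base64url payload, HMAC signature over the two segments) worked through in code, with the verification checks an OIDC relying party applies to an ID token (iss, aud, exp). This is an added example written for this summary, not code from any library or project mentioned on the page; the secret, issuer, audience and claim values are constructed for the demo. Note that the verifier pins the algorithm itself rather than trusting the token's alg header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real HS256 key is a random secret of at least 32 bytes.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse-in-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT actually uses (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature; the signature is HMAC-SHA256 over 'b64url(header).b64url(payload)'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check the signature first, then the registered claims iss/aud/exp; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm; a token header saying "none" or "RS256" is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak through timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if payload.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or has no exp")
    return payload


if __name__ == "__main__":
    # Constructed ID-token-style claims; iss, sub, aud and exp are registered claims.
    claims = {"iss": "https://issuer.example", "sub": "alice", "aud": "demo-client", "exp": 1_700_000_000}
    token = sign_hs256(claims, DEMO_SECRET)
    print(token)
    print(verify_hs256(token, DEMO_SECRET, "https://issuer.example", "demo-client", now=1_699_999_000))
```

The same three-segment layout applies to RS256 tokens; only the signing step changes (a private key signs, the matching public key from the issuer's JWKS verifies), while the claim checks stay identical.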

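The authorization code flow with PKCE, showing both the front channel (authorization request and redirect back with the code) and the back channel (token exchange), with the authorization server binding the code to the client's code_challenge and the client checking state on the way back. This is an added example written for this summary, not code from any project on the page; the endpoint, client_id, redirect URI and the in-memory DemoAuthorizationServer are constructed stand-ins. The challenge computation is the S256 method from RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoint and client values for the demo; not real deployments.
AUTH_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "demo-public-client"
REDIRECT_URI = "https://app.example/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum verifier length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(state: str, challenge: str, scope: str = "openid profile") -> str:
    """Front-channel request the client sends the user's browser to; the verifier never appears here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


class DemoAuthorizationServer:
    """In-memory stand-in for the authorization and token endpoints (constructed for the demo)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        """Authorization endpoint: after user consent, issue a single-use code bound to the challenge."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise PermissionError("unsupported request")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        # Redirect back through the browser with the code and the client's state (front channel).
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint (back channel): only the party holding the verifier can redeem the code."""
        entry = self._codes.pop(code, None)  # pop makes the code single-use, even on a failed attempt
        if entry is None:
            raise PermissionError("unknown or already-used code")
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            raise PermissionError("client_id/redirect_uri do not match the authorization request")
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_authorization_code_flow(server: DemoAuthorizationServer) -> dict:
    """Client side of the flow: the verifier stays local, only its hash crosses the front channel."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    callback = server.authorize(build_authorization_url(state, make_code_challenge(verifier)))
    q = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if not hmac.compare_digest(q.get("state", ""), state):
        raise PermissionError("state mismatch: response is not bound to this client session")
    return server.token(q["code"], CLIENT_ID, REDIRECT_URI, verifier)


if __name__ == "__main__":
    print(run_authorization_code_flow(DemoAuthorizationServer()))
```

An intercepted code on its own is useless here: redeeming it requires the code_verifier, which only the legitimate client holds, and the code is consumed on first use so a later replay fails regardless.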
Read More