OAuth

  • Solves authorization (delegated access to a user's resources)
  • Provides no authentication on its own

Differences from OAuth 1.0

  • In OAuth 1.0, requests were signed using the client ID and client secret

Client Credentials

The application requests a token directly using its own client ID and client secret; no user is involved.

Example:
https://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

Authorization Code Grant Type

  • Client secret confidentiality is preserved: only the application server and the authorization server ever handle it.

  • Uses a redirection flow, so the client must be able to interact with the browser.

  • response_type=code - specifies that your application is requesting an authorization code grant

  • client_id - the application's client ID (how the API identifies the application)

  • redirect_uri - the URI to return the user to after authorization is complete

  • scope - one or more scope values indicating which parts of the user's account you wish to access


Example

  1. Register the client
    client_id: 0oajqebu4mvAt0VTb0h7
    client_secret: 64RYxz3BR3WsYCqk4Gwh7F0Zp7CYRh3OmYLmz49H
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types: [authorization_code, refresh_token, implicit]

  2. Make a user account
    login: [email protected]
    password: Talented-Heron-Real-Bug-3

  3. Make the authorization request to the server
    https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqebu4mvAt0VTb0h7&redirect_uri=https://www.oauth.com/playground/authorization-code.html&scope=photo+offline_access&state=Xne0u_2hEUHrL3rF&prompt=login

  4. Log in and grant the request.

  5. Redirect back to the application.

  6. Check that the state parameter matches (this is what prevents CSRF).

  7. Have the application server (not the browser) make the token request to the token endpoint:
    POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
    grant_type=authorization_code
    &client_id=0oajqebu4mvAt0VTb0h7
    &client_secret=64RYxz3BR3WsYCqk4Gwh7F0Zp7CYRh3OmYLmz49H
    &redirect_uri=https://www.oauth.com/playground/authorization-code.html
    &code=6MoouW0whQOR3R21Zfk6

    HTTP/1.1 200 OK
    [...]
    {
      "access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlNYTEpOQTRFZHl2VE8zSkp5UUhVd0tyb19qVEFfWUtaazhKNk1oYVpxLVEubVVpbzdiM0xaaUlWOFBuYnZobU9sMDgvckZudjl1NitISll4TXdLNWhJMD0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjUxMjk0MiwiZXhwIjoxNTUyNTE2NTQyLCJjaWQiOiIwb2FqcWVidTRtdkF0MFZUYjBoNyIsInVpZCI6IjAwdWpxZWJyNXhYSU16aVFqMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjoic2h5LWdhemVsbGVAZXhhbXBsZS5jb20ifQ.Iv3kr5S34q8gCmDHlzEivXZe2iaslqiaPoPFwRIcl9o16IdT4LzeujEh0c7mERxTz7RLUIHC24i5d89-zLMvkXbaqMXiF2KiY1KmsXPPBhO90f6adDZI6vgUXOVbIMnYFinaXAKX6vsPdatXSho0VOJtmsY-5c87p6nGsG50EzObjcUQVmKGdEkQ-ydYwFlZ8BBwlA2g0gbfU4LX1Ihg02K0NChrpT3M5mUkkxQENuAcncgzQTsqnkFEPSF5dMiQEORNg4MlBbaWXsImPCY8eM75o24Kh11DTcI4RQeNlnHubVluK5CMxBKYRCGkYKgnCMawsf9p1V9y49tXlkFuOw",
      "token_type": "Bearer",
      "expires_in": 3600,
      "scope": "offline_access photo",
      "refresh_token": "vlqgsZzDTGQfO29vJiUYkRTCEtB9Uxl43QsDkVU_NX0"
    }
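As an added illustration (not part of the original notes): the access_token returned above is a signed JWT. The Python below decodes its header and claims to show what the token actually carries (issuer, audience, client, scopes, lifetime). The token value is the one from the response above; everything else is example code. The decode is for inspection only: the claims cannot be trusted until the RS256 signature has been verified against the issuer's published keys (the kid in the header selects which key), which this snippet deliberately does not do.

```python
from __future__ import annotations

import base64
import json
import time

# The access_token exactly as it appears in the token response above (Okta developer
# tenant behind the oauth.com playground), split into its three segments for readability.
ACCESS_TOKEN = (
    "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ"
    ".eyJ2ZXIiOjEsImp0aSI6IkFULlNYTEpOQTRFZHl2VE8zSkp5UUhVd0tyb19qVEFfWUtaazhKNk1oYVpxLVEubVVpbzdiM0xaaUlWOFBuYnZobU9sMDgvckZudjl1NitISll4TXdLNWhJMD0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjUxMjk0MiwiZXhwIjoxNTUyNTE2NTQyLCJjaWQiOiIwb2FqcWVidTRtdkF0MFZUYjBoNyIsInVpZCI6IjAwdWpxZWJyNXhYSU16aVFqMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjoic2h5LWdhemVsbGVAZXhhbXBsZS5jb20ifQ"
    ".Iv3kr5S34q8gCmDHlzEivXZe2iaslqiaPoPFwRIcl9o16IdT4LzeujEh0c7mERxTz7RLUIHC24i5d89-zLMvkXbaqMXiF2KiY1KmsXPPBhO90f6adDZI6vgUXOVbIMnYFinaXAKX6vsPdatXSho0VOJtmsY-5c87p6nGsG50EzObjcUQVmKGdEkQ-ydYwFlZ8BBwlA2g0gbfU4LX1Ihg02K0NChrpT3M5mUkkxQENuAcncgzQTsqnkFEPSF5dMiQEORNg4MlBbaWXsImPCY8eM75o24Kh11DTcI4RQeNlnHubVluK5CMxBKYRCGkYKgnCMawsf9p1V9y49tXlkFuOw"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str) -> tuple[dict, dict, str]:
    """Parse a compact JWS into (header, claims, signature segment) WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts[2]


def inspect_access_token(token: str) -> dict:
    """Summarize what an (unverified) access token says about itself."""
    header, claims, _signature = split_jwt(token)
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "client_id": claims.get("cid"),      # Okta-specific claim: the client the token was issued to
        "subject": claims.get("sub"),
        "scopes": claims.get("scp", []),     # Okta-specific claim: granted scopes as a list
        "issued_at": claims.get("iat"),
        "expires_at": claims.get("exp"),
        "lifetime_seconds": claims["exp"] - claims["iat"],   # should equal expires_in
    }


def is_expired(token: str, now: float | None = None) -> bool:
    """Local expiry check on the exp claim (a resource server still needs signature checks)."""
    _, claims, _ = split_jwt(token)
    return (time.time() if now is None else now) >= claims["exp"]


if __name__ == "__main__":
    for key, value in inspect_access_token(ACCESS_TOKEN).items():
        print(f"{key:>17}: {value}")
    print("expired now:", is_expired(ACCESS_TOKEN))
```

The lifetime recovered from the claims (exp minus iat) is the same 3600 seconds the response reports in expires_in, and cid is the client_id the playground registered in step 1.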

Implicit Grant Type

Example

  1. Register the client
    client_id: 0oajqpo295eReA4vD0h7
    client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types: [authorization_code, refresh_token, implicit]

  2. Make a user account
    login: [email protected]
    password: Good-Seal-Obnoxious-Hamerkop-5

  3. Make the authorization request to the server
    https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=token&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/implicit.html&scope=photo&state=8k_IH7E08uWxtGqZ&nonce=59taftMwl3A3gcyo&prompt=login

  4. Log in to the application.

  5. Redirect back to the OAuth application with the secret (the access token) in the URL fragment.
    https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=-DTrxvvgpq8fgv-V92NuF0id-onpA_yk4ZOaDl8ZcVA

Resource Owner Password

Example

https://oauth.example.com/token?grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID

PKCE (Proof Key for Code Exchange)

Example

  1. Register the client
    client_id: 0oajqpo295eReA4vD0h7
    client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types: [authorization_code, refresh_token, implicit]

  2. Make a user account
    login: [email protected]
    password: Good-Seal-Obnoxious-Hamerkop-5

  3. Generate a secret key (the code_verifier), then SHA-256 hash it and base64url-encode the digest to get the code_challenge.
    Secret key (code_verifier): nwekEDDpjMFWb3UOwnwLiMvzRB_u7H8SIf2s0N0S3CdbruQw
    base64url(sha256(code_verifier)): 8DjS8piAJ0qH6UorZVL9s8jLZDSKsxnDm813773NjPA

  4. Generate a random nonce for state (WkB0Uvgo1wAmkCQ4) and make the authorization request, sending the challenge and its method:
    https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/authorization-code-with-pkce.html&scope=photo+offline_access&state=WkB0Uvgo1wAmkCQ4&code_challenge=8DjS8piAJ0qH6UorZVL9s8jLZDSKsxnDm813773NjPA&code_challenge_method=S256&prompt=login

  5. Return the authorization code to the application.
    https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=ecJgr2_dWyIcAkDRVjgbxw1c3VFEz7iH14WhmL98zYs&hideBgImage=true

  6. Get an access token from the authorization code (application server to authorization server); the token request now carries the code_verifier:
    POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
    [...]
    grant_type=authorization_code
    &client_id=0oajqpo295eReA4vD0h7
    &client_secret=G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    &redirect_uri=https://www.oauth.com/playground/authorization-code-with-pkce.html
    &code=0TV8tmN6NYo-ZpeczDPU
    &code_verifier=nwekEDDpjMFWb3UOwnwLiMvzRB_u7H8SIf2s0N0S3CdbruQw

    HTTP/1.1 200 OK
    [...]
    {
      "access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmdRNkxsZHl2dlVNUG1sUXBHaXJYd01XUEhYVUgxcUNzWG9pMHBKbUVVdkUuVVh3M3BCSnd5dHpQRHdySHQrZkY0Rm1PQnNBOVU4eTF2RGpWSU41VXM2QT0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU5MTU3MiwiZXhwIjoxNTUyNTk1MTcyLCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjoiYWdncmVzc2l2ZS1weWdteUBleGFtcGxlLmNvbSJ9.B2vB5TyAUG3m65EchznbUacbSDSb5Qwe2FBHroXPhzpuMqlWjmcOCIBofCySpAmVfF-UH4Z1mdxMbzwLA9ZdOjk03OLCYVYeYPb2mtkv4rjPbBi7GTXQ0K1sprszS1q4Kpju1wSitI2OdlEtkYbEAunzszy-sFD6oQDR9zaEc-N1XNlPm4KI5Euw0Sp2-E6Fg-yRgeNcjub7rjO6hbl-Tkz6ccV6yqV1hDAneZqYWC4QLVJbszBlAzfc0_ciLrT2WkGWfLqJyNu0W_a4zyaTXPG7xcnIKFKqlmYc6c0k_8LWZfEBoqXYI1Va3bGfCJDrkruX-8aGkGJuc2xRv7SQ_A",
      "token_type": "Bearer",
      "expires_in": 3600,
      "scope": "offline_access photo",
      "refresh_token": "cKPm76N9AlAqzXu9Ynb-aOd13kVRd9QamyZKu5iWA0o"
    }
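Both halves of step 3 and step 6, as an added Python example (not code from the original notes or from Okta): the client-side generation of code_verifier and its S256 code_challenge, and the check the authorization server must run at the token endpoint before it exchanges the code. The known-answer pair is the one published in RFC 7636 Appendix B; the second pair is the one from the playground run above.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: the verifier is 43..128 characters drawn only from this set.
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the trailing '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a fresh, high-entropy verifier for every authorization request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))"""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_verifier(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """Authorization-server side, at the token endpoint: does the presented
    code_verifier match the code_challenge that was stored with the authorization code?"""
    if not 43 <= len(code_verifier) <= 128 or any(c not in _UNRESERVED for c in code_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        # Permitted by the RFC, but a leaked challenge then IS the verifier.
        expected = code_verifier
    else:
        return False
    # Constant-time comparison so timing does not leak how much of the challenge matched.
    return hmac.compare_digest(expected, code_challenge)


# Known-answer pair from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# The pair from the playground run in the notes above.
PAGE_VERIFIER = "nwekEDDpjMFWb3UOwnwLiMvzRB_u7H8SIf2s0N0S3CdbruQw"
PAGE_CHALLENGE = "8DjS8piAJ0qH6UorZVL9s8jLZDSKsxnDm813773NjPA"

if __name__ == "__main__":
    verifier = generate_code_verifier()
    print("code_verifier :", verifier)
    print("code_challenge:", code_challenge_s256(verifier), "(code_challenge_method=S256)")
    print("RFC 7636 pair verifies :", verify_code_verifier(RFC7636_VERIFIER, RFC7636_CHALLENGE))
    print("playground pair verifies:", verify_code_verifier(PAGE_VERIFIER, PAGE_CHALLENGE))
```

The point of the server-side check is that an attacker who intercepts the authorization code (for example on a public client with no usable client_secret) still cannot redeem it without the verifier, which never left the legitimate client.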

Device Code

Example

  1. The device makes a request to the authorization server:
    POST /o/oauth2/device/code HTTP/1.1
    Host: accounts.google.com
    Content-Type: application/x-www-form-urlencoded

    client_id=client_id&
    scope=email%20profile

    HTTP/1.1 200 OK
    {
      "device_code": "4/4-GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8",
      "user_code": "GQVQ-JKEC",
      "verification_url": "https://www.google.com/device",
      "expires_in": 1800,
      "interval": 5
    }

  2. On another device that is logged in to the authorization server, the user opens the verification URL and enters the user code displayed by the device:
    https://www.google.com/device

  3. The device polls the authorization server until the user responds or the request expires:
    POST /oauth2/v4/token HTTP/1.1
    Host: www.googleapis.com
    Content-Type: application/x-www-form-urlencoded

    client_id=client_id&
    client_secret=client_secret&
    code=device_code&
    grant_type=http://oauth.net/grant_type/device/1.0

  4. On a successful response from the authorization server:
    HTTP/1.1 200 OK
    [...]
    {
      "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
      "expires_in": 3920,
      "token_type": "Bearer",
      "refresh_token": "1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
    }
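Step 3 is the part that is easy to get wrong on the device side, so here is an added Python example (not code from the original notes or from Google) of the polling loop, exercised against a scripted stand-in for the token endpoint. It honours the interval from step 1, backs off when told to slow down, stops on a terminal error, and gives up when expires_in has elapsed. The error code names are those of RFC 8628 section 3.5 (authorization_pending, slow_down, access_denied, expired_token); the device code and token values are constructed.

```python
import time


class DeviceFlowError(Exception):
    pass


def poll_for_token(token_request, device_code, interval, expires_in,
                   sleep=time.sleep, clock=time.monotonic):
    """Device side of the flow: poll the token endpoint until the user approves,
    denies, or the device_code expires.

    token_request(device_code) must return the token endpoint's JSON body as a dict.
    sleep/clock are injectable so the loop can be driven deterministically.
    """
    deadline = clock() + expires_in
    while True:
        if clock() >= deadline:
            raise DeviceFlowError("expired_token: user did not approve in time")
        response = token_request(device_code)
        if "access_token" in response:
            return response
        error = response.get("error")
        if error == "authorization_pending":
            pass                                   # user has not acted yet; keep waiting
        elif error == "slow_down":
            interval += 5                          # server wants a longer polling interval
        elif error in ("access_denied", "expired_token"):
            raise DeviceFlowError(error)           # terminal: stop polling
        else:
            raise DeviceFlowError(f"unexpected token response: {response}")
        sleep(interval)


# Constructed values mirroring the shape of the responses shown above.
DEVICE_CODE = "constructed-device-code"
SUCCESS = {"access_token": "constructed-access-token", "token_type": "Bearer", "expires_in": 3920}


class ScriptedTokenEndpoint:
    """Constructed stand-in for the token endpoint: replays a fixed list of responses,
    then reports authorization_pending forever, and counts how often it was polled."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.polls = 0

    def __call__(self, device_code):
        self.polls += 1
        if device_code != DEVICE_CODE:
            return {"error": "invalid_grant"}
        if self._responses:
            return self._responses.pop(0)
        return {"error": "authorization_pending"}


class FakeClock:
    """Deterministic clock: sleeping advances time instead of blocking."""

    def __init__(self):
        self.now = 0.0
        self.sleeps = []

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.sleeps.append(seconds)
        self.now += seconds


def run_happy_path():
    """User approves on the fourth poll, after one slow_down. Returns (token, sleeps, polls)."""
    endpoint = ScriptedTokenEndpoint([
        {"error": "authorization_pending"},
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        SUCCESS,
    ])
    clock = FakeClock()
    token = poll_for_token(endpoint, DEVICE_CODE, interval=5, expires_in=1800,
                           sleep=clock.sleep, clock=clock)
    return token, clock.sleeps, endpoint.polls


def run_expiry():
    """User never acts; the loop must stop once expires_in has elapsed. Returns (error, polls)."""
    endpoint = ScriptedTokenEndpoint([])
    clock = FakeClock()
    try:
        poll_for_token(endpoint, DEVICE_CODE, interval=5, expires_in=30,
                       sleep=clock.sleep, clock=clock)
    except DeviceFlowError as exc:
        return str(exc), endpoint.polls
    return None, endpoint.polls


if __name__ == "__main__":
    print(run_happy_path())
    print(run_expiry())
```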

OpenID Connect

  • Adds an identity layer on top of OAuth 2.0: used to validate who the user is (the id_token), where OAuth alone only authorizes access

Example

  1. Register the client
    client_id: 0oajqpo295eReA4vD0h7
    client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types: [authorization_code, refresh_token, implicit]

  2. Make a user account
    login: [email protected]
    password: Good-Seal-Obnoxious-Hamerkop-5

  3. Generate a random nonce for the state parameter (and a nonce for the id_token) and make the request to the authorization server; note scope=openid.
    https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/oidc.html&scope=openid+profile+offline_access&state=3xJaoTBpqEJAt0_g&nonce=LzJHw09aOLrNOP8n&prompt=login

  4. Redirect back to the application server.
    https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=VDW-pGlfR-NWmdyY9L7e50YJQPtSLdzeyCRDh72DW-s&hideBgImage=true

  5. The application server makes a request to the authorization server's token endpoint; the response now also carries an id_token:
    POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
    [...]
    grant_type=authorization_code
    &client_id=0oajqpo295eReA4vD0h7
    &client_secret=G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    &redirect_uri=https://www.oauth.com/playground/oidc.html
    &code=wbpKG8ao8nDpEkY7_OWI

    HTTP/1.1 200 OK
    [...]
    {
      "access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkk2X3NWUWtMZmFWUURncmR4UU83UHRHUEY5amszV2luclFGaWFmUVV5QVkubmpianhmcUp5cXpLTk9MY2dGZitlRFpQOFBNTVVOUmpaUVlpNHlPS01TWT0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU5NDcyOSwiZXhwIjoxNTUyNTk4MzI5LCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbInByb2ZpbGUiLCJvZmZsaW5lX2FjY2VzcyIsIm9wZW5pZCJdLCJzdWIiOiJhZ2dyZXNzaXZlLXB5Z215QGV4YW1wbGUuY29tIn0.FtNPSTbqtj8oRaUyts_UVZqbubXAVwYqO5O104IWuWgq2VSMoVy_I15JBcnqYQvkMff8sG_ALFi4CuJ9VuYLeXovnoH1tPA-HPn25QeRKXLYHMzMttd1CLRRVb8YsfLZJoQChr5G57Rc_7Zn8-s1AGc4tE3dtoJ1H4DsuwIrCqiwDO14kXobIi4A9IBW1WwplpseFwnjUE65Vaq5TsuIjCwgHh78QN9FnFA0pwVJ2NINcoyRpkt6PXsbCpv83qKdWpY2INzef9OKUH_yN-JG2YYw7YOVQDPePkQK7yeeZT36AZvyVrxEgdSDJoMf9cIQPQdWgTp_dxH289uDJAMAGQ",
      "token_type": "Bearer",
      "expires_in": 3600,
      "scope": "profile offline_access openid",
      "refresh_token": "CzXzgiUd-cvi63Xs8NMOje5XOuvqEm6BAuHMUNxOdOU",
      "id_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.[...].EoWqa0_cCy-eULP-At2yaPAmcJkX9d0U0xhAJ6nFLVpamFw0gNp0fSeCXaDoA6fc2Ez9gGxDR6_RwCRJZXFg90VFAMguJKxoWEof50ESgKmVJSP0B_ISWE54Ju3VDuweHN5B1aT5CTQxVkTjSUJj6QQZsMdfKasMFf9TBwG7SdW-yylQF2PemtsBIdnnu6w53zm87v-LuU5LuMGWwgvSfVMM1sORidZA8DjohwSTKc5XJIoFFwyty6vklx_Hfci2U5ZscjjJ605KiEwCg1PQpr2snqUq3b_Ryl9woNvvnJIqalmJb268ruVinNQ4AFwjtwUo_wGwpu_3pTsqovaCsQ"
    }
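What the application must do with the id_token before it believes the user is who it says, as an added Python example (not code from the original notes or from Okta). It applies the claim checks from OpenID Connect Core section 3.1.3.7: issuer, audience (with azp when there are several), expiry, issued-at sanity, and the nonce that was sent in step 3. It assumes the RS256 signature has already been verified against the issuer's JWKS using the kid from the header; the issuer, client_id and nonce are the values from the request above, while the sub and timestamps in the sample claims are constructed.

```python
from __future__ import annotations

import hmac
import time


class IdTokenError(ValueError):
    pass


def validate_id_token_claims(claims: dict, *, issuer: str, client_id: str,
                             expected_nonce: str, now: float | None = None,
                             leeway: int = 60) -> str:
    """Validate id_token claims whose signature has ALREADY been verified.
    Returns the stable user identifier (sub) on success, raises IdTokenError otherwise."""
    now = time.time() if now is None else now

    if claims.get("iss") != issuer:
        raise IdTokenError("iss does not match the expected issuer")

    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenError("aud does not contain this client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp must name this client when aud has several entries")

    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenError("id_token has expired")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise IdTokenError("iat is in the future")

    # The nonce binds this id_token to the authorization request this session made,
    # which is what stops a replayed or injected token from logging someone else in.
    nonce = claims.get("nonce", "")
    if not expected_nonce or not isinstance(nonce, str) or not hmac.compare_digest(nonce, expected_nonce):
        raise IdTokenError("nonce does not match the value sent in the authorization request")

    sub = claims.get("sub")
    if not sub:
        raise IdTokenError("sub is missing")
    return sub


# Issuer, client_id and nonce are from the OIDC request above; sub and times are constructed.
ISSUER = "https://dev-396343.oktapreview.com/oauth2/default"
CLIENT_ID = "0oajqpo295eReA4vD0h7"
NONCE = "LzJHw09aOLrNOP8n"
NOW = 1_552_594_800
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "user@example.com",
    "iat": NOW - 30, "exp": NOW + 3570, "nonce": NONCE,
}


def check(claims: dict, **overrides) -> str | None:
    """Validate a modified copy of claims; return the rejection reason, or None if accepted."""
    merged = {**claims, **overrides}
    try:
        validate_id_token_claims(merged, issuer=ISSUER, client_id=CLIENT_ID,
                                 expected_nonce=NONCE, now=NOW)
        return None
    except IdTokenError as exc:
        return str(exc)


if __name__ == "__main__":
    print("as issued         :", check(SAMPLE_CLAIMS))
    print("wrong nonce       :", check(SAMPLE_CLAIMS, nonce="attacker-chosen"))
    print("expired           :", check(SAMPLE_CLAIMS, exp=NOW - 120))
    print("other issuer      :", check(SAMPLE_CLAIMS, iss="https://other.example/oauth2/default"))
    print("other audience    :", check(SAMPLE_CLAIMS, aud="some-other-client"))
```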

Exploits

The state parameter is mandatory for preventing CSRF attacks.
- Check that the state parameter is required (a callback without it is rejected).
- Check that the state parameter is not predictable.
- Check that the state parameter cannot be changed to a different value.
- Check that the state parameter is not user-provided.

The code parameter carries the authorization code in the server's response.
- Check that it is valid for at most 10 minutes.
- Check that the code cannot be reused.
- Check that if two requests present the same code, the sessions issued from it are revoked.
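The state and code checks above, and step 6 of the authorization code example, as an added Python example (not code from the original notes): a client-side session that generates an unpredictable state, binds it to the browser session and consumes it on the callback, and an authorization-server-side code store that enforces the 10-minute lifetime, single use, binding to client and redirect_uri, and revocation when a code is presented twice. All identifiers and URLs are constructed.

```python
import hmac
import secrets


class CallbackError(Exception):
    pass


class ClientLoginSession:
    """Client (relying party) side: one object per browser session. Constructed example."""

    def __init__(self):
        self._pending_state = None

    def start_login(self) -> str:
        # 32 bytes from the OS CSPRNG: not predictable, not user-provided, bound to this session.
        self._pending_state = secrets.token_urlsafe(32)
        return self._pending_state

    def handle_callback(self, params: dict) -> str:
        """Run on the redirect_uri. Accepts the callback only if state equals the value
        this session generated. The pending state is consumed first, so a wrong guess
        cannot be followed by a second attempt with the same state."""
        expected, self._pending_state = self._pending_state, None
        received = params.get("state", "")
        if expected is None or not received:
            raise CallbackError("no login in progress for this session, or state missing")
        if not hmac.compare_digest(expected, received):
            raise CallbackError("state mismatch: possible CSRF, callback discarded")
        if "error" in params:
            raise CallbackError(f"authorization server returned error={params['error']}")
        code = params.get("code")
        if not code:
            raise CallbackError("callback carries no authorization code")
        return code


class AuthorizationCodeStore:
    """Authorization-server side: codes are short-lived, bound to the client and
    redirect_uri they were issued for, and single-use. Constructed example."""

    MAX_AGE_SECONDS = 600   # the 10-minute maximum the checks above call for

    def __init__(self):
        self._codes = {}
        self.revoked_grants = set()

    def issue(self, client_id: str, redirect_uri: str, grant_id: str, now: float) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "grant_id": grant_id, "issued_at": now, "used": False}
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str, now: float) -> str:
        record = self._codes.get(code)
        if record is None:
            raise CallbackError("unknown authorization code")
        if record["used"]:
            # A code presented twice has probably leaked: revoke what the first use produced.
            self.revoked_grants.add(record["grant_id"])
            raise CallbackError("authorization code reused; grant revoked")
        if now - record["issued_at"] > self.MAX_AGE_SECONDS:
            raise CallbackError("authorization code expired")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise CallbackError("code was issued to a different client or redirect_uri")
        record["used"] = True
        return record["grant_id"]


def rejects(fn, *args, **kwargs) -> bool:
    """True if the call is refused with CallbackError."""
    try:
        fn(*args, **kwargs)
    except CallbackError:
        return True
    return False


if __name__ == "__main__":
    session = ClientLoginSession()
    state = session.start_login()
    print("forged state rejected :", rejects(session.handle_callback, {"state": "forged", "code": "x"}))
    print("real state after that :", rejects(session.handle_callback, {"state": state, "code": "x"}))
    store = AuthorizationCodeStore()
    code = store.issue("client-a", "https://app.example/cb", "grant-1", now=1000)
    print("first redeem          :", store.redeem(code, "client-a", "https://app.example/cb", now=1010))
    print("second redeem rejected:", rejects(store.redeem, code, "client-a", "https://app.example/cb", now=1011))
    print("revoked grants        :", store.revoked_grants)
```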

The redirect_uri is the URL at which the application receives the response from the user-account (authorization) server.
- Check that the URL's domain is validated.
- Check that a redirect_uri which itself 302-redirects on to another server fails.
- Look for URL parsing issues, e.g. evilmatch.com, match.com.evil.com, evil.com#match.com, evil.com?match.com, matchAmatch.com, match.com.mx
- IDN homograph attack
- Check for an open redirect on the domain
- Check for directory traversal
- Check for a plain http endpoint
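The redirect_uri checks above, from the authorization server's side, as an added Python example (not code from the original notes): a validator whose decisive rule is exact string comparison against the registered URIs (RFC 6749 section 3.1.2.3), with earlier checks only there to give a precise reason. It is run against the bypass patterns listed above, using a constructed registered URI on match.com.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def check_redirect_uri(candidate: str, registered: set[str]) -> str | None:
    """Return None if `candidate` may be used as redirect_uri, else the reason it is refused.
    Only exact, pre-registered URIs are accepted; no prefix, suffix or substring matching."""
    if not isinstance(candidate, str) or not candidate or len(candidate) > 2048:
        return "redirect_uri missing or too long"
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return "redirect_uri does not parse"
    if parts.scheme != "https":
        return "scheme must be https (a plain http endpoint would expose the code)"
    if parts.username is not None or parts.password is not None:
        return "userinfo (user@host) is not allowed"
    if parts.fragment:
        return "fragment is not allowed in redirect_uri"
    host = parts.hostname or ""
    if not host:
        return "host missing"
    if not host.isascii():
        return "non-ASCII host refused (IDN homograph risk)"
    segments = parts.path.split("/")
    if "." in segments or ".." in segments or "%2e" in parts.path.lower():
        return "dot segments in path (directory traversal)"
    # The check that actually matters: exact match against what the client registered.
    if candidate not in registered:
        return "not an exactly registered redirect_uri"
    return None


# Constructed registration; the page's examples talk about match.com as the legitimate domain.
REGISTERED = {"https://match.com/callback"}

# The bypass patterns from the checklist above, each as a full URL.
SUSPECT_URIS = [
    "https://evilmatch.com/callback",
    "https://match.com.evil.com/callback",
    "https://evil.com#match.com/callback",
    "https://evil.com?match.com/callback",
    "https://matchAmatch.com/callback",
    "https://match.com.mx/callback",
    "http://match.com/callback",
    "https://match.com@evil.com/callback",
    "https://match.com/callback/../admin",
    "https://m\u0430tch.com/callback",          # Cyrillic 'а' in place of Latin 'a'
]


def audit(uris: list[str], registered: set[str]) -> dict[str, str | None]:
    """Map each candidate to its rejection reason (None means accepted)."""
    return {uri: check_redirect_uri(uri, registered) for uri in uris}


if __name__ == "__main__":
    for uri, reason in audit(["https://match.com/callback"] + SUSPECT_URIS, REGISTERED).items():
        print(f"{'ACCEPT' if reason is None else 'REJECT':6} {uri}  {reason or ''}")
```

Because the final rule is exact equality, every pattern in the list is refused even if one of the earlier checks were removed; the earlier checks exist so that logs say why, which is what you want when investigating probing against the authorization endpoint.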

The access_token should never be handed to the user (it should not reach the browser).
- Check requests made from the browser for the token.

Use the authorization code grant flow instead of the implicit grant flow. This removes the token from the URL parameters.

Test that the scope can only access the permissions it was granted.

Make sure clickjacking is not possible.