OAuth¶
- Solves authorization (delegated access)
- Provides no authentication on its own
Differences from OAuth 1.0¶
- In OAuth 1.0, every request was signed with the client ID and client secret.
Client Credentials¶
The application requests a token directly using its client ID and client secret (no user involved).
Example:
https://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
Authorization Code Grant Type¶
- Client secret confidentiality is guaranteed: it is only accessible to the application server and the authorization server.
- Uses a redirection flow, so the client must be able to interact with the browser.
- response_type=code - specifies that the application is requesting an authorization code grant
- client_id - the application's client ID (how the API identifies the application)
- redirect_uri - the URI to return the user to after authorization is complete
- scope - one or more scope values indicating which parts of the user's account the application wishes to access
Example¶
- Register Client
client_id: 0oajqebu4mvAt0VTb0h7
client_secret: 64RYxz3BR3WsYCqk4Gwh7F0Zp7CYRh3OmYLmz49H
Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
Supported Grant Types: [authorization_code, refresh_token, implicit]
- Make User Account
login: [email protected]
password: Talented-Heron-Real-Bug-3
- Make Authorization Request to the server
https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqebu4mvAt0VTb0h7&redirect_uri=https://www.oauth.com/playground/authorization-code.html&scope=photo+offline_access&state=Xne0u_2hEUHrL3rF&prompt=login
HTTP/1.1 302 Found
[...]
location: https://dev-396343.oktapreview.com/user/verify_password?fromURI=/oauth2/v1/authorize/redirect?okta_key=WPet_Q90GR50Mgloburfs_jRC8Utm0sHDo6ClpUxX2M&isAppSignOnPolicy=true
- Log in and grant the request
- Redirect back to the application
HTTP/1.1 302 Found
[...]
location: https://www.oauth.com/playground/authorization-code.html?code=6MoouW0whQOR3R21Zfk6&state=Xne0u_2hEUHrL3rF
- Check that the state parameter matches the one sent in the authorization request (prevents CSRF)
- Have the application server (not the browser) exchange the code at the token endpoint
POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
grant_type=authorization_code
&client_id=0oajqebu4mvAt0VTb0h7
&client_secret=64RYxz3BR3WsYCqk4Gwh7F0Zp7CYRh3OmYLmz49H
&redirect_uri=https://www.oauth.com/playground/authorization-code.html
&code=6MoouW0whQOR3R21Zfk6
HTTP/1.1 200 OK
[...]
{
"access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlNYTEpOQTRFZHl2VE8zSkp5UUhVd0tyb19qVEFfWUtaazhKNk1oYVpxLVEubVVpbzdiM0xaaUlWOFBuYnZobU9sMDgvckZudjl1NitISll4TXdLNWhJMD0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjUxMjk0MiwiZXhwIjoxNTUyNTE2NTQyLCJjaWQiOiIwb2FqcWVidTRtdkF0MFZUYjBoNyIsInVpZCI6IjAwdWpxZWJyNXhYSU16aVFqMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjoic2h5LWdhemVsbGVAZXhhbXBsZS5jb20ifQ.Iv3kr5S34q8gCmDHlzEivXZe2iaslqiaPoPFwRIcl9o16IdT4LzeujEh0c7mERxTz7RLUIHC24i5d89-zLMvkXbaqMXiF2KiY1KmsXPPBhO90f6adDZI6vgUXOVbIMnYFinaXAKX6vsPdatXSho0VOJtmsY-5c87p6nGsG50EzObjcUQVmKGdEkQ-ydYwFlZ8BBwlA2g0gbfU4LX1Ihg02K0NChrpT3M5mUkkxQENuAcncgzQTsqnkFEPSF5dMiQEORNg4MlBbaWXsImPCY8eM75o24Kh11DTcI4RQeNlnHubVluK5CMxBKYRCGkYKgnCMawsf9p1V9y49tXlkFuOw",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "offline_access photo",
"refresh_token": "vlqgsZzDTGQfO29vJiUYkRTCEtB9Uxl43QsDkVU_NX0"
}
Implicit Grant Type¶
Example¶
- Register Client
client_id: 0oajqpo295eReA4vD0h7
client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
Supported Grant Types: [authorization_code, refresh_token, implicit]
- Make User Account
login: [email protected]
password: Good-Seal-Obnoxious-Hamerkop-5
- Make Authorization Request to the server (response_type=token)
https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=token&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/implicit.html&scope=photo&state=8k_IH7E08uWxtGqZ&nonce=59taftMwl3A3gcyo&prompt=login
HTTP/1.1 302 Found
[...]
location: https://dev-396343.oktapreview.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=-DTrxvvgpq8fgv-V92NuF0id-onpA_yk4ZOaDl8ZcVA
- Log in to the application
- Redirect back to the OAuth application with the access token in the URL fragment
https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=-DTrxvvgpq8fgv-V92NuF0id-onpA_yk4ZOaDl8ZcVA
HTTP/1.1 302 Found
[...]
Location: https://www.oauth.com/playground/implicit.html#access_token=eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkNFSlJVY052alRKWXdXQ2dCMkpFbDNhU2ZtQnJRQ3Z5ZDVfbElMWkZVT2siLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU3NzQ0NiwiZXhwIjoxNTUyNTgxMDQ2LCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbInBob3RvIl0sInN1YiI6ImFnZ3Jlc3NpdmUtcHlnbXlAZXhhbXBsZS5jb20ifQ.PWCVLVK7WYABDlp2a-u6yo1NH8X1GFzyIyk4WrHKGNT1j72p0RUQYh39JqCF6-CkBYFLOg8QGh_rq3y2KqU61IHsp1SkjccW96lwLziqzgvTFvJzfxGDsh_sH3mrnX2aLjJQYGXwe_RBaDxekX1VwG5P3OcqNJlPdeJlwEi5hnQ_5VJ-lS0LdCwhZxZefXoBgHussyCAYGo9owIGKQyOdfKsWYa8x6YuNJvSRWbvFf1c4Jwmex9KDGqgmEuoSDascAuoOEqyG_p3U7uM2WwCh0y8clVV4dYnc9GinDVvu2sxN9M6-00HPzlRSpiIZ4eCwuJh79jaF8-tIfo7bJzTZw&token_type=Bearer&expires_in=3600&scope=photo&state=8k_IH7E08uWxtGqZ
Resource Owner Password¶
Example¶
https://oauth.example.com/token?grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID
PKCE (Proof Key for Code Exchange)¶
Example¶
- Register Client
client_id: 0oajqpo295eReA4vD0h7
client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
Supported Grant Types: [authorization_code, refresh_token, implicit]
- Make User Account
login: [email protected]
password: Good-Seal-Obnoxious-Hamerkop-5
- Generate a secret code_verifier; SHA-256 hash it and base64url-encode the digest to get the code_challenge
Secret Key (code_verifier): nwekEDDpjMFWb3UOwnwLiMvzRB_u7H8SIf2s0N0S3CdbruQw
base64url(sha256(code_verifier)): 8DjS8piAJ0qH6UorZVL9s8jLZDSKsxnDm813773NjPA
- Generate a random nonce for state
WkB0Uvgo1wAmkCQ4
- Make Authorization Request to the server, sending the code_challenge (not the verifier)
https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/authorization-code-with-pkce.html&scope=photo+offline_access&state=WkB0Uvgo1wAmkCQ4&code_challenge=8DjS8piAJ0qH6UorZVL9s8jLZDSKsxnDm813773NjPA&code_challenge_method=S256&prompt=login
HTTP/1.1 302 Found
[...]
Location: https://dev-396343.oktapreview.com/user/verify_password?fromURI=/oauth2/v1/authorize/redirect?okta_key=ecJgr2_dWyIcAkDRVjgbxw1c3VFEz7iH14WhmL98zYs&isAppSignOnPolicy=true
- Return Authorization Code back to the application.
https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=ecJgr2_dWyIcAkDRVjgbxw1c3VFEz7iH14WhmL98zYs&hideBgImage=true
HTTP/1.1 302 Found
[...]
Location: https://www.oauth.com/playground/authorization-code-with-pkce.html?code=0TV8tmN6NYo-ZpeczDPU&state=WkB0Uvgo1wAmkCQ4
- Get Access Token from Authorization Code (Application Server to Authorization Server)
POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
[...]
grant_type=authorization_code
&client_id=0oajqpo295eReA4vD0h7
&client_secret=G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
&redirect_uri=https://www.oauth.com/playground/authorization-code-with-pkce.html
&code=0TV8tmN6NYo-ZpeczDPU
&code_verifier=nwekEDDpjMFWb3UOwnwLiMvzRB_u7H8SIf2s0N0S3CdbruQw
HTTP/1.1 200 OK
[...]
{
"access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmdRNkxsZHl2dlVNUG1sUXBHaXJYd01XUEhYVUgxcUNzWG9pMHBKbUVVdkUuVVh3M3BCSnd5dHpQRHdySHQrZkY0Rm1PQnNBOVU4eTF2RGpWSU41VXM2QT0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU5MTU3MiwiZXhwIjoxNTUyNTk1MTcyLCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjoiYWdncmVzc2l2ZS1weWdteUBleGFtcGxlLmNvbSJ9.B2vB5TyAUG3m65EchznbUacbSDSb5Qwe2FBHroXPhzpuMqlWjmcOCIBofCySpAmVfF-UH4Z1mdxMbzwLA9ZdOjk03OLCYVYeYPb2mtkv4rjPbBi7GTXQ0K1sprszS1q4Kpju1wSitI2OdlEtkYbEAunzszy-sFD6oQDR9zaEc-N1XNlPm4KI5Euw0Sp2-E6Fg-yRgeNcjub7rjO6hbl-Tkz6ccV6yqV1hDAneZqYWC4QLVJbszBlAzfc0_ciLrT2WkGWfLqJyNu0W_a4zyaTXPG7xcnIKFKqlmYc6c0k_8LWZfEBoqXYI1Va3bGfCJDrkruX-8aGkGJuc2xRv7SQ_A",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "offline_access photo",
"refresh_token": "cKPm76N9AlAqzXu9Ynb-aOd13kVRd9QamyZKu5iWA0o"
}
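The verifier/challenge derivation and the token-endpoint check from the PKCE steps above, as an added Python example (not the playground's or Okta's code). It uses the RFC 7636 Appendix B test vector for its known-answer check; endpoint, client ID and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# RFC 7636 Appendix B test vector (not taken from the notes' Okta session).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier of 43..128 unreserved characters."""
    return b64url(secrets.token_bytes(n_bytes))  # 32 bytes -> 43 chars


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scope, state, code_verifier):
    """Client side: the authorization request carries only the challenge; the
    verifier stays with the client until the code is exchanged."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side, at the token endpoint: recompute the challenge
    from the presented code_verifier and compare it in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```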
Device Code¶
Example¶
- Use the device to make a request to the Authorization Server
POST /o/oauth2/device/code HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id=client_id&
scope=email%20profile
HTTP/1.1 200 OK
{
"device_code" : "4/4-GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8",
"user_code" : "GQVQ-JKEC",
"verification_url" : "https://www.google.com/device",
"expires_in" : 1800,
"interval" : 5
}
- The user, on another device already logged in to the authorization server, opens the verification URL and enters the user code shown by the device
https://www.google.com/device
- The device polls the Authorization Server until the user responds or the request expires
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
client_id=client_id&
client_secret=client_secret&
code=device_code&
grant_type=http://oauth.net/grant_type/device/1.0
- On a successful response from the Authorization Server
HTTP/1.1 200 OK
[...]
{
"access_token":"1/fFAGRNJru1FTz70BzhT3Zg",
"expires_in":3920,
"token_type":"Bearer",
"refresh_token":"1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}
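The polling step above, as an added Python example (not Google's client code). It assumes the RFC 8628 error names (authorization_pending, slow_down, expired_token, access_denied) for the token endpoint's replies, and drives the poller with a constructed script of replies and a fake clock instead of real HTTP.

```python
import time

# Token-endpoint error strings from RFC 8628 (assumption: the server uses these
# names; the Google endpoint in the notes is not the reference here).
PENDING, SLOW_DOWN = "authorization_pending", "slow_down"
EXPIRED, DENIED = "expired_token", "access_denied"


def poll_for_token(post_token, device_code, interval, expires_in,
                   sleep=time.sleep, now=time.monotonic):
    """Device side: poll every `interval` seconds until the user approves,
    back off on slow_down, and give up once expires_in has elapsed.
    post_token(device_code) is the caller's HTTP POST returning the JSON dict."""
    deadline = now() + expires_in
    wait = interval
    while now() < deadline:
        resp = post_token(device_code)
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == SLOW_DOWN:
            wait += 5                       # RFC 8628: add 5 s and keep polling
        elif err in (EXPIRED, DENIED):
            raise PermissionError(err)      # terminal: stop polling
        elif err != PENDING:
            raise ValueError(f"unexpected token response: {resp!r}")
        sleep(wait)
    raise TimeoutError("device code expired before the user approved")


def simulate(responses, interval=5, expires_in=1800):
    """Run the poller against a constructed sequence of endpoint replies with a
    fake clock; returns the outcome and the sleep intervals actually used."""
    clock = [0.0]
    waits = []

    def fake_sleep(seconds):
        waits.append(seconds)
        clock[0] += seconds

    replies = iter(responses)
    try:
        result = poll_for_token(lambda _code: next(replies), "constructed-device-code",
                                interval, expires_in, sleep=fake_sleep, now=lambda: clock[0])
        return {"outcome": "token", "token": result["access_token"], "waits": waits}
    except (PermissionError, TimeoutError) as exc:
        return {"outcome": type(exc).__name__, "waits": waits}
```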
OpenID Connect¶
- Used to authenticate (validate the identity of) the user; returns an id_token in addition to the access token
Example¶
- Register Client
client_id: 0oajqpo295eReA4vD0h7
client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
Supported Grant Types: [authorization_code, refresh_token, implicit]
- Make User Account
login: [email protected]
password: Good-Seal-Obnoxious-Hamerkop-5
- Generate a random nonce for the state parameter and make the request to the Authorization Server (scope includes openid)
https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/oidc.html&scope=openid+profile+offline_access&state=3xJaoTBpqEJAt0_g&nonce=LzJHw09aOLrNOP8n&prompt=login
HTTP/1.1 302 Found
[...]
Location: https://dev-396343.oktapreview.com/user/verify_password?fromURI=/oauth2/v1/authorize/redirect?okta_key=VDW-pGlfR-NWmdyY9L7e50YJQPtSLdzeyCRDh72DW-s&isAppSignOnPolicy=true
- Redirect back to Application Server
https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=VDW-pGlfR-NWmdyY9L7e50YJQPtSLdzeyCRDh72DW-s&hideBgImage=true
HTTP/1.1 302 Found
[...]
Location: https://www.oauth.com/playground/oidc.html?code=wbpKG8ao8nDpEkY7_OWI&state=3xJaoTBpqEJAt0_g
- The Application Server makes a request to the Authorization Server's token endpoint
POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
[...]
grant_type=authorization_code
&client_id=0oajqpo295eReA4vD0h7
&client_secret=G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
&redirect_uri=https://www.oauth.com/playground/oidc.html
&code=wbpKG8ao8nDpEkY7_OWI
HTTP/1.1 200 OK
[...]
{
"access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkk2X3NWUWtMZmFWUURncmR4UU83UHRHUEY5amszV2luclFGaWFmUVV5QVkubmpianhmcUp5cXpLTk9MY2dGZitlRFpQOFBNTVVOUmpaUVlpNHlPS01TWT0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU5NDcyOSwiZXhwIjoxNTUyNTk4MzI5LCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbInByb2ZpbGUiLCJvZmZsaW5lX2FjY2VzcyIsIm9wZW5pZCJdLCJzdWIiOiJhZ2dyZXNzaXZlLXB5Z215QGV4YW1wbGUuY29tIn0.FtNPSTbqtj8oRaUyts_UVZqbubXAVwYqO5O104IWuWgq2VSMoVy_I15JBcnqYQvkMff8sG_ALFi4CuJ9VuYLeXovnoH1tPA-HPn25QeRKXLYHMzMttd1CLRRVb8YsfLZJoQChr5G57Rc_7Zn8-s1AGc4tE3dtoJ1H4DsuwIrCqiwDO14kXobIi4A9IBW1WwplpseFwnjUE65Vaq5TsuIjCwgHh78QN9FnFA0pwVJ2NINcoyRpkt6PXsbCpv83qKdWpY2INzef9OKUH_yN-JG2YYw7YOVQDPePkQK7yeeZT36AZvyVrxEgdSDJoMf9cIQPQdWgTp_dxH289uDJAMAGQ",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "profile offline_access openid",
"refresh_token": "CzXzgiUd-cvi63Xs8NMOje5XOuvqEm6BAuHMUNxOdOU",
"id_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.[...].EoWqa0_cCy-eULP-At2yaPAmcJkX9d0U0xhAJ6nFLVpamFw0gNp0fSeCXaDoA6fc2Ez9gGxDR6_RwCRJZXFg90VFAMguJKxoWEof50ESgKmVJSP0B_ISWE54Ju3VDuweHN5B1aT5CTQxVkTjSUJj6QQZsMdfKasMFf9TBwG7SdW-yylQF2PemtsBIdnnu6w53zm87v-LuU5LuMGWwgvSfVMM1sORidZA8DjohwSTKc5XJIoFFwyty6vklx_Hfci2U5ZscjjJ605KiEwCg1PQpr2snqUq3b_Ryl9woNvvnJIqalmJb268ruVinNQ4AFwjtwUo_wGwpu_3pTsqovaCsQ"
}
Exploits¶
The state variable is mandatory for preventing CSRF attacks.
- Check that the state parameter is mandatory
- Check that the state parameter is not predictable
- Check that the state parameter cannot be changed to a different value
- Check that the state parameter is not user-provided
The code variable contains the authorization code in the response from the server.
- Check that it is only valid for a maximum of 10 mins.
- Check that the code cannot be reused.
- Check that if there are two requests with the same code, the sessions issued from it are revoked.
The redirect_uri is the URL at which the application receives data back from the user account server.
- Check that the URL's domain is validated.
- Check that a 302 redirect to the server fails.
- Look for URL parsing issues:
- evilmatch.com, match.com.evil.com, evil.com#match.com, evil.com?match.com, matchAmatch.com, match.com.mx
- IDN homograph attack
- Check for an open redirect on the domain
- Check for directory traversal
- Check for a plain http (non-TLS) endpoint
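The redirect_uri checks above, as an added Python example (not from the page or its tooling): a substring matcher that accepts every bypass pattern in the list, beside a strict matcher that rejects them all. match.com and the registered callback are constructed placeholders taken from the pattern list.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed registration for the placeholder domain used in the pattern list.
TRUSTED_HOST = "match.com"
REGISTERED_REDIRECTS = {"https://match.com/callback"}


def weak_check(redirect_uri: str) -> bool:
    """The bug behind the bypasses listed above: a substring test on the host."""
    return TRUSTED_HOST in redirect_uri


def strict_check(redirect_uri: str) -> bool:
    """Accept only an exact, pre-registered https URI: no fragment, no query,
    no path traversal, and the parsed host compared whole, so evilmatch.com,
    match.com.evil.com, match.com.mx and IDN look-alikes all fail."""
    p = urlsplit(redirect_uri)
    if p.scheme != "https" or p.fragment or p.query:
        return False
    if not p.hostname or not p.hostname.isascii() or p.hostname != TRUSTED_HOST:
        return False
    if posixpath.normpath(p.path) != p.path:        # rejects /callback/../admin
        return False
    return f"{p.scheme}://{p.netloc}{p.path}" in REGISTERED_REDIRECTS


# Constructed test inputs built from the page's pattern list.
CANDIDATES = [
    "https://match.com/callback",                 # the only registered URI
    "https://evilmatch.com/callback",
    "https://match.com.evil.com/callback",
    "https://evil.com/callback#match.com",
    "https://evil.com/callback?match.com",
    "https://matchAmatch.com/callback",
    "https://match.com.mx/callback",
    "http://match.com/callback",                  # plain http endpoint
    "https://match.com/callback/../admin",        # directory traversal
]


def evaluate(candidates=CANDIDATES):
    """Return {uri: (weak_result, strict_result)} for each candidate."""
    return {u: (weak_check(u), strict_check(u)) for u in candidates}
```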
The access_token should never be exposed to the user.
- Check requests from the browser for it.
Use the authorization code grant flow instead of the implicit grant flow; this removes the token from the URL parameters.
Test that the scope can only access the permissions it was granted.
Make sure clickjacking is not possible.