OAuth

  • Handles authorization: delegated access to a resource on the user's behalf
  • Provides no authentication by itself; a valid access token says nothing about who is actually at the keyboard

Differences from OAuth 1.0

  • In OAuth 1.0 every request was signed with the client (consumer) key and secret; OAuth 2.0 drops request signing and relies on TLS plus bearer tokens instead

Client Credentials

The application itself (no user involved) requests a token from the token endpoint using its Client ID and Secret. The credentials belong in a POST body, not in the query string, so they do not end up in server logs or proxy history.

Example:
    POST https://oauth.example.com/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

Authorization Code Grant Type

  • The client secret stays confidential: only the application server and the authorization server ever see it; the browser never does.
  • Uses a redirection flow, so the client must be able to interact with the user's browser.
  • response_type=code - the application is requesting an authorization code
  • client_id - the application's client ID (how the authorization server identifies the application)
  • redirect_uri - the URI the user is returned to after authorization completes (must match a registered one)
  • scope - one or more scope values naming the parts of the user's account the application wants to access

Example

  1. Register Client
    client_id: 0oajqebu4mvAt0VTb0h7
    client_secret: 64RYxz3BR3WsYCqk4Gwh7F0Zp7CYRh3OmYLmz49H
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types : [authorization_code, refresh_token, implicit]

  2. Make User Account
    login: [email protected]
    password: Talented-Heron-Real-Bug-3

  3. Make Authorization Request to the server (the browser is sent to the authorize endpoint)
    https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqebu4mvAt0VTb0h7&redirect_uri=https://www.oauth.com/playground/authorization-code.html&scope=photo+offline_access&state=Xne0u_2hEUHrL3rF&prompt=login

    HTTP/1.1 302 Found
    [...]
    location: https://dev-396343.oktapreview.com/user/verify_password?fromURI=/oauth2/v1/authorize/redirect?okta_key=WPet_Q90GR50Mgloburfs_jRC8Utm0sHDo6ClpUxX2M&isAppSignOnPolicy=true

  4. Log in and grant the request.

  5. Redirect back to the application.

    HTTP/1.1 302 Found
    [...]
    location: https://www.oauth.com/playground/authorization-code.html?code=6MoouW0whQOR3R21Zfk6&state=Xne0u_2hEUHrL3rF

  6. Check that the returned state matches the one sent in step 3; this is what prevents CSRF.

  7. Have the application server (not the browser) make a request to the

    POST https://dev-396343.oktapreview.com/oauth2/default/v1/token

    grant_type=authorization_code
    &client_id=0oajqebu4mvAt0VTb0h7
    &client_secret=64RYxz3BR3WsYCqk4Gwh7F0Zp7CYRh3OmYLmz49H
    &redirect_uri=https://www.oauth.com/playground/authorization-code.html
    &code=6MoouW0whQOR3R21Zfk6

HTTP/1.1 200 OK
[...]
{
	"access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlNYTEpOQTRFZHl2VE8zSkp5UUhVd0tyb19qVEFfWUtaazhKNk1oYVpxLVEubVVpbzdiM0xaaUlWOFBuYnZobU9sMDgvckZudjl1NitISll4TXdLNWhJMD0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjUxMjk0MiwiZXhwIjoxNTUyNTE2NTQyLCJjaWQiOiIwb2FqcWVidTRtdkF0MFZUYjBoNyIsInVpZCI6IjAwdWpxZWJyNXhYSU16aVFqMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjoic2h5LWdhemVsbGVAZXhhbXBsZS5jb20ifQ.Iv3kr5S34q8gCmDHlzEivXZe2iaslqiaPoPFwRIcl9o16IdT4LzeujEh0c7mERxTz7RLUIHC24i5d89-zLMvkXbaqMXiF2KiY1KmsXPPBhO90f6adDZI6vgUXOVbIMnYFinaXAKX6vsPdatXSho0VOJtmsY-5c87p6nGsG50EzObjcUQVmKGdEkQ-ydYwFlZ8BBwlA2g0gbfU4LX1Ihg02K0NChrpT3M5mUkkxQENuAcncgzQTsqnkFEPSF5dMiQEORNg4MlBbaWXsImPCY8eM75o24Kh11DTcI4RQeNlnHubVluK5CMxBKYRCGkYKgnCMawsf9p1V9y49tXlkFuOw",
	"token_type": "Bearer",
	"expires_in": 3600,
	"scope": "offline_access photo",
	"refresh_token": "vlqgsZzDTGQfO29vJiUYkRTCEtB9Uxl43QsDkVU_NX0"
}

Implicit Grant Type

Example

  1. Register Client
    client_id: 0oajqpo295eReA4vD0h7
    client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types : [authorization_code, refresh_token, implicit]

  2. Make User Account
    login: [email protected]
    password: Good-Seal-Obnoxious-Hamerkop-5

  3. Make Authorization Request to server
    https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=token&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/implicit.html&scope=photo&state=8k_IH7E08uWxtGqZ&nonce=59taftMwl3A3gcyo&prompt=login

HTTP/1.1 302 Found
[...]
location: https://dev-396343.oktapreview.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=-DTrxvvgpq8fgv-V92NuF0id-onpA_yk4ZOaDl8ZcVA
  4. Log in to the application.

  5. Redirect back to the OAuth application with the access token in the URL fragment (the fragment stays in the browser and is never sent to the application server).
    https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=-DTrxvvgpq8fgv-V92NuF0id-onpA_yk4ZOaDl8ZcVA

HTTP/1.1 302 Found
[...]
Location: https://www.oauth.com/playground/implicit.html#access_token=eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkNFSlJVY052alRKWXdXQ2dCMkpFbDNhU2ZtQnJRQ3Z5ZDVfbElMWkZVT2siLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU3NzQ0NiwiZXhwIjoxNTUyNTgxMDQ2LCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbInBob3RvIl0sInN1YiI6ImFnZ3Jlc3NpdmUtcHlnbXlAZXhhbXBsZS5jb20ifQ.PWCVLVK7WYABDlp2a-u6yo1NH8X1GFzyIyk4WrHKGNT1j72p0RUQYh39JqCF6-CkBYFLOg8QGh_rq3y2KqU61IHsp1SkjccW96lwLziqzgvTFvJzfxGDsh_sH3mrnX2aLjJQYGXwe_RBaDxekX1VwG5P3OcqNJlPdeJlwEi5hnQ_5VJ-lS0LdCwhZxZefXoBgHussyCAYGo9owIGKQyOdfKsWYa8x6YuNJvSRWbvFf1c4Jwmex9KDGqgmEuoSDascAuoOEqyG_p3U7uM2WwCh0y8clVV4dYnc9GinDVvu2sxN9M6-00HPzlRSpiIZ4eCwuJh79jaF8-tIfo7bJzTZw&token_type=Bearer&expires_in=3600&scope=photo&state=8k_IH7E08uWxtGqZ

Resource Owner Password

  • The application collects the user's password directly, so only trusted first-party clients should use this grant.

Example

    POST https://oauth.example.com/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID

PKCE (Proof Key for Code Exchange)

Example

  1. Register Client
    client_id: 0oajqpo295eReA4vD0h7
    client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types : [authorization_code, refresh_token, implicit]

  2. Make User Account
    login: [email protected]
    password: Good-Seal-Obnoxious-Hamerkop-5

  3. Generate a secret (code_verifier); the code_challenge is the base64url encoding of its SHA-256 hash

    Secret Key (code_verifier): nwekEDDpjMFWb3UOwnwLiMvzRB_u7H8SIf2s0N0S3CdbruQw
    base64url(sha256(code_verifier)): 8DjS8piAJ0qH6UorZVL9s8jLZDSKsxnDm813773NjPA

  4. Generate a random nonce for the state parameter (WkB0Uvgo1wAmkCQ4) and make the authorization request carrying the code_challenge

https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/authorization-code-with-pkce.html&scope=photo+offline_access&state=WkB0Uvgo1wAmkCQ4&code_challenge=8DjS8piAJ0qH6UorZVL9s8jLZDSKsxnDm813773NjPA&code_challenge_method=S256&prompt=login

HTTP/1.1 302 Found
[...]
Location: https://dev-396343.oktapreview.com/user/verify_password?fromURI=/oauth2/v1/authorize/redirect?okta_key=ecJgr2_dWyIcAkDRVjgbxw1c3VFEz7iH14WhmL98zYs&isAppSignOnPolicy=true
  5. Return the authorization code back to the application.

https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=ecJgr2_dWyIcAkDRVjgbxw1c3VFEz7iH14WhmL98zYs&hideBgImage=true

HTTP/1.1 302 Found
[...]
Location: https://www.oauth.com/playground/authorization-code-with-pkce.html?code=0TV8tmN6NYo-ZpeczDPU&state=WkB0Uvgo1wAmkCQ4
  6. Get an access token from the authorization code (application server to Authorization Server), sending the original code_verifier so the server can check it against the code_challenge it stored

POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
[...]
grant_type=authorization_code
&client_id=0oajqpo295eReA4vD0h7
&client_secret=G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
&redirect_uri=https://www.oauth.com/playground/authorization-code-with-pkce.html
&code=0TV8tmN6NYo-ZpeczDPU
&code_verifier=nwekEDDpjMFWb3UOwnwLiMvzRB_u7H8SIf2s0N0S3CdbruQw

HTTP/1.1 200 OK
[...]
{
	"access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmdRNkxsZHl2dlVNUG1sUXBHaXJYd01XUEhYVUgxcUNzWG9pMHBKbUVVdkUuVVh3M3BCSnd5dHpQRHdySHQrZkY0Rm1PQnNBOVU4eTF2RGpWSU41VXM2QT0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU5MTU3MiwiZXhwIjoxNTUyNTk1MTcyLCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjoiYWdncmVzc2l2ZS1weWdteUBleGFtcGxlLmNvbSJ9.B2vB5TyAUG3m65EchznbUacbSDSb5Qwe2FBHroXPhzpuMqlWjmcOCIBofCySpAmVfF-UH4Z1mdxMbzwLA9ZdOjk03OLCYVYeYPb2mtkv4rjPbBi7GTXQ0K1sprszS1q4Kpju1wSitI2OdlEtkYbEAunzszy-sFD6oQDR9zaEc-N1XNlPm4KI5Euw0Sp2-E6Fg-yRgeNcjub7rjO6hbl-Tkz6ccV6yqV1hDAneZqYWC4QLVJbszBlAzfc0_ciLrT2WkGWfLqJyNu0W_a4zyaTXPG7xcnIKFKqlmYc6c0k_8LWZfEBoqXYI1Va3bGfCJDrkruX-8aGkGJuc2xRv7SQ_A",
	"token_type": "Bearer",
	"expires_in": 3600,
	"scope": "offline_access photo",
	"refresh_token": "cKPm76N9AlAqzXu9Ynb-aOd13kVRd9QamyZKu5iWA0o"
}
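Client-side handling of the state check from the authorization code example (step 6 above) and of the PKCE code_verifier/code_challenge pair, as an added Python example rather than the playground's own code. It assumes the Okta playground endpoint, client_id and redirect URI from this page, leaves the actual HTTP calls to the caller, and uses the RFC 7636 Appendix B test vector to check the S256 transform.

```python
"""Authorization-code client with state (CSRF) and PKCE handling.

Added example, not the oauth.com playground's code.  Endpoint, client_id and
redirect_uri are the values from this page's PKCE walkthrough.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE = "https://dev-396343.oktapreview.com/oauth2/default/v1/authorize"
CLIENT_ID = "0oajqpo295eReA4vD0h7"
REDIRECT_URI = "https://www.oauth.com/playground/authorization-code-with-pkce.html"


def code_challenge_s256(code_verifier: str) -> str:
    """base64url(sha256(code_verifier)) without '=' padding, as in step 3 of the PKCE example."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_authorization(session: dict) -> str:
    """Generate state and code_verifier, keep them server-side, return the authorize URL."""
    session["state"] = secrets.token_urlsafe(16)          # unpredictable and per-request
    session["code_verifier"] = secrets.token_urlsafe(48)  # 64 unreserved chars (43..128 allowed)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "photo offline_access",                  # urlencode renders this as photo+offline_access
        "state": session["state"],
        "code_challenge": code_challenge_s256(session["code_verifier"]),
        "code_challenge_method": "S256",                  # the verifier itself never leaves the server here
    }
    return f"{AUTHORIZE}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Verify the returned state, consume it, and build the back-channel token-endpoint POST body."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    expected = session.pop("state", None)                 # single use: pop so a replay cannot match again
    if expected is None or returned is None or not secrets.compare_digest(returned, expected):
        raise ValueError("state mismatch: possible CSRF, drop this callback")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": query["code"][0],
        "code_verifier": session.pop("code_verifier"),   # goes in the POST body, never in a URL
    }
```

The dict returned by `handle_callback` is the form body for the `POST .../v1/token` request shown in step 6; the client_secret is added there by the application server.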

Device Code

Example

  1. Use the device to make a request to the Authorization Server
    POST /o/oauth2/device/code HTTP/1.1
    Host: accounts.google.com
    Content-Type: application/x-www-form-urlencoded

    client_id=client_id&
    scope=email%20profile

    HTTP/1.1 200 OK
    {
        "device_code" : "4/4-GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8",
        "user_code" : "GQVQ-JKEC",
        "verification_url" : "https://www.google.com/device",
        "expires_in" : 1800,
        "interval" : 5
    }

  2. The user, on another device that is logged in to the Authorization Server, opens the verification URL and enters the user code displayed by the device.

    https://www.google.com/device

  3. The device polls the Authorization Server (no more often than every "interval" seconds) until the user responds or the device code expires ("expires_in").

    POST /oauth2/v4/token HTTP/1.1
    Host: www.googleapis.com
    Content-Type: application/x-www-form-urlencoded

    client_id=client_id&
    client_secret=client_secret&
    code=device_code&
    grant_type=http://oauth.net/grant_type/device/1.0

4. On successful response from the Authorization Server

HTTP/1.1 200 OK
[...]
{
	"access_token":"1/fFAGRNJru1FTz70BzhT3Zg",
	"expires_in":3920,
	"token_type":"Bearer",
	"refresh_token":"1/xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}

OpenID Connect

  • An identity layer on top of OAuth: used to authenticate the user, returning an id_token alongside the access token

Example

  1. Register Client
    client_id: 0oajqpo295eReA4vD0h7
    client_secret: G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
    Redirect URIs: [https://www.oauth.com/playground/authorization-code.html, https://www.oauth.com/playground/authorization-code-with-pkce.html]
    Supported Grant Types : [authorization_code, refresh_token, implicit]

  2. Make User Account
    login: [email protected]
    password: Good-Seal-Obnoxious-Hamerkop-5

  3. Generate a random value for the state parameter and a separate random nonce (which the server binds into the id_token), then make the request to the Authorization Server.
    https://dev-396343.oktapreview.com/oauth2/default/v1/authorize?response_type=code&client_id=0oajqpo295eReA4vD0h7&redirect_uri=https://www.oauth.com/playground/oidc.html&scope=openid+profile+offline_access&state=3xJaoTBpqEJAt0_g&nonce=LzJHw09aOLrNOP8n&prompt=login

HTTP/1.1 302 Found
[...]
Location: https://dev-396343.oktapreview.com/user/verify_password?fromURI=/oauth2/v1/authorize/redirect?okta_key=VDW-pGlfR-NWmdyY9L7e50YJQPtSLdzeyCRDh72DW-s&isAppSignOnPolicy=true
  4. Redirect back to the application server

https://dev-396343.oktapreview.com/oauth2/v1/authorize/redirect?okta_key=VDW-pGlfR-NWmdyY9L7e50YJQPtSLdzeyCRDh72DW-s&hideBgImage=true

HTTP/1.1 302 Found
[...]
Location: https://www.oauth.com/playground/oidc.html?code=wbpKG8ao8nDpEkY7_OWI&state=3xJaoTBpqEJAt0_g
  5. The application server makes a back-channel request to the Authorization Server's token endpoint

POST https://dev-396343.oktapreview.com/oauth2/default/v1/token
[...]
grant_type=authorization_code
&client_id=0oajqpo295eReA4vD0h7
&client_secret=G-nN-YVNZ5ShFLnaGIkWM4IcRyTZFMPMXgcJOlc3
&redirect_uri=https://www.oauth.com/playground/oidc.html
&code=wbpKG8ao8nDpEkY7_OWI

HTTP/1.1 200 OK
[...]
{
	"access_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkk2X3NWUWtMZmFWUURncmR4UU83UHRHUEY5amszV2luclFGaWFmUVV5QVkubmpianhmcUp5cXpLTk9MY2dGZitlRFpQOFBNTVVOUmpaUVlpNHlPS01TWT0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU1MjU5NDcyOSwiZXhwIjoxNTUyNTk4MzI5LCJjaWQiOiIwb2FqcXBvMjk1ZVJlQTR2RDBoNyIsInVpZCI6IjAwdWpxczc1ZXhUeUNyS1JNMGg3Iiwic2NwIjpbInByb2ZpbGUiLCJvZmZsaW5lX2FjY2VzcyIsIm9wZW5pZCJdLCJzdWIiOiJhZ2dyZXNzaXZlLXB5Z215QGV4YW1wbGUuY29tIn0.FtNPSTbqtj8oRaUyts_UVZqbubXAVwYqO5O104IWuWgq2VSMoVy_I15JBcnqYQvkMff8sG_ALFi4CuJ9VuYLeXovnoH1tPA-HPn25QeRKXLYHMzMttd1CLRRVb8YsfLZJoQChr5G57Rc_7Zn8-s1AGc4tE3dtoJ1H4DsuwIrCqiwDO14kXobIi4A9IBW1WwplpseFwnjUE65Vaq5TsuIjCwgHh78QN9FnFA0pwVJ2NINcoyRpkt6PXsbCpv83qKdWpY2INzef9OKUH_yN-JG2YYw7YOVQDPePkQK7yeeZT36AZvyVrxEgdSDJoMf9cIQPQdWgTp_dxH289uDJAMAGQ",
	"token_type": "Bearer",
	"expires_in": 3600,
	"scope": "profile offline_access openid",
	"refresh_token": "CzXzgiUd-cvi63Xs8NMOje5XOuvqEm6BAuHMUNxOdOU",
	"id_token": "eyJraWQiOiJvLWlnUFVkX2prN2pKNDM1Rl9IdW9pWWluamxhb0lKV0FkMWk0ZU9NQ2FNIiwiYWxnIjoiUlMyNTYifQ.[...].EoWqa0_cCy-eULP-At2yaPAmcJkX9d0U0xhAJ6nFLVpamFw0gNp0fSeCXaDoA6fc2Ez9gGxDR6_RwCRJZXFg90VFAMguJKxoWEof50ESgKmVJSP0B_ISWE54Ju3VDuweHN5B1aT5CTQxVkTjSUJj6QQZsMdfKasMFf9TBwG7SdW-yylQF2PemtsBIdnnu6w53zm87v-LuU5LuMGWwgvSfVMM1sORidZA8DjohwSTKc5XJIoFFwyty6vklx_Hfci2U5ZscjjJ605KiEwCg1PQpr2snqUq3b_Ryl9woNvvnJIqalmJb268ruVinNQ4AFwjtwUo_wGwpu_3pTsqovaCsQ"
}

Exploits

The state parameter is mandatory for preventing CSRF on the redirect back to the application.
- Check that the state parameter is required (a callback without one must be rejected)
- Check that the state value is not predictable
- Check that a changed state value is rejected
- Check that the state value is generated by the application and not taken from user input

The code parameter carries the authorization code in the redirect from the server.
- Check that it is only valid for a maximum of 10 minutes.
- Check that the code can not be reused.
- Check that if the same code is presented twice, the sessions created from it are revoked.

The redirect_uri is the URL at which the application receives the response from the authorization server.
- Check that the URL's domain is validated against the registered value.
- Check that a redirect_uri which 302-redirects on to another server is rejected.
- Look for URL parsing issues:
- evilmatch.com, match.com.evil.com, evil.com#match.com, evil.com?match.com, matchAmatch.com, match.com.mx
- IDN homograph attack
- Check for an open redirect on the allowed domain
- Check for directory traversal
- Check whether a plain-http endpoint is accepted
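A strict server-side redirect_uri validator covering the checks listed above, as an added example that is not from the page or any particular authorization server. It registers the host match.com as a constructed example and rejects each bypass pattern in the list; the one policy choice it makes is exact matching of scheme, host, port, path and query after normalisation.

```python
"""Strict redirect_uri validation for an authorization server (added example).

Registered URIs must match exactly after normalisation: no prefix, suffix or
substring matching on the host.  The host match.com is a constructed example.
"""
from urllib.parse import urlsplit


def normalize(uri: str):
    """Return (scheme, host, port, path, query) or raise ValueError for anything suspicious."""
    p = urlsplit(uri)
    if p.scheme != "https":                       # a plain-http endpoint leaks the code in transit
        raise ValueError("only https redirect URIs are accepted")
    if p.username is not None or p.password is not None:
        raise ValueError("userinfo in authority (e.g. https://match.com@evil.com)")
    host = p.hostname                             # lower-cased by urlsplit
    if not host:
        raise ValueError("missing host")
    try:
        host.encode("ascii")                      # a Cyrillic 'а' in mаtch.com fails here
    except UnicodeEncodeError:
        raise ValueError("non-ASCII host: possible IDN homograph")
    if p.fragment:                                # evil.com#match.com
        raise ValueError("fragment not allowed in redirect_uri")
    path = p.path or "/"
    if ".." in path.split("/"):                   # directory traversal inside an allowed host
        raise ValueError("path traversal in redirect_uri")
    return (p.scheme, host, p.port or 443, path, p.query)


def redirect_uri_allowed(requested: str, registered) -> bool:
    """True only if the requested URI normalises to exactly one of the registered URIs."""
    try:
        want = normalize(requested)
    except ValueError:
        return False
    return any(want == normalize(r) for r in registered)
```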

The access_token should never be exposed to the user's browser.
- Check requests made from the browser for the token.

Use the authorization code grant flow instead of the implicit grant flow. This removes the token from the URL parameters.

Test that a token can only access what its granted scope permits.

Make sure the authorization (consent) page cannot be framed, so clickjacking is not possible.