OAuth2 Authorization Server Under the Hood

December 2021
OAuth 2
Authorization Server Under the Hood

3
Company Confidential © Capgemini 2021. All rights reserved |
OAuth 2.0 framework overview
• Authorization code flow
• PKCE
Reference tokens vs self-contained
• Introspection endpoint
• JWT validation
OAuth Authorization server frontend
• /authorize path and parameters
OAuth Authorization server endpoints
• /authorize
• /token
Possible errors
OIDC and Authentication
• User sign in and registration
SSO
SLO
AGENDA

4
OAuth 2.0 Framework
Overview
1.

5
https://oauth.net
“OAuth 2.0 is the industry-
standard protocol for
authorization. ”

6
Roles
OAuth 2.0 Framework Overview
An OAuth 2.0 flow has the following roles
• Resource Owner: Entity that can grant access to a protected resource.
Typically, this is the end-user
• Resource Server: Server hosting the protected resources. This is the API you
want to access
• Client: Application requesting access to a protected resource on behalf of the
Resource Owner
• Authorization Server: Server that authenticates the Resource Owner and
issues access tokens after getting proper authorization.

7
Roles

8
Authorization Code flow

9
Use-case example

10
PKCE
The Proof Key for Code Exchange (PKCE, pronounced pixie) extension describes a
technique for public clients to mitigate the threat of having the authorization code
intercepted.
The technique involves the client first creating a secret, and then using that secret
again when exchanging the authorization code for an access token.
This way if the code is intercepted, it will not be useful since the token request
relies on the initial secret.

11
OAuth 2.0 Framework Overview PKCE

12
Reference tokens vs
self-contained
2.

13
gho_16C7e42F292c6912E7710c838347Ae178B4a
Reference
REFERENCE TOKENS VS SELF-CONTAINED
Self-contained

14
 Unique string (e.g.: uuid / hash)
 Remote information
• Introspection endpoint (e.g.: /token_info)
• Verification
• Payload
 Benefits
• Light wight
• Session management
 Challenges
• Additional time for getting remote info
Reference Self-contained
 JWT
• Signature
 Payload
• User id
• Role / permission
• Etc
 Benefits
• Autonomous validation
 Challenges
• Session related logic, e.g.: instant logout
REFERENCE TOKENS VS SELF-CONTAINED

15
OAuth Authorization
server Frontend
3.

16
OAuth authorization server Frontend Authentication

17
OAuth authorization server Frontend Consent

18
OAuth Authorization
server endpoints
4.

19
/oauth/authorize
?client_id=a17c21ed
&response_type=code
&state=5ca75bd30
&redirect_uri=https://example.com/cb
&scope=photos
Authorization request Backend logic
• Authorize request against access token
• Validate request parameters
• Generate authorization code
• Store in DB request data
• Return authorization code
• or redirect to the redirect_uri
https://example.com/cb
?state=txcSDMn3Q5bZ-w32
&code=EVOcNHq7TBVaxVw
Authorization response

20
/token
?code=EVOcNHq7TBVaxVw
&grant_type=code
&redirect_uri=https://example.com/cb
&client_id=a17c21ed
&client_secret=ZGVmMjMz
Token exchange request Backend logic
- Authorize request
- Validate query params
- Get data from DB by the authorization code
- userId
- scope
- Issue tokens limited to scopes
{
"token_type": "Bearer",
"expires_in": 86400,
"access_token": "sjmHG1EywNbSDAelt",
"refresh_token": "Qb6kKM4BWPIwq"
}
Token exchange response

21
Scopes
Scopes are like roles or permissions in common access management patterns.
Basically, they specify scope of access.
Implementation of authorization (scopes check) is not covered by the spec. and
might be implemented in any way.

22
Possible Errors
5.

23
Possible errors
• Invalid redirect URL
• Unrecognized client_id
• The user denies the request
• Invalid parameters
• invalid_request: The request is missing a required parameter, includes an invalid parameter
value, or is otherwise malformed.
• unauthorized_client: The client is not authorized to request an authorization code using this
method.
• unsupported_response_type: The authorization server does not support obtaining an
authorization code using this method.
• invalid_scope: The requested scope is invalid, unknown, or malformed.
• server_error: The authorization server encountered an unexpected condition which
prevented it from fulfilling the request.
• temporarily_unavailable: The authorization server is currently unable to handle the request
due to a temporary overloading or maintenance of the server.

24
OIDC and
Authentication
6.

25
Authentication comparison

26
User sign in and registration w/o OIDC

27
User sign in and registration

28
SSO
7.

29
SSO

30
SLO
8.

31
SLO

33
What did we we learn
• OAuth 2 authorization code flow in details
• OAuth 2 FE SPA / SSR
• Endpoints and logic
• Scopes and authorization
• Sign-in and registration

34
References
• https://oauth.net/ - open-source website maintained by Aaron Parecki
• https://www.oauth.com/ - OAuth 2.0 Simplified (Written by Aaron Parecki)
• https://jwt.io/ - debugger / book
• https://openid.net/connect/ - consolidated data about OIDC
• https://oidcdebugger.com/ - OIDC debugger
• https://portswigger.net/web-security/oauth/preventing - OAuth vulnerabilities
• https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics - OAuth
spec: Security Best Practices

35
Inspired by
https://oauth2simplified.com/
OAuth 2.0 Simplified
OAuth 2.0 Simplified is a guide to building an
OAuth 2.0 server. Through high-level
overviews, step-by-step instructions, and real-
world examples, you will learn how to take
advantage of the OAuth 2.0 framework while
building a secure API.

This presentation contains information that may be privileged or confidential and
is the property of the Capgemini Group.
Copyright © 2021 Capgemini. All rights reserved.
Capgemini Engineering combines, under one brand, a unique set of strengths from across the
Capgemini Group: the world leading engineering and R&D services of Altran – acquired by
Capgemini in 2020 - and Capgemini’s digital manufacturing expertise. With broad industry
knowledge and cutting-edge technologies in digital and software, Capgemini Engineering
supports the convergence of the physical and digital worlds. Combined with the capabilities of
the rest of the Group, it helps clients to accelerate their journey towards Intelligent Industry.
Capgemini Engineering has more than 52,000 engineer and scientist team members in over 30
countries across sectors including aeronautics, automotive, railways, communications, energy,
life sciences, semiconductors, software & internet, space & defence, and consumer products.
Capgemini Engineering is an integral part of the Capgemini Group, a global leader in partnering
with companies to transform and manage their business by harnessing the power of technology.
The Group is guided every day by its purpose of unleashing human energy through technology
for an inclusive and sustainable future. It is a responsible and diverse organization of 270,000
team members in nearly 50 countries. With its strong 50-year heritage and deep industry
expertise, Capgemini is trusted by its clients to address the entire breadth of their business
needs, from strategy and design to operations, fueled by the fast evolving and innovative world
of cloud, data, AI, connectivity, software, digital engineering and platforms. The Group reported
in 2020 global revenues of €16 billion.
About Capgemini Engineering
Get the Future You Want | www.capgemini.com/capgemini-engineering

OAuth2 Authorization Server Under the Hood

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to OAuth2 Authorization Server Under the Hood

Similar to OAuth2 Authorization Server Under the Hood (20)

More from Lohika_Odessa_TechTalks

More from Lohika_Odessa_TechTalks (20)

Recently uploaded

Recently uploaded (20)

OAuth2 Authorization Server Under the Hood