OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner. It provides authorization flows for web and desktop applications, mobile phones, and living room devices. The key roles in OAuth 2.0 are the resource owner, resource server, client, and authorization server. The four core authorization flows are authorization code, implicit, resource owner password credentials, and client credentials. OAuth 2.0 aims to address issues with the traditional client-server authentication model such as storing user credentials, inability to revoke access, and unlimited access provided by passwords.

1. OAuth 2.0

2. User Print Service Photo Service
username, password
username, password
GET /photo
Photo
Printed photo
Traditional Client-Server Authentication Model

3. Problems
User Print Service Photo Service
username, password
username, password
GET /photo
Photo
Printed photo
1. Store user’s credentials
2. Can not revoke once given
4. Unlimited access
3. Password based
authentication

4. +--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | Authorization Grant & +---------------+
| |--(C)--- Client Credentials -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+
Protocol Flow

5. Roles
• resource owner
• resource server
• client
• authorization server

6. +--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | Authorization Grant & +---------------+
| |--(C)--- Client Credentials -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+

7. +--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | Authorization Grant & +---------------+
| |--(C)--- Client Credentials -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+

8. Authorization Code
Implicit
Resource Owner Password Credentials
Client Credentials

9. +----------+
| resource |
| owner |
| |
+----------+
^
|
(B)
+----|-----+ Client Identifier +---------------+
| -+----(A)--- & Redirect URI ------>| |
| User- | | Authorization |
| Agent -+----(B)-- User authenticates --->| Server |
| | | |
| -+----(C)-- Authorization Code ---<| |
+-|----|---+ +---------------+
| | ^ v
(A) (C) | |
| | | |
^ v | |
+---------+ | |
| |>---(D)-- Client Credentials, --------' |
| | Authorization Code, |
| Client | & Redirect URI |
| | |
| |<---(E)----- Access Token -------------------'
+---------+ (w/ Optional Refresh Token)
Authorization Code Request
GET /authorize?response_type=code&client_id=s6BhdRkqt3&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
scope=xxx&state=xxx HTTP/1.1
Host: server.example.com
Respond
HTTP/1.1 302 Found
Location:
https://client.example.com/cb?code=i1WsRn1uB1&
state=xxx

10. Request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&client_id=s6BhdRkqt3&
code=i1WsRn1uB1&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"token_type":"example",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8",
"example_parameter":"example_value"
}
+----------+
| resource |
| owner |
| |
+----------+
^
|
(B)
+----|-----+ Client Identifier +---------------+
| -+----(A)--- & Redirect URI ------>| |
| User- | | Authorization |
| Agent -+----(B)-- User authenticates --->| Server |
| | | |
| -+----(C)-- Authorization Code ---<| |
+-|----|---+ +---------------+
| | ^ v
(A) (C) | |
| | | |
^ v | |
+---------+ | |
| |>---(D)-- Client Credentials, --------' |
| | Authorization Code, |
| Client | & Redirect URI |
| | |
| |<---(E)----- Access Token -------------------'
+---------+ (w/ Optional Refresh Token)
Authorization Code

11. Implicit Grant
+----------+
| Resource |
| Owner |
| |
+----------+
^
|
(B)
+----|-----+ Client Identifier +---------------+
| -+----(A)--- & Redirect URI ----->| |
| User- | | Authorization |
| Agent -|----(B)-- User authenticates -->| Server |
| | | |
| |<---(C)---- Redirect URI ------<| |
| | with Access Token +---------------+
| | in Fragment
| | +---------------+
| |----(D)---- Redirect URI ------>| Web Server |
| | without Fragment | with Client |
| | | Resource |
| (F) |<---(E)------- Script ---------<| |
| | +---------------+
+-|--------+
| |
(A) (G) Access Token
| |
^ v
+---------+
| |
| Client |
| |
+---------+
Request
GET /authorize?response_type=token&client_id=s6BhdRkqt3&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Response
HTTP/1.1 302 Found
Location: http://example.com/rd#access_token=FJQbwq9&
token_type=example&expires_in=3600

12. Resource Owner Password Credentials
+----------+
| Resource |
| Owner |
| |
+----------+
v
|
(A) Password Credentials
|
v
+---------+ +---------------+
| | Client Credentials | |
| |>--(B)---- & Resource Owner ----->| |
| Client | Password Credentials | Authorization |
| | | Server |
| |<--(C)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+---------+ +---------------+
Request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id=s6BhdRkqt3&
username=johndoe&password=A3ddj3w
Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"token_type":"example",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8",
"example_parameter":"example_value"
}

13. +---------+ +---------------+
| | | |
| |>--(A)--- Client Credentials ---->| Authorization |
| Client | | Server |
| |<--(B)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+---------+ +---------------+
Client Credentials

14. Threats

15. CSRF on Authorization response

16. /authorize?state=xxx
Check state

17. ‘redirect_uri’ Attack
Victim Web App OAuth2 Provider
XSS - injects Javascript code to send URL loaded in browser
https://client.com/vuln
Attacker
malicious webpage
/binding
/authorize with wrong redirect_uri
/authorize
https://client.com/vuln?code=AUTH_CODE
AUTH_CODE
GET https://client.com/oauth/callback?code=AUTH_CODE
/token
access_token

18. • whitelist ‘redirect_uri’
• exact matches