2. WHAT IS OAUTH 2
OAuth 2.0 is the industry-standard framework for authorization.
It enables a third-party application to obtain limited access to an HTTP service
(either on behalf of the resource owner, or by allowing the third-party application
to obtain access on its own).
Transport Layer Security (TLS) must be used for every request.
https://oauth.net/2/
4. THE ROLES
• Resource Owner
generally a human: yourself
• Resource Server
any server that holds data we want to get access to, e.g. Google profile
data with personal information
• Client
the application that requests access to a resource server (backend, frontend,
mobile application)
• Authorization Server
the server where the access policy is defined; based on that policy it issues
access tokens to clients
[Diagram: Resource Owner (real user: me, you) -> Client (any application) -> Authorization Server -> Resource Server (server that serves some data / logic)]
5. CLIENT TYPES
• Web application that runs entirely on the server
• User-agent-based application
• Native applications
Confidential
Clients capable of maintaining the confidentiality of
their credentials (e.g., client implemented on a secure
server with restricted access to the client credentials),
or capable of secure client authentication using other
means.
Public
Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by
the resource owner, such as an installed native application
or a web browser-based application), and incapable of
secure client authentication via any other means.
6. TOKENS
Refresh Token
• issuing a refresh token is optional, at the discretion of the authorisation server;
this token is issued together with the access token but it is not sent in each request
• used to request a new access token (mainly when the old one has expired and we
must renew it); the scope of the new token could change
• valid only in combination with client authentication
• for security reasons, it is not always possible to obtain this token
• unlike access tokens, refresh tokens are intended for use only with authorisation
servers and are never sent to resource servers
Access Token
• allows the client to access the data from the resource server
• this token is sent by the client as a parameter or as a header in the request to
the resource server
• has a limited lifetime, which is defined by the authorisation server settings
• must be kept as confidential as possible (for example by storing it in a cookie
with the HttpOnly and Secure flags)
7. SCOPES
• the scope is a parameter used to limit the rights of the access token
• it is the authorization server that defines the list of available scopes
(case sensitive)
• the client then sends the scopes it wants to use during the authorization
process, and the authorization server may override them
https://YOUR_AUTH0_DOMAIN/authorize?
scope=read%20profile&
response_type=id_token&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://YOUR_APP/callback&
nonce=YOUR_CRYPTOGRAPHIC_NONCE&
state=YOUR_OPAQUE_VALUE
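The request above is assembled by hand on the slide. The following Python (stdlib only) is an added example, not code from the deck or from Auth0: it builds the same authorization request with a fresh, unguessable state and nonce, and then checks the callback for the state it issued so that a forged or replayed redirect is rejected. The endpoint, client id and redirect URI are the slide's placeholders and are assumed values; the in-memory _pending dict stands in for the user's server-side session. It uses response_type=code rather than the slide's id_token, so it covers the authorization code flow as well.

```python
import secrets
from urllib.parse import urlencode, quote, urlparse, parse_qs

# Hypothetical values standing in for the placeholders used on the slide.
AUTHORIZE_ENDPOINT = "https://YOUR_AUTH0_DOMAIN/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://YOUR_APP/callback"

# Authorization requests we have started, keyed by state. In a real client this
# lives in the user's server-side session, not in a module-level dict.
_pending = {}


def query_params(url):
    """First value of every query parameter in url, as a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_request(scopes, response_type="code"):
    """Build the authorization request URL.

    state and nonce are fresh, unguessable values from the secrets module; the
    state is remembered so the callback can be tied back to this request.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    _pending[state] = {"nonce": nonce, "redirect_uri": REDIRECT_URI}
    params = {
        "scope": " ".join(scopes),      # space separated and case sensitive
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "nonce": nonce,
        "state": state,
    }
    # quote_via=quote encodes the space in scope as %20, as on the slide.
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def validate_callback(callback_url):
    """Check the redirect back from the authorization server.

    Returns {"code": ..., "nonce": ...} when the callback carries a code and a
    state we issued, otherwise None. The state is consumed on first use, so a
    replayed or forged callback is rejected.
    """
    parsed = urlparse(callback_url)
    query = query_params(callback_url)
    state = query.get("state")
    pending = _pending.pop(state, None) if state is not None else None
    if pending is None:
        return None                      # unknown, missing or already used state
    if "error" in query or "code" not in query:
        return None                      # user denied, or the server reported an error
    # The callback must arrive on exactly the redirect URI we registered.
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != pending["redirect_uri"]:
        return None
    return {"code": query["code"], "nonce": pending["nonce"]}
```

The nonce returned by validate_callback is kept so that, when an ID token comes back, its nonce claim can be compared against the one sent; the state check is what ties the callback to a request this client actually started.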
8. AUTHORIZATION GRANT
An authorization grant is a credential representing the resource owner's
authorization (to access its protected resources), used by the client to obtain
an access token.
Grant types and the clients they are intended for:
• authorization code: confidential clients only
• resource owner password credentials: device operating system, privileged applications
• implicit: public clients, browser applications
• client credentials: confidential clients only
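To tie the grant slide to the token slide, here is an added Python example (stdlib only, not the deck's or Auth0's code) of what a confidential client does after the authorization code comes back: it authenticates itself to the token endpoint with HTTP Basic (the client authentication the refresh token is only valid with), exchanges the code, stores the token record with its expiry, sends only the access token to the resource server, and refreshes through the token endpoint when the access token is about to expire. The token endpoint URL and client secret are assumed placeholder values, and constructed_token_endpoint is a constructed stand-in so the example runs offline.

```python
import base64

# Hypothetical values standing in for the placeholders used on the slides.
TOKEN_ENDPOINT = "https://YOUR_AUTH0_DOMAIN/oauth/token"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"   # confidential client only: never ships in a browser or native app
REDIRECT_URI = "https://YOUR_APP/callback"


def client_auth_header():
    """HTTP Basic client authentication for the token endpoint (RFC 6749, section 2.3.1)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def authorization_code_request(code):
    """Form body that exchanges an authorization code for tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the one sent in the authorization request
        "client_id": CLIENT_ID,
    }


def refresh_request(refresh_token, scopes=None):
    """Form body that asks for a new access token using the refresh token."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scopes:
        body["scope"] = " ".join(scopes)   # may only narrow the originally granted scope
    return body


def parse_token_response(resp, now):
    """Turn the token endpoint's JSON response into the record the client stores."""
    if "error" in resp:
        raise ValueError("token endpoint error: " + resp["error"])
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    return {
        "access_token": resp["access_token"],
        "refresh_token": resp.get("refresh_token"),      # optional, the server's choice
        "expires_at": now + int(resp.get("expires_in", 0)),
        "scopes": resp.get("scope", "").split(),
    }


def resource_request_headers(token, now, skew=30):
    """Headers for a call to the resource server, or None if the access token is
    expired (or about to be). Only the access token ever goes to the resource server."""
    if now + skew >= token["expires_at"]:
        return None
    return {"Authorization": "Bearer " + token["access_token"]}


def ensure_fresh(token, now, post_to_token_endpoint):
    """Return a usable token record, refreshing through the token endpoint when needed.

    post_to_token_endpoint(headers, body) -> dict is injected so the example runs
    offline; a real client would POST the body to TOKEN_ENDPOINT with those headers.
    """
    if resource_request_headers(token, now) is not None:
        return token
    if not token["refresh_token"]:
        raise RuntimeError("access token expired and no refresh token: start the authorization flow again")
    resp = post_to_token_endpoint(client_auth_header(), refresh_request(token["refresh_token"]))
    new = parse_token_response(resp, now)
    if new["refresh_token"] is None:
        new["refresh_token"] = token["refresh_token"]   # server kept the old refresh token valid
    return new


# Constructed sample response to a code exchange, and a constructed stand-in for
# the token endpoint; neither comes from a real authorization server.
CONSTRUCTED_CODE_RESPONSE = {"access_token": "at-1", "token_type": "Bearer",
                             "expires_in": 3600, "refresh_token": "rt-1", "scope": "read profile"}


def constructed_token_endpoint(headers, body):
    """Accepts only client-authenticated requests, as a real token endpoint would."""
    if not headers.get("Authorization", "").startswith("Basic "):
        return {"error": "invalid_client"}
    if body["grant_type"] == "refresh_token" and body["refresh_token"] == "rt-1":
        return {"access_token": "at-2", "token_type": "Bearer", "expires_in": 3600}
    return {"error": "invalid_grant"}
```

Note that the refresh token never appears in resource_request_headers: it only travels in a client-authenticated request to the token endpoint, which is the point of the "never sent to resource servers" bullet on the token slide.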
31. JSON WEB TOKEN (JWT)
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and
self-contained way for securely transmitting information between parties as a
JSON object.
This information can be verified and trusted because it is digitally signed.
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private
key pair using RSA.
[Diagram: the Client obtains a token from the Authorization Server, sends the token to the Resource Server, and the Resource Server checks it]
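The "check" step in the diagram is what a resource server does with a JWT access token. As an added example (stdlib Python, not code from the deck or from any library), the block below signs a token with the HMAC variant the slide mentions (HS256) and verifies it the way a resource server should: the algorithm is pinned rather than read from the header, the signature is compared in constant time, and exp, nbf, iss and aud are checked. The key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign_hs256(claims, key):
    """Produce header.payload.signature for the given claims with an HMAC-SHA256 secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_verify_hs256(token, key, now, expected_iss=None, expected_aud=None):
    """Return the claims if the token checks out, otherwise None.

    now is a Unix timestamp supplied by the caller so the check is deterministic.
    """
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:                  # wrong number of parts, bad base64 or bad JSON
        return None
    # Pin the algorithm: the header is attacker-controlled until the signature is
    # verified, so it must never choose the verifier (this also rejects "alg":"none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if "exp" in claims and now >= claims["exp"]:
        return None                              # expired
    if "nbf" in claims and now < claims["nbf"]:
        return None                              # not yet valid
    if expected_iss is not None and claims.get("iss") != expected_iss:
        return None
    if expected_aud is not None and claims.get("aud") != expected_aud:
        return None
    return claims
```

With a shared secret, every party that can verify a token can also mint one, which is why the slide's RSA option (private key at the authorization server, public key at the resource servers) is the usual choice when more than one resource server checks the same tokens.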