oauth 2 presentation

OAuth 2, Mohamed Ahmed Abdullah (19 slides)

Posted 22-Jan-2018

TRANSCRIPT

Page 1: OAuth 2 Presentation

OAuth 2

Mohamed Ahmed Abdullah

Page 2

Google Calendar Dilemma

(Diagram: a user, Mohamed, and his password, "Secret 123")

Page 3

Import Contact

(Diagram: ESPN importing a user's contacts from Facebook)

Page 4

What is the Solution?

(Diagram: Clients, Scopes, Authorization Server)

Page 5

In Reality (Mobile)

Page 6

In Reality (website)

Page 7

The Implicit Flow

(Sequence diagram; participants: Identity Server, Resources Host, Client (Desktop or Mobile), Resource Owner)

1. Resource Owner -> Client: pressing the Login button
2. Client -> Identity Server: Client Id and Redirection URI
3. Identity Server -> Resource Owner: "Client X wants to access A, B and C (Scopes)"
4. Resource Owner -> Identity Server: OK
5. Identity Server -> Client: Access Token
6. Client -> Resources Host: GET, using Bearer Access Token
7. Resources Host -> Identity Server: Is this Token Legitimate?
8. Identity Server -> Resources Host: Yes
9. Resources Host -> Client: Here are the Resources

Page 8

The Implicit Flow

Authorization request (response_type=token) sent by the demo client:

https://identityserver.sudatel.sd/identityServer/identity/connect/consent?client_id=tripgalleryimplicit&redirect_uri=https%3A%2F%2Fidentityserver.sudatel.sd%2FIdentityServerClient%2Fcallback.html&response_type=token&scope=gallerymanagement

Login Redirection

Location:https://identityserver.sudatel.sd/IdentityServerClient/callback.html#access_token=eyJ0e…900 Char …….NGg&token_type=Bearer&expires_in=20&scope=gallerymanagement

When authorization finishes, the Identity Server redirects the browser to this Location. The access token is carried in the URL fragment (after the #), which the browser does not send to the server hosting callback.html; the client-side script reads it from the fragment. token_type=Bearer means the token is presented as-is in the Authorization header, and expires_in is the lifetime in seconds (20 here, a very short demo setting).

Page 9

Authorization Code

Page 10

(Sequence diagram; participants: Identity Server, Resources Host, Client split into Server Side and Client Side (Browser), Resource Owner)

1. Resource Owner -> Client (browser): pressing the Login button
2. Client -> Identity Server: Client Id and Redirection URI
3. Identity Server -> Resource Owner: "Client X wants to access A, B and C (Scopes)"
4. Resource Owner -> Identity Server: OK
5. Identity Server -> Client (browser, via redirect): Authorization Code
6. Client (server side) -> Identity Server: Authorization Code + Client Secret
7. Identity Server -> Client (server side): Access Token + Refresh Token (the slide labels these "Authorization Token"; the OAuth 2 term is access token)
8. Client (server side) -> Client (browser): a session cookie that the server maps to the token (the slide says "Authorization Token as cookie"; the access and refresh tokens themselves should stay on the server side, and the cookie should be Secure and HttpOnly)
9. Client (server side) -> Resources Host: GET, using Bearer Access Token
10. Resources Host -> Identity Server: Is this Token Legitimate?
11. Identity Server -> Resources Host: Yes
12. Resources Host -> Client: Here are the Resources

Page 11

The differences between Implicit Flow and Authorization Code

• Implicit is for untrusted (public) clients (Mobile, Desktop, Angular); Authorization Code is for servers (Web Sites, APIs) that can keep a secret
• Implicit access tokens expire fast
• In the implicit flow no client secret is used
• Implicit has no refresh token
• Note (the slides are from 2018; later guidance): the OAuth 2.0 Security Best Current Practice (RFC 9700) discourages the implicit grant, because the access token is exposed in the URL and the response cannot be bound to the client that requested it, and recommends the authorization code flow with PKCE (RFC 7636) for public clients as well

Page 12

Resource Owner Password Flow

• The client is highly trusted (it handles the user's password directly)
• The app discards the password after getting the token

Page 13

Client Credential Flow

• The client wants to access its own data, not a user's data

• Should be used only if you have a server: it authenticates with the client secret, so it can't be done from untrusted sources
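As an added example, not code from the presentation or from IdentityServer, the following runs the flows of pages 10 to 13 in one process: a minimal in-memory authorization server, a confidential client doing the authorization code flow, the client credentials grant for the client's own data, and a resource host that asks "Is this token legitimate?" via an RFC 7662-style introspection call. The client name "tripgallery", secret "s3cr3t", redirect URI "https://client.example/callback" and user "mohamed" are constructed for the example; PKCE (RFC 7636) and the state check are included because they are how a current client should bind the code to its own request, even though the slides do not mention them.

```python
# Added example, not from the presentation: in-process OAuth 2 authorization server,
# confidential client and resource host. All client names, secrets and URIs are constructed.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # unpadded, as PKCE requires


class AuthorizationServer:
    def __init__(self):
        # Registered clients (constructed): secret, exact redirect URIs, allowed scopes.
        self.clients = {"tripgallery": {"secret": "s3cr3t",
                                        "redirect_uris": {"https://client.example/callback"},
                                        "scopes": {"gallerymanagement"}}}
        self.codes = {}   # authorization code -> pending grant (single use)
        self.tokens = {}  # access token -> {client_id, scope, sub, exp}

    def authorize(self, user, params):
        """Front channel: the user pressed Login and answered "OK" on the consent screen."""
        client = self.clients.get(params["client_id"])
        if client is None or params["redirect_uri"] not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")  # never redirect here
        if not set(params["scope"].split()) <= client["scopes"]:
            raise ValueError("scope not allowed for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params["scope"], "user": user, "exp": time.time() + 60,
                            "code_challenge": params["code_challenge"]}
        # Redirect back with the code; the client's own state is echoed so it can detect CSRF.
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Back channel: the client authenticates with its secret, then redeems a code or itself."""
        client = self.clients.get(form["client_id"])
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        if form["grant_type"] == "client_credentials":  # page 13: the client's own data, no user
            if not set(form.get("scope", "").split()) <= client["scopes"]:
                raise ValueError("invalid_scope")
            return self._issue(form["client_id"], form.get("scope", ""), sub=None)
        if form["grant_type"] != "authorization_code":
            raise ValueError("unsupported_grant_type")
        pending = self.codes.pop(form["code"], None)  # pop: a code can be redeemed only once
        if (pending is None or pending["exp"] < time.time()
                or pending["client_id"] != form["client_id"]
                or pending["redirect_uri"] != form["redirect_uri"]):
            raise ValueError("invalid_grant")
        # PKCE: the verifier must hash to the challenge that was sent on the front channel.
        if b64url(hashlib.sha256(form["code_verifier"].encode()).digest()) != pending["code_challenge"]:
            raise ValueError("invalid_grant")
        return self._issue(form["client_id"], pending["scope"], pending["user"])

    def _issue(self, client_id, scope, sub):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": client_id, "scope": scope, "sub": sub, "exp": time.time() + 300}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 300, "scope": scope}

    def introspect(self, token):
        """The resource host's "Is this token legitimate?" question, answered RFC 7662 style."""
        info = self.tokens.get(token)
        if info is None or info["exp"] < time.time():
            return {"active": False}
        return {"active": True, **info}


class ResourceHost:
    def __init__(self, auth_server):
        self.auth = auth_server

    def get(self, authorization_header, required_scope="gallerymanagement"):
        """GET using the Bearer token; 401 unless the token is active and carries the scope."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth.introspect(token) if scheme == "Bearer" else {"active": False}
        if not info["active"] or required_scope not in info["scope"].split():
            return 401, None
        return 200, "gallery of " + (info["sub"] or info["client_id"])


def run_authorization_code_flow(auth_server, resource_host):
    """The confidential client's side of page 10; returns the resource host's (status, body)."""
    client_id, secret, redirect_uri = "tripgallery", "s3cr3t", "https://client.example/callback"
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(32)
    request = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
               "scope": "gallerymanagement", "state": state,
               "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
               "code_challenge_method": "S256"}
    callback = parse_qs(urlparse(auth_server.authorize("mohamed", request)).query)
    if callback["state"][0] != state:
        raise ValueError("state mismatch: response is not for a request this client made")
    tokens = auth_server.token({"grant_type": "authorization_code", "code": callback["code"][0],
                                "redirect_uri": redirect_uri, "client_id": client_id,
                                "client_secret": secret, "code_verifier": verifier})
    return resource_host.get("Bearer " + tokens["access_token"])
```

Running `run_authorization_code_flow(auth, ResourceHost(auth))` on a fresh `AuthorizationServer()` returns `(200, "gallery of mohamed")`; redeeming the same code again, presenting a wrong client secret, a wrong code verifier or an unregistered redirect URI all fail on the server side before any token is issued, which is the difference between this flow and the implicit flow, where the token is handed to whatever receives the redirect.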

Page 14

What is bad about OAuth

• Interoperability: you can't write one piece of code that works for all providers. You have to discover each provider's endpoints and log on to one of them.

• In the implicit flow, the token comes back in the URL fragment, so the redirect URI should be something odd that the browser does not actually request as a page; the client reads the token from the fragment instead.

Page 15

When to Use OAuth

• Single Sign On
• Scalable solutions (many servers), because token validation is stateless: no server-side session is needed
• Content providers (Facebook, …)
• When you have 3 entities: your API, one of your users, and the other user whose data they want to access
• Best solution for authorization (OAuth 2 itself is an authorization framework; for authentication and Single Sign On it is paired with OpenID Connect)

Page 16

Thanks To

Eran Hammer

Page 17

References and Resources

• https://github.com/IdentityServer/IdentityServer3
• Getting Started with OAuth 2.0
• https://www.pluralsight.com/

Page 18

Any Question?

Page 19

How to setup OAuth

1. http://oauth.net/2/ (libraries for .NET, Java, PHP, Python, NodeJS, Ruby, …)
2. For .NET get it from https://github.com/IdentityServer/IdentityServer3
3. I recommend using a real certificate for your development; it will speed up the process
4. Change the constant project URIs to fit your URIs
5. Build the Identity Server and the Resources Host
6. Install Fiddler and Wireshark to help you debug your application
7. During development you can use in-memory users and clients, but then you have to set up the databases
8. Then you can start developing your APIs
3. I Recommend to use real certificate for your development, it will speed up the process 4. Change the Constant Project URIs to Fit your URIs5. Build the Identity Server and the Resources Host6. Install Fiddler and Wireshark to help you debug your application7. At the development you can use in memory Users and Clients, but then you have to setup the Databases8. Then you can start With your developing APIs