Microsoft Identity Platform – Part 2

Let’s look at OAuth this week!

Let’s assume we have a user and two websites (Website 1 and Website 2). The user is trying to access Website 2 via Website 1.

In the password anti-pattern implementation, Website 1 stores or logs the user’s credentials, which is insecure: Website 1 can now use those credentials for any unintended purpose. This led to OAuth 1.0.

With OAuth 1.0 (RFC), delegation was introduced, so we no longer needed to save the user’s credentials. However, there were other shortcomings, for example:

  • Access tokens were not short-lived.
  • Applications had to implement the cryptographic requirements themselves.

OAuth 2.0 (RFC) solved the problems of OAuth 1.0. Let’s see how OAuth 2.0 works.

  • Foremost, it is an authorization framework: it delegates permission to an application to access protected resources.

Figure: snippet from the OAuth RFC

As you can see, tokens are at the core of all OAuth transactions. For authentication, an application can use OAuth along with OpenID Connect. How? For this we need to look at the tokens. There are three types of token involved in OAuth 2.0 and OpenID Connect.

ID tokens are used to sign in the user (used by OpenID Connect).

Access tokens hold the permissions to access protected resources.

Refresh tokens are used to obtain new tokens without requiring the user to log in again.

OpenID Connect and OAuth in action

  • The user signs in with credentials (AuthN) and consents to the requested permissions (AuthZ).
  • The authorize endpoint (Microsoft identity platform) returns an id_token and an authorization_code.
  • The web server validates the id_token and sets the session cookie.
  • The web server communicates with the token endpoint (Microsoft identity platform), presenting the authorization_code, to get the token.
  • The web application now calls the web API with the token (to be precise, the access_token).
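Steps 2 and 3 above are where a relying party most often goes wrong: the id_token must be checked (signature, issuer, audience, expiry and the nonce bound to the session) before any claim in it is trusted and a session cookie is set. The following is an added example, not code from the post or from the Microsoft identity platform; the tenant, client id, redirect URI and signing key are constructed placeholders, and an HS256 HMAC stands in for the platform’s published RS256 keys purely so the demo runs offline.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Constructed placeholders for an offline demo; not a real tenant, app or key.
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://website1.example/auth/callback"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
AUTHORIZE = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
DEMO_KEY = b"constructed-demo-key"  # stands in for the platform's published RS256 keys

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorize_url(state: str, nonce: str) -> str:
    # Steps 1-2: hybrid request asking for id_token and authorization code together.
    # state is bound to the browser session; nonce is bound to the returned id_token.
    params = {"client_id": CLIENT_ID, "response_type": "code id_token",
              "redirect_uri": REDIRECT_URI, "scope": "openid profile",
              "response_mode": "form_post", "state": state, "nonce": nonce}
    return AUTHORIZE + "?" + urlencode(params)

def mint_demo_id_token(claims: dict) -> str:
    # Demo-only HS256 signer standing in for the identity platform.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    # Step 3: verify the signature, then iss, aud, exp and nonce before
    # trusting any claim and creating a session cookie.
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("id_token rejected: bad signature")
    claims = json.loads(b64url_decode(body))
    checks = {"iss": claims.get("iss") == ISSUER,
              "aud": claims.get("aud") == CLIENT_ID,
              "exp": now < claims.get("exp", 0),
              "nonce": claims.get("nonce") == expected_nonce}
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        raise ValueError("id_token rejected: " + ", ".join(failed))
    return claims
```

Against a real tenant the signature check is done with the key from the platform’s JWKS endpoint selected by the token’s `kid` header, and the same iss/aud/exp/nonce checks apply unchanged.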

OAuth 2.0 solved the problems of OAuth 1.0, and OAuth 1.0 solved the problem of the password anti-pattern. Currently most modern applications use OAuth 2.0.

Next week, let’s look at the various flows in OAuth 2.0 + OpenID Connect.

One response to “Microsoft Identity Platform – Part 2”

  1. […] Part 1 and Part2, we have been looking at the basics of identity (AuthN and AuthZ) and how SAML and OAuth work. […]

