OAuth 2.0
December 2022
Last month, I had to conduct an engagement, one of whose main objectives was to audit the authentication mechanism of a web application. I identified that the authentication flow relied on the OAuth 2.0 protocol and its OpenID extension, which is a standard that I was not very familiar with. This engagement was an opportunity to learn more about OAuth 2.0 and OpenID Connect. Here is an overview of what I have learned.
The basics of how OAuth 2.0 works are quite simple, but all the variations of its technicalities can be very complex to master.
The official documentation can be scary and is very technical. I learned mostly about OAuth 2.0 using the PortSwigger Academy and by following the OAuth 2.0 Nuts and Bolts course on Udemy.
Description
The OAuth protocol is integrated into many web applications. One of the most common examples of an OAuth implementation is a web application that allows users to log in or register using their social media account.
The main goal of the OAuth protocol is to allow a web application to have limited access to data held by another application, on behalf of the user. One problem solved by the OAuth protocol was the need for a user to hand his credentials to many providers in order to grant a specific web application access to his account data held by other third parties. For example, if a user wanted to grant Facebook access to his Outlook contact list, the user had to give his Outlook credentials to Facebook. This practice was deemed insecure.
Roles and parties
The OAuth flow involves 4 roles, and the exchanges occur between 3 parties.
| Role | Description |
|---|---|
| Resource owner | The user who owns the data, e.g. the end user. Gives their consent to the authorization server. |
| Authorization server | The OAuth 2.0 server that authenticates the user and issues the access token to the client. |
| Resource server | The server that receives the access token and returns data to the client. |
| Client | The web application that makes the requests to access data from a third party. |
Sometimes, the resource server and the authorization server are the same entity.
High-level differences between OpenID Connect and OAuth
OAuth was originally designed as a mechanism for giving web applications access to APIs and other third-party services via an access token. OAuth can be compared to a hotel key card: it gives you access to your hotel room and to various services, without caring about who the card holder is.
OpenID Connect, on the other hand, runs on top of the OAuth protocol. Unlike OAuth, OpenID Connect cares about who the user is (identity). It aims to give the client application information about the user via an id_token, which is a statement about the user.
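As an added illustration (not code from the original post): a minimal simulation of the authorization server minting an id_token and the client validating it before trusting the identity it carries. The issuer URL, client_id and shared HS256 secret are constructed assumptions; real providers use asymmetric keys published via JWKS.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not from any real provider). Real OIDC providers
# sign id_tokens with asymmetric keys published via JWKS; HS256 with a shared secret is
# used here only so the example runs offline.
SHARED_SECRET = b"demo-client-secret-not-for-production"
ISSUER = "https://issuer.example"   # assumed authorization server identifier
CLIENT_ID = "client-app-123"        # assumed client_id of the relying party

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(subject: str, nonce: str, now: int, ttl: int = 300, aud: str = CLIENT_ID) -> str:
    """Simulated authorization server: mint an id_token, a signed statement about the user."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": aud, "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_id_token(token: str, expected_nonce: str, now: int):
    """Client-side checks before trusting the identity; returns (claims, None) or (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None, "unexpected alg"
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != CLIENT_ID:  # a token minted for another client is not ours
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "token expired"
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        return None, "nonce mismatch"
    return claims, None
```

The access token, by contrast, is opaque to the client and is only checked by the resource server; the client must never derive the user's identity from it.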