OAuth 2.0

From BloomWiki
Jump to navigation Jump to search

OAuth 2.0[edit]

OAuth 2.0 is an open-standard authorization framework that enables secure delegated access to protected resources without sharing user credentials, widely used across modern web and mobile applications.

Remembering (Knowledge / Recall) 🧠[edit]

Core terminology & definitions[edit]

  • OAuth – A family of authorization standards allowing a resource owner to grant limited access to client applications.
  • Authorization Grant – A credential representing the resource owner's permission.
  • JSON Web Token (JWT) – A compact token format often used for access tokens.
  • RFC 6749 – The IETF specification defining OAuth 2.0.
  • Client ID / Client Secret – Identifiers used by applications requesting authorization.

Key components / actors / elements[edit]

  • Authorization Server – Issues tokens after authenticating and authorizing the user.
  • Resource Server – Hosts protected API endpoints.
  • Client Application – Requests access on behalf of the user.
  • Resource Owner – The user controlling access to resources.

Canonical models, tools, or artifacts[edit]

  • OpenID Connect – Identity layer built on top of OAuth 2.0.
  • Bearer Tokens – Standard token type transmitted in HTTP headers.
  • PKCE (Proof Key for Code Exchange) – Extension improving authorization code security.

Typical recall-level facts[edit]

  • Introduced in 2012 (RFC 6749).
  • Used by major platforms such as Google, Facebook, GitHub, and Microsoft.
  • Focuses on authorization, not authentication.

Understanding (Comprehension) πŸ“–[edit]

Conceptual relationships & contrasts[edit]

  • Differs from Basic Authentication by avoiding password sharing.
  • Complements rather than replaces authentication systems; identity is addressed by OpenID Connect.
  • Succeeds OAuth 1.0 by simplifying cryptographic requirements and expanding grant types.

Core principles & paradigms[edit]

  • Separation of roles between authorization and resource servers.
  • Delegation: users grant scoped access rather than full control.
  • Token-based: access is mediated by time-limited, revocable tokens.

How it works (high-level)[edit]

  • Client registers with authorization server β†’ receives Client ID.
  • User attempts protected action β†’ client sends authorization request.
  • Authorization server authenticates user and prompts for consent.
  • Server issues an authorization grant β†’ client exchanges it for a token.
  • Client uses access token to call resource server APIs.

Roles & perspectives[edit]

  • End users – Want privacy and minimal risk when granting access.
  • Developers – Aim for secure flows with minimal friction.
  • Service providers – Enforce policies, scopes, and token lifetimes.

Applying (Use / Application) πŸ› οΈ[edit]

"Hello, World" example (minimal)[edit]

  • A client app requests authorization to read a user's profile.
  • The user approves via the authorization server's consent screen.
  • The client obtains an access token and uses it in the `Authorization: Bearer` header to call the API.

Core task loops / workflows[edit]

  • Register client β†’ configure redirect URIs.
  • Implement Authorization Code flow (with PKCE for public clients).
  • Request and store tokens securely.
  • Refresh tokens before expiry, if supported.

Frequently used actions / methods / techniques[edit]

  • Constructing authorization URLs.
  • Exchanging authorization codes for tokens.
  • Validating token signatures and scopes on the resource server.
  • Performing token introspection or revocation requests.

Real-world use cases[edit]

  • Mobile apps accessing cloud APIs.
  • Third-party integrations with social login providers.
  • Enterprise applications delegating access to microservices.
  • IoT devices using Device Authorization Grant.

Analyzing (Break Down / Analysis) πŸ”¬[edit]

Comparative analysis[edit]

  • Versus API keys: OAuth provides scoped, revocable, user-consented access.
  • Versus SAML: OAuth is lightweight and optimized for APIs rather than enterprise identity federation.
  • Historically replaced OAuth 1.0’s complex signature system with simpler bearer tokens.

Structural insights[edit]

  • Authorization Code, Client Credentials, Device Code, Refresh Token flows form the core architecture.
  • Tokens carry scopes representing permitted operations.
  • Separation of authorization vs resource servers allows distributed security design.

Failure modes & root causes[edit]

  • Misconfigured redirect URIs β†’ open redirect vulnerabilities.
  • Storing tokens insecurely β†’ token theft.
  • Failing to use PKCE in public clients β†’ authorization code interception.

Troubleshooting & observability[edit]

  • Inspect access token expiry, issuer, and scope.
  • Log authorization errors such as `invalid_grant` or `invalid_scope`.
  • Monitor token issuance rates and misuse patterns.

Creating (Synthesis / Create) πŸ—οΈ[edit]

Design patterns & best practices[edit]

  • Prefer Authorization Code + PKCE for web, mobile, and native apps.
  • Use short-lived access tokens with refresh tokens.
  • Restrict scopes to the minimum required.
  • Store sensitive credentials only on secure, confidential clients.

Integration & extension strategies[edit]

  • Add OpenID Connect for authentication and identity claims.
  • Integrate with API gateways for centralized token validation.
  • Extend with JWT-based custom claims for domain-specific authorization.

Security, governance, or ethical considerations[edit]

  • Protect user consent processes to prevent dark-pattern abuses.
  • Ensure TLS is mandatory for all token exchanges.
  • Provide revocation endpoints for user control and compliance.

Lifecycle management strategies[edit]

  • Rotate keys used for signing tokens (JWKS).
  • Version API scopes as services evolve.
  • Migrate legacy flows to PKCE-enabled flows.

Evaluating (Judgment / Evaluation) βš–οΈ[edit]

Evaluation frameworks & tools[edit]

  • Assess token security (entropy, expiry, signature validation).
  • Evaluate implementation via OAuth 2.0 Security Best Current Practice (BCP).
  • Use test suites such as OpenID Foundation's conformance tests.

Maturity & adoption models[edit]

  • Widely adopted across SaaS, consumer apps, and enterprise APIs.
  • Active ecosystem with libraries for major languages and platforms.
  • Barriers include complexity of correct implementation and security hardening.

Key benefits & limitations[edit]

  • Benefits: delegated access, strong security properties, ecosystem support.
  • Limitations: complexity, risk of insecure deployments, need for additional identity layer.

Strategic decision criteria[edit]

  • Use when third-party or cross-service access delegation is required.
  • Avoid for simple internal APIs where mutual TLS or API keys suffice.
  • Consider long-term maintainability and compliance requirements.

Holistic impact analysis[edit]

  • Enables interoperable, user-centric authorization across the web.
  • Strong influence on microservices, identity, and API-driven architectures.
  • Ongoing evolution includes OAuth 2.1 consolidation and hardened best practices.
Retrieved from "http://bloomwiki.org/index.php?title=OAuth_2.0&oldid=28"