OAuth with Facebook and Google Using .NET

Sathyaish Chakravarthy, Independent Consultant

[Diagram: the running example with the labels You, Contacts and Gmail alongside the three roles Resource Owner, Resource Server and Client; the same diagram appears on two consecutive slides]

OAuth is not about authentication.

OAuth allows you to give a third-party application the permission to use some of your resources on a resource server without giving the third party your user name and password on the resource server.

REGISTERING CLIENTS

• Google: console.developers.google.com

• Facebook: developers.facebook.com

ROLES & FLOWS

• Implicit Flow

• Authorization Code Flow

• Client Credentials Flow

• Resource Owner Password Credentials Flow

[Diagram: the roles, including the Resource Server, drawn around the four flows]

Authorization Code Flow from an End-User’s Perspective

Authorization Code Flow Under the Covers

[Diagram: You (Resource Owner), Client, Authorization Server and Resource Server, with arrows numbered 1 to 5; arrow 4 is “Exchange auth code for access token”]

[Diagram: OAuth 1.0, 1.0a and 2.0; 2.0 is not backward compatible]

Authorization Code Flow Under the Covers: Steps 1 and 2

[Diagram: You (Resource Owner) and the Client; arrows numbered 1 and 2]

GET – request parameters:

• client_id – Who is making this request?

• scope – What do they want to know about the user?

• response_type (reserved: code) – What do they want from me just now?

• redirect_uri – Where should I send them this stuff?

• state (optional but recommended) – CSRF token

Authorization Code Flow Under the Covers: Step 2

[Diagram: You (Resource Owner) and the Client; arrow numbered 2]

RESPONSE (302)

• code – Authorization code: Location: client_redirect_uri?code=ljfvknfANB3454

• error – or: Location: client_redirect_uri?error=access_denied

• state (CSRF token) – If you’d sent it

Authorization Code Flow Under the Covers: Step 3

[Diagram: You (Resource Owner) and the Client; arrow numbered 3]

GET

• code – Authorization code: client_redirect_uri?code=ljfvknfANB3454

• error – or: client_redirect_uri?error=access_denied

Authorization Code Flow Under the Covers: Step 4 – Exchange auth code for access token

[Diagram: Client and Authorization Server; arrow numbered 4]

GET or POST

• client_id – Who is making this request?

• client_secret – What’s the password I gave you earlier? Prove your identity.

• grant_type – What’s this flow? Oh, you’re a web server, so this must be the “authorization code” flow.

• code – Okay, show us the authorization code.

• state (optional but recommended) – CSRF token

RESPONSE (query string or request body)

• access_token

• state (optional but recommended) – CSRF token

Authorization Code Flow Under the Covers: Step 5

[Diagram: Client and Resource Server; arrow numbered 5]

GET or POST

• access_token – as query string, request body, or basic authentication / bearer authentication (HTTP Authorization header)
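Steps 1 to 5 above, carried through as one server-side web app client in C#. This is an added example, not the deck’s demo code and not Google’s or Facebook’s client library; it assumes .NET 6 or later, and the class name, method names, endpoint URIs and credentials are all supplied by the caller or are hypothetical. It handles the two response shapes the slides mention for step 4 (JSON body, or a query-string formatted body) and checks state before it looks at the code.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using System.Web;

// Hypothetical authorization-code client for a server-side web app (steps 1-5 of the slides).
// Endpoint URLs and client credentials come from the caller; nothing here is provider SDK code.
public sealed class AuthorizationCodeClient
{
    private readonly string _clientId, _clientSecret, _redirectUri;
    private readonly Uri _authorizeEndpoint, _tokenEndpoint;

    public AuthorizationCodeClient(string clientId, string clientSecret, string redirectUri,
                                   Uri authorizeEndpoint, Uri tokenEndpoint)
    {
        _clientId = clientId; _clientSecret = clientSecret; _redirectUri = redirectUri;
        _authorizeEndpoint = authorizeEndpoint; _tokenEndpoint = tokenEndpoint;
    }

    // The state parameter: an unguessable CSRF token. Keep it in the user's server-side session
    // before redirecting so the callback can be tied back to the browser that started the flow.
    public static string NewState() =>
        Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Step 1: the URL the client sends the resource owner's browser to.
    public string BuildAuthorizationUrl(string scope, string state)
    {
        var query = HttpUtility.ParseQueryString(string.Empty); // URL-encodes on ToString()
        query["client_id"] = _clientId;        // who is making this request
        query["scope"] = scope;                // what they want to know about the user
        query["response_type"] = "code";       // reserved value for this flow
        query["redirect_uri"] = _redirectUri;  // where the code should be sent
        query["state"] = state;                // CSRF token
        return new UriBuilder(_authorizeEndpoint) { Query = query.ToString() }.Uri.AbsoluteUri;
    }

    // Steps 2-3: the browser arrives at redirect_uri carrying ?code=... or ?error=...
    // Returns the authorization code; throws on error, on a missing code, or on a state mismatch.
    public static string ParseCallback(Uri callback, string expectedState)
    {
        var query = HttpUtility.ParseQueryString(callback.Query);
        var state = query["state"];
        // Check state first: a code that arrives without the token this session issued is not ours.
        if (state == null || !CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(state), Encoding.UTF8.GetBytes(expectedState)))
            throw new InvalidOperationException("state mismatch: flow was not started by this session");
        var error = query["error"];
        if (error != null)
            throw new InvalidOperationException("authorization server returned error=" + error);
        return query["code"] ?? throw new InvalidOperationException("callback carried no code");
    }

    // Step 4: back-channel exchange of the code for an access token. client_secret proves the
    // client's identity, so this request is made from the web server, never from the browser.
    public async Task<string> ExchangeCodeAsync(HttpClient http, string code)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret,
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = _redirectUri, // must equal the value sent in step 1
        });
        using var response = await http.PostAsync(_tokenEndpoint, form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new HttpRequestException($"token endpoint answered {(int)response.StatusCode}: {body}");
        return ParseTokenResponse(body, response.Content.Headers.ContentType?.MediaType);
    }

    // RFC 6749 defines a JSON body; some providers (older Facebook Graph API versions) answered with
    // a query-string formatted body instead, which is the "query string or request body" of the slides.
    public static string ParseTokenResponse(string body, string mediaType)
    {
        if (string.Equals(mediaType, "application/json", StringComparison.OrdinalIgnoreCase))
        {
            using var doc = JsonDocument.Parse(body);
            return doc.RootElement.GetProperty("access_token").GetString()
                   ?? throw new InvalidOperationException("access_token was null");
        }
        return HttpUtility.ParseQueryString(body)["access_token"]
               ?? throw new InvalidOperationException("no access_token in token response");
    }

    // Step 5: call the resource server. The Authorization header is preferred over a query-string
    // access_token because query strings end up in web server, proxy and browser-history logs.
    public static async Task<string> GetResourceAsync(HttpClient http, Uri resource, string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, resource);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Usage follows the slide numbering: call NewState(), store it in the user’s session, redirect to BuildAuthorizationUrl(scope, state); when the browser comes back, call ParseCallback(requestUri, stateFromSession), then ExchangeCodeAsync and finally GetResourceAsync. For Google the authorize and token endpoints are the ones documented on the OAuth2WebServer page linked under Further Reading (assumed here to be https://accounts.google.com/o/oauth2/v2/auth and https://oauth2.googleapis.com/token); Facebook’s are on its Facebook Login page.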


Roles

• You, the resource owner

• Client, the server side web app

• Resource server

• Authorization Server

DEMO: GOOGLE OAUTH CLIENT (AUTHORIZATION CODE FLOW)

DEMO: FACEBOOK OAUTH CLIENT (AUTHORIZATION CODE FLOW)

Summary: What’s in it for me?

[Diagram: what the User and the Client each get out of OAuth; spread over three slides]

Limitations of OAuth 2.0

• No discovery

• Requires HTTPS

• Open redirectors – RFC 6819 – OAuth 2.0 Threat Model and Security Considerations

• Implementations differ widely
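One of the mitigations RFC 6819 gives for the open-redirector item above is that the authorization server compares the redirect_uri in a request with the URI registered for that client as an exact string, not as a prefix or by host. The check below is an added illustration, not code from the deck and not Google’s or Facebook’s implementation; the class, the client id and the registered URI are constructed for the example.

```csharp
using System;
using System.Collections.Generic;

// Authorization-server side redirect_uri validation. Hypothetical code; the registration
// table is a constructed sample standing in for what the provider stored at client registration.
public static class RedirectUriPolicy
{
    private static readonly Dictionary<string, HashSet<string>> Registered = new()
    {
        ["sample-client-id"] = new HashSet<string>(StringComparer.Ordinal)
        {
            "https://app.example.com/oauth/callback",
        },
    };

    public static bool IsAllowed(string clientId, string redirectUri)
    {
        if (!Registered.TryGetValue(clientId, out var allowed)) return false;
        if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false; // OAuth 2.0 requires HTTPS
        if (uri.Fragment.Length > 0) return false;           // RFC 6749: no fragment component
        // Exact ordinal match. A prefix or host-only comparison would also accept other paths on
        // the same host, and any of them that forwards elsewhere becomes an open redirector for the code.
        return allowed.Contains(redirectUri);
    }
}
```

With this table, IsAllowed("sample-client-id", "https://app.example.com/oauth/callback") is true, while the same path with a different query string, a trailing slash, an http scheme or a fragment is rejected; the client must therefore register every callback URI it uses, which is what the Google and Facebook consoles ask for.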

Further Reading

• RFC 6749 – The OAuth 2.0 Authorization Framework – http://tools.ietf.org/html/rfc6749

• Google – https://developers.google.com/identity/protocols/OAuth2WebServer

• Facebook (Facebook Login) – https://developers.facebook.com/docs/facebook-login/v2.3