summaryrefslogtreecommitdiff
path: root/2020-12-07-oauth2.md
diff options
context:
space:
mode:
Diffstat (limited to '2020-12-07-oauth2.md')
-rw-r--r--2020-12-07-oauth2.md213
1 files changed, 213 insertions, 0 deletions
diff --git a/2020-12-07-oauth2.md b/2020-12-07-oauth2.md
new file mode 100644
index 0000000..c684da1
--- /dev/null
+++ b/2020-12-07-oauth2.md
@@ -0,0 +1,213 @@
+# Introduction
+
+* OAuth 2.0: Something I implemented in a previous job.
+
+* A common, almost fundamental protocol on the web, especially
+ for APIs.
+
+ - See: OKAPI
+
+* Solves a common problem: letting one site act on behalf of an end
+ user on another site.
+
+-----------------------------------------------------------------------------
+
+# Basic concepts
+
+* Identification "who are you?"
+
+ - all the relevant things others need to know about you
+ - name, date of birth, contact info, DNS sample, ...
+ - often just "this user account on this service"
+
+* Authentication: "how do I know it's really you?"
+
+ - something you know, something you have, something you are
+ - passwords
+ - hardware security tokens
+ - biometrics
+ - possibly several, depending
+
+* Authorization: "what should I allow you to do?"
+
+ - who said you can?
+
+-----------------------------------------------------------------------------
+
+# What OAuth2 is for?
+
+* Client authorization by end-user.
+
+* NOT end-user identification.
+
+* NOT end-user authentication.
+
+* NOT end-user authorization.
+
+* NOT client identification.
+
+* NOT client authentication.
+
+-----------------------------------------------------------------------------
+
+I hereby authorize this specific third party to access these bits of
+my data stored on this particular service. The third party has only
+specific, limited access, possibly for a limited time. I may withdraw
+my authorization at any time.
+
+-----------------------------------------------------------------------------
+
+# Example
+
+* Alice uses an email service, AMail.
+
+* Alice wants to have a book printed with all her emails. A
+ beautifully typeset, illustrated, color-printed, leather-bound, hard
+ cover book. An heirloom.
+
+* Book printing service, MailBooks, can do this, but needs to access
+ AMail to download all of Alice's emails.
+
+* How can this be done securely?
+
+-----------------------------------------------------------------------------
+
+# Not this way
+
+Alice gives MailBooks her username and password at AMail.
+
+MailBooks solemnly promises to not delete anything and to not send any
+mail, and to forget the password after they've got what they need for
+producing the book.
+
+Yeah right.
+
+-----------------------------------------------------------------------------
+
+# Not this way either
+
+MailBooks and AMail have a special agreement.
+
+AMail will give all the emails MailBooks asks for. MailBooks promises
+to only ask for email of people who say they want a book. MailBooks
+asks its customers to not lie about who they are.
+
+There is no way in which this might go badly.
+
+-----------------------------------------------------------------------------
+
+# No, just no
+
+Alice forwards each email to MailBooks. All 1.3 million of them.
+
+-----------------------------------------------------------------------------
+
+# OAuth2: Overview
+
+* Alice asks MailBooks for a book.
+
+* MailBooks tells her to authorize them on AMail.
+
+* Alice logs into AMail and clicks a button to authorize MailBooks.
+ AMail creates an **access token**.
+
+* Alice gives the access token to MailBooks.
+
+* MailBooks gives the access token to AMail and says it wants a copy
+ of every one of Alice's email.
+
+* AMail checks the token and responds with all a copy of all the emails.
+
+* MailBooks prints and sends the book to Alice.
+
+-----------------------------------------------------------------------------
+
+~~~plantuml
+@startuml
+actor Alice
+entity "Book service" as Booksite
+database "Email service" as Email
+
+Alice -> Booksite: Want book!
+Booksite -> Email: May I get emails?
+Email -> Alice: OK to give emails to Booksite?
+Alice -> Email: Sure!
+Email -> Booksite: Have an access token
+Booksite -> Email: Emails please
+Booksite -> Alice: Your book, bitte
+@enduml
+~~~
+
+
+-----------------------------------------------------------------------------
+
+# Details
+
+* HTTPS: always when credentials or tokens are transmitted
+* access and **refresh tokens**: may be opaque to clients
+ - but JWT is common
+* tokens are for a specific client and service
+* tokens specify a **scope**: what operations they allow
+* tokens expire → refresh tokens
+* endpoint discovery: originally unspecified
+
+-----------------------------------------------------------------------------
+
+# Transaction 1: four specified grant variants
+
+* authorization code: OKish, but security can be improved
+
+ * a lot of HTTP redirects
+
+* client credentials: bots without end users
+
+* implicit: don't use, trusts browser too much
+
+* resource owner password credentials: NO, JUST NO!
+
+* any of these may of course fail
+
+-----------------------------------------------------------------------------
+
+# Transaction 2: use access token
+
+* send request + token to resource provider (server)
+
+
+-----------------------------------------------------------------------------
+
+# Transaction 3: get new access token
+
+* When access token expires.
+
+* Or when a client wants to give another client an access token,
+ possibly with less scope.
+
+-----------------------------------------------------------------------------
+
+# SEE ALSO
+
+
+* [RFC 6749](https://tools.ietf.org/html/rfc6749)
+* [OAuth website](https://oauth.net/)
+* [Yuck](https://yuck.liw.fi/)
+
+
+-----------------------------------------------------------------------------
+
+# Legalese
+
+Copyright 2020 Wikimedia Foundation
+
+This content is licensed under the Creative Commons
+Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.
+
+[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/
+
+
+---
+title: "The OAuth 2.0 Protocol"
+subtitle: "EngProd paper club: RFC 6749"
+author: "Lars Wirzenius"
+date: "2020-12-07"
+...