# Introduction

* OAuth 2.0: Something I implemented in a previous job.

* A common, almost fundamental protocol on the web, especially
  for APIs.

  - See: OKAPI

* Solves a common problem: letting one site act on behalf of an end
  user on another site.

-----------------------------------------------------------------------------

# Basic concepts

* Identification "who are you?"

  - all the relevant things others need to know about you
  - name, date of birth, contact info, DNA sample, ...
  - often just "this user account on this service"

* Authentication: "how do I know it's really you?"

  - something you know, something you have, something you are
  - passwords
  - hardware security tokens
  - biometrics
  - possibly several, depending
  
* Authorization: "what should I allow you to do?"

  - who said you can?

-----------------------------------------------------------------------------

# What is OAuth2 for?

* Client authorization by the end-user: the user lets one site act on
  their behalf at another site.

* NOT end-user identification.

* NOT end-user authentication.

  - that is what OpenID Connect adds on top of OAuth2

* NOT end-user authorization.

* NOT client identification.

* NOT client authentication.

  - confidential clients do present a client secret at the token
    endpoint (RFC 6749 §2.3), but that is a mechanism inside the flow,
    not what the protocol is for

-----------------------------------------------------------------------------

I hereby authorize this specific third party to access these bits of
my data stored on this particular service. The third party has only
specific, limited access, possibly for a limited time. I may withdraw
my authorization at any time.

-----------------------------------------------------------------------------

# Example

* Alice uses an email service, AMail.

* Alice wants to have a book printed with all her emails. A
  beautifully typeset, illustrated, color-printed, leather-bound, hard
  cover book. An heirloom.

* Book printing service, MailBooks, can do this, but needs to access
  AMail to download all of Alice's emails.
  
* How can this be done securely?

-----------------------------------------------------------------------------

# Not this way

Alice gives MailBooks her username and password at AMail. 

MailBooks solemnly promises to not delete anything and to not send any
mail, and to forget the password after they've got what they need for
producing the book.

Yeah right.

-----------------------------------------------------------------------------

# Not this way either

MailBooks and AMail have a special agreement.

AMail will give all the emails MailBooks asks for. MailBooks promises
to only ask for email of people who say they want a book. MailBooks
asks its customers to not lie about who they are.

There is no way in which this might go badly.

-----------------------------------------------------------------------------

# No, just no

Alice forwards each email to MailBooks. All 1.3 million of them.

-----------------------------------------------------------------------------

# OAuth2: Overview

* Alice asks MailBooks for a book.

* MailBooks sends her to AMail to authorize them.

* Alice logs into AMail and clicks a button to authorize MailBooks.
  AMail hands her browser a short-lived **authorization code** to
  carry back to MailBooks.

* MailBooks exchanges the code for an **access token** directly with
  AMail; Alice's browser never sees the token.

* MailBooks gives the access token to AMail and says it wants a copy
  of every one of Alice's emails.

* AMail checks the token and responds with a copy of all the emails.

* MailBooks prints and sends the book to Alice.

-----------------------------------------------------------------------------

~~~plantuml
@startuml
actor Alice
entity "Book service" as Booksite
database "Email service" as Email

Alice -> Booksite: Want book!
Booksite -> Email: May I get emails?
Email -> Alice: OK to give emails to Booksite?
Alice -> Email: Sure!
Email -> Booksite: Have an access token
Booksite -> Email: Emails please
Email -> Booksite: Here are the emails
Booksite -> Alice: Here's your book
@enduml
~~~


-----------------------------------------------------------------------------

# Details

* HTTPS: always when credentials or tokens are transmitted
  - access tokens are bearer tokens (RFC 6750): whoever holds one can
    use it
* access and **refresh tokens**: may be opaque to clients
  - but JWT is common
  - either way the client treats them as strings; only the service
    that issued them interprets them
* tokens are for a specific client and service
* tokens specify a **scope**: what operations they allow
* tokens expire → refresh tokens
* endpoint discovery: originally unspecified
  - later standardised as authorization server metadata (RFC 8414)

-----------------------------------------------------------------------------

# Transaction 1: four specified grant variants

* authorization code: OKish, and the one to use, but security can be
  improved

  * a lot of HTTP redirects
  * improve it with PKCE (RFC 7636) and a `state` value checked on the
    callback; codes are short-lived and single use

* client credentials: bots without end users

* implicit: don't use, trusts browser too much

  * the access token travels in the URL fragment, where browser
    history, scripts and extensions can see it

* resource owner password credentials: NO, JUST NO!

  * the client gets the user's password: exactly the "Not this way"
    slide

* any of these may of course fail

-----------------------------------------------------------------------------

# Transaction 2: use access token

* send request + token to the resource server

  * as a bearer token, normally in the `Authorization: Bearer ...`
    header (RFC 6750)
  * the server checks that the token is valid, not expired, and that
    its scope covers the requested operation


-----------------------------------------------------------------------------

# Transaction 3: get new access token

* When the access token expires: the client sends its refresh token to
  the token endpoint and gets a fresh access token.

* A refresh token is bound to the client it was issued to. The new
  access token may be requested with a narrower scope than the
  original grant, never a wider one.

* Handing a token to a different client, possibly with less scope, is
  not in RFC 6749; that is a separate extension (OAuth 2.0 Token
  Exchange, RFC 8693).
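Transactions 2 and 3 together, as an added example (not the talk's code): AMail's mail API validates the bearer header (RFC 6750), and its token endpoint handles `grant_type=refresh_token` with rotation, reuse detection and scope narrowing. The token tables, the fake clock and the tokens `at_old` and `rt_1` are constructed starting state; in real life the tables are the authorization server's database and the client only ever holds the token strings.

```python
"""Using an access token, then refreshing it (RFC 6749 section 6, RFC 6750 section 2.1).

Added example, not from the slides. AMail's mail API is the resource
server, refresh() is AMail's token endpoint, mailbooks_fetch() is the
client. All tables below are constructed starting state (assumptions):
an access token that has already expired and its refresh token.
"""
import secrets

CLOCK = [1_700_000_000.0]          # fake clock so the example is deterministic

# Authorization-server state. Opaque tokens, looked up by value.
ACCESS = {"at_old": {"user": "alice", "client_id": "mailbooks",
                     "scope": {"mail.read"}, "expires": CLOCK[0] - 1}}
REFRESH = {"rt_1": {"user": "alice", "client_id": "mailbooks",
                    "scope": {"mail.read", "mail.send"}, "used": False}}
CLIENT_SECRETS = {"mailbooks": "s3cret"}

# What MailBooks stored after the original authorization.
CLIENT_STATE = {"access": "at_old", "refresh": "rt_1", "secret": "s3cret"}


def resource_request(headers: dict, required_scope: str) -> tuple:
    """Transaction 2, server side: the mail API checks the bearer token before serving."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"WWW-Authenticate": 'Bearer realm="amail"'}
    info = ACCESS.get(token)
    if info is None or info["expires"] <= CLOCK[0]:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    if required_scope not in info["scope"]:
        return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}
    return 200, {"mailbox": info["user"], "messages": ["constructed message 1"]}


def refresh(form: dict, client_id: str, client_secret: str) -> dict:
    """Transaction 3, server side: grant_type=refresh_token at the token endpoint.
    The refresh token is bound to its client, rotated on every use, revoked on
    reuse, and the new access token's scope may shrink but never grow."""
    if not secrets.compare_digest(CLIENT_SECRETS.get(client_id, ""), client_secret):
        return {"error": "invalid_client"}
    rt_value = form.get("refresh_token", "")
    rt = REFRESH.get(rt_value)
    if rt is None or rt["client_id"] != client_id:
        return {"error": "invalid_grant"}
    if rt["used"]:
        # A rotated-out token coming back means two parties hold it: revoke the family.
        family = [k for k, v in REFRESH.items()
                  if (v["user"], v["client_id"]) == (rt["user"], rt["client_id"])]
        for key in family:
            del REFRESH[key]
        return {"error": "invalid_grant"}
    requested = set(form.get("scope", "").split()) or set(rt["scope"])
    if not requested <= rt["scope"]:
        return {"error": "invalid_scope"}     # checked before the token is marked used
    rt["used"] = True
    new_access, new_refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS[new_access] = {"user": rt["user"], "client_id": client_id,
                          "scope": requested, "expires": CLOCK[0] + 3600}
    REFRESH[new_refresh] = {"user": rt["user"], "client_id": client_id,
                            "scope": rt["scope"], "used": False}
    return {"access_token": new_access, "token_type": "Bearer", "expires_in": 3600,
            "refresh_token": new_refresh, "scope": " ".join(sorted(requested))}


def mailbooks_fetch() -> tuple:
    """Client side: use the token; on invalid_token, refresh with only the scope
    this job needs and retry once."""
    status, body = resource_request({"Authorization": "Bearer " + CLIENT_STATE["access"]}, "mail.read")
    if status == 401 and "invalid_token" in body.get("WWW-Authenticate", ""):
        resp = refresh({"grant_type": "refresh_token", "refresh_token": CLIENT_STATE["refresh"],
                        "scope": "mail.read"}, "mailbooks", CLIENT_STATE["secret"])
        if "error" in resp:
            return 401, resp   # refresh failed: send Alice through authorization again
        CLIENT_STATE["access"], CLIENT_STATE["refresh"] = resp["access_token"], resp["refresh_token"]
        status, body = resource_request({"Authorization": "Bearer " + resp["access_token"]}, "mail.read")
    return status, body
```

The client asks for `mail.read` only when refreshing even though the original grant also covered `mail.send`: a book-printing job has no business sending mail, and a token with less scope does less damage if it leaks. Rotation plus reuse detection is the standard answer to refresh-token theft: the first party to present a rotated-out token reveals that a copy exists, and the whole family is revoked rather than guessing which holder is the thief.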

-----------------------------------------------------------------------------

# SEE ALSO


* [RFC 6749](https://tools.ietf.org/html/rfc6749)
* [OAuth website](https://oauth.net/)
* [Yuck](https://yuck.liw.fi/)


-----------------------------------------------------------------------------

# Legalese

Copyright 2020 Wikimedia Foundation

This content is licensed under the Creative Commons
Attribution-ShareAlike 4.0 International ([CC BY-SA 4.0][]) licence.

[CC BY-SA 4.0]: https://creativecommons.org/licenses/by-sa/4.0/


---
title: "The OAuth 2.0 Protocol"
subtitle: "EngProd paper club: RFC 6749"
author: "Lars Wirzenius"
date: "2020-12-07"
...