Auth 2.0, also called open authorization, is industry-standard protocol for secure authentication. The protocol enables third party apps to access user data without sharing their credentials, such as username and passwords. Instead the protocol, let’s the client(third party app) access or query information using access tokens (generated by OAuth 2.0 provider).

Use Scenario

• User sign in third party app using authentication app such as google
• The third party app redirect users to gogole authorization page
• user grants permission for the app to access their data
• OAuth provide issues an authorization code or access token directly
• Third party app uses the token to access the user’s data securely from the provider

  Fundamental Concept Review

  Authentication: verify who user is

Authorization: verify what access does a user have

• RBAC - Access based on predefined roles (based on the roles)
  • will need a user table
  • also need a role table
• ABAC - Access based on attributes (based on the attributed in the request)
  • a need table called resources

JWT - JSON Web Token

• self-contained, compact token format
• for both authentication and authorization
• contains: header, payload, signature

Traditional Use Scenario

• app the requires user to sign in
• JWT-based authentication and an RBAC system for authorization
• Challenge:
  • User wants to log in with their Google or GitHub account
  • third-party app needs access to user data
  • do user needs to share their credential to the third party app
• Solution: OAuth 2.0 solve this problem

  OAuth 2.0 Terminology

  OAuth 2.0 Roles

• Resource Owner: person who owns the data
• Client: The third party app requesting access to the user’s data
• Authorization Server: the service that issues access tokens
• Resource Server: the api or server where user’s data resides

  OAuth 2.o Tokens

• Access Token:
  • Shorted-lived
  • Used to access protected resources
  • Attached in the HTTP Authorization Header
• Refresh Token:
  • Long-lived
  • Used to obtain new access token

    OAuth 2.0 Grant Types

• Authorization Code Grant (Most Secure and standard)
  • ideal for apps that need long-term access to user data
• Client Credential Grant
  • used for server-to-server communication
• Implicit Grant (Deprecated)
  • used for single-page application
• Resources Owner Password Credentials Grant (not recommended)
  • User providing their credential to client app

    Authorization Code Grant Logic

• Used for web and mobile apps that need long-term access to user data
• Used an authorization code instead of directly exposing tokens
• Prevents security risks like token leakage

  High Level Flow

• User access third-party app
• The app redirect the user to OAuth Provider
• User grants permission
• Oauth grants permission
• Oauth provider issues an authorization code (abc.com?code=xxx)
• Third-party app exchange the authorization code for access token with Oauth Provider
• Third-party app uses the access token to access the users’ data

  Step 1 - Request Authorization Code

  Third-party app redirects user to OAuth Provider with following key parameter

• Response_type: specifies the type of response expected from the Oauth Provider
• client_id: identifies the third-party app making the request
• Redirect_URL
  • the callback URL where the user will be redirected after authorization
• Scope
  • Define the permissions the third part app is requesting
    • profile, email, offline_access
• state: a random string used for security pruposes

  Step 2 - OAuth Provider Response with Authorization Code

• OAuth provider redirects User back to third-party app
• key ele
  • code: Authorization code that third-party app will use to obtain an access token
  • state: a random string to verify the integrity of the request and prevent CSRF attack

    Step 3 - Exchange Authorization code for access token

• third-party app makes secure request to Oauth provider
  • Grant_type
  • code
  • client_id:
  • client_secret: credential between our app and the authorization app
  • redirect URL

    Step 4 - Using the access token

• third party app makes API request using access token
• Authorization header
  • attach the token as a bear token

    Step 5 - Using Refresh Token to get a new access token

• Grant Type: grant type: refresh_token
• Refresh_token: the fresh token
• Client_id: app id
• Client Secret
  • The client’s secret used for authentication with the Oauth Provider ![[Pasted image 20260111165750.png]] ![[Pasted image 20260111120900.png]]

    Client Credential Grant Logic

• used for machine-to-machine communication
• No User interaction required
• Client Requests access on its own behalf

  High Level Flow

• Client app sends a requests to OAuth Provider
• OAuth provider verifies the credential and issues an access token
• Client App uses the access token to access the protected resources

  Step 1 - Request Access token

• Client app makes secure request to OAuth Provider
  • Grant type: grant type
  • Client Id
  • client secret

    Step 2 - Using the access token

• Client App uses access token to access resource
  • Authorization Header
    • Access token
    • Bearer Token

      Implicit Grant Logic

• Used for Single-Page Applications (SPAs) & Client-Side Apps
• Access Token is issued directly without au authorization code
• no client credential
• directly grant the access token
• Less Secure
  • the access token is directly exposed in the URL fragment
  • No secure server-to-server exchange
  • vulnerable to token Leakage

    High Level Flow

• user access third-party app
• The app redirects the user to OAuth provider
• User grants permission
• OAuth provider immediately issues an access token
• Third-party app uses the access token to access the user’s data

  Resource Owner Password credentials grant Logic

• getting user’s username and password
• no redirection to OAuth provider
• take over peoples’ account

  OIDC

  also named OpenID Connect 1.0

• An identify layer built on top of OAuth 2.0
• while OAuth 2.0 handles authorization, OIDC verifies user’s identity
  • ID Token - A JWT that contains user profile information, with claims like …
  • signed using (JSON Web Signature)JWS for security

    OIDC with Authorization code grant

• Step 1 - third party app redirects user to Oauth provider
  • adding openid to the scope to get ID token
• Step 2- Oauth provider redirect user back with Authorization code
• Step 3 - Third party app exchanges authorization code for tokens
  • the ID token is returned as well
• When server received a POST with access token from the auth server, we take the ID token, check the signature, and then also check the content

  OAuth 2.0 with Spring Security

  OAuth 2.0 with Spring security

• Bearer Authentication
  • Handles access tokens passed in the Authorization header of the HTTP request
• BearerTokenAuthenticationFilter
  • Intercepts the incoming request and extracts the access token
  • Passed the token AuthenticationManager for validation and authentication

AuthenticationManager to with JWT in spring security

• Authenticationmanger is responsible for validating and authenticating tokens
• with help of
  • JwtAuthenticationProvider: provides the necessary logic for validating JWT tokens
  • JwtDecoder: decode the JWT tojen and verify its signature
  • JwtAuthenticationConverter: converts the decoded JWT into an Authentication instance that can be used by sring security

OAuth 2.0 resource Server configuration

• Spring Boot’s Oauth 2.0 Resource server support
• JSON web key sets (JWKS)
  • Used to verify JWT tokens by checking their signature against the public keys exposed by the OAuth 2.0 Authorization Server