OAuth 2.0

Question 1

What are the problems of credentials sharing?

Answer 1

The user is impersonated (app acts just like the user and has too much access.
The creds can’t be revoked (needs to change the password)
The credentials are exposed all the time.
SPA’s will never be able to store it securely.

Question 2

Why cookies isn’t a solution as well?

Answer 2

Because of Cross-site request forgery (CSRF, aka XSRF). Meaning that any tab of the browser will be able to acess that api.

Question 3

Is API key a better solution for credentials sharing? What are the remaining issues?

Answer 3

Yes, API keys are still acceptable because you are no longer sharing creds and you can now define scopes for the key… however api keys has no standards, has to have long expirations (e.g 90 days, when the ideal would be 1 hour).

Question 4

Why is oauth the solution to all problems?

Answer 4

Auth is a protocol, built for http apis, scoped access… can be called delegation protocol.

Question 5

What are the oauth2 players?

Answer 5

The protected resource (http api), the client (the app that wants to access the api, the resource owner (the user) and the authorization server which is responsible for handling the authorization requests (all parties needs to trust it).

Question 6

Is Oauth for authentication? What to do then?

Answer 6

No, meant for authorization only. Access tokens do not represent the user. Also, client cannot reliably verify the token… Use OpenId + OAuth

Question 7

What OAuth got very right?

Answer 7

Delegated access, api access control, separation of user and client creds, user consent.

Question 8

What is the OAuth big picture?

Answer 8

https://pasteboard.co/JDz1kM8.png

Question 9

What is a scope?

Answer 9

Defines how much data the client application can access.

Question 10

What are the minimum query string parameters used an authorization request?

Answer 10

?response_type=code&
client_id=example123&
redirect_uri=https://my.client/callback

Question 11

What is the recommended parameter for an authorization request? Is it often used?

Answer 11

state=xyz

very often.

Question 12

What is the optional parameter of an authorization request? What happens when not defined?

Answer 12

scope=ap1 api2.read

the auth server will define a default set of scopes

Question 13

What is included in an authorization response? Where is it sent to? What happens when the state does not match?

Answer 13

sent to https://my.client/callback?code=kAsdg412bAdfA&
state=xyz

the client ideally should reject the whole response.

Question 14

What needs to be done after I get the authorization code?

Answer 14

Do a token request, passing the authorization code, defining the grant type as authorization_code and also defining another redirect_uri… needs to define the client id secret.

Question 15

How many times I can use an authorization code?

Answer 15

Once.

Question 16

What does it mean using basic authentication in oauth2? What it actually is asked in the docs?

Answer 16

we can use basic auth style:
Base64(client_id + “:” + client_secret)

use urlformencode for client id and secret, then base64 the whole thing.

Question 17

If the token request works ok, what will I receive?

Answer 17

a token response json with the access token, the type and the expiration (in seconds). Optionally the scopes

Question 18

What is the Implicit Grant Type?

Answer 18

Is the workflow that SPA needs to follow (since they do not have a backend to relly on). Considered less secure.

Question 19

What differs from implicit grant type and the authorization workflow?

Answer 19

The token is directly asked (we need to pass most of the data in the request, such as client Id and redirect_uri

Question 20

Why redirect URI is important to be as less dynamic as possible (meaning to avoid wildcards)?

Answer 20

because this is the main defense (the redirect_uri needs to match in the server.

Question 21

What is the URL fragment (#)?

Answer 21

Is a protected place where the access_token is placed… seems to be a protected type of query string.

Question 22

Cite 2 concerns of using the implicit grant workflow

Answer 22

access token is exposed to resource owner, js libs that the site is using can access this token too (not other websites), no validation of the token (someone might inject a diff one).

Question 23

What is a better option for the implicit flow?

Answer 23

CORS + PKCE

Question 24

What is the client credentials flow? How many times the credentials are sent?

Answer 24

there’s no user involved.. only machines. sent once…

Question 25

What is Resource Owner Password Credentials(ROPC)?

Answer 25

A flow targeted for legacy application, should no longer be used (used on 2012).

Question 26

What is a refresh token? What does it enable? Should we treat them the same as other tokens?

Answer 26

Swap for new tokens, allow for long-lived access but are highly confidential… the user should give consent about it.

Question 27

How refresh tokens are also called, where are they requested?

Answer 27

aka offline_access, requested in the scope of the auth request.

Question 28

When should I swap the token for a new one (make use of the refresh token)?

Answer 28

When we get a 401 or based in the time defined in the expiration field.

Question 29

Can the refresh token ask for different scope than originally granted?

Answer 29

no… a new workflow is required.

Question 30

How many types of authorization workflows have we seen until now?

Answer 30

4: 
Authorization Code,
Implicit,
Client Credentials,
ROPC

Question 31

What kind of workflows can make use the refresh tokens?

Answer 31

Authorization code and ROPC.

Question 32

Can I store the refresh token in the browser? Where to store then?

Answer 32

NO - NEVER.

Store in the backend.

Question 33

What is the problem of passing sensitive data in the query string? What is becoming a new standard?

Answer 33

The query string will be sent from server to server which increaes the attack surface. New standard is the form post.

Question 34

What is the form post technique similar to?

Answer 34

to SAML

Question 35

Why the new Oauth 2.1 is considered a simplification over the 2.0 one?

Answer 35

No more ROPC;
No more implicit flow;
Single-use refresh tokes;
PKCE across all app types;
No more bearer tokens in the query string/hash fragment.

Question 36

Where can I find more information about Oauth 2?

Answer 36

RFC 6749 (Oauth 2.0);
RFC 6819 (threat model & security considerations)

Question 37

How to spell PKCE?

Answer 37

PIXIE

Question 38

Are native apps (windows/android) considered public clients?

Answer 38

yes

Question 39

Should we use implicit flow for mobile applications? Why?

Answer 39

NO. even though there are vendors out there suggesting it. tokens are accessible.

Question 40

What PKCE stands for? What does it do pratically speaking?

Answer 40

Proof Key for Code Exchange. Links the authorization request to the token request.

Question 41

How does PKCE looks like in action?

Answer 41

1 - native client generate a random code called code_verifier;
2- hash (sha256) this random code and sent it to the auth server as code_challenge and the server stores this value.
3 - Server send back the authorization code and the client will request the token but this time including the code_verifier (unhashed).
4 - The server hashes the code_verifier and compares to the code_challenge.
5 - if both matches, the access token is sent.

Question 42

So it means the PKCE flow is used to guarantee the initial authorization code requester is the same as the token requester?

Answer 42

YES

Question 43

Where to learn more about PKCE?

Answer 43

RFC 7636

Question 44

How to deal with callback urls in native code?

Answer 44

Via the use of private-use URI Scheme;

Question 45

How to make URI Scheme unique?

Answer 45

By bounding to the reverted-DNS com.pluralsight.ios:/cb.

Question 46

What happens when someone put in the browser (or the redirection puts it) the private URI Scheme?

Answer 46

the app will be launched! (very similar to spotify and stuff).

Question 47

Why are embedded user-agent (browsers) insecure? What to use then?

Answer 47

Keystrokes, cookies are exposed and url not shown (encourages phishing). The native browser.

Question 48

What google IDP does when it seens that and embedded browser calls it?

Answer 48

blocks.

Question 49

Where to learn more about native app implementation?

Answer 49

RFC 8252/8525

Question 50

What is token theft?

Answer 50

Code injected by infected CDNs or browser plugins.

Question 51

What is the SameSite cookie? When this might become an issue?

Answer 51

new feature of browsers that only the site that stored the cookie is allowed to access it (Same=Strict). When using 3rd party APIs(different domains).

Question 52

What is a “Backend for Frontend”?

Answer 52

An own dedicated server that wil act as a single point communication for the frontend, this backend then will talk to oauth servers and third party APIs.

Question 53

What is usually used when “Backend for Frontend” is adopted?

Answer 53

SameSite cookie… so that you always communicate to your own sites/domains.

Question 54

What is OpenId, what does it do? Does it change the Oauth framework?

Answer 54

OpenId is an Oauth extension. It adds an identity layer on top of oauth 2.0 and formalizes some Oauth ambiguities. Does not change oauth, only extends.

Question 55

So an Oauth server with open ID makes an authorization server to become an identity provider?

Answer 55

YES.

Question 56

What are the main features of openid?

Answer 56

• Identity access via UserInfo endpoint (to fetch user name and etc).
• Identity token (always JWT).

Question 57

What are the three parts of a JWT?

Answer 57

Header.Payload.Signature

separated by .

Question 58

What is epoch time?

Answer 58

Date in seconds since january 1st 1970.

Question 59

what is nonce?

Answer 59

no more than once.

Question 60

How to discover what the oauth server can do (aka metadata document)?

Answer 60

/.well-known/oauth-authorization-server

similar to swagger.

Question 61

how to auth IOT device since they do not run browser?

Answer 61

via use of secundary device (similar to TV authentication), which is a browser on a smartphone… the iot device will be polling until the auth is complete.

Question 62

how to do an api-to-api delegation?

Answer 62

via token-exchange… the api1 which has the access granted will exchange the existing token for a new token for api2