Security (OAuth etc.) Flashcards

1
Q

What is OAuth 2.0? What problem does it solve?

A

Problem: Traditionally we’ve had forms-based authentication on the web. The user would input a username and password, and we would check that against credentials held in the DB. Each app would do this itself.
It makes more sense to have a central auth service which deals with this. It shouldn’t be the app’s responsibility to handle that, maintain it, keep up with security best practices etc.
Problem 2: Delegated authorization. How do you grant an external app access to your data without giving them your password? E.g. I want to give Yelp access to my Gmail, but I don’t want to give them my credentials.

OAuth 2.0 is a protocol designed to solve this problem. It allows users to grant one site access to their data held on another site.

In essence, the client app (Yelp) redirects to the central auth server, the user logs in there, and the client app gets an access token that grants it access to the resource server (Gmail).

More details in descriptions of flows!

2
Q

What is OpenID Connect?

A

OAuth is for authorization (what you can do), not for authentication (who you are).

OpenID Connect is an extra layer on top of OAuth 2.0 that is for authentication. It defines a standard set of ID scopes. The client app gets info on the user and an ID token used to identify the user.

3
Q

How do OAuth and OpenID differ?

A

OAuth is for authorization (what you can do), not for authentication (who you are).

OAuth is the basic protocol; OpenID Connect adds the authentication/ID layer on top of it.

OAuth is for:

  • Granting access to your API
  • Granting access to user’s data in another app

OpenID is for:

  • Logging the user in
  • Making your accounts available in other systems
4
Q

What is OAuth auth code flow?

A

Authorisation code flow uses both the front channel and the back channel.

  1. Client app calls the auth server’s authorisation endpoint, giving it the scopes it wants, the response type and the callback/redirect URL.
  2. The auth server requests login + consent from the resource owner (user).
  3. Auth server redirects back to the client app’s redirect URL, passing the authorisation code with the redirect (front channel).
  4. Client app (through its server, i.e. the back channel) makes another call to the auth server, passing it the authorisation code and getting the access token in return.
  5. Client app accesses the resource server using the access token.
5
Q

What is OAuth implicit flow?

A

Implicit flow is front channel only.

  1. Client app calls the auth server’s authorisation endpoint, giving it the scopes it wants, the response type and the callback/redirect URL.
  2. The auth server requests login + consent from the resource owner (user).
  3. Auth server redirects back to the client app’s redirect URL, passing the access token itself with the redirect (front channel).
  4. Client app accesses the resource server using the access token.
6
Q

What is the OAuth resource owner password credentials flow?

A

The resource owner password credentials flow is very different from the others because the client app itself gets hold of the user’s credentials.

  1. Client app asks the user for username and password.
  2. Client app goes to the auth server with the username and password, and gets an access token in return.
  3. Client app uses the token to talk to the resource server.

Optionally, a refresh token is returned as well. This can be exchanged for a new access token when the access token expires. This is a good idea, as otherwise the client app would have to either request the credentials again or store them somewhere (a very bad idea).

7
Q

What is OAuth client credentials flow?

A

This is usually for machine-to-machine communication.

  1. Client requests an access token from the auth server, passing it the client ID and client secret.
  2. Client uses the access token to access the resource API.
8
Q

What is PKCE?

A

Proof Key for Code Exchange.
This is a secret created by the client app that the auth server verifies when the client requests the access token. It is an extra level of security to protect against the authorisation code being stolen and then used to get the access token.

9
Q

What is an authorisation code, an access token and an ID token?

A

Authorisation code: Used in the authorisation code flow. Given to the client app on successful login and then exchanged for an access token.

Access token: The thing that grants the client access to the API.

ID token: A JWT given to the client alongside the access token when using OpenID Connect. It contains a set of claims about the authentication session, e.g. user identifier (sub), provider identifier (iss, for issuer) and client identifier (aud, for audience).

10
Q

How does traditional forms authentication work?

A

The application provides a form for the user to input credentials. These are posted to the server, which checks the password and authenticates the user.

11
Q

What part do cookies play in authentication?

A

When the user authenticates, the browser gets a cookie that says the user is logged in, e.g. one containing a session ID.
Every time the browser makes a request to the server it sends the cookie along with it. The server checks the cookie and sees that the user is logged in.

12
Q

What is IdentityServer4?

A

IdentityServer is an implementation of OAuth 2.0 and OpenID Connect available as a third-party .NET package.
Note - it is not the same as ASP.NET Core Identity, which is a .NET package for managing membership, e.g. users, passwords, etc.
So you could set up a central auth server which uses IdentityServer to handle the OAuth side (creating and granting tokens etc.), while the users/passwords/login part is handled by ASP.NET Core Identity.

13
Q

In ASP.NET, what is traditional roles based authorization?

A

Users have associated roles, e.g. Admin, Manager, Normal User etc.
What they can and can’t do is then based on these roles. E.g. you could call User.IsInRole("Admin") to check whether to allow the user to do something, or decorate an action, e.g.

[Authorize(Roles = "Admin,Manager")]
public ActionResult DoSomething() => View();

14
Q

In ASP.NET, explain the new claims/policy based authorization

A

Claims are info about a user e.g.
Country: PT
EmployeeNumber: 12345
etc.

You can use these claims to determine what a user can do.
Do this by creating policies, e.g. (ASP.NET Core, in ConfigureServices):

services.AddAuthorization(options =>
    options.AddPolicy("MustBeEmployee", policy => policy.RequireClaim("EmployeeNumber")));

So any user that has the claim EmployeeNumber would satisfy the policy and be granted access:

[Authorize(Policy = "MustBeEmployee")]
public ActionResult DoSomething() => View();

15
Q

What are front channel and back channel in security?

A

Back channel: a secure channel of communication, e.g. server to server.

Front channel: less secure, e.g. browser to server (potential for things like tokens or codes to be stolen from the browser etc.).
