OAuth 2.0 is an authorization framework that is extensively used in the Internet. With extensions, it can be used to implement single sign-on (SSO) where a user who logs in to one web site can be made to interact with other web sites as a logged in user without retyping username and password. OAuth 2.0 provides more. A user can allow an application A to access web application B on behalf of the user without providing the username and password pair to A. The said application A could be a web application, a desktop application or even a mobile application. Both A and B however need to interact with what is known as an authorization server trusted by the user.
In modern days, we find a lot of mobile applications that communicate with web based APIs. OAuth 2.0 can be used to secure those APIs too while benefiting from the features provided by OAuth 2.0.
In this training, we investigate how OAuth 2.0 works and also experiment with basic implementations of an OAuth 2.0 authorization server, a client and a resource server. The demonstrations will be done in PHP language even though the concepts learnt will be applicable to other languages as well.
Target groups
- Web application developers
- Mobile application developers
- Information systems security professionals
Prerequisites
- Some familiarity with how web applications work.
Communication language
English or SinhalaDuration
3 Hours
Facilitator(s)
Kamal Wickramanayake (Profile)
Content
-
Introduction
- Problems solved by OAuth 2.0
- OAuth 2.0 usage scenarios
- Roles
- Protocol flow
-
Grant types
- Authorization code
- Implicit
- Resource owner password credentials
- Client credentials
-
Tokens
- Access token
- Refresh token
-
Client types
- Confidential
- Public
- Scopes
- JWT (JSON Web Token)
- OpenID Connect
-
PKCE (Proof Key for Code Exchange) extension
- Problems solved by PKCE
- Protocol flow
- Implementing an OAuth 2.0 authorization server
- Implementing an OAuth 2.0 client
- Implementing an OAuth 2.0 resource server