Mastering OAuth 2.0: Create Powerful Applications to Interact with Popular Service Providers Such As Facebook, Google, Twitter, and More by Leveraging the OAuth 2.0 Authorization Framework. - 1st ed. - 1 online resource (238 pages)

Cover -- Copyright -- Credits -- About the Author -- About the Reviewers -- www.PacktPub.com -- Table of Contents -- Preface
Chapter 1: Why Should I Care About OAuth 2.0? -- Authentication versus authorization -- Authentication -- Authorization -- What problems does it solve? -- Federated identity -- Delegated authority -- Real-life examples of OAuth 2.0 in action -- How does OAuth 2.0 actually solve the problem? -- Without OAuth 2.0 - GoodApp wants to suggest contacts by looking at your Facebook friends -- With OAuth 2.0 - GoodApp wants to suggest contacts by looking at your Facebook friends -- Who uses OAuth 2.0? -- Introducing "The World's Most Interesting Infographic Generator" -- Summary
Chapter 2: A Bird's Eye View of OAuth 2.0 -- How does it work? -- User consent -- Two main flows for two main types of client -- Trusted versus untrusted clients -- First look at the client-side flow -- An untrusted client - GoodApp requests access for user's Facebook friends using implicit grant -- The big picture -- When should this be used? -- Pros and cons of being an untrusted client -- Pros -- Cons -- First look at the server-side flow -- A trusted client - GoodApp requests access for user's Facebook friends using authorization code grant -- The big picture -- When should this be used? -- Pros and cons of being a trusted client -- Pros -- Cons -- What are the differences? -- What about mobile? -- Summary
Chapter 3: Four Easy Steps -- Let's get started -- Step 1 - Register your client application -- Different service providers, different registration process, same OAuth 2.0 protocol -- Your client credentials -- Step 2 - Get your access token -- A closer look at access tokens -- Scope -- Duration of access -- Token revocation -- Sometimes a refresh token -- Step 3 - Use your access token -- An access token is an access token -- Step 4 - Refresh your access token -- What if I don't have a refresh token? -- Refresh tokens expire too -- Putting it all together -- Summary
Chapter 4: Register Your Application -- Recap of registration process -- Registering your application with Facebook -- Creating your application -- Setting your redirection endpoint -- What is a redirection endpoint? -- Find your service provider's authorization and token endpoints -- Putting it all together! -- Summary
Chapter 5: Get an Access Token with the Client-Side Flow -- Refresher on the implicit grant flow -- A closer look at the implicit grant flow -- Authorization request -- According to the specification -- In our application -- Access token response -- Success -- Error -- Let's build it! -- Build the base application -- Install Apache Maven -- Create the project -- Configure base project to fit our application -- Modify the hosts file -- Running it for the first time -- Make the authorization request -- Handle the access token response -- Summary -- Reference pages -- Authorization request -- Access token response -- Error response
Chapter 6: Get an Access Token with the Server-Side Flow -- Refresher on the authorization code grant flow -- A closer look at the authorization code grant flow -- Authorization request -- According to the specification -- In our application -- Authorization response -- Success -- Error -- Access token request -- According to the specification -- In our application -- Access token response -- Success -- Error -- Let's build it! -- Build the base application -- Install Apache Maven -- Create the project -- Configure the base project to fit our application -- Modify the hosts file -- Running it for the first time -- Make the authorization request -- Handle the authorization response -- Make the access token request -- Handle the access token response -- Summary -- Reference pages -- An overview of the authorization code grant flow -- Authorization request -- Authorization response -- Error response -- Access token request -- Access token response -- Error response
Chapter 7: Use Your Access Token -- Refresher on access tokens -- Use your access token to make an API call -- The authorization request header field -- The form-encoded body parameter -- The URI query parameter -- Let's build it! -- In our client-side application -- Send via the URI query parameter -- Send via the form-encoded body parameter -- In our server-side application -- Send via the URI query parameter -- Send via the HTTP authorization header -- Creating the world's most interesting infographic -- Summary -- Reference pages -- An overview of protected resource access -- The authorization request header field -- The form-encoded body parameter -- The URI query parameter
Chapter 8: Refresh Your Access Token -- A closer look at the refresh token flow -- The refresh request -- According to the specification -- The access token response -- Success -- Error -- What if I have no refresh token? Or my refresh token has expired? -- Comparison between the two methods -- The ideal workflow -- Summary -- Reference pages -- An overview of the refresh token flow -- The refresh request -- Access token response -- Error response
Chapter 9: Security Considerations -- What's at stake? -- Security best practices -- Use TLS! -- Request minimal scopes -- When using the implicit grant flow, request read-only permissions -- Keep credentials and tokens out of reach of users -- Use the authorization code grant flow whenever possible -- Use the refresh token whenever possible -- Use native browsers instead of embedded browsers -- Do not use third-party scripts in the redirection endpoint -- Rotate your client credentials -- Common attacks -- Cross-site request forgery (CSRF) -- What's going on? -- Use the state param to combat CSRF -- Phishing -- Redirection URI manipulation -- Client and user impersonation -- Summary
Chapter 10: What About Mobile? -- What is a mobile application? -- What flow should we use for mobile applications? -- Are mobile applications trusted or untrusted? -- What about mobile applications built on top of mobile platforms with secure storage APIs? -- Not quite enough -- Hybrid architectures -- Implicit for mobile app, authorization code grant for backend server -- What is the benefit of this? -- Authorization via application instead of user-agent -- Summary
Chapter 11: Tooling and Troubleshooting -- Tools -- Troubleshooting -- The implicit grant flow -- The authorization request -- The authorization code grant flow -- The authorization request -- The access token request -- The API call flow -- The authorization request header field -- The form-encoded body parameter -- The URI query parameter -- The refresh token flow -- Summary
Chapter 12: Extensions to OAuth 2.0 -- Extensions to the OAuth 2.0 framework -- Custom grant types -- A variety of token types -- Any authorization backend -- OpenID Connect -- Summary
Appendix A: Resource Owner Password Credentials Grant -- When should you use it? -- Reference pages -- An overview of the resource owner password credentials grant -- Authorization request and response -- Access token request -- Access token response -- Error response
Appendix B: Client Credentials Grant -- When should you use it? -- Reference pages -- Overview of the client credentials grant -- Authorization request and response -- Access token request -- Access token response -- Error response
Appendix C: Reference Specifications -- The OAuth 2 Authorization Framework -- The OAuth 2 Authorization Framework: Bearer Token Usage -- OAuth 2.0 Token Revocation -- OAuth 2.0 Threat Model and Security Considerations -- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants -- Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants -- JSON Web Token (JWT) -- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants -- OpenID Connect Core 1.0 -- HTTP Authentication: Basic and Digest Access Authentication
Index.

9781784392307

Application program interfaces (Computer software).

Electronic books.

QA76.76.A63.B545 2015eb

5.133