Kévin Maschtaler

Developer at Yupeek

Introduction to OAuth 2.0

What is OAuth?

Diagram: one centralized authentication server (email + password) shared by three clients: an iOS app (Pèse-parpaing), a web service (Accounting) and a REST API (Logistics).

Roles:
  • Resource Owner (user)
  • Client Application
  • Authentication Server
  • Resource Server

Tokens:
  • Access Token
  • Refresh Token

Grant types:
  • Authorization Code
  • Implicit: client-side web application
  • Client Credentials

Client Credentials flow

Diagram: the application sends its client ID + secret ID to the authentication server, receives a token, and presents that token to the resource servers.

curl -X POST -d 'grant_type=client_credentials' \
    http://CLIENTID:SECRETID@localhost/token/
{
    "access_token": "G6ZWqvnxZju7EDr0qVO8JlJkv4iKBv",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "read write"
}
  • Client ID
  • Secret ID
  • Grant type: client_credentials
curl -H 'AUTHORIZATION: Bearer G6ZWqvnxZju7EDr0qVO8JlJkv4iKBv' \
    http://localhost/locations/2990999/
{
    "id": 2990999,
    "name": "Nancy",
    "slug": "nancy",
    "location": "POINT (6.1849600000000002 48.6843900000000005)",
    "population": 105334,
    "country": {
        "id": 3017382,
        "name": "France",
        "slug": "france",
        "code": "FR",
        "population": 64768389,
        "continent": "EU",
        "tld": "fr"
    }
}
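The two curl calls above show the client credentials flow from the client's side only. As an added example (not the talk's or Yupeek's code), here is the same exchange in Python from both ends: the client building the token request exactly as curl does (client ID and secret in HTTP Basic auth, grant type in the form body), and the resource server checking the Bearer token, its expiry and its scope before answering a request for /locations/2990999/. The token store contents, the issue time and the scope names are constructed for the illustration.

```python
"""Both ends of the client_credentials flow.  Added example, not the
talk's code; the token store entry, its issue time and the scope names
are constructed for the illustration."""
import base64
from urllib.parse import urlencode

# Constructed: what the authentication server persisted when it answered
# the POST /token/ request on the slide (ISSUED_AT is made up).
ISSUED_AT = 1_700_000_000
TOKEN_STORE = {
    "G6ZWqvnxZju7EDr0qVO8JlJkv4iKBv": {
        "client_id": "CLIENTID",
        "scope": {"read", "write"},
        "expires_at": ISSUED_AT + 3600,   # issued_at + expires_in
    },
}


def build_token_request(client_id, client_secret):
    """Headers and body equivalent to
    curl -X POST -d 'grant_type=client_credentials' http://ID:SECRET@host/token/
    curl turns the user:pass part of the URL into HTTP Basic auth; the
    secret never goes in the form body or the query string."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode({"grant_type": "client_credentials"})


def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>' or None.
    Header names and the scheme word are case-insensitive."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()


def authorize(headers, required_scope, now):
    """Gate a resource request.  Returns (http_status, reason).
    Expiry and scope are enforced here, on the resource server, never
    trusted from the client.  A production store would keep a hash of
    the token rather than the token itself."""
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing or malformed bearer token"
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return 401, "unknown token"
    if now >= entry["expires_at"]:
        return 401, "token expired"
    if required_scope not in entry["scope"]:
        return 403, "insufficient scope"
    return 200, "ok"


if __name__ == "__main__":
    print(build_token_request("CLIENTID", "SECRETID"))
    hdrs = {"AUTHORIZATION": "Bearer G6ZWqvnxZju7EDr0qVO8JlJkv4iKBv"}
    print(authorize(hdrs, "read", ISSUED_AT + 100))    # (200, 'ok')
    print(authorize(hdrs, "read", ISSUED_AT + 3600))   # (401, 'token expired')
```

Note that `expires_in` on the slide is a hint for the client; the resource server still has to reject the token itself once the stored expiry passes, and a `scope` of `read write` does not entitle the caller to anything outside those two words.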

Authorization Code flow

Diagram: 1. the client asks the user to log in; 2. redirection to the authentication server; 3. login & consent; 4. redirection back to the client with the authorization code; the client then sends its client ID + secret ID together with the code to obtain a token, and presents that token to the resource server.

https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=https://www.qwertee.com/auth/google/callback&client_id=CLIENT_ID&scope=openid+email

https://www.qwertee.com/auth/google/callback?code=WjZSJf1fI8qV0SD4jAEPly4Yls2mkD

curl -X POST \
    -d 'grant_type=authorization_code&code=WjZSJf1fI8qV0SD4jAEPly4Yls2mkD&redirect_uri=https://www.qwertee.com/auth/google/callback' \
    https://CLIENTID:SECRETID@accounts.google.com/oauth2/token
{
  "access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
  "expires_in": 3920,
  "token_type": "Bearer",
  "refresh_token": "1/xEoDL4iW3cxlI7yKM2C-259HOF2aQbI"
}
  • Client ID
  • Secret ID
  • Grant type: authorization_code
  • Code obtained
  • Redirect URI used

OAuth 2 does not do everything!

  • OAuth2 without HTTPS = MITM
  • OAuth2 inside an iframe = clickjacking
  • OAuth2 without the 'state' parameter = CSRF
  • Bearer token + cookie = armored door left wide open
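The authorization code slides (the Google redirect, the callback carrying the code, and the token exchange) and the "no 'state' parameter = CSRF" bullet above fit together in one added Python example that is not part of the talk. The client issues a random state when it redirects the user to Google, stores it in the session, and refuses the callback unless the state comes back unchanged; only then does it build the token request, repeating the same redirect_uri it used in step 1. The session dict is a constructed stand-in for a web framework's session; the endpoints and URLs are the ones on the slides, and the forged callback in the usage code is constructed.

```python
"""Client side of the authorization code flow with a verified 'state'.
Added example, not the talk's code.  The session dict stands in for a
web framework's session store; no network call is made."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints and redirect URI as they appear on the slides.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/oauth2/token"
REDIRECT_URI = "https://www.qwertee.com/auth/google/callback"


def start_login(session, client_id, scope="openid email"):
    """Steps 1-2: build the redirect to the authentication server.  A fresh
    random state is stored in this user's session so that the callback can
    later prove it belongs to this login attempt and not to one an
    attacker started."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "scope": scope,          # urlencode renders this as openid+email
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Step 4: parse the redirect back to the client.  Returns the code only
    if the state matches the one issued for this session.  A missing or
    mismatched state is exactly the CSRF case from the last slide: someone
    else's code is being pushed into this user's session, so it is dropped."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("no state to verify: callback not tied to a login")
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF, code discarded")
    if "error" in query:
        raise ValueError(f"authentication server returned {query['error'][0]}")
    return query["code"][0]


def build_token_request(code):
    """Step 5: form body for the POST to TOKEN_ENDPOINT.  redirect_uri must
    be repeated exactly as in step 1; client ID and secret go in HTTP Basic
    auth (the user:pass part of the slide's curl URL), never to the browser."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })


if __name__ == "__main__":
    session = {}
    print(start_login(session, "CLIENT_ID"))
    good = f"{REDIRECT_URI}?code=WjZSJf1fI8qV0SD4jAEPly4Yls2mkD&state={session['oauth_state']}"
    print(build_token_request(handle_callback(session, good)))
    # Constructed forged callback: a code from another login, wrong state.
    start_login(session, "CLIENT_ID")
    try:
        handle_callback(session, f"{REDIRECT_URI}?code=someone-elses-code&state=wrong")
    except ValueError as exc:
        print("rejected:", exc)
```

The state is popped from the session on first use, so a replayed callback fails the same check; the comparison is constant-time out of habit rather than necessity, since the value is random and single-use.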

References