Access OAuth2

OAuth3.0 knowledge summary

1. OAuth 2.0 is an authorization protocol whose core is obtaining and using access tokens.

2. The authorization code licensing process requires the introduction of authorization codes to ensure security and achieve user experience.

3. OAuth 2.0 can also be regarded as a delegation protocol, in which users entrust third-party software representatives to operate.

4. The authorization code permission process is the most complete and secure authorization method in OAuth 2.0.

5. Improper use may cause safety issues, and various regulatory details need to be followed.

6. HTTPS needs to be used to ensure communication security.

7. JWT is not part of OAuth 2.0, but an extension of it.

8. OAuth 2.0 provides the framework on which OIDC implements identity authentication.

9. Both third-party software and platform parties need to improve their security awareness to ensure the security of OAuth 2.0.

10. OAuth 2.0 is an effective tool to solve authorization and authentication problems.

Mobile APP access OAuth3

The key points of using OAuth 2.0 for mobile apps are summarized as follows:

1. Mobile Apps can be divided into two types: serverless and server-side, the latter using OAuth 2.0 is more secure.

2. Serverless apps can use the PKCE protocol to prevent authorization code leakage, but sensitive information such as app_secret is not recommended.

3. There is a server-side App that can obtain access tokens through the server, which is similar to the web application process and has high security.

4. WeChat and other platforms recommend that mobile apps use background services to obtain access tokens.

5. When using a third-party login such as WeChat login, the App obtains the authorization code, and the server uses code and app_secret to obtain the access token.

6. It is not recommended to save sensitive information on the App side. Using the server side can avoid security issues.

7. The PKCE protocol can ensure the security of serverless apps to a certain extent.

8. It is recommended that mobile apps use server and background communication to obtain access tokens whenever possible.

9. The core ideas of OAuth 2.0 can be applied to Apps to ensure data security through safe use.

Security risks and precautions

The security risks and preventive measures of OAuth 2.0 can be summarized as follows:

1. CSRF attacks can be prevented through the state parameter state.

2. XSS attacks require escaping the response content to prevent the injection of malicious code.

3. Horizontal override requires verification of data ownership to avoid data confusion among different users.

4. If the authorization code is stolen, you need to verify the app_id and invalidate the used authorization code immediately.

5. Redirect URI tampering requires integrity verification of the URI.

6. It is necessary to comply with various specifications and details of OAuth 2.0 to ensure security.

7. Lack of security awareness among developers is a common cause of these vulnerabilities.

8. Thinking from the attacker's side can also help uncover additional risk factors.

9. OAuth 2.0 also faces common security risks across the Internet.

10. Security precautions need to comprehensively consider various possible attack scenarios.

Implementing OIDC using OAuth3

Implementing OIDC using OAuth 2.0 can summarize the following points:

1. OIDC is an open user identity authentication standard protocol built on OAuth 2.0.

2. OIDC has added an ID token, which is used to transfer user identification information, and third-party software can use it to record user login status.

3. OIDC has also added a new UserInfo endpoint for third-party software to obtain more user information.

4. The ID token is a token in JWT format, containing necessary statement information such as iss, sub, aud, exp, etc.

5. The third-party software only needs to parse the payload part of the ID token to obtain user identification and other information.

6. Single sign-on is an application scenario of the OIDC protocol.

7. OAuth 2.0 provides a basic authorization framework on which OIDC implements identity authentication.

8. When implementing OIDC, you need to pay attention to the security of ID tokens, obtaining UserInfo information, etc.

9. OIDC provides a standard identity authentication solution.

Spring Security implements OAuth 2.0

Key points for implementing OAuth 2.0 using Spring Security:

1. The authorization server uses JdbcAuthorizationCodeServices to store authorization codes and JwtTokenStore to store JWT tokens.

2. The resource server verifies the JWT token through the local public key and verifies permissions.

3. Supports three modes: resource owner credential permission, client credential permission, and authorization code permission.

4. TokenEnhancer can be added to add additional information to the JWT token.

5. Single sign-on is achieved through authorization code permission, and OAuth2RestTemplate calls the resource server.

6. The client needs to configure client information, token endpoint, authorization endpoint, redirect URI, etc.

7. Security configuration requires opening access rights to the login page and authorization page.

8. Be careful to use HTTPS to transmit tokens to avoid security risks such as CSRF attacks.

9. Spring Security OAuth 2.0 is simple to use, but requires understanding the workflow.

Microservice architecture based on OAuth3

Key points of the microservices reference architecture using OAuth 2.0/JWT:

1. Microservices can be divided into 5 layers: traffic entry layer, Web application layer, gateway layer, BFF layer and domain service layer.

2. The gateway layer is responsible for key security functions: verification and conversion of OAuth access tokens, and Scope-based authentication.

3. Typical application scenarios include: first-party web applications, first-party mobile applications, and third-party web applications.

4. The IDP service is responsible for OAuth protocol processing, token management, and user authentication.

5. The front-end authenticates via OAuth access tokens, and the back-end authenticates via JWT tokens containing user information.

6. The gateway converts between the two tokens to enable mixed use.

7. Different from traditional web applications, microservices emphasize service autonomy, elastic scaling, and statelessness.

8. Microservice security strives for zero authentication, fine-grained authentication, and stateless sessions.

9. Understanding the microservice security mechanism will help you deploy and operate OAuth 2.0.

How the open platform uses Oauth3

• The overall structure of the open platform system:

  • Third-party software: Application software implemented by third-party developers or ISVs by connecting to open platforms.
  • Open platform: includes API gateway service, OAuth 2.0 authorization service and third-party software developer center service.
  • Protected resource services: API services provided by the open platform require OAuth 2.0 authorization before they can be accessed.

• Authorization procedures for major open platforms:

  • It is recommended to use the authorization code licensing process.
  • The authorization flow charts of open platforms such as WeChat, Alipay, and Meituan all have text related to the authorization code.

• Parameter description in the authorization code process:

  • Parameters used in the redirection process: response_type, client_id, redirect_uri.
  • The authorization endpoint responds to the parameters used by Xiaotu software: code, state.
  • The basic parameters that need to be passed when applying for an access token: grant_type, client_id, client_secret, code.
  • The token endpoint responds to the parameters involved in Xiaotu software: access_token, token_type, expires_in, refresh_token, scope.