oauth2

why do we need oauth2?

the early era

Before the social-network era, authentication and authorization were isolated and restricted to a single domain.


social network and mobile

APIs and Web 2.0 need the isolated information islands to be connected. Two problems need to be resolved:

  1. delegated authorization
  2. duplicated registration

Could the cookie help with this connection? No.

  • a cookie is bound to a specific domain
  • a cookie has no scope (no notion of partial permissions)
  • cookies were born with the web and are not a proper fit for REST APIs

Oauth2 flows

  1. authorization code
  2. implicit
  3. password
  4. client credentials

The possible vulnerabilities when implementing the oauth2 authorization code flow

  1. state parameter? It prevents CSRF: the start URL must be generated by the client itself, never a URL shared or constructed by anyone else, so the client can reject a callback whose state it did not issue.

  2. code replay? If the authorization code can be used many times, the code is exposed to a replay attack; it must be single-use and short-lived.

  3. redirect uri? If the redirect URI can be replaced with another valid client URL, the attacker may obtain the token via the code response from the authorization server; the redirect URI must be exactly matched against the registered value.

  4. access token revoke? refresh token revoke? If the access token cannot be revoked, the protected resource is at risk for the whole lifetime of the token.
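The four checks above in one place, as an added example that is not part of the original note: a minimal in-memory authorization server (exact redirect URI match, single-use expiring code, revocable token) plus the client-side state check. All names, the client id "app1" and its redirect URI are constructed for the example.

```python
import secrets
import time

# Constructed registration data for the example; not taken from any real deployment.
REGISTERED_REDIRECTS = {"app1": {"https://app1.example/cb"}}
CODES = {}   # code -> (client_id, redirect_uri, expiry)
TOKENS = {}  # access token -> revoked flag

def issue_code(client_id, redirect_uri, ttl=60):
    """Authorization endpoint: only an exact, pre-registered redirect URI gets a code."""
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        raise ValueError("redirect_uri is not registered for this client")
    code = secrets.token_urlsafe(32)
    CODES[code] = (client_id, redirect_uri, time.time() + ttl)
    return code

def exchange_code(code, client_id, redirect_uri):
    """Token endpoint: the code is single-use and bound to the client and redirect URI."""
    entry = CODES.pop(code, None)  # pop() removes it, so a replayed code finds nothing
    if entry is None or entry[2] < time.time():
        return None
    if entry[0] != client_id or entry[1] != redirect_uri:
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = False  # not revoked
    return token

def revoke_token(token):
    """Revocation: the resource server checks this flag before serving anything."""
    if token in TOKENS:
        TOKENS[token] = True

def token_is_valid(token):
    return token in TOKENS and not TOKENS[token]

def client_start_login(session):
    """Client side: mint a per-session state so the callback can reject forged requests."""
    session["state"] = secrets.token_urlsafe(16)
    return session["state"]

def client_handle_callback(session, state, code):
    """Client side: accept the code only if state matches the one this session minted."""
    expected = session.pop("state", None)
    if expected is None or not secrets.compare_digest(expected, state):
        raise ValueError("state mismatch, request was not started by this client")
    return code
```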


What about customizing Oauth2?

Customizing OAuth2 is a complex task, and it is essential to follow best practices to keep the implementation secure. Use a well-known and trusted OAuth2 library and follow the OAuth2 specification closely to avoid security vulnerabilities. Additionally, test the implementation thoroughly to confirm that it behaves as expected and to identify any potential issues or vulnerabilities before deployment.

Oauth2 makes communication across the world easier.
