====== OAuth ======

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. http://oauth.net/

See also: [[:glossaire:sso|Single Sign-On]]

  * [[https://zestedesavoir.com/articles/1616/comprendre-oauth-2-0-par-lexemple/#5-les-differents-scenarios-dautorisation|Understanding the OAuth 2.0 framework and the roles and mechanisms involved in the authorization process]] (in French)

RFC:
  * [[rfc>6749]] The OAuth 2.0 Authorization Framework
  * [[rfc>7636]] Proof Key for Code Exchange by OAuth Public Clients, September 2015
  * [[rfc>8252]] OAuth 2.0 for Native Apps
  * [[rfc>8996]] Deprecating TLS 1.0 and TLS 1.1
  * [[rfc>9700]] Best Current Practice for OAuth 2.0 Security

===== OAuth flows =====

==== Implicit flow ====

{{:informatique:oauth_implicit_flow.png?nolink&400|Image source https://blog.postman.com/pkce-oauth-how-to}}

Diagram source: [[https://blog.postman.com/pkce-oauth-how-to|postman.com]].

  * [[https://oauth.net/2/grant-types/implicit/|OAuth 2.0 Implicit Grant]]
  * [[https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow|GitLab OAuth 2.0 Implicit Grant]]

The implicit flow is not secure: the access token is returned directly in the redirect URL (in the fragment), so it can leak through browser history, referrers or injected scripts, and the client has no way to check that the token it receives was actually issued to it. RFC 9700 recommends not using this grant at all. Avoid it; at worst, use it only to read the profile of the signed-in user.

Public clients such as native apps and JavaScript apps should now use the **authorization code flow with the PKCE** extension instead.

  * [[https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926|Why you should stop using the OAuth implicit grant!]]

I made a PoC here: https://git.artefacts.coop/Cyrille37/sso-oauth-implicit-grant

==== Authorization code flow ====

{{:informatique:oauth_authorization_code_flow_.png?nolink&650|}}

Diagram source: [[https://blog.postman.com/pkce-oauth-how-to|postman.com]].

==== Authorization code flow with PKCE ====

Proof Key for Code Exchange (PKCE).
[[https://blog.postman.com/pkce-oauth-how-to/|OAuth 2.0: Implicit Flow is Dead, Try PKCE Instead]]

{{:informatique:oauth_authorization_code_flow_with_pkce.png?nolink&700|}}

Diagram source: [[https://blog.postman.com/pkce-oauth-how-to|postman.com]].

=== How does the API verify the access token? ===

Token introspection ([[rfc>7662]]): the resource server (the API) POSTs the token to the authorization server's introspection endpoint, authenticating itself as a client of that endpoint, and receives a JSON object whose ''active'' field says whether the token is currently valid, together with claims such as ''scope'', ''client_id'', ''exp'' and ''aud''. The API must still check those claims itself (audience, required scope); ''active: true'' alone is not an authorization decision. Self-contained tokens (JWT) can instead be verified locally against the issuer's published signing keys, but that is provider-specific.

  * https://stackoverflow.com/questions/12296017/how-to-validate-an-oauth-2-0-access-token-for-a-resource-server

The question "[[https://github.com/SocialiteProviders/Providers/discussions/1387|What about oauth "introspection" ?]]" was asked on the SocialiteProviders GitHub and on [[https://github.com/MaikuB/flutter_appauth/issues/624|flutter_appauth]], as well as on [[https://stackoverflow.com/questions/79752406/lavarel-socialite-and-introspection-endpoint-aka-access-token-validation-at-ser|StackOverflow]].

=== What about the client_secret? ===

PKCE is **not a replacement for the client secret**; it is not a client authentication method. It is an additional verification mechanism that protects the authorization code: the token endpoint only redeems the code for the party that knows the original ''code_verifier'', so a code stolen from the user agent (browser) or intercepted on the redirect is useless on its own. A public client (mobile app, SPA) cannot keep a secret, so PKCE is what it relies on; a confidential client should use both its secret and PKCE. See [[rfc>7636|RFC 7636]].
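The three points above (PKCE binding of the code, introspection at the API, and PKCE not being client authentication) fit in one simulated exchange. The following is an added example written for this page, not code from the original page or from any provider: a toy in-memory authorization server with authorization, token and introspection endpoints, a client that runs the authorization code flow with S256 PKCE, and a resource server check that introspects the bearer token. The ''demo-api'' audience, the resource server credentials and the loopback redirect URI are assumptions made for the example; the RFC 7636 test vector in the test is the real one from its appendix.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

RS_ID, RS_SECRET, AUDIENCE = "demo-api", "rs-secret", "demo-api"  # assumed RS credentials and audience


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """A fresh high-entropy code_verifier (43 chars from 32 random bytes) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_s256(verifier)


class AuthorizationServer:
    """Toy provider: authorization, token and introspection endpoints, all kept in memory."""

    def __init__(self):
        self.codes = {}   # one-time authorization code -> what it was bound to
        self.tokens = {}  # access_token -> introspection claims

    def authorize(self, params: dict) -> str:
        """Called once the user has consented. The code is bound to client_id, redirect_uri and the challenge."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection against code interception")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {k: params[k] for k in ("client_id", "redirect_uri", "code_challenge")}
        self.codes[code]["scope"] = params.get("scope", "")
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint. The code is redeemed only by whoever knows the verifier behind the stored challenge.
        Nothing here authenticates the client itself: PKCE is not a client_secret."""
        bound = self.codes.pop(form.get("code"), None)  # pop: a code can be redeemed once
        if bound is None or bound["client_id"] != form.get("client_id") or bound["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        if not secrets.compare_digest(code_challenge_s256(form["code_verifier"]), bound["code_challenge"]):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        now, access_token = int(time.time()), secrets.token_urlsafe(32)
        self.tokens[access_token] = {"active": True, "client_id": bound["client_id"], "scope": bound["scope"],
                                     "aud": AUDIENCE, "iat": now, "exp": now + 3600}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, rs_id: str, rs_secret: str, token: str) -> dict:
        """RFC 7662 introspection: the caller must be an authenticated resource server;
        an unknown, revoked or expired token simply yields {"active": false}."""
        if not (rs_id == RS_ID and secrets.compare_digest(rs_secret, RS_SECRET)):
            raise PermissionError("invalid_client")
        claims = self.tokens.get(token)
        if claims is None or claims["exp"] <= int(time.time()):
            return {"active": False}
        return dict(claims)


def api_authorizes(auth_server: AuthorizationServer, bearer: str, required_scope: str) -> bool:
    """What the API does per request: introspect, then check active, audience and scope itself."""
    info = auth_server.introspect(RS_ID, RS_SECRET, bearer)
    return bool(info.get("active")) and info.get("aud") == AUDIENCE and required_scope in info.get("scope", "").split()


def run_flow(steal_code: bool = False) -> dict:
    """Client side of the exchange. With steal_code=True an attacker who captured the redirect (code + state)
    but not the client's in-memory code_verifier tries to redeem the code with a verifier of their own."""
    auth_server = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect_uri = "http://127.0.0.1:8080/callback"  # loopback redirect, the RFC 8252 pattern for native apps
    redirect = auth_server.authorize({"response_type": "code", "client_id": "mobile-app", "redirect_uri": redirect_uri,
                                      "scope": "profile", "state": state, "code_challenge": challenge,
                                      "code_challenge_method": "S256"})
    query = parse_qs(urlparse(redirect).query)
    if not secrets.compare_digest(query["state"][0], state):  # CSRF check before the code is used
        raise PermissionError("state mismatch")
    form = {"grant_type": "authorization_code", "code": query["code"][0], "client_id": "mobile-app",
            "redirect_uri": redirect_uri,
            "code_verifier": make_pkce_pair()[0] if steal_code else verifier}
    try:
        issued = auth_server.token(form)
    except PermissionError:
        return {"token_issued": False}
    bearer = issued["access_token"]
    return {"token_issued": True,
            "profile_allowed": api_authorizes(auth_server, bearer, "profile"),
            "admin_allowed": api_authorizes(auth_server, bearer, "admin"),
            "bogus_token_allowed": api_authorizes(auth_server, "not-a-token", "profile")}
```

''run_flow()'' returns a token and the API grants ''profile'' but not ''admin'' and rejects an unknown token; ''run_flow(steal_code=True)'' gets no token at all because the stolen code cannot be redeemed without the verifier. Against a real provider the ''introspect'' call becomes an HTTPS POST with client credentials, and the API should additionally cache or rate-limit introspection results.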
===== Providers =====

==== Twitter ====

  * Documentation: https://dev.twitter.com/oauth/overview (legacy host)
  * Developer application settings: https://apps.twitter.com/
  * OAuth URLs:
    * App-only authentication (OAuth 2.0, client credentials): https://api.twitter.com/oauth2/token
    * Request token URL (OAuth 1.0a): https://api.twitter.com/oauth/request_token
    * Authorize URL (OAuth 1.0a): https://api.twitter.com/oauth/authorize
    * Access token URL (OAuth 1.0a): https://api.twitter.com/oauth/access_token
    * Account verify credentials: https://api.twitter.com/1.1/account/verify_credentials.json

Note that the request_token, authorize and access_token endpoints are OAuth 1.0a (signed requests, acting on behalf of a user), not OAuth 2.0. Only ''/oauth2/token'' is an OAuth 2.0 endpoint, and it authenticates the application alone, without any user context.

==== Apple ====

Apple is less commonly used, perhaps because of its specifics. The main one: Sign in with Apple has no static client secret. You register a Services ID (used as ''client_id'') and download a private key from the developer portal; the ''client_secret'' sent to the token endpoint is a JWT that you sign yourself with that key (ES256) and that is valid for at most six months, so it has to be regenerated periodically.

  * [[https://dev.to/varsilias/complete-guide-to-implementing-apple-oauth-20sign-in-with-apple-authentication-in-a-nodeexpress-application-4hf|Guide to Implementing Apple OAuth 2.0 (Sign in with Apple)]]
  * [[https://support.apple.com/fr-fr/guide/deployment/depfdbf18f55/web|Introduction to single sign-on with Apple devices]] (in French)

To use Apple sign-in, you need a client ID and a private key. The key is created in the [[https://developer.apple.com/account/resources/authkeys/list|Apple Developer Portal / Auth Keys]] and is what you generate the client secret from.

  * https://www.better-auth.com/docs/authentication/apple

==== LinkedIn ====

To access LinkedIn APIs, a developer app must be created on the [[https://www.linkedin.com/developers/apps|LinkedIn developer page]].

For individual developers: API products available to individual developers have a **default Company page associated with them**, and you must select that default Company page to proceed.
Documentation:
  * Discovery URL: https://www.linkedin.com/oauth/.well-known/openid-configuration
  * Token introspection: https://learn.microsoft.com/en-us/linkedin/shared/authentication/token-introspection?tabs=http
  * https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2
  * [[https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow-native?context=linkedin%2Fsales%2Fcontext|Authenticating with OAuth 2.0 for Native Clients]] (uses a loopback IP listener as the redirect target, as described in RFC 8252)
  * OpenID Connect alternative: [[https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2?source=recommendations|Sign In with LinkedIn using OpenID Connect]]

===== API =====

  * http://oauth.net/code/

Other tools:
  * [[https://oauth2-proxy.github.io/oauth2-proxy/|OAuth2 Proxy]]: a reverse proxy and static file server that provides authentication through providers (Google, GitHub and others) and validates accounts by email, domain or group, in front of Nginx, Caddy or Traefik.

==== PHP ====

  * https://github.com/thephpleague/oauth2-client
  * [[https://github.com/laravel/socialite|Laravel Socialite]]
  * [[https://dev.to/philipdroubi/laravel-9-api-authentication-via-sanctum-socialite-and-test-on-postman-2iki|Laravel API Authentication via Sanctum & Socialite and test on Postman]]
  * [[https://medium.com/@faizanrafique/the-social-login-in-laravel-via-api-with-socialite-by-faizan-ali-717ad9075ee7|Social Login In Laravel Via API With Socialite]]
  * PHP OAuth API on phpclasses.org: [[http://www.phpclasses.org/blog/package/7700/|blog]], [[http://www.phpclasses.org/package/7700-PHP-Authorize-and-access-APIs-using-OAuth.html|package]]

===== Mobile & API =====

Three actors: the mobile app, which consumes; the site/API, which serves; and the third-party provider, which authenticates the user. Examples exist that use Laravel Socialite on the site side and an OAuth package in the mobile app.
But in those examples the site does not verify the validity of the token supplied by the mobile app, which the app obtained from the third-party provider: the site trusts whatever the app sends instead of checking it with the provider (introspection or a userinfo call). Also, storing the ''client_secret'' in the application is not secure, since anything shipped inside a mobile app can be extracted.

  * [[https://taufanfadhilahiskandar.medium.com/three-ways-to-using-laravel-socialite-5f1280ed3c47|Three ways to use Laravel Socialite]]
  * https://api-platform.com/docs/laravel/

==== Looking for a "good" method ====

Requirements:
  * No ''client_secret'' in the app
  * Make sure the social login is legitimate

<code mermaid>
sequenceDiagram
    participant User
    participant Mobile
    participant Browser
    participant Api
    participant Auth
    autonumber
    activate User
    User ->> Mobile: Click one provider button
    activate Mobile
    deactivate User
    Mobile ->> Api: request auth provider url<br/>SESSION_COOKIE + STATE
    activate Api
    Api ->> Api: create STATE + SESSION COOKIE
    Api -->> Mobile: return AUTH_PROVIDER_URL<br/>SESSION_COOKIE + STATE
    deactivate Api
    Note over Mobile,Auth: Mobile opens the system default browser
    Mobile ->> Browser: open AUTH_PROVIDER_URL
    activate Browser
    activate Auth
    Browser ->> Auth: request AUTH_PROVIDER_URL
    Auth -->> Browser: return auth ui
    deactivate Auth
    deactivate Mobile
    activate User
    Browser -->> User: read access scopes & login ui
    User ->> Browser: click Accept or Deny
    activate Auth
    Browser ->> Auth: post auth form
    deactivate User
    deactivate Browser
    activate Api
    critical Auth Protocol
        Auth ->> Api: "Auth callback with 'code'"
        Api ->> Auth: "Request Access"
        Auth -->> Api: "return access"
    end
    Note right of Mobile: http(s) deep link is verified with<br/>"assetlinks.json" & "apple-app-site-association"
    deactivate Auth
    Api -->> Browser: return redirect DEEP_LINK
    deactivate Api
    activate Mobile
    Browser -->> Mobile: return redirect DEEP_LINK
    activate Api
    Mobile ->> Api: request Api Token<br/>with SESSION_COOKIE + STATE
    Api -->> Mobile: return API_TOKEN
    deactivate Api
    deactivate Mobile
    Note over User,Api: Authenticated user can request the Api
    activate User
    User ->> Mobile: "do something"
    activate Mobile
    activate Api
    Mobile ->> Api: "request something with API_TOKEN"
    Api -->> Mobile: "return something"
    Mobile -->> User: display whatever
    deactivate Api
    deactivate Mobile
    deactivate User
</code>
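The Api side of the sequence above, as an added example written for this page (not the page's own code, and not tied to Laravel or any framework): the Api creates a SESSION_COOKIE plus a random STATE when the app asks for the provider URL, receives the provider callback itself so the ''client_secret'' never leaves the server, sends the browser back to the app through a deep link that carries only the state, and releases the API_TOKEN exactly once, to the caller presenting both the cookie and the state. The ''ApiBackend'' class, the ''exampleapp://'' deep link, the ''api.example'' host, the 300 s expiry and the fake provider exchange are all assumptions made for the example; the provider call is a constructed stand-in so the code runs offline.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

LOGIN_TTL = 300  # seconds a pending login may stay open (assumed policy)


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two opaque tokens."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class ApiBackend:
    """The site/API of the diagram. Only it talks to the provider's token endpoint, so only it holds the client_secret."""

    def __init__(self, provider_exchange, clock=time.time):
        self._exchange = provider_exchange  # code -> identity; server-to-server call that uses the client_secret
        self._clock = clock
        self._pending = {}    # SESSION_COOKIE -> login attempt
        self.api_tokens = {}  # API_TOKEN -> identity

    def begin_login(self, provider: str) -> dict:
        """'request auth provider url': create STATE + SESSION_COOKIE and return the URL the app opens in the system browser."""
        cookie, state = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._pending[cookie] = {"state": state, "provider": provider, "created": self._clock(), "identity": None}
        auth_url = f"https://{provider}.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": "demo-client", "state": state,
            "redirect_uri": "https://api.example/auth/callback"})  # the callback lands on the Api, not on the app
        return {"session_cookie": cookie, "state": state, "auth_provider_url": auth_url}

    def _attempt_for_state(self, state: str):
        for attempt in self._pending.values():
            if _same(attempt["state"], state):
                return attempt
        return None

    def auth_callback(self, code: str, state: str) -> str:
        """'Auth callback with code': redeem the code server-side, then redirect the browser to the app's
        deep link. The deep link carries only the state, never a token."""
        attempt = self._attempt_for_state(state)
        if attempt is None or attempt["identity"] is not None:
            raise PermissionError("unknown or already used state")
        attempt["identity"] = self._exchange(code)
        return "exampleapp://login?" + urlencode({"state": state})

    def issue_api_token(self, session_cookie: str, state: str) -> str:
        """'request Api Token with SESSION_COOKIE + STATE': the token goes only to the caller holding both, once."""
        attempt = self._pending.get(session_cookie)
        if attempt is None:
            raise PermissionError("no pending login for this session")
        if not _same(attempt["state"], state):
            raise PermissionError("state mismatch")
        if self._clock() - attempt["created"] > LOGIN_TTL:
            del self._pending[session_cookie]
            raise PermissionError("login attempt expired")
        if attempt["identity"] is None:
            raise PermissionError("provider callback has not completed")
        del self._pending[session_cookie]  # one-time: cookie + state cannot be replayed
        token = secrets.token_urlsafe(32)
        self.api_tokens[token] = attempt["identity"]
        return token

    def whoami(self, api_token: str):
        return self.api_tokens.get(api_token)


def fake_provider_exchange(code: str) -> dict:
    """Constructed stand-in for the provider's token + userinfo endpoints (no network in this example)."""
    return {"sub": "user-" + code, "provider": "fake"}


def _rejected(call) -> bool:
    try:
        call()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Happy path plus the three things the binding is meant to stop: a caller who saw the deep link
    (state) but has no session cookie, a replay of an already redeemed cookie + state, and a stale attempt."""
    api = ApiBackend(fake_provider_exchange)
    start = api.begin_login("fake")                          # mobile app, over its own HTTP client
    deep_link = api.auth_callback("c0d3", start["state"])   # browser, after the user clicked Accept
    results = {"deep_link": deep_link == "exampleapp://login?state=" + start["state"],
               "no_cookie_rejected": _rejected(lambda: api.issue_api_token("guessed-cookie", start["state"]))}
    token = api.issue_api_token(start["session_cookie"], start["state"])  # mobile app again, cookie + state
    results["user"] = api.whoami(token)["sub"]
    results["replay_rejected"] = _rejected(lambda: api.issue_api_token(start["session_cookie"], start["state"]))
    now = [1000.0]
    slow = ApiBackend(fake_provider_exchange, clock=lambda: now[0])
    stale = slow.begin_login("fake")
    slow.auth_callback("c0d4", stale["state"])
    now[0] += LOGIN_TTL + 1
    results["stale_rejected"] = _rejected(lambda: slow.issue_api_token(stale["session_cookie"], stale["state"]))
    return results
```

The cookie is set on the app's own HTTP client and never reaches the browser, while the browser only ever sees the state in the deep link; an attacker who captures the deep link therefore cannot turn it into an API_TOKEN. Deep-link verification itself (''assetlinks.json'', ''apple-app-site-association'') is done by the mobile OS and is outside this code.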