Table des matières
OAuth
An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
Voir aussi : Single Sign-On
RFC:
OAuth flows
Implicit flow
Diagram source from postman.com.
Implicit flow n'est pas sécurisé car le token est passé dans l'url et peut donc être volé. Il faut donc éviter de l'utiliser ou au pire seulement pour accéder au profile de l'utilisateur identifié. Public clients such as native apps and JavaScript apps should now use the authorization code flow with the PKCE extension instead.
J'ai fait un PoC là: https://git.artefacts.coop/Cyrille37/sso-oauth-implicit-grant
Authorization code flow
Diagram source from postman.com.
Authorization code flow with PKCE
Proof Key for Code Exchange (PKCE).
OAuth 2.0: Implicit Flow is Dead, Try PKCE Instead
Diagram source from postman.com.
Comment API vérifie le Access Token ?
Token Introspection
Question “What about oauth "introspection" ?” posée sur le Github de SocialiteProviders et sur flutter_appauth ainsi que sur StackOverFlow.
Et le client_secret ?
PKCE is not a replacement for client secret, it's not a client application authentication method. It's an additional verification mechanism to protect authorization code to from being stolen from user agent (browser). See RFC 7636.
Providers
- Documentation: https://dev.twitter.com/oauth/overview
- Developper applications settings: https://apps.twitter.com/
- OAuth urls:
- App-only authentication https://api.twitter.com/oauth2/token
- Request token URL https://api.twitter.com/oauth/request_token
- Authorize URL https://api.twitter.com/oauth/authorize
- Access token URL https://api.twitter.com/oauth/access_token
- Account verify credentials https://api.twitter.com/1.1/account/verify_credentials.json
Apple
Apple est moins couramment utilisé, peut être à cause de ses spécificités
To use Apple sign in, you need a client ID and client secret. You can get them from the Apple Developer Portal / Auth Keys.
To access LinkedIn APIs, a developer app should be created in the LinkedIn’s developer page.
For Individual Developers: API products available to individual developers have a default Company page associated with them and you must select that default Company page to proceed.
Documentation :
- Discovery url : https://www.linkedin.com/oauth/.well-known/openid-configuration
- Authenticating with OAuth 2.0 for Native Clients (use loopback IP listener)
- alternative OpenID Connect : Sign In with LinkedIn using OpenID Connect
API
Other tools:
- OAuth2 Proxy A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group with Nginx, Caddy or Traefik
PHP
Mobile & API
3 acteurs: l'App Mobile pour consommer, Le Site/API pour servir et le Fournisseur Tiers pour l'authentification.
On trouve des exemples avec Laravel Socialite pour le site et un package OAuth dans l'App mobile. Mais le site ne vérifie pas la validité du token fourni par l'App Mobile, qui l'a obtenue depuis le fournisseur tiers …
Aussi il n'est pas sécurisé de stocker le client_secret dans l'application.
Recherche d'une "bonne" méthode
Exigences:
- Ne pas avoir le
client_secretdans l'App - S'assurer que le social login est légitime
SESSION_COOKIE + STATE activate Api Api ->> Api: create STATE + SESSION COOKIE Api -->> Mobile: return AUTH_PROVIDER_URL
SESSION_COOKIE + STATE deactivate Api Note over Mobile,Auth: Mobile open the System default Browser Mobile ->> Browser: open AUTH_PROVIDER_URL activate Browser activate Auth Browser ->> Auth: request AUTH_PROVIDER_URL Auth -->> Browser: return auth ui deactivate Auth deactivate Mobile activate User Browser -->> User: read access scopes & login ui User ->> Browser: click Accept or Denied activate Auth Browser ->> Auth: post auth form deactivate User deactivate Browser activate Api critical Auth Protocol Auth ->> Api: "Auth callback with 'code'" Api ->> Auth: "Request Access" Auth -->> Api: "return access" end Note right of Mobile: http(s) deep link is verified with
"assetlinks.json" & "apple-app-site-association" deactivate Auth Api -->> Browser: return redirect DEEP_LINK deactivate Api activate Mobile Browser -->> Mobile: return redirect DEEP_LINK activate Api Mobile ->> Api: request Api Token
with SESSION_COOKIE + STATE Api -->> Mobile: return API_TOKEN deactivate Api deactivate Mobile Note over User,Api: Authentified user can request the Api activate User User ->> Mobile: "do something" activate Mobile activate Api Mobile ->> Api: "request something with API_TOKEN" Api -->> Mobile: "return something" Mobile -->> User: display what ever deactivate Api deactivate Mobile deactivate User