Table des matières

OAuth

OAuth

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

http://oauth.net/

Voir aussi : Single Sign-On

Comprendre le framework OAuth 2.0 et les roles et mécanismes en jeu durant le processus d'autorisation

RFC:

6749 The OAuth 2.0 Authorization Framework
- 8252 OAuth 2.0 for Native Apps
- 8996 Deprecating TLS 1.0 and TLS 1.1
- rfc9700 Best Current Practice for OAuth 2.0 Security
7636 Proof Key for Code Exchange by OAuth Public Clients, September 2015

OAuth flows

Implicit flow

Image source https://blog.postman.com/pkce-oauth-how-to

Diagram source from postman.com.

Implicit flow n'est pas sécurisé car le token est passé dans l'url et peut donc être volé. Il faut donc éviter de l'utiliser ou au pire seulement pour accéder au profile de l'utilisateur identifié. Public clients such as native apps and JavaScript apps should now use the authorization code flow with the PKCE extension instead.

Why you should stop using the OAuth implicit grant!

J'ai fait un PoC là: https://git.artefacts.coop/Cyrille37/sso-oauth-implicit-grant

Authorization code flow

Diagram source from postman.com.

Authorization code flow with PKCE

Proof Key for Code Exchange (PKCE).

OAuth 2.0: Implicit Flow is Dead, Try PKCE Instead

Diagram source from postman.com.

Comment API vérifie le Access Token ?

Token Introspection

https://stackoverflow.com/questions/12296017/how-to-validate-an-oauth-2-0-access-token-for-a-resource-server

Question “What about oauth "introspection" ?” posée sur le Github de SocialiteProviders et sur flutter_appauth ainsi que sur StackOverFlow.

Et le client_secret ?

PKCE is not a replacement for client secret, it's not a client application authentication method. It's an additional verification mechanism to protect authorization code to from being stolen from user agent (browser). See RFC 7636.

Providers

Twitter

Documentation: https://dev.twitter.com/oauth/overview
Developper applications settings: https://apps.twitter.com/
OAuth urls:
- App-only authentication https://api.twitter.com/oauth2/token
- Request token URL https://api.twitter.com/oauth/request_token
- Authorize URL https://api.twitter.com/oauth/authorize
- Access token URL https://api.twitter.com/oauth/access_token
Account verify credentials https://api.twitter.com/1.1/account/verify_credentials.json

Apple

Apple est moins couramment utilisé, peut être à cause de ses spécificités

To use Apple sign in, you need a client ID and client secret. You can get them from the Apple Developer Portal / Auth Keys.

https://www.better-auth.com/docs/authentication/apple

LinkedIn

To access LinkedIn APIs, a developer app should be created in the LinkedIn’s developer page.

For Individual Developers: API products available to individual developers have a default Company page associated with them and you must select that default Company page to proceed.

Documentation :

Discovery url : https://www.linkedin.com/oauth/.well-known/openid-configuration
Token Introspection : https://learn.microsoft.com/en-us/linkedin/shared/authentication/token-introspection?tabs=http
https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2
Authenticating with OAuth 2.0 for Native Clients (use loopback IP listener)
alternative OpenID Connect : Sign In with LinkedIn using OpenID Connect

API

http://oauth.net/code/

Other tools:

OAuth2 Proxy A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group with Nginx, Caddy or Traefik

PHP

https://github.com/thephpleague/oauth2-client
Laravel Socialite
- Laravel API Authentication via Sanctum & Socialite and test on Postman
- Social Login In Laravel Via Api With Socialite
PHP OAuth API on phpclasses.org: package, blog

Mobile & API

3 acteurs: l'App Mobile pour consommer, Le Site/API pour servir et le Fournisseur Tiers pour l'authentification.

On trouve des exemples avec Laravel Socialite pour le site et un package OAuth dans l'App mobile. Mais le site ne vérifie pas la validité du token fourni par l'App Mobile, qui l'a obtenue depuis le fournisseur tiers …

Aussi il n'est pas sécurisé de stocker le client_secret dans l'application.

Recherche d'une "bonne" méthode

Exigences:

Ne pas avoir le client_secret dans l'App
S'assurer que le social login est légitime

sequenceDiagram participant User participant Mobile participant Browser participant Api participant Auth autonumber activate User User ->> Mobile: Click one provider button activate Mobile deactivate User Mobile ->> Api: request auth provider url
SESSION_COOKIE + STATE activate Api Api ->> Api: create STATE + SESSION COOKIE Api -->> Mobile: return AUTH_PROVIDER_URL
SESSION_COOKIE + STATE deactivate Api Note over Mobile,Auth: Mobile open the System default Browser Mobile ->> Browser: open AUTH_PROVIDER_URL activate Browser activate Auth Browser ->> Auth: request AUTH_PROVIDER_URL Auth -->> Browser: return auth ui deactivate Auth deactivate Mobile activate User Browser -->> User: read access scopes & login ui User ->> Browser: click Accept or Denied activate Auth Browser ->> Auth: post auth form deactivate User deactivate Browser activate Api critical Auth Protocol Auth ->> Api: "Auth callback with 'code'" Api ->> Auth: "Request Access" Auth -->> Api: "return access" end Note right of Mobile: http(s) deep link is verified with
"assetlinks.json" & "apple-app-site-association" deactivate Auth Api -->> Browser: return redirect DEEP_LINK deactivate Api activate Mobile Browser -->> Mobile: return redirect DEEP_LINK activate Api Mobile ->> Api: request Api Token
with SESSION_COOKIE + STATE Api -->> Mobile: return API_TOKEN deactivate Api deactivate Mobile Note over User,Api: Authentified user can request the Api activate User User ->> Mobile: "do something" activate Mobile activate Api Mobile ->> Api: "request something with API_TOKEN" Api -->> Mobile: "return something" Mobile -->> User: display what ever deactivate Api deactivate Mobile deactivate User