oauth 2, some notes

gistfile1.md

I did a bit of initial OAuth research this week for FxA (Firefox Accounts). It was interrupted by more pressing stuff (bugs bugs bugs), but thought I'd post my incomplete work-in-progress notes for whenever I get back to this.

Notes come from Getting Started with OAuth 2.0, which I accessed via Safari.

my next steps:

• look carefully at a number of JS SDKs
• think in terms of a generic OAuth abstraction for FxOS
• but begin by building the simplest possible solution for FxA on FxOS
  • we really need implicit grant,
  • and a proxy server that could handle redirects on behalf of serverless apps,
  • and a token validation server.
• If we had all that, we could build a really simple JS SDK that works on the real web and FxOS, and avoids getting mired in the rather slow Gecko/Gaia timeline

Client Profiles

1. Server-side web app

• can hold secrets without user seeing them
• can talk with resource server without user intervention
• uses secrets to generate tokens / regenerate tokens (refresh token)

2. Client-side web app

• can't put secrets here -- user secrets yes, app secrets, no
• OAuth's solution: short-lived bearer tokens

3. Native app (desktop or mobile)

• like browser app, you can't put app secrets here
• even worse, might not have full browser capabilities (just embedded webviews)

Sending tokens to server

• HTTP Auth header
  • only required method in the spec
  • preferred because
    • rarely logged by proxy servers/web servers
    • rarely cached, including not stored in browser cache
• Other methods:
• Query parameter (for GET requests)
• Form-encoded body parameter (for POST requests)

Auth flows/grant types

1. Auth code

• used for server-side web apps
• request sends client secrets (client_id, client_secret)
• response includes bearer token and refresh token

2. Implicit grant

• simplest flow, designed for browser-based requests
• user enters creds, redirect contains short-lived token

3. Resource owner password-based access grant

• user gives creds to app
• app gets long-lived access token & discards user creds
• user can revoke app access without needing to change password
• token is scoped, another advantage vs storing password

4. Client creds

• app, not user, has creds for resource it (not user) owns/controls
• irrelevant to our use case

Some existing JS and mobile APIs?

Facebook's "roll your own" docs

1. Logging in

• open a dialog at fb.com/dialog/oauth?client_id={app_id}&redirect_uri={uri}
• if you're in a desktop app, using a webview, then redirect_uri must be fb.com/connect/login_success.html
  • not sure why?
• interesting note that win8 apps use "Package Security Identifier" & ms-app scheme (though it's unforgivably wordy):

var requestUri = new Windows.Foundation.Uri(
  'fb.com/dialog/oauth?...&redirect_uri=ms-app://{package-security-id}
);
Windows.Security.Authentication.Web.webAuthenticationBroker
  .authenticateAsync(options, requestUri)
  .done(function onLogin(result) { /* do something with login */})

After login, you're granted a token or a code.

• Given a token, use fb.com/debug_token to verify app ID and user ID.
  • This prevents malicious fake redirects
• Given a code and a client_secret, you can obtain a token
  • As mentioned above, client_secret can't be stored in binaries/websites, only on secure servers

Refs/link dump

• general oauth links
  • nice diagrams of OAuth flows: https://www-304.ibm.com/support/knowledgecenter/SSELE6_8.0.0.3/com.ibm.ammob.doc_8.0.0.3/config/concept/con_oauth20_workflow.html%23con_oauth20_workflow
  • Getting Started with OAuth 2.0
    • I've used the safari link to access it
• oauth provider docs
  • facebook docs
    • iOS SDK: https://developers.facebook.com/docs/facebook-login/ios/v2.1
    • integrated iOS UX docs: https://developers.facebook.com/docs/ios/ui-controls
    • JS SDK: https://developers.facebook.com/docs/javascript/reference/v2.1
    • roll your own JS: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1
  • windows docs http://msdn.microsoft.com/en-us/library/windows/apps/jj856915.aspx
  • some salesforce oauth docs https://developer.salesforce.com/blogs/developer-relations/2014/04/3-ways-to-configure-salesforce-oauth-authentication-in-native-ios-apps.html
  • chrome user auth docs https://developer.chrome.com/apps/app_identity
    • note that chrome packaged apps handle the redirect URL by providing an app-uuid.chromium-apps.org redirect URL, then proxying the token back to the device: https://developer.chrome.com/apps/identity#method-launchWebAuthFlow
• vendor token validation: http://stackoverflow.com/questions/12296017/how-to-validate-a-oauth2-0-access-token-for-a-resource-server
  • with google: https://developers.google.com/accounts/docs/OAuth2UserAgent#validatetoken
  • with facebook: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1#checktoken
• FxA
  • FxA currently only supports server-server style OAuth, involving client secrets: https://developer.mozilla.org/en-US/Firefox_Accounts#Becoming_a_Firefox_Accounts_OAuth_relier
  • some existing OAuth code inside Gaia https://github.com/mozilla-b2g/gaia/blob/master/apps/calendar/js/oauth_window.js
  • seanmonstar blogged about oauth+fxa: http://seanmonstar.com/post/87709828215/firefox-accounts-oauth-explorations
  • spenrose starting the DOM API discussion: http://lists.w3.org/Archives/Public/public-webapps/2014JulSep/0243.html
    • and related prototype https://github.com/SamPenrose/ua-augmented-auth/
  • random etherpad meeting notes from week of 9/2/14: https://id.etherpad.mozilla.org/oauth-on-fxos