Let's Get Authorization Done by OAuth 2.0

What is OAuth 2.0? 

OAuth 2.0 is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” For example, you can tell Facebook that it’s OK for ABC.com/application to access your profile or post updates to your timeline without having to give ABC.com your Facebook password. This minimizes risk in a major way: In the event ABC.com suffers a breach, your Facebook password remains safe. This is known as secure, third-party, user-agent, delegated authorization.

How does it work?

Let's get started with OAuth Roles 👀

  • Resource Owner - the user who authorizes an application to access their account.
  • Client - the application that wants to access the user's account.
  • Resource Server - hosts the protected user accounts.
  • Authorization Server - verifies the identity of the user then issues access tokens to the application.
There are five types of grants specified in the OAuth 2.0 specification:
  1. Authorization grant
  2. Implicit grant
  3. Resource owner credentials grant
  4. Client credentials grant
  5. Refresh token grant

1. Authorization grant


Let's build an Android application to demonstrate this.

   1. Create a GitHub application.


Go to https://github.com/settings/developers and create a new OAuth App.


The authorization code will be passed as a query parameter in the callback URL you provide. For more information, read the GitHub OAuth documentation.

Once the application is created, a Client ID and a Client Secret will be provided. 

 2. Obtain the authorization code.

Assume you have already initiated an Android project.
In order to obtain an authorization code, a GET request should be made to the following URL with the parameters below.
GET https://github.com/login/oauth/authorize
Parameters:

  • client_id (string) - Required. The client ID you received from GitHub when you registered.
  • redirect_uri (string) - The URL in your application where users will be sent after authorization. See the GitHub documentation for details about redirect URLs.
  • scope (string) - A space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have already authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope.
  • state (string) - An unguessable random string. It is used to protect against cross-site request forgery attacks.
  • allow_signup (string) - Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is true. Use false in the case that a policy prohibits signups.

In order to redirect the user to the GitHub sign-in page, the code below is executed in the application's login button onClick handler.


Once the user is redirected to the GitHub login page, the user has to log into GitHub and grant consent for the requested scope (in our application the scope is repo).



If the user accepts the request, GitHub triggers a callback with a temporary code in the code parameter. In order to catch the authorization code provided as a query parameter in the callback URL, we have to define an Intent Filter for the Activity in AndroidManifest.xml and read the authorization code in the activity's onResume.


3. Obtain the access token using authorization code.

In order to get the access token, a POST request should be made to the following URL with the parameters below.
POST https://github.com/login/oauth/access_token
Parameters:

  • client_id (string) - Required. The client ID you received from GitHub for your GitHub App.
  • client_secret (string) - Required. The client secret you received from GitHub for your GitHub App.
  • code (string) - Required. The code you received as a response.
  • redirect_uri (string) - The URL in your application where users are sent after authorization.
Let's implement an API service in the application to make the POST request.


4. Consume the API using the token.

The obtained access token allows the app to make requests to the API on behalf of the user. 

Let's modify the API service in the application to fetch repos from GitHub API.
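The three client-side pieces of steps 2 and 3 above (building the authorize URL with a random state, checking that state when the callback comes back, and exchanging the code for a token), as an added stand-alone Python illustration rather than the Android code of this post; the client ID, secret and the myapp://callback redirect URI are constructed placeholders, and the `post` hook exists only so the token exchange can be exercised without network access.

```python
import hmac
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def build_authorize_url(client_id, redirect_uri, scope="repo"):
    """Step 2: the GET URL the user is sent to. Returns (url, state); the app
    must remember `state` so the callback can be tied back to this request."""
    state = secrets.token_urlsafe(32)  # unguessable, fresh for every attempt
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "allow_signup": "false"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Pull the temporary code out of the callback URL, refusing it unless the
    state GitHub echoes back matches the one we generated (CSRF check)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state missing or mismatched: callback rejected")
    if "error" in query:  # user declined, or GitHub reported a problem
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def exchange_code(client_id, client_secret, code, redirect_uri, post=None):
    """Step 3: POST the code to the token endpoint and return the access token.
    `post(url, body, headers) -> dict` may be injected for offline testing;
    by default the request is sent with urllib."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "redirect_uri": redirect_uri}).encode()
    headers = {"Accept": "application/json"}  # ask GitHub for a JSON response
    if post is None:
        req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            payload = json.load(resp)
    else:
        payload = post(TOKEN_URL, body, headers)
    if "access_token" not in payload:
        raise ValueError(f"token exchange failed: {payload.get('error', 'unknown')}")
    return payload["access_token"]
```

A callback whose state does not match the one generated for this attempt is discarded before the code is ever sent to the token endpoint, which is the whole point of the state parameter in the table above.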



Full implementation can be found on GitHub.
______________________________________________________________

Tip: Understand the concept well. Then you will be able to develop better applications.:octocat::zap:
