OAuth 2.0 and OpenID protocol

Open Table of contents

Protocol in short
Token Grant Flow
Token usage
- Use Access Token to Call Resource Provider
- Resource Provider Validate Access Token

Protocol in short

1. OAuth workflow

https://oauth.net/2

❗**How OAuth do authorization?**

Authorization server create a secret for resource owner

Resource owner grant this secret to client

Client ask Authorization Server with this secret for access token

Client use access token to access Resource Server, Resource Server verify access token locally(use Authorization Server’s public key)

2. OpenID Connect

OpenID Connect (OIDC) is part of the implementation of OAuth2, steps1.1 - 2.2

❗**How OIDC do authorization?**

While OAuth 2.0 is about resource access and sharing, OIDC is about user authentication. Its purpose is to give you one login for multiple sites. Each time you need to log in to a website using OIDC, you are redirected to your OpenID site where you log in, and then taken back to the website. For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google sends information back to Auth0 about the user and the authentication performed. This information is returned in a JWT. You’ll receive an access token and if requested, an ID token.

Workload Identity Federation

Workload identity federation is a new authorization method, used in Google Cloud, AWS, Azure.

Comparing to secret auth/cert auth which requires the resource owner to maintain secrets that leads to security risks of secret exposure, secret expiration, Workload Identity Federation introduce a third party role, Identity Provider(IdP), to provide token and authentication service.

Workflow In short:

Client acquires token from IdP(Client is managed by IdP so it could fetch token directly);

Client sends token to Resource Server

Resource Server ask IdP to validate this token(IdP service has been registered in Resource Service as Issuer URL)

https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation#how-it-works

The external workload (such as a GitHub Actions workflow) requests a token from the external IdP (such as GitHub).
The external IdP issues a token to the external workload.
The external workload (the sign in action in a GitHub workflow, for example) sends the token to Microsoft identity platform and requests an access token.
Microsoft identity platform checks the trust relationship on the user-assigned managed identity or app registration and validates the external token against the OpenID Connect (OIDC) issuer URL on the external IdP.
When the checks are satisfied, Microsoft identity platform issues an access token to the external workload.
The external workload accesses Microsoft Entra protected resources using the access token from Microsoft identity platform. A GitHub Actions workflow, for example, uses the access token to publish a web app to Azure App Service.

3. SAML / SSO

SAML = Security Assertion Markup Language

Extensible Markup Language (XML) standard that facilitates secure authentication and authorization data exchange
SAML request / response

SSO = Single Sign-on

Describe authorization procedure: steps 3, 4, 5, 6.

Service Provider and Identity Provider has a trusted relationship

Token Grant Flow

Take Microsoft identity platform as example

1. Authorization Code Grant

Resource owner should interact with User Agent(usually a web browser) to perform approval action

2. Implicit Grant

Resource owner should interact with User Agent

3. Resource Owner Password Credentials Grant

4. Client Credentials Grant

Token usage

Use Access Token to Call Resource Provider

https://auth0.com/docs/secure/tokens/access-tokens/use-access-tokens

Transmit the access token to the API via Header Authorization

GET /calendar/v1/events
    Host: api.example.com
    
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuYXV0aDAuY29tLyIsImF1ZCI6Imh0dHBzOi8vYXBpLmV4YW1wbGUuY29tL2NhbGFuZGFyL3YxLyIsInN1YiI6InVzcl8xMjMiLCJpYXQiOjE0NTg3ODU3OTYsImV4cCI6MTQ1ODg3MjE5Nn0.CA7eaHjIHz5NxeIJoFK9krqaeZrPLwmMmgI_XiQiIkQ

Resource Provider Validate Access Token

https://auth0.com/docs/secure/tokens/access-tokens/validate-access-tokens

JWT Validation

JSON Web Token: https://en.wikipedia.org/wiki/JSON_Web_Token
- Bad doc: https://datatracker.ietf.org/doc/html/rfc7519
- JWT contains Header, Payload and Signature (signature is used to validate this token is signed by IDP)
  1. IDP encrypt Header and Payload with its private key ⇒ Signature
  2. IDP publish its public key. API service use the public key to unencrypt Header and Payload
  3. If match, then Header and Payload is trustable

Claim validation

Since asymmetric encryption is trustful. So the content unencrypted from AccessToken is trustable.
An access token contains a list of name/value pairs, which is Claim.
- Claims
Claim usually provide these information
- Security token server that generated the token
- Date when the token was generated, Date to expire this token
- Subject (like the user, but not daemons)
- Audience, which is the app for which the token was generated
- App (the client) that asked for the token
Further validate issuer / client id / permission scope if match