OAuth 2.0 - RFC 6749 and Google Identity implementation (hands-on)


This is my memo while learning OAuth 2.0.

RFC 6749

https://tools.ietf.org/html/rfc6749

1.1 (Entities and) Roles

  1. Client: An application making protected resource requests on behalf of the resource owner and with its authorization.
  2. Resource owner: An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
  3. Resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  4. Authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

1.2. Protocol Flow

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

Data

Authorization Grant

1.3. Authorization Grant … This specification defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials.

Google Identity (in the web server flow used below) implements the authorization grant as an authorization code: the browser redirect returns a short-lived, single-use code, which the client then exchanges for tokens at the token endpoint using its client secret.

Access Token

Access tokens are what the client presents to the resource server when it requests the protected resource (the final data we want, such as the username or e-mail address). Google issues them as bearer tokens, so whoever holds the token can use it; treat it as a credential.

An implementation: Google Identity

For Google (web application type) we obtain a client ID and a client secret beforehand. The secret authenticates the client at the token endpoint, so it belongs on the server side only, never in browser code or a public repository.

I followed the official instructions.

Prepare the credentials (31.Oct.2022)

  1. Go to https://console.developers.google.com/apis/credentials.
  2. CREATE CREDENTIALS -> OAuth Client ID

Prepare the credentials (detailed notes; the console was in German, labels translated)

  1. Go to https://console.developers.google.com/apis/credentials.
  2. Credentials -> Create credentials -> OAuth client ID -> CONFIGURE CONSENT SCREEN
  3. Consent screen form ("Datei" in the original note)
  • User type: External
  • Application name: atlex00-test <- shown to the user as the application name
  • Email: your Google account
  • Logo: empty
  • Application home page
  • Application privacy policy link
  • Application terms of service link
  • Authorized domains (mandatory): your domain, e.g. atlex00.com
  • Developer contact information
  • Add or remove scopes: openid
  4. Test users: your Google account
  • WARNING (console text): Add users to test your app. Once saved, users cannot be removed.
  5. Back to https://console.developers.google.com/apis/credentials
  6. Credentials -> Create credentials -> OAuth client ID -> Application type: Web application
  7. Name: "Webclient 1"
  8. The console shows the client ID and the client secret; store the secret like a password.
  9. Authorized redirect URIs: http://localhost

Using the credentials with Google OAuth 2.0

  1. Open the following URL in a browser. The scope https://mail.google.com/ requests full Gmail access, and access_type=offline asks Google to return a refresh token as well:
https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A//mail.google.com/&access_type=offline&include_granted_scopes=true&response_type=code&state=state_parameter_passthrough_value&redirect_uri=http%3A//localhost&client_id={{ your_client_id }}
     The fixed state value is acceptable for this experiment only. A real client must generate an unguessable state per request, store it, and reject any callback whose state does not match (RFC 6749, section 10.12); otherwise the redirect endpoint is open to CSRF.
  2. Log in with your Google account.
  3. Allow access to Gmail.
  4. Allow -> callback to http://localhost/?state=state_parameter_passthrough_value&code={{ authorization_code_like_4/0... }}&scope=https://mail.google.com/. The code parameter is your authorization code.
  5. Exchange the authorization code for an access token. redirect_uri must be identical to the one sent in step 1. Note that a client secret typed on the command line ends up in the shell history; in practice read it from a file or an environment variable.
$ curl --data "code={{ authorization_code }}&client_id={{ your_client_id }}&client_secret={{ your_client_secret }}&redirect_uri={{ same_as_the_previous_request }}&grant_type=authorization_code" -H "Content-Type: application/x-www-form-urlencoded" https://oauth2.googleapis.com/token

{
  "access_token": "{{ Long_access_token }}",
  "expires_in": 3599,
  "refresh_token": "{{ refresh_token }}",
  "scope": "https://mail.google.com/",
  "token_type": "Bearer"
}

The authorization code is single-use: presenting the same code to the token endpoint a second time fails with HTTP 400 and "error": "invalid_grant". expires_in is in seconds, so the access token is valid for about an hour; the refresh token is the long-lived credential you keep (protected like a password) to obtain new access tokens without sending the user through the consent screen again.

  6. Revoke it. The token may be the access token or the refresh token; if it is an access token that has a corresponding refresh token, Google revokes the refresh token too.
$ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" "https://oauth2.googleapis.com/revoke?token={token}"
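The whole procedure above, from building the authorization URL to revoking the token, as an added example (not code from this page or from Google's libraries). The endpoint URLs are the ones the page uses; the client ID, redirect URI, callback URL and token JSON in the demo are constructed placeholders. It adds the two things the hands-on steps skip: a random state that is verified on the callback, and explicit handling of the 400 invalid_grant that a replayed code produces.

```python
# Added example, not code from the page or from Google: the authorization-code
# flow of the steps above as client-side helpers; all sample data is constructed.
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"


def new_state():
    """Unguessable per-request state; the client stores it and refuses any
    callback whose state differs (CSRF protection, RFC 6749 section 10.12)."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id, redirect_uri, scope, state):
    """Step 1 (A/B in the RFC diagram): the URL the browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "access_type": "offline",  # ask Google to return a refresh_token as well
        "include_granted_scopes": "true",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4: check state, then take the authorization code from the redirect.
    Raises ValueError on a state mismatch or an error redirect."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback (possible CSRF)")
    if "error" in qs:
        raise ValueError("authorization server error: " + qs["error"][0])
    return qs["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Step 5 (C/D): form body of the code exchange, same fields as the curl call."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must equal the value sent in step 1
    })


def parse_token_response(status, body):
    """Decode the token endpoint reply; raise PermissionError on an OAuth error
    such as the 400 invalid_grant returned when a code is replayed."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise PermissionError(f"token endpoint {status}: {data.get('error')}")
    return data


def post_form(url, body=""):
    """POST application/x-www-form-urlencoded and return (status, body_text)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Step 5 over the network: exchange the code at Google's token endpoint."""
    body = token_request_body(code, client_id, client_secret, redirect_uri)
    return parse_token_response(*post_form(TOKEN_ENDPOINT, body))


def bearer_headers(access_token):
    """Step E: present the access token to the resource server (RFC 6750)."""
    return {"Authorization": "Bearer " + access_token}


def revoke_token(token):
    """Step 6: access or refresh token as query parameter, as in the page's curl
    command (this puts the token into URLs and logs; RFC 7009 uses the form body)."""
    status, _ = post_form(REVOKE_ENDPOINT + "?" + urllib.parse.urlencode({"token": token}))
    return status == 200


if __name__ == "__main__":
    # Offline walk-through on constructed placeholders; nothing is sent to Google.
    state = new_state()
    print(build_auth_url("{{ your_client_id }}", "http://localhost", "https://mail.google.com/", state))
    callback = f"http://localhost/?state={state}&code=4%2F0constructed&scope=https://mail.google.com/"
    print("authorization code:", parse_callback(callback, state))
    sample = {"access_token": "ya29.constructed", "expires_in": 3599, "token_type": "Bearer",
              "refresh_token": "1//constructed", "scope": "https://mail.google.com/"}
    print(bearer_headers(parse_token_response(200, json.dumps(sample))["access_token"]))
    try:  # a replayed code is rejected with 400 invalid_grant
        parse_token_response(400, '{"error": "invalid_grant", "error_description": "Bad Request"}')
    except PermissionError as err:
        print("replay rejected:", err)
```

Running the file prints the offline walk-through; exchange_code and revoke_token are the only functions that reach the network and are meant to be called with a real client ID and secret loaded from the environment rather than typed into a command line.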

Further reading: OpenID Connect (OIDC)

Here is a good demo.

https://youtu.be/996OiexHze0?t=3160