WHITE PAPER
API Economy is Transforming Digitization: How to Secure it Using OAuth 2.0
Table of Contents Executive Summary ����������������������������������������������������������������������������������������������������������������������������������������������������������������� 3 Introduction��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������4 What is OAuth 2.0? How does it Enable Secure Resource Access? ����������������������������������������������������������������������������� 5 What are the Principles of OAuth 2.0?��������������������������������������������������������������������������������������������������������������������������������� 6 Terminologies Associated with OAuth 2.0 ����������������������������������������������������������������������������������������������������������������� 7 OAuth 2.0 Grant Types ������������������������������������������������������������������������������������������������������������������������������������������������������������8 Authorization Code Grant �����������������������������������������������������������������������������������������������������������������������������������������������9 Implicit Grant ������������������������������������������������������������������������������������������������������������������������������������������������������������������� 10 Resource Owner Credentials Grant ����������������������������������������������������������������������������������������������������������������������������� 11 Refresh Token Grant ������������������������������������������������������������������������������������������������������������������������������������������������������ 12 Why Does Your Business Need OAuth 2.0?������������������������������������������������������������������������������������������������������������������������ 13 Features of OAuth 2.0 ���������������������������������������������������������������������������������������������������������������������������������������������������� 14 Advantages of OAuth 2.0������������������������������������������������������������������������������������������������������������������������������������������������ 14 Final Thoughts ������������������������������������������������������������������������������������������������������������������������������������������������������������������������ 15
Executive Summary In a world where organizations accelerate their digital roadmaps, APIs (Application Programming Interface) swiftly navigate business success for every industry. Undoubtedly, APIs are progressively becoming the standard entry point for any backend functionality, which not only offer a structured way to access features, but eventually lays the foundation for adequate security. Besides the core functionality and endless opportunities, security is always a significant concern. Often authorization and authentication are carried out through username/passwords or token-based authentication methods. However, specific challenges remain in ensuring the highest security practices in implementing APIs for authentication and authorization. Here’s where OAuth2.0 comes into play. OAuth 2.0 (Open Authorization) is an industry-standard authorization protocol that allows a website or an application to access resources on behalf of a particular user. In this whitepaper, we’ll discuss the aspects associated with OAuth 2.0 security for APIs and how enterprises can leverage the highest level of security for their applications.
© LoginRadius Inc.
|
Confidential Information
3
Introduction Modern businesses on the verge of digital transformation fail to rely on the best security practices, especially when it comes to deploying APIs. Whether it approaches authentication or authorization, certain loopholes can put big brands into serious trouble if adequate security measures aren’t in place. A reliable foundation is necessary for every business application or website, ensuring data security through a robust system. Here we’ll learn about the use of OAuth 2.0, an industry-standard protocol that flawlessly enables authorization and authentication for users within a network.
© LoginRadius Inc.
|
Confidential Information
4
What is OAuth 2.0? How does it Enable Secure Resource Access? OAuth 2.0 (Open Authorization) is an industry-standard authorization protocol that allows a website or an application to access resources on behalf of a particular user. Some people may relate authorization with authentication and believe it to be the same thing. However, they are different and play a crucial role in providing a secure ecosystem. While authentication verifies an individual’s identity, authorization offers consented access along with restricted actions of what users can perform on resources and other crucial data. OAuth stands for Open Authorization. It’s a process through which an application or website can access private data from another website. It provides applications the ability to “secure designated access.” For example, you can tell Google that it’s OK for abc.com to access your google account or contact without having to give abc.com your google password. OAuth never shares password data, rather it uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
© LoginRadius Inc.
|
Confidential Information
5
What are the Principles of OAuth 2.0? As OAuth 2.0 is an authorization protocol, it is exclusively designed as a means to grant access to resources or data within an application or website. The basic working principle of OAuth 2.0 is based on the use of access tokens. This access token is nothing but a small piece of data representing the authorization access on behalf of the end-user. If a user has an access token, they can access the resources or data within that particular application for a specific period. Once the permit expires, the access is revoked. The most common format for the token is JWT (JSON Web Token), that contains the user data and the expiration date for security reasons.
© LoginRadius Inc.
|
Confidential Information
6
Terminologies Associated with OAuth 2.0 Term
Description
Resource Owner
The resource owner is the user who authorizes an application to access their account. The application's access to the user's account is limited to the “scope” of the authorization granted (e.g., read or write access).
Client
The client is the application that’s trying to access the user's account. It needs to obtain permission from the user before accessing the account. For example, a client application can present the user with the login page to get an access token for access to a particular resource.
Authorization Server
An authorization server validates the user credentials and redirects the user back to the client with an authorization code. The client communicates with the authorization server to confirm its identity and exchanges the code for an access token.
Resource Server
A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an access token.
Scope
It specifies the level of access that the application is requesting from the client.
Consent
The consent screen tells your users who request access to their data and what kind of data you're asking to access.
Now that we have a pretty good understanding of OAuth 2.0 and Terminology, let’s further discuss the OAuth 2.0 grant type Google used in this protocol.
© LoginRadius Inc.
|
Confidential Information
7
OAuth 2.0 Grant Types In total, there are five different grant type flows defined and described to perform authorizations tasks, which includes: •
Authorization Code Grant
•
Implicit Grant
•
Resource Owner Credentials Grant
•
Client Credentials Grant
•
Refresh Token Grant
User client (Web app frontend)
User
Authorization server
Client server (web app backend)
Application requests authentication User authenticates
1
2
3
Code sent to server
Authorization code issued
4
Code forwarded to authorization server
5
6
7
ID token and access token issued
Tokens processed
© LoginRadius Inc.
|
Confidential Information
8
Authorization Code Grant The Authorization Code Grant Type is the most commonly used grant type. Let’s understand this with a real use case. The Story: A user tries to log in on abc.com, but he can’t remember his password, and he discovers an option to sign in with Google. By clicking on this, the user will easily get logged in using a Google account. Flow: The client redirects the user to the authorization server having the following parameters in the query string.
Step 1 •
response_type having the value code
•
client_id having the client identifier
•
redirect_uri having the client redirect URI
•
scope a space-delimited list of scopes
•
state having a random string
After successful authentication, the user will be redirected to the Consent screen, where they need to provide consent to abc.com to access the account details. The authorization server generates the authorization code and sends it back to the client with a redirect URI.
Step 2 The client will now send a POST request to the authorization server with the following parameters: •
grant_type having the value of authorization_code
•
client_id having the client identifier
•
client_secret having the client secret
•
Redirect_uri having the same redirect URI the user redirected back
•
code having the authorization code from the query string
In the entire flow, the access token is never exposed to a web browser.
© LoginRadius Inc.
|
Confidential Information
9
Implicit Grant The Implicit flow is a simplified OAuth flow previously recommended for client-side applications like JavaScript apps. The access token was returned immediately without an extra authorization code exchange step. The Story: In this flow, abc.com directly gets access tokens without extra authorization code exchange steps and can access resources on a resource server. Flow: The client will redirect the user to the authorization server with the following parameters in the query string: •
response_type having the value token
•
client_id having the client identifier
•
redirect_uri having the client redirect URI
•
scope a space-delimited list of scopes
•
the state having the random string
It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without confirmation that the client has received it.
© LoginRadius Inc.
|
Confidential Information
10
Resource Owner Credentials Grant The resource owner password credentials grant type is suitable when the resource owner trusts the client, such as a highly privileged application. Therefore, the authorization server should take special care when enabling this grant type and only allow it when other flows are not viable. This grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token. Flow: The client will ask the user for their authorization credentials (usually a username and password). The client then sends a POST request with the following body parameters to the authorization server: •
grant_type having the value password
•
client_id having the client’s ID
•
client_secret having the client’s secret
•
scope having a space-delimited list of requested scope permissions
•
username having a user’s username
•
password having a user’s password
Using this flow,the client can request an access token using only its client credentials (or other supported means of authentication).
© LoginRadius Inc.
|
Confidential Information
11
The Story The client application presents its client credentials (client identifier and client secret) to the authorization server requesting approval to access the protected resource (owned by the client application) on the resource server. The authorization server authenticates the client credential and issues an access token.
Flow: The client sends a POST request with the following body parameters to the authorization server: •
grant_type having the value client_credentials
•
client_id having the client’s ID
•
client_secret having the client’s secret
•
scope having a space-delimited list of requested scope permissions
Refresh Token Grant Access tokens eventually expire; however, some grants respond with a refresh token, enabling the client to refresh the access token.
Flow: The client sends a POST request with the following body parameters to the authorization server: •
grant_type having the value refresh_token
•
refresh_token having the refresh token
•
client_id having the client’s ID
•
client_secret having the client’s secret
•
scope having a space-delimited list of requested scope permissions
© LoginRadius Inc.
|
Confidential Information
12
Why Does Your Business Need OAuth 2.0? Let’s understand with an example. Suppose you need to edit photos through an application. This application now requires access to your photos placed in Google Photos on your phone. So technically, you need to provide your Gmail credentials to access photos, right? However, this is quite risky as it not only offers access to your photos, but also to sensitive information in your other connected applications, such as your email and Google Drive. Here’s where OAuth 2.0 comes into play. Using OAuth 2.0 is the perfect solution in this scenario as no one would ever provide their login credentials to another application. Therefore, the photo-editing application will first take authorization to access photos from Google, ensuring that only access to images is granted to the application and that too for a limited period once the user approves the same. The same thing goes for every business offering resources or data access to users. The best part about OAuth 2.0 is that everything is managed securely so there are no chances of a data breach or unauthorized access. So, if you’re an enterprise that has a considerable client base and needs to offer specific services and access to resources, OAuth2.0 is a must-have solution in place.
© LoginRadius Inc.
|
Confidential Information
13
Features of OAuth 2.0 As an authorization protocol, OAuth 2.0 offers endless features and capabilities to enterprises as well as users.
Some of them include: •
Simple and secure access to resources without the need to share the credentials.
•
Offers user agent flows to ensure client applications are running using a scripting language, including JavaScript.
•
Accesses data tokens without the need of credentials and stores data in an online file system of a particular user.
Advantages of OAuth 2.0 Several renowned businesses leverage OAuth 2.0 through a dedicated CIAM (consumer identity and access management) solution like LoginRadius.
Here are some advantages of relying on an authorization protocol like OAuth 2.0: •
Flexible and secure as it depends on Secure Sockets Layer (SSL), which ensures data is secured between web servers and browsers.
•
OAuth 2.0 allows limited access to user’s data seeking access to resources. Offers limited access until the token expires.
•
Shares user data without any possibility of personal data breach of users seeking an access.
•
Easy implementation and better authentication authorization through OAuth 2.0.
•
It can be used to handle multiple requests and can cater to several users at a single time.
© LoginRadius Inc.
|
Confidential Information
14
Final Thoughts Ensuring the highest security and confidentiality is what every business requires in today’s era, especially for data security for both enterprises and consumers. Adequate attention must be paid to the ways business applications interact and share resources within a network to avoid any security breach. OAuth 2.0 enables businesses to securely access specific resources and sensitive data without a user’s login credentials. Businesses seeking the finest authentication modes coupled with authorization can consider LoginRadius CIAM that enables a flawless experience coupled with robust security. The LoginRadius CIAM empowers businesses by offering the finest user experience and maximum security through industry-standard protocols, including OAuth 2.0. Book a demo or contact sales to know more.
© LoginRadius Inc.
|
Confidential Information
15
LoginRadius is a leading provider of cloud-based Customer Identity and Access Management solutions for mid-to-large sized companies. The LoginRadius solution serves over 3,000 businesses with a monthly reach of over 1 billion users worldwide.
©Copyright, LoginRadius Inc. All Rights Reserved.
