While reading RFC6749, one may get the impression that it is a document describing general guidelines for building support for OAuth 2.0. This impression is consistent with the title, which includes the word “framework”. OAuth 2.0 is therefore not a collection of strict and precisely defined rules. Leaving some freedom in how RFC6749 is interpreted creates more room for implementation mistakes. Hence the need for an article that comprehensively explains what the second version of the OAuth standard is and what threats are associated with it. To meet the needs of people responsible for implementing and testing OAuth 2.0-based solutions, I prepared an article published in the “Programista” 10/2016 journal.
Before discussing the framework itself, the reader gets a brief refresher on the meaning of the most important terms. This includes, among other things, a precise explanation of the differences between “authentication” and “authorization”.
This article covers the following topics:
- The rules governing OAuth 2.0
- The advantages of using this authorization method
- What OAuth is not, including issues related to using OAuth for authentication
- Methods that can be used to obtain a token
- Which token acquisition method should be chosen for a given usage scenario
- Common security mistakes in OAuth 2.0, along with practical examples
- OAuth in the mobile app environment (including PKCE and the threats stemming from the use of WebView)
The article concludes with a long list of questions that should be asked during threat modeling for applications using OAuth 2.0.
Update Feb 13, 2017: this article was published on sekurak.pl.