Regardless, the last time I dug into this topic I ended up feeling the same. The web is littered with articles that scratch the surface and only cover the basics. They often leave out the details, which IME ended up making things more difficult to understand. What was the most helpful, as you said, was to follow the RFCs and the OIDC spec directly.
What might also be useful, if you are implementing an auth server, is to look at existing implementations. Duende IdentityServer (https://github.com/DuendeSoftware/products/tree/main/identit...) is the most widely-used one in the .NET space.
And OAuth has somehow managed to be _harder_ to integrate with an existing implementation of than just to implement from scratch.
I still used Spring Sessions though, where a successfull authed user got a new Spring Session. The reason was that I liked the idea of having beans with session scope, for example where each user/role has access to a specific database schema.
One thing I found after a while: even though the refresh tokens should theoretically not expire, many sites do expire them. You have to refresh every once in a while to maintain a usable refresh token.
Many people will tell you to "just use a library", but I found that the contact surface of oauth with your app is quite large, such that a library might not actually help much. This (among other reasons) is why I wrote my own implementation (Clojure).
That is subjective. In essence, they should last long enough so the client can use them to get new access token without the user(resource owner) having to authorise a new grant. Each client is different with different needs and the scopes might be too sensitive to provide a long lasting access. So as usual, it depends.
In my server implementation, access tokens are valid for one hour and refresh tokens for 30 days. I also return refresh tokens with each access token request, so as long as the client makes at least one request per month, they do not have to bother the user for a new grant.
I just wish the spec would have a dedicated "refresh_expires_in" field in addition to "expires_in" for refresh tokens, so the client would be better informed about this. As refresh tokens are part of the spec, though optional, their life span information is lacking here.
https://datatracker.ietf.org/doc/html/rfc9700
As for your API surface, typically you'd handle this at the gateway level, then individual services don't have to perform authorization.
Although it isn't a published RFC yet, it intends to replace several sometimes-conflicting previous RFCs + the BCP with a single document.
I recommend sections I and II of the OpenPubkey paper to anyone trying to understand OIDC public clients. I consult it at least once a month: https://eprint.iacr.org/2023/296
at this time I keep a copy of rfc6749 binded and highlighted near my desk... every now and then i have to go look at some detail.
also, somehow the openid spec is a bunch of documents that aren't really formatted for being printed. it really feels like the authors are implicitly assuming no one is going to actually read them.
https://infosec.mozilla.org/guidelines/iam/openid_connect.ht...
Was by far the most useful information about OIDC I could find when I was implementing an integration.
When you get used to the technical writing, it’s actually pretty straightforward—most of them actually document the endpoint structure and payloads, error codes, and so on. After that, the most complicated part is organizing your code to be modular and handle persistence right.
I can really recommend doing this once, and once the pieces start to fall into place, you’ll be able to understand most OAuth issues you’ll ever come across!
I launched and worked on OAuth 2.0 at Okta for ~5 years and spent most of my time showing people how to do it well and (gently) finding the holes and mistakes in their implementations. Sure, we were selling "OAuth as a Service" but most had introduced usability problems (at minimum) and gaping security vulns (at worst).
For a deep dive, check out Aaron Parecki's book: https://oauth2simplified.com/ - he's deeply involved in the (coming) OAuth 2.1
When I led re-implementation at pangea.cloud over the last couple years, we dropped most of the capabilies deprecated in 2.1 (resource owner password, implicit) and went straight to Auth Code with PKCE to make it a bit more manageable.
I walk through that progression/simplication here: https://speakerdeck.com/caseysoftware/the-many-layers-of-oau...
I'm glad this analogy was used ... because I too feel like OAuth and Open Banking is effectively the same thing.
Am I alone thinking that and/or why is it actually two different things?
One can think of the whole exchange as a way for the client to prove future knowledge, but only actually transmitting the held back "secret" during token redemption. Let's use just a random integer
1. r = randomInt()
2. future = base64(sha256(r))
3. /authorize?client_id=cid-123&code_challenge_method=S256&code_challenge=${future}
The server has to retain the ${future} in durable storage, because it's going to need access to it, plus the ${code} that it's about to return, in step 5
4. <-- &code=abc789
5. /token?code=abc789&code_verifier=${r}
Now, the server can repeat that same sha256 dance from step 2 and establish that the client presenting "r" means it really was the same requester in step 3, because no one else, even with that same IP address and same access to the client_id sniffed in transit, could have known "r" for sufficiently random values of "r", thus proving their key during code exchange
Security through obscurity and all that...
Without client side encryption? The server processing the POST is still receiving the information posted regardless if the client is HTTPS or not.
Say, you're attempting login, the password is still received by the server and which you do with whatever when processing.
What's not stopping someone from injecting a trace on that receiving function?
In other-words, How would you secure the server processing the POST request information?
Since all typical web servers/processors only loh the call and not the body there is a lesser probability of a leak.
I am writing this as someone who manages cybersecurity and is offering faced with not enough information in investigations because of that. This is also the reason that I used "typical" and "usually" above - it is pretty weird what people send and how they process what they receive.
I've seen just a general recommendation to avoid urlencoding parameters -- I guess that's why?
I have an old writeup on that and solution to it https://sakurity.com/oauth - better analyze it with LLM if interested in authorization protocols
The addition of the comment about LLMs isn't really helping.
The spec itself made mistakes:
• Silent account hijack via “Connect this provider.”
• Redirect leaks of code (via Referrer) or access_token (via #hash).
• CSRF because state was optional and often ignored.
The point is: these aren’t obscure edge cases, they’re structural issues baked into the protocol.
I think I would suggest that PKCE is not really "less secure" than a client secret. It serves somewhat of a different purpose, and is actually frequently recommended even with a client secret. Its main purpose is "flow integrity" and ensuring that the same client is involved all the way through the redirects.
I think it also didn't really put the authorization code grant in context with the other possibilities. This really covered the "3 legged redirect" flow pretty well, which is what most people associate with OAuth. But the OAuth2 framework has a bunch of different grants you can use for different purposes. The Client Credentials one is pretty common, for server-to-server use cases, as well as fancier versions of it like the JWT Bearer flow.
Finally, taking an advantage of general OAuth2 discussion, since I've been noodling on it myself from the point of view of creating an "app ecosystem": since the redirect_uri is such an integral part of the security of it, and recommendations are for exact matches now rather than just prefixes and wildcards and such, how do folks handle OAuth2 when the app isn't owned by a single entity, but rather something like ServiceNow or Backstage which is self-hosted?
That is, you want your resource server to behave like "this was a request from a customer's ServiceNow instance", and all such requests are in some sense related. However, they're not really the same client, because you can't manage a client secret across all the installations. It's somewhat like a mobile app, which also can't manage a client secret, but that at least can share the same underlying OAuth Client because it can register a single, unique redirect URI.
I have other questions about things like how to fit the client credentials grant into a multi-tenant system... if these are things you've worked on, I'd love to hear from you! My email should be on my profile here.
fcpguru•6h ago
7bit•4h ago
brabel•3h ago
ted_dunning•2h ago
brabel•18m ago