Open Authentication (OAuth)
Unofficial logo by Chris Messina

What is it?

OAuth (Open Authorization) is an open standard for delegated authorization: it lets users grant third-party applications limited access to their web resources without sharing their passwords with those applications.

History

Early 2000s: Pre-OAuth Era: Before OAuth, various proprietary solutions were used for delegated access, including password sharing and custom APIs. These methods had significant security and usability issues, such as the need to share passwords with third-party applications.

2006: The Need for a Standard: In 2006, Blaine Cook (lead developer at Twitter) and Ma.gnolia (a social bookmarking service) were working on solutions to enable users to grant third-party applications access to their resources without sharing passwords. They recognized the need for a standardized protocol for this purpose.

2007: OAuth 1.0 Drafting: In November 2007, a group of developers from various companies (including Twitter, Ma.gnolia, and others) came together to draft the initial version of OAuth. The goal was to create a simple, secure, and standardized way for users to delegate access to their resources.

2008-2009: Adoption and Feedback: OAuth 1.0 gained rapid adoption by major web service providers, including Google, Yahoo, and Twitter. As more developers and companies implemented OAuth, they provided feedback on the protocol's complexities and areas for improvement.

April 2010: OAuth 2.0 Development: In response to the feedback on OAuth 1.0, the OAuth Working Group was formed within the Internet Engineering Task Force (IETF) to develop OAuth 2.0. The goal was to simplify the protocol while maintaining security and flexibility.

October 2012: OAuth 2.0 RFC 6749: OAuth 2.0 was finalized and published as RFC 6749 in October 2012. OAuth 2.0 introduced significant changes, including:

  • Simplified token issuance and management.
  • Support for multiple grant types (authorization code, implicit, resource owner password credentials, and client credentials).
  • Removal of cryptographic signing requirements, making it easier to implement.

Post-2012: Widespread Adoption: OAuth 2.0 quickly became the industry standard for authorization, with widespread adoption by major platforms such as Google, Facebook, Microsoft, and GitHub. It is used in a variety of applications, including mobile apps, web apps, and APIs.

Key Security Features of OAuth

  1. Token-Based Authentication: OAuth uses access tokens to grant permissions, eliminating the need for sharing passwords. This reduces the risk of credential exposure.
  2. Scopes: OAuth allows defining scopes, which specify the level of access granted. This helps in limiting the permissions given to third-party applications.
  3. Expiration and Revocation: Access tokens have expiration times, and refresh tokens can be used to obtain new access tokens. Tokens can also be revoked, providing control over access.
  4. Redirect URIs: OAuth uses redirect URIs to ensure that authorization codes and tokens are only sent to pre-registered and trusted URLs.
  5. State Parameter: The state parameter is used to prevent CSRF (Cross-Site Request Forgery) attacks by maintaining state between the client and the authorization server.

Common Security Threats and Mitigations

  1. Phishing Attacks: Users may be tricked into authorizing malicious applications. To mitigate this, users should be educated to verify the legitimacy of applications before granting access.
  2. Authorization Code Interception: Attackers may intercept authorization codes. To mitigate this, use secure communication channels (HTTPS) and consider using the PKCE (Proof Key for Code Exchange) extension for public clients.
  3. Token Leakage: Access tokens may be leaked through logs, URLs, or other channels. Use secure storage for tokens and avoid including tokens in URLs.
  4. Replay Attacks: Attackers may reuse tokens. Tokens should be bound to specific clients and users and have short lifetimes. Consider using refresh tokens with secure storage.
  5. Cross-Site Request Forgery (CSRF): The state parameter helps prevent CSRF attacks by ensuring that the authorization request was initiated by the client.
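As an added example (not code from the article), the client side of an OAuth 2.0 authorization-code flow that puts the points above together: an unguessable state parameter checked on return (feature 5, threat 5), PKCE with the S256 challenge for the code interception threat (threat 2), an exact match against the pre-registered redirect URI (feature 4), and the code exchanged in a POST body rather than carried in a URL (threat 3). The endpoint, client id and redirect URI are placeholder values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint, client id and redirect URI (illustration only).
AUTHORIZE_URL = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/callback"

def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def start_authorization(scope: str) -> tuple[str, dict]:
    """Build the authorization request; return its URL and per-session data."""
    state = secrets.token_urlsafe(32)            # unguessable, tied to this session
    verifier = b64url(secrets.token_bytes(32))   # 43-char PKCE code_verifier
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                           # request only the access needed
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": verifier}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", session

def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect and return the token-request body, or raise."""
    parsed = urlparse(callback_url)
    # The code may only arrive at the pre-registered redirect URI (exact match).
    if (parsed.scheme, parsed.netloc, parsed.path) != urlparse(REDIRECT_URI)[:3]:
        raise ValueError("callback delivered to an unregistered redirect URI")
    q = parse_qs(parsed.query)
    # A state mismatch means this response was not started by our client (CSRF).
    if not secrets.compare_digest(q.get("state", [""])[0], session["state"]):
        raise ValueError("state mismatch: possible CSRF")
    # The code is exchanged once, over TLS, in a POST body with the verifier.
    return {
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }
```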

Reference:

  1. Red Hat, "Chapter 2. Configuring the internal OAuth server", https://docs.redhat.com/en/documentation/openshift_container_platform/4.1/html/authentication/configuring-internal-oauth#configuring-internal-oauth, accessed 19th July 2024.
  2. Red Hat, "Chapter 5. Configuring OAuth authorization", https://docs.redhat.com/en/documentation/red_hat_codeready_workspaces/2.1/html/end-user_guide/configuring-oauth-authorization_crw, accessed 19th July 2024.
  3. Wikipedia, "OAuth", https://en.wikipedia.org/wiki/OAuth, accessed 20th July 2024.
  4. OAuth, "OAuth 2.0", https://oauth.net/2/, accessed 24th July 2024.
  5. Amazon Web Services, "OAuth 2.0 grants", https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html, accessed 19th July 2024.
  6. OpenAI, ChatGPT, conversation dated 24th July 2024 (source of the History section).

More articles by Bilguun Tegshbayar