Thursday, September 1, 2022

OAuth 2.0 notes

This post is by no means meant to be original; it is just some notes to persist information acquired while digesting OAuth 2.0 / OpenID Connect articles. Use at your own risk. An attempt was made at keeping pointers to the sources.


RFC 6749



The authorization code grant type is used to obtain both access
   tokens and refresh tokens and is optimized for confidential clients.
   Since this is a redirection-based flow, the client must be capable of
   interacting with the resource owner's user-agent (typically a web
   browser) and capable of receiving incoming requests (via redirection)
   from the authorization server.

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token) 
https://www.rfc-editor.org/rfc/rfc6749#section-4.1

AWS Cognito's authorization code grant:

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
Cognito comes by default with an auth app (the hosted UI), served at a URI under a domain name you choose:
https://<domain-name>.auth.<region>.amazoncognito.com
It exposes the different endpoints for your authn/authz flows, which are documented at
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html

Verification of JWT tokens from Cognito

The public keys needed to verify a token's signature depend on the user pool; the key set (JWKS) can be retrieved from:
https://cognito-idp.Region.amazonaws.com/your_user_pool_ID/.well-known/jwks.json (Region and your_user_pool_ID are placeholders for the pool's region and ID). For details
see the knowledge-center article https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
 

ALB authn/authz

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
The load balancer sets the following headers:
  • x-amzn-oidc-accesstoken: the access token from the token endpoint, in plain text.
  • x-amzn-oidc-identity: the subject field (sub) from the user info endpoint, in plain text.
  • x-amzn-oidc-data: the user claims, in JSON web token (JWT) format.

 

Miscellaneous notes

    • redirect_uri values have to match: the one sent to the token endpoint must be identical to the one used in the authorization request
    • state is also used to avoid cross-site request forgery (CSRF) attacks