OAuth 2.0
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft and Twitter to permit users to share information about their accounts with third-party applications or websites.
OAuth 2.0 has four major roles
- Client -- Also called "the app". It can be an app running on a mobile device or a traditional web app. The app makes requests to the resource server for protected assets on behalf of the resource owner. The resource owner must give the app permission to access the protected resources.
- Resource owner -- Also called an "end user". This is generally the person (or other entity) who is capable of granting access to a protected resource. For example, if an app needs to use data from one of your social media sites, then you are the resource owner -- the only person who can grant the app access to your data.
- Resource server -- Think of the resource server as a service like Twitter or Facebook, or an HR service on your intranet, or a partner service on your B2B extranet. Apigee Edge is a resource server whenever OAuth token validation is required to process API requests. The resource server needs some kind of authorization before it will serve up protected resources to the app.
- Authorization server -- The authorization server is implemented in compliance with the OAuth 2.0 specification, and it is responsible for validating authorization grants and issuing the access tokens that give the app access to the user's data on the resource server.
OAuth 2.0 Grant Types
The OAuth 2.0 framework specifies several grant types for different use cases, as well as a framework for creating new grant types. The most common OAuth 2.0 grant types are listed below.
- Authorization Code
- Implicit
- Password
- Client Credentials
- Device Code
- Refresh token
Let's look at an implementation of the authorization code grant.
- Register your application in the Google developer console and get a client ID and client secret.
- Open the Google API Console Credentials page.
- From the project drop-down, select your project.
- Select Create credentials and choose OAuth client ID.
- Under Application type, select Web application, enter a Name and set the Restrictions (optional), then click Create.
- Make note of the OAuth 2.0 client ID and client secret. You will need them to configure the UI.
- Include the client ID, client secret and the scopes you need in your application's configuration.
Here I used PHP as the development language. Download the Google API Client Library, which enables you to work with Google APIs such as Google+, Drive or YouTube on your server. Use the link below to download it and include the library in your project.
Put all the necessary settings in a config file.
<?php
/**
 * Created by PhpStorm.
 * User: sacheen
 * Date: 09/10/2018
 * Time: 01:00
 */
// Every page that uses $_SESSION includes this file, so the session is started here.
session_start();
require_once "g-phpclient/vendor/autoload.php";

$gclient = new Google_Client();
// The client secret is a credential: in a real deployment load it from the environment
// or a file outside the web root rather than hard-coding it in a script.
$gclient->setClientId("146020606393-mtofk1vpm6716ndrcbmo92jkpuk02a0k.apps.googleusercontent.com");
$gclient->setClientSecret("kC2Kyk2xAYUMN8vKzne97WGO");
$gclient->setApplicationName("AuthApp");
// Must match one of the redirect URIs registered for the client ID in the console.
$gclient->setRedirectUri("http://localhost/AuthApp/g-callback.php");
// Request only the scopes the app actually needs; the user consents to exactly these.
$gclient->addScope([
    "https://www.googleapis.com/auth/plus.login",
    "https://www.googleapis.com/auth/userinfo.email",
]);
config.php
- Obtaining the authorization code
To obtain the authorization code, the user's browser is sent with an HTTP GET request to Google's authorization endpoint. The createAuthUrl() call in the login page below builds that URL from the client ID, redirect URI and scopes set in config.php.
<?php
/**
 * Created by PhpStorm.
 * User: sacheen
 * Date: 10/10/2018
 * Time: 14:12
 */
require_once "config.php";

// Already signed in: skip the login page.
if (isset($_SESSION['access_token'])) {
    header('Location: index.php');
    exit();
}

// Bind this login attempt to the current session. The state value travels to Google and
// back unchanged; g-callback.php rejects any callback that does not carry it (CSRF check).
$_SESSION['oauth_state'] = bin2hex(random_bytes(16));
$gclient->setState($_SESSION['oauth_state']);

$loginURL = $gclient->createAuthUrl();
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Login With Google</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
</head>
<body>
<div class="container" style="margin-top: 100px">
<div class="row justify-content-center">
<div class="col-md-6 col-offset-3" align="center">
<img style="width: 20%;" src="images/logo.jpg"><br><br>
<form >
<input placeholder="Email..." name="email" class="form-control"><br>
<input type="password" placeholder="Password..." name="password" class="form-control"><br>
<input type="submit" value="Log In" class="btn btn-primary">
<input type="button" onclick="window.location = '<?php echo htmlspecialchars($loginURL, ENT_QUOTES); ?>';" value="Log In With Google" class="btn btn-danger">
</form>
</div>
</div>
</div>
</body>
</html>
login.php
Login page with the Google login button
The application asks you to log in to your Google account.
Once you have logged in to your Google account, Google redirects the browser to the callback URL and you receive the authorization code as below:
http://localhost/AuthApp/g-callback.php?code=4/egBf4A03L6Bbtyan1c2Odj01lCbjr_OzvOlw0acd1cvcTxz9vDqwngN6zRLk3Jd50k1caqKBijVVIfzSVTQjtc
- Get the access token using the authorization code
The callback page exchanges the one-time authorization code for an access token at Google's token endpoint. Once you have the access token you can access the user's details, limited to the scopes you requested.
<?php
/**
 * Created by PhpStorm.
 * User: sacheen
 * Date: 09/10/2018
 * Time: 00:16
 */
require_once "config.php";

if (isset($_SESSION['access_token'])) {
    // Returning visitor with a token already in the session: reuse it.
    $gclient->setAccessToken($_SESSION['access_token']);
} elseif (isset($_GET['code'])) {
    // Accept the callback only if it carries the state value issued by login.php
    // for this session; otherwise an attacker could make the browser complete a
    // login with a code from a different session.
    if (!isset($_GET['state'], $_SESSION['oauth_state'])
        || !hash_equals($_SESSION['oauth_state'], $_GET['state'])) {
        http_response_code(400);
        exit('Invalid OAuth state');
    }
    unset($_SESSION['oauth_state']); // state is single-use

    // Exchange the authorization code for an access token (server-to-server request).
    $token = $gclient->fetchAccessTokenWithAuthCode($_GET['code']);
    if (isset($token['error'])) {
        http_response_code(400);
        exit('Token exchange failed: ' . htmlspecialchars($token['error']));
    }
    $_SESSION['access_token'] = $token;
} else {
    // Neither a session token nor a code: start over.
    header('Location: login.php');
    exit();
}

// Call the resource server with the access token and keep the user profile in the session.
$oAuth = new Google_Service_Oauth2($gclient);
$userData = $oAuth->userinfo_v2_me->get();
$_SESSION['id'] = $userData['id'];
$_SESSION['email'] = $userData['email'];
$_SESSION['gender'] = $userData['gender'];
$_SESSION['picture'] = $userData['picture'];
$_SESSION['familyName'] = $userData['familyName'];
$_SESSION['givenName'] = $userData['givenName'];
header('Location: index.php');
exit();
?>
g-callback.php
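The library hides the three HTTP messages that make up the authorization code grant (the authorization request, the code-for-token exchange and the bearer-token call to the resource server). The script below is an added example, not part of the original post or of the Google client library: it performs the same flow against Google's published endpoints with plain curl so each message is visible, and it binds the callback to the session with a state value and to the requesting party with PKCE (code_challenge/code_verifier), which goes slightly beyond the page's own flow. CLIENT_ID, CLIENT_SECRET and the REDIRECT_URI path raw-callback.php are placeholders you would replace with the values from your console project.

```php
<?php
// Added example: authorization code grant without the client library.
// CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders; the endpoints are Google's.
session_start();

const CLIENT_ID         = 'YOUR_CLIENT_ID.apps.googleusercontent.com';   // placeholder
const CLIENT_SECRET     = 'YOUR_CLIENT_SECRET';                           // placeholder
const REDIRECT_URI      = 'http://localhost/AuthApp/raw-callback.php';    // assumed path
const AUTH_ENDPOINT     = 'https://accounts.google.com/o/oauth2/v2/auth';
const TOKEN_ENDPOINT    = 'https://oauth2.googleapis.com/token';
const USERINFO_ENDPOINT = 'https://openidconnect.googleapis.com/v1/userinfo';

function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Step 1: build the authorization request the browser is redirected to.
function buildAuthorizationUrl(): string
{
    $state     = bin2hex(random_bytes(16));            // ties the callback to this session
    $verifier  = base64url(random_bytes(32));          // PKCE secret, kept server-side
    $challenge = base64url(hash('sha256', $verifier, true));
    $_SESSION['oauth_state']   = $state;
    $_SESSION['pkce_verifier'] = $verifier;

    return AUTH_ENDPOINT . '?' . http_build_query([
        'client_id'             => CLIENT_ID,
        'redirect_uri'          => REDIRECT_URI,
        'response_type'         => 'code',
        'scope'                 => 'openid email profile',
        'state'                 => $state,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
    ]);
}

// Step 2: on the callback, verify state and exchange the code server-to-server.
function exchangeCodeForToken(array $query): array
{
    if (isset($query['error'])) {
        throw new RuntimeException('Authorization server returned: ' . $query['error']);
    }
    if (!isset($query['code'], $query['state'], $_SESSION['oauth_state'], $_SESSION['pkce_verifier'])
        || !hash_equals($_SESSION['oauth_state'], $query['state'])) {
        throw new RuntimeException('State mismatch: callback is not bound to this session');
    }
    $verifier = $_SESSION['pkce_verifier'];
    unset($_SESSION['oauth_state'], $_SESSION['pkce_verifier']);   // both are single-use

    $body  = httpPost(TOKEN_ENDPOINT, [
        'grant_type'    => 'authorization_code',
        'code'          => $query['code'],
        'redirect_uri'  => REDIRECT_URI,        // must equal the value sent in step 1
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'code_verifier' => $verifier,
    ]);
    $token = json_decode($body, true);
    if (!is_array($token) || isset($token['error']) || empty($token['access_token'])) {
        throw new RuntimeException('Token exchange failed: ' . $body);
    }
    return $token;   // access_token, token_type, expires_in, id_token, maybe refresh_token
}

// Step 3: present the access token as a bearer token to the resource server.
function fetchUserInfo(string $accessToken): array
{
    $ch = curl_init(USERINFO_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $accessToken],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return json_decode((string) $body, true) ?: [];
}

function httpPost(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return (string) $body;
}

// Dispatcher: no code or error in the query string means the flow has not started yet.
if (!isset($_GET['code']) && !isset($_GET['error'])) {
    header('Location: ' . buildAuthorizationUrl());
    exit();
}
try {
    $token = exchangeCodeForToken($_GET);
    $_SESSION['access_token'] = $token['access_token'];
    $_SESSION['expires_at']   = time() + (int) $token['expires_in'];
    $user = fetchUserInfo($token['access_token']);
    echo 'Signed in as ' . htmlspecialchars($user['email'] ?? '(no email scope)');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
}
```

Two points are worth noticing when comparing this with the library version. The client secret and the code_verifier are only ever sent in the step 2 POST from the server, never to the browser, which is what distinguishes this grant from the implicit grant. And the redirect_uri in step 2 must be byte-for-byte identical to the one in step 1, because the authorization server uses it to check that the code is being redeemed by the party it was issued to.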


