Michał Pipa
PHPCon Poland, Szczyrk, 27 October 2013
Authorization framework
October 2012
Authorization: Basic dXNlcjpwYXNzd29yZA==
Third-party app which is accessing resource server data
The person who is giving third-party app access to his/her resources
The server hosting protected resources (API)
The server issuing access tokens to the client (often the same as resource server)
Allow the client to specify the scope of the access request
+--------+ +---------------+
| |------ Authorization Request ->| Resource |
| | | Owner |
| |<------ Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |------- Authorization Grant -->| Authorization |
| Client | | Server |
| |<--------- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |---------- Access Token ------>| Resource |
| | | Server |
| |<------- Protected Resource ---| |
+--------+ +---------------+
Credential representing the resource owner's authorization
The client directs the resource owner to an authorization server, which directs back to the client with the authorization code
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
The client is issued access token directly
Simplified flow, used in JavaScript
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
&state=xyz&token_type=example&expires_in=3600
The resource owner credentials are used directly to obtain an access token
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
The client credentials are used directly to obtain an access token
Used when the client is acting on its own behalf
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
$ curl -H "Authorization: Bearer MjAyNTYyNDE5YmI2MTk4OTE" https://api.example.com/resource
Refreshing an Expired Access Token
+--------+ +---------------+
| |------------ Authorization Grant --------->| |
| | | |
| |<--------------- Access Token -------------| |
| | & Refresh Token | |
| | | |
| | +----------+ | |
| |--------- Access Token ---->| | | |
| | | | | |
| |<----- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--------- Access Token ---->| | | |
| | | | | |
| |<----- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |---------------- Refresh Token ----------->| |
| | | |
| |<--------------- Access Token -------------| |
+--------+ & Optional Refresh Token +---------------+
+-------------+ +-----------+
| | | |
| |+------->| Facebook |
| | | |
| |<-------+| LinkedIn |
| | | |
| | | |
| Mobile apps | | |
| | | |
| | | |
| | +-----------+
| iOS |
| | +-----------+
| Android | | |
| |+------->| |
| | | Backend |
| |<-------+| |
| | | |
| | | |
| | | |
| | | |
+-------------+ +-----------+
Don't reinvent the wheel!