Application program interface (API):
In OAuth 2.0 this RESTful API will be on the resource server, and we will have an authorization server where client applications will be registered. Users are then registered on the authorization server and can give these applications access to the resources on their behalf or not.
When a user has access to a single client application, he is therefore redirected to the authorization server and asked to authorize that client application. Then an access token is issued and the client can submit requests to the resource server.
It’s all clear to me. There’s only one thing missing: The protection of each source may depend on the user. Specifically, these could be claims. I mean, we could be in the next situation:
When I first heard that OAuth was connected to ASP.NET WebAPI, I reacted as follows: when the request was sent with permission: The [Token] header on the server side was set to Thread, and I thought this meant that the user was authenticated via the API. So I used the [Authorize] attribute to check if a user has access to the resource.
After studying OAuth in more detail, I saw that it was a terrible abuse of protocol. I understand that OAuth allows applications, not users. If a request is made with the authorization header, the access mark, I learned, must not contain any information about the user, but only about the application that is authorized to make the request.
In this context, sending the consent header with the request does not identify the user and says nothing about whether or not he can access the specified resource.
How can such an authorisation be carried out in this case? In other words, not the authorisation of the application of the client who executes the request, but the authorisation of the user who has access to the source on the basis of his or her claims? I think this is where OpenID Connect and his ID coins are installed, but I’m not sure. How are you handling the situation?
How do I solve my API problem?
Decision No 1:
The access mark does not contain any claims by the user, but by a user who has granted access rights to the client application. Subject is a technical term and means a unique identifier. Simply put, a subject is a user ID in your database.
You do it on the protected side of the well:
- Remove the access sticker from the application. (RFC 6750)
- For detailed information about the badge, see the section on authorisation. (RFC 7662)
- Check your access card. The check shall consist of verifying (a) whether the access sign has expired and (b) whether the access sign relates to the zones (authorisations) required for the end point of the protected resource.
Steps 1 to 3 above are used to control access to client applications. OAuth 2.0 (RFC 6749) for this purpose. For more information on these steps, see the section Protected Sources in Authlete (by me).
After following the steps described above, do this:
- Remove the object from the access token. Again, the subject is a unique identifier.
- Remove the user rights from your database.
- Check the applications at your convenience.
Steps 4 to 6 above form the user access control. OAuth 2.0 is not suitable for this purpose.
The fundamental goal of OpenID Connect is to receive an identification mark in a verifiable manner. You can confirm that the identifier has been issued from the right by checking the signature attached to the identifier. Look, look, look, look, look, look. JSON Web Signature (JWS) (RFC 7515) for detailed signature information.
The identifier itself is not a Web API protection technology. But you can use it for this purpose if you use the at_hash statement in an identification token correctly (see 220.127.116.11. Token ID in OpenID Connect Core 1.0). However, with a protected source it is much easier to obtain measurements directly from the database than to analyse an identifier.[Supplementary answer No 1 for comments]
In your case, you don’t need identification. Indeed, the access mark already contains information about the user’s object. Normally the information corresponds to the cost of a subscription in an overview.
So you don’t need an identifier to get the user’s subject. In the description of step 4 you will find the extraction of the object from the access token.[Supplementary answer #2 for comment]
Is it therefore wrong to remove a subject from such an access pass and check a request? Or is that the right way?
There’s no objection to that. For example, suppose you define the Web API, https://api.example.com/profile, which displays information about the user’s profile. Normally this API accepts the access mark and then extracts the subject from the access mark to determine which user should be contacted. On the other hand, if the API does not remove the subject from the access token, it must ask the subject as a query parameter to determine which user to contact (or ask the identification token with a sub-element). However, the API must verify that the object specified by the request parameter is identical to the object associated with the access token, otherwise it would pose a security problem.
The verification of claims after deletion of the object is also a normal step. For example, you may limit the functionality of your service depending on the rate you pay (Free Rate, Lite Rate, Enterprise Rate or any other rate). In this case, you must complain about the plan. Of course, such a declaration can only be verified after the subject of the access pass has been unpacked.
Therefore, (1) extracting the subject from the access token and then (2) verifying the user’s statements are normal and even typical steps in the implementation of protected source endpoints.
Decision No 2:
You’re right, OAuth is not an authentication protocol, it’s a delegation protocol.
OpenID Connect adds two important identification structures to the OAuth 2.0 token sharing model.
- Identity card –
can provide federated identity SoAs from one side to the other.
- Standardized Identification Attribute API – where the
client can obtain the required identification attributes for that user.
The TOken identification can be displayed in userinfo_endpoint for information and provides assurance that the user has been authenticated by the OpenID provider.
COSTATI: This subsection is only unique in the context of the authorization server. It is advisable to save a submarine so that you can also save something like iss-sub. The thoughts on Google may not be on Twitter.