Application program interface (API):

Suppose we have a RESTful API we want to share. End users will work with this API via client applications such as mobile applications and Javascript-based clients running on web browsers.

In OAuth 2.0 this RESTful API will be on the resource server, and we will have an authorization server where client applications will be registered. Users are then registered on the authorization server and can give these applications access to the resources on their behalf or not.

When a user has access to a single client application, he is therefore redirected to the authorization server and asked to authorize that client application. Then an access token is issued and the client can submit requests to the resource server.

It’s all clear to me. There’s only one thing missing: The protection of each source may depend on the user. Specifically, these could be claims. I mean, we could be in the next situation:

When I first heard that OAuth was connected to ASP.NET WebAPI, I reacted as follows: when the request was sent with permission: The [Token] header on the server side was set to Thread, and I thought this meant that the user was authenticated via the API. So I used the [Authorize] attribute to check if a user has access to the resource.

After studying OAuth in more detail, I saw that it was a terrible abuse of protocol. I understand that OAuth allows applications, not users. If a request is made with the authorization header, the access mark, I learned, must not contain any information about the user, but only about the application that is authorized to make the request.

In this context, sending the consent header with the request does not identify the user and says nothing about whether or not he can access the specified resource.

How can such an authorisation be carried out in this case? In other words, not the authorisation of the application of the client who executes the request, but the authorisation of the user who has access to the source on the basis of his or her claims? I think this is where OpenID Connect and his ID coins are installed, but I’m not sure. How are you handling the situation?

How do I solve my API problem?

Decision No 1:

The access mark does not contain any claims by the user, but by a user who has granted access rights to the client application. Subject is a technical term and means a unique identifier. Simply put, a subject is a user ID in your database.

You do it on the protected side of the well:

  1. Remove the access sticker from the application. (RFC 6750)
  2. For detailed information about the badge, see the section on authorisation. (RFC 7662)
  3. Check your access card. The check shall consist of verifying (a) whether the access sign has expired and (b) whether the access sign relates to the zones (authorisations) required for the end point of the protected resource.

Steps 1 to 3 above are used to control access to client applications. OAuth 2.0 (RFC 6749) for this purpose. For more information on these steps, see the section Protected Sources in Authlete (by me).

After following the steps described above, do this:

  1. Remove the object from the access token. Again, the subject is a unique identifier.
  2. Remove the user rights from your database.
  3. Check the applications at your convenience.

Steps 4 to 6 above form the user access control. OAuth 2.0 is not suitable for this purpose.

The fundamental goal of OpenID Connect is to receive an identification mark in a verifiable manner. You can confirm that the identifier has been issued from the right by checking the signature attached to the identifier. Look, look, look, look, look, look. JSON Web Signature (JWS) (RFC 7515) for detailed signature information.

The identifier itself is not a Web API protection technology. But you can use it for this purpose if you use the at_hash statement in an identification token correctly (see 3.1.3.6. Token ID in OpenID Connect Core 1.0). However, with a protected source it is much easier to obtain measurements directly from the database than to analyse an identifier.

[Supplementary answer No 1 for comments]

In your case, you don’t need identification. Indeed, the access mark already contains information about the user’s object. Normally the information corresponds to the cost of a subscription in an overview.

So you don’t need an identifier to get the user’s subject. In the description of step 4 you will find the extraction of the object from the access token.

[Supplementary answer #2 for comment]

Is it therefore wrong to remove a subject from such an access pass and check a request? Or is that the right way?

There’s no objection to that. For example, suppose you define the Web API, https://api.example.com/profile, which displays information about the user’s profile. Normally this API accepts the access mark and then extracts the subject from the access mark to determine which user should be contacted. On the other hand, if the API does not remove the subject from the access token, it must ask the subject as a query parameter to determine which user to contact (or ask the identification token with a sub-element). However, the API must verify that the object specified by the request parameter is identical to the object associated with the access token, otherwise it would pose a security problem.

The verification of claims after deletion of the object is also a normal step. For example, you may limit the functionality of your service depending on the rate you pay (Free Rate, Lite Rate, Enterprise Rate or any other rate). In this case, you must complain about the plan. Of course, such a declaration can only be verified after the subject of the access pass has been unpacked.

Therefore, (1) extracting the subject from the access token and then (2) verifying the user’s statements are normal and even typical steps in the implementation of protected source endpoints.

Decision No 2:

You’re right, OAuth is not an authentication protocol, it’s a delegation protocol.

OpenID Connect adds two important identification structures to the OAuth 2.0 token sharing model.

  • Identity card –
    can provide federated identity SoAs from one side to the other.
  • Standardized Identification Attribute API – where the
    client can obtain the required identification attributes for that user.

The TOken identification can be displayed in userinfo_endpoint for information and provides assurance that the user has been authenticated by the OpenID provider.

COSTATI: This subsection is only unique in the context of the authorization server. It is advisable to save a submarine so that you can also save something like iss-sub. The thoughts on Google may not be on Twitter.

Good luck!

oidc vs oauth2,box oidc,openid connect popularity,oidc flow,servicenow openid connect,nobody cares about oauth or openid connect,okta authentication flow diagram,okta oauth service application,okta oauth2 spring boot,okta service to service authentication,okta authorization server,okta oidc ios,azure ad openid connect setup,azure ad openid connect asp.net core,microsoft oauth javascript,azure ad endpoint v1 vs v2,on behalf of oauth2,azure api management oauth client credentials,oauth authentication c#,oauth2 authorization code example,oauth authentication example,oauth authentication flow,oauth2 authorization server,tls is a protocol,openid connect flow,google openid,openid connect c#,how to get access token google api,openid connect rfc,openid scope,what does oauth provide?,openid connect google,openid connect sso,what is openid connect,openid connect authorization code flow,auth0 openid connect,auth0 openid endpoints,openid connect providers,sample openid configuration,oauth 2.0 protocol,openid connect rest api,openid connect web api c#,openid connect spa,need oauth login first universal,openid connect vs oauth,openid connect vs oauth2,oauth 2.0 and openid connect (in plain english),oauth2 introspection example,okta openid connect,introspection endpoint,openid connect vs saml,openid vs oauth2 vs saml

You May Also Like

Start Earning By Increasing Your Instagram Followers  •

Nowadays people spend most of their time on social networks. For most…

246869 Windows systems are still vulnerable to the BlueKeep flawSecurity Affairs

In May 2019, Microsoft discovered the vulnerability of BlueKeep; more than a…

Marketing definition of SEO (Search Engine Optimization)

What is natural referencing? Natural referencing, or SEO in English for Search…

That’s the difference between SEA and SEO

Online marketing has become very popular in recent years. Terms like SEO (Search…