IT:AD:OAuth

Summary

OAuth is:

  • an Access Granting Protocol
    • It's for Authorisation – if you want Authentication, use IT:AD:OpenID.
    • Also known as delegated authorisation: the resource owner delegates limited access to a client instead of sharing credentials.
  • an open standard for secure authorization (note: not authentication) from web, mobile and desktop applications.
  • provides a method for client apps to access resources on resource servers on behalf of a resource owner, limited to the scope the owner granted
  • provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (username/password), using user-agent redirections between the client and the authorization server.
  • IT:AD:OAuth by itself is not appropriate for Authentication.
  • IT:AD:OpenId Connect (OIDC) is an extension to IT:AD:OAuth for Authentication.
  • Facebook did not implement IT:AD:OpenId Connect (OIDC) – instead they developed their own extension to IT:AD:OAuth (called IT:AD:Facebook Login) which only works with Facebook. It uses a signed request (an HMAC-signed, base64url-encoded payload) which plays essentially the same role as IT:AD:OpenId Connect (OIDC)'s ID Token.
  • IT:AD:OAuth 1.0 defined a single flow (the three-legged request-token/access-token exchange). OAuth 2.0 (RFC 6749) replaced it with several grant types: Authorization Code, Implicit, Resource Owner Password Credentials and Client Credentials.
  • The 'default' flow (Authorization Code Grant Type/Flow) uses an intermediate token (the short-lived, single-use authorisation code) in order to safely retrieve the access token: the code travels through the user agent in a redirect, but the client exchanges it for the access token directly with the token endpoint over a back channel, so the access token itself never passes through the browser.
  • OAuth 2.0 core does not specify message signatures, encryption, channel binding, or (for public clients) any way to verify the client: tokens are bearer tokens and the protocol relies entirely on TLS for confidentiality and integrity. Because the flows are built on redirects, a user can be sent to a look-alike authorization server or a code can be delivered to an attacker-controlled redirect URI, so it is at risk of Phishing. The practical mitigations are exact-match registered redirect URIs, an unguessable state parameter, and PKCE.
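The Authorization Code flow and the redirect-related checks above, as an added worked example that is not part of the original page or of any OAuth library: both the client and the authorization server are simulated in one Python process, so the exchange runs offline. The client registration (client_id app123, redirect URI https://app.example/cb), the user name and all function names are constructed for this example. It goes slightly beyond the text by adding PKCE (RFC 7636), which is what lets a public client prove at the token endpoint that it is the party that started the flow.

```python
"""Toy OAuth 2.0 Authorization Code grant with PKCE, client and server in-process.
Constructed for illustration; not a real provider's or library's implementation.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_S = 60  # authorization codes are short-lived and single-use


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as RFC 7636 requires for the code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"redirect_uris": [...]}; constructed registry
        self.codes = {}         # issued code -> what it is bound to

    def authorize(self, query: str, user: str, now=None):
        """/authorize: `user` has already authenticated and consented. Returns the redirect URL."""
        q = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
        client = self.clients.get(q.get("client_id"))
        # Exact-match redirect_uri check: stops the code being sent to an attacker's URI.
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported response_type or PKCE method")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "code_challenge": q["code_challenge"], "scope": q.get("scope", ""),
                            "user": user, "expires": (now or time.time()) + CODE_LIFETIME_S}
        # Front channel: the code and the client's untouched state go back via the user agent.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict, now=None):
        """/token: back-channel exchange of the code for a bearer access token."""
        rec = self.codes.pop(form.get("code"), None)  # pop => a code can be used once
        if rec is None or (now or time.time()) > rec["expires"]:
            raise ValueError("invalid_grant: unknown, replayed or expired code")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        if form.get("client_id") != rec["client_id"] or form.get("redirect_uri") != rec["redirect_uri"]:
            raise ValueError("invalid_grant: client_id/redirect_uri mismatch")
        # PKCE: SHA-256 of the verifier must equal the challenge seen on the front channel.
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, rec["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


class Client:
    """A public client (no client_secret), such as a mobile or single-page app."""

    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.pending = {}  # state -> code_verifier for flows this client started

    def authorization_request(self, scope):
        verifier = secrets.token_urlsafe(64)  # 43-128 chars per RFC 7636
        state = secrets.token_urlsafe(16)
        self.pending[state] = verifier
        return urlencode({"response_type": "code", "client_id": self.client_id,
                          "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
                          "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
                          "code_challenge_method": "S256"})

    def handle_callback(self, redirect_url: str, server: AuthorizationServer):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        # state ties the callback to a request this client initiated (CSRF / injected-code defence)
        verifier = self.pending.pop(q.get("state"), None)
        if verifier is None:
            raise ValueError("unknown state: callback was not initiated by this client")
        return server.token({"grant_type": "authorization_code", "code": q["code"],
                             "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                             "code_verifier": verifier})


def run_flow(scope="photos:read"):
    """Happy path end to end; returns the token response."""
    server = AuthorizationServer({"app123": {"redirect_uris": ["https://app.example/cb"]}})
    client = Client("app123", "https://app.example/cb")
    redirect = server.authorize(client.authorization_request(scope), user="alice")
    return client.handle_callback(redirect, server)


if __name__ == "__main__":
    print(run_flow())
```

Note which check catches which attack: a redirect_uri that is not registered is rejected before any code is issued; a callback whose state the client never issued is dropped without contacting the token endpoint; a code replayed or presented with the wrong code_verifier fails at the token endpoint. The access token is still a bearer token, so TLS on every leg remains mandatory.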