OAuth2 different client authentication methods
I have a web service that acts as an OAuth 1.0a provider. Web applications go through the OAuth 1 workflow to gain access to user resources. So far so good.

The client web application has the need to communicate with the service for other needs, to exchange private data NOT linked to a particular user/resource owner. For that, a good idea seems to use OAuth2, in particular Client Credentials Grant (4.4) (which was designed exactly for this). From a "confidential client" (and a web application falls into this category, according to the OAuth specs) you can directly authenticate your client and get an access token.

EDIT: of course, the kind of web application I am talking about is HTML+JavaScript BUT authentication and communication with the provider/web service happens entirely server-side. Credentials (client secret, keys, etc.) are all stored on (and never leave) the server.

According to the specs, authentication can happen with "username+password" (client password with HTTP Basic authentication scheme) or "other authorization methods".

I was not able to find any clue of what these "other authorization methods" may be. Since we use private/public key pairs for OAuth1, can we use them for this task too? The specs seem very liberal (and very vague!) on this point.

I would like something that is supported by the various libraries, so that a 3rd party client can implement it easily using standard libraries (like DotNetOpenAuth, for example). If needed, it is reasonable to assume that some coding needs to be done for the custom method, as long as it can accommodate existing libraries (plugin?).

Is there anything "standard" or easily usable other than HTTP Basic, for OAuth 2 authentication?

Ultramundane answered 6/8, 2013 at 9:32
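As an added illustration (not part of the original question), here is how a confidential client builds the token request for the Client Credentials Grant (RFC 6749 section 4.4.2) using the two client authentication methods the core spec actually spells out in section 2.3.1: HTTP Basic with the client password, or the `client_id`/`client_secret` parameters in the request body. The `client_id` and `client_secret` are the RFC's own example values, not real credentials; the method names `client_secret_basic` and `client_secret_post` are the registered names later standardised by OpenID Connect.

```python
"""Build a client_credentials token request (RFC 6749 4.4.2) with either of
the two client authentication methods from RFC 6749 2.3.1."""
import base64
from urllib.parse import quote, urlencode

# RFC 6749 example credentials (illustrative, not real secrets).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"


def basic_credentials(client_id, client_secret):
    """HTTP Basic header value for the client password scheme.

    RFC 6749 2.3.1 requires id and secret to be form-urlencoded before they
    are joined with ':' so that a ':' or '%' inside a secret cannot break
    parsing on the server side.
    """
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def token_request(client_id, client_secret, method="client_secret_basic", scope=None):
    """Return (headers, body) for a POST to the token endpoint.

    method is one of "client_secret_basic" (credentials in the Authorization
    header) or "client_secret_post" (credentials in the form body).
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_credentials(client_id, client_secret)
    elif method == "client_secret_post":
        # The spec allows this but recommends the header form; the secret
        # ends up in the body, so make sure the body is never logged.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(form)


if __name__ == "__main__":
    for m in ("client_secret_basic", "client_secret_post"):
        hdrs, body = token_request(CLIENT_ID, CLIENT_SECRET, method=m, scope="read")
        print(m, hdrs, body)
```

Either variant is sent with `POST /token` over TLS; with the RFC example values the Basic header is exactly the `Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW` shown in the RFC's own section 4.4.2 example.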

If by web application you mean a JavaScript and HTML app that runs in the client browser and needs to make secure requests to your service, that is not a "confidential client". You cannot store secrets in a browser based app, as they will be visible to all.

If by web application you mean a server-side application that needs to make server to server requests, that is a "confidential client" because the executing code and secrets are not available to public scrutiny.

I interpret the "other authentication methods" to mean any authentication scheme that is customary over HTTP (or HTTPS) that can be completed in one request. Client certificate authentication using TLS might also fall into this bucket. I think the main part of the OAuth2 4.4 Client Credentials Grant is that the client app presents credentials directly to the OAuth token service via existing authentication methods. The example uses HTTP Basic authentication, but that's just one example.

Client credentials grant differs from the resource owner credentials grant (4.3) primarily in that the resource owner grant presents the user credentials in the body of the HTTP request instead of in the Authorization header. It would be difficult to use other authorization methods with resource owner grant.

The greatest caveat in using other authentication methods with the Client Credentials Grant is that support for anything other than HTTP Basic auth by OAuth2 client libraries will likely be spotty at best. Even if your use of digest or client cert auth with Client Credentials is within the OAuth2 spec, I'm doubtful that existing OAuth2 client libs will have built-in support for your particular permutation. See if you can find examples of client credentials grant using anything other than HTTP Basic auth by some of the big players such as Google or Yahoo. Things used there are more likely to be supported by OAuth client libs (especially the libs they ship!).

If you own both ends of the connection, this doesn't really matter. You can do whatever you want and find a client lib that will let you tweak or tailor the request to fit your needs.

If you want arbitrary clients to connect to your service using client credentials grant, you should plan on providing documentation and sample code of how clients should present the credentials you require. Off the shelf OAuth2 client libs probably won't provide automatic support for your scheme.

Omalley answered 6/8, 2013 at 17:4
Rigby: Yes, of course the part that performs the authentication with the resource provider is server-side, but thank you for pointing it out for future readers.
Rigby: I currently own both ends, but the service will be open to third-party clients. I just wanted to know if anyone has ever found an OAuth2 provider that supported a different method (I have not found any, but my knowledge is limited :) ) before trying it myself. I hate to reinvent the wheel, especially when it means implementing something potentially non-standard.
Omalley: As an implementer of an OAuth2 token service, I'm familiar with the spec requirements for the various grant types, but I haven't encountered an OAuth2 client lib that advertises that it supports client credentials grant with anything other than Basic auth. Such may exist, I just haven't seen it.
