What exactly is OAuth (Open Authorization)?

What exactly is OAuth (Open Authorization)? OAuth allows notifying a resource provider (e.g. Facebook) that the resource owner (e.g. you) grants permission to a third-party (e.g. a Facebook Application) access to their information (e.g. the list of your friends). If you read it stated plainly, I would understand your confusion. So let’s go with a … Read more

Spring OAuth redirect_uri not using https

After digging manually through the configuration classes I was able to find and add the following, which did the trick… security.oauth2.client.pre-established-redirect-uri=https://[application_host]/login security.oauth2.client.registered-redirect-uri=https://[application_host]/login security.oauth2.client.use-current-uri=false I’m not convinced there isn’t a better way to solve the problem of forcing a HTTPS redirect URL, but this fix worked for me.

Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?

State and nonce seem to be similar. But if you dig deep, you will find that they serve different purposes. State is there to protect the end user from cross site request forgery(CSRF) attacks. It is introduced from OAuth 2.0 protocol RFC6749. Protocol states that, Once authorization has been obtained from the end-user, the authorization … Read more

OAuth 2.0: Benefits and use cases — why?

Background: I’ve written client and server stacks for OAuth 1.0a and 2.0. Both OAuth 1.0a & 2.0 support two-legged authentication, where a server is assured of a user’s identity, and three-legged authentication, where a server is assured by a content provider of the user’s identity. Three-legged authentication is where authorization requests and access tokens come … Read more

Why do access tokens expire?

This is very much implementation specific, but the general idea is to allow providers to issue short term access tokens with long term refresh tokens. Why? Many providers support bearer tokens which are very weak security-wise. By making them short-lived and requiring refresh, they limit the time an attacker can abuse a stolen token. Large … Read more