Secure REST API and Mobile(1)Document Read and Understand OAUTH2

Secure REST API and Mobile(1)Document Read and Understand OAUTH2

I used to use OAuth1 before, but it seems that it is different from OAuth2.

1. Introduction on OAuth2
Resource Owner  — User
Client — App
Authorization Server
Resource Server — API

Client should be registered first.
Client Registration
Client ID
Client Secret
Redirect URI

Public V.S. Confidential Client
Confidential - Server-side Application,  send Client ID+Secret to Auth.Server
Public - Moible App/ JavaScript App

Endpoints
Authorization Endpoint — User authorize — Web Page — Grant — 302 to Client Redirect URI
Token Endpoint — Client fetch the token - JSON API - fetch the Token with Grant
Redirection Endpoint — Client receive the info

SSL, Auth.Server endpoints must be HTTPS, Client Redirection Endpoint is not.

Resource Server
Client use Token to fetch the info from Resource Server - Password-Free API

There are several flows (Taobao Top as example)
user       ———    browser ———— ———— app ————— TOP
                                get app URL ——————>
                                 <———  send 302 to Oauth
                                GET /authorize — — ——————————>
Logon and Grant —————————————————————>
                                <— —————— ——— redirect to redirect_URI
                                get redirect URI ————>
                                                                        POST token————>
                                                                        <—— — Access Token


2. Public Clients - Implicit Grant Flow
only for public client, Android App, iOS App, Javascript App.
Grant will not be transferred to Client, directly give Token
No Token Endpoint
Token has short lifetime
No Refresh Token

OAuth2 Provider
Facebook — Auth Code, Implicit, Client Cred.
Github — Auth Code, Password
Twitter — Client Cred.
Google — Auth Code, Implicit
Microsoft — Auth Code, Implicit
Dropbox — Auth Code, Implicit
Amazon — Auth Code, Implicit
Bitly — Auth Code, Password
Sina weibo — Auth Code
Douban — Auth Code, Implicit
BOX — Auth Code
Basecamp — Auth Code

3. Try to secure our API
It seems to me that we need to use other provide for authentication, we need to do the authorization ourselves.

Next step I will investigate PHP codes from our company, hello.js and some customized projects.
http://adodson.com/hello.js/

https://github.com/tcompiegne/oauth2-resource-server-samples
https://github.com/tcompiegne/oauth2-server
https://github.com/tcompiegne/oauth2-client-samples

References:
OAuth
http://sillycat.iteye.com/blog/1265917 protocol and the example
http://sillycat.iteye.com/blog/1265918 sample provider
http://sillycat.iteye.com/blog/1265922 sample provider
http://sillycat.iteye.com/blog/1265923 all about the protocol

OAuth2
http://oauth.net/2/

http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html

Very good MIT Library
https://github.com/MrSwitch/hello.js
http://adodson.com/hello.js/

http://security.stackexchange.com/questions/67343/secure-rest-api-and-single-page-app-by-using-external-oauth-2-authorization-code

example
https://github.com/jcleblanc/oauth

OpenId
http://sillycat.iteye.com/blog/1004721
http://sillycat.iteye.com/blog/1004723
http://sillycat.iteye.com/blog/1543234
http://sillycat.iteye.com/blog/1543929
http://sillycat.iteye.com/blog/1543974

oauth provider
https://oauth.io/providers

powerful OAUTH2 client
http://adodson.com/hello.js/

OAUTH2 providers
https://github.com/tcompiegne/oauth2-resource-server-samples
https://github.com/tcompiegne/oauth2-server
https://github.com/tcompiegne/oauth2-client-samples