Implementing Log in with Facebook Oauth 2 demystified

Implementing “Log in with Facebook” Oauth 2 demystified

What is Oauth 2. 0?

3 use cases

How does it work? 1. Identification

Step by step

Get info

Login page

Login page https: //accounts. google. com/o/oauth 2/auth ? response_type=code &client_id=… &redirect_uri=http%3 A%2 F%2 Flocalhost%3 A 11080%2 Fident%2 Foauth 2 callback &scope=profile%20 email &state=google

https: //accounts. google. com/o/oauth 2/auth

Redirect to redirect. URL + some stuff

http: //localhost: 11080/ident ? state=google &code=4/v. H 63 y…

POST https: //accounts. google. com/o/oauth 2/token code=4/v. H 63 ytr… &client_id=772487…. &client_secret=SETp 7 A… &redirect_uri=http: //localhost: 11080/ident/oauth 2 callback &grant_type=authorization_code

{ } "access_token" : "ya 29…", "token_type" : "Bearer", "expires_in" : 3600, "id_token" : "ey. Jh…“

{ } "iss": "accounts. google. com", "id": "113339841342803744186", "sub": "113339841342803744186", "azp": "7724870588…", "email": "johannes@brodwall. com", "at_hash": "Qmq. GGPen. EAd 6 Fny. X 3 pdg. Gw", "email_verified": true, "aud": "772487…", …

Welcome johannes @brodwall. com

In summary

2. Authenticate and approve 1. Redirect 3. Redirect 4. Submit code 5. Request token 6. Parse token

What do you need?

1. Redirect 4. Submit code 5. Request token 6. Parse token

Create your application credentials

Create auth URL

private String get. Auth. Url(Http. Servlet. Request req) { String redirect. Uri = req. get. Scheme() + ": //" + req. get. Server. Name() + ": " + req. get. Server. Port() + req. get. Context. Path() + "/oauth 2 callback"; return get. Auth. Url() https: //accounts. google. com/o/oauth 2/auth + "? response_type=code" + "&client_id=" + get. Client. Id() + "&redirect_uri=" + URLEncoder. encode(redirect. Url, "UTF-8") + "&scope=" + get. Scope() + "&state=" + provider. Name; }

Handle response

@Override void do. Get(Http. Servlet. Request req, Http. Servlet. Response resp) { User. Session user. Session = get. Session. Object(User. Session. class, req); Oauth. Provider. Session provider. Session = user. Session. get. Provider. Session(req. get. Parameter("state")); if (req. get. Parameter("error") != null) { } String redirect. Uri = get. Context. Url(req) + "/oauth 2 callback"; provider. Session. fetch. Auth. Token(req. get. Parameter("code"), redirect. Uri); resp. send. Redirect("/"); }

Request and parse token

public void fetch. Auth. Token(String code, String redirect. Uri) { Json. Object token. Response = Http. Utils. http. Post. Json( https: //accounts. google. com/o/oauth 2/token new URL(provider. get. Token. Url()), provider. get. Token. Request. Payload(code, redirect. Uri)); parse. Token(token. Response); }

String get. Token. Request. Payload(String code, String redirect. Uri) { return ("code=" + code + "&client_id=" + get. Client. Id() + "&client_secret=" + get. Client. Secret() + "&redirect_uri=" + redirect. Uri + "&grant_type=authorization_code"); }

Parse JWT token

private void parse. Token(Json. Object token. Response) { String id. Token = token. Response. get("id_token"). as. String(); String id. Token. Payload = base 64 Decode(id. Token. split("\. ")[1]); Json. Object payload = Json. Object. read. From(id. Token. Payload); username = payload. get("email"). as. String(); access. Token = token. Response. get("access_token"). as. String(); }

How does it work? 2. Impersonation

Step by step

Get info

Login page

https: //www. facebook. com/dialog/oauth ? response_type=code &client_id=234369443417415 &redirect_uri=http%3 A%2 F%2 Flocalhost%3 A 11080%2 Fident%2 Foauth 2 callback &scope=email &state=facebook

http: //localhost: 11080/ident/oauth 2 callback ? code=AQCUwj… &state=facebook

GET https: //graph. facebook. com/oauth/access_token ? code=AQDw. PHudo 8 t 2 FK… &client_id=234369443417415 &client_secret=…. &redirect_uri=… &grant_type=authorization_code

access_token=CAADVKGNrz. Uc. BA… &expires=5183997

https: //graph. facebook. com/me? access_token=CA. . .

{ "bio" : ". . ", "education" : [. . . ], "email" : "jhannes@gmail. com", "gender" : "male", "id" : "576856096", "name" : "Johannes Brodwall", "timezone" : 2, "updated_time" : "2014 -08 -07 T 07: 50: 10+0000", "username" : "johannes. brodwall", "verified" : true, "work" : [. . . ] }

Welcome Johannes Brodwall <jhannes@gmail. com>

https: //www. googleapis. com/plus/v 1/people/me Authentication: Bearer dfsmaslwmsrpe

{ } "email" : "jhannes@gmail. com", "gender" : "male", "id" : "114882493954685290859", “display. Name" : "Johannes Brodwall", "timezone" : 2, "verified" : true,

In summary

2. Authenticate and approve 1. Redirect 3. Redirect 4. Submit code 5. Request token 6. Token 7. Fetch profile 8. Profile

2. Authenticate and approve 1. Redirect 3. Redirect 4. Submit code 5. Request token 6. Token 7. API call

What do you need?

public void fetch. Profile() throws IOException { Json. Object object = Http. Utils. http. Get. With. Token( provider. get. Profile. Url(), access. Token); full. Name = object. get("display. Name"). as. String(); } Json http. Get. With. Token(String request. Url, String access. Token) { Http. URLConnection conn = (Http. URLConnection) new URL(request. Url). open. Connection(); conn. set. Request. Method("GET"); conn. set. Request. Property("Authorization", "Bearer " + access. Token);

How does it work? 3. Federation

2. Authenticate and approve 1. Redirect 3. Redirect 4. Submit code 5. Request token 6. Token 7. API call

2. Authenticate and approve 1. Redirect 3. Redirect 4. Submit code 5. Request token 6. Token 7. API call

2. Authenticate and approve 1. Redirect 4. Submit code 3. Redirect 5. Request token 6. Token 7. API call 8. Verify token 9. Respond

What is Oauth 2. 0?

A secure and simple way to authorize users across the internet

Supported by major players

Implemented with variations

johannes@brandmaster. com http: //Johannes. Brodwall. com http: //github. com/jhannes/oauth 2 -fun