Implementing Log in with Facebook Oauth 2 demystified
What is OAuth 2.0?
3 use cases
How does it work? 1. Identification
Step by step
Get info
Login page
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=…&redirect_uri=http%3A%2F%2Flocalhost%3A11080%2Fident%2Foauth2callback&scope=profile%20email&state=google
https://accounts.google.com/o/oauth2/auth
Redirect to redirectURL + some stuff
http://localhost:11080/ident?state=google&code=4/vH63y…
POST https://accounts.google.com/o/oauth2/token
code=4/vH63ytr…&client_id=772487….&client_secret=SETp7A…&redirect_uri=http://localhost:11080/ident/oauth2callback&grant_type=authorization_code
{ "access_token": "ya29…", "token_type": "Bearer", "expires_in": 3600, "id_token": "eyJh…" }
{ "iss": "accounts.google.com", "id": "113339841342803744186", "sub": "113339841342803744186", "azp": "7724870588…", "email": "johannes@brodwall.com", "at_hash": "QmqGGPenEAd6FnyX3pdgGw", "email_verified": true, "aud": "772487…", … }
Welcome johannes@brodwall.com
In summary
1. Redirect
2. Authenticate and approve
3. Redirect
4. Submit code
5. Request token
6. Parse token
What do you need?
1. Redirect
4. Submit code
5. Request token
6. Parse token
Create your application credentials
Create auth URL
private String getAuthUrl(HttpServletRequest req) throws UnsupportedEncodingException {
    String redirectUri = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort()
            + req.getContextPath() + "/oauth2callback";
    // getAuthUrl() is the provider's authorization endpoint,
    // e.g. https://accounts.google.com/o/oauth2/auth
    return getAuthUrl()
            + "?response_type=code"
            + "&client_id=" + getClientId()
            + "&redirect_uri=" + URLEncoder.encode(redirectUri, "UTF-8")
            + "&scope=" + getScope()
            + "&state=" + providerName;
}
Handle response
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    UserSession userSession = getSessionObject(UserSession.class, req);
    // the state parameter carries the provider name ("google" or "facebook")
    OauthProviderSession providerSession = userSession.getProviderSession(req.getParameter("state"));
    if (req.getParameter("error") != null) {
        // the user declined or the provider rejected the request; handling elided on the slide
    }
    String redirectUri = getContextUrl(req) + "/oauth2callback";
    providerSession.fetchAuthToken(req.getParameter("code"), redirectUri);
    resp.sendRedirect("/");
}
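The slides send the provider name as state, so the callback is not tied to the login attempt that started it. Added example (not from the slides or the oauth2-fun project): the same redirect and callback pair in Python with a random per-login state stored in a dict-backed session, assuming the Google endpoint shown above.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_URL = "https://accounts.google.com/o/oauth2/auth"   # endpoint from the slides


def build_auth_url(session, client_id, redirect_uri, scope="profile email"):
    """Step 1 (Redirect): build the authorization URL.

    A fresh random state is stored in the caller's session so the callback can
    prove it belongs to this login attempt; the provider name is kept next to
    it instead of being sent as the state itself."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_provider"] = "google"
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # urlencode percent-encodes it
        "scope": scope,
        "state": state,
    }
    return AUTH_URL + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Steps 3/4 (Redirect back, Submit code): validate the callback.

    Returns the authorization code, or raises if the provider reported an
    error or the state does not match the one stored for this session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError("provider returned error: " + query["error"][0])
    expected = session.pop("oauth_state", None)   # one use only
    received = query.get("state", [""])[0]
    # constant-time comparison; a missing or stale state is rejected
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("callback carried no authorization code")
    return code
```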
Request and parse token
public void fetchAuthToken(String code, String redirectUri) throws IOException {
    // provider.getTokenUrl() is the token endpoint, e.g. https://accounts.google.com/o/oauth2/token
    JsonObject tokenResponse = HttpUtils.httpPostJson(
            new URL(provider.getTokenUrl()),
            provider.getTokenRequestPayload(code, redirectUri));
    parseToken(tokenResponse);
}

String getTokenRequestPayload(String code, String redirectUri) throws UnsupportedEncodingException {
    // application/x-www-form-urlencoded body; the client_secret never leaves the server
    return "code=" + code
            + "&client_id=" + getClientId()
            + "&client_secret=" + getClientSecret()
            + "&redirect_uri=" + URLEncoder.encode(redirectUri, "UTF-8")
            + "&grant_type=authorization_code";
}
Parse JWT token
private void parseToken(JsonObject tokenResponse) {
    String idToken = tokenResponse.get("id_token").asString();
    // the JWT is header.payload.signature; split on a literal dot and decode the payload
    // (the signature is not checked here: the token came straight from the token endpoint over TLS)
    String idTokenPayload = base64Decode(idToken.split("\\.")[1]);
    JsonObject payload = JsonObject.readFrom(idTokenPayload);
    username = payload.get("email").asString();
    accessToken = tokenResponse.get("access_token").asString();
}
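Decoding the payload is only half of step 6: the claims inside it still need checking. Added example (not from the slides or the oauth2-fun project) in Python: base64url-decode the id_token payload, restoring the padding JWTs strip, and validate issuer, audience, expiry and email_verified before trusting the e-mail. The signature is deliberately not checked, as on the slide, because the token was just received from the token endpoint over TLS; the fixture builder at the bottom constructs an unsigned sample token for the test.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def b64url_decode(segment):
    """base64url-decode a JWT segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def parse_id_token(token_response, client_id, now=None):
    """Step 6 (Parse token): return the user identity from a token response.

    Validates the claims a relying party must check: iss is Google, aud is our
    own client_id (a token minted for another app is rejected), exp is in the
    future, and the provider has verified the e-mail address."""
    now = time.time() if now is None else now
    parts = token_response["id_token"].split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    payload = json.loads(b64url_decode(parts[1]))
    if payload.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer: %r" % payload.get("iss"))
    if payload.get("aud") != client_id:
        raise ValueError("id_token was issued for another client")
    if payload.get("exp", 0) <= now:
        raise ValueError("id_token has expired")
    if not payload.get("email_verified"):
        raise ValueError("e-mail address not verified by the provider")
    return {"username": payload["email"], "sub": payload["sub"],
            "access_token": token_response["access_token"]}


def make_sample_token_response(payload, access_token="ya29.constructed"):
    """Constructed fixture: an unsigned JWT shaped like Google's id_token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}
    return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600,
            "id_token": enc(header) + "." + enc(payload) + ".signature-placeholder"}
```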
How does it work? 2. Impersonation
Step by step
Get info
Login page
https://www.facebook.com/dialog/oauth?response_type=code&client_id=234369443417415&redirect_uri=http%3A%2F%2Flocalhost%3A11080%2Fident%2Foauth2callback&scope=email&state=facebook
http://localhost:11080/ident/oauth2callback?code=AQCUwj…&state=facebook
GET https://graph.facebook.com/oauth/access_token?code=AQDwPHudo8t2FK…&client_id=234369443417415&client_secret=….&redirect_uri=…&grant_type=authorization_code
access_token=CAADVKGNrzUcBA…&expires=5183997
https://graph.facebook.com/me?access_token=CA...
{ "bio": "..", "education": [...], "email": "jhannes@gmail.com", "gender": "male", "id": "576856096", "name": "Johannes Brodwall", "timezone": 2, "updated_time": "2014-08-07T07:50:10+0000", "username": "johannes.brodwall", "verified": true, "work": [...] }
Welcome Johannes Brodwall <jhannes@gmail.com>
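Note the variation in step 6: Google's token endpoint answers with JSON, while Facebook's (as captured above) answered with a form-encoded body and called the lifetime field expires rather than expires_in. Added example (not from the slides or the oauth2-fun project) in Python that normalises both shapes; the sample bodies in the test are constructed.

```python
import json
from urllib.parse import parse_qs


def parse_token_response(content_type, body):
    """Step 6 (Token): normalise the token endpoint's answer to one shape.

    Google returns JSON ({"access_token": ..., "expires_in": ...}); Facebook,
    as on the slides, returned a form-encoded access_token=...&expires=...
    body. Either way the caller gets {"access_token": str, "expires_in": int}.
    """
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json" or body.lstrip().startswith("{"):
        data = json.loads(body)
        # Graph API failures come back as a JSON "error" object even though
        # its success response is form-encoded, so check that first
        if "error" in data:
            raise ValueError("token request failed: %s" % data["error"])
        token = data.get("access_token")
        expires = data.get("expires_in")
    else:
        fields = parse_qs(body, strict_parsing=True)
        token = fields.get("access_token", [None])[0]
        # Facebook named the lifetime field "expires" rather than "expires_in"
        expires = (fields.get("expires_in") or fields.get("expires") or [None])[0]
    if not token:
        raise ValueError("token response carries no access_token")
    return {"access_token": token,
            "expires_in": int(expires) if expires is not None else None}
```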
https://www.googleapis.com/plus/v1/people/me
Authorization: Bearer dfsmaslwmsrpe
{ "email": "jhannes@gmail.com", "gender": "male", "id": "114882493954685290859", "displayName": "Johannes Brodwall", "timezone": 2, "verified": true, … }
In summary
1. Redirect
2. Authenticate and approve
3. Redirect
4. Submit code
5. Request token
6. Token
7. Fetch profile (API call)
8. Profile
What do you need?
public void fetchProfile() throws IOException {
    JsonObject object = HttpUtils.httpGetWithToken(provider.getProfileUrl(), accessToken);
    fullName = object.get("displayName").asString();
}

JsonObject httpGetWithToken(String requestUrl, String accessToken) throws IOException {
    HttpURLConnection conn = (HttpURLConnection) new URL(requestUrl).openConnection();
    conn.setRequestMethod("GET");
    // the access token travels in the Authorization header, not in the query string
    conn.setRequestProperty("Authorization", "Bearer " + accessToken);
    try (Reader reader = new InputStreamReader(conn.getInputStream(), "UTF-8")) {
        return JsonObject.readFrom(reader);
    }
}
How does it work? 3. Federation
1. Redirect
2. Authenticate and approve
3. Redirect
4. Submit code
5. Request token
6. Token
7. API call
8. Verify token
9. Respond
What is OAuth 2.0?
A secure and simple way to authorize users across the internet
Supported by major players
Implemented with variations
johannes@brandmaster.com
http://Johannes.Brodwall.com
http://github.com/jhannes/oauth2-fun