So you implemented an OAuth 2.0 API...

So you implemented an OAuth 2.0 API...

January 15, 2015
While OAuth 2.0 is a good framework for building an API, the spec itself leaves many things un-specified, and it's up to the implementer to make a decision based on their own security requirements. As such, most OAuth 2.0 implementations are not interoperable, which is often cited as a failure of OAuth 2.0. On the other hand, the current state of OAuth 2.0 implementations is that they are often similar enough that developers don't need to learn too many new concepts when dealing with them.

This post documents all the ways in which OAuth 2.0 implementations may differ. All implementations of OAuth 2.0 have made decisions about these things (whether intentional or not), otherwise they are incomplete implementations.

Every place in the spec that mentions things are a "MUST" are assumed to be implemented correctly. In other words, this does not ask you to verify that you implemented required parts of the framework correctly.

Client Registration (Section 2)

How do developers register a new client application?
- on a web page (link to registration page)
- programmatically (link to docs)
- other (please describe)
Aside from the client type and redirect URIs, what information is required or requested when registering an application?
- application name
- web page
- description
- logo image
- acceptance of legal terms
- other info:
Client ID (Section 2.2)

Clients should avoid making assumptions about the length of the client ID.

What is the maximum string length of client IDs issued?

Client Authentication (Section 2.3)

What form of client authentication is supported?
- Client ID and secret (this is the most common)
- Public/private key pair
- Other
Client Password (Section 2.3.1)

If clients are issued a client_secret, which authentication mechanisms are supported for client identification:
- HTTP Authorization header (HTTP Basic Auth)
- POST body parameters, client_id and client_secret (not recommended)
Other Client Authentication Methods (Section 2.3.2)

If clients are not issued a client_secret, describe any other HTTP authentication schemes used to authenticate clients:

Protocol Endpoints (Section 3)

Please specify the authorization endpoint and token endpoints. (note: this is only required here if your endpoints are specified in your documentation)
- Authorization endpoint:
- Token endpoint:
How do clients obtain the location of the authorization and token endpoints? The most common way is to specify them in the API documentation, although an automatic discovery method may be used instead.
- API Documentation
- Other method:
Authorization Endpoint (Section 3.1)

How does the authorization endpoint authenticate users? (e.g. requires username and password logins each visit? maintains session cookies?)

Response Types (Section 3.1.1)

Aside from "code" and "token", are any additional response types supported?
- Yes, additional types:
- No
Redirect Endpoint Confidentiality (Section 3.1.2.1)
- Are redirect endpoints required to be HTTPS? Yes No
- If HTTPS is not required, does the authorization endpoint warn users about the insecure redirect endpoint? Yes No
Redirect URI Registration (Section 3.1.2.2)

Registration of the redirect endpoints is required for public clients and clients using the "implicit" grant type. Aside from these uses, are all clients required to register redirect URIs?
- Are all clients required to register their redirect URIs? Yes No
- Is the registered redirect URI required to match exactly? Yes No
- If both previous answers are "no", does the authorization server support a variable query string component of the registered redirect URI? Yes No
- Can clients register multiple redirect URIs? Yes No
Note: if registration of redirect URIs is not required for all clients, then your authorization endpoint can be used by an attacker as an open redirector.

Invalid Redirect Endpoint (Section 3.1.2.4)
- Does the authorization endpoint inform the user that a given redirect endpoint is invalid?
  Yes No
If the answer is "no", please describe what happens when an invalid redirect URI is provided in an authorization request. (The authorization endpoint must not redirect to this endpoint.)

Access Token Scope (Section 3.3)
- Is it possible for the authorization server to ignore (or add) scopes to the values requested during authorization? (For example, giving users the ability to not grant certain scopes requested by the application.) Yes No
- Does the authorization server document the default scope if none is specified during authorization? Yes (Documentation URL: ) No
Authorization Response (Section 4.1.2)
- What is the lifetime of authorization codes? (Maximum of 10 minutes is recommended)
- If an authorization code is used more than once, does the authorization server revoke all access tokens granted using the authorization code? Yes No
- What is the maximum size of authorization codes issued?
List any other parameters returned, as well as their maximum sizes:

Authorization Error Response (Section 4.1.2.1)
- If the request fails due to an invalid redirect URI or missing client ID, does the authorization server inform the user of the error? Yes No
- Does the error response contain an error_description field with a human-readable description of the error that occurred? Yes No
- Does the error response contain an error_uri field which links to a human-readable web page about the error? Yes No
Implicit Grant (Section 4.2)

Implicit Grant Access Token Response (Section 4.2.2)

When does the access token response include an expires_in parameter?
- Always
- Sometimes
- Never
If the expires_in parameter is not returned, the default value of the expiration is:
- Does the response always include the scope of the access token? (Optional if it's identical to the scope requested by the client.) Yes No
- What is the maximum size of authorization codes issued?
List any other parameters returned, as well as their maximum sizes:

Authorization Error Response (Section 4.2.2.1)
- If the request fails due to an invalid redirect URI or missing client ID, does the authorization server inform the user of the error? Yes No
- Does the error response contain an error_description field with a human-readable description of the error that occurred? Yes No
- Does the error response contain an error_uri field which links to a human-readable web page about the error? Yes No
Password Credentials Grant Type (Section 4.3)

Describe what types of clients can use the password credentials grant type:

Authorization Request (Section 4.3.1)

Describe how the user enters their credentials, e.g. a username and password prompt, client certificate auth, or whether the server uses or requires two-factor auth:

Access Token Request (Section 4.3.2)

Since the access token request involves sending the user's password to the authorization server, the server must protect against brute-force attacks. Describe what type of protection is used, e.g. rate limiting, sending alerts to the user, etc:

Access Token Response (Section 4.3.3)
- Does the client receives a refresh token when using the password credentials grant type? Yes No
Client Credentials Grant (Section 4.4)

What type of client authentication is used for the client credentials grant? e.g. client ID and secret, public key auth, etc.
- Client Credentials (client ID and secret)
- Others:
Can clients use the client credentials grant to request access to resources of other users who have been previously authorized? Yes No

If yes, describe how clients indicate which user they requesting an access token for. E.g. specifying a username, user ID, opaque token, etc.

Access Token Response (Section 4.4.3)
- Does the client receive a refresh token when using the client credentials grant type? (Not recommended) Yes No
Extension Grants (Section 4.5)

Authorization servers may support additional extension grant types such as SAML. List any additional grant types that are supported, along with links to their documentation.

Successful Access Token Response (Section 5.1)
- Does the access token response include an expires_in parameter indicating the lifetime in seconds of the access token? Yes No
- If not, what is the default value: , or describe another way the expiration time is indicated:
- Refresh tokens are returned for the following grant types:
  
  Authorization Code
  
  Implicit
  
  Client Credentials
  
  Refresh Token
  
  None of the above
  
  Describe any other conditions under which a refresh token is or is not returned when requesting an access token. E.g. only for specific clients, etc:
- What is the maximum size of access tokens issued?
- What is the maximum size of refresh tokens issued?
- List any other parameters returned, as well as their maximum sizes:
Error Response (Section 5.2)
- Does the error response contain an error_description field with a human-readable description of the error that occurred? Yes No
- Does the error response contain an error_uri field which links to a human-readable web page about the error? Yes No
Refreshing an Access Token (Section 6)
- Does the authorization server issue new refresh tokens when a refresh token is used? Yes No
- If a new refresh token is issued, is the existing refresh token revoked? Yes No
Accessing Protected Resources (Section 7)

Describe how the resource server validates access tokens: (e.g. uses the authorization server's private API, shares cryptography keys, shares a database connection)

Describe how clients send the access token to the resource server. This typically involves sending the access token in the "Authorization" request header.

Access Token Type (Section 7.1)

Which access token types are accepted?
- Bearer tokens
- MAC tokens
- Others:
Error Response (Section 7.2)

Does the resource server inform the client of an error? Yes No

New Authentication Schemes

If you are using a new authentication scheme (other than Bearer tokens), there are several things to take into account when handling error responses. Please describe the following:
- How your new authentication scheme provides error status codes to the client
- What is the name of the error parameter? (e.g. error)
- Does your scheme also return an error_description parameter? Yes No
- Does your scheme also return an error_uri parameter? Yes No
Security Considerations (Section 10)

Client Authentication (Section 10.1)
- Are client passwords (or other credentials) issued to clients for specific devices? (e.g. an individual installation of an application on a device gets unique credentials.) Yes No
- When clients are unable to use authentication such as a client_secret, does the authorization server employ other means to validate the client's identity?
  
  Requires registration of redirect URIs for clients
  
  Involves the user in confirming the client's identity
  
  Other:
  
  No
Client Impersonation (Section 10.2)
- Does the authorization server provide the user with information about the client? Yes No
- ... about the requested scope? Yes No
- ... and lifetime of the request? Yes No
- Describe the security measures taken to ensure repeated authorization requests come from the original client and not an impersonator:
Thu, Jan 15, 2015 12:15pm -08:00 #oauth #oauth2 #standards #web #authentication #checklist

19 likes 6 reposts 3 replies 5 mentions
Have you written a response to this? Let me know the URL:
- Big Dada tinyurl.com/ysf
  
  @aaronpk Did you ever post a follow-up w/results from "So you implemented an OAuth 2.0 API"?
  
  Tue, Sep 8, 2015 7:07pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  @zenobase oh crap! Sorry, I'll fix that! At least I made it save progress with a cookie!
  
  Fri, Jan 16, 2015 6:27am +00:00 (via brid-gy.appspot.com)
- Zenobase zenobase.com
  
  @aaronpk what's up with having the arrow keys navigate away from the page when you are filling out the form?
  
  Fri, Jan 16, 2015 6:24am +00:00 (via brid-gy.appspot.com)
Other Mentions
- Camilo Aguilar www.linkedin.com/in/c4milo
  
  @aaronpk great! working on your survey right now!
  
  Mon, Jan 26, 2015 6:18pm +00:00 (via brid-gy.appspot.com)
- Camilo Aguilar twitter.com/c4milo
  Camilo Aguilar favorited this.
  Mon, Jan 26, 2015 10:08am -08:00 (via brid-gy.appspot.com)
- Camilo Aguilar www.linkedin.com/in/c4milo
  Camilo Aguilar retweeted this.
  Mon, Jan 26, 2015 6:07pm +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  @c4milo I turned it in to a blog post! http://aaronparecki.com/articles/2015/01/15/1/so-you-implemented-an-oauth2-api
  
  Mon, Jan 26, 2015 10:07am -08:00
- Aaron Parecki aaronparecki.com
  So you implemented an OAuth 2.0 API...
  Thu, Jan 15, 2015 12:15pm -08:00

Posted in /articles

Aaron Parecki

Client Registration (Section 2)

Client ID (Section 2.2)

Client Authentication (Section 2.3)

Client Password (Section 2.3.1)

Other Client Authentication Methods (Section 2.3.2)

Protocol Endpoints (Section 3)

Authorization Endpoint (Section 3.1)

Response Types (Section 3.1.1)

Redirect Endpoint Confidentiality (Section 3.1.2.1)

Redirect URI Registration (Section 3.1.2.2)

Invalid Redirect Endpoint (Section 3.1.2.4)

Access Token Scope (Section 3.3)

Authorization Response (Section 4.1.2)

Authorization Error Response (Section 4.1.2.1)

Implicit Grant (Section 4.2)

Implicit Grant Access Token Response (Section 4.2.2)

Authorization Error Response (Section 4.2.2.1)

Password Credentials Grant Type (Section 4.3)

Authorization Request (Section 4.3.1)

Access Token Request (Section 4.3.2)

Access Token Response (Section 4.3.3)

Client Credentials Grant (Section 4.4)

Access Token Response (Section 4.4.3)

Extension Grants (Section 4.5)

Successful Access Token Response (Section 5.1)

Error Response (Section 5.2)

Refreshing an Access Token (Section 6)

Accessing Protected Resources (Section 7)

Access Token Type (Section 7.1)

Error Response (Section 7.2)

New Authentication Schemes

Security Considerations (Section 10)

Client Authentication (Section 10.1)

Client Impersonation (Section 10.2)

Other Mentions