7 OAuth2 and OpenID Connect

In the last few chapters, you’ve implemented user authentication methods that are suitable for the Natter UI and your own desktop and mobile apps. Increasingly, APIs are being opened to third-party apps and clients from other businesses and organizations. Natter is no different, and your newly appointed CEO has decided that you can boost growth by encouraging an ecosystem of Natter API clients and services. In this chapter you’ll integrate an OAuth2 Authorization Server to allow your users to delegate access to third-party clients. By using scoped tokens, users can restrict which parts of the API those clients can access. Finally, you’ll see how OAuth provides a standard way to centralize token-based authentication within your organization to achieve single sign-on across different APIs and services. The OpenID Connect standard builds on top of OAuth2 to provide a more complete authentication framework when you need finer control over how a user is authenticated.

7.1      Scoped tokens

7.1.1   Adding scoped tokens to Natter

7.1.2   The difference between scopes and permissions

7.2      Introducing OAuth2

7.2.1   Types of clients

7.2.2   Authorization grants

7.2.3   Discovering OAuth2 endpoints

7.3      The Authorization Code grant

7.3.1   Redirect URIs for different types of client

7.3.2   Hardening code exchange with PKCE

7.3.3   Refresh tokens

7.4      Validating an access token

7.4.1   Token introspection

7.4.2   Securing the HTTPS client configuration

7.4.3   Token revocation

7.4.4   JWT access tokens

7.4.5   Encrypted JWT access tokens

7.4.6   Letting the AS decrypt the tokens

7.5      Single sign-on

7.6      OpenID Connect

7.6.1   ID tokens

7.6.2   Hardening OIDC

7.6.3   Passing an ID token to an API

7.7      Summary