Manning.OAuth.2.in.Action.2017

Required points/C-coins: 50   2017-05-28 13:06:04   10.99MB   PDF

Title: OAuth 2 in Action
Author: Justin Richer, Antonio Sanso
Length: 360 pages
Edition: 1
Language: English
Publisher: Manning Publications
Publication Date: 2017-03-18
ISBN-10: 161729327X
ISBN-13: 9781617293276
For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact
Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 261
Shelter Island, NY 11964
Email: orders@manning.com

© 2017 by Manning Publications Co. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning's policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

Manning Publications Co.
20 Baldwin Road
PO Box 261
Shelter Island, NY 11964

Development editor: Jennifer Stout
Technical development editors: Dennis Sellinger, David Fombella Pombal
Copyeditor: Progressive Publishing Services
Technical proofreader: Ivan Kirkpatrick
Composition: Progressive Publishing Services
Cover design: Marija Tudor

ISBN: 9781617293276
Printed in the United States of America
1 2 3 4 5 6 7 8 9 10 - EBM - 22 21 20 19 18 17

brief contents

PART 1 FIRST STEPS 1
1 What is OAuth 2.0 and why should you care? 3
2 The OAuth dance 21

PART 2 BUILDING AN OAUTH 2 ENVIRONMENT 41
3 Building a simple OAuth client 43
4 Building a simple OAuth protected resource 59
5 Building a simple OAuth authorization server 75
6 OAuth 2.0 in the real world 93

PART 3 OAUTH 2 IMPLEMENTATION AND VULNERABILITIES 119
7 Common client vulnerabilities 121
8 Common protected resources vulnerabilities 138
9 Common authorization server vulnerabilities 154
10 Common OAuth token vulnerabilities 168

PART 4 TAKING OAUTH FURTHER 179
11 OAuth tokens 181
12 Dynamic client registration 208
13 User authentication with OAuth 2.0 236
14 Protocols and profiles using OAuth 2.0 262
15 Beyond bearer tokens 282
16 Summary and conclusions 298

contents

preface xiii
acknowledgments xvii
about this book xx
about the authors xx
about the cover illustration xxvi

PART 1 FIRST STEPS

1 What is OAuth 2.0 and why should you care? 3
1.1 What is OAuth 2.0? 3
1.2 The bad old days: credential sharing (and credential theft) 7
1.3 Delegating access 11
  Beyond HTTP Basic and the password-sharing antipattern 13 . Authorization delegation: why it matters and how it's used 14 . User-driven security and user choice 15
1.4 OAuth 2.0: the good, the bad, and the ugly 16
1.5 What OAuth 2.0 isn't 18
1.6 Summary 20

2 The OAuth dance 21
2.1 Overview of the OAuth 2.0 protocol: getting and using tokens 21
2.2 Following an OAuth 2.0 authorization grant in detail
2.3 OAuth's actors: clients, authorization servers, resource owners, and protected resources 31
2.4 OAuth's components: tokens, scopes, and authorization grants 32
  Access tokens 32 . Scopes 32 . Refresh tokens 33 . Authorization grants 34
2.5 Interactions between OAuth's actors and components: back channel, front channel, and endpoints 35
  Back-channel communication 35 . Front-channel communication 36
2.6 Summary 39

PART 2 BUILDING AN OAUTH 2 ENVIRONMENT

3 Building a simple OAuth client 43
3.1 Register an OAuth client with an authorization server 44
3.2 Get a token using the authorization code grant type 46
  Sending the authorization request 47 . Processing the authorization response 49 . Adding cross-site protection with the state parameter 50
3.3 Use the token with a protected resource 51
3.4 Refresh the access token 54
3.5 Summary 58

4 Building a simple OAuth protected resource 59
4.1 Parsing the OAuth token from the HTTP request 60
4.2 Validating the token against our data store 62
4.3 Serving content based on the token 65
  Different scopes for different actions 66 . Different scopes for different data results 68 . Different users for different data results 70 . Additional access controls 73
4.4 Summary 74

5 Building a simple OAuth authorization server 75
5.1 Managing OAuth client registrations 76
5.2 Authorizing a client 77
  The authorization endpoint 78 . Authorizing the client 79
5.3 Issuing a token 82
  Authenticating the client 83 . Processing the authorization grant request 84
5.4 Adding refresh token support 86
5.5 Adding scope support 88
5.6 Summary 92

6 OAuth 2.0 in the real world 93
6.1 Authorization grant types 93
  Implicit grant type 94 . Client credentials grant type 97 . Resource owner credentials grant type 101 . Assertion grant types 106 . Choosing the appropriate grant type 108
6.2 Client deployments 109
  Web applications 109 . Browser applications 110 . Native applications 112 . Handling secrets 117
6.3 Summary 118

PART 3 OAUTH 2 IMPLEMENTATION AND VULNERABILITIES 119

7 Common client vulnerabilities 121
7.1 General client security 121
7.2 CSRF attack against the client 122
7.3 Theft of client credentials 125
7.4 Registration of the redirect URI 127
  Stealing the authorization code through the referrer 128 . Stealing the token through an open redirector 132
7.5 Theft of authorization codes 134
7.6 Theft of tokens 134
7.7 Native applications best practices 136
7.8 Summary 137

8 Common protected resources vulnerabilities 138
8.1 How are protected resources vulnerable? 138
8.2 Design of a protected resource endpoint 139
  How to protect a resource endpoint 140 . Adding implicit grant support 148
8.3 Token replays 151
8.4 Summary 153

9 Common authorization server vulnerabilities 154
9.1 General security 154
9.2 Session hijacking 155
9.3 Redirect URI manipulation 157
9.4 Client impersonation 162
9.5 Open redirector 164
9.6 Summary 167

10 Common OAuth token vulnerabilities 168
10.1 What is a bearer token? 168
10.2 Risks and considerations of using bearer tokens 170
10.3 How to protect bearer tokens 170
  At the client 171 . At the authorization server 172 . At the protected resource 173
10.4 Authorization code 173
  Proof Key for Code Exchange (PKCE) 174
10.5 Summary 178

PART 4 TAKING OAUTH FURTHER 179

11 OAuth tokens 181
11.1 What are OAuth tokens? 181
11.2 Structured tokens: JSON Web Token (JWT) 183
  The structure of a JWT 183 . JWT claims 185 . Implementing JWT in our servers 186
11.3 Cryptographic protection of tokens: JSON Object Signing and Encryption (JOSE) 188
  Symmetric signatures using HS256 189 . Asymmetric signatures using RS256 191 . Other token protection options 195
11.4 Looking up a token's information online: token introspection 196
  The introspection protocol 196 . Building the introspection endpoint 198 . Introspecting a token 200 . Combining introspection and JWT 201
11.5 Managing the token lifecycle with token revocation 202
  The token revocation protocol 202 . Implementing the revocation endpoint 203 . Revoking a token 204
11.6 The OAuth token lifecycle 207
11.7 Summary 207

12 Dynamic client registration 208
12.1 How the server knows about the client 209
12.2 Registering clients at runtime 210
  How the protocol works 210 . Why use dynamic registration? 212 . Implementing the registration endpoint 214 . Having a client register itself 217
12.3 Client metadata 219
  Table of core client metadata field names 220 . Internationalization of human-readable client metadata 220 . Software statements 223
12.4 Managing dynamically registered clients 225
  How the management protocol works 225 . Implementing the dynamic client registration management API 228
12.5 Summary 235

13 User authentication with OAuth 2.0 236
13.1 Why OAuth 2.0 is not an authentication protocol 237
  Authentication vs. authorization: a delicious metaphor 237
13.2 Mapping OAuth to an authentication protocol 238
13.3 How OAuth 2.0 uses authentication 241


Comments (9)

疯狂的风筝: A really good book indeed.
2018-11-03

coxx_jie: A book full of good ideas.
2017-10-11

架构师波波: Great book, many thanks!
2017-10-08

bursting: Great book, many thanks.
2017-09-23

hejianhuacn: Complete and clear, many thanks.
2017-09-15
Uploader: DoomLord