During the IdentityServer workshop by Dominick Baier in London last year (here are my impressions from it) one of the questions we asked was about what to read next. Apparently, writing security standards isn’t an easy task and the resulting documents are not particularly easy to read and understand - perhaps, that’s why there aren’t too many books that really dig into the modern protocols. Dominick specifically recommended one book dedicated to explaining how OAuth 2, OpenID Connect, and their friends are supposed to work - and that was OAuth 2 In Action by Justin Richer and Antonio Sanso. So, inspired by the 3-day workshop and willing to dive deeper, I set out to read it through. This post is my brief review of the book.
Both authors are experts in the field of computer security, with Justin Richer even being a member of OpenID Foundation, and they did a tremendous job of packing the modern web security body of knowledge into 360 pages. Security is considered a hard topic for a good reason: paraphrasing Chapter 10, software systems need to be implemented securely every time, but for the hackers one vulnerability and one chance is often enough. This is why the book is quite detailed and sometimes feels dry. But hey, nobody promised that computer security was simple! I still enjoyed the writing style, very thorough, but also with real-world examples, not academic, and with a healthy dose of humor.
One chapter that justifies buying the entire book and is crucial for understanding everything else is Chapter 2, “The OAuth dance”. Most of web users these days have experienced it many times, when using Facebook or Microsoft accounts to log in on multiple sites and seeing browser redirecting back and forth several times. The concept of delegating access and trading credentials for a token are in the core of OAuth, so this chapter nicely introduces all the involved parties (Resource Owner, Client, Protected Resource, and Authorization Server) and explains every step of a single round of obtaining and using a token. It feels like an “executive summary” of the whole OAuth story, providing a bird’s-eye view, while the rest of the book discusses everything in greater detail.
Part 2 of the book (Chapters 3-6) demonstrates how a client, a protected resource, and an authorization server can be built. Not only there is an explanation of how the protocol works, but also there are working code examples (in Node.js) with all the HTTP interactions between parties. Despite mostly working with .NET stack, I found it easy to follow along, and it really was a nice demystifying experience. Seriously, from outside OAuth may seem like a magic blackbox, but it actually stands on the shoulders of giants like HTTP and cryptographic algorithms. It’s all about doing a series of carefully crafted HTTP requests and handling them correctly by each party - and all that is demonstrated in these chapters. I didn’t run the accompanying code myself, however, being somewhat familiar to the APIs and source code of IdentityServer, it wasn’t hard to recognize the patterns and flows that I have already used and implemented myself. If Chapter 2 defines “The OAuth Dance”, then these chapters define the moves of each dancer.
Following the dance analogy, Chapters 7-10 discuss the mistakes that a dancer can make and how to mitigate them. After all, OAuth 2 is just a specification, so it is up to an implementer to make sure there are no security holes. The authors describe most common vulnerabilities in client, protected resource, authorization server, and token implementations, many of them being on the OWASP Top 10 list. This part of the book will be useful for any web developer as a refresher on various types of attacks (CSRF, XSS, open redirection, session hijacking, token replays, and more), and arguably is a must-read for anyone implementing OAuth in any fashion: for example, just using IdentityServer is no good, if TLS isn’t used. I like how the book introduces every vulnerability, starting from “imagine you forgot to implement this check” and then putting the hacker’s hat on to illustrate the cost of such omission (there are links to the reports of real security breaches too).
Now, it is important to remember that in its core OAuth 2 is a only delegation protocol, so it needs to be extended to solve more concrete tasks, like user authentication. Chapters 11-16 focus on such extensions, covering JSON Web Tokens for passing useful information inside OAuth tokens (including cryptographic signing and encryption of these tokens), dynamic client registration (something that hasn’t been implemented in IdentityServer and is often discussed on GitHub and StackOverflow), OpenID Connect (user authentication on top of OAuth 2), and touching upon more niche specifications, like UMA, HEART, and iGov.
Overall, I feel that OAuth 2 In Action has deepened my understanding of the protocol implementation details and modern web security in general, so I can highly recommend it to any software engineer seeking a good introduction to this topic (yes, I have no illusions: security is hard and this book is only scratching the surface, albeit very succinctly).