Catatan Seekor Oauth

<� Quick Start: Panduan lengkap implementasi OAuth 2.0 dan OpenID Connect untuk secure authentication dan authorization dalam aplikasi modern.

=� Daftar Isi

• <� Overview

• = OAuth 2.0 Fundamentals

• = Grant Types

• <� OpenID Connect (OIDC)

• [=� Implementation](#-implementation)

• =' Security Best Practices

• =� Common Vulnerabilities

• =� Testing & Validation

• = Integration Examples

• =� Resources

<� Overview

OAuth 2.0 adalah authorization framework yang memungkinkan third-party applications untuk mendapatkan akses terbatas ke user accounts pada layanan HTTP, melalui proses authorization yang user-approved. OpenID Connect (OIDC) adalah extension dari OAuth 2.0 yang menambahkan authentication layer.

< Mengapa OAuth/OIDC?

• = Secure Delegation: User dapat memberikan akses tanpa sharing credentials

• <� Fine-Grained Access: Kontrol yang presisi atas resource yang dapat diakses

• = Token-Based: Stateless authentication dengan access tokens

• < Standard Protocol: Industry standard yang didukung secara luas

• =� Cross-Platform: Works untuk web, mobile, dan desktop applications

= OAuth 2.0 Fundamentals

<� Core Concepts

Actors:
  Resource Owner: User yang memiliki data
  Client: Application yang meminta akses
  Authorization Server: Server yang mengeluarkan tokens
  Resource Server: Server yang host protected resources

Tokens:
  Access Token: Credential untuk mengakses resources
  Refresh Token: Credential untuk mendapatkan access token baru
  ID Token: JWT yang berisi user info (OIDC)

= OAuth 2.0 Flow

1. Authorization Request
   Client � Authorization Server: "I need permission to access user data"

2. User Authentication & Consent
   Authorization Server � User: "Do you authorize this application?"

3. Authorization Grant
   Authorization Server � Client: "User approved, here's authorization code"

4. Token Exchange
   Client � Authorization Server: "Exchange code for access token"

5. Access Resource
   Client � Resource Server: "Access user data with access token"

=� Token Structure

{
  "access_token": "eyJz93a...k4laUWw",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "scope": "read write",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6..."
}

= Grant Types

= Authorization Code Flow (Recommended)

Use Case: Web applications with server-side backend
Security: High (tokens never exposed to browser)
PKCE Support: Yes (required for SPAs)

Flow:
  1. Redirect user to authorization server
  2. User authenticates and consents
  3. Receive authorization code
  4. Exchange code for tokens (server-side)

Implementation Example:

// Frontend: Authorization Request
const authUrl = 'https://auth.example.com/authorize?' +
  'response_type=code&' +
  'client_id=your_client_id&' +
  'redirect_uri=https://yourapp.com/callback&' +
  'scope=read write&' +
  'state=random_string&' +
  'code_challenge=generated_challenge&' +
  'code_challenge_method=S256';

window.location.href = authUrl;

// Backend: Token Exchange
const tokenResponse = await fetch('https://auth.example.com/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: authorizationCode,
    client_id: 'your_client_id',
    client_secret: 'your_client_secret',
    redirect_uri: 'https://yourapp.com/callback',
    code_verifier: storedVerifier
  })
});

=� Client Credentials Flow

Use Case: Machine-to-Machine (M2M) authentication
Security: High (no user interaction)
Scope: Application-level permissions

Flow:
  1. Client authenticates with client credentials
  2. Receive access token directly
  3. Use token to access resources

Implementation Example:

const tokenResponse = await fetch('https://auth.example.com/token', {
  method: 'POST',
  headers: {
    'Authorization': 'Basic ' + btoa('client_id:client_secret'),
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: 'grant_type=client_credentials&scope=read write'
});

=d Resource Owner Password Credentials Flow

Use Case: First-party applications (high trust)
Security: Medium (credentials handled by client)
Warning: Not recommended for third-party apps

Flow:
  1. User provides credentials to client
  2. Client exchanges credentials for tokens
  3. Use tokens for resource access

=� Implicit Flow (Deprecated)

Status: Deprecated - Use Authorization Code + PKCE instead
Security Issues: Tokens exposed in URL
Alternative: Authorization Code Flow with PKCE

<� OpenID Connect (OIDC)

<� OIDC vs OAuth 2.0

OAuth 2.0: Authorization framework
OpenID Connect: Authentication layer + OAuth 2.0

Key Features:
  - ID Token with user claims
  - UserInfo endpoint
  - Discovery document
  - Dynamic client registration

=

ID Token Structure

{
  "header": {
    "alg": "RS256",
    "typ": "JWT",
    "kid": "key_id"
  },
  "payload": {
    "iss": "https://auth.example.com",
    "sub": "user_id_123",
    "aud": "client_id",
    "exp": 1640995200,
    "iat": 1640991600,
    "email": "user@example.com",
    "name": "John Doe",
    "picture": "https://example.com/avatar.jpg"
  }
}

=

OIDC Endpoints

Discovery: https://auth.example.com/.well-known/openid-configuration

Key Endpoints:
  - authorization_endpoint
  - token_endpoint
  - userinfo_endpoint
  - jwks_uri
  - end_session_endpoint

=� Implementation

<� Server-Side Implementation (Node.js)

const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');

const config = {
  authRequired: false,
  auth0Logout: true,
  secret: 'a-long-random-string',
  baseURL: 'http://localhost:3000',
  clientID: 'your_client_id',
  issuerBaseURL: 'https://your-tenant.auth0.com'
};

app.use(auth(config);

// Protected route
app.get('/profile', requiresAuth(), (req, res) => {
  res.send(JSON.stringify(req.oidc.user));
});

// Authentication callback
app.get('/auth/callback', (req, res) => {
  res.redirect('/profile');
});

<� Client-Side Implementation (React)

import { Auth0Provider, useAuth0 } from '@auth0/auth0-react';

function App() {
  return (
    <Auth0Provider
      domain="your-tenant.auth0.com"
      clientId="your_client_id"
      redirectUri={window.location.origin}>
      <ProtectedRoute component={Dashboard} path="/dashboard" />
    </Auth0Provider>
  );
}

function useAuth() {
  const {
    isAuthenticated,
    user,
    loginWithRedirect,
    logout
  } = useAuth0();

  return {
    isAuthenticated,
    user,
    login: () => loginWithRedirect(),
    logout: () => logout({ returnTo: window.location.origin })
  };
}

=

Python Implementation (FastAPI)

from fastapi import FastAPI, Depends, HTTPException
from fastapi.security import OAuth2AuthorizationCodeBearer
import httpx

app = FastAPI()

oauth2_scheme = OAuth2AuthorizationCodeBearer(
    authorizationUrl="https://auth.example.com/authorize",
    tokenUrl="https://auth.example.com/token"
)

async def get_current_user(token: str = Depends(oauth2_scheme)):
    async with httpx.AsyncClient() as client:
        response = await client.get(
            "https://auth.example.com/userinfo",
            headers={"Authorization": f"Bearer {token}"}
        )

    if response.status_code != 200:
        raise HTTPException(status_code=401, detail="Invalid token")

    return response.json()

@app.get("/profile")
async def profile(current_user: dict = Depends(get_current_user)):
    return current_user

=' Security Best Practices

=� State Management

// Generate cryptographically random state
function generateState() {
  const array = new Uint32Array(10);
  crypto.getRandomValues(array);
  return Array.from(array, dec => ('0' + dec.toString(16)).substr(-2)).join('');
}

// Store state in session
sessionStorage.setItem('oauth_state', generatedState);

// Verify state on callback
const returnedState = new URLSearchParams(window.location.search).get('state');
const storedState = sessionStorage.getItem('oauth_state');

if (returnedState !== storedState) {
  throw new Error('Invalid state - CSRF attack detected');
}

= PKCE (Proof Key for Code Exchange)

// Generate PKCE verifier and challenge
async function generatePKCE() {
  const verifier = generateRandomString(128);
  const encoder = new TextEncoder();
  const data = encoder.encode(verifier);
  const digest = await crypto.subtle.digest('SHA-256', data);

  const challenge = btoa(String.fromCharCode(...new Uint8Array(digest)))
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');

  return { verifier, challenge };
}

// Store verifier for token exchange
sessionStorage.setItem('pkce_verifier', verifier);

= Token Storage

Recommended Storage:
  Access Token: Memory or sessionStorage
  Refresh Token: Secure, HttpOnly cookie
  ID Token: Memory (parse once)

Avoid:
  - LocalStorage for sensitive tokens
  - URL parameters for tokens
  - Unsecured cookie transmission

=� Token Validation

// Validate JWT token structure
function validateIDToken(token) {
  try {
    const parts = token.split('.');
    if (parts.length !== 3) {
      throw new Error('Invalid JWT structure');
    }

    const header = JSON.parse(atob(parts[0]));
    const payload = JSON.parse(atob(parts[1]));

    // Verify required claims
    if (!payload.iss || !payload.sub || !payload.aud || !payload.exp) {
      throw new Error('Missing required claims');
    }

    // Verify expiration
    if (Date.now() >= payload.exp * 1000) {
      throw new Error('Token expired');
    }

    return { header, payload };
  } catch (error) {
    console.error('Token validation failed:', error);
    return null;
  }
}

=� Common Vulnerabilities

=

1. Authorization Code Interception

Vulnerability: Attacker intercepts authorization code
Mitigation: Use PKCE (Proof Key for Code Exchange)
Impact: Prevents code injection attacks

=

2. CSRF Attacks

Vulnerability: Cross-site request forgery
Mitigation: Use state parameter with random values
Impact: Prevents unauthorized authorization

=

3. Token Leakage

Vulnerability: Tokens exposed in URLs or logs
Mitigation: Use POST for token requests, secure storage
Impact: Prevents token theft

=

4. Invalid Redirect URIs

Vulnerability: Open redirect parameter manipulation
Mitigation: Whitelist allowed redirect URIs
Impact: Prevents token theft via malicious redirects

=

5. Insufficient Scope Validation

Vulnerability: Client receives more permissions than needed
Mitigation: Implement principle of least privilege
Impact: Reduces attack surface

=� Testing & Validation

>� Token Testing

// Test token endpoint
async function testTokenEndpoint() {
  try {
    const response = await fetch('https://auth.example.com/token', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: new URLSearchParams({
        grant_type: 'client_credentials',
        client_id: 'test_client',
        client_secret: 'test_secret',
        scope: 'read'
      })
    });

    const data = await response.json();

    if (!response.ok) {
      throw new Error(`Token request failed: ${data.error_description}`);
    }

    return data;
  } catch (error) {
    console.error('Token test failed:', error);
    throw error;
  }
}

=

OAuth 2.0 Security Test Suite

Test Cases:
  1. Valid authorization flow
  2. Invalid client credentials
  3. Expired token rejection
  4. Invalid scope requests
  5. CSRF protection validation
  6. PKCE challenge verification
  7. Redirect URI validation
  8. Token revocation testing

=� Security Headers

// Implement security headers
app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-XSS-Protection', '1; mode=block');
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  next();
});

= Integration Examples

= Social Login Implementation

// Google OAuth 2.0 Integration
const googleConfig = {
  client_id: 'your_google_client_id',
  redirect_uri: 'https://yourapp.com/auth/google/callback',
  scope: 'openid email profile',
  authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
  token_endpoint: 'https://oauth2.googleapis.com/token',
  userinfo_endpoint: 'https://www.googleapis.com/oauth2/v2/userinfo'
};

function initiateGoogleAuth() {
  const authUrl = `${googleConfig.authorization_endpoint}?` +
    `client_id=${googleConfig.client_id}&` +
    `redirect_uri=${googleConfig.redirect_uri}&` +
    `response_type=code&` +
    `scope=${googleConfig.scope}&` +
    `state=${generateState()}`;

  window.location.href = authUrl;
}

= Enterprise SSO (SAML + OAuth)

Integration Pattern:
  1. User authenticates via SAML SSO
  2. Identity provider issues SAML assertion
  3. OAuth bridge converts SAML to OAuth tokens
  4. Application receives OAuth tokens
  5. Access resources with tokens

Providers: Okta, Azure AD, ADFS, OneLogin

=� Mobile OAuth Implementation

// iOS OAuth Implementation
import AppAuth

class OAuthManager {
    private var currentAuthorizationFlow: OIDExternalUserAgentSession?

    func authenticateWithOAuth() {
        let configuration = OIDServiceConfiguration(
            authorizationEndpoint: URL(string: "https://auth.example.com/auth")!,
            tokenEndpoint: URL(string: "https://auth.example.com/token")!
        )

        let request = OIDAuthorizationRequest(
            configuration: configuration,
            clientId: "your_client_id",
            clientSecret: nil,
            scopes: ["openid", "profile", "email"],
            redirectURL: URL(string: "yourapp://oauth/callback")!,
            responseType: OIDResponseTypeCode,
            additionalParameters: nil
        )

        // Perform authentication
        currentAuthorizationFlow = OIDAuthState.authState(
            byPresenting: request,
            presenting: self,
            callback: { authState, error in
                if let authState = authState {
                    // Successfully authenticated
                    self.handleAuthenticationSuccess(authState)
                } else {
                    // Authentication failed
                    self.handleAuthenticationError(error)
                }
            })
    }
}

=� Resources

=� Official Documentation

• OAuth 2.0 RFC 6749

• OpenID Connect Core 1.0

• OAuth 2.1 Draft

=' Libraries & SDKs

• Node.js: Passport.js

• Java: Spring Security OAuth

• Python: Authlib

• Ruby: Doorkeeper

>� Testing Tools

• OAuth 2.0 Playground

• OAuth 2.0 Debugger

• JWT.io

=� Security Guidelines

• OWASP OAuth 2.0 Cheat Sheet

• OAuth 2.0 Security Best Current Practice

---

=� Implementation Checklist

Security Configuration

• Implement PKCE for public clients

• Use cryptographically random state parameter

• Validate redirect URIs (whitelist approach)

• Implement proper token storage

• Add token expiration handling

• Secure token endpoint communication

Functionality Testing

• Test complete authorization flow

• Verify token validation logic

• Test error handling scenarios

• Validate scope enforcement

• Test token refresh mechanism

• Verify logout/revocation process

Compliance & Standards

• Follow OAuth 2.0 security best practices

• Implement GDPR-compliant user data handling

• Add audit logging for security events

• Document security architecture

• Perform regular security assessments

---

Catatan Seekor: OAuth - Comprehensive OAuth 2.0 and OpenID Connect implementation guide