XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
====IGNORE EVERYTHING BELOW THIS (ABOUT TO BE DELETED)=====¶
⭑ Note: When the login succeeds you get the access token directly instead of a code to exchange for an access token (PKCE etc.). This is deprecated, so instead we use the code.??
Desktop browser case¶
There are two endpoints that the end-user contacts during the login procedure, an authorization endpoint (Unbox) and a token endpoint (whatever entity the user permits interactions with, such as ).
An end user opens their desktop browser and goes to the LITTER (branded) landing page.
On the LITTER landing page, they click on the Login button.
1. LITTER requests access to MyUnbox (with code verifier and code challenge)¶
The LITTER page creates two strings of numbers and letters used to identify the end user throughout the process:
-
code_verifier (AKA clear value): a random string of 43-128 characters
-
code_challenge (AKA hash value): a transformed/encoded version of the above using a strong encoding method like SHA256 (impractical to reverse-engineer)
The Login page redirects the user to a page with a QR code, which is valid for a brief window of time (currently 3 minutes).
The QR code is a kind of stamped envelope in the form of a link with a code. Here's an example of what that link might look like:
https://a.nbx.cl/oauth2./authorize/login/A1FP6u4VdTpEBb9QrByJsjKLxnjkbHfDGHfdDoKQYdj3
This envelope contains the code_challenge (above in italics) which says:
"The holder of this piece of code (1 of 2) is the person who clicked on the Login button less than 3 minutes ago."
LITTER asks the user to scan the QR code to give LITTER access to the user's MyUnbox/XYZ app.
The requested access has limited scope (openid).
The user scans the QR with their mobile phone, which opens up their MyUnbox/XYZ app (or gets them to download it).
MyUnbox/XYZ understands this envelope as an instruction to automatically go to the provided URL.
2. Client Sends the Code Challenge with the Authorization Request¶
As part of the initial authorization request, MyUnbox/XYZ sends the code_challenge (the encoded version of the code_verifier) to the authorization server. The request also includes mention of which method was used to encode the code_verifier into the code_challenge.
The authorization server notes these down for a brief time for the purposes of the imminent second step.
It sends the code to be signed to a webpage that gets shown to the end user. Specifically in this case, the returned authorization code appears as
signing the code received from the authorization server using their MyUnbox (or their Cardano private key).
_______________________
-
client: application linked to MyUnbox which is allowed to trigger user authentication and receive a JWT.
-
user: an end user, using the client application and MyUnbox.
A couple discrepancies between the OA2 flow and ours.
JWT is just a way to implement a format of information.
When we say JWT, we mean the bearer token, which is the access token.
You have the access token, its type is bearer.
***
The Auth server presents you with a login_code_to_sign.
You are XYZ. You use your private key to sign it. This generates a signature.
Now you have the signature and the login_code_to_sign (which match?)
From your private key you generate your public key, then you send the three things to the server.
The server says: "Oh, I know the login_code_to_sign, because the one I sent to you (or someone), I can verify that the public key is matching the signature and is matching the login_code_to_sign.
That's how I know you hold the private key of the public key, and I can generate to you a code that you can exchange for the final access token.
***
What we are going to deliver to the website or back end is proof that you are who you say you are.
That
+--------+ +---------------+\ | |--(A)- Authorization Request ->| Resource |\ | | | Owner |\ | |\<-(B)-- Authorization Grant ---| (end-user) |\ | | +---------------+\ | |\ | | +---------------+\ | |--(C)-- Authorization Grant -->| Authorization |\ | Client | | Server |\ |(client app |\<-(D)----- Access Token -------| (Unbox) |\ | or | +---------------+\ | client.org |\ | on | +---------------+\ | desk |--(E)----- Access Token ------>| Resource |\ | top) | | Server |\ | |\<-(F)--- Protected Resource ---| |\ +--------+ +---------------+
OAuth provides a method for clients to access a protected resource on behalf of a resource owner. In the general case, before a client can access a protected resource, it must first obtain an authorization grant from the resource owner and then exchange the authorization grant for an access token.
The access token represents the grant\'s scope, duration, and other attributes granted by the authorization grant. The client accesses the protected resource by presenting the access token to the resource server. In some cases, a client can directly present its own credentials to an authorization server to obtain an access token without having to first obtain an authorization grant from a resource owner. The access token provides an abstraction, replacing different authorization constructs (e.g., username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server\'s need to understand a wide range of authentication schemes.
+--------+ +---------------+\ | |--(A)- Authorization Request ->| Resource |\ | | | Owner |\ | |\<-(B)-- Authorization Grant ---| |\ | | +---------------+\ | |\ | | +---------------+\ | |--(C)-- Authorization Grant -->| Authorization |\ | Client | | Server |\ | |\<-(D)----- Access Token -------| |\ | | +---------------+\ | |\ | | +---------------+\ | |--(E)----- Access Token ------>| Resource |\ | | | Server |\ | |\<-(F)--- Protected Resource ---| |\ +--------+ +---------------+\ \ Figure 1: Abstract Protocol Flow
The abstract OAuth 2.0 flow illustrated in Figure 1 describes the\ interaction between the client, resource owner, authorization server,\ and resource server (described in [RFC6749]). The following two\ steps are specified within this document:\ \ (E) The client requests the protected resource from the resource\ server and authenticates by presenting the access token.\ \ (F) The resource server validates the access token, and if valid,\ serves the request.