OAuth2

OAuth 2.0 is an authorization framework (RFC 6749) that enables third-party applications to obtain limited access to user resources without exposing their credentials. It's the foundation for "Login with Google/Facebook/GitHub" functionality.

Key Roles

  • Resource Owner: The user who authorizes access
  • Client: The application requesting access
  • Authorization Server: Issues tokens after authentication
  • Resource Server: Hosts protected resources (APIs)

Authorization Code Flow

1. User clicks "Login with GitHub" on Client
2. Client redirects to Authorization Server:
   GET /authorize?
     response_type=code&
     client_id=CLIENT_ID&
     redirect_uri=https://client.com/callback&
     state=RANDOM_STATE&
     scope=read:user

3. User authenticates and grants permission
4. Auth Server redirects back with code:
   GET /callback?code=AUTH_CODE&state=RANDOM_STATE

5. Client exchanges code for token (server-side):
   POST /token
   {code, client_id, client_secret, redirect_uri}

6. Client receives access_token (and refresh_token)

Common Vulnerabilities

  • Missing or weak state parameter (CSRF)
  • Open redirect in redirect_uri
  • Token leakage via Referer header
  • Insufficient redirect_uri validation
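
The authorization code flow above, with the two checks that the vulnerability list calls out (a session-bound state parameter and an exact redirect_uri match), as an added Python example that is not code from the original page; the client id, secret, hostnames and the in-memory "session" are constructed stand-ins, and the user's login and consent (step 3) are assumed to have happened.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_SERVER = "https://auth.example"  # constructed values for the example, not real credentials
REGISTERED = {"CLIENT_ID": {"secret": "CLIENT_SECRET",
                            "redirect_uri": "https://client.com/callback"}}

def query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthServer:  # issues single-use codes; accepts only an exact redirect_uri match
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri) it was issued for

    def authorize(self, url):  # step 2 request; step 3 (login and consent) assumed done
        q = query(url)
        reg = REGISTERED.get(q.get("client_id"))
        # Exact string comparison against the registered URI: no prefix or wildcard matching.
        if reg is None or q.get("redirect_uri") != reg["redirect_uri"]:
            raise ValueError("redirect_uri is not the registered URI")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"])  # bind code to client and URI
        # Step 4: redirect back with the code and the client's state, echoed unchanged.
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, code, client_id, client_secret, redirect_uri):  # step 5
        issued, reg = self.codes.pop(code, None), REGISTERED.get(client_id)  # one-shot code
        if issued != (client_id, redirect_uri) or reg is None or \
                not secrets.compare_digest(client_secret, reg["secret"]):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}

class Client:  # relying party: binds state to the user's session and checks it on callback
    def __init__(self, client_id="CLIENT_ID", secret="CLIENT_SECRET"):
        self.client_id, self.secret = client_id, secret
        self.redirect_uri = REGISTERED[client_id]["redirect_uri"]
        self.session = {}  # stands in for the user's server-side session

    def build_authorize_url(self):  # step 2
        self.session["oauth_state"] = secrets.token_urlsafe(32)
        params = {"response_type": "code", "client_id": self.client_id, "scope": "read:user",
                  "redirect_uri": self.redirect_uri, "state": self.session["oauth_state"]}
        return f"{AUTH_SERVER}/authorize?{urlencode(params)}"

    def handle_callback(self, callback_url, auth_server):  # steps 4 to 6
        q, expected = query(callback_url), self.session.pop("oauth_state", None)
        if not expected or not secrets.compare_digest(
                q.get("state", "").encode(), expected.encode()):
            raise PermissionError("state mismatch: callback rejected as CSRF")
        return auth_server.token(q.get("code", ""), self.client_id,
                                 self.secret, self.redirect_uri)
```

A callback whose state does not match the session, an authorize request for an unregistered redirect_uri, and a replayed code are all rejected; only the unmodified round trip yields a token.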

PentesterLab Exercises