0
votes

My understanding of OAuth2.0 is that it defines an authorization protocol where a server, AUTHORIZATION_SERVER, manages the workflow needed to authorize a third-party client app, CLIENT, to access resources owned by a server, RESOURCE_SERVER, on behalf of a user, RESOURCE_OWNER.

This is taken from OAuth spec https://tools.ietf.org/html/draft-ietf-oauth-v2-17:

The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

The authorization flow itself is clear and there are many examples on how OAuth can be implemented (like some app gaining partial access to a Facebook user's account).

Now, I'm trying to implement an Authorization server for a few apps where I have a simpler flow than the one specified by OAuth (no third-party apps involved):

  1. a USER tries to access an APP.

  2. APP authenticates the user (out of scope for this question).

  3. APP authorizes the user against an AUTHORIZATION_SERVER.

After doing some search, I found that several apps seem to use OAuth for very similar use cases.

So here are the questions I have:

  1. is the above example a valid use case for OAuth?

Notice that in the example, APP plays two OAuth roles: CLIENT and RESOURCE_SERVER. In OAuth, CLIENT should never have direct access to resources. Instead, it's the RESOURCE_SERVER that retrieves resources for CLIENT after it's been successfully authorized on behalf of the user, RESOURCE_OWNER, by AUTHORIZATION_SERVER.

In other words, is this APP double role of CLIENT/RESOURCE_SERVER acceptable? Does it introduce any consequences other than the extra complexity needed to manage an extra role that doesn't exist in this scenario?

  2. The OAuth authorization server I experimented with was Keycloak. Given the use case I mentioned above, do you think Keycloak is a good choice?

Do you suggest other candidates?

Background: all my applications are Java based, and the authorization policy that I need should be hybrid (both role/permission-based and policy-based).
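To make the role question concrete, here is an added example (not code from the question, the answers, or Keycloak) that models the three OAuth roles as plain Python classes and then collapses CLIENT and RESOURCE_SERVER into one `CombinedApp`, as in the question's scenario. The token format (a base64url JSON payload plus an HMAC-SHA256 signature), the shared `SIGNING_KEY`, the client registry, the role directory and the `documents:read` / `documents:write` scopes are all constructed for illustration; a real deployment would use a standard token format and a key that is not in source. The point it shows is that the authorization server still enforces the roles-to-scopes policy and the resource side still verifies signature, audience, expiry and scope, even when the same process plays both roles; the cost is that one process now holds both the client secret and the verification key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example only. Real deployments use a
# per-environment key (or an asymmetric signing key) kept out of source.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """AUTHORIZATION_SERVER role: authenticates clients and issues scoped, time-limited, signed tokens."""

    def __init__(self, key: bytes, user_roles: dict, clients: dict):
        self.key = key
        self.user_roles = user_roles  # constructed role directory: user -> set of roles
        self.clients = clients        # constructed client registry: client_id -> client_secret

    def issue_token(self, user: str, client_id: str, client_secret: str,
                    scope: set, ttl: int = 300, now: Optional[float] = None) -> Optional[str]:
        # Only registered CLIENTs may obtain tokens (constant-time secret comparison).
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            return None
        roles = self.user_roles.get(user, set())
        # Hybrid policy as in the question: a role-based rule decides which requested scopes are granted.
        granted = {s for s in scope if s != "documents:write" or "editor" in roles}
        issued = int(now if now is not None else time.time())
        payload = {"sub": user, "aud": client_id, "scope": sorted(granted),
                   "roles": sorted(roles), "exp": issued + ttl}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class ResourceServer:
    """RESOURCE_SERVER role: verifies a token before serving a resource."""

    def __init__(self, key: bytes, audience: str):
        self.key = key
        self.audience = audience
        self.documents = {"doc1": "hello"}  # constructed protected resource

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered or signed with a different key
        payload = json.loads(_unb64(body))
        current = now if now is not None else time.time()
        if payload["exp"] <= current or payload["aud"] != self.audience:
            return None  # expired, or issued for another resource server
        return payload

    def read_document(self, token: str, doc_id: str, now: Optional[float] = None) -> Optional[str]:
        claims = self.verify(token, now)
        if claims is None or "documents:read" not in claims["scope"]:
            return None
        return self.documents.get(doc_id)


class CombinedApp(ResourceServer):
    """The question's APP: obtains tokens as a CLIENT and validates them as a RESOURCE_SERVER.
    Consequence of the double role: this one process holds both the client secret and the
    token-verification key, so a compromise of it exposes both."""

    def __init__(self, auth_server: AuthorizationServer, client_id: str, client_secret: str, key: bytes):
        super().__init__(key, audience=client_id)  # the app is its own token audience
        self.auth_server = auth_server
        self.client_id = client_id
        self.client_secret = client_secret

    def handle(self, user: str, doc_id: str, now: Optional[float] = None) -> Optional[str]:
        # Step 2 of the question (authenticating the user) is assumed to have happened already;
        # step 3 asks the authorization server for a token, then the app checks it itself.
        token = self.auth_server.issue_token(user, self.client_id, self.client_secret,
                                             {"documents:read", "documents:write"}, now=now)
        if token is None:
            return None
        return self.read_document(token, doc_id, now)
```

Usage: build an `AuthorizationServer` with a role directory and a client registry, then a `CombinedApp` registered as one of those clients; `app.handle("alice", "doc1")` returns the document when the issued token carries `documents:read`, and `app.verify(...)` returns `None` for a tampered signature, an expired token, or a token issued for a different audience.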


2 Answers

1
votes

It seems like you're better off querying a (local) LDAP server or database for the type of authorization information you need. OAuth was specifically designed to avoid having the app authenticating the user.

0
votes

From what I understand of OAuth2: you have a 3rd-party app asking a user to allow it to request data from an app in the user's name. The 3rd-party app here may be a webpage, a mobile application, etc.

  1. OAuth2 is like OAuth but with a security protocol using SSL instead of another cryptographic solution, see this response: so yes, if you make your application work with OAuth then it should work with OAuth2.

  2. Don't implement the OAuth2 protocol yourself but use an existing lib instead: more reliable, updated, etc.

  3. Launch this OAuth2 code on a separate server: easier to replace/update separately from your application code.

EDIT: the response I gave you also features some nice diagrams to help you understand :)

EDIT2: another reason for using separate servers for OAuth2 and your applications is that if someday you have multiple sources of data (multiple APIs) but suddenly you don't need the first one, the one where the OAuth code was put, what do you do? Your OAuth2 routes will be nicer and more reliable if you put them on a separate server.