mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
5.3 KiB
5.3 KiB
OAuth 2.0 Authorization Flow Workflows
Workflow 1: Authorization Code Flow with PKCE
Client Auth Server Resource Server
| | |
|-- Generate code_verifier --| |
|-- Compute code_challenge --| |
| | |
|--- AuthZ Request --------->| |
| (code_challenge, state) | |
| |-- User Authenticates -->|
| |<- User Consents --------|
|<-- AuthZ Code + state -----| |
| | |
|--- Token Request --------->| |
| (code + code_verifier) | |
|<-- Access + Refresh Token--| |
| | |
|--- API Request (Bearer) ---|------------------------>|
|<-- API Response ---------- |<------------------------|
Step-by-Step:
- Client generates
code_verifier: random 43-128 char string (A-Z, a-z, 0-9, -._~) - Client computes
code_challenge = BASE64URL(SHA256(code_verifier)) - Client redirects to:
GET /authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=RANDOM&code_challenge=xxx&code_challenge_method=S256 - User authenticates and consents at authorization server
- Server redirects to:
redirect_uri?code=AUTH_CODE&state=RANDOM - Client validates state matches original
- Client exchanges code:
POST /tokenwithgrant_type=authorization_code&code=AUTH_CODE&code_verifier=xxx&redirect_uri=xxx - Server validates SHA256(code_verifier) matches stored code_challenge
- Server returns access_token, refresh_token, id_token (if OIDC)
Workflow 2: Client Credentials Flow (Machine-to-Machine)
Service A Auth Server Service B (API)
| | |
|--- Token Request --------->| |
| (client_id, secret, scope)| |
|<-- Access Token -----------| |
| | |
|--- API Request (Bearer) ---|------------------------>|
|<-- API Response ---------- |<------------------------|
Step-by-Step:
- Service registers with auth server (client_id + client_secret)
- Service requests token:
POST /tokenwithgrant_type=client_credentials&scope=api:read - Auth server validates client credentials
- Auth server returns access_token (no refresh token, no user context)
- Service calls API with
Authorization: Bearer ACCESS_TOKEN
Workflow 3: Token Refresh with Rotation
Client Auth Server
| |
|--- Refresh Request ------->|
| (refresh_token_v1) |
|<-- New Access Token -------|
|<-- New Refresh Token (v2) -|
| (v1 invalidated) |
| |
|--- Refresh Request ------->|
| (refresh_token_v2) |
|<-- New Access Token -------|
|<-- New Refresh Token (v3) -|
| |
|--- THEFT: Reuse v1 ------->|
| (DETECTED: v1 reused) |
|<-- REVOKE ALL TOKENS ------|
Rotation Detection:
- Each refresh token is single-use
- On reuse of an old refresh token, server detects theft
- All tokens in the grant chain are revoked
- User must re-authenticate
Workflow 4: Device Authorization Grant
Device Auth Server User (Browser)
| | |
|--- Device AuthZ Request -->| |
|<-- device_code, | |
| user_code, | |
| verification_uri -------| |
| | |
|-- Display user_code ------>| |
| to user on screen | |
| |<-- User visits URI -----|
| |<-- Enters user_code ----|
| |<-- Authenticates -------|
| |<-- Consents ------------|
| | |
|--- Poll Token Endpoint --->| |
| (device_code) | |
|<-- Access Token -----------| |
Workflow 5: Token Revocation
Steps:
- Client sends revocation request:
POST /revokewithtoken=xxx&token_type_hint=refresh_token - Auth server invalidates the token
- If refresh token revoked, all associated access tokens also invalidated
- Server returns 200 OK regardless of whether token was valid (prevents token fishing)
Workflow 6: Security Incident - Token Compromise Response
Steps:
- Detect suspicious token usage (unusual IP, impossible travel)
- Immediately revoke the compromised token via revocation endpoint
- If refresh token compromised, revoke entire token family
- Force re-authentication for affected user
- Audit all API calls made with compromised token
- Check for scope escalation attempts
- Review authorization logs for the compromised session
- Notify affected user and security team