I Don't Care About Security (And Neither Should You)
Remember when setting up a login page was easy? Nowadays it seems to take many weeks at the start of a project just to create a signup form, a login form and a forgot-password screen, and that is before you need two-factor authentication or passwordless authentication. During this presentation, attendees will be introduced to OpenID and OAuth. They will also learn how to leverage them to create secure applications or, most importantly, how to delegate authentication to a third party so they can focus on their real work.

Slides

I Don't Care About Security And Neither Should You
@joel__lord #confoo
About Me: @joel__lord (Twitter), joellord (GitHub)
That reminds me of OAuth!
But Why?
Delegation!
Traditional Applications
  - Browser requests a login page
  - The server validates on its database
  - It creates a session and provides a cookie identifier
What's wrong with traditional auth?
  - Multiple platforms connecting to your application
  - Tightly coupled
  - Sharing credentials to connect to another API
  - Users have a gazillion passwords to remember, which increases security risks
OAuth - The Flows: Authorization Code
Authentication Flows: Authorization Code (step-by-step diagram, six slides)
Tokens 101
OAuth Tokens
  Access Token
  - Gives you access to a resource
  - Controls access to your API
  - Short lived
  Refresh Token
  - Enables you to get a new token
  - Long lived
  - Can be revoked
OAuth Tokens (formats)
  - WS-Federated
  - SAML
  - JWT
  - Custom stuff
  - More...
JSON Web Token: Header, Payload, Signature
  Header    { "alg": "HS256", "typ": "JWT" }
  Payload   { "sub": "1234567890", "name": "Joel Lord", "admin": true }
  Signature HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
  Encoded:
  Header    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
  Payload   eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d3JpdGUifQ
  Signature XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
  Full token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d3JpdGUifQ.XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
  Image: https://jwt.io
OAuth - The Flows: Implicit Flow
Authentication Flows: Implicit Flow (step-by-step diagram, six slides)
Codiiiing Time!
Auth Server API
Live Demo: github.com/joellord/idontcare
Delegation!
OpenID Connect Flow (diagram, three slides)
This is just like OpenID Connect
OpenID Connect
  - Built on top of OAuth 2.0
  - OpenID Connect (OIDC) is to OpenID what JavaScript is to Java
  - Provides Identity Tokens in JWT format
  - Uses a /userinfo endpoint to provide the info
OpenID Connect Scopes
  - openid
  - profile
  - email
  - address
  - phone
OpenID Connect Flows: Authorization Code, scope=openid%20profile
Authentication Flows: Authorization Code (diagram slides, ending with the /userinfo call)
OpenID Connect Full flow: https://openidconnect.net
Delegation!
I Don't Care About Security, Montreal Front-End Developers, March 2018, @joel__lord joellord

