SlideShare a Scribd company logo

Intro to OAuth2 and OpenID Connect

L
LiamWadman

An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect

1 of 15
Download to read offline
Intro to
OAuth2/OpenID
Connect
Liam Wadman
Jan 20 2020
Straight to the point: OAuth
• OAuth is an IETF standard for allowing an application to obtain access to
an HTTP service on behalf of an end user(without a user sharing their
password!), or on its own behalf.
• OAuth is not just using signed JWTs for authentication, though a lot of
OAuth implementations use signed JWTs.
• OAuth does not Authenticate end-users (humans like us!) to
applications
• Everyone who is sane in the industry refers to “OAuth2” when saying
OAuth. OAuth1 is officially deprecated
• OpenID Connect (OIDC) is an authentication layer for end-
users(Humans!) built on top of OAuth
OAuth 2.0 Terminology
• Client: The application that is calling an API
• Resource Server: the API that is being called
• Access Token: The credential used by a client to interact with the resource server.
• Authorization Server: The server that issues access tokens. Can also be called to
validate access tokens
• Resource Owner: the person or application that an access token represents. Can
be called “end-user” if this is a human
• Authorization Code: A one time use token an end-user receives from an
authorization server and gives to an OAuth client
• Grant: Mode of Operation. OAuth has 4 core “grants”, that define the use case and
how all the different components interact
OAuth Core Concepts
• Access Tokens are signed JWTs or long strings (opaque tokens)
• JWTs can be validated without phoning home to the authorization server. This means that a bad
setup might issue tokens that are difficult/impossible to revoke without disrupting users!(rotating
signing keys!)
• A resource server receiving an Opaque token would have to phone home to the issuing
Authorization Server to see if it’s still valid
• The content of access tokens is defined as a standard (RFC7662)
• OAuth is “delegation” and is a stand-in for the old pattern of users sharing or syncing passwords
between services. We’d call credential sharing “impersonation”, and that is risky for users.
• End-Users must be authenticated to the OAuth Client and Authorization server to finish “OAuthing”
• Authorization servers should always prompt for consent before granting an OAuth token for humans,
and inform them of what permissions they’re granting the OAuth client
• Authorization servers keep a registry of a redirect URI specific for each client
• In all diagrams following we assume the user is already authenticated to the OAuth Client and
Authorization server
Client Credentials Grant
• Client Credentials grant: A system authenticates itself to the authorization
server with its own credential, and receives back an access token scoped
to its own identity.
• Think an application that queries information from a remote API for its
own usage.
OAuth Client
Authorization
Server
Resource
Server
OAuth Client’s Credentials
Access Token
Access Token, API call
Results of API call
Authorization Code Grant
• A remote system(running on a server) gains consent from a user to take an action on their behalf:
• Think entitling an inbox management software to read your gmail and unsubscribe you from
spam
• Authorization code grant clients can be given a refresh token that they can use to renew a user’s
access token without re-interacting with the user! (Best practice: refresh tokens must expire if not
redeemed within a suitable time window)
OAuth Client
Authorization
Server
Resource
Server
(1)Redirect to Authorization Server
(4) Authorization Code
(7)Access Token, API call
(8)Results of API call
End-User’s
User Agent
(5)Authorization Code+Client Credential
(6)Access Token, Optional Refresh Token
**(2)Request Authorization code (3) Return Authorization Code
(2) (3)

Recommended

OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
SAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectSAML VS OAuth 2.0 VS OpenID Connect
SAML VS OAuth 2.0 VS OpenID ConnectUbisecure
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 

More Related Content

What's hot

SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with KeycloakJulien Pivotto
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerShiu-Fun Poon
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?GlobalLogic Ukraine
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakYuichi Nakamura
 

What's hot (20)

SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
OAuth
OAuthOAuth
OAuth
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
OAuth 2.0 Security Reinforced
OAuth 2.0 Security ReinforcedOAuth 2.0 Security Reinforced
OAuth 2.0 Security Reinforced
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 

Similar to Intro to OAuth2 and OpenID Connect

Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessidsecconf
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Globus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management PlatformGlobus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management PlatformIan Foster
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauthPriyanka Aash
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connectDerek Binkley
 

Similar to Intro to OAuth2 and OpenID Connect (20)

Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
.NET Core, ASP.NET Core Course, Session 19
 .NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Globus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management PlatformGlobus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management Platform
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
OAuth
OAuthOAuth
OAuth
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
OAuth
OAuthOAuth
OAuth
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connect
 

Recently uploaded

Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS Chicago
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!KivenRaySarsaba
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch TuesdayIvanti
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfDomotica daVinci
 
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!XfilesPro
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut meManoj Prabakar B
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...shaiyuvasv
 
Enhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for PartnersEnhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for PartnersThousandEyes
 
Q1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product LineupQ1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product LineupMemory Fabric Forum
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxMemory Fabric Forum
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Memory Fabric Forum
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfSafe Software
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 

Recently uploaded (20)

Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user group
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch Tuesday
 
Curtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdfCurtain Module Manual Zigbee Neo CS01-1C.pdf
Curtain Module Manual Zigbee Neo CS01-1C.pdf
 
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
5 Things You Shouldn’t Do at Salesforce World Tour Sydney 2024!
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut me
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
 
Enhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for PartnersEnhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for Partners
 
Q1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product LineupQ1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product Lineup
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptx
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 

Intro to OAuth2 and OpenID Connect

  • 2. Straight to the point: OAuth • OAuth is an IETF standard for allowing an application to obtain access to an HTTP service on behalf of an end user(without a user sharing their password!), or on its own behalf. • OAuth is not just using signed JWTs for authentication, though a lot of OAuth implementations use signed JWTs. • OAuth does not Authenticate end-users (humans like us!) to applications • Everyone who is sane in the industry refers to “OAuth2” when saying OAuth. OAuth1 is officially deprecated • OpenID Connect (OIDC) is an authentication layer for end- users(Humans!) built on top of OAuth
  • 3. OAuth 2.0 Terminology • Client: The application that is calling an API • Resource Server: the API that is being called • Access Token: The credential used by a client to interact with the resource server. • Authorization Server: The server that issues access tokens. Can also be called to validate access tokens • Resource Owner: the person or application that an access token represents. Can be called “end-user” if this is a human • Authorization Code: A one time use token an end-user receives from an authorization server and gives to an OAuth client • Grant: Mode of Operation. OAuth has 4 core “grants”, that define the use case and how all the different components interact
  • 4. OAuth Core Concepts • Access Tokens are signed JWTs or long strings (opaque tokens) • JWTs can be validated without phoning home to the authorization server. This means that a bad setup might issue tokens that are difficult/impossible to revoke without disrupting users!(rotating signing keys!) • A resource server receiving an Opaque token would have to phone home to the issuing Authorization Server to see if it’s still valid • The content of access tokens is defined as a standard (RFC7662) • OAuth is “delegation” and is a stand-in for the old pattern of users sharing or syncing passwords between services. We’d call credential sharing “impersonation”, and that is risky for users. • End-Users must be authenticated to the OAuth Client and Authorization server to finish “OAuthing” • Authorization servers should always prompt for consent before granting an OAuth token for humans, and inform them of what permissions they’re granting the OAuth client • Authorization servers keep a registry of a redirect URI specific for each client • In all diagrams following we assume the user is already authenticated to the OAuth Client and Authorization server
  • 5. Client Credentials Grant • Client Credentials grant: A system authenticates itself to the authorization server with its own credential, and receives back an access token scoped to its own identity. • Think an application that queries information from a remote API for its own usage. OAuth Client Authorization Server Resource Server OAuth Client’s Credentials Access Token Access Token, API call Results of API call
  • 6. Authorization Code Grant • A remote system(running on a server) gains consent from a user to take an action on their behalf: • Think entitling an inbox management software to read your gmail and unsubscribe you from spam • Authorization code grant clients can be given a refresh token that they can use to renew a user’s access token without re-interacting with the user! (Best practice: refresh tokens must expire if not redeemed within a suitable time window) OAuth Client Authorization Server Resource Server (1)Redirect to Authorization Server (4) Authorization Code (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)Access Token, Optional Refresh Token **(2)Request Authorization code (3) Return Authorization Code (2) (3)
  • 7. Implicit Grant • An app running locally on a user’s device gains user consent to take an action on their behalf • Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services (Office 365), single page web apps accessing APIs • Implicit clients have no secret for which to authenticate themselves - we are forced to trust the user’s device’s registered URI scheme and/or DNS resolutions OAuth Client Authorization Server Resource Server (1)Redirect to Authorization Server (4) Access Token (5)Access Token, API call (6)Results of API call End-User’s User Agent **(2)Request Access Token (3) Return Access Token (2) (3)
  • 8. Resource Owner Password Grant • A user gives their password to a client, and the client requests an Access token on their behalf. • Sharing passwords is fundamentally not secure, and Resource Owner Password Grant should be avoided at all costs. If you simply must use this, have the OAuth client discard the user’s password immediately after the Access/Refresh token is received. • Can also get a refresh token, like authorization code grant OAuth Client Authorization Server Resource Server (1)Resource Owner’s Password (2) Access Token, Optional refresh token (5)Access Token, API call (6)Results of API call
  • 9. OpenID Connect • OpenID Connect is a simple identity and authentication layer built on top of OAuth2 implicit and authorization code grants • Works essentially the exact same as implicit and authorization code grant, but the client also gets an “id_token” with the user’s identity attributes (Name, email, address, date of birth, etc) • It allows an end-user who is authenticated with one application (The OpenID Provider) to authenticate to a second application using the first application’s identity • Think signing into a mobile or web app with your Google, Facebook or GitHub account. • Allows you to seamlessly integrate delegations and authentication together, simplifying the developer and user experience!
  • 10. OpenID Connect Terminology • End-User: The Resource owner. By Definition, must be human • Relying Party: The OAuth Client to which an end-user is authenticating • OpenID Provider: The Authorization Server, in OpenID terms. Issues ID_Tokens • ID_Token: The token that an End-user gets from their OpenID Provider to authenticate themselves to a relying party • Flow: OpenID term for “Grant”
  • 11. OpenID Connect Core Concepts • Trusting an OpenID Provider means you may allow your user’s account to be taken over by an attacker if their account at the OpenID Provider gets taken over! • Best practices would be to notify a user if there is a login from a new OpenID provider, and perform the same monitoring you would for normal logins on OpenID logins, or challenge them for a 2nd factor of authentication on a sensitive operation • You do not need to let a client take action on an End-User’s behalf or even issue them a valid access token at all in OpenID Connect. You can keep it to “authentication” and remove the delegation • OpenID providers should ask for consent before allowing a user to authenticate to a website, and inform a user of what data they are sharing • OpenID connect is for Humans only • In all diagrams following we assume the user is already authenticated to the OpenID provider
  • 12. Authorization Code Flow • A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider’s platform (e.g. Google) OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) Authorization Code (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)ID_token, Optional Access Token, Optional Refresh Token **(2)Request Authorization code (3) Return Authorization Code (2) (3)
  • 13. Implicit Flow • An app running locally on a user’s device gains user consent to take an action on their behalf • Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services(office 365), single page web apps accessing APIs • Steps 5 and 6 only happen if an access token was granted OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) ID_Token, Optional Access Token (5)Access Token, API call* (6)Results of API call* End-User’s User Agent **(2)Request Access Token (3) Return Access Token (2) (3)
  • 14. Hybrid Flow • A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider’s platform (e.g. Google) • User Authentication comes before delegation, speeds up the user experience. Has the URI scheme/DNS security implication of implicit grant for the user’s information OAuth Client Authorization Server Resource Server (1)Redirect to OpenID Provider (4) Authorization Code, ID_Token (7)Access Token, API call (8)Results of API call End-User’s User Agent (5)Authorization Code+Client Credential (6)Access Token, Optional Refresh Token **(2)Request Authorization code, ID_token (3) Return Authorization Code, ID_Token (2) (3)
  • 15. References OAuth RFC core RFC: https://tools.ietf.org/html/rfc6749 Access token introspection: https://tools.ietf.org/html/rfc7662 Signed JWT tokens RFC: https://tools.ietf.org/html/rfc7515 Open ID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html Intro to JWTs: https://jwt.io/introduction/ Draft OAuth Device grant (emerging standard): https://tools.ietf.org/html/draft-ietf- oauth-device-flow-15 JWT as client secret: https://tools.ietf.org/html/rfc7523 XML as client secret: https://tools.ietf.org/html/rfc7522