SlideShare a Scribd company logo

Understanding OAuth and OpenID Connect Specs

Ortus Solutions, Corp
Ortus Solutions, Corp

This document provides an overview of OAuth and OpenID Connect specifications and grant types. It begins with introductions and defining key terms like tokens, scopes, and claims. It then explains the four main grant types - Authorization Code Flow, Implicit Flow, Resource Owner Password Flow, and Client Credentials Flow. The document notes extensions and recommends the Authorization Code Flow with PKCE for most use cases. It discusses related specifications around JSON Web Tokens, introspection, and revocation. It closes by emphasizing the need to understand which combination of specifications are required for a given implementation.

Software
1 of 51
Download to read offline
The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023
© ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Agenda
01 Who am I?
© ngrok. All rights reserved. Confidential Information of ngrok Who am I?
© ngrok. All rights reserved. Confidential Information of ngrok Who am I? https://www.youtube.com/@geekamongthetrees
02 OAuth Vocab
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OAuth 2.0? It’s unrelated to OAuth 1.0
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OpenID Connect (OIDC)? It’s unrelated to OpenID
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Authentication - vs - Authorization
© ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user or state - Authorization Server (aka Auth Server) creates the tokens - Scopes are the permissions you request from the Auth Server - Claims are the fields & data returned from the Auth Server - Resource Server is where you use the auth and id tokens Key OAuth Terms
© ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type how you get the tokens - Tokens are the tokens - Authorization Server creates the tokens - Scopes how you request stuff in the token - Claims the stuff in the token - Resource Server where you use the token Key OAuth Terms (simplified)
© ngrok. All rights reserved. Confidential Information of ngrok Hotel Key Cards but for Apps
03 Grant Types
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow User Auth Client Auth
© ngrok. All rights reserved. Confidential Information of ngrok Implicit Flow User Auth No Client Auth!
© ngrok. All rights reserved. Confidential Information of ngrok Resource Owner Password Flow User Auth No Client Auth! Wait. What does that mean!? The app has your creds!
© ngrok. All rights reserved. Confidential Information of ngrok Client Credential Flow Client Auth No User Auth!?
04 Which should I use?
© ngrok. All rights reserved. Confidential Information of ngrok Which do I use? Wait. Where did that come from?
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow with PKCE (RFC 7636) User Auth Client Auth
© ngrok. All rights reserved. Confidential Information of ngrok SAML 2.0 Assertion Flow Client Auth No User Auth!?
© ngrok. All rights reserved. Confidential Information of ngrok Which do I use?
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - deprecated in favor of Auth Code+PKCE - Resource Owner Password Flow - not recommended - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Flow - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
Specifications 05
© ngrok. All rights reserved. Confidential Information of ngrok OAuth (RFC 6749)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Notice: NOT authentication
© ngrok. All rights reserved. Confidential Information of ngrok What about those tokens?
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok JWTs to the Rescue! (JSON Web Tokens)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Ha. You wish.
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok So then what do we do?
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect FTW
© ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect
© ngrok. All rights reserved. Confidential Information of ngrok OIDC: Opinionated Structure ● openid ● profile ● email ● address ● phone ● name ● given_name ● email ● street_address ● phone_number And many more..
© ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces!
© ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces! The second most important RFC of all
06 Closing Thoughts
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OAuth” is a meaningless statement
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OpenID Connect” is useful (for SSO)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Figure out which combo of specs you need & they have *RFC 8414 is your best friend
© ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Recap
Thank you
The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023

Recommended

OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use itSergey Podgornyy
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CloudIDSummit
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 

Recommended

OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use itSergey Podgornyy
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CloudIDSummit
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Stateless authentication for microservices - Spring I/O 2015
Stateless authentication for microservices - Spring I/O 2015Alvaro Sanchez-Mariscal
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 Leonard Moustacchis
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDCForgeRock Identity Tech Talks
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Hitachi, Ltd. OSS Solution Center.
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Nordic APIs
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
OAuth FTW
OAuth FTWOAuth FTW
OAuth FTWChris Messina
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesMichał Wcisło
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectNordic APIs
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API ManagerWSO2
 
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Leonard Moustacchis
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Deep dive into the Open Banking payments flows
Deep dive into the Open Banking payments flowsDeep dive into the Open Banking payments flows
Deep dive into the Open Banking payments flowsForgeRock Identity Tech Talks
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileNordic APIs
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Rogue Wave Software
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodLohika_Odessa_TechTalks
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Ortus Government.pdf
Ortus Government.pdfOrtus Government.pdf
Ortus Government.pdfOrtus Solutions, Corp
 

More Related Content

Similar to Understanding OAuth and OpenID Connect Specs

De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 Leonard Moustacchis
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Hitachi, Ltd. OSS Solution Center.
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Alvaro Sanchez-Mariscal
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Nordic APIs
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Alvaro Sanchez-Mariscal
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesMichał Wcisło
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectNordic APIs
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API ManagerWSO2
 
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Leonard Moustacchis
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileNordic APIs
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Rogue Wave Software
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodLohika_Odessa_TechTalks
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 

Similar to Understanding OAuth and OpenID Connect Specs (20)

De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
OAuth FTW
OAuth FTWOAuth FTW
OAuth FTW
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID Connect
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
 
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
Deep dive into the Open Banking payments flows
Deep dive into the Open Banking payments flowsDeep dive into the Open Banking payments flows
Deep dive into the Open Banking payments flows
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and Mobile
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
 

More from Ortus Solutions, Corp

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Secure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusionSecure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusionOrtus Solutions, Corp
 
Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023Ortus Solutions, Corp
 
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdfITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdfOrtus Solutions, Corp
 
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfOrtus Solutions, Corp
 
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdfITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdfOrtus Solutions, Corp
 
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdfITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdfOrtus Solutions, Corp
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfOrtus Solutions, Corp
 
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdfITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdfOrtus Solutions, Corp
 
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdfITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdfOrtus Solutions, Corp
 
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdfITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdfOrtus Solutions, Corp
 
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdfITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdfOrtus Solutions, Corp
 
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdfITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdfOrtus Solutions, Corp
 
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdfITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdfOrtus Solutions, Corp
 
ITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdfITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdfOrtus Solutions, Corp
 
Enterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdfEnterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdfOrtus Solutions, Corp
 

More from Ortus Solutions, Corp (20)

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Ortus Government.pdf
Ortus Government.pdfOrtus Government.pdf
Ortus Government.pdf
 
Luis Majano The Battlefield ORM
Luis Majano The Battlefield ORMLuis Majano The Battlefield ORM
Luis Majano The Battlefield ORM
 
Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI
 
Secure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusionSecure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusion
 
Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023
 
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdfITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
 
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
 
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdfITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
 
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdfITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
 
ITB_2023_CBWire_v3_Grant_Copley.pdf
ITB_2023_CBWire_v3_Grant_Copley.pdfITB_2023_CBWire_v3_Grant_Copley.pdf
ITB_2023_CBWire_v3_Grant_Copley.pdf
 
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdfITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
 
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdfITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
 
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdfITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
 
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdfITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
 
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdfITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
 
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdfITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
 
ITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdfITB2023 Developing for Performance - Denard Springle.pdf
ITB2023 Developing for Performance - Denard Springle.pdf
 
Enterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdfEnterprise Messaging with RabbitMQ.pdf
Enterprise Messaging with RabbitMQ.pdf
 

Recently uploaded

Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 

Recently uploaded (20)

Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 

Understanding OAuth and OpenID Connect Specs

  • 1. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023
  • 2. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Agenda
  • 4. © ngrok. All rights reserved. Confidential Information of ngrok Who am I?
  • 5. © ngrok. All rights reserved. Confidential Information of ngrok Who am I? https://www.youtube.com/@geekamongthetrees
  • 7. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OAuth 2.0? It’s unrelated to OAuth 1.0
  • 8. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OpenID Connect (OIDC)? It’s unrelated to OpenID
  • 9. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth
  • 10. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Authentication - vs - Authorization
  • 11.
  • 12. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user or state - Authorization Server (aka Auth Server) creates the tokens - Scopes are the permissions you request from the Auth Server - Claims are the fields & data returned from the Auth Server - Resource Server is where you use the auth and id tokens Key OAuth Terms
  • 13. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type how you get the tokens - Tokens are the tokens - Authorization Server creates the tokens - Scopes how you request stuff in the token - Claims the stuff in the token - Resource Server where you use the token Key OAuth Terms (simplified)
  • 14. © ngrok. All rights reserved. Confidential Information of ngrok Hotel Key Cards but for Apps
  • 16. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
  • 17. © ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow User Auth Client Auth
  • 18. © ngrok. All rights reserved. Confidential Information of ngrok Implicit Flow User Auth No Client Auth!
  • 19. © ngrok. All rights reserved. Confidential Information of ngrok Resource Owner Password Flow User Auth No Client Auth! Wait. What does that mean!? The app has your creds!
  • 20. © ngrok. All rights reserved. Confidential Information of ngrok Client Credential Flow Client Auth No User Auth!?
  • 22. © ngrok. All rights reserved. Confidential Information of ngrok Which do I use? Wait. Where did that come from?
  • 23. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
  • 24. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
  • 25. © ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow with PKCE (RFC 7636) User Auth Client Auth
  • 26. © ngrok. All rights reserved. Confidential Information of ngrok SAML 2.0 Assertion Flow Client Auth No User Auth!?
  • 27. © ngrok. All rights reserved. Confidential Information of ngrok Which do I use?
  • 28. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - deprecated in favor of Auth Code+PKCE - Resource Owner Password Flow - not recommended - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Flow - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
  • 30. © ngrok. All rights reserved. Confidential Information of ngrok OAuth (RFC 6749)
  • 31. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Notice: NOT authentication
  • 32. © ngrok. All rights reserved. Confidential Information of ngrok What about those tokens?
  • 33. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok JWTs to the Rescue! (JSON Web Tokens)
  • 34. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Ha. You wish.
  • 35. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 36. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 37. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 38. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 39. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok So then what do we do?
  • 40. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect FTW
  • 41. © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect
  • 42. © ngrok. All rights reserved. Confidential Information of ngrok OIDC: Opinionated Structure ● openid ● profile ● email ● address ● phone ● name ● given_name ● email ● street_address ● phone_number And many more..
  • 43. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces!
  • 44. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces! The second most important RFC of all
  • 46. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OAuth” is a meaningless statement
  • 47. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OpenID Connect” is useful (for SSO)
  • 48. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Figure out which combo of specs you need & they have *RFC 8414 is your best friend
  • 49. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Recap
  • 51. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023