A non dystopian look at modern authentication - Devops Days Tel Aviv

1. @sambego A Non-Dystopian Look at Modern Authentication Devops Days Tel Aviv

2. @sambego Sam Bellen Developer Evangelist at Auth0 @sambego

3. @sambego Authentication used to be easy* *Not really

4. @sambego Requesting a webpage

5. @sambego

6. @sambego

7. @sambego

8. @sambego Authenticating

9. @sambego

10. @sambego { username / password }

11. @sambego { username / password } { sid 123 }

12. @sambego Requesting a page while authenticated

13. @sambego

14. @sambego { sid 123 }

15. @sambego { HTML } { sid 123 }

16. @sambego Modern authentication is complex

17. @sambego Grant types

18. @sambego Auth flows

19. @sambego Platforms

20. @sambego 4 types of authentication

21. @sambego Web

22. @sambego API

23. @sambego SPA

24. @sambego Native

25. @sambego OAuth 2.0

26. @sambego An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. OAuth 2.0

27. @sambego An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. OAuth 2.0

28. @sambego OAuth 2.0 Roles

29. @sambego Resource owner The entity that can grant access to a protected resource. Typically this is the end-user.

30. @sambego Resource server The server hosting the protected resources. This is the API you want to access.

31. @sambego Client The app requesting access to a protected resource on behalf of the resource owner.

32. @sambego Authorization server The server that authenticates the resource owner, and issues tokens.

33. @sambego OAuth 2.0 Endpoints

34. @sambego Authorization Used to interact with the resource owner and get the authorization to access the protected resource.

35. @sambego Token Used by the application in order to get an Access Token or a Refresh Token. (Not used in Implicit Flow)

36. @sambego Authorization code vs Access token

37. @sambego Authorization code vs Access token vs Refresh token

38. @sambego Authorization code vs Access token vs Refresh token vs ID token

39. @sambego Authorization code An opaque string, meant to be exchanged with an Access Token at the token endpoint.

40. @sambego Acces token An opaque string or JWT that denotes who has authorized which permissions (scopes) to which application.

41. @sambego Refresh token A special kind of token containing the information required to obtain a new Access token or ID token.

42. @sambego ID Token A JWT that contains user profile information (name, email, etc.), represented in the form of claims.

43. @sambego OAuth 2.0 Flows

44. @sambego Authorization Code

45. @sambego Authorization Code with Proof Key for Code Exchange (PKCE)

46. @sambego Implicit

47. @sambego Client Credentials

48. @sambego Authorization code flow Web Application Traditional

49. @sambego Baseline

50. @sambego

51. @sambego

52. @sambego { HTML }

53. @sambego Authentication

54. @sambego

55. @sambego

56. @sambego /callback?code={123}

59. @sambego /callback?code={123} {tokens }

60. @sambego { sid 123 } /callback?code={123} {tokens }

61. @sambego Authenticated

62. @sambego

63. @sambego

64. @sambego { HTML }

65. @sambego User changes

66. @sambego

67. @sambego

68. @sambego {change passw ord }

69. @sambego {ok } {change passw ord }

70. @sambego { success } {ok } {change passw ord }

71. @sambego Client credentials grant flow Backend API

73. @sambego

74. @sambego { JSON }

75. @sambego { JSON } { JSON }

77. @sambego

78. @sambego

79. @sambego

81. @sambego

84. @sambego Refresh token

85. @sambego

86. @sambego

87. @sambego

88. @sambego Getting a new access token

89. @sambego

90. @sambego

91. @sambego

94. @sambego Implicit grant flow Single Page Application SPA

96. @sambego

97. @sambego

100. @sambego

101. @sambego

102. @sambego

104. @sambego

107. @sambego Silent authentication

108. @sambego

109. @sambego

110. @sambego

111. @sambego

112. @sambego

115. @sambego Next visit

116. @sambego

117. @sambego ifram e

120. @sambego { JSON } ifram e

121. @sambego { JSON } { JSON } ifram e

122. @sambego Authorization Code with PKCE grant flow Mobile, desktop Native

124. @sambego

125. @sambego

128. @sambego

129. @sambego {code_challenge }

130. @sambego code={123} {code_challenge }

131. @sambego

132. @sambego {code={123}code_verifier}

136. @sambego

139. @sambego Summary

140. @sambego Summary Modern authentication is complex.

141. @sambego Summary Modern authentication is complex. OAuth 2.0 offers solutions / flows for most use cases.

142. @sambego Summary Modern authentication is complex. OAuth 2.0 offers solutions / flows for most use cases.

143. @sambego Summary Modern authentication is complex. OAuth 2.0 offers solutions / flows for most use cases. Implementing OAuth 2.0 can provide a competitive advantage.

144. @sambego Resources OAuth 2.0 Official Website https://oauth.net/2/ OAuth 2.0 Complete Guide http://bit.ly/oauth-complete OAuth 2.0 Scopes http://bit.ly/oauth-scopes

145. @sambego Thanks! http://bit.ly/modern-auth-tel-aviv

A non dystopian look at modern authentication - Devops Days Tel Aviv

Recommended

Recommended

More Related Content

Similar to A non dystopian look at modern authentication - Devops Days Tel Aviv

Similar to A non dystopian look at modern authentication - Devops Days Tel Aviv (20)

Recently uploaded

Recently uploaded (20)

A non dystopian look at modern authentication - Devops Days Tel Aviv