OAUTH2 & OPENID CONNECT DEMYSTIFIED
Taswar Bhatti (Microsoft MVP)
GEMALTO
@taswarbhatti
http://taswar.zeytinsoft.com
taswar@gmail.com
WHO AM I??
- 4 years Microsoft MVP
- 17 years in software
- Author of Instant Automapper (Packt)
- Currently working as a System Architect in the Enterprise Security space (Gemalto)
- You may not have heard of Gemalto, but 1/3 of the world's population uses Gemalto; they just don't know it
WHAT WE WILL COVER TODAY
OAuth 2.0
OAuth flows
OpenID
JWT (JSON Web Token), which some pronounce "jot"
OpenID Connect
Demo (Keycloak IDP)
WHAT IS OAUTH?
An open protocol to allow secure authorization in a simple and
standard method from web, mobile and desktop applications.
OAUTH HISTORY
OAuth started circa 2007
2010 - RFC 5849 defines OAuth 1.0
2010 - OAuth 2.0 work begins in IETF
Working deployments of various drafts & versions at Google, Microsoft, Facebook, GitHub, Twitter, Flickr, Dropbox …
Mid 2012 – Lead author and editor resigned & withdrew his name from all specs (DRAMA……)
October 2012 – RFC 6749, RFC 6750
THE GOOD
OAuth 2.0 is easier to implement than OAuth 1.0
Widespread and continuing to grow
Short-lived tokens
Encapsulated tokens
OAuth2 makes it HTTP/JSON friendly to request and transmit tokens
Takes "multiple client" architectures into account
Clients can have varying trust levels
OAUTH 2.0
- Transport Security : Using HTTPS and TLS
- Ease : Usable (no digital certs to verify)
- Flexible : Mobile, Web SPA apps, etc
- Decoupled: Resource server and authorization server
- Bearer Token : Easy for integration; Id Token also known as keys
9/24/2017 7
SO I CAN USE MY PASSWORD???
OAUTH IS LIKE A VALET KEY
- Provides another domain delegated access to your application
server resources
OAUTH ROLES
[Diagram: User, Application, API]
OAUTH MISCONCEPTION
Developer: "Ohh this is easy!! When I login to Spotify with Twitter, it grabs my username and password from Twitter…."
Wrong!!!!!!!!!!!!!!
OAUTH IS NOT FOR
- Traditional access control
- Authentication
- Federation
- OAuth should be used for delegation
BEARER TOKEN
GET /somedata HTTP/1.1
Host: someserver.com
Authorization: Bearer a3b4c55cf
The access token can be in JWT format
- A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can
OAUTH TERMINOLOGY
- Client or Consumer Application : typically a web-based or mobile application that wants to access the User's Protected Resources
- Resource Server or Resource Provider : a web site or web service API where the User keeps his/her protected data
- Authorization Server : the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
- User or Resource Owner : a member of the Resource Provider who wants to share certain resources with a third party
- Client Credentials : the consumer key and consumer secret used to authenticate the Client
- Tokens : the access tokens generated by the server after a request from the client
OAUTH TOKEN TYPES
- Access Token : used to directly access protected resources on behalf of a user or service
- Refresh Token : when given to an authorization server, it gets you a new access token
- Authorization Code Token : used only in the authorization code grant type, where it is exchanged for an access token or refresh token
HIGH LEVEL FLOW OF OAUTH 2
- A developer registers his/her app with an OAuth service provider (let's say Twitter)
- S/he gets an app key/secret for each app that s/he registers
- When users log in they are redirected to the service provider to provide their credentials
- If the user approves, a token is issued to the app for a limited time
- Finally the client uses the token to access the resource
OAUTH USAGE
In OAuth [authorization]
You are in your BigPhotoPrintingCorp.net account and you need to access your images from the AwesomeImage.com site
The BigPhotoPrintingCorp.net site will redirect you to the AwesomeImage.com site
You enter your credentials on the AwesomeImage.com site and authenticate yourself. This part is like OpenID
The AwesomeImage.com site will ask if you want to give permission to access only your photos on AwesomeImage.com
You select yes
The AwesomeImage.com site will redirect back to the BigPhotoPrintingCorp.net site
BigPhotoPrintingCorp.net can now access the AwesomeImage.com site on your behalf
GRANTING THE WRONG PERMISSIONS
4 TYPES OF OAUTH FLOW
Authorization Code Grant : for apps running on a web server; long-lived tokens
Implicit Grant : for browser-based or mobile apps, valid while the user is logged in; short-lived tokens
Resource Owner Credentials Grant : for logging in with a username and password; trusted applications only
Client Credentials Grant : for application access, machine to machine
AUTHORIZATION CODE FOR APPS RUNNING ON A WEB SERVER
This is the most common type of application you have when dealing with OAuth servers.
Web apps run on a server where the source code of the application is not available to the public.
In this case your site will REDIRECT you to a particular authorization server. If the web server makes multiple requests it can use the STATE parameter to map each callback response to the request that produced it.
One of the most complicated flows in OAuth
YOU HAVE SEEN THIS BEFORE
IMPLICIT FOR BROWSER-BASED OR MOBILE APPS
Browser-based apps run entirely in the browser after getting their source code from a web server. Since the entire source code is available to the public, they cannot maintain the confidentiality of their client secret, so the secret is not used in this case
The app makes API calls with the token that is assigned to it
Mobile apps also cannot maintain the confidentiality of their client secret. Because of this, mobile apps must also use an OAuth flow that does not require a client secret. With this approach the token is exposed to the local operating system, so there are no refresh tokens.
PASSWORD FOR LOGGING IN WITH A USERNAME AND PASSWORD
OAuth 2 also provides a "password" grant type which can be used to exchange a username and password for an access token directly.
This obviously requires the application to collect the user's password. As a result users may hesitate to use this service unless the app comes from the auth service provider itself.
Only used in highly trusted applications, such as the social media provider's own Facebook app, rather than 3rd-party apps (Batman's Fancy Facebook app)
MEET THE ACTORS IN OUR OAUTH
[Diagram: Resource Owner (or User), Application, Authorization Server, Resource Server (or API)]
CLIENT CREDENTIALS FOR APPLICATION ACCESS
There are scenarios where applications may wish to get statistics about the users of the app.
In this case, applications need a way to get an access token for their own account, outside the context of any specific user.
OAuth provides the client credentials grant type for this purpose.
This is essentially machine-to-machine communication
TOKEN – CLIENT CREDENTIAL GRANT
$ curl -X POST https://api.mysite.com/oauth/token \
-d 'grant_type=client_credentials' \
-d 'client_id=TestClient' \
-d 'client_secret=TestSecret'
TOKEN – CLIENT CREDENTIAL GRANT
Response from Authorization Server
{
"access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35",
"expires_in":3600,
"token_type":"bearer",
"scope":null
}
PASSWORD GRANT TYPE
PASSWORD GRANT
$ curl -X POST https://api.mysite.com/oauth/token \
-d 'client_id=TestClient' \
-d 'client_secret=TestSecret' \
-d 'grant_type=password' \
-d 'username=batman' \
-d 'password=nananananananannaBatman'
SCOPES AKA PERMISSIONS
- Roles or authorities that define the access control: who can do what with a resource
- The names of permissions
- User scopes
- Client/Application scopes
- The token contains the intersection of the two
SCOPES
[Example scope: CarKey.Ignite]
[Example scopes: CarKey.OpenTrunk, CarKey.Ignite]
SCOPES IN TOKEN
Response from Authorization Server
{
"access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35",
"expires_in":3600,
"token_type":"bearer",
"scope":"CarKey.Ignite"
}
AUTHORIZATION CODE GRANT TYPE
AUTHORIZATION GRANT
$ https://fancy.mysite.com/oidc #Reaching out to the application: are you logged in?
302 HTTP Redirect
https://api.mysite.com/authorize?response_type=code&client_id=TestClient&redirect_uri=https://fancy.mysite.com/oidc
AUTHORIZATION CODE GRANT
GET /oauth/authorize #Login to the app
SUCCESS: you get back a code
HTTP 302 redirect back to redirect_uri
https://fancy.mysite.com/oidc?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
AUTHORIZATION CODE GETTING THE TOKEN
$ curl -X POST https://api.mysite.com/oauth/token \
-d 'client_id=TestClient' \
-d 'client_secret=TestSecret' \
-d 'grant_type=authorization_code' \
-d 'code=SplxlOBeZQQYbYS6WxSbIA'
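The redirect, callback and code exchange shown in the three slides above, as an added Python example that is not part of the deck: it generates a one-time state before the redirect, checks and consumes it on the callback so every response is tied to the request that produced it (which also stops a forged callback from injecting someone else's code), and then builds the token request. The endpoint URLs, client id and secret are the deck's sample values; the in-memory state_store is an assumption standing in for the web server's session.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Deck's sample values; the state store stands in for a server-side session (assumption).
AUTHORIZE_ENDPOINT = "https://api.mysite.com/authorize"
TOKEN_ENDPOINT = "https://api.mysite.com/oauth/token"
REDIRECT_URI = "https://fancy.mysite.com/oidc"


def build_authorize_url(client_id, scope, state_store, redirect_uri=REDIRECT_URI):
    """Step 1: the web app redirects the user to the authorization server.

    A fresh random state is generated per request and remembered server-side,
    so the callback can be matched to the request that triggered it and a
    callback nobody asked for is rejected. Returns (url, state).
    """
    state = secrets.token_urlsafe(32)
    state_store[state] = {"redirect_uri": redirect_uri}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def handle_callback(callback_url, state_store):
    """Step 2: the authorization server redirects back with ?code=...&state=...

    The state must be one we issued and still pending; it is consumed on use,
    so a replayed callback is rejected. Returns (code, redirect_uri).
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or state not in state_store:
        raise ValueError("callback state unknown or already used")
    pending = state_store.pop(state)  # single use
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code, pending["redirect_uri"]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: the form body the web server POSTs to the token endpoint.

    Mirrors the deck's curl command; redirect_uri is added because it was sent
    in step 1 and the server must compare the two (RFC 6749 section 4.1.3).
    Returns (url, form_fields) instead of sending, so this runs offline.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return TOKEN_ENDPOINT, form
```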
ACCESS TOKEN
Response from Authorization Server
{
"access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35",
"expires_in":3600,
"token_type":"bearer",
"scope":"CarKey.Ignite"
}
RESOURCE SERVER CHECK TOKEN
- If it is a JWT you can verify the signature against the key of whoever signed it
- Otherwise call an endpoint that checks the token and returns its scopes, to verify it is a valid token
IMPLICIT GRANT TYPE
- Used for clients that can easily be impersonated, like phone or mobile applications
- 3rd-party applications
- A simplified Authorization Code Grant that eliminates the code step
- The access token is given directly to the app
- No refresh tokens are given; access tokens are short-lived
- Requires the Resource Owner to be involved again to get a new access token
IMPLICIT GRANT FLOW
OPENID
Sharing a single Identity with different consumers
Decentralized
OpenID is a form of Single Sign On (SSO)
OpenID is a URL http://myname.myopenid.com
WHAT CAN YOU DO?
One can claim and prove they own the openid
Use it for authentication
At a high level it's like Microsoft Passport
It's a form of authentication; if you have a system you will still need to populate your own fields (e.g. first name, email, etc.)
OpenID does not provide you with that information
OPENID USAGE
In OpenID [authentication]
You want to access your account on bigcorp.net
bigcorp.net asks for your OpenID
You enter your OpenID username
bigcorp.net will redirect you to your OpenID provider's site
You give your password to the OpenID provider and authenticate yourself
The OpenID provider will redirect you back to the bigcorp.net site
bigcorp.net grants you access to your account
OPENID CONNECT
We have talked about OAuth and OpenID, and there is also OpenID Connect
It's the new SSO authentication for the internet
OpenID Connect builds on top of OAuth2, since sometimes you may just need authentication
Remember: OAuth2 is for authorization
OpenID Connect provides an Implicit flow and an Authorization Code flow
OPENID CONNECT FLOW - SIMPLE
OPENID CONNECT TOKEN
{
"sub" : "alice",
"user_name" : "Taswar",
"iss" : "https://openid.c2id.com",
"aud" : "client-12345",
"auth_time" : 123456789,
"iat" : 1311280970,
"exp" : 1311281970,
"email" : "Taswar@gmail.com",
"phone_number" : "123-4567"
}
OPENID CONNECT - HYBRID
JWT (JSON WEB TOKEN)
JSON Web Token (JWT) is a compact URL-safe means of representing
claims to be transferred between two parties.
The claims in a JWT are encoded as a JavaScript Object Notation
(JSON) object that is used as the payload of a JSON Web Signature
(JWS) structure or as the plaintext of a JSON Web Encryption (JWE)
structure, enabling the claims to be digitally signed or MACed and/or
encrypted.
JWT CONT
A JWT token looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEzODY4OTkxMzEsImlzcyI6ImppcmE6MTU0ODk1OTUiLCJxc2giOiI4MDYzZmY0Y2ExZTQxZGY3YmM5MGM4YWI2ZDBmNjIwN2Q0OTFjZjZkYWQ3YzY2ZWE3OTdiNDYxNGI3MTkyMmU5IiwiaWF0IjoxMzg2ODk4OTUxfQ.uKqU9dTB6gKwG6jQCuXYAiMNdfNRw98Hw_IWuA5MaMo
Ok great…………. Once you understand the format, it's actually pretty simple:
<base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>
[header].[payload].[signature]
JWT CONT
In other words:
You create a header object in JSON format, then base64url-encode it
You create a claims object in JSON format, then base64url-encode it
You create a signature over the encoded header and claims (joined with a "."), then base64url-encode it
You concatenate the three items with the "." separator
BENEFITS
JSON Web Tokens work across different programming languages:
JWTs work in .NET, Python, Node.js, Java, PHP, Ruby, Go, JavaScript,
and Haskell. So you can see that these can be used in many different
scenarios.
JWTs are self-contained: They will carry all the information necessary
within itself. This means that a JWT will be able to transmit basic
information about itself, a payload (usually user information), and a
signature.
JWTs can be passed around easily: since JWTs are self-contained, they fit neatly inside an HTTP header when authenticating against an API. You can also pass one through the URL.
HEADER
The header carries 2 parts (the token type, JWT, and the hashing algorithm), like below:
{ "typ": "JWT", "alg": "HS256" }
Then base64url-encode it
PAYLOAD & CLAIMS
The payload will carry the bulk of our JWT, also called the JWT Claims. This is
where we will put the information that we want to transmit and other
information about our token.
There are multiple claims that we can provide. This includes registered claim
names, public claim names, and private claim names.
{
"iss": "taswar.zeytinsoft.com",
"exp": 1300819380,
"name": "Taswar Bhatti",
"admin": true
}
SIGNATURE
The third and final part of our JSON Web Token is the signature. This signature is an HMAC computed over the following components:
the header
the payload
the secret (as the key)
The secret is the key held by the server. This is how our server is able to verify existing tokens and sign new ones.
var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
var signature = HMACSHA256(encodedString, 'secret');
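The header.payload.signature construction above, together with the earlier RESOURCE SERVER CHECK TOKEN slide (verify who signed the token, then look at its claims), as an added Python example that is not from the deck. It signs the claims from the deck's OpenID Connect token slide with HMAC-SHA256 and verifies them the way a resource server should: algorithm pinned rather than read from the header, signature compared in constant time, then exp, iss and aud checked. The shared secret is a constructed value and now is passed in explicitly so the check is reproducible.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret; a real one is a high-entropy key held only by the
# parties that sign and verify.
SECRET = b"constructed-demo-secret-not-for-production"

# Claims taken from the deck's OpenID Connect token slide.
SAMPLE_CLAIMS = {
    "sub": "alice",
    "user_name": "Taswar",
    "iss": "https://openid.c2id.com",
    "aud": "client-12345",
    "auth_time": 123456789,
    "iat": 1311280970,
    "exp": 1311281970,
}


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign_hs256(claims: dict, secret: bytes) -> str:
    """header.payload.signature, where signature = HMAC-SHA256(secret, 'header.payload')."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def jwt_verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Resource-server side check. Raises ValueError on any failure, returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect instead of trusting the header's alg value:
    # honouring "none" or a different algorithm would bypass the signature check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # Short-lived tokens only help if exp is actually enforced.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != issuer:
        raise ValueError("token issued by another issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this audience")
    return claims


def is_valid_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> bool:
    """What an API middleware would call: True to serve the request, False to answer 401."""
    try:
        jwt_verify_hs256(token, secret, issuer, audience, now)
        return True
    except ValueError:
        return False
```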
ENDPOINTS OF OPENID CONNECT
Authorization Endpoint (Regular OAuth)
Identity Endpoint (username/pass, hardware token, biometrics)
UserInfo Endpoint (name, birthday, picture, etc)
Optional (Session Endpoint, WebFinger, etc.)
OPENID CONNECT TOKENS
The OpenID Connect server provides client applications with two
key tokens:
ID token - asserts the user's identity in a signed and verifiable way.
Access token - provides access to the user’s details at the UserInfo
endpoint and other protected web APIs.
DEMO
THANK YOU
Questions?
Contact: Taswar@gmail.com
Blog: http://Taswar.zeytinsoft.com
Twitter: @taswarbhatti
And a special thanks to Lego Batman !

Xamarin forms introduction by Taswar Bhatti and Ahmed AssadXamarin forms introduction by Taswar Bhatti and Ahmed Assad
Xamarin forms introduction by Taswar Bhatti and Ahmed Assad
 
Docker for .NET Developers
Docker for .NET DevelopersDocker for .NET Developers
Docker for .NET Developers
 
Docker for .NET Developers
Docker for .NET DevelopersDocker for .NET Developers
Docker for .NET Developers
 
Akka.Net Ottawa .NET User Group Meetup
Akka.Net Ottawa .NET User Group Meetup Akka.Net Ottawa .NET User Group Meetup
Akka.Net Ottawa .NET User Group Meetup
 

Recently uploaded

Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 

Recently uploaded (20)

Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 

Devteach 2017 OAuth and Open id connect demystified

  • 1. OAUTH2 & OPENID CONNECT DEMYSTIFIED Taswar Bhatti (Microsoft MVP) GEMALTO @taswarbhatti http://taswar.zeytinsoft.com taswar@gmail.com
  • 2. WHO AM I?? - 4 years Microsoft MVP - 17 years in software - Author of Instant Automapper (Packt) - Currently working as System Architect at Enterprise Security Space (Gemalto) - You may not have heard of Gemalto, but 1/3 of the world population uses Gemalto; they just don't know it
  • 3. WHAT WE WILL COVER TODAY? OAuth 2.0 OAuth flows OpenID JWT (JSON Web Token), some say “jot” OpenID Connect Demo (Keycloak IDP)
  • 4. WHAT IS OAUTH? An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
  • 5. OAUTH HISTORY OAuth started circa 2007 2010 - RFC 5849 defines OAuth 1.0 2010 - OAuth 2.0 work begins in IETF Working deployments of various drafts & versions at Google, Microsoft, Facebook, GitHub, Twitter, Flickr, Dropbox … Mid 2012 – Lead author and editor resigned & withdrew his name from all specs (DRAMA……) October 2012 – RFC 6749, RFC 6750
  • 6. THE GOOD OAuth 2.0 is easier to implement than OAuth 1.0 Widespread and still growing Short-lived tokens Encapsulated token OAuth2 makes it HTTP/JSON friendly to request and transmit tokens Takes "multiple client" architectures into account Clients can have varying trust levels
  • 7. OAUTH 2.0 - Transport Security : Using HTTPS and TLS - Ease : Usable (no digital certs to verify) - Flexible : Mobile, Web SPA apps, etc - Decoupled: Resource server and authorization server - Bearer Token : Easy for integration; Id Token also known as keys (9/24/2017)
  • 8. SO I CAN USE MY PASSWORD???
  • 9. OAUTH IS LIKE A VALET KEY - Provides another domain delegated access to your application server resources
  • 10. OAUTH ROLES User Application API
  • 12. OAUTH MISCONCEPTION Ohh this is easy!! When I login to Spotify with Twitter, it grabs my username and password from Twitter…. Wrong !!!!!!!!!!!!!! Developer
  • 13. OAUTH IS NOT FOR - Traditional Access Control - Not for authentication - Not for Federation - OAuth should be used for delegation
  • 14. BEARER TOKEN
    GET /somedata HTTP/1.1
    Host: someserver.com
    Authorization: Bearer a3b4c55cf
    The access token can be in JWT format. A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can.
  • 15. OAUTH TERMINOLOGY - Client or Consumer Application : Is typically a web-based or mobile application that wants to access the User’s Protected Resources - Resource Server or the Resource Provider : Is a web site or web service API where the User keeps his/her protected data - Authorization Server : The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization - User or the Resource Owner : Is a member of the Resource Provider, wanting to share certain resources with a third party - Client Credentials : Are the consumer key and consumer secret used to authenticate the Client - Tokens : Are the access tokens generated by the server after a request from the client
  • 16. OAUTH TOKEN TYPES - Access Token : Used to directly access protected resources on behalf of a user or service - Refresh Token : When given to an authorization server, it will give you a new access token - Authorization Code Token : Used only in the authorization code grant type to obtain an access token or refresh token
  • 17. HIGH LEVEL FLOW OF OAUTH 2 - A developer registers an app on an OAuth service provider (let's say Twitter) - They get an app key/secret for each app they register - When users log in they are redirected to the service provider to provide their credentials - If the user approves, a token is issued to the app for a limited time - Finally the client uses the token to access the resource
  • 18. OAUTH USAGE In OAuth [authorization] You are in your BigPhotoPrintingCorp.net account and you need to access your images from the AwesomeImage.com site. BigPhotoPrintingCorp.net will redirect you to AwesomeImage.com. You enter your credentials at AwesomeImage.com and authenticate yourself (this part is like OpenID). AwesomeImage.com will ask if you want to give permission to access only your photos on AwesomeImage.com; you select yes. AwesomeImage.com will redirect you back to BigPhotoPrintingCorp.net. BigPhotoPrintingCorp.net can now access AwesomeImage.com.
  • 20. 4 TYPES OF OAUTH FLOW Authorization Code Grant : for apps running on a web server, long-lived tokens Implicit Grant : for browser-based or mobile apps, while the user is logged in, short-lived tokens Resource Owner Credentials Grant : for logging in with a username and password, trusted applications Client Credentials Grant : for machine-to-machine application access
  • 21. AUTHORIZATION CODE FOR APPS RUNNING ON A WEB SERVER This is the most common type of application you have when dealing with OAuth servers. Web apps run on a server where the source code of the application is not available to the public. In this case your site will REDIRECT you to a particular authorization server. If the web server makes multiple requests it can use the STATE parameter to map each callback response to its request. One of the most complicated flows in OAuth.
  • 22. YOU HAVE SEEN THIS BEFORE
  • 23. IMPLICIT FOR BROWSER-BASED OR MOBILE APPS Browser-based apps run entirely in the browser after getting their source code from a web server. Since the entire source code is available to the public, they cannot maintain the confidentiality of their client secret, so the secret is not used in this case. The app makes API calls with the token that is assigned to it. Mobile apps also cannot maintain the confidentiality of their client secret. Because of this, mobile apps must also use an OAuth flow that does not require a client secret. With this concept the token is exposed to the local operating system, so there are no refresh tokens.
  • 24. PASSWORD FOR LOGGING IN WITH A USERNAME AND PASSWORD OAuth 2 also provides a “password” grant type which can be used to exchange a username and password for an access token directly. This obviously requires the application to collect the user’s password. As a result users may hesitate to use this service unless the app comes from the auth service provider. Only used in highly trusted applications, such as your social media provider's own Facebook app, rather than 3rd party apps (Batman Fancy Facebook app)
  • 25. MEET THE ACTORS IN OUR OAUTH Resource Owner Or User Application Authorization Server Resource Server Or API
  • 26. CLIENT CREDENTIALS FOR APPLICATION ACCESS There are scenarios where applications may wish to get statistics about the users of the app. In this case, applications need a way to get an access token for their own account, outside the context of any specific user. OAuth provides the client credentials grant type for this purpose. This is essentially machine-to-machine communication.
  • 28. TOKEN – CLIENT CREDENTIAL GRANT
    $ curl -XPOST https://api.mysite.com/oauth/token -d 'grant_type=client_credentials' -d 'client_id=TestClient' -d 'client_secret=TestSecret'
  • 29. TOKEN – CLIENT CREDENTIAL GRANT Response from Authorization Server
    { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, "token_type":"bearer", "scope":null }
  • 31. PASSWORD GRANT
    $ curl -XPOST https://api.mysite.com/oauth/token -d 'client_id=TestClient' -d 'client_secret=TestSecret' -d 'grant_type=password' -d 'username=batman' -d 'password=nananananananannaBatman'
  • 32. SCOPES AKA PERMISSIONS - Roles, authority: where you want access control over who can do what - The names of permissions - User scopes - Client/Application scopes - Token contains the intersection
  • 35. SCOPES IN TOKEN Response from Authorization Server
    { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, "token_type":"bearer", "scope":"CarKey.Ignite" }
  • 37. AUTHORIZATION GRANT
    $ https://fancy.mysite.com/oidc   # Reaching out to the application: are you logged in?
    302 HTTP Redirect https://api.mysite.com/authorize?response_type=code&client_id=TestClient&redirect_uri=https://fancy.mysite.com/oidc
  • 38. AUTHORIZATION CODE GRANT GET /oauth/authorize   # Log in to the app; on SUCCESS you get back a code
    HTTP 302 redirect back to redirect_uri: https://fancy.mysite.com/oidc?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
  • 39. AUTHORIZATION CODE GETTING THE TOKEN
    $ curl -XPOST https://api.mysite.com/oauth/token -d 'client_id=TestClient' -d 'client_secret=TestSecret' -d 'grant_type=authorization_code' -d 'code=SplxlOBeZQQYbYS6WxSbIA'
  • 40. ACCESS TOKEN Response from Authorization Server
    { "access_token":"03807cb390319329bdf6c777d4dfae9c0d3b3c35", "expires_in":3600, "token_type":"bearer", "scope":"CarKey.Ignite" }
  • 41. RESOURCE SERVER CHECK TOKEN - If it is a JWT you can verify the signature against the key that signed it - An endpoint to check the token, returning its scopes, to verify that the token is valid
  • 42. IMPLICIT GRANT TYPE - Used for clients that can easily be impersonated, like phone or mobile applications - 3rd party applications - A simplified Authorization Code Grant that eliminates the code step - Access token is given directly to the app - No refresh tokens are given; access tokens are short-lived - Requires the Resource Owner to go through the flow again for a new access token
  • 44. OPENID Sharing a single identity with different consumers Decentralized OpenID is a form of Single Sign On (SSO) OpenID is a URL: http://myname.myopenid.com
  • 45. WHAT CAN YOU DO? One can claim and prove they own the OpenID Use it for authentication At a high level it's like Microsoft Passport It's a form of authentication; if you have a system you will still need to populate your fields (e.g. firstname, email, etc.) OpenID does not provide you with that information
  • 46. OPENID USAGE In OpenID [authentication] You want to access your account on bigcorp.net. bigcorp.net asks for your OpenID. You enter your username for OpenID. bigcorp.net will redirect you to your OpenID provider's site. The user gives their password to the OpenID provider and authenticates themself. The OpenID provider redirects the user back to the bigcorp.net site. bigcorp.net grants you access to your account.
  • 47. OPENID CONNECT We have talked about OAuth and OpenID, and there is also OpenID Connect. It's the new SSO authentication for the internet. OpenID Connect is built on top of OAuth2, since sometimes you may just need authentication. Remember, OAuth2 is for authorization. OpenID Connect provides Implicit flows and the Authorization code flow
  • 48. OPENID CONNECT FLOW - SIMPLE
  • 49. OPENID CONNECT TOKEN
    { "sub" : "alice", "user_name" : "Taswar", "iss" : "https://openid.c2id.com", "aud" : "client-12345", "auth_time" : 123456789, "iat" : 1311280970, "exp" : 1311281970, "email" : "Taswar@gmail.com", "phone_number" : "123-4567" }
  • 50. OPENID CONNECT - HYBRID
  • 51. JWT (JSON WEB TOKEN) JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.
  • 52. JWT CONT A JWT token looks like this:
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEzODY4OTkxMzEsImlzcyI6ImppcmE6MTU0ODk1OTUiLCJxc2giOiI4MDYzZmY0Y2ExZTQxZGY3YmM5MGM4YWI2ZDBmNjIwN2Q0OTFjZjZkYWQ3YzY2ZWE3OTdiNDYxNGI3MTkyMmU5IiwiaWF0IjoxMzg2ODk4OTUxfQ.uKqU9dTB6gKwG6jQCuXYAiMNdfNRw98Hw_IWuA5MaMo
    Ok great…………. Once you understand the format, it's actually pretty simple: <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature> [header].[payload].[signature]
  • 53. JWT CONT In other words: You create a header object in JSON format, then encode it as base64. You create a claims object in JSON format, then encode it in base64. You create a signature for the URI, then encode it in base64. You concatenate the three items with the "." separator.
  • 54. BENEFITS JSON Web Tokens work across different programming languages: JWTs work in .NET, Python, Node.js, Java, PHP, Ruby, Go, JavaScript, and Haskell. So you can see that these can be used in many different scenarios. JWTs are self-contained: They carry all the necessary information within themselves. This means that a JWT is able to transmit basic information about itself, a payload (usually user information), and a signature. JWTs can be passed around easily: Since JWTs are self-contained, they are well suited to being sent in an HTTP header when authenticating against an API. You can also pass one through the URL.
  • 55. HEADER The header carries 2 parts (JWT and the hashing algorithm, like below) { "typ": "JWT", "alg": "HS256" } Then base64 encode it
  • 56. PAYLOAD & CLAIMS The payload will carry the bulk of our JWT, also called the JWT Claims. This is where we will put the information that we want to transmit and other information about our token. There are multiple claims that we can provide. This includes registered claim names, public claim names, and private claim names. { "iss": "taswar.zeytinsoft.com", "exp": 1300819380, "name": "Taswar Bhatti", "admin": true }
  • 57. SIGNATURE The third and final part of our JSON Web Token is going to be the signature. This signature is made up of a hash of the following components: the header, the payload, and the secret. The secret is the signing key held by the server. This is the way that our server will be able to verify existing tokens and sign new ones.
    var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
    HMACSHA256(encodedString, 'secret');
  • 58. ENDPOINTS OF OPENID CONNECT Authorization Endpoint (regular OAuth) Identity Endpoint (username/pass, hardware token, biometrics) UserInfo Endpoint (name, birthday, picture, etc) Optional (Session Endpoint, WebFinger etc)
  • 59. OPENID CONNECT TOKENS The OpenID Connect server provides client applications with two key tokens: ID token - asserts the user's identity in a signed and verifiable way. Access token - provides access to the user’s details at the UserInfo endpoint and other protected web APIs.
  • 60. DEMO
  • 61. THANK YOU Questions? Contact: Taswar@gmail.com Blog: http://Taswar.zeytinsoft.com Twitter: @taswarbhatti And a special thanks to Lego Batman !
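Slides 21 and 37 to 40 walk through the authorization code grant and mention the STATE parameter that ties a callback back to the request that started it. The following is an added example, not code from the talk or from Keycloak: it simulates both sides of that exchange in memory. The endpoint URLs, client id/secret and the authorization code reuse the placeholder values printed on the slides; the in-memory AuthorizationServer and WebClient classes, the session ids and the error strings are assumptions of this example.

```python
"""Authorization code flow with a per-session state parameter (added example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.mysite.com/authorize"   # from slide 37
REDIRECT_URI = "https://fancy.mysite.com/oidc"       # from slide 37
CLIENT_ID = "TestClient"                             # from slide 39
CLIENT_SECRET = "TestSecret"                         # from slide 39


class AuthorizationServer:
    """Stand-in for the /authorize and /oauth/token endpoints (assumed, in memory)."""

    def __init__(self):
        self._codes = {}  # authorization code -> client_id it was issued to

    def authorize(self, client_id, state, code="SplxlOBeZQQYbYS6WxSbIA"):
        """User approved: issue a single-use code and return the 302 Location."""
        self._codes[code] = client_id
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"

    def token(self, grant_type, client_id, client_secret, code):
        """Exchange a code for an access token shaped like the slide 40 response."""
        if grant_type != "authorization_code" or client_secret != CLIENT_SECRET:
            return {"error": "invalid_client"}
        issued_to = self._codes.pop(code, None)  # pop: a code is redeemable once
        if issued_to != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_hex(20), "expires_in": 3600,
                "token_type": "bearer", "scope": "CarKey.Ignite"}


class WebClient:
    """The confidential web app; pending_states maps state -> browser session."""

    def __init__(self, server):
        self.server = server
        self.pending_states = {}

    def start_login(self, session_id):
        """Build the /authorize redirect with a fresh, unguessable state."""
        state = secrets.token_urlsafe(16)
        self.pending_states[state] = session_id
        query = {"response_type": "code", "client_id": CLIENT_ID,
                 "redirect_uri": REDIRECT_URI, "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(query)}"

    def handle_callback(self, callback_url):
        """Return (session_id, token_response) or (None, reason) for the callback."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        # pop: each state is accepted once, so a replayed callback is refused too
        session_id = self.pending_states.pop(state, None)
        if session_id is None:
            return None, "state mismatch: callback does not belong to a pending login"
        if code is None:
            return None, "no authorization code in callback"
        resp = self.server.token("authorization_code", CLIENT_ID, CLIENT_SECRET, code)
        if "error" in resp:
            return None, resp["error"]
        return session_id, resp


def demo():
    """Run the happy path plus a forged and a replayed callback."""
    server = AuthorizationServer()
    client = WebClient(server)
    # 1. Browser session "sess-1" starts login; the app redirects it to /authorize.
    authorize_url = client.start_login("sess-1")
    state = parse_qs(urlparse(authorize_url).query)["state"][0]
    # 2. The user approves; the server redirects the browser back with code + state.
    callback = server.authorize(CLIENT_ID, state)
    # 3. A callback carrying a state the app never issued is refused before any token call.
    _, forged_err = client.handle_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz")
    # 4. The genuine callback is accepted and the code is exchanged for a token.
    session, token = client.handle_callback(callback)
    # 5. Replaying the same callback fails: its state was consumed in step 4.
    _, replay_err = client.handle_callback(callback)
    return session, token, forged_err, replay_err


if __name__ == "__main__":
    print(demo())
```

The two `pop` calls carry the security value: the state is bound to one browser session and consumed on first use, and the code is consumed at the token endpoint, so neither a fabricated callback nor a replayed one yields a token.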
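Slides 52 to 57 describe the header.payload.signature layout and the HMAC-SHA256 signature over the two base64url parts, slide 41 says a resource server should verify a JWT against the key that signed it, slide 49 shows the iss/aud/exp claims of an ID token, and slide 14 shows the Bearer header the token travels in. This added example (not the talk's code, and not a library the talk uses) puts those pieces together: it mints an HS256 token the way slide 57 sketches and verifies one the way a resource server would, rejecting a tampered payload, a token whose header claims a different algorithm, and an expired token. The shared secret and the claim values are constructed sample values; the issuer and audience strings are the ones printed on slide 49.

```python
"""Mint and check an HS256 JWT by hand (added example)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"   # constructed; a real key is long and random
ISSUER = "https://openid.c2id.com"  # issuer value from slide 49
AUDIENCE = "client-12345"           # audience value from slide 49


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Slide 57: sign base64url(header) + '.' + base64url(payload) with HMAC-SHA256."""
    header = {"typ": "JWT", "alg": "HS256"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Return (claims, None) for a valid token or (None, reason) otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed: expected header.payload.signature"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed: parts are not base64url JSON"
    # The verifier pins the algorithm; a header saying "none" or anything else is refused.
    if header.get("alg") != "HS256":
        return None, f"unsupported alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if "exp" not in claims or now >= claims["exp"]:
        return None, "expired"
    return claims, None


def bearer_token_from_header(authorization: str):
    """Pull the token out of 'Authorization: Bearer <token>' (slide 14)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def has_scope(claims: dict, required: str) -> bool:
    """Scopes are space-separated in the scope claim (slide 35 shows one scope)."""
    return required in claims.get("scope", "").split()


if __name__ == "__main__":
    sample = {"sub": "alice", "iss": ISSUER, "aud": AUDIENCE,
              "iat": 1311280970, "exp": 1311281970, "scope": "CarKey.Ignite"}
    token = create_jwt(sample, SECRET)
    print(token)
    print(verify_jwt(token, SECRET, ISSUER, AUDIENCE, now=1311281000))
```

Note that the signature check happens before any claim is trusted, and that the algorithm is fixed by the verifier rather than read from the token: the header is attacker-controlled bytes until the signature has been checked.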

Editor's Notes

  1. This is a newer version rather than using SAML
  2. Passwords are never passed around