Download to read offline
More Related Content
Similar to Seamless OAuth2.0 and OpenID Connect in VAST
![OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...](https://cdn.slidesharecdn.com/ss_thumbnails/gluecon2014-oidc-140521065808-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...](https://cdn.slidesharecdn.com/ss_thumbnails/apidays-interface-johannstalk-210709062455-thumbnail.jpg?width=640&height=640&fit=bounds)
![ESUG 2009: [Project planning], by Tim Mackinnon](https://cdn.slidesharecdn.com/ss_thumbnails/esug2009-planning-251028124040-b55d3034-thumbnail.jpg?width=640&height=640&fit=bounds)
Seamless OAuth2.0 and OpenID Connect in VAST
- 1. Johan Brichau VAST Consultantand Senior Software Engineer Seamless OAuth2.0 and OpenID Connect in VAST jbrichau@instantiations.com
- 2. ◦ What isOAuth2.0 ? ◦ Demo - Seaside application flow with Github ◦ OAuth2.0 client code example ◦ What is OpenID Connect (OIDC) ? ◦ Demo – Seaside and Desktop application flow with Google/Microsoft ◦ Convenience with VAST Async framework ◦ Json Web Token ◦ Final Remarks Agenda
- 3.
- 4. What is OAuth2.0? Resource owner Client Application Resource server uses authenticates with Application developer Authentication server Github Auth Johan Github API (Seaside or Desktop) VAST Application jbrichau:secretpassword
- 5. What is OAuth2.0? ◦ Industry-standard authorization protocol ◦ Access a protected (web) service ◦ Defines authorization through delegation ◦ Works over HTTPS ◦ Framework + extensions User can authorize an application to use a service without sharing his/her credentials with that application.
- 6. Demo: Github OAuthApplication ◦ Register client application with the OAuth2.0 provider (Github)
- 7. Demo: Github OAuthApplication ◦ Retrieve Client ID and Client secret
- 8. Demo: Github OAuthApplication ◦ Define the application’s callback url
- 9. Demo: Github OAuth2.0Seaside application
- 10.
- 11.
- 12.
- 13.
- 14. OAuth2.0 redirection inSeaside (1)
- 15. OAuth2.0 redirection inSeaside (2)
- 16. OAuth2.0 is aframework. VAST client supports: ◦ OAuth2.0 (rfc 6749) ◦ Grant types: ◦ Authorization Code Grant - (Most common and web-based) ◦ Client Credentials Grant - (Machine-machine communication, no user involved) ◦ Implicit Grant - (not supported, useful for clients running in browser) ◦ Resource Owner Password Grant - (deprecated, exists for compatibility) ◦ JWT Authorization/Bearer Grant (rfc 7523) - (Existing trust relationship) ◦ PKCE (rfc 7636) ◦ OAuth 2.0 for Native Apps (rfc 8252) ◦ Threat Model and Security Considerations (rfc 6819) ◦ Towards OAuth2.1 ◦ OAuth2.0 with existing extensions and additions ◦ OAuth2.0 without insecure options
- 17.
- 18. OpenID Connect (OIDC) ◦Authentication protocol built on top of OAuth2.0 ◦ Verifies the identity of a user through an Identity Provider ◦ Uses JSON Web Token with identity claims ◦ Typically used to implement Single Sign-On ◦ An alternative to the more complex SAML 2.0 protocol User authentication and identity management delegated to a trusted party.
- 19. OpenID Connect (OIDC) User RelyingParty Identity Provider Identity Provider /userinfo authenticates with Application developer Johan (Seaside or Desktop) VAST Application Google / Microsoft Google OIDC Microsoft Entra
- 20. OIDC Discovery ◦ Eachissuer has a well-known url with meta-document ◦ Meta-document describes OIDC Issuer ◦ Automated configuration of OAuth2.0 client ◦ Endpoint urls ◦ Possible values for different configuration parameters ◦ Encryption keys for JWT signature verification https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration https://accounts.google.com/.well-known/openid-configuration
- 21. OIDC Google /Microsoft
- 22. OIDC Google /Microsoft
- 23. OIDC Google /Microsoft
- 24.
- 25. OIDC Google /Microsoft
- 26. OIDC Google /Microsoft
- 27. Json Web Token ◦Standard and web-safe transmission of trusted information (rfc 7519) ◦ Client library verifies: ◦ Signature (RSA 256) ◦ Issuer ◦ Validity ◦ … ◦ Separate VAST Library
- 28.
- 29.
- 30. OAuth2.0 / OIDCClient in VAST ◦ Additional API parameters ◦ Convenience API for Google and Microsoft
- 31. Recap and FinalRemarks ◦ VAST Library passes OIDC conformance tests for Basic Relying Party Profile ◦ Client support for OAuth2.0 APIs and OpenID Connect ◦ Compatible with SstHttpClient ◦ Convenience methods for Microsoft Entra and Google OIDC ◦ Desktop and Seaside example ◦ External webbrowser and Webview2 ◦ Convenience integration with VAST’s Async framework ◦ Included with VAST 15 (2026) ◦ Preview available on request for VAST 14
- 32. Contact General Inquiry info@instantiations.com Sales sales@instantiations.com VAST SupportPortal vast-support.instantiations.com North America, Toll Free 855 476 2558 International +1 503 263 0058 © Instantiations, Inc. All rights reserved. 'Instantiations' and the 'intersecting circle design’ are registered trademarks of Instantiations, Inc. in the United States. All product names, trademarks, and registered trademarks are property of their respective owners. Company, product, and service names not owned by Instantiations are used for identification purposes only. Use of these names, trademarks, and brands does not imply endorsement. Johan Brichau VAST Consultant and Senior Software Engineer Seamless OAuth2.0 & OpenID Connect in VAST Thank you for listening! Questions? jbrichau@instantiations.com