
OAuth2 & OIDC Stephanie Chamblee @stephchamblee

Stephanie Chamblee Software Developer at BrightLink (we’re hiring!) Auth0 Ambassador stephaniechamblee.com schamblee@thebrightlink.com @stephchamblee

Overview 1 CONTEXT: Open Standards; Brief History of Identity 2 FOUNDATION: Four roles in OAuth; Tokens; Authorization Flows 3 OAUTH & OIDC AUTHORIZATION CODE FLOW: OAuth 2.0 & OpenID Connect (OIDC) Walkthrough

CONTEXT

OAuth2 OpenID Connect


OPEN STANDARDS

Open Standards in Identity * SAML * JWT * OAuth2 * OIDC

HISTORY OF IDENTITY

HISTORY OF IDENTITY 1960s Passwords 2002 2010 2014

Computer User Password

Simple Login Security * Password Strength Requirements * Password Hashing * Two-Factor Authentication

haveibeenpwned.com

ABC Company

HISTORY OF IDENTITY SAML 1960s Passwords 2002 2010 2014

HISTORY OF IDENTITY SAML 1960s Passwords 2002 2012 OAuth2 2014

DELEGATED AUTHORIZATION

Authorization vs. Authentication

Authorization

Authentication

HISTORY OF IDENTITY 1960s Passwords · 2002 SAML · 2012 OAuth2 · 2014 OIDC

CONTEXT SUMMARY

FOUNDATION

Four Roles Defined by OAuth2

OAuth 2.0 Roles End User who provides consent for scopes Resource Owner (RO)

Resource Owner (RO) end user scopes

OAuth 2.0 Roles End User who provides consent for scopes Resource Owner (RO) Resource Server (RS) API or Application controlling the data

Resource Server (RS) Application Controlling the data

OAuth 2.0 Roles Application handling delegated authorization decisions End User who provides consent for scopes Resource Owner (RO) Resource Server (RS) API or Application controlling the data Authorization Server (AS)

OAuth 2.0 Roles * Resource Owner (RO): End User who provides consent for scopes * Resource Server (RS): API or Application controlling the data * Authorization Server (AS): Application handling delegated authorization decisions * Client: Application requesting the data

Client Application requesting the data

Let’s review.

SomeApp

SomeApp

Resource Owner SomeApp

SomeApp

Resource Server + Authorization Server SomeApp

SomeApp

Client SomeApp

SomeApp

Scopes SomeApp

Resource Server + Authorization Server Resource Owner Client SomeApp Scopes Consent

Tokens

Tokens Access Token Refresh Token ID Token

Access Token

Refresh Token

ID Token

ID Token JSON Web Token (JWT)

JSON Web Token (JWT) ● Encoded Claims (user data) ● Stateless validation ● Signed for authenticity

3 parts of a JWT: Header . Payload . Signature (hhhhhhhhhhh . ppppppppppppp . sssssssssssssssss)

HEADER

PAYLOAD { "iss": "https://example.com", "sub": "123", "aud": "some-client-id", "exp": 1311281970, "iat": 1311280970 }

SIGNATURE

Parts of a JWT Summary Header - alg (algorithm) & typ (JWT) Payload - claims (data about the user) Signature - computed over the header and payload with the secret and the specified algorithm; used to verify that a token is authentic
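Added example (not from the slides): the three-part JWT structure above, built and verified by hand for an HS256 ID token carrying the slide's payload. The shared secret and the `now` timestamp are constructed values; the check pins the algorithm and validates iss, aud and exp, which is what separates a signed token from a trusted one.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example (not from the slides): a shared HS256 secret
# and the issuer/audience the client expects, matching the slide's payload.
SECRET = b"demo-shared-secret"
EXPECTED_ISS = "https://example.com"
EXPECTED_AUD = "some-client-id"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature: HMAC-SHA256 over the first two parts."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, secret: bytes, now: int) -> dict:
    """Return the claims only if signature, alg, iss, aud and exp all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three parts")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header: rejects alg=none and key confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token was issued to a different client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims
```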

Authorization Grants

Authorization Grants: methods for a client application to acquire an access token that represents a user's permission for the client to access their data

Authorization Grant Flows * Authorization Code * Authorization Code + PKCE * Client Credentials

Front-Channel: Browser to API, not-so secure. Back-Channel: Server to API, very secure.

Authorization Code Flow: Back Channel + Front Channel

Implicit / Authorization Code + PKCE: Front Channel Only, SPA/Mobile

Client Credentials Flow: Back Channel Only, Machine-to-Machine (example: microservices)

FOUNDATION SUMMARY

OAUTH & OIDC FLOW

RO User · CLIENT my app · AS Auth0 · RS Google

CLIENT my app to AS Auth0: "Can I have authorization?" (RO User, RS Google)

https://auth-server.com/authorize?response_type=code&client_id=client_id123&redirect_uri=https://example.com/callback&scope=openid+profile+email&state=some_random_string

AS Auth0 to CLIENT my app: "Here's your auth code!" (RO User, RS Google)

https://example.com/callback?code=123&state=some_random_string

CLIENT my app to AS Auth0: "Can I have an access token?" (RO User, RS Google)

POST https://auth-server.com/token grant_type=authorization_code&code=123&redirect_uri=https://example.com/callback&client_id=client_id123&
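Added example (not from the slides): the client side of the three requests above, using the slide's endpoint, client_id and redirect_uri. It generates and checks the state parameter that the walkthrough shows as some_random_string, and adds the PKCE code_challenge/code_verifier pair from RFC 7636 that the slide's URL omits; the `session` dict stands in for the client app's server-side session store.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint, client_id and redirect_uri are the ones on the slides; the session dict
# stands in for whatever server-side session store the client app really uses.
AUTH_SERVER = "https://auth-server.com"
CLIENT_ID = "client_id123"
REDIRECT_URI = "https://example.com/callback"

def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(session: dict) -> str:
    """Step 1 (front channel): redirect the browser to /authorize with fresh state + PKCE."""
    session["state"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)  # 43..128 chars per RFC 7636
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": session["state"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_SERVER}/authorize?{urlencode(params)}"

def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2 (front channel): accept the code only if state is the one this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    issued = session.pop("state", None)  # single use: a replayed callback fails
    if issued is None or not secrets.compare_digest(issued, query.get("state", [""])[0]):
        raise PermissionError("state mismatch: dropping callback (possible CSRF)")
    return query["code"][0]

def build_token_request(session: dict, code: str) -> dict:
    """Step 3 (back channel): form body to POST to AUTH_SERVER/token, with the verifier."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session.pop("code_verifier")}
```

A confidential client would also send its client secret (or a client assertion) with the token request; the slide's example elides it.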

AS Auth0 to CLIENT my app: "Here's your access token, refresh token, ID token!" (RO User, RS Google)

CLIENT my app to RS Google: "Can I have user data?" (RO User, AS Auth0)

RS Google to CLIENT my app: "Here's the user data!" (RO User, AS Auth0)

CLIENT my app to AS Auth0: "Can I have another access token?" (RO User, RS Google)

AS Auth0 to CLIENT my app: "Here's another access token!" (RO User, RS Google)

CLIENT my app to RS Google: "Can I have user data?" (AS Auth0)

RS Google to CLIENT my app: "YEAH!" (AS Auth0)

DEMO

Summary 1 CONTEXT: Open Standards; Brief History of Identity 2 FOUNDATION: Four roles in OAuth; Tokens; Authorization Flows 3 OAUTH & OIDC AUTHORIZATION CODE FLOW: OAuth 2.0 & OpenID Connect (OIDC) Walkthrough

Resources ● RFC 6749 - OAuth 2.0 ● RFC 6750 - Bearer Tokens ● RFC 7636 - Proof Key for Code Exchange ● OpenID Connect Specifications ● The OpenID Connect Handbook - Auth0 ● Learn Identity Video Series - Auth0

Thanks! Stephanie Chamblee @stephchamblee