A presentation at Connect.Tech in October 2019 in Atlanta, GA, USA by Stephanie Chamblee
Resources ● RFC 6749 - OAuth 2.0 ● RFC 6750 - Bearer Tokens ● RFC 7636 - Proof Key for Code Exchange ● OpenID Connect Specifications ● The OpenID Connect Handbook - Auth0 ● Learn Identity Video Series - Auth0
OAuth2 & OIDC Stephanie Chamblee @stephchamblee
Stephanie Chamblee Software Developer at BrightLink (we’re hiring!) Auth0 Ambassador stephaniechamblee.com schamblee@thebrightlink.com @stephchamblee
Overview: 1 CONTEXT (Open Standards; Brief History of Identity). 2 FOUNDATION (Four roles in OAuth; Tokens; Authorization Flows). 3 OAUTH & OIDC AUTHORIZATION CODE FLOW (OAuth 2.0 & OpenID Connect (OIDC) Walkthrough).
CONTEXT
OAuth2 OpenID Connect
Thanks! Stephanie Chamblee @stephchamblee
OPEN STANDARDS
Open Standards in Identity * SAML * JWT * OAuth2 * OIDC
HISTORY OF IDENTITY
HISTORY OF IDENTITY: 1960s Passwords, 2002, 2010, 2014
Computer User Password
Simple Login Security * Password Strength Requirements * Password Hashing * Two-Factor Authentication
haveibeenpwned.com
ABC Company
HISTORY OF IDENTITY: 1960s Passwords, 2002 SAML, 2010, 2014
HISTORY OF IDENTITY: 1960s Passwords, 2002 SAML, 2012 OAuth2, 2014
DELEGATED AUTHORIZATION
Authorization vs. Authentication
Authorization
Authentication
HISTORY OF IDENTITY: 1960s Passwords, 2002 SAML, 2012 OAuth2, 2014 OIDC
CONTEXT SUMMARY
FOUNDATION
Four Roles Defined by OAuth2
OAuth 2.0 Roles: Resource Owner (RO), the end user who provides consent for scopes
Resource Owner (RO): end user; scopes
OAuth 2.0 Roles: Resource Owner (RO), the end user who provides consent for scopes; Resource Server (RS), the API or application controlling the data
Resource Server (RS): the application controlling the data
OAuth 2.0 Roles: Resource Owner (RO), the end user who provides consent for scopes; Resource Server (RS), the API or application controlling the data; Authorization Server (AS), the application handling delegated authorization decisions
OAuth 2.0 Roles: Resource Owner (RO), the end user who provides consent for scopes; Resource Server (RS), the API or application controlling the data; Authorization Server (AS), the application handling delegated authorization decisions; Client, the application requesting the data
Client: the application requesting the data
Let’s review.
SomeApp
Resource Owner SomeApp
Resource Server + Authorization Server SomeApp
Client SomeApp
Scopes SomeApp
Resource Server + Authorization Server Resource Owner Client SomeApp Scopes Consent
Tokens
Tokens Access Token Refresh Token ID Token
Access Token
Refresh Token
ID Token
ID Token JSON Web Token (JWT)
JSON Web Token (JWT) ● Encoded Claims (user data) ● Stateless validation ● Signed for authenticity
3 parts of JWT: Header . Payload . Signature (hhhhhhhhhhh . ppppppppppppp . sssssssssssssssss)
HEADER
PAYLOAD { "iss": "https://example.com", "sub": "123", "aud": "some-client-id", "exp": 1311281970, "iat": 1311280970 }
SIGNATURE
Parts of a JWT Summary: Header - alg (algorithm) & typ (type: JWT). Payload - claims (data about the user). Signature - computed over the header and payload with the secret (or key) and the algorithm named in the header; used to verify that a token is authentic.
Authorization Grants
Authorization Grants: methods for a client application to acquire an access token, which represents a user's permission for the client to access their data.
Authorization Grant Flows * Authorization Code * Authorization Code + PKCE * Client Credentials
Front-Channel: browser to API (not-so secure). Back-Channel: server to API (very secure).
Authorization Code Flow Back Channel + Front Channel
Implicit → Authorization Code + PKCE: Front Channel Only (SPA/Mobile)
Client Credentials Flow Back Channel Only Machine-to-Machine example: microservices
FOUNDATION SUMMARY
OAUTH & OIDC FLOW
Roles in the walkthrough: RO = User, CLIENT = my app, AS = Auth0, RS = Google
CLIENT (my app) → AS (Auth0): "Can I have authorization?"
https://auth-server.com/authorize?response_type=code&client_id=client_id123&redirect_uri=https://example.com/callback&scope=openid+profile+email&state=some_random_string
AS (Auth0) → CLIENT (my app): "Here's your auth code!"
https://example.com/callback?code=123&state=some_random_string
CLIENT (my app) → AS (Auth0): "Can I have an access token?"
POST https://auth-server.com/token grant_type=authorization_code&code=123&redirect_uri=https://example.com/callback&client_id=client_id123&
AS (Auth0) → CLIENT (my app): "Here's your access token, refresh token and ID token!"
CLIENT (my app) → RS (Google): "Can I have user data?"
RS (Google) → CLIENT (my app): "Here's the user data!"
CLIENT (my app) → AS (Auth0): "Can I have another access token?"
AS (Auth0) → CLIENT (my app): "Here's another access token!"
CLIENT (my app) → RS (Google): "Can I have user data?"
RS (Google) → CLIENT (my app): "YEAH!"
DEMO
Summary: 1 CONTEXT (Open Standards; Brief History of Identity). 2 FOUNDATION (Four roles in OAuth; Tokens; Authorization Flows). 3 OAUTH & OIDC AUTHORIZATION CODE FLOW (OAuth 2.0 & OpenID Connect (OIDC) Walkthrough).
Understanding OAuth 2.0 and OpenID Connect (slides published on Notist)