Intro to OAuth2/OpenID Connect
Liam Wadman
Jan 20 2020
Straight to the point: OAuth
• OAuth is an IETF standard for allowing an application to obtain access to an HTTP service on behalf of an end user (without the user sharing their password!), or on its own behalf.
• OAuth is not just using signed JWTs for authentication, though a lot of OAuth implementations use signed JWTs.
• OAuth does not authenticate end-users (humans like us!) to applications.
• Everyone who is sane in the industry means “OAuth2” when saying OAuth. OAuth1 is officially deprecated.
• OpenID Connect (OIDC) is an authentication layer for end-users (humans!) built on top of OAuth.
OAuth 2.0 Terminology
• Client: The application that is calling an API
• Resource Server: The API that is being called
• Access Token: The credential used by a client to interact with the resource server
• Authorization Server: The server that issues access tokens. Can also be called to validate access tokens
• Resource Owner: The person or application that an access token represents. Called the “end-user” if this is a human
• Authorization Code: A one-time-use token an end-user receives from an authorization server and gives to an OAuth client
• Grant: Mode of operation. OAuth has 4 core “grants” that define the use case and how all the different components interact
OAuth Core Concepts
• Access Tokens are signed JWTs or long strings (opaque tokens)
• JWTs can be validated without phoning home to the authorization server. This means that a bad setup might issue tokens that are difficult or impossible to revoke without disrupting users! (rotating signing keys!)
• A resource server receiving an opaque token has to phone home to the issuing Authorization Server to see if it’s still valid
• The content of access tokens is defined as a standard (RFC 7662)
• OAuth is “delegation” and is a stand-in for the old pattern of users sharing or syncing passwords between services. We’d call credential sharing “impersonation”, and that is risky for users.
• End-Users must be authenticated to the OAuth Client and the Authorization Server to finish “OAuthing”
• Authorization servers should always prompt humans for consent before granting an OAuth token, and inform them of what permissions they’re granting the OAuth client
• Authorization servers keep a registry of a redirect URI specific to each client
• In all diagrams following, we assume the user is already authenticated to the OAuth Client and Authorization Server
Client Credentials Grant
• Client Credentials grant: A system authenticates itself to the authorization
server with its own credential, and receives back an access token scoped
to its own identity.
• Think an application that queries information from a remote API for its
own usage.
[Diagram: OAuth Client, Authorization Server, Resource Server. Arrows: OAuth Client’s Credentials; Access Token; Access Token, API call; Results of API call]
Authorization Code Grant
• A remote system (running on a server) gains consent from a user to take an action on their behalf:
• Think entitling inbox management software to read your Gmail and unsubscribe you from spam
• Authorization code grant clients can be given a refresh token that they can use to renew a user’s access token without re-interacting with the user! (Best practice: refresh tokens must expire if not redeemed within a suitable time window)
[Diagram: OAuth Client, Authorization Server, Resource Server, End-User’s User Agent. Steps: (1) Redirect to Authorization Server; (2) Request Authorization Code; (3) Return Authorization Code; (4) Authorization Code; (5) Authorization Code + Client Credential; (6) Access Token, Optional Refresh Token; (7) Access Token, API call; (8) Results of API call]
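The exchange in the diagram above, as an added example that is not part of the original deck: an in-process model of the client side and the authorization-server side of the authorization code grant, enforcing the exact-match redirect URI registry, the one-time authorization code, and a state value bound to the browser session that started the request. Client ids, secrets, URLs and endpoints are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


@dataclass
class ClientRecord:
    client_id: str
    client_secret: str
    redirect_uri: str   # the one registered redirect URI for this client


@dataclass
class AuthorizationServer:
    """In-process model of the authorization-server side of the code grant."""
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, scope)

    def register(self, client: ClientRecord) -> None:
        self.clients[client.client_id] = client

    def authorize(self, request_url: str) -> Optional[str]:
        """Steps (2)-(3): validate the front-channel request; return the redirect carrying a code."""
        q = _query(request_url)
        client = self.clients.get(q.get("client_id", ""))
        # Exact match against the registry: no prefix, wildcard or host-only matching.
        if client is None or q.get("response_type") != "code" or q.get("redirect_uri") != client.redirect_uri:
            return None
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client.client_id, client.redirect_uri, q.get("scope", ""))
        return f"{client.redirect_uri}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> Optional[dict]:
        """Steps (5)-(6): back-channel exchange of code + client credential for tokens."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            return None
        record = self.codes.pop(code, None)   # pop: a code is single-use, even if this exchange fails
        if record is None or record[0] != client_id or record[1] != redirect_uri:
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600,
                "scope": record[2], "refresh_token": secrets.token_urlsafe(32)}


class OAuthClient:
    """The deck's 'remote system running on a server', which can hold a client secret."""

    def __init__(self, client: ClientRecord, authorize_endpoint: str):
        self.client, self.authorize_endpoint, self.pending = client, authorize_endpoint, {}

    def start(self, session_id: str, scope: str) -> str:
        """Step (1): redirect the user agent to the AS, binding a fresh state value to this session."""
        state = secrets.token_urlsafe(16)
        self.pending[session_id] = state
        return self.authorize_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client.client_id,
            "redirect_uri": self.client.redirect_uri, "scope": scope, "state": state})

    def finish(self, session_id: str, callback_url: str, auth: AuthorizationServer) -> Optional[dict]:
        """Steps (4)-(6): the user agent returns with ?code=&state=; check state, then redeem the code."""
        q = _query(callback_url)
        expected = self.pending.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected, q.get("state", "")):
            return None   # response is not tied to a request this session started
        return auth.token(self.client.client_id, self.client.client_secret,
                          q.get("code", ""), self.client.redirect_uri)


def run_flow() -> dict:
    """Happy path, then the two checks the text relies on: registered redirect URI and one-time code."""
    auth = AuthorizationServer()
    rec = ClientRecord("inbox-cleaner", secrets.token_urlsafe(24), "https://client.example/callback")
    auth.register(rec)
    app = OAuthClient(rec, "https://as.example/authorize")

    redirect = app.start("sess-1", "mail.read")
    callback = auth.authorize(redirect)          # the user consents at the AS at this point
    tokens = app.finish("sess-1", callback, auth)
    replay = auth.token(rec.client_id, rec.client_secret, _query(callback)["code"], rec.redirect_uri)
    # Same client_id, but a redirect_uri that is not the registered one.
    other_uri = redirect.replace(urlencode({"redirect_uri": rec.redirect_uri}),
                                 urlencode({"redirect_uri": "https://elsewhere.example/cb"}))
    return {"token_issued": tokens is not None and tokens["token_type"] == "Bearer",
            "code_replay_rejected": replay is None,
            "unregistered_redirect_rejected": auth.authorize(other_uri) is None}
```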
Implicit Grant
• An app running locally on a user’s device gains user consent to take an action on their behalf
• Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services (Office 365), single page web apps accessing APIs
• Implicit clients have no secret with which to authenticate themselves; we are forced to trust the user’s device’s registered URI scheme and/or DNS resolution
[Diagram: OAuth Client, Authorization Server, Resource Server, End-User’s User Agent. Steps: (1) Redirect to Authorization Server; (2) Request Access Token; (3) Return Access Token; (4) Access Token; (5) Access Token, API call; (6) Results of API call]
Resource Owner Password Grant
• A user gives their password to a client, and the client requests an Access Token on their behalf.
• Sharing passwords is fundamentally not secure, and the Resource Owner Password Grant should be avoided at all costs. If you simply must use this, have the OAuth client discard the user’s password immediately after the Access/Refresh Token is received.
• Can also get a refresh token, like the authorization code grant
[Diagram: OAuth Client, Authorization Server, Resource Server. Steps: (1) Resource Owner’s Password; (2) Access Token, Optional Refresh Token; (5) Access Token, API call; (6) Results of API call]
OpenID Connect
• OpenID Connect is a simple identity and authentication layer built on top of the OAuth2 implicit and authorization code grants
• Works essentially the same as the implicit and authorization code grants, but the client also gets an “id_token” with the user’s identity attributes (name, email, address, date of birth, etc.)
• It allows an end-user who is authenticated with one application (the OpenID Provider) to authenticate to a second application using the first application’s identity
• Think signing into a mobile or web app with your Google, Facebook or GitHub account.
• Allows you to seamlessly integrate delegation and authentication together, simplifying the developer and user experience!
OpenID Connect Terminology
• End-User: The Resource Owner. By definition, must be human
• Relying Party: The OAuth Client to which an end-user is authenticating
• OpenID Provider: The Authorization Server, in OpenID terms. Issues ID_Tokens
• ID_Token: The token that an End-User gets from their OpenID Provider to authenticate themselves to a relying party
• Flow: OpenID term for “Grant”
OpenID Connect Core Concepts
• Trusting an OpenID Provider means you may allow your user’s account to be taken over by an attacker if their account at the OpenID Provider gets taken over!
• Best practice would be to notify a user if there is a login from a new OpenID Provider, to perform the same monitoring you would for normal logins on OpenID logins, or to challenge them for a 2nd factor of authentication on a sensitive operation
• You do not need to let a client take action on an End-User’s behalf, or even issue it a valid access token at all, in OpenID Connect. You can keep it to “authentication” and remove the delegation
• OpenID Providers should ask for consent before allowing a user to authenticate to a website, and inform the user of what data they are sharing
• OpenID Connect is for humans only
• In all diagrams following, we assume the user is already authenticated to the OpenID Provider
Authorization Code Flow
• A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID Provider’s platform (e.g. Google)
[Diagram: OAuth Client, Authorization Server, Resource Server, End-User’s User Agent. Steps: (1) Redirect to OpenID Provider; (2) Request Authorization Code; (3) Return Authorization Code; (4) Authorization Code; (5) Authorization Code + Client Credential; (6) ID_Token, Optional Access Token, Optional Refresh Token; (7) Access Token, API call; (8) Results of API call]
Implicit Flow
• An app running locally on a user’s device gains user consent to take an action on their behalf
• Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services (Office 365), single page web apps accessing APIs
• Steps 5 and 6 only happen if an access token was granted
[Diagram: OAuth Client, Authorization Server, Resource Server, End-User’s User Agent. Steps: (1) Redirect to OpenID Provider; (2) Request Access Token; (3) Return Access Token; (4) ID_Token, Optional Access Token; (5) Access Token, API call*; (6) Results of API call*]
Hybrid Flow
• A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID Provider’s platform (e.g. Google)
• User authentication comes before delegation, which speeds up the user experience. Has the URI scheme/DNS security implication of the implicit grant for the user’s information
[Diagram: OAuth Client, Authorization Server, Resource Server, End-User’s User Agent. Steps: (1) Redirect to OpenID Provider; (2) Request Authorization Code, ID_Token; (3) Return Authorization Code, ID_Token; (4) Authorization Code, ID_Token; (5) Authorization Code + Client Credential; (6) Access Token, Optional Refresh Token; (7) Access Token, API call; (8) Results of API call]
References
OAuth 2.0 core RFC: https://tools.ietf.org/html/rfc6749
Access token introspection: https://tools.ietf.org/html/rfc7662
Signed JWT (JWS) RFC: https://tools.ietf.org/html/rfc7515
OpenID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html
Intro to JWTs: https://jwt.io/introduction/
Draft OAuth Device grant (emerging standard): https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15
JWT as client secret: https://tools.ietf.org/html/rfc7523
XML (SAML) as client secret: https://tools.ietf.org/html/rfc7522

More Related Content

What's hot (20)

OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
Yuichi Nakamura
 
DCC17 - Identity Server 4
DCC17 - Identity Server 4DCC17 - Identity Server 4
DCC17 - Identity Server 4
Chris Holwerda
 
JSON WEB TOKEN
JSON WEB TOKENJSON WEB TOKEN
JSON WEB TOKEN
Knoldus Inc.
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
AkshaeyBhosale
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
Yuichi Nakamura
 
DCC17 - Identity Server 4
DCC17 - Identity Server 4DCC17 - Identity Server 4
DCC17 - Identity Server 4
Chris Holwerda
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
Torsten Lodderstedt
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
AkshaeyBhosale
 

Similar to Intro to OAuth2 and OpenID Connect (20)

Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
Cory Forsyth
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Codemotion
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Access Management for Cloud and Mobile
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and Mobile
ForgeRock
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Y U No OAuth?!?
Y U No OAuth?!?Y U No OAuth?!?
Y U No OAuth?!?
Jason Robert
 
OAuth2
OAuth2OAuth2
OAuth2
SPARK MEDIA
 
OAuth
OAuthOAuth
OAuth
Tom Elrod
 
OAuth Base Camp
OAuth Base CampOAuth Base Camp
OAuth Base Camp
Oliver Pfaff
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
Amin Saqi
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
danieloskarsson
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
Cory Forsyth
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Codemotion
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Access Management for Cloud and Mobile
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and Mobile
ForgeRock
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0  - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
Amin Saqi
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
Ad

Recently uploaded (20)

Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOMEstablish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Anchore
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
angelo60207
 
How to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptxHow to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptx
Version 1 Analytics
 
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Scott M. Graffius
 
Data Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any ApplicationData Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any Application
Safe Software
 
End-to-end Assurance for SD-WAN & SASE with ThousandEyes
End-to-end Assurance for SD-WAN & SASE with ThousandEyesEnd-to-end Assurance for SD-WAN & SASE with ThousandEyes
End-to-end Assurance for SD-WAN & SASE with ThousandEyes
ThousandEyes
 
IntroSlides-May-BuildWithAi-EarthEngine.pdf
IntroSlides-May-BuildWithAi-EarthEngine.pdfIntroSlides-May-BuildWithAi-EarthEngine.pdf
IntroSlides-May-BuildWithAi-EarthEngine.pdf
Luiz Carneiro
 
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Infrassist Technologies Pvt. Ltd.
 
Boosting MySQL with Vector Search -THE VECTOR SEARCH CONFERENCE 2025 .pdf
Boosting MySQL with Vector Search -THE VECTOR SEARCH CONFERENCE 2025 .pdfBoosting MySQL with Vector Search -THE VECTOR SEARCH CONFERENCE 2025 .pdf
Boosting MySQL with Vector Search -THE VECTOR SEARCH CONFERENCE 2025 .pdf
Alkin Tezuysal
 
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to KnowWhat is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
SMACT Works
 
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and ImplementationAI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
Christine Shepherd
 
Securiport - A Border Security Company
Securiport  -  A Border Security CompanySecuriport  -  A Border Security Company
Securiport - A Border Security Company
Securiport
 
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
Edge AI and Vision Alliance
 
TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025
Suyash Joshi
 
MCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
MCP vs A2A vs ACP: Choosing the Right Protocol | BluebashMCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
MCP vs A2A vs ACP: Choosing the Right Protocol | Bluebash
Bluebash
 
Your startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean accountYour startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean account
angelo60207
 
DevOps in the Modern Era - Thoughtfully Critical Podcast
DevOps in the Modern Era - Thoughtfully Critical PodcastDevOps in the Modern Era - Thoughtfully Critical Podcast
DevOps in the Modern Era - Thoughtfully Critical Podcast
Chris Wahl
 
Agentic AI: Beyond the Buzz- LangGraph Studio V2
Agentic AI: Beyond the Buzz- LangGraph Studio V2Agentic AI: Beyond the Buzz- LangGraph Studio V2
Agentic AI: Beyond the Buzz- LangGraph Studio V2
Shashikant Jagtap
 
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOMEstablish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Establish Visibility and Manage Risk in the Supply Chain with Anchore SBOM
Anchore
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
angelo60207
 
How to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptxHow to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptx
Version 1 Analytics
 
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Scott M. Graffius
 
Data Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any ApplicationData Virtualization: Bringing the Power of FME to Any Application

Intro to OAuth2 and OpenID Connect

2. Straight to the point: OAuth
• OAuth is an IETF standard (RFC 6749) that lets an application obtain access to an HTTP service on behalf of an end-user (without the user sharing their password!), or on its own behalf.
• OAuth is not "just signed JWTs for authentication", though many OAuth implementations use signed JWTs as their token format.
• OAuth does not authenticate end-users (humans like us!) to applications.
• In practice "OAuth" means OAuth 2.0. OAuth 1.0 (RFC 5849) was obsoleted by RFC 6749.
• OpenID Connect (OIDC) is an authentication layer for end-users (humans!) built on top of OAuth 2.0.
3. OAuth 2.0 Terminology
• Client: the application that is calling an API
• Resource Server: the API that is being called
• Access Token: the credential a client presents to the resource server
• Authorization Server: the server that issues access tokens. Can also be asked whether an access token is still valid (introspection)
• Resource Owner: the person or application an access token represents. Called the "end-user" when it is a human
• Authorization Code: a short-lived, single-use code the authorization server hands back (via the end-user's browser) to the OAuth client, which then exchanges it for tokens
• Grant: mode of operation. RFC 6749 defines four core grants, each describing a use case and how the different components interact
4. OAuth Core Concepts
• Access tokens are either signed JWTs or long random strings (opaque tokens)
• A JWT can be validated locally (signature, issuer, audience, expiry) without phoning home to the authorization server. The flip side: a badly set-up deployment issues tokens that cannot be revoked before they expire, short of rotating the signing key, which disrupts every user holding a token signed with it! Keep JWT access tokens short-lived.
• A resource server receiving an opaque token has to phone home to the issuing authorization server to find out if it is still valid (token introspection, RFC 7662)
• RFC 6749 does not standardize the content of an access token: it is whatever the authorization server chooses, and clients must treat it as opaque. What RFC 7662 standardizes is the introspection response (active, scope, sub, exp, ...)
• OAuth is "delegation" and replaces the old pattern of users sharing or syncing passwords between services. Credential sharing is "impersonation", and that is risky for users
• End-users must be authenticated to both the OAuth client and the authorization server to finish "OAuthing"
• Authorization servers should always prompt humans for consent before granting a token, and tell them what permissions they are granting the OAuth client
• Authorization servers keep a registry of redirect URIs for each client and only ever redirect to one of them; this is what keeps codes and tokens from being delivered to an attacker's site
• In all diagrams following we assume the user is already authenticated to the OAuth client and authorization server
5. Client Credentials Grant
• Client Credentials grant: a system authenticates itself to the authorization server with its own credential and receives back an access token scoped to its own identity (no end-user is involved)
• Think an application that queries information from a remote API for its own usage
• Diagram (OAuth Client, Authorization Server, Resource Server): (1) OAuth client's credentials to the authorization server (2) Access token (3) Access token + API call to the resource server (4) Results of API call
6. Authorization Code Grant
• A remote system (running on a server) gains consent from a user to take an action on their behalf:
• Think entitling inbox management software to read your Gmail and unsubscribe you from spam
• Authorization code grant clients can be given a refresh token that lets them renew the user's access token without re-interacting with the user! (Best practice: refresh tokens must expire if not redeemed within a suitable time window)
• The client should send a random state value with the authorization request and check it when the code comes back, so a code that arrives without the state this session issued (a CSRF attempt) is discarded
• Diagram (OAuth Client, Authorization Server, Resource Server, End-User's User Agent): (1) Client redirects the user agent to the authorization server (2) User agent requests an authorization code (3) Authorization server returns the authorization code to the user agent (4) User agent delivers the authorization code to the client (5) Client sends authorization code + client credential to the authorization server (6) Access token, optional refresh token (7) Access token + API call to the resource server (8) Results of API call
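The terminology and core-concept slides above list several properties of this grant (registered redirect URIs, single-use authorization codes, the code being exchanged together with the client's own credential, refresh tokens that expire when idle) and the diagram shows the eight steps. The following added example is not the deck's code: it is a toy authorization server and client in Python that walk those steps in one process and show each of the refusals the server is there to make. Client id, secret, redirect URI and the time-to-live values are all constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed policy values for the example.
CODE_TTL = 60                       # seconds an authorization code stays redeemable
REFRESH_IDLE_TTL = 30 * 24 * 3600   # refresh token dies if not redeemed within this window
ACCESS_TTL = 3600


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}     # code -> the grant it was issued for
        self.refresh = {}   # refresh_token -> grant plus last-use timestamp

    def register_client(self, client_id, secret, redirect_uris):
        self.clients[client_id] = {"secret": secret, "redirect_uris": set(redirect_uris)}

    def authorize(self, client_id, redirect_uri, state, sub, scope, now=None):
        """Steps 2-3: the end-user is already authenticated here and has consented."""
        client = self.clients.get(client_id)
        # Exact match against the registry: stops a code going to a look-alike URL.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": sub, "scope": scope, "exp": now + CODE_TTL}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"  # step 4

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Steps 5-6: code plus the client's own credential, over the back channel."""
        now = time.time() if now is None else now
        self._authenticate_client(client_id, client_secret)
        grant = self.codes.pop(code, None)   # pop: a code is redeemable exactly once
        if grant is None or now > grant["exp"]:
            raise PermissionError("invalid or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = {"client_id": client_id, "sub": grant["sub"],
                                 "scope": grant["scope"], "last_used": now}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def refresh_access_token(self, client_id, client_secret, refresh_token, now=None):
        """Renew without the user present; refuse a refresh token that sat idle too long."""
        now = time.time() if now is None else now
        self._authenticate_client(client_id, client_secret)
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("unknown refresh token")
        if now - rec["last_used"] > REFRESH_IDLE_TTL:
            del self.refresh[refresh_token]
            raise PermissionError("refresh token expired through inactivity")
        rec["last_used"] = now
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TTL}


class OAuthClient:
    def __init__(self, client_id, secret, redirect_uri, auth_server):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.auth_server = auth_server
        self.pending_states = set()

    def begin(self):
        """Step 1: mint a state tied to this browser session before redirecting."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def callback(self, redirect_url, now=None):
        """Step 4 arrives: refuse any code not carrying a state this client issued."""
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("state mismatch: code was not requested by this session")
        self.pending_states.discard(state)
        return self.auth_server.token(self.client_id, self.secret,
                                      query["code"][0], self.redirect_uri, now=now)


def run_flow(now: float = 1_700_000_000.0) -> dict:
    """The full exchange, one refresh, and the four things the server must refuse."""
    auth = AuthorizationServer()
    auth.register_client("inbox-cleaner", "constructed-secret", ["https://inbox.example/cb"])
    client = OAuthClient("inbox-cleaner", "constructed-secret", "https://inbox.example/cb", auth)
    state = client.begin()
    redirect = auth.authorize("inbox-cleaner", "https://inbox.example/cb", state, "alice", "mail.read", now=now)
    tokens = client.callback(redirect, now=now)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    results = {"tokens_issued": "refresh_token" in tokens}
    results["fresh_refresh_works"] = "access_token" in auth.refresh_access_token(
        "inbox-cleaner", "constructed-secret", tokens["refresh_token"], now=now + 600)
    attempts = {
        "unregistered_redirect_refused": lambda: auth.authorize(
            "inbox-cleaner", "https://evil.example/cb", state, "alice", "mail.read", now=now),
        "code_replay_refused": lambda: auth.token(
            "inbox-cleaner", "constructed-secret", code, "https://inbox.example/cb", now=now),
        "forged_state_refused": lambda: client.callback(
            "https://inbox.example/cb?code=x&state=notours", now=now),
        "stale_refresh_refused": lambda: auth.refresh_access_token(
            "inbox-cleaner", "constructed-secret", tokens["refresh_token"],
            now=now + 600 + REFRESH_IDLE_TTL + 1),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = False
        except (ValueError, PermissionError):
            results[name] = True
    return results
```

Two design points worth noticing: the code is bound to the client and redirect URI it was issued for and popped from storage on first use, so a leaked code is worthless to anyone who cannot also present the client's secret; and the refresh token's idle timer is reset on every successful use, which is the "must expire if not redeemed within a suitable window" rule from the slide expressed as code.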
7. Implicit Grant
• An app running locally on a user's device gains user consent to take an action on their behalf
• Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services (Office 365), single page web apps accessing APIs
• Implicit clients have no secret with which to authenticate themselves - we are forced to trust the user's device's registered URI scheme and/or DNS resolution
• The access token comes back in the redirect itself (the URL fragment), where browser history, extensions and any page on the client's origin can read it, and no refresh token is issued. The OAuth 2.0 Security Best Current Practice now advises against implicit; public clients should use the authorization code grant with PKCE (RFC 7636) instead
• Diagram (OAuth Client, Authorization Server, Resource Server, End-User's User Agent): (1) Client redirects the user agent to the authorization server (2) User agent requests an access token (3) Authorization server returns the access token to the user agent (4) User agent delivers the access token to the client (5) Access token + API call to the resource server (6) Results of API call
8. Resource Owner Password Grant
• A user gives their password to a client, and the client requests an access token on their behalf
• Sharing passwords is fundamentally not secure, and the Resource Owner Password grant should be avoided at all costs. If you simply must use it, have the OAuth client discard the user's password immediately after the access/refresh token is received
• Can also get a refresh token, like the authorization code grant
• Diagram (OAuth Client, Authorization Server, Resource Server): (1) Resource owner's password to the authorization server (2) Access token, optional refresh token (3) Access token + API call to the resource server (4) Results of API call
9. OpenID Connect
• OpenID Connect is a simple identity and authentication layer built on top of the OAuth 2.0 implicit and authorization code grants
• Works essentially the same as the implicit and authorization code grants, but the client also gets an "id_token": a signed JWT carrying the user's identity attributes (name, email, address, date of birth, etc.)
• It allows an end-user who is authenticated with one application (the OpenID Provider) to authenticate to a second application using the first application's identity
• Think signing into a mobile or web app with your Google, Facebook or GitHub account
• Lets you integrate delegation and authentication together seamlessly, simplifying the developer and user experience!
10. OpenID Connect Terminology
• End-User: the resource owner. By definition, must be human
• Relying Party: the OAuth client to which an end-user is authenticating
• OpenID Provider: the authorization server, in OpenID terms. Issues ID tokens
• ID Token: the token an end-user gets from their OpenID provider to authenticate themselves to a relying party
• Flow: OpenID term for "grant"
11. OpenID Connect Core Concepts
• Trusting an OpenID provider means your user's account can be taken over by an attacker if their account at the OpenID provider is taken over!
• Best practices: notify a user when there is a login from a new OpenID provider, apply the same monitoring to OpenID logins that you apply to normal logins, and challenge for a second factor of authentication on sensitive operations
• Identify the user by the ID token's iss + sub pair, never by email address: sub is unique and never reassigned within an issuer, while an email address can change hands
• You do not need to let a client take action on an end-user's behalf, or even issue it an access token at all, in OpenID Connect. You can keep it to "authentication" and leave out the delegation
• OpenID providers should ask for consent before letting a user authenticate to a website, and tell the user what data they are sharing
• OpenID Connect is for humans only
• In all diagrams following we assume the user is already authenticated to the OpenID provider
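The relying-party side of these two slides (what to check in an ID token, and what to do when a login arrives through a provider the account has not used before) is shown in the following added example. It is not code from the deck. It assumes the ID token's JWS signature has already been verified against the provider's published keys and works on the decoded claims, running the checks from OpenID Connect Core section 3.1.3.7 (issuer, audience, azp, expiry, nonce, sub); the client id, issuer allow-list and sub values are constructed for the example.

```python
import time

# Assumed values for this example's relying party; not from any real deployment.
CLIENT_ID = "strava-web"
TRUSTED_ISSUERS = {"https://accounts.google.com"}


def validate_id_token_claims(claims: dict, expected_nonce: str, now=None) -> dict:
    """The OpenID Connect Core 3.1.3.7 checks a relying party runs on an ID token
    whose signature it has already verified against the provider's published keys."""
    now = time.time() if now is None else now
    iss = claims.get("iss")
    if iss not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer {iss!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("ID token was not issued to this relying party")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("several audiences but azp is not this client")
    if now >= claims.get("exp", 0):
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not minted for this login attempt")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return {"issuer": iss, "sub": claims["sub"]}


class RelyingParty:
    """Resolves (issuer, sub) to a local account and flags the first login
    through a provider not previously used for that account."""

    def __init__(self):
        self.accounts = {}        # (issuer, sub) -> local username
        self.seen = set()         # (local username, issuer) pairs already used to log in
        self.notifications = []   # (local username, issuer) the user should be told about
        self.pending = {}         # session id -> nonce handed out when the login started

    def link(self, local_user, issuer, sub):
        # Key on iss + sub only; an email address is neither stable nor unique across providers.
        self.accounts[(issuer, sub)] = local_user

    def begin_login(self, session_id, nonce):
        self.pending[session_id] = nonce

    def finish_login(self, session_id, claims, now=None) -> dict:
        nonce = self.pending.pop(session_id, None)
        if nonce is None:
            raise ValueError("no login in progress for this session")
        ident = validate_id_token_claims(claims, nonce, now)
        local_user = self.accounts.get((ident["issuer"], ident["sub"]))
        if local_user is None:
            return {"status": "unknown_identity", **ident}
        if (local_user, ident["issuer"]) not in self.seen:
            # First login via this provider for this account: tell the user and
            # ask for a second factor before anything sensitive, per the slide.
            self.seen.add((local_user, ident["issuer"]))
            self.notifications.append((local_user, ident["issuer"]))
            return {"status": "new_provider", "user": local_user, "step_up": True}
        return {"status": "ok", "user": local_user, "step_up": False}


def _rejected(attempt) -> bool:
    try:
        attempt()
        return False
    except ValueError:
        return True


def demo(now: float = 1_700_000_000.0) -> dict:
    """Two good logins (the first one flagged), then a replayed nonce and a wrong audience."""
    rp = RelyingParty()
    rp.link("alice", "https://accounts.google.com", "constructed-sub-1")
    good = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
            "sub": "constructed-sub-1", "exp": now + 300, "nonce": "nonce-1"}
    rp.begin_login("sess-1", "nonce-1")
    first = rp.finish_login("sess-1", good, now=now)
    rp.begin_login("sess-2", "nonce-2")
    second = rp.finish_login("sess-2", {**good, "nonce": "nonce-2"}, now=now)
    rp.begin_login("sess-3", "nonce-3")
    replay = _rejected(lambda: rp.finish_login("sess-3", good, now=now))  # nonce-1 again
    rp.begin_login("sess-4", "nonce-4")
    wrong_aud = _rejected(lambda: rp.finish_login(
        "sess-4", {**good, "nonce": "nonce-4", "aud": "someone-else"}, now=now))
    return {"first_login": first["status"], "second_login": second["status"],
            "replayed_nonce_rejected": replay, "wrong_audience_rejected": wrong_aud,
            "notifications": len(rp.notifications)}
```

The nonce is what ties an ID token to the login attempt that requested it, which is why it is minted per session and consumed on use; the audience check is what stops an ID token issued to some other relying party from being replayed against this one.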
12. Authorization Code Flow
• A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider's platform (e.g. Google)
• Diagram (OAuth Client, Authorization Server, Resource Server, End-User's User Agent): (1) Client redirects the user agent to the OpenID provider (2) User agent requests an authorization code (3) OpenID provider returns the authorization code to the user agent (4) User agent delivers the authorization code to the client (5) Client sends authorization code + client credential to the OpenID provider (6) ID token, optional access token, optional refresh token (7) Access token + API call to the resource server (8) Results of API call
13. Implicit Flow
• An app running locally on a user's device gains user consent to take an action on their behalf
• Think apps on a smart phone accessing your Instagram, modern applications on your desktop connecting to back end services (Office 365), single page web apps accessing APIs
• Steps 5 and 6 only happen if an access token was granted
• Diagram (OAuth Client, Authorization Server, Resource Server, End-User's User Agent): (1) Client redirects the user agent to the OpenID provider (2) User agent requests an ID token (and optionally an access token) (3) OpenID provider returns them to the user agent (4) User agent delivers the ID token and optional access token to the client (5) Access token + API call to the resource server* (6) Results of API call*
14. Hybrid Flow
• A user wants to sign in to a third party web application (e.g. Strava) that also wants to access additional information in their OpenID provider's platform (e.g. Google)
• User authentication comes before delegation, which speeds up the user experience. Has the URI scheme/DNS security implication of the implicit grant for the user's identity information, since the ID token travels through the front channel; the access token still comes from the back-channel code exchange
• Diagram (OAuth Client, Authorization Server, Resource Server, End-User's User Agent): (1) Client redirects the user agent to the OpenID provider (2) User agent requests an authorization code + ID token (3) OpenID provider returns the authorization code + ID token to the user agent (4) User agent delivers the authorization code + ID token to the client (5) Client sends authorization code + client credential to the OpenID provider (6) Access token, optional refresh token (7) Access token + API call to the resource server (8) Results of API call
15. References
• OAuth 2.0 core RFC: https://tools.ietf.org/html/rfc6749
• Access token introspection: https://tools.ietf.org/html/rfc7662
• JSON Web Signature (signed JWTs): https://tools.ietf.org/html/rfc7515
• OpenID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html
• Intro to JWTs: https://jwt.io/introduction/
• OAuth device grant (a draft when this deck was written; since published as RFC 8628): https://tools.ietf.org/html/draft-ietf-oauth-device-flow-15
• JWT profile for client authentication and authorization grants: https://tools.ietf.org/html/rfc7523
• SAML 2.0 assertion profile for client authentication and authorization grants: https://tools.ietf.org/html/rfc7522