OAuth 2
Some witty subtitle here if anyone can read this
Chris Wood - https://chriswoodcodes.net
Basic overview of things to cover
- What is OAuth
- Grant Types
- Tokens
OAuth
- OAuth is an authorisation framework, allowing an application to access details about you or perform operations on your behalf
- It defines various flows for that application to request access
- The application is provided a limited and short-lived credential to do what it requested of you
- This means that the application doesn’t need to know your credentials
- For example, you can create an account with an application using an account from another application, simplifying the signup process. You can also benefit from SSO.
OAuth Roles
- Resource Owner: typically the User.
- Resource Server: the API the Client wants to access.
- Client: the application requesting access to the Resource Server, on behalf of the Resource Owner.
- Authorization Server: authenticates the Resource Owner and issues tokens. May be the same service as the Resource Server.
OAuth Flow
Ref: https://docs.authlib.org/en/latest/oauth/2/intro.html
Client
- In Azure, configured as an App Registration
- Defines the Redirect URI
- Allowed Response Types
- Permissions required of a user (e.g. to access their profile photo)
- Public or Confidential
  - Public: usually SPAs or mobile apps, where the Client Secret can’t be secured
  - Confidential: where the Client Secret can be secured
- Type of app: web app (server side), SPA, mobile app, native
- Demo: App Registration in the Azure Portal
Grant Type
- Also called ‘authorization flows’
- It’s how the Client receives the token from the Authorization Server
- Either ‘interactive’ or ‘non-interactive’
- Examples include:
  - Implicit
  - ROPC/Password Grant
  - Device Code
  - Client Credential
  - Refresh Token
  - Authorisation Code
  - Authorisation Code + PKCE
Grant Type – Components
- Common components of using the different Grant Types
  - Client Id: generated by the App Registration
  - Redirect URI: specified on the App Registration
  - Scope: what the Client is requesting (appears as permissions for the User to approve)
  - Response Type: the Grant Type to use
  - Response Mode
    - Query: e.g. url?token=ASDFG
    - Fragment: url#token=ASDFG
    - Form Post: POST url, Body: ASDFG
  - State/Nonce: to help validate the request when it is returned
  - Endpoints: /authorize and /token
Grant Type – Implicit
- Response Type: token
- Interactive
- Benefits
  - Easy to use
- Negatives
  - Legacy
  - Lacks client authentication
  - Relies on the redirect URL
- Demo: <website using Implicit Flow>
Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work
Grant Type – ROPC/Password Grant
- Resource Owner Password Credential
- Allows us to get the user’s credentials and send them to a 3rd party to authenticate
- Legacy
- Might or might not be interactive
- Benefits
  - Simple
- Negatives
  - Ideally, we should never handle credentials; we don’t want the responsibility
  - Need to make sure the details aren’t leaked somewhere (e.g. logs)
  - Most services don’t support this anymore
Grant Type – Device Code
- Interactive
- The device displays a code that you enter into a web browser after logging in
- The device is then given a code to authenticate going forward
Grant Type – Client Credential
- Not interactive
- Used by Service Principals
- The application itself requests access to a resource it has been authorized for
  - Primarily through credentials such as Client Id and Client Secret
  - Alternatively, certificates can be used
Grant Type – Auth Code
- Short for Authorization Code
- Response Type: code
- Interactive
- /authorize returns a Code
- The Code is exchanged for tokens in the backend
  - /token endpoint
  - For Confidential apps, specify the Client Secret
  - The Code can only be exchanged once for a Token
  - The Token is not accessible by the User
Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work
Grant Type – Auth Code + PKCE
- Same as Auth Code, but more awesome
- Short for Proof Key for Code Exchange
- Code Verifier: cryptographically random string
- Code Challenge: SHA256 hash of the Code Verifier
- As part of the request to /authorize, the Code Challenge is provided
- In the backend, as part of exchanging the Code for a Token, we also provide the Code Verifier
- The Authorization Server will hash the Code Verifier and check that it matches the Code Challenge we sent earlier; this confirms on their side that we are the one that initiated the authorize request
- Pros
  - Even if someone malicious was able to see the Code, they wouldn’t be able to exchange the Code for a Token without knowing the Code Verifier
  - When using the Client Secret, the Authorization Server can authenticate the Client
- Cons
  - More complex to set up compared to other Grant Types
- Demo: <website using Auth Code + PKCE>
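The Code Verifier / Code Challenge exchange and the single-use Code from the two Auth Code slides, worked through as an added Python example (this is not the deck's demo code). The client id, redirect URI and endpoint are constructed placeholders, and ToyAuthorizationServer is a stand-in for the real /authorize and /token endpoints, kept only to show what the server checks.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for a hypothetical App Registration (not real identifiers).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://client.example/callback"
AUTHORIZE_ENDPOINT = "https://login.example/oauth2/v2.0/authorize"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Code Verifier: cryptographically random, 43 chars once encoded."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Code Challenge, S256 method: base64url(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str) -> str:
    """The /authorize request: Client Id, Redirect URI, Scope, Response Type, State, Challenge."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Stand-in for the Authorization Server (assumption, not a real implementation).
    It records the challenge bound to each Code and enforces single use."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> tuple:
        """/authorize: after the user signs in, return a Code plus the echoed state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return code, q["state"]

    def token(self, code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
        """/token: the Code is consumed on first use; the verifier must hash to the stored challenge."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}  # unknown or already exchanged
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            return {"error": "invalid_grant"}  # Code bound to a different client/redirect
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            return {"error": "invalid_grant"}  # seeing the Code is not enough without the verifier
        return {"access_token": "constructed-opaque-token", "token_type": "Bearer"}


def run_flow(server: ToyAuthorizationServer) -> dict:
    """Client side end to end: verifier -> challenge -> /authorize -> state check -> /token."""
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorize_url(make_code_challenge(verifier), state)
    code, returned_state = server.authorize(url)
    if not secrets.compare_digest(returned_state, state):
        return {"error": "state_mismatch"}  # response does not belong to the request we started
    return server.token(code, verifier, CLIENT_ID, REDIRECT_URI)
```

The test vector is the one from RFC 7636 Appendix B, so make_code_challenge can be checked against a known answer.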
Tokens
- These flows by default return Access and Refresh tokens
- Access token
  - Can access an API on the User’s behalf, e.g. access to their profile photo
  - Usually a JWT, but doesn’t have to be
- Refresh token
  - Only used to get newer Access and Id Tokens
  - Longer lived
  - Usually a JWT, but doesn’t have to be
- To request an Id Token, you must specify ‘openid’ in the ‘scope’ of the /authorize request (OIDC)
OIDC (OpenID Connect)
- Identity layer on top of OAuth
- Defines an Id Token, containing information about the User
  - Is a JWT (JSON Web Token)
  - Contains a standard set of claims
  - Can be extended with other claims (configured on the App Registration/Client)
- The Id Token can be used to verify information about the User, compared to an Access Token, which can perform an operation on behalf of the User
- If you only need to confirm someone's identity, the Access/Refresh tokens can be ignored
- Demo: JWT
Tokens – Validation
- Need to validate the Tokens to make sure they come from who we were expecting, and not someone pretending to be them
- Confirm the authenticity of the token
  - Signed by the Authorization Server
  - Not expired
  - Correct Issuer
  - Correct Audience
- After that, we can authorize the user (if they are signing in)
  - Includes what Role or Groups they are assigned to
  - Or, using an identifier (e.g. UPN), look up their permissions in the Client
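The four authenticity checks on this slide, followed by the role lookup, as an added Python example (not from the deck). To run offline it assumes an HS256 token signed with a constructed shared secret; the issuer, audience and claims are placeholders, and a real Azure AD token is RS256 and would be verified against the issuer's published signing keys instead, with the rest of the checks unchanged.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the demo (assumptions, not from the slides).
EXPECTED_ISSUER = "https://login.example/tenant-id/v2.0"
EXPECTED_AUDIENCE = "api://my-client-id"
SHARED_SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stands in for the Authorization Server issuing a JWT (HS256 for the demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, now: Optional[int] = None) -> Tuple[bool, str, dict]:
    """Return (ok, reason, claims). Claims are only returned once every check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", {}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", {}
    # 1. Signed by the Authorization Server: pin the algorithm we expect rather than
    #    trusting the 'alg' the token itself announces, then verify in constant time.
    if header.get("alg") != "HS256":
        return False, "unexpected_alg", {}
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad_signature", {}
    # 2. Not expired ('exp' is mandatory here; 'nbf' is honoured when present).
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired", {}
    if isinstance(claims.get("nbf"), int) and now < claims["nbf"]:
        return False, "not_yet_valid", {}
    # 3. Correct Issuer.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "bad_issuer", {}
    # 4. Correct Audience ('aud' may be a single string or a list).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "bad_audience", {}
    return True, "ok", claims


def authorize(claims: dict, required_role: str) -> bool:
    """The authorization step: only consult roles/groups from an already validated token."""
    return required_role in claims.get("roles", []) or required_role in claims.get("groups", [])
```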
Last thing, how it looks in the code
Questions?
Resources
- https://oauth.net/
- https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
- https://auth0.com/docs/protocols/protocol-oauth2

More Related Content

What's hot (20)

Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
Cleo
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
Thick client application security assessment
Thick client  application security assessmentThick client  application security assessment
Thick client application security assessment
Sanjay Kumar (Seeking options outside India)
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
Cleo
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 

Similar to OAuth 2 (20)

Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
O auth
O authO auth
O auth
Ashok Kumar N
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
OAuth2
OAuth2OAuth2
OAuth2
SPARK MEDIA
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
Kumaresh Chandra Baruri
 
OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
Sang Shin
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
axykim00
 
OAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration PresentationOAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration Presentation
Knoldus Inc.
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
Dave Syer
 
Y U No OAuth?!?
Y U No OAuth?!?Y U No OAuth?!?
Y U No OAuth?!?
Jason Robert
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
Sang Shin
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
axykim00
 
OAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration PresentationOAuth 2 Spring Boot 3 Integration Presentation
OAuth 2 Spring Boot 3 Integration Presentation
Knoldus Inc.
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications -  JavaLand 2015Stateless authentication for microservices applications -  JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
Alvaro Sanchez-Mariscal
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
Dave Syer
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Ad

Recently uploaded (20)

Compliance-as-a-Service document pdf text
Compliance-as-a-Service document pdf textCompliance-as-a-Service document pdf text
Compliance-as-a-Service document pdf text
Earthling security
 
TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025
Suyash Joshi
 
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Scott M. Graffius
 
Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.
hok12341073
 
If You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FMEIf You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FME
Safe Software
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Infrassist Technologies Pvt. Ltd.
 
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptxISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
AyilurRamnath1
 
LSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection FunctionLSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection Function
Takahiro Harada
 
Evaluation Challenges in Using Generative AI for Science & Technical Content
Evaluation Challenges in Using Generative AI for Science & Technical ContentEvaluation Challenges in Using Generative AI for Science & Technical Content
Evaluation Challenges in Using Generative AI for Science & Technical Content
Paul Groth
 
Securiport - A Border Security Company
Securiport  -  A Border Security CompanySecuriport  -  A Border Security Company
Securiport - A Border Security Company
Securiport
 
Jeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software DeveloperJeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software Developer
Jeremy Millul
 
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Anish Kumar
 
Your startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean accountYour startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean account
angelo60207
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
Data Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any ApplicationData Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any Application
Safe Software
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
Oracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI ProfessionalOracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI Professional
VICTOR MAESTRE RAMIREZ
 
Soulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate reviewSoulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate review
Soulmaite
 
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
Edge AI and Vision Alliance
 
Compliance-as-a-Service document pdf text
Compliance-as-a-Service document pdf textCompliance-as-a-Service document pdf text
Compliance-as-a-Service document pdf text
Earthling security
 
TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025
Suyash Joshi
 
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Mark Zuckerberg teams up with frenemy Palmer Luckey to shape the future of XR...
Scott M. Graffius
 
Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.
hok12341073
 
If You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FMEIf You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FME
Safe Software
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025Azure vs AWS  Which Cloud Platform Is Best for Your Business in 2025
Azure vs AWS Which Cloud Platform Is Best for Your Business in 2025
Infrassist Technologies Pvt. Ltd.
 
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptxISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
AyilurRamnath1
 
LSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection FunctionLSNIF: Locally-Subdivided Neural Intersection Function
LSNIF: Locally-Subdivided Neural Intersection Function
Takahiro Harada
 
Evaluation Challenges in Using Generative AI for Science & Technical Content
Evaluation Challenges in Using Generative AI for Science & Technical ContentEvaluation Challenges in Using Generative AI for Science & Technical Content
Evaluation Challenges in Using Generative AI for Science & Technical Content
Paul Groth
 
Securiport - A Border Security Company
Securiport  -  A Border Security CompanySecuriport  -  A Border Security Company
Securiport - A Border Security Company
Securiport
 
Jeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software DeveloperJeremy Millul - A Talented Software Developer
Jeremy Millul - A Talented Software Developer
Jeremy Millul
 
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Anish Kumar
 
Your startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean accountYour startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean account
angelo60207
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
Data Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any ApplicationData Virtualization: Bringing the Power of FME to Any Application
Data Virtualization: Bringing the Power of FME to Any Application
Safe Software
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
Oracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI ProfessionalOracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI Professional
VICTOR MAESTRE RAMIREZ
 
Soulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate reviewSoulmaite review - Find Real AI soulmate review
Soulmaite review - Find Real AI soulmate review
Soulmaite
 
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
Edge AI and Vision Alliance
 
Ad

OAuth 2

  • 1. OAuth 2 Some witty subtitle here if anyone can read this Chris Wood - https://chriswoodcodes.net
  • 2. Basic overview of things to cover  What is OAuth  Grant Types  Tokens Chris Wood - https://chriswoodcodes.net Chris Wood - https://chriswoodcodes.net
  • 3. OAuth  OAuth is an authorisation framework, allowing an application to access details about you or perform operations on your behalf  It defines various flows for that application to request access  The application is provided a limited and short lived credential to do what it requested of you  This means that the application doesn’t need to know your credentials  For example can create an account with an application using an account from another application simplifying the signup process. Can also benefit from SSO. Chris Wood - https://chriswoodcodes.net
  • 4. OAuth Roles  Resource Owner: typically the User.  Resource Server: the API the Client wants to access.  Client: the application requesting access to the Resource Server, on behalf of the Resource Owner.  Authorization Server: authenticates the Resource Owner and issues tokens. May be the same service as the Resource Server. Chris Wood - https://chriswoodcodes.net
  • 6. Client  In Azure, configured as an App Registration  Defines Redirect URI  Allowed Response Types  Permissions required of a user (i.e. to access their profile photo)  Public or Confidential  Public, usually for SPAs or mobile apps. Where the Client Secret can’t be secured  Confidential, where the Client Secret can be secured  Type of app, web app (server side, spa, mobile app, native)  Demo: App Registration in the Azure Portal Chris Wood - https://chriswoodcodes.net
  • 7. Grant Type  Also called ‘authorization flows’  It’s how the Client receives the token from the Authorization Server  Either ‘interactive’ or ‘non-interactive’  Examples include:  Implicit  ROPC/Password Grant  Device Code  Client Credential  Refresh Token  Authorisation Code  Authorisation Code + PKCE Chris Wood - https://chriswoodcodes.net
  • 8. Grant Type – Components  Common components of using the different Grant Types  Client Id: generated by the App Registration  Redirect URI: specified on the App Registration  Scope: What the Client is requesting (appears as permissions for the User to approve)  Response Type: the Grant Type to use  Response Mode  Query: i.e. url?token=ASDFG  Fragment: url#token=ASDFG  Form Post: POST url, Body: ASDFG  State/Nonce: to help validate the request when returned  Endpoints: /authorize and /token Chris Wood - https://chriswoodcodes.net
  • 9. Grant Type – Implicit  Response Type: token  Interactive  Benefits  Easy to use  Negatives  Legacy  Lacks client authentication  Relies on redirect URL  Demo: Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work Chris Wood - https://chriswoodcodes.net
  • 10. Grant Type – ROPC/Password Grant  Resource Owner Password Credential  Allows us to get the users credentials and send them to a 3rd party to authenticate  Legacy  Might/might not be interactive  Benefits  Simple  Negatives  Ideally, we should never handle credentials, we don’t want the responsibility  Need to make sure the details aren’t leaked somewhere (i.e. logs)  Most services don’t support this anymore Chris Wood - https://chriswoodcodes.net
• 11. Grant Type – Device Code
 Interactive
 Device displays a code that you enter into a web browser, after logging in
 Device is given a code to authenticate going forward
• 12. Grant Type – Client Credential
 Not interactive
 Used by Service Principals
 The application itself requesting access to a resource to which it has been authorized
 Primarily through credentials such as Client Id and Client Secret
 Alternatively, certificates can be used
• 13. Grant Type – Auth Code
 Short for Authorization Code
 Response Type: code
 Interactive
 /authorize returns a Code
 The Code is exchanged for tokens in the backend
   /token endpoint
   For Confidential apps, specify Client Secret
 Code can only be exchanged once for a Token
 Token is not accessible by the User
Ref: http://bernardopacheco.net/how-oauth-and-openid-connect-work
• 14. Grant Type – Auth Code + PKCE
 Same as Auth Code, but more awesome
 Short for Proof Key for Code Exchange
 Code Verifier: cryptographically-random string
 Code Challenge: SHA256 hash of the Code Verifier
 As part of the request to /authorize, the Code Challenge is provided
 In the backend, as part of exchanging the Code for a Token, we also provide the Code Verifier
 The Authorization Server hashes the Code Verifier and checks that it matches the Code Challenge we sent earlier; this confirms on their side that we are the one that initiated the authorize request
 Pros
   So even if someone malicious was able to see the Code, they wouldn't be able to exchange the Code for a Token without knowing the Code Verifier
   When using the Client Secret, the Authorization Server can authenticate the Client
 Cons
   More complex to set up compared to other Grant Types
 Demo:
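The following Python is an added example, not code from the talk or from any Azure SDK. It puts the components from slide 8 (client id, redirect URI, scope, response type/mode, state and nonce) together with the PKCE steps from slide 14, and plays both sides: the Client that generates the verifier and builds the /authorize request, and the Authorization Server that stores the challenge and checks the verifier at /token. The endpoint URL, client id and redirect URI are constructed placeholders, and the "server" is an in-memory stand-in rather than a real identity provider.

```python
"""Added example: Authorization Code + PKCE, client and server halves.

The endpoint, client id and redirect URI below are constructed placeholders,
not real tenant or App Registration values."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/v2.0/authorize"  # placeholder
CLIENT_ID = "00000000-0000-0000-0000-000000000000"                          # placeholder
REDIRECT_URI = "https://app.example.test/callback"                         # placeholder


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Cryptographically random verifier; 32 bytes gives 43 characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str,
                        scope: str = "openid profile") -> str:
    """The /authorize request: the challenge goes out, the verifier stays home."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",          # Auth Code grant
        "response_mode": "query",         # code comes back as ?code=...
        "scope": scope,                   # 'openid' requests an Id Token (OIDC)
        "state": state,                   # bound to this browser session
        "nonce": nonce,                   # echoed back inside the Id Token
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(url: str, expected_state: str) -> str:
    """Read the code from the redirect; refuse it if state does not match."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not tied to our request")
    return qs["code"][0]


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the Authorization Server does at /token: hash and compare."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def simulate_flow() -> bool:
    """Walk one round trip with an in-memory stand-in for the server."""
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(verifier, state, nonce)

    # Server side: record the challenge against a one-time code.
    sent = parse_qs(urlsplit(url).query)
    server_store = {"CODE123": sent["code_challenge"][0]}
    redirect = f"{REDIRECT_URI}?{urlencode({'code': 'CODE123', 'state': sent['state'][0]})}"

    # Client side: take the code back and present the verifier at /token.
    code = parse_callback(redirect, state)
    challenge = server_store.pop(code)        # a code can be exchanged only once
    return server_verifies_pkce(challenge, verifier)


if __name__ == "__main__":
    print("PKCE round trip ok:", simulate_flow())
```

`server_store.pop(code)` is what makes the code single-use, as slide 13 requires; a second exchange with the same code would fail with a KeyError in this stand-in, and with an invalid_grant error from a real server.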
• 15. Tokens
 These flows by default return Access and Refresh tokens
 Access token
   Can access an API on the User's behalf, e.g. access to their profile photo
   Usually a JWT, but doesn't have to be
 Refresh token
   Only used to get newer Access and Id Tokens
   Longer lived
   Usually a JWT, but doesn't have to be
 To request an Id Token, must specify 'openid' in the 'scope' of the /authorize request (OIDC)
• 16. OIDC (OpenID Connect)
 Identity layer on top of OAuth
 Defines an Id Token, containing information about the User
   Is a JWT (JSON Web Token)
   Contains a standard set of claims
   Can be extended with other claims (configured on the App Registration/Client)
 The Id Token can be used to verify information about the User, compared to an Access Token, which can perform an operation on behalf of the User
 If you only need to confirm someone's identity, the Access/Refresh tokens can be ignored
 Demo: JWT
• 17. Tokens – Validation
 Need to validate the Tokens to make sure they come from who we were expecting, and not someone pretending to be them
 Confirm the authenticity of the token
   Signed by the Authorization Server
   Not expired
   Correct Issuer
   Correct Audience
 After that, can authorize the user (if they are signing in)
   Includes what Role or Groups they are assigned to
   Or, using an identifier (e.g. UPN), look up their permissions in the Client
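As an added example (not the talk's code and not an Azure library), the Python below mints a JWT of the kind slide 16 describes and then validates it in the order slide 17 gives: signature first, then expiry, issuer and audience, and only after all four pass does it look at the roles claim to authorize. So that it runs offline, the token is HS256-signed with a constructed shared key; the issuer, audience and key are placeholders. Azure AD tokens are RS256-signed, so a real validator would check the signature against the tenant's public key from its JWKS endpoint instead of a shared secret, but the remaining checks are the same.

```python
"""Added example: JWT validation in the order the slide gives.

SIGNING_KEY, EXPECTED_ISSUER and EXPECTED_AUDIENCE are constructed
placeholders. HS256 is used only so the example is self-contained;
Azure AD issues RS256 tokens verified with a JWKS public key."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"                  # placeholder
EXPECTED_ISSUER = "https://login.example.test/tenant-placeholder/v2.0"  # placeholder
EXPECTED_AUDIENCE = "00000000-0000-0000-0000-000000000000"          # our Client Id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the Authorization Server: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def validate_token(token: str, key: bytes = SIGNING_KEY,
                   now: Optional[float] = None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Signed by the Authorization Server. Pin the algorithm we expect
    #    rather than trusting the one named in the token, and verify the
    #    signature before reading a single claim.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now

    # 2. Not expired (exp is seconds since the epoch).
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # 3. Correct issuer.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # 4. Correct audience; 'aud' may be a single string or a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("wrong audience")
    return claims


def validation_error(token: str, now: Optional[float] = None) -> Optional[str]:
    """The failing check's message, or None when the token is valid."""
    try:
        validate_token(token, now=now)
    except ValueError as exc:
        return str(exc)
    return None


def is_authorized(claims: dict, required_role: str) -> bool:
    """Authorization comes after authentication: consult the roles claim."""
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    issued = time.time()
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "sub": "user-1", "exp": issued + 600, "roles": ["Reader"]})
    print("valid token:", validation_error(token))
    print("expired token:", validation_error(mint_token(
        {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": issued - 1})))
    print("Reader allowed:", is_authorized(validate_token(token), "Reader"))
```

The ordering matters: a token whose signature has not been verified is just attacker-controlled JSON, so the issuer and audience strings it carries mean nothing until step 1 has passed. Pinning `alg` rather than reading it from the header is what prevents the well-known "alg: none" and algorithm-switching mistakes in hand-rolled validators.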
• 18. Last thing, how it looks in the code
• 19. Questions?
• 20. Resources
 https://oauth.net/
 https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
 https://auth0.com/docs/protocols/protocol-oauth2