
DDD Melbourne 2019 : Modern Authentication 101

There has never been more emphasis on security than in the modern environment of distributed computing and increased sharing of data. Our data no longer sits inside silos consumed by one application. In this context, modern distributed applications need to securely access protected resources without having to share passwords. We need scalable solutions that work with things like single page applications. We will dive in and explore terms like "OAuth", "OpenID Connect" and "JWT" and how they relate to authentication and authorisation. This presentation hopes to give you a good understanding of what, where and how to get started with the modern approaches to authentication.



  1. Dasith Wijesiriwardena: A Story of Identity, Set Amongst The Clouds
  2. About Me
  3. Agenda
     1. Identity & Trust > Identity, authentication and authorization > Trust and claims based identity > Parties involved
     2. Tokens > SAML and JWT
     3. OAuth and OpenID Connect > What do they solve? > Concepts and Acronyms > Main Flows
  4. Definitions. Identity: unique name of a person, device, or combination of both. Authentication: process of verifying that identity. Authorization: function of specifying access rights/privileges to resources.
  5. Definitions. Access Token: an object which represents the right to perform some operation. Identity Token: an object that aids in proving the user's identity and authenticating that user.
  6. Traditional Approach: User / Browser / UI → Credentials → Application → Lookup → User Database
  7. Identity Islands: Pet Sitting Service, Rent A Car, Flight Bookings ... "You have been pwned" (Breach)
  8. Scenario: Renting a Car. "Hi. I'm Dilbert. I like to rent your finest car." "Hi Dilbert. My name is Amy. Can you please provide a driver's license or passport?" (Trust)
  9. Claims Based Identity: "A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. The subject making the claim or claims is the provider." - Wikipedia.org
  10. Dilbert Adams' Driver's License as an Identity Token. Claims about the Subject: Name, Address, Date of birth, Photo. Issuer (Identity Provider): VicRoads. Validation: Holographic Logo.
  11. So many names... User: Subject (Sub), Resource Owner (RO). Application: Relying Party (RP), Client, Audience (Aud), Resource. Identity Provider (IdP): Authorization Server (AS), Issuing Authority (ISS), Token Issuer, Security Token Service (STS), Login Server.
  12. Modern Approach: User / Browser / UI → Credentials → Identity Provider → Token → Application (Validation); a Trust relationship exists between the Identity Provider and the Application.
  13. Recap: Authentication vs Authorization; Claims based identity; Parties involved; Traditional and modern approaches; Leveraging existing trust relationships; Terms: User, Subject, Resource Owner; Relying Party, Client; Id Provider, Auth Server, Token Issuer
  14. Passwords vs Access Tokens. Passwords: 1. Password, 2. Password. Access Tokens: 1. Password, 2. Token, 3. Token; if the token is a reference token, exchange it for identity claims from the IdP: 4. Ref Token, 5. Claims
  15. Security Assertion Markup Language: open standard for exchanging authentication and authorization data between parties.
  16. https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
  17. Anatomy of a SAML Token
  18. Anatomy of a SAML Token: Assertion
  19. Anatomy of a SAML Token: Subject
  20. Anatomy of a SAML Token: Conditions
  21. Anatomy of a SAML Token: Auth Stmnt
  22. Anatomy of a SAML Token: Attributes
  23. JSON Web Tokens: Internet standard for creating JSON-based tokens.
      Header (Algorithm & Token Type): { "alg": "HS256", "typ": "JWT" }
      Payload (Data): { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
      Signature (Verification): HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), Client Secret )
  24-27. Anatomy of a JWT (Header . Payload . Signature):
      Header: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9
      Payload: eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTE4ODA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFJa3pxRlZyU2FTYUZIeTc4MmJidGFRIiwiYXVkIjoiNmNiMDQwMTgtYTNmNS00NmE3LWI5OTUtOTQwYzc4ZjVhZWYzIiwiZXhwIjoxNTM2MzYxNDExLCJpYXQiOjE1MzYyNzQ3MTEsIm5iZiI6MTUzNjI3NDcxMSwibmFtZSI6IkFiZSBMaW5jb2xuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiQWJlTGlAbWljcm9zb2Z0LmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC02NmYzLTMzMzJlY2E3ZWE4MSIsInRpZCI6IjMzMzgwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsIm5vbmNlIjoiMTIzNTIzIiwiYWlvIjoiRGYyVVZYTDFpeCFsTUNXTVNPSkJjRmF0emNHZnZGR2hqS3Y4cTVnMHg3MzJkUjVNQjVCaXN2R1FPN1lXQnlqZDhpUURMcSFlR2JJRGFreXA1bW5PcmNkcUhlWVNubHRlcFFtUnA2QUlaOGpZIn0=
      Signature: 1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw
  28-31. Constructing a JWT: Header (JSON Data) and Payload (JSON Data) are each base64url-encoded (base64ue); Signature = Sign Function(base64ue(Header), base64ue(Payload), Secret); JWT = base64ue(Header) . base64ue(Payload) . base64ue(Signature)
  32-35. Verifying a JWT: split the JWT into base64ue(Header), base64ue(Payload) and Signature; recompute Sign Function(base64ue(Header), base64ue(Payload), Secret) and compare it with the received Signature: Is Valid?
  36-41. JWT and Driver's License: Dilbert Adams
  42. Recap: Passwords vs Tokens; Why tokens are preferred; SAML (Security Assertion Markup Language); JWT (JSON Web Token): Header, Payload, Signature; Constructing; Verifying
  43. OAuth 2.0: "OAuth 2.0 is the industry-standard protocol for authorization. It focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices." - OAuth.net
  44. History of OAuth: December 2007, OAuth 1.0 Final Draft; April 2010, standardized via IETF; October 2012, OAuth 2.0 (Implicit, Auth Code, Resource Owner, Client Credentials flows); Today, Device Code, Token Exchange etc.
  45. Limitation of OAuth: only specifies a solution to authorization concerns; no standard way of describing claims. Enter "OpenID Connect".
  46. OpenID Connect: "OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows." - OpenID.net. (Identity, Authentication) + OAuth 2.0 = OpenID Connect
  47-50. OpenID Connect Concepts (Registration, Sign Up)
      Client / Relying Party: store ClientId and Secret; pick the correct flow for public vs confidential clients; construct a HTTP request; handle the call-back; verify the token and manage its lifetime
      Issuer / IdP: allow client and user registration; discovery endpoint for metadata (".well-known/openid-configuration"): issuer, signing certificate public key, supported claims, scopes etc.; implement endpoints for Token, Authorization and UserInfo
      Subject: register and sign in to the IdP; inspect and grant consent to the requested scopes
  51-55. OpenID Connect Discovery Endpoint Example: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
  56. Token Types
      access_token: Key representing access to a resource. Can be self contained or a reference token.
      id_token: Contains identity information in the form of a (self contained) JWT.
      refresh_token: A reference token that can be used to obtain a new access_token when the current one is no longer valid.
      code (authorization code): A reference token that can be exchanged for the access_token.
  57. Endpoints
      Authorization: Performs the authorization and returns a supported combination of access_token, id_token, refresh_token, and/or code.
      Token: Exchanges a reference token (code or refresh_token) for an access_token, id_token and/or refresh_token.
      Userinfo: Exchanges the access_token for a set of claims about the identity of the subject.
  58. Application Types
      Confidential Clients: WebApp (running on backend), WebApi, Daemon Apps
      Public Clients: Single Page Apps (Javascript), Native App
      Other: Input Constrained Devices, Native App
  59. Some OAuth 2.0 Flows: Implicit grant; Authorization code grant; Hybrid flow; Token Exchange (On-behalf-of); Client credentials grant; Device code grant; Resource owner password grant*
  60. Implicit Grant Flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
  61. Implicit Grant Flow: GET https://idp.com/authorize?client_id=my_client_id&response_type=id_token&redirect_uri=callback_url&scope=openid&response_mode=fragment&state=12345&nonce=678910
  62. Implicit Grant Flow
  63. Implicit Grant Flow: GET https://localhost/myapp/#access_token=jwt_here&token_type=Bearer&expires_in=3599&scope=valid_scopes&id_token=jwt_here&state=12345
  64. Implicit Grant Flow: Authorization: Bearer access_token
  65. Authorization Code Grant Flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
  66. Authorization Code Grant Flow: GET https://idp.com/authorize?client_id=my_client_id&response_type=code&redirect_uri=callback_url&scope=openid&response_mode=query&state=12345&nonce=678910
  67. Authorization Code Grant Flow
  68. Authorization Code Grant Flow: GET https://localhost/webapp?code=reference_token_here&state=12345
  69. Authorization Code Grant Flow: GET https://idp.com/token?client_id=my_client_id&client_secret=some_secret&grant_type=authorization_code&code=reference_token_here&redirect_uri=callback_url
  70. Authorization Code Grant Flow: { "access_token": jwt_here, "token_type": "Bearer", "expires_in": 3599, "scope": consented scopes, "refresh_token": ref_token, "id_token": jwt_here }
  71. Authorization Code Grant Flow: Authorization: Bearer access_token
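Slides 66-70 show the three messages of the authorization code grant, and slide 82 recommends "Auth Code + PKCE" for native public clients, which cannot keep the `client_secret` shown on slide 69. The following is an added example, not code from the deck, that builds the slide 66 request with a PKCE code_challenge, checks the slide 68 callback, and forms the slide 69 token request as a POST form body with a `code_verifier` in place of the secret. A small stand-in authorization server is included so both ends of the exchange can be run; it, the endpoint URLs and the client_id are constructed for the example, and the token it returns is a placeholder.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(SHA-256(code_verifier)), per RFC 7636."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """A fresh random code_verifier (43 chars here, RFC 7636 allows 43-128) and its challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, pkce_challenge(verifier)


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, nonce, code_challenge):
    """Step 1 (slide 66): send the browser to the authorization endpoint with response_type=code."""
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(query)


def parse_callback(callback_url, expected_state):
    """Step 2 (slide 68): the IdP redirects back with code and state in the query string."""
    params = dict(parse_qsl(urlsplit(callback_url).query))
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to a request we made")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"]


def build_token_request(client_id, code, redirect_uri, code_verifier):
    """Step 3 (slide 69) for a public client: POST form body with the PKCE verifier, no client_secret."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


class ToyAuthorizationServer:
    """Constructed stand-in for the IdP side, just enough to show what PKCE binds together."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def issue_code(self, client_id, redirect_uri, code_challenge):
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def redeem(self, form):
        entry = self._codes.pop(form.get("code"), None)  # codes are single-use
        if entry is None:
            return None
        client_id, redirect_uri, challenge = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            return None
        # Only the party that generated the verifier at step 1 can produce this challenge.
        if not hmac.compare_digest(pkce_challenge(form.get("code_verifier", "")), challenge):
            return None
        return {"access_token": "constructed-placeholder-token", "token_type": "Bearer", "expires_in": 3599}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url("https://idp.example.test/authorize", "my_client_id",
                              "https://localhost/webapp", "12345", "678910", challenge))
    idp = ToyAuthorizationServer()
    code = idp.issue_code("my_client_id", "https://localhost/webapp", challenge)
    code = parse_callback(f"https://localhost/webapp?code={code}&state=12345", "12345")
    print(idp.redeem(build_token_request("my_client_id", code, "https://localhost/webapp", verifier)))
```

A code intercepted on its way back to a native app is useless to the interceptor without the verifier, which never leaves the client; the single-use check on the server closes the window further.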
  72. Hybrid Flow: same as the implicit flow, with an additional reference token (authorization code); exchange it for an access token using the token endpoint. https://YOUR_REDIRECT_URI/#access_token=opaque_token&expires_in=7200&token_type=Bearer&code=AUTHORIZATION_CODE&id_token=jwt
  73. Client Credentials Grant Flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow (Credentials; Admin consent required; Authorization Server; Dilbert's Driving History)
  74. Token Exchange Flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow (Authorization Server)
  75-80. Device Code Grant Flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
  81. Resource Owner Password Grant Flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
  82. Picking the right OAuth flow (decision tree)
      Public Client? Yes → Native or SPA? SPA → Implicit; Native → Auth Code + PKCE
      Public Client? No → Has an active user? No → Client Credentials; Yes → Input Constrained? Yes → Device Code; No → Legacy App? Yes → Resource Owner Password Credentials; No → Auth Code
  83. Recap: OAuth: what it solves; OpenID Connect: what it solves; Concepts; Endpoints; Picking an appropriate OAuth flow
  84. Want More? Protocol Reference: https://oauth.net; Starter Kit: https://connect2id.com/learn; Choosing Flows: https://auth0.com/docs/api-auth/which-oauth-flow-to-use; MS Identity Platform (Azure AD) Documentation; IdentityServer: https://identityserver.io; Rob Moore & Matt Davies: Modern Auth @ NDC 2016
  85. Thank you! @dasiths dasith.me
  86. COFFEE BY, WIFI BY, CHILDCARE BY
