3-8. It has helped to kill the “password anti-pattern”
OAuth is for constrained delegation to apps
• Resource owner: authorizes (consents) at run time after authenticating, at the AS
• Client: the app gets consent based on the API scopes it requested; it has its own identity distinct from the RO’s
• Authorization server: standard OAuth endpoints for authorization and access token issuance
• Resource server: some number of API endpoints that deliver the data or other value-add
Abstract flow:
(A) Authorization Request
(B) Authorization Grant
(C) Authorization Grant
(D) Access Token
(E) Access Token
(F) Protected Resource
10-13. How did it happen?
Facebook Hack
Authenticate, get access
View as… Alice
Token stolen!
Cheshire cat is ALICE!!!
14. Do it right!
• Use an ID token to represent a user
> OAuth is a vehicle for authorization, not authentication
> Numbers: Google, Azure, WeChat use OIDC
• Data minimization
• Privilege minimization (scopes)
• Other methods: the use of audience, PKCE
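Added example, not part of the deck: a Python walk through the abstract flow on slides 3-8 with the two measures slide 14 names, PKCE (RFC 7636, S256) and an audience check on an ID token. The function names (make_code_verifier, make_code_challenge, verify_pkce, audience_matches, simulate_flow), the client ids app-x / app-y and the claims are this example's own constructed values. It shows the defender's point: a captured authorization code cannot be redeemed without the verifier the real client kept, and an ID token minted for one app is not proof of identity at another.

```python
import base64
import hashlib
import secrets
import string

# Added example (not the deck's code). All names below are this example's own.

UNRESERVED = string.ascii_letters + string.digits + "-._~"   # RFC 7636 3.1 charset


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge
    from the verifier sent with the code and compare it to the one bound to the code."""
    if method != "S256":            # 'plain' is permitted by the RFC but adds nothing; refuse it
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(c not in UNRESERVED for c in presented_verifier):
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def audience_matches(claims: dict, client_id: str) -> bool:
    """Relying party side: an ID token is only for the client named in its aud claim
    (OIDC Core 3.1.3.7); aud may be a single string or a list."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return client_id in aud
    return False


def simulate_flow() -> tuple:
    """Walk the abstract flow with constructed data: (A) the request carries the challenge,
    (B)/(C) the grant is an authorization code bound to it, (D) the token request
    must carry the matching verifier. Returns (legitimate_ok, stolen_code_ok)."""
    issued_codes = {}   # AS state, constructed: code -> (client_id, challenge, method)

    # (A) The client starts the flow; only it knows the verifier.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)

    # (B) The resource owner authenticates and consents at the AS; (C) the AS returns
    # a code bound to the challenge it saw in the request.
    code = secrets.token_urlsafe(24)
    issued_codes[code] = ("app-x", challenge, "S256")

    # (D) Token endpoint: the legitimate client presents code + verifier.
    _, stored, method = issued_codes[code]
    legitimate_ok = verify_pkce(stored, method, verifier)

    # A party holding only the code (and the public challenge) has no verifier to
    # present, so redeeming the code fails.
    stolen_code_ok = verify_pkce(stored, method, make_code_verifier())
    return legitimate_ok, stolen_code_ok


if __name__ == "__main__":
    print("PKCE flow (legitimate, stolen code):", simulate_flow())
    # An ID token minted for app-x must not be accepted by app-y as proof of who the user is.
    token_claims = {"iss": "https://idp.example", "sub": "alice", "aud": "app-x"}  # constructed
    print("app-x accepts:", audience_matches(token_claims, "app-x"))
    print("app-y accepts:", audience_matches(token_claims, "app-y"))
```

Run it directly to see the flow succeed for the real client and fail for a code presented without its verifier; the audience check is the relying-party side of "use an ID token to represent a user": signature and issuer checks still come first, and this function only answers whether the token was meant for this client at all.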