
The Many Layers of OAuth, 2024


OAuth is one of the most important but most misunderstood frameworks out there. What you think it is, it probably isn’t. What it actually is, you probably hadn’t considered. Regardless, when you consider how the standards, specifications, and common practices interact and fit together, it’s impressive what you can accomplish with minimal effort.

In this session, we’ll explore the most common RFCs and implementations that are combined to make powerful, robust, and secure solutions that drive modern software development.

Keith Casey

April 25, 2024


Transcript

  1. Agenda
     - Intro
     - OAuth Vocabulary
     - The Grant Types
     - Which one when?
     - The fun / pain / truth / lies multitude of specs
     - Closing / Q&A
  2. What is OAuth 2.0?
     - It’s unrelated to OAuth 1.0
     - It’s an authorization framework; it has nothing to do with authentication.
  3. What is OpenID Connect (OIDC)?
     - It’s unrelated to OpenID
     - It’s an interoperability extension for Single Sign On.
  4. Which is better: OAuth or OpenID Connect?
     Trick question: OIDC is an extension of OAuth.
  5. Key OAuth Terms
     - Resource Owner is you
     - Resource Server is what you want to share access to
     - Grant Type (aka Flow) describes the use case
     - Tokens represent the authorization, user, or state
     - Authorization Server (aka Auth Server) creates the Tokens
     - Scopes are the permissions you request from the Auth Server
     - Claims are the key/value pairs returned from the Auth Server
  6. Key OAuth Terms (simplified)
     - Resource Owner is you
     - Resource Server is where you use the token
     - Grant Type (aka Flow) is how you get the tokens
     - Tokens are the tokens
     - Authorization Server (aka Auth Server) creates the Tokens
     - Scopes are how you request stuff in the tokens
     - Claims are the stuff in the tokens
  7. Grant Types (aka OAuth flows)
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Flow
     - Client Credential Flow
     Ref: https://datatracker.ietf.org/doc/html/rfc6749
  8. Resource Owner Password Flow
     Wait. What does that mean? The app has your creds!
     Diagram labels: User Auth; No Client Auth!
  9. Grant Types (aka OAuth flows)
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Flow
     - Client Credential Flow
  10. Grant Types (aka OAuth flows)
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Flow
     - Client Credential Flow
     Extensions
     - Authorization Code Flow with PKCE
     - SAML 2.0 Assertion Flow
     - Device Grant Type
     - Okta: Interaction Grant Type
     Ref: Various RFCs
  11. Authorization Code Flow with PKCE (RFC 7636)
     Diagram labels: User Auth; Client Auth
     Ref: https://datatracker.ietf.org/doc/rfc7636/
  12. Grant Types (aka OAuth flows), under OAuth 2.1
     - Authorization Code Flow: replaced w/ PKCE (below)
     - Implicit Flow: replaced w/ PKCE (below)
     - Resource Owner Password Flow: removed
     - Client Credential Flow
     Extensions
     - Authorization Code Flow with PKCE
     - SAML 2.0 Assertion Flow
     - Device Grant Type
     - Okta: Interaction Grant Type
     Ref: https://oauth.net/2.1/ (still a draft)
  13. Which should I use? (under OAuth 2.1)
     Does your App have an end user?
     - Yes: Auth Code with PKCE
     - No: Client Credential Flow
     * Leaves out SAML Assertion, Device Grant Type, and others
  14. OIDC: Opinionated Structure
     Scopes: openid, profile, email, address, phone
     Claims: name, given_name, email, street_address, phone_number
     And many more..
  15. More Pieces!
     - RFC 7662 Token Introspection
     - RFC 7009 Token Revocation
     - RFC 8628 Device Authorization Grant
     - RFC 7522 SAML Assertion
     - RFC 7591 Dynamic Client Registration
     - RFC 7592 Dynamic Client Management
     - OpenID Connect Metadata Discovery
     - RFC 8414 Authorization Server Metadata Discovery
     - Industry-specific: Open Banking/FAPI, FHIR (healthcare), Open Insurance, Open Energy
     Ref: https://www.oauth.com/oauth2-servers/map-oauth-2-0-specs/
  16. Figure out which combination of specs you need & they have
     * RFC 8414 is your best friend
  17. Recap
     - Intro
     - OAuth Vocabulary
     - The Grant Types
     - Which one when?
     - The fun / pain / truth / lies multitude of specs
     - Closing / Q&A
  18. FYI
     - OAuth 2.0 Simplified - https://www.oauth.com/ - Includes specs, explanations, etc
     - OAuth 2.0 Course - Includes examples, walkthroughs, etc
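Slide 16's advice ("RFC 8414 is your best friend") and the slide 13 decision tree, as an added worked example in Python. This is not code from the deck or from Keith Casey: the metadata document is constructed for the example (the issuer https://as.example.com is a placeholder, and a real client would fetch the document over HTTPS instead of reading a string), the field names are those registered by RFC 8414 and RFC 7636, and the `choose_grant` policy is simply the slide 13 rule written as code.

```python
"""RFC 8414 authorization server metadata: where it lives, what to check
before trusting it, and using it to pick a grant type (slide 13).

Added example, not from the deck. SAMPLE_METADATA below is constructed for
this example; as.example.com is a placeholder issuer.
"""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known suffix goes between host and path,
    so a multi-tenant issuer https://as/tenant becomes
    https://as/.well-known/oauth-authorization-server/tenant."""
    p = urlsplit(issuer)
    path = p.path.rstrip("/")
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + path, "", ""))


def validate_metadata(issuer: str, raw: str) -> dict:
    """Parse a metadata document and apply the checks RFC 8414 requires."""
    doc = json.loads(raw)
    # Section 3.3: the returned issuer MUST be identical to the issuer we
    # inserted into the well-known URL. Without this check a document served
    # from an attacker-controlled host could redirect us to its own endpoints.
    if doc.get("issuer") != issuer:
        raise ValueError("issuer mismatch")
    p = urlsplit(issuer)
    if p.scheme != "https" or p.query or p.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    if "response_types_supported" not in doc:
        raise ValueError("response_types_supported is REQUIRED")
    # Endpoints that will receive codes, tokens, or credentials must be https.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri",
                "introspection_endpoint", "revocation_endpoint"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not https")
    return doc


def choose_grant(doc: dict, has_end_user: bool) -> str:
    """Slide 13 rule: end user -> authorization_code with PKCE S256;
    no end user -> client_credentials. Refuse rather than fall back."""
    # Section 2: when grant_types_supported is absent the default is these two.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if has_end_user:
        if "authorization_code" not in grants:
            raise ValueError("server does not support authorization_code")
        if "S256" not in doc.get("code_challenge_methods_supported", []):
            raise ValueError("server does not advertise PKCE S256")
        return "authorization_code"
    if "client_credentials" not in grants:
        raise ValueError("server does not support client_credentials")
    return "client_credentials"


# Constructed sample document (placeholder issuer, not a real server).
ISSUER = "https://as.example.com"
SAMPLE_METADATA = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/oauth2/keys",
    "introspection_endpoint": ISSUER + "/oauth2/introspect",   # RFC 7662
    "revocation_endpoint": ISSUER + "/oauth2/revoke",          # RFC 7009
    "response_types_supported": ["code"],
    "grant_types_supported": [
        "authorization_code",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:device_code",        # RFC 8628
    ],
    "code_challenge_methods_supported": ["S256"],
})


if __name__ == "__main__":
    print(metadata_url(ISSUER))
    doc = validate_metadata(ISSUER, SAMPLE_METADATA)
    print("browser app  ->", choose_grant(doc, has_end_user=True))
    print("backend job  ->", choose_grant(doc, has_end_user=False))
```

The issuer comparison is the check most often skipped in hand-rolled clients; the document is only as trustworthy as the URL you derived it from, which is why it is compared against the value you started with rather than taken at face value.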
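The "Client Auth" label on the slide 11 PKCE diagram, as an added worked example in Python (not code from the deck or from Keith Casey). The `AuthorizationServer` class is a toy stand-in for the /authorize and /token endpoints with an in-memory dict in place of real storage (an assumption of this example); the verifier and challenge derivation follow RFC 7636 exactly, and the run shows why a public client with no secret still gets client binding: whoever steals the authorization code cannot redeem it without the code_verifier.

```python
"""PKCE (RFC 7636) round trip between a public client and an authorization
server. Added example, not from the deck; AuthorizationServer is a toy
stand-in with an in-memory dict instead of real storage (assumption).
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random octets encode to 43 characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self):
        # code -> (client_id, code_challenge); removed on first redemption
        self._pending = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # OAuth 2.1 drops the "plain" method, so only S256 is accepted here.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        entry = self._pending.pop(code, None)  # pop: a code is redeemable once
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 section 4.1 bounds
            return {"error": "invalid_grant"}
        stored_challenge = entry[1]
        # Constant-time compare of the recomputed challenge with the stored one.
        if not secrets.compare_digest(make_code_challenge(code_verifier),
                                      stored_challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(intercepted: bool = False) -> dict:
    """Legitimate client, or an attacker who captured the code but not the
    verifier (e.g. via a hijacked custom-URL-scheme redirect)."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("spa-client", make_code_challenge(verifier))
    if intercepted:
        # The attacker never saw the verifier, so any guess fails.
        return server.token("spa-client", code, make_code_verifier())
    return server.token("spa-client", code, verifier)


if __name__ == "__main__":
    print(run_flow())                  # access_token issued
    print(run_flow(intercepted=True))  # {'error': 'invalid_grant'}
```

Two details carry the security argument: the challenge is stored at authorization time and only the verifier is sent at token time, so the code alone is worthless to an interceptor, and the code is popped on first use, so a race between the attacker and the real client cannot yield two tokens.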