The Many Layers of OAuth

Keith Casey
May 22, 2023
OAuth is one of the most important but most misunderstood frameworks out there. What you think it is, it probably isn’t. What it actually is, you probably hadn’t considered. Regardless, when you consider how the standards, specifications, and common practices interact and fit together, it’s impressive what you can accomplish with minimal effort.

In this session, we’ll walk through the most common RFCs that are combined to make the powerful, robust, and secure solutions that drive modern software development.

Transcript

  1. © ngrok. All rights reserved. Confidential Information of ngrok
     Agenda: 01 Intro · 02 OAuth Vocabulary · 03 The Grant Types · 04 Which one when? · 05 The fun pain truth lies multitude of specs · 06 Closing / Q&A
  2. Who am I? https://www.youtube.com/@geekamongthetrees
  3. What is OAuth 2.0? It’s unrelated to OAuth 1.0
  4. What is OpenID Connect (OIDC)? It’s unrelated to OpenID
  5. Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth
  6. Authentication vs. Authorization
  7. Key OAuth Terms
     - Resource Owner is you
     - Grant Type (aka Flow) describes the use case
     - Tokens represent the authorization, user or state
     - Authorization Server (aka Auth Server) creates the tokens
     - Scopes are the permissions you request from the Auth Server
     - Claims are the fields & data returned from the Auth Server
     - Resource Server is where you use the auth and id tokens
  8. Key OAuth Terms (simplified)
     - Resource Owner is you
     - Grant Type: how you get the tokens
     - Tokens are the tokens
     - Authorization Server creates the tokens
     - Scopes: how you request stuff in the token
     - Claims: the stuff in the token
     - Resource Server: where you use the token
  9. Grant Types (aka OAuth flows)
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Flow
     - Client Credentials Flow
  10. Resource Owner Password Flow: User Auth, No Client Auth! Wait. What does that mean!? The app has your creds!
  11. Grant Types (aka OAuth flows)
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Flow
     - Client Credentials Flow
  12. Grant Types (aka OAuth flows)
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Flow
     - Client Credentials Flow
     Extensions
     - Authorization Code Flow with PKCE
     - SAML 2.0 Assertion Flow
     - Device Grant Type
     - Okta: Interaction Grant Type
  13. Authorization Code Flow with PKCE (RFC 7636): User Auth, Client Auth
  14. SAML 2.0 Assertion Flow: Client Auth, No User Auth!?
  15. Grant Types (aka OAuth flows)
     - Authorization Code Flow
     - Implicit Flow - deprecated in favor of Auth Code+PKCE
     - Resource Owner Password Flow - not recommended
     - Client Credentials Flow
     Extensions
     - Authorization Code Flow with PKCE
     - SAML 2.0 Assertion Flow
     - Device Flow
     - Okta: Interaction Grant Type
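Slides 13 and 15 name Authorization Code Flow with PKCE (RFC 7636) as the replacement for Implicit. The following is an added example, not code from the talk, showing the PKCE mechanics end to end; `ToyAuthServer` is a hypothetical in-memory stand-in for the authorization server's authorize and token endpoints, so nothing here touches a real provider.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes encode to 43 chars, the minimum RFC 7636 section 4.1 allows (max 128)
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # permitted by the RFC but gives no protection; always prefer S256
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")

class ToyAuthServer:
    """Hypothetical in-memory stand-in for an auth server's /authorize and /token endpoints."""
    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code  # would travel back to the client on the redirect URI

    def token(self, code: str, code_verifier: str) -> bool:
        entry = self._codes.pop(code, None)  # codes are single-use, match or not
        if entry is None:
            return False
        challenge, method = entry
        return hmac.compare_digest(make_code_challenge(code_verifier, method), challenge)

def run_flow(interceptor_has_code_only: bool = False) -> bool:
    """The real client redeems its code; a party holding only the code cannot."""
    server = ToyAuthServer()
    verifier = make_code_verifier()  # never leaves the client
    code = server.authorize(make_code_challenge(verifier), "S256")
    if interceptor_has_code_only:
        return server.token(code, make_code_verifier())  # a fresh guess, not the original
    return server.token(code, verifier)
```

The S256 transform matches the RFC 7636 Appendix B test vector, which is a quick way to check any PKCE client or server you write.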
  16. Notice: NOT authentication
  17. JWTs to the Rescue! (JSON Web Tokens)
  18. Ha. You wish.
  19. So then what do we do?
  20. OpenID Connect FTW
  21. OIDC: Opinionated Structure
     • openid • profile • email • address • phone
     • name • given_name • email • street_address • phone_number
     And many more..
  22. More Pieces!
     • RFC 6749 OAuth Core
     • RFC 7519 JSON Web Token
     • RFC 7662 Token Introspection
     • RFC 7009 Token Revocation
     • OpenID Connect Specification
     • RFC 8414 Authorization Server Metadata Discovery
  23. More Pieces! (same list) - The second most important RFC of all
  24. “We support OAuth” is a meaningless statement
  25. “We support OpenID Connect” is useful (for SSO)
  26. Figure out which combo of specs you need & they have. *RFC 8414 is your best friend
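Slide 26's advice, "figure out which combo of specs you need and they have", is exactly what RFC 8414 metadata is for. As an added example (not code from the talk), the function below takes a constructed sample of the JSON a client would fetch from `/.well-known/oauth-authorization-server`, enforces the RFC 8414 issuer check, and reports which of the specs from the "More Pieces!" list the server actually advertises; the hostnames and the `CHECKS` names are assumptions made up for the example.

```python
import json

# Constructed sample of an RFC 8414 metadata document, the JSON a client fetches from
# https://<issuer>/.well-known/oauth-authorization-server. Hostnames/values are illustrative.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://auth.example",
    "authorization_endpoint": "https://auth.example/authorize",
    "token_endpoint": "https://auth.example/token",
    "introspection_endpoint": "https://auth.example/introspect",
    "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# RFC 8414: when grant_types_supported is absent, the default is these two grants.
DEFAULT_GRANTS = ["authorization_code", "implicit"]

# Each spec from the "More Pieces!" list, mapped to the metadata field that advertises it.
CHECKS = {
    "RFC 6749 authorization_code grant": lambda m: "authorization_code" in m.get("grant_types_supported", DEFAULT_GRANTS),
    "RFC 6749 client_credentials grant": lambda m: "client_credentials" in m.get("grant_types_supported", DEFAULT_GRANTS),
    "RFC 7636 PKCE with S256": lambda m: "S256" in m.get("code_challenge_methods_supported", []),
    "RFC 7662 token introspection": lambda m: "introspection_endpoint" in m,
    "RFC 7009 token revocation": lambda m: "revocation_endpoint" in m,
    "OpenID Connect (openid scope advertised)": lambda m: "openid" in m.get("scopes_supported", []),
}


def check_metadata(metadata_json: str, expected_issuer: str, needed: list[str]) -> dict[str, bool]:
    """Parse the metadata and report, per needed spec, whether the server advertises it."""
    m = json.loads(metadata_json)
    # RFC 8414 section 3.3: the issuer inside the document must equal the issuer it was fetched for,
    # otherwise a document served from somewhere else could impersonate the server.
    if m.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {m.get('issuer')!r} != {expected_issuer!r}")
    unknown = set(needed) - set(CHECKS)
    if unknown:
        raise KeyError(f"no check defined for {sorted(unknown)}")
    return {name: bool(CHECKS[name](m)) for name in needed}


def missing_specs(metadata_json: str, expected_issuer: str, needed: list[str]) -> list[str]:
    """The subset of needed specs the server does not advertise (empty means 'go ahead')."""
    return [n for n, ok in check_metadata(metadata_json, expected_issuer, needed).items() if not ok]
```

Run against the sample, the only gap reported is token revocation (no `revocation_endpoint`), which is the kind of answer "we support OAuth" never gives you.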
  27. Recap: 01 Intro · 02 OAuth Vocabulary · 03 The Grant Types · 04 Which one when? · 05 The fun pain truth lies multitude of specs · 06 Closing / Q&A