Understanding OAuth and OpenID for Authentication
Simple Forms
Username
Password
Set-Cookie: session-id=bdotnet; Max-Age=96000
- Hash Password
- Verify Hash
- Lookup user info
- Lookup authorization info
Downsides
Security
Maintenance
OAuth 2.0 and OpenID Connect are becoming industry standards for solving this problem
Identity Use Cases
Simple Login (Forms & Cookies)
Single Sign-On Across Sites (SAML)
Mobile Login (???)
Delegated Authorization (???)
Delegated Authorization with OAuth 2.0
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
OAuth 2.0 Terminology
Resource Owner
Client
Authorization Server
Resource Server
Authorization Grant
Redirect URI
Access Token
OAuth Authorization Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: code
Back to redirect URI with Authorization Code
Exchange Authorization Code for Access-Token
contacts.google.com
talk to resource server with access_token
More OAuth 2.0 Terminology
Scopes
Consent
OAuth Authorization Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: code
Back to redirect URI with Authorization Code
Exchange Authorization Code for Access-Token
contacts.google.com
talk to resource server with access_token
Scope: profile contacts
Starting the Flow
https://accounts.google.com/o/oauth2/v2/auth?client_id=312370492854-3n758q04mrmd7ghtp5v37gk9pcd4ahkn.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauthdebugger.com%2Fdebug&scope=profile&response_type=code&response_mode=form_post&nonce=bgaep7f128
Exchange the code for access token
POST {tokenEndpoint}
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
code=4/igGq6waXM9dbMmvLG5UiOpCREKhy0EsM
client_id=312370492854-3n758q04mrmd7ghtp5v3
client_secret={clientSecret}
redirect_uri=https%3A%2F%2Foauthdebugger.com%2Fdebug
Use the Access Token
GET api.google.com/some-end-point
Authorization: Bearer kjdfirhlk093r7jhksdklcjklfkhjkvgyfas
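The three steps above (authorize request, callback carrying the code, back-channel exchange) as an added example that is not part of the slides: a minimal Python client using only the standard library. It makes no network calls, returns the token request for inspection, and the token endpoint URL is a placeholder standing in for the slide's {tokenEndpoint}.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # endpoint from the slide
TOKEN_ENDPOINT = "https://authz.example/token"  # placeholder for the slide's {tokenEndpoint}


def start_flow(client_id, redirect_uri, scope):
    """Build the authorize URL plus the state/nonce the client must store in its session."""
    state = secrets.token_urlsafe(16)   # ties the callback to this browser session
    nonce = secrets.token_urlsafe(16)   # echoed back inside the ID token (OpenID Connect)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def handle_callback(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect back to the client before the code is trusted."""
    parts = urlsplit(callback_url)
    # The URI must match the registered one exactly (scheme, host, path), never a prefix.
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != registered_redirect_uri:
        raise ValueError("callback arrived at an unregistered redirect URI")
    qs = parse_qs(parts.query)
    if "error" in qs:
        raise ValueError("authorization server returned: " + qs["error"][0])
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback does not belong to our request")
    return qs["code"][0]


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Build the back-channel POST that swaps the one-time code for an access token."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # stays on the client's server, never in the browser
        "redirect_uri": redirect_uri,    # must equal the value sent in start_flow
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body
```

The slide's request uses response_mode=form_post, in which case the code and state arrive in a POST body rather than the query string; the same checks apply to those fields.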
OAuth Flows
Authorization Code
Implicit Flow
Resource Owner Password Credentials
Client Credentials
OAuth Implicit Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: token
Back to redirect URI with Access Token
Identity Use Cases (~2014)
Simple Login (OAuth 2.0) Authentication
Single Sign-On Across Sites (OAuth 2.0) Authentication
Mobile Login (OAuth 2.0) Authentication
Delegated Authorization (OAuth 2.0) Authorization
OAuth 2.0 and OpenID Connect
OpenID Connect
OAuth 2.0
OpenID Connect for Authentication
OAuth 2.0 for Authorization
OAuth + OpenID Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: code
Back to redirect URI with Authorization Code
Exchange Authorization Code for Access-Token
accounts.google.com/userinfo
talk to resource server with access_token
Scope: openid profile
Identity Use Cases (NOW)
Simple Login (OpenID Connect) Authentication
Single Sign-On Across Sites (OpenID Connect) Authentication
Mobile Login (OpenID Connect) Authentication
Delegated Authorization (OpenID Connect) Authorization
Authentication & Authorization Using .NET Core
By Arun Selva Kumar