Simple Forms
Username
Password
Set-Cookie: session-id: bdotnet; max-age: 96000
- Hash Password
- Verify Hash
- Lookup user info
- Lookup authorization info
Downsides
Security
Maintenance
OAuth 2.0 and OpenID Connect are becoming industry standards for solving this problem
Identity Use Cases
Simple Login (Forms & Cookies)
Single Sign-On Across Sites (SAML)
Mobile Login (???)
Delegated Authorization (???)
Delegated Authorization with OAuth 2.0
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
OAuth 2.0 Terminology
Resource Owner
Client
Authorization Server
Resource Server
Authorization Grant
Redirect URI
Access Token
OAuth Authorization Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: code
Back to redirect URI with Authorization Code
Exchange Authorization Code for Access-Token
contacts.google.com
talk to resource server with access_token
More OAuth 2.0 Terminology
Scopes
Consent
OAuth Authorization Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: code
Back to redirect URI with Authorization Code
Exchange Authorization Code for Access-Token
contacts.google.com
talk to resource server with access_token
Scope: profile contacts
Starting the Flow
http://accounts.google.com/o/oauth2/v2/auth?client_id=312370492854-3n758q04mrmd7ghtp5v37gk9pcd4ahkn.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauthdebugger.com%2Fdebug&scope=profile&response_type=code&response_mode=form_post&nonce=bgaep7f128
Exchange the code for access token
POST {tokenEndpoint}
Content-Type: application/x-www-formurlencoded
grant_type=authorization_code
code=4/igGq6waXM9dbMmvLG5UiOpCREKhy0EsM
client_id=312370492854-3n758q04mrmd7ghtp5v3
client_secret={clientSecret}&redirect_uri=https%3A%2F%2Foauthdebugger.com%2Fdebug
Use the Access Token
GET api.google.com/some-end-point
Authorization: Bearer kjdfirhlk093r7jhksdklcjklfkhjkvgyfas
OAuth Flows
Authorization Code
Implicit Flow
Resource Owner Password Credentials
Client Credentials
OAuth Implicit Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: token
Back to redirect URI with Access Token
Identity Use Cases (~2014)
Simple Login (OAuth 2.0) Authentication
Single Sign-On Across Sites (OAuth 2.0) Authentication
Mobile Login (OAuth 2.0) Authentication
Delegated Authorization (OAuth 2.0) Authorization
OAuth 2.0 and Open ID Connect
OpenID Connect
OAuth 2.0
OpenID Connect for Authentication
OAuth 2.0 for Authorization
OAuth + OpenID Flow
Connect with Google
Username
Password
accounts.google.com
Allow Yelp to access your contacts?
yelp.com/callback
Goto: Authorization Server
Redirect URI: yelp.com/callback
Response-Type: code
Back to redirect URI with Authorization Code
Exchange Authorization Code for Access-Token
accounts.google.com/userinfo
talk to resource server with access_token
Scope: openid profile
Identity Use Cases (NOW)
Simple Login (OpenID Connect) Authentication
Single Sign-On Across Sites (OpenID Connect) Authentication
Mobile Login (OpenID Connect) Authentication
Delegated Authorization (OpenID Connect) Authorization