Donuts.js 8/8/2018
Bruce Campbell
*Not Church Specific
A standard way to secure and share a resource
Particularly good at access delegation... granting access from one app to another without giving out your password
👨🏼💼
🧡
Do you want to grant
the access to...
☑️ Friendlist
☑️ Birthday
☑️ Email Address
☑️ Post to your timeline
Yes
No
👨🏼💼
👨🏼💼
👨🏼💼
App
Auth Provider
What can be done
Who the current user is and their presence in the application
vs
(AuthZ)
(AuthN)
OAuth 2.0
OpenID Connect
The User
The API/Resource your application is trying to use
The server the user interacts with to approve or deny requests to access their account, as well as the source of tokens
The application attempting to access a resource on a User's behalf
identifier (or username) that identifies a client to the authorization server
uh... the password
The process utilized to grant applications access to resources
What am I allowing the application to do on my behalf?
Strings that might be opaque, representing scopes and expiration/duration of access
A means of representing a relationship between 2 things
/authorize
/token
/revoke (RFC 7009)
/register (RFC 7591)
The token given to the application to access the protected resource on the user or application's behalf
The token given to the application to request a new access token on its expiration
*Contents of these tokens are not specified in OAuth 2.0 Core*
Images found from: http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/
Utilized in Implicit and Authorization Code Flows as a whitelist of URIs that are allowed to use the client_id
Utilized with Redirect URIs by those who want to be more secure or as a way to persist data through the trip to the authorization server
There isn't a standard list...
Browser
node.js
app server
service a
service b
Architecture
Auth
Server
"client"
"user"
Browser
service a
service b
Auth
Server
"client"
"user"
User navigates to https://myapp.lds.org/demo
node.js
app server
Browser
service a
service b
Auth
Server
"client"
"user"
app server sends a redirect to the login screen
and the browser follows the redirect
node.js
app server
Browser
service a
service b
Auth
Server
"client"
"user"
User authenticates...
submitting credentials to the auth server
node.js
app server
Browser
service a
service b
Auth
Server
"client"
"user"
Auth Server responds with a redirect back to the app server... and includes an "authorization code"
node.js
app server
auth code
Browser
service a
service b
Auth
Server
"client"
"user"
The app server exchanges the auth code for
a pair of tokens (access & refresh)
node.js
app server
auth code
tokens
Browser
service a
service b
Auth
Server
"client"
"user"
app server needs data to render the page so...
makes an api call and includes the access token
node.js
app server
access token
Browser
service a
service b
Auth
Server
"client"
"user"
"service a" verifies the access token using it's own client id and client secret
node.js
app server
access token
👍
Browser
service a
service b
Auth
Server
"client"
"user"
"service a" responds with the data, the app server renders the page and responds to the browser
node.js
app server
👞 👟 👠
👡 👢