Implementing Modern Identity
and Sign In With Apple
Ado Kukic
Sr. Developer Advocate Engineer
Auth0
@kukicado
Authentication Used to be Easy*
* Not really
@kukicado
@kukicado
Traditional Application
{ username / password }
{ sid 123 }
@kukicado
Traditional Authentication
{ sid 123 }
{ html }
@kukicado
Traditional Authentication
Modern Auth is Complex
Grant Types
Scopes
Auth Flows
@kukicado
4 Types of Authentication
Web
API
SPA
Native
@kukicado
OAuth 2.0
An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
An open standard for access delegation.
@kukicado
OpenID Connect
An authentication layer built on top of OAuth 2.0, allowing clients to verify the identity of an end-user based on the authentication performed by an authorization server.
@kukicado
An authentication layer built on top of OAuth 2.0
OAuth 2.0 Roles
Resource Owner
Resource Server
Client
Authorization Server
Tokens in OAuth 2.0
Id Token
Refresh Token
Access Token
@kukicado
OAuth 2.0 Flows
Authorization Code
Authorization Code with Proof Key for Code Exchange (PKCE)
Native
Client Credentials
@kukicado
Device
Traditional
Web Application
Authorization Code Flow
@kukicado
Baseline
{ html }
@kukicado
/callback?code={123}
{ tokens }
{ sid 123 }
Authentication
@kukicado
{ html }
Authenticated
@kukicado
API
Backend
Client Credentials Grant Flow
@kukicado
Baseline
{ json }
{ json }
@kukicado
api.weather.com
myweatherapp.com
Authentication
@kukicado
curl --request POST \
--url https://accounts.weather.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"3zSueXFGn4SBaM2YxvXJsRAVgltikrFk",
"client_secret":"8YJD05dUgLO9FVqKA6UEx8FEXa4Py4PjRqG79Qcw8Fkr2uTTfJ5GIkpZLdJl2feJ",
"audience":"http://myweatherapp.com",
"grant_type":"client_credentials"}'
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5qZEdSalJHTTBOQk1ERkdNVEF6UXpCQk56VkdOVUpGTmpNMU16WkZSak5CUmtZM01VVkRNZyJ9.eyJpc3MiOiJodHRwczovL2Fkb2JvdC5hdXRoMC5jb20vIiwic3ViIjoiM3pTdWVYRkduNFNCYU0yWXh2WEpzUkFWZ2x0aWtyRmtAY2xpZW50cyIsImF1ZCI6Imh0dHA6Ly9tb3ZpZWFuYWx5c3QuY29tIiwiaWF0IjoxNTU0NzQxNzA4LCJleHAiOjE1NTQ4MjgxMDgsImF6cCI6IjN6U3VlWEZHbjRTQmFNMll4dlhKc1JBVmdsdGlrckZrIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.c5WiNoR87yC-tQo-WU2lMVKr5Vv4aJpCovQ0b2IDoBulk1L4W48qPHIuvFKxP-U7TGmBu0QQZNBnd_sgixlD3YCfrxn7V8G3M-FJF5YBnAdfn_yBYxKMoNYBbDSWLl70KfgjwhsPB8UA4p5iSQLEYkb9aVelJJehl7-7otxoT22uJ6X3cnMCmWKBbyZdtRvqbvPnxkrnBFn1Hp3uO7qThhIrUpCHP0ohVcXXNEIdr9pl_4aFXNOulKtnEs5p6XijaGdDtsxtiAgKAGIxrkigCmLc-L0zVyIbU6Db-q2QePqW0PuJElo6_Ye7N7dm_q-KoHy1wdAmPp2IalS0wjxJbQ",
"token_type": "Bearer"
}Authenticated
{ json }
{ json }
@kukicado
curl --request GET \
--url https://api.weather.com/zip/89166 \
--header 'content-type: application/json' \
--header 'Authorization: Bearer eyJhbGc...'
Native
Android, iOS, Desktop, SPA, Hybrid, ...
Authorization Code with PKCE Grant Flow
@kukicado
Baseline
{ json }
@kukicado
Authentication
{ code_challenge }
code={123}
@kukicado
let code_verifier = "The quick brown fox jumps over the lazy dog";
let challenge = sha256(code_verifier);
let code_challenge = {
message: challenge //d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592,
alg : "SHA256"
};
Authentication
{ code={123} code_verifier }
@kukicado
Authenticated
{ json }
{ json }
@kukicado
Getting New Tokens via Refresh Token
{ json }
{ json }
@kukicado
Summary
@kukicado
Modern authentication is complex.
OAuth 2.0 offers solutions / flows for most use cases.
Implementing OAuth 2.0 can provide a competitive advantage.
Resources
@kukicado
OAuth 2.0 Official Website
https://oauth.net/2/
OAuth 2.0 Complete Guide
http://bit.ly/oauth-complete
OAuth 2.0 Scopes
http://bit.ly/oauth-scopes
Sign in With Apple
@kukicado
Why?
1.4 Billion Apple Devices in the wild
50%+ iPhones already on iOS 13
If using social login on iOS must support by April 2020
@kukicado
Challenges
Focus on end user privacy with Hide My Email
Multiple flows to support - Native and Web
Limited access from CIAM perspective
@kukicado
Auth0 + Sign In With Apple
Add with the flip of a switch
Account linking and progressive profiling
Call your APIs
@kukicado
Demo Time!
Thank you!
@kukicado
Implementing Modern Identity and SIWA
By Ado Kukic
