Implementing Modern Identity and Sign In With Apple

Ado Kukic

Sr. Developer Advocate Engineer

Auth0

@kukicado

Authentication Used to be Easy*

* Not really

Traditional Application

{ username / password }

{ sid 123 }

Traditional Authentication

{ sid 123 }

{ html }

Traditional Authentication

Modern Auth is Complex

Grant Types

Scopes

Auth Flows

4 Types of Authentication

Web

API

SPA

Native

OAuth 2.0

An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

An open standard for access delegation.

OpenID Connect

An authentication layer built on top of OAuth 2.0, allowing clients to verify the identity of an end-user based on the authentication performed by an authorization server.

An authentication layer built on top of OAuth 2.0

OAuth 2.0 Roles

Resource Owner

Resource Server

Client

Authorization Server

Tokens in OAuth 2.0

ID Token

Refresh Token

Access Token

OAuth 2.0 Flows

Authorization Code

Authorization Code with Proof Key for Code Exchange (PKCE)

Native

Client Credentials

Device

Traditional

Web Application

Authorization Code Flow

Baseline

{ html }

/callback?code={123}

{ tokens }

{ sid 123 }

Authentication

{ html }

Authenticated

API

Backend

Client Credentials Grant Flow

Baseline

{ json }

{ json }

api.weather.com

myweatherapp.com

Authentication

# Request: the backend exchanges its client credentials for an access token
curl --request POST \
  --url https://accounts.weather.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"3zSueXFGn4SBaM2YxvXJsRAVgltikrFk",
"client_secret":"8YJD05dUgLO9FVqKA6UEx8FEXa4Py4PjRqG79Qcw8Fkr2uTTfJ5GIkpZLdJl2feJ",
"audience":"http://myweatherapp.com",
"grant_type":"client_credentials"}'

# Response: a bearer access token to present to api.weather.com
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5qZEdSalJHTTBOQk1ERkdNVEF6UXpCQk56VkdOVUpGTmpNMU16WkZSak5CUmtZM01VVkRNZyJ9.eyJpc3MiOiJodHRwczovL2Fkb2JvdC5hdXRoMC5jb20vIiwic3ViIjoiM3pTdWVYRkduNFNCYU0yWXh2WEpzUkFWZ2x0aWtyRmtAY2xpZW50cyIsImF1ZCI6Imh0dHA6Ly9tb3ZpZWFuYWx5c3QuY29tIiwiaWF0IjoxNTU0NzQxNzA4LCJleHAiOjE1NTQ4MjgxMDgsImF6cCI6IjN6U3VlWEZHbjRTQmFNMll4dlhKc1JBVmdsdGlrckZrIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.c5WiNoR87yC-tQo-WU2lMVKr5Vv4aJpCovQ0b2IDoBulk1L4W48qPHIuvFKxP-U7TGmBu0QQZNBnd_sgixlD3YCfrxn7V8G3M-FJF5YBnAdfn_yBYxKMoNYBbDSWLl70KfgjwhsPB8UA4p5iSQLEYkb9aVelJJehl7-7otxoT22uJ6X3cnMCmWKBbyZdtRvqbvPnxkrnBFn1Hp3uO7qThhIrUpCHP0ohVcXXNEIdr9pl_4aFXNOulKtnEs5p6XijaGdDtsxtiAgKAGIxrkigCmLc-L0zVyIbU6Db-q2QePqW0PuJElo6_Ye7N7dm_q-KoHy1wdAmPp2IalS0wjxJbQ",
  "token_type": "Bearer"
}

Authenticated

{ json }

{ json }

curl --request GET \
  --url https://api.weather.com/zip/89166 \
  --header 'content-type: application/json' \
  --header 'Authorization: Bearer eyJhbGc...'

Native

Android, iOS, Desktop, SPA, Hybrid, ...

Authorization Code with PKCE Grant Flow

Baseline

{ json }

Authentication

{ code_challenge }

code={123}

const crypto = require("crypto");

// In a real client the verifier is a fresh high-entropy random string per
// authorization request; a fixed sentence is used here only so the hash can be shown.
let code_verifier = "The quick brown fox jumps over the lazy dog";
let challenge = crypto.createHash("sha256").update(code_verifier).digest("hex");
// d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592

let code_challenge = {
  message: challenge,
  alg: "SHA256"
};

Authentication

{ code={123} code_verifier }

Authenticated

{ json }

{ json }

Getting New Tokens via Refresh Token

{ json }

{ json }

Summary

Modern authentication is complex.

OAuth 2.0 offers solutions / flows for most use cases.

Implementing OAuth 2.0 can provide a competitive advantage.

Resources

OAuth 2.0 Official Website

https://oauth.net/2/

OAuth 2.0 Complete Guide

http://bit.ly/oauth-complete

OAuth 2.0 Scopes

http://bit.ly/oauth-scopes

Sign in With Apple

Why?

1.4 billion Apple devices in the wild

50%+ of iPhones already on iOS 13

If you use social login on iOS, you must support it by April 2020

Challenges

Focus on end-user privacy with Hide My Email

Multiple flows to support: native and web

Limited access from a CIAM perspective

Auth0 + Sign In With Apple

Add with the flip of a switch

Account linking and progressive profiling

Call your APIs

Demo Time!

Thank you!
