A Non-Dystopian Look at Modern Authentication

Authentication Used to be Easy*

* Not really

Diagram (classic session auth): browser posts { username / password }; server replies with a session cookie { sid 123 }; browser sends { sid 123 } on every later request; server returns { html }.

Modern Auth is Complex

Grant Types

Platforms

Auth Flows

4 Types of Applications to Authenticate (each with its own recommended flow)

Web

API

SPA

Native

OAuth 2.0

An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords.

In short: an open standard for access delegation. Strictly, OAuth 2.0 is an authorization framework; the ID Token and the user-profile claims discussed later come from OpenID Connect (OIDC), the authentication layer built on top of OAuth 2.0.

OAuth 2.0 Roles

Resource Owner

The entity that can grant access to a protected resource. Typically this is the end-user.

Resource Server

The server hosting the protected resources. This is the API you want to access.

Client

The app requesting access to a protected resource on behalf of the Resource Owner.

Authorization Server

The server that authenticates the Resource Owner, and issues tokens.

OAuth 2.0 Endpoints

Authorization

Used to interact with the resource owner and get the authorization to access the protected resource.

Token

Used by the application to obtain an Access Token or a Refresh Token (not used in the Implicit Flow, where tokens are returned directly from the authorization endpoint).

Authorization Code vs Access Token vs Refresh Token vs Id Token

Authorization Code

An opaque, short-lived, single-use string delivered to the client's redirect URI, meant to be exchanged for an Access Token at the token endpoint.

Access Token

An opaque string or JWT that denotes who has authorized which permissions (scopes) to which application. It is presented to the Resource Server (the API) on each request.

Refresh Token

A special kind of token containing the information required to obtain a new Access Token or ID Token without asking the user to log in again. It is long-lived, so it must be stored securely.

Id Token

A JWT, defined by OpenID Connect, that contains user profile information (name, email, etc.) represented as claims. It is meant for the Client, as proof that the user authenticated, not for the API.
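The deck defines the ID Token but not what a Client must check before trusting its claims. The following is an added example, not code from the talk or from Auth0: it mints a JWT and then validates structure, pinned algorithm, signature, iss, aud, exp and nonce in that order. The issuer, client id, secret and claim values are constructed; HS256 with a shared secret stands in for the RS256-with-JWKS setup real issuers use, so the signature check shows the shape of the verification rather than a production key setup.

```python
"""Validate an ID Token (JWT) before trusting its claims.
Added example: HS256 + shared secret stands in for RS256 + JWKS."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values; a real client reads these from its OIDC configuration.
ISSUER = "https://issuer.example"
CLIENT_ID = "my-client"


def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Plays the Authorization Server so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      nonce: str, now: Optional[float] = None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("malformed header")
    # Pin the algorithm; never let the token choose it (blocks alg=none and
    # key-confusion attacks where a public key is reused as an HMAC secret).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    # nonce ties the token to the login request this client started (replay defence).
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


def demo() -> dict:
    """Mint one token, then show one accepted and three rejected validations."""
    secret = b"constructed-shared-secret"
    nonce = "n-0S6_WzA2Mj"
    now = 1_700_000_100
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "iat": 1_700_000_000,
              "exp": 1_700_000_600, "nonce": nonce, "name": "Ada", "email": "ada@example.com"}
    token = make_id_token(claims, secret)

    def rejected(**overrides) -> bool:
        kw = dict(token=token, secret=secret, issuer=ISSUER, client_id=CLIENT_ID, nonce=nonce, now=now)
        kw.update(overrides)
        try:
            validate_id_token(**kw)
            return False
        except ValueError:
            return True

    h, _, s = token.split(".")
    forged_payload = b64url_encode(json.dumps(dict(claims, sub="admin"), separators=(",", ":")).encode())
    return {
        "valid_sub": validate_id_token(token, secret, ISSUER, CLIENT_ID, nonce, now)["sub"],
        "wrong_audience_rejected": rejected(client_id="other-client"),
        "expired_rejected": rejected(now=1_700_000_700),
        "tampered_rejected": rejected(token=f"{h}.{forged_payload}.{s}"),
    }
```

The order matters: the signature is verified before any claim is read, and the algorithm is fixed by the client rather than taken from the header. A library such as PyJWT does the same work against the issuer's JWKS; the checks on iss, aud, exp and nonce are still the client's responsibility.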

OAuth 2.0 Flows

Authorization Code

Authorization Code with Proof Key for Code Exchange (PKCE)

Implicit

Client Credentials

Resource Owner Password Credentials

Traditional Web Application: Authorization Code Flow

Baseline: browser requests a page, app returns { html }.

Authentication: app redirects the browser to the authorization endpoint; user logs in at the authorization server; browser is redirected back to /callback?code={123}; app exchanges the code at the token endpoint for { tokens } and sets its own session cookie { sid 123 }.

Authenticated: browser sends { sid 123 }, app returns { html }.

User Changes: diagram of a user action after login (labels: { change pw }, { ok }, { success }).
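The flow above is what a confidential web backend implements. Here is an added example of the server side, not code from the talk or from Auth0: it builds the authorization request with a state bound to the server session, validates the callback, builds the code-for-tokens exchange, and then issues the app's own session id (the { sid 123 } cookie). The authorization and token endpoints, client id and redirect URI are constructed; the HTTP POST itself is left to the caller so the code runs offline.

```python
"""Server side of the Authorization Code flow for a traditional web app.
Added example; endpoints, client id and redirect URI are constructed."""
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example/authorize"      # constructed
TOKEN_URL = "https://auth.example/oauth/token"        # constructed
CLIENT_ID = "web-app-client"
REDIRECT_URI = "https://app.example/callback"


def begin_login(session: Dict[str, object]) -> str:
    """Step 1: the redirect target for the browser. `state` is random and stored in
    this user's server-side session so the callback can be matched to the request
    that started it; without it an attacker can make a victim finish the
    attacker's login (login CSRF)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: Dict[str, object], callback_url: str, client_secret: str) -> dict:
    """Step 2: the browser arrived at /callback?code=...&state=... Verify state
    (single use) and return the POST the app sends to the token endpoint."""
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    expected = session.pop("oauth_state", None)       # pop: a state is one-shot
    received = query.get("state", "")
    if not isinstance(expected, str) or not secrets.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback not tied to a login this session started")
    if "code" not in query:
        raise ValueError("missing authorization code")
    return {
        "url": TOKEN_URL,
        "data": {
            "grant_type": "authorization_code",
            "code": query["code"],
            "redirect_uri": REDIRECT_URI,     # must equal the one sent in step 1
            "client_id": CLIENT_ID,
            "client_secret": client_secret,   # stays on the server; the browser never sees it
        },
    }


def establish_session(session: Dict[str, object], tokens: dict) -> str:
    """Step 3: keep the tokens server-side and hand the browser only a fresh
    session id (the { sid 123 } cookie). Issuing a new id at login defeats
    session fixation."""
    session["access_token"] = tokens["access_token"]
    session["refresh_token"] = tokens.get("refresh_token")
    session["id_token"] = tokens.get("id_token")    # validate it before trusting its claims
    sid = secrets.token_urlsafe(32)
    session["sid"] = sid
    return sid
```

The browser only ever sees the redirect URL and the session cookie; the client secret and the tokens never leave the server, which is why this flow fits a backend-rendered web app and not an SPA or a mobile app.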

API Backend: Client Credentials Grant Flow

Baseline: caller sends { json }, API answers { json }. No user is involved; the client acts on its own behalf.

Authentication: client posts grant_type=client_credentials with its client_id and client_secret to the token endpoint and receives an access token { json }.

Authenticated: client calls the API with the access token, API answers { json }.

Refresh Token: Getting a New Access Token

Client posts grant_type=refresh_token with the refresh token to the token endpoint { json } and receives a new access token { json }. Note that the client credentials grant itself normally returns no refresh token (RFC 6749 section 4.4.3); a backend that only holds a client secret simply requests a fresh access token when the old one expires, while refresh tokens belong to flows that started with a user.
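The two token requests named above, client credentials and refresh token, differ only in the form body; what a backend usually gets wrong is around them: putting the secret in the URL, requesting a new token on every call, and dropping a rotated refresh token. The following is an added example, not code from the talk or from Auth0. The token endpoint URL and credentials are constructed, and the HTTP call is injected as a callable so the cache can be exercised offline.

```python
"""Client Credentials grant with access-token caching, plus the Refresh Token grant
with rotation. Added example; endpoint and credentials are constructed."""
import base64
import time
from typing import Callable, Dict

TOKEN_URL = "https://auth.example/oauth/token"   # constructed


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: confidential clients authenticate with HTTP Basic,
    # which keeps the secret out of URLs and request logs.
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")


def client_credentials_request(client_id: str, client_secret: str, scope: str) -> dict:
    """The request a backend sends to get a token for itself (no user involved)."""
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "data": {"grant_type": "client_credentials", "scope": scope},
    }


def refresh_token_request(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """The request that trades a refresh token for a new access token."""
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "data": {"grant_type": "refresh_token", "refresh_token": refresh_token},
    }


def apply_token_response(store: Dict[str, object], resp: dict, now: float) -> None:
    """Record a token response. When the server rotates the refresh token, the new
    one replaces the old, which must be treated as dead from this point on."""
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    store["access_token"] = resp["access_token"]
    store["expires_at"] = now + int(resp["expires_in"])
    if "refresh_token" in resp:
        store["refresh_token"] = resp["refresh_token"]


class TokenCache:
    """Reuse the access token until shortly before it expires instead of calling
    the token endpoint on every API request."""

    def __init__(self, fetch: Callable[[], dict], skew: int = 30,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch          # performs the HTTP POST; injected for offline use
        self._skew = skew            # renew early to absorb clock drift and latency
        self._clock = clock
        self._store: Dict[str, object] = {}
        self.fetch_count = 0

    def get(self) -> str:
        now = self._clock()
        expires_at = float(self._store.get("expires_at", 0))
        if "access_token" not in self._store or now >= expires_at - self._skew:
            apply_token_response(self._store, self._fetch(), now)
            self.fetch_count += 1
        return str(self._store["access_token"])
```

`expires_in` is relative to the moment of the response, so the cache stamps its own clock rather than trusting the token's `exp` claim, and renews `skew` seconds early so a request in flight does not arrive with a token that just died.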

SPA (Single Page Application): Implicit Grant Flow

Baseline: SPA calls the API { json } without a token.

Authentication: SPA redirects the browser to the authorization endpoint with response_type=token; after login the access token comes back in the URL fragment, with no token endpoint call.

Authenticated: SPA calls the API with the access token { json }, API answers { json }.

Silent Authentication: when the token nears expiry, the SPA repeats the authorization request in a hidden iframe (prompt=none); if the authorization server still has a session for the user, a new token { json } is returned to the iframe without any prompt { json }.

Caveat: the Implicit grant is no longer recommended. The OAuth 2.0 Security Best Current Practice (RFC 9700) says clients SHOULD NOT use it and OAuth 2.1 removes it, because tokens in the URL fragment can leak through browser history, referrers and logs and cannot be bound to the client. Current guidance for SPAs is Authorization Code with PKCE, the same flow shown for native apps below.
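To make the fragment handling and the silent-renewal timing concrete, here is an added example that is not code from the talk or from Auth0. In a real SPA this logic is browser JavaScript working on `window.location` and `sessionStorage`; it is written here in Python so the same checks can be run offline. The authorization endpoint, client id and redirect URI are constructed, and the `storage` dict stands in for `sessionStorage`.

```python
"""How an SPA handles an Implicit grant response: tokens arrive in the URL
fragment, state must match what the app stored before redirecting, and expiry
drives silent (iframe) renewal. Added example; endpoints are constructed."""
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example/authorize"      # constructed
CLIENT_ID = "spa-client"
REDIRECT_URI = "https://spa.example/callback"


def build_implicit_request(storage: Dict[str, str], silent: bool = False) -> str:
    """response_type=token id_token asks for tokens directly in the redirect.
    `silent` adds prompt=none for renewal in a hidden iframe: the server answers
    with tokens if it still has a session for the user, or with an error, never
    with a login page."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    storage["state"], storage["nonce"] = state, nonce     # sessionStorage in a real SPA
    params = {
        "response_type": "token id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    if silent:
        params["prompt"] = "none"
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_implicit_response(storage: Dict[str, str], location: str,
                            now: Optional[float] = None) -> dict:
    """Read tokens from `location` (what window.location holds after the redirect).
    Raises ValueError on an error response or a state this app did not issue."""
    params = {k: v[0] for k, v in parse_qs(urlparse(location).fragment).items()}
    if "error" in params:
        raise ValueError(f"{params['error']}: {params.get('error_description', '')}")
    expected = storage.pop("state", None)        # single use
    received = params.get("state", "")
    if expected is None or not secrets.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: response not tied to a request this app made")
    if "access_token" not in params:
        raise ValueError("no access_token in fragment")
    if params.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return {
        "access_token": params["access_token"],
        "id_token": params.get("id_token"),
        "expected_nonce": storage.pop("nonce", None),  # compare with the ID Token's nonce claim
        "expires_at": now + int(params.get("expires_in", "0")),
    }


def needs_renewal(tokens: dict, now: float, lead: int = 60) -> bool:
    """True when the access token expires within `lead` seconds: start a silent
    authentication in an iframe now rather than wait for a 401 from the API."""
    return now >= tokens["expires_at"] - lead
```

A real SPA should also clear the fragment from the address bar after reading it, so the token does not stay in history. Silent renewal depends on the authorization server's session cookie being sent from inside an iframe, which browsers that block third-party cookies refuse; that limitation is one more reason the PKCE flow below has replaced this one for SPAs.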

Native (Android, iOS, Desktop): Authorization Code with PKCE Grant Flow

Baseline: app calls the API { json } without a token.

Authentication: app generates a random code_verifier and sends the derived { code_challenge } with the authorization request; user logs in; app receives code={123}; app posts { code={123} code_verifier } to the token endpoint, which recomputes the challenge from the verifier before issuing tokens. No client secret is involved, since a secret shipped inside an app binary cannot stay secret.

Authenticated: app calls the API with the access token { json }, API answers { json }.
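The PKCE exchange above, as an added example that is not code from the talk or from Auth0. It shows both sides: the app derives `code_challenge` from a random `code_verifier` (RFC 7636, S256 method), and a small in-memory model of the authorization server refuses to exchange a code unless the verifier matches and the code has not been used before. The `AuthorizationServer` class and the client id are constructed for the example; the derivation functions follow the RFC and are checked against its published test vector.

```python
"""PKCE (RFC 7636) end to end: the app derives code_challenge from a random
code_verifier, and the authorization server refuses to exchange a code unless
the verifier matches. Added example; the server class is a constructed model."""
import base64
import hashlib
import secrets
from typing import Dict, Tuple


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 base64url characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))). The "plain" method
    # sends the verifier itself and gives no protection against a logged request.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal model of the AS side; constructed for the example, not a real server."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: the user has logged in; remember the challenge
        next to the code that goes back to the app."""
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Token endpoint: recompute the challenge from the verifier before issuing tokens."""
        entry = self._codes.pop(code, None)      # single use: a replayed code fails
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        owner, challenge = entry
        if owner != client_id:
            raise ValueError("invalid_grant: code was issued to a different client")
        if not secrets.compare_digest(make_code_challenge(code_verifier).encode(), challenge.encode()):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def native_app_login(server: AuthorizationServer, client_id: str = "native-app") -> dict:
    """The app side: keep the verifier in memory, send only the challenge out."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, challenge)        # via the system browser in reality
    return server.token(client_id, code, verifier)        # no client secret anywhere


def stolen_code_is_useless(server: AuthorizationServer) -> bool:
    """Attacker observes the code on its way back to the app but never saw the verifier."""
    verifier = make_code_verifier()
    code = server.authorize("native-app", make_code_challenge(verifier))
    try:
        server.token("native-app", code, make_code_verifier())   # attacker's own guess
        return False
    except ValueError:
        return True
```

The verifier never leaves the device until the token request, and the challenge that did travel with the authorization request is a one-way hash of it, so an intercepted code alone buys nothing. The same two functions serve an SPA, which is why PKCE is now the recommended replacement for the Implicit grant.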

By Ado Kukic
