A Non-Dystopian Look At Modern Authentication
Authentication Used to be Easy*
* Not really
Diagram (classic session login): the browser sends { username / password }, the server answers with { sid 123 }, the browser presents { sid 123 } on later requests and receives { html }.
Modern Auth is Complex
Grant Types
Platforms
Auth Flows
4 Types of Authentication
Web
API
SPA
Native
OAuth 2.0
An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
OAuth 2.0 Roles
Resource Owner
The entity that can grant access to a protected resource. Typically this is the end-user.
Resource Server
The server hosting the protected resources. This is the API you want to access.
Client
The app requesting access to a protected resource on behalf of the Resource Owner.
Authorization Server
The server that authenticates the Resource Owner, and issues tokens.
OAuth 2.0 Endpoints
Authorization
Used to interact with the resource owner and get the authorization to access the protected resource.
Token
Used by the application in order to get an Access Token or a Refresh Token.
(Not used in Implicit Flow)
Authorization Code vs Access Token vs Refresh Token vs ID Token
Authorization Code
An opaque string, meant to be exchanged for an Access Token at the token endpoint.
Access Token
An opaque string or JWT that denotes who has authorized which permissions (scopes) to which application.
Refresh Token
A special kind of token containing the information required to obtain a new Access Token or ID Token.
ID Token
A JWT that contains user profile information (name, email, etc.), represented in the form of claims.
OAuth 2.0 Flows
Authorization Code
Authorization Code with Proof Key for Code Exchange (PKCE)
Implicit
Client Credentials
Resource Owner Password Credentials
Traditional
Web Application
Authorization Code Flow
Diagram (Authorization Code Flow, traditional web application with API and Backend): Baseline { html }; Authentication: redirect back to /callback?code={123}, the Backend exchanges the code for { tokens } and sets { sid 123 }, the browser gets { html }; Authenticated: { ok }, { success }; User Changes: { change pw } from the browser through the Backend to the API.
Client Credentials Grant Flow
Diagram (Client Credentials Grant Flow, API / Backend): Baseline { json }; Authentication { json }; Authenticated { json }.
Refresh Token
Getting New Access Token
Diagram (Refresh Token exchange): { json } request, { json } response.
SPA
Single Page Application
Implicit Grant Flow
Diagram (Implicit Grant Flow, SPA): Baseline { json }; Authentication; Authenticated { json } { json }; Silent Authentication { json } { json }, repeated via an iframe.
Native
Android, iOS, Desktop
Authorization Code with PKCE Grant Flow
Diagram (Authorization Code with PKCE Grant Flow, native app): Baseline { json }; Authentication: the client sends { code_challenge }, receives code={123}, then sends { code={123} code_verifier }; Authenticated { json } { json }.
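The { code_challenge } / { code_verifier } exchange from the PKCE diagram above, as an added Python example (not code from the talk or from any library it mentions): the client derives the S256 challenge, the authorization server stores it against the single-use code, and the token endpoint checks the verifier before issuing tokens. The AuthorizationServer class is a constructed stand-in for the two endpoints.

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    # Client side: 32 random bytes give a 43-char verifier (RFC 7636 allows 43..128 chars)
    return _b64url(secrets.token_bytes(nbytes))


def derive_code_challenge(code_verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    # Constructed stand-in for the authorization and token endpoints' PKCE bookkeeping
    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        # Authorization endpoint: remember the challenge and hand back a single-use code
        if code_challenge_method != "S256":
            raise ValueError("only the S256 method is accepted here")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # Token endpoint: the code is consumed even on failure, so it cannot be retried
        challenge = self._pending.pop(code, None)
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(derive_code_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": "constructed-access-token", "token_type": "Bearer"}


def run_native_flow(server: AuthorizationServer) -> dict:
    # The native client keeps the verifier locally and sends only the challenge first
    verifier = generate_code_verifier()
    code = server.authorize(derive_code_challenge(verifier))
    # ... the user authenticates and code={123} comes back on the redirect ...
    return server.token(code, verifier)


if __name__ == "__main__":
    print(run_native_flow(AuthorizationServer()))
```

The verifier never leaves the device until the token request, so a code intercepted on the redirect cannot be redeemed without it.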
A Non-Dystopian Look at Modern Authentication
By Ado Kukic