A Non-Dystopian Look At Modern Authentication

Ado Kukic
Developer Evangelist

Auth0
@kukicado
Authentication used to be simple*
* Not really

http://bit.ly/auth0-winnipeg
[diagram: { username / password } -> { sid 123 }]
[diagram: { sid 123 } -> { html }]
Modern Auth is Complex
Grant Types
Scopes
Auth Flows
4 Types of Authentication
Web
API
SPA
Native
OAuth 2.0
An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
OpenID Connect
An authentication layer built on top of OAuth 2.0, allowing clients to verify the identity of an end-user based on the authentication performed by an authorization server.
OAuth 2.0 Roles
Resource Owner
The entity that can grant access to a protected resource. Typically this is the end-user.
Resource Server
The server hosting the protected resources. This is the API you want to access.
Client
The app requesting access to a protected resource on behalf of the Resource Owner.
Authorization Server
The server that authenticates the Resource Owner and issues tokens.
OAuth 2.0 Endpoints
Authorization
Used to interact with the resource owner and get the authorization to access the protected resource.
Token
Used by the application in order to get an Access Token or a Refresh Token.
(Not used in Implicit Flow)
Codes and Tokens
Authorization Code
An opaque string, meant to be exchanged for an Access Token at the token endpoint.
Access Token
An opaque string or JWT that denotes who has authorized which permissions (scopes) to which application.
Refresh Token
A special kind of token containing the information required to obtain a new Access Token or ID Token.
ID Token
A JWT that contains user profile information (name, email, etc.), represented in the form of claims.
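To make the ID Token description concrete, here is an added example (not code from the talk or from Auth0) that mints a JWT carrying profile claims and then verifies it the way a relying party must before trusting any claim: pinned algorithm, signature, issuer, audience and expiry. The shared HS256 key, issuer URL and client id are constructed for the example; real authorization servers usually sign with RS256 and publish keys via JWKS, which is outside the scope of this snippet.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment gets these from the
# authorization server's configuration and the client's registration.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://issuer.example"      # assumed issuer URL (iss claim)
CLIENT_ID = "example-client-id"        # assumed client id (aud claim)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, name: str, email: str, now=None) -> str:
    """What an authorization server does after authenticating the user:
    put profile information into claims and sign them."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "name": name,
              "email": email, "iat": now, "exp": now + 3600}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, now=None) -> dict:
    """Relying-party side: refuse the token unless every check passes.
    Raises ValueError with a short reason on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect; the token must not get to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = mint_id_token("auth0|123", "Ada Lovelace", "ada@example.com")
    print(verify_id_token(token))
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload never reaches the issuer/audience/expiry logic.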
OAuth 2.0 Flows
Authorization Code
Authorization Code with Proof Key for Code Exchange (PKCE)
Implicit
Client Credentials
Traditional
Web Application
Authorization Code Flow
Baseline [diagram: { html }]
Authentication [diagram: /callback?code={123} -> { tokens } -> { sid 123 }]
Authenticated [diagram: { html }]
User Changes [diagram: { ok } { success } { change pw }]
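The traditional web application slides above show the Authorization Code Flow as a sequence: redirect, /callback?code=..., code exchanged for tokens, session id handed to the browser. The following is an added example (mine, not the talk's or Auth0's) that runs that sequence end to end against an in-memory stand-in for the authorization server, so it works offline. All URLs, the client id, the client secret and the user subject are constructed; the things worth noticing are that the state value ties the callback to the session that started the login, that the client secret and tokens never leave the server side, and that the simulated server treats each code as single-use and bound to the registered redirect URI.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; nothing here comes from the deck.
AUTHORIZE_URL = "https://auth.example/authorize"
CLIENT_ID = "web-app-client"
CLIENT_SECRET = "web-app-secret"
REDIRECT_URI = "https://app.example/callback"


def query_params(url):
    """Flatten ?a=1&b=2 into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class SimulatedAuthServer:
    """Stand-in for the authorization server so the flow runs offline. Codes
    are random, single-use, short-lived and bound to the client."""

    registered = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}

    def __init__(self):
        self._codes = {}

    def authorize(self, params):
        # A real server authenticates the resource owner and asks consent here.
        reg = self.registered.get(params.get("client_id"))
        if reg is None or params.get("redirect_uri") != reg["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": params["client_id"], "sub": "user-42",
                             "expires": time.time() + 60}
        # Redirect back to the app with the code and the app's own state value.
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form):
        rec = self._codes.pop(form.get("code"), None)   # pop: every code is single-use
        if rec is None or time.time() > rec["expires"]:
            return {"error": "invalid_grant"}
        reg = self.registered.get(form.get("client_id"))
        if (reg is None or rec["client_id"] != form.get("client_id")
                or not secrets.compare_digest(form.get("client_secret", ""), reg["secret"])):
            return {"error": "invalid_client"}
        if form.get("redirect_uri") != reg["redirect_uri"]:
            return {"error": "invalid_grant"}
        # A real server returns an id_token; the simulation just reports the subject.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": rec["sub"]}


class WebApp:
    """Server-side web application (a confidential client)."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.sessions = {}   # sid -> session data; the browser only holds the sid cookie

    def start_login(self):
        sid = secrets.token_urlsafe(16)
        state = secrets.token_urlsafe(16)   # binds the later callback to this session
        self.sessions[sid] = {"state": state}
        url = AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid profile", "state": state})
        return sid, url

    def handle_callback(self, sid, callback_url):
        qs = query_params(callback_url)
        session = self.sessions.get(sid)
        expected_state = session.pop("state", None) if session else None
        if expected_state is None or qs.get("state") != expected_state:
            raise ValueError("state mismatch: callback is not tied to this session")
        # Back-channel exchange: the secret and the tokens stay on the server.
        tokens = self.auth_server.token({
            "grant_type": "authorization_code", "code": qs.get("code"),
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET})
        if "error" in tokens:
            raise ValueError(tokens["error"])
        session["access_token"] = tokens["access_token"]
        session["sub"] = tokens["sub"]
        return session


if __name__ == "__main__":
    server = SimulatedAuthServer()
    app = WebApp(server)
    sid, url = app.start_login()                 # browser is sent to `url`
    callback = server.authorize(query_params(url))  # user logs in, is redirected back
    print(app.handle_callback(sid, callback))    # session now holds the tokens
```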
API
Backend
Client Credentials Grant Flow
Baseline [diagram: { json } { json }]
Registration
Authentication
Authenticated [diagram: { json } { json }]
Getting New Access Token [diagram: { json } { json }]
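For the API backend slides (Client Credentials Grant Flow, from registration through getting a new access token), here is an added example of my own, not the talk's, showing the machine-to-machine side: the backend authenticates with its own client id and secret at the token endpoint (there is no resource owner in this grant), caches the access token, and requests a new one shortly before expiry rather than on every API call. The token endpoint is simulated by a local function so the code runs offline; its URL, the client credentials, the audience and the scope are constructed values.

```python
import secrets
import time

# Constructed values; a real backend reads these from its secret store.
TOKEN_URL = "https://auth.example/oauth/token"   # assumed token endpoint
CLIENT_ID = "backend-service"
CLIENT_SECRET = "backend-service-secret"
AUDIENCE = "https://api.example"                 # the resource server we want to call


def simulated_token_endpoint(form):
    """Stand-in for POST TOKEN_URL. Returns (status, json_body)."""
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    ok_id = secrets.compare_digest(form.get("client_id", ""), CLIENT_ID)
    ok_secret = secrets.compare_digest(form.get("client_secret", ""), CLIENT_SECRET)
    if not (ok_id and ok_secret):
        return 401, {"error": "invalid_client"}
    if form.get("audience") != AUDIENCE:
        return 403, {"error": "access_denied"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 300, "scope": "read:reports"}


class ServiceClient:
    """Backend client that caches its access token and renews it early."""

    LEEWAY = 30   # seconds before expiry at which we proactively fetch a new token

    def __init__(self, post=simulated_token_endpoint, clock=time.time):
        self._post = post          # injectable so a real HTTP client can replace the sim
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0    # how many times we hit the token endpoint

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - self.LEEWAY:
            status, body = self._post({
                "grant_type": "client_credentials", "client_id": CLIENT_ID,
                "client_secret": CLIENT_SECRET, "audience": AUDIENCE})
            self.token_requests += 1
            if status != 200:
                raise RuntimeError(f"token request failed: {body.get('error')}")
            self._token = body["access_token"]
            self._expires_at = self._clock() + body["expires_in"]
        return self._token

    def auth_header(self):
        """Header to attach to every call to the resource server."""
        return {"Authorization": f"Bearer {self.access_token()}"}


if __name__ == "__main__":
    client = ServiceClient()
    print(client.auth_header())
    print("token endpoint calls:", client.token_requests)
```

Renewing before expiry, not after a 401, keeps the API from seeing a burst of rejected requests every five minutes; the injectable clock is what lets that behaviour be asserted without sleeping.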
SPA
Single Page Application
Implicit Grant Flow*
* Up until now
Baseline [diagram: { json }]
Authentication
Authenticated [diagram: { json } { json }]
Silent Authentication [diagram: { json } { json }]
Silent Authentication [diagram: { json } { json } iframe]
Native
Android, iOS, Desktop
Authorization Code with PKCE Grant Flow
Baseline [diagram: { json }]
Authentication [diagram: { code_challenge } -> code={123}]
Authentication [diagram: { code={123} code_verifier }]
Authenticated [diagram: { json } { json }]
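The native slides show the two PKCE values in the order they travel: code_challenge goes out with the authorization request, code_verifier goes back with the code. Here is an added example (mine, not from the talk or Auth0) of the verifier/challenge computation from RFC 7636 with the S256 method, plus the server-side check that turns a code exchange into proof that the same app started the request. The simulated server and the client id are constructed; the check in the test uses the verifier/challenge pair from RFC 7636 Appendix B. The same mechanism is what the SPA section's "* Up until now" footnote alludes to, since Authorization Code with PKCE has replaced the Implicit grant for browser apps as well; that generalization is mine, not the deck's.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 url-safe characters, inside the 43..128 range."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class SimulatedAuthServer:
    """Offline stand-in for the authorization server's two endpoints, reduced to
    the PKCE-relevant bookkeeping: remember the challenge, later check the verifier."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        # Accepting only S256 means a challenge never reveals its verifier.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code   # delivered via the redirect / custom URL scheme

    def token(self, code, code_verifier, client_id):
        rec = self._codes.pop(code, None)   # single-use code
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        # Whoever presents the code must also know the verifier behind the challenge.
        if not secrets.compare_digest(make_code_challenge(code_verifier), rec["challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def native_app_login(server, client_id="native-app"):
    """One complete round trip as the app would perform it."""
    verifier = make_code_verifier()                 # kept only in app memory
    challenge = make_code_challenge(verifier)       # sent with the authorization request
    code = server.authorize(client_id, challenge)   # comes back on the redirect
    return server.token(code, verifier, client_id)  # verifier completes the exchange


if __name__ == "__main__":
    print(native_app_login(SimulatedAuthServer()))
```

Because the verifier never leaves the app until the token request and cannot be derived from the challenge, a code seen in transit is not enough on its own to obtain tokens, which is the property the deck's native flow relies on.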
Summary
Modern authentication is complex.
OAuth 2.0 offers guidance for most use cases.
Implementing OAuth 2.0 can provide a competitive advantage.
Resources
OAuth 2.0 Official Website
https://oauth.net/2/
OAuth 2.0 Complete Guide
http://bit.ly/oauth-complete
OAuth 2.0 Scopes
http://bit.ly/oauth-scopes
Thank You!
Modern Authentication (GDG Winnipeg)
By Ado Kukic