Modern Authentication Demystified

Ado Kukic

Developer Evangelist

Auth0

@kukicado

Authentication Used to be Easy*

* Not really

@kukicado

@kukicado

Traditional Authentication

{ username / password }

{ sid 123 }

@kukicado

Traditional Authentication

{ sid 123 }

{ html }

@kukicado

Traditional Authentication

Modern Auth is Complex

Grant Types

Scopes

Auth Flows

@kukicado

4 Types of Authentication

Web

API

SPA

Native

@kukicado

OAuth 2.0

An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

An open standard for access delegation.

@kukicado

OpenID Connect

An authentication layer built on top of OAuth 2.0, allowing clients to verify the identity of an end-user based on the authentication performed by an authorization server.

@kukicado

An authentication layer built on top of OAuth 2.0

OAuth 2.0 Roles

Resource Owner

The entity that can grant access to a protected resource. Typically this is the end-user.

Resource Server

The server hosting the protected resources. This is the API you want to access.

Client

The app requesting access to a protected resource on behalf of the Resource Owner.

Authorization Server

The server that authenticates the Resource Owner, and issues tokens.

Tokens in OAuth 2.0

 

Access Token

An opaque string or JWT that denotes who has authorized which permissions (scopes) to which application.

Refresh Token

A special kind of token containing the information required to obtain a new Access Token or ID Token.

Id Token

A JWT that contains user profile information (name, email, etc.), represented in the form of claims.

@kukicado

OAuth 2.0 Endpoints

Authorization

Used to interact with the resource owner and get the authorization to access the protected resource.

Token

Used by the application in order to get an Access Token or a Refresh Token.
(Not used in Implicit Flow)

@kukicado

OAuth 2.0 Flows

Authorization Code

Authorization Code with Proof Key for Code Exchange (PKCE)

Implicit

Client Credentials

@kukicado

Traditional

Web Application

Authorization Code Flow

@kukicado

Baseline

{ html }

@kukicado

/callback?code={123}

{ tokens }

{ sid 123 }

Authentication

@kukicado

{ html }

Authenticated

@kukicado

API

Backend

Client Credentials Grant Flow

@kukicado

Baseline

{ json }

{ json }

@kukicado

api.weather.com

myweatherapp.com

Authentication

@kukicado

curl --request POST \
  --url https://api.weather.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"3zSueXFGn4SBaM2YxvXJsRAVgltikrFk",
"client_secret":"8YJD05dUgLO9FVqKA6UEx8FEXa4Py4PjRqG79Qcw8Fkr2uTTfJ5GIkpZLdJl2feJ",
"audience":"http://myweatherapp.com",
"grant_type":"client_credentials"}'
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5qZEdSalJHTTBOQk1ERkdNVEF6UXpCQk56VkdOVUpGTmpNMU16WkZSak5CUmtZM01VVkRNZyJ9.eyJpc3MiOiJodHRwczovL2Fkb2JvdC5hdXRoMC5jb20vIiwic3ViIjoiM3pTdWVYRkduNFNCYU0yWXh2WEpzUkFWZ2x0aWtyRmtAY2xpZW50cyIsImF1ZCI6Imh0dHA6Ly9tb3ZpZWFuYWx5c3QuY29tIiwiaWF0IjoxNTU0NzQxNzA4LCJleHAiOjE1NTQ4MjgxMDgsImF6cCI6IjN6U3VlWEZHbjRTQmFNMll4dlhKc1JBVmdsdGlrckZrIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.c5WiNoR87yC-tQo-WU2lMVKr5Vv4aJpCovQ0b2IDoBulk1L4W48qPHIuvFKxP-U7TGmBu0QQZNBnd_sgixlD3YCfrxn7V8G3M-FJF5YBnAdfn_yBYxKMoNYBbDSWLl70KfgjwhsPB8UA4p5iSQLEYkb9aVelJJehl7-7otxoT22uJ6X3cnMCmWKBbyZdtRvqbvPnxkrnBFn1Hp3uO7qThhIrUpCHP0ohVcXXNEIdr9pl_4aFXNOulKtnEs5p6XijaGdDtsxtiAgKAGIxrkigCmLc-L0zVyIbU6Db-q2QePqW0PuJElo6_Ye7N7dm_q-KoHy1wdAmPp2IalS0wjxJbQ",
  "token_type": "Bearer"
}

Authenticated

{ json }

{ json }

@kukicado

Getting New Access Token

{ json }

{ json }

@kukicado

SPA

Single Page Application

Implicit Grant Flow*

@kukicado

Baseline

{ json }

@kukicado

Authentication

@kukicado

Authenticated

{ json }

{ json }

@kukicado

Silent Authentication

{ json }

{ json }

@kukicado

Silent Authentication

{ json }

{ json }

iframe

@kukicado

Native

Android, iOS, Desktop

Authorization Code with PKCE Grant Flow

@kukicado

Baseline

{ json }

@kukicado

Authentication

{ code_challenge }

code={123}

@kukicado

Authentication

{ code={123} code_verifier }

@kukicado

Authenticated

{ json }

{ json }

@kukicado

Refresh Token

{ code={123} code_verifier }

@kukicado

Authenticated

{ json }

{ json }

@kukicado

Getting New Tokens via Refresh Token

{ json }

{ json }

@kukicado

 

Summary

 

@kukicado

Modern authentication is complex.

OAuth 2.0 offers solutions / flows for most use cases.

Implementing OAuth 2.0 can provide a competitive advantage.

 

Resources

 

@kukicado

OAuth 2.0 Official Website

https://oauth.net/2/

 

OAuth 2.0 Complete Guide

http://bit.ly/oauth-complete

 

OAuth 2.0 Scopes

http://bit.ly/oauth-scopes

 

Thank You!

@kukicado

 

Modern Authentication (Auth0 Webinar)

By Ado Kukic

Modern Authentication (Auth0 Webinar)

  • 697