Modern Authentication Demystified
Ado Kukic
Developer Evangelist
Auth0
@kukicado
Authentication Used to be Easy*
* Not really
@kukicado
@kukicado
Traditional Authentication
{ username / password }
{ sid 123 }
@kukicado
Traditional Authentication
{ sid 123 }
{ html }
@kukicado
Traditional Authentication
Modern Auth is Complex
Grant Types
Scopes
Auth Flows
@kukicado
4 Types of Authentication
Web
API
SPA
Native
@kukicado
OAuth 2.0
An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
An open standard for access delegation.
@kukicado
OpenID Connect
An authentication layer built on top of OAuth 2.0, allowing clients to verify the identity of an end-user based on the authentication performed by an authorization server.
@kukicado
An authentication layer built on top of OAuth 2.0
OAuth 2.0 Roles
Resource Owner
The entity that can grant access to a protected resource. Typically this is the end-user.
Resource Server
The server hosting the protected resources. This is the API you want to access.
Client
The app requesting access to a protected resource on behalf of the Resource Owner.
Authorization Server
The server that authenticates the Resource Owner, and issues tokens.
Tokens in OAuth 2.0
Access Token
An opaque string or JWT that denotes who has authorized which permissions (scopes) to which application.
Refresh Token
A special kind of token containing the information required to obtain a new Access Token or ID Token.
Id Token
A JWT that contains user profile information (name, email, etc.), represented in the form of claims.
@kukicado
OAuth 2.0 Endpoints
Authorization
Used to interact with the resource owner and get the authorization to access the protected resource.
Token
Used by the application in order to get an Access Token or a Refresh Token.
(Not used in Implicit Flow)
@kukicado
OAuth 2.0 Flows
Authorization Code
Authorization Code with Proof Key for Code Exchange (PKCE)
Implicit
Client Credentials
@kukicado
Traditional
Web Application
Authorization Code Flow
@kukicado
Baseline
{ html }
@kukicado
/callback?code={123}
{ tokens }
{ sid 123 }
Authentication
@kukicado
{ html }
Authenticated
@kukicado
API
Backend
Client Credentials Grant Flow
@kukicado
Baseline
{ json }
{ json }
@kukicado
api.weather.com
myweatherapp.com
Authentication
@kukicado
curl --request POST \
--url https://api.weather.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"3zSueXFGn4SBaM2YxvXJsRAVgltikrFk",
"client_secret":"8YJD05dUgLO9FVqKA6UEx8FEXa4Py4PjRqG79Qcw8Fkr2uTTfJ5GIkpZLdJl2feJ",
"audience":"http://myweatherapp.com",
"grant_type":"client_credentials"}'
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5qZEdSalJHTTBOQk1ERkdNVEF6UXpCQk56VkdOVUpGTmpNMU16WkZSak5CUmtZM01VVkRNZyJ9.eyJpc3MiOiJodHRwczovL2Fkb2JvdC5hdXRoMC5jb20vIiwic3ViIjoiM3pTdWVYRkduNFNCYU0yWXh2WEpzUkFWZ2x0aWtyRmtAY2xpZW50cyIsImF1ZCI6Imh0dHA6Ly9tb3ZpZWFuYWx5c3QuY29tIiwiaWF0IjoxNTU0NzQxNzA4LCJleHAiOjE1NTQ4MjgxMDgsImF6cCI6IjN6U3VlWEZHbjRTQmFNMll4dlhKc1JBVmdsdGlrckZrIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.c5WiNoR87yC-tQo-WU2lMVKr5Vv4aJpCovQ0b2IDoBulk1L4W48qPHIuvFKxP-U7TGmBu0QQZNBnd_sgixlD3YCfrxn7V8G3M-FJF5YBnAdfn_yBYxKMoNYBbDSWLl70KfgjwhsPB8UA4p5iSQLEYkb9aVelJJehl7-7otxoT22uJ6X3cnMCmWKBbyZdtRvqbvPnxkrnBFn1Hp3uO7qThhIrUpCHP0ohVcXXNEIdr9pl_4aFXNOulKtnEs5p6XijaGdDtsxtiAgKAGIxrkigCmLc-L0zVyIbU6Db-q2QePqW0PuJElo6_Ye7N7dm_q-KoHy1wdAmPp2IalS0wjxJbQ",
"token_type": "Bearer"
}Authenticated
{ json }
{ json }
@kukicado
Getting New Access Token
{ json }
{ json }
@kukicado
SPA
Single Page Application
Implicit Grant Flow*
@kukicado
Baseline
{ json }
@kukicado
Authentication
@kukicado
Authenticated
{ json }
{ json }
@kukicado
Silent Authentication
{ json }
{ json }
@kukicado
Silent Authentication
{ json }
{ json }
iframe
@kukicado
Native
Android, iOS, Desktop
Authorization Code with PKCE Grant Flow
@kukicado
Baseline
{ json }
@kukicado
Authentication
{ code_challenge }
code={123}
@kukicado
Authentication
{ code={123} code_verifier }
@kukicado
Authenticated
{ json }
{ json }
@kukicado
Refresh Token
{ code={123} code_verifier }
@kukicado
Authenticated
{ json }
{ json }
@kukicado
Getting New Tokens via Refresh Token
{ json }
{ json }
@kukicado
Summary
@kukicado
Modern authentication is complex.
OAuth 2.0 offers solutions / flows for most use cases.
Implementing OAuth 2.0 can provide a competitive advantage.
Resources
@kukicado
OAuth 2.0 Official Website
https://oauth.net/2/
OAuth 2.0 Complete Guide
http://bit.ly/oauth-complete
OAuth 2.0 Scopes
http://bit.ly/oauth-scopes
Thank You!
@kukicado