A bite of OAuth 2.0

and more and more and more

wombat team 尊享版

Agenda

  • Introduce OAuth 2.0
  • Why OAuth 2.0?
  • OAuth 2.0 Grant Type
  • Authorization Code Grant
  • Implicit Grant
  • OpenID Connect
  • JWT is a kind of magic
  • So, build SSO, shall we?
  • What about MicroServices Auth/Autho?

Introduction

  • You don't want to give someone your password to access your resource. —— user
  • Your service has a lot of resources, you want to bring everyone in to build environment. —— service provider
  • You want to start a program to help people, but hold user's credentials is dangerous. —— client
  • You want the services are easy to deal with user's identity with minimum cost. —— dev
  • You want users' identities are easy to manage and support multiple factor authentications. —— ops

Roles

  • Resource owner (the user)
  • Resource server (the API)
  • Authorization server (can be the same server as the API)
  • Client (the third-party app)

https://authorization-server.com/authorize

https://authorization-server.com/token

Terms

  • Access Token
  • Refresh Token
  • Authorization Code
  • Authorization Grant
    • authorization code

    • implicit

    • resource owner

    • client credentials

Authorization Code Grant

Implicit Grant

Questions?

How do resource owner verify the token and supply service?

If I'm going to build authorization system, how to manage the clients?

How to implement a RBAC?

Hmm... client works in user-agent, how to persist the token?

Let's think about our website, what about current token implement?

OpenID Connect

OpenID Connect is trying to solve identity sharing.

JWT

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWdlIjoyNSwiYWRtaW4iOnRydWUsImdlbmRlciI6Im1hbGUifQ.ZQxleE14Pl8Kt4SxCN_tBpi8cW2yTiWEKBx5l85oupw

Build SSO

OpenID Connect is light, friendly, simple to dev.

How to deal with legacy systems?

Identity Management is quite a big part.

Keys, certificates, role changes, token expires.

Client management.

Can we buy?

Identity service as Application

A bit thought about MicroService

decentration

DONE

Made with Slides.com