OAuth by Example - Workshop

Andy March
December 05, 2019

Authentication and authorization have come a long way in the last ten years. Are you still rolling your own identity? Don't know the difference between the authorization code grant and the client credentials grant? Do you want to accept social authentication for your service but aren't sure how?

Join Andy March as we review OAuth and OIDC: their history, the problems they solve, and how you can apply them to your services. This workshop guides you through configuring Okta as an identity provider and deploying a simple web app that enforces authentication and authorization.

Transcript

  1. Hi!
     10+ years working in secure systems
     Platform Specialist at Okta
     Software Developer (.NET / Java / JS)
     @andymarch

  2. Digital Identity Circa 2007
     Simple Login – forms and cookies
     Single Sign-on – SAML
     Delegated Access – passwords

  3. Who's who of OAuth 2.0
     Roles: Resource Owner, Client, Authorization Server, Resource Server
     Hotel analogy: Guest, Hotel Room, Reception Desk, Hotel

  4. What is an access token anyway?
     Sent by a client in calls to a service.
     Demonstrates that a user has consented to access to resources.
     Two varieties:
     - Reference tokens
     - Self-encoded tokens
  5. JWT Payload (access token)
     {
       "ver": 1,
       "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y",
       "iss": "https://examply.okta-emea.com/oauth2/default",
       "aud": "api://default",
       "iat": 1565947286,
       "exp": 1565953668,
       "cid": "0oa2hfshrmgrckemv0i7",
       "uid": "00u2w6fw3xqvgLv2P0i7",
       "scp": ["profile"],
       "sub": "[email protected]"
     }
  6. Local Token Validation
     Check the signature
     Check the audience
     Check the issuance timestamp
     Check the expiry timestamp

  7. Digital Identity Circa 2012
     Simple Login – OAuth 2.0 (Authentication)
     Single Sign-on – OAuth 2.0 (Authentication)
     Mobile app login – OAuth 2.0 (Authentication)
     Delegated Access – OAuth 2.0 (Authorization)

  8. OpenID Connect Default Scopes
     openid – indicates an OpenID request
     profile – access to the user's profile
     email – access to the user's email address
     address – access to the user's physical address
     phone – access to the user's telephone number
     offline_access – request a refresh token for continued access
  9. ID Token Payload
     {
       "sub": "00u2w6fw3xqvgLv2P0i7",
       "ver": 1,
       "iss": "https://examply.okta-emea.com/oauth2/default",
       "aud": "0oa2hfshrmgrckemv0i7",
       "iat": 1565961634,
       "exp": 1565965234,
       "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
       "amr": ["pwd"],
       "idp": "00o2az2ierqKuOT0D0i7",
       "nonce": "number_only_once",
       "auth_time": 1565961610,
       "at_hash": "6stguYO_Wp6CV45p1HSlCQ"
     }
 10. Access Token vs ID Token
     Access token (OAuth 2.0 specification): audience is the resource server; describes the access granted by the user.
     ID token (OpenID Connect specification): audience is the client; describes the authentication of the user.
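The four local checks of slide 6, applied to both token shapes from slides 5 and 9 with the audience rule of slide 10, as an added Python example that is not part of the deck. It signs with HS256 and a constructed shared secret purely so it runs offline; Okta issues RS256 tokens, and a real validator resolves the signing key from the issuer's JWKS endpoint. The issuer, client id, API audience and nonce are copied from the deck's payloads; the secret, subject, timestamps and every function name are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo material, not from the deck: an HMAC shared secret so the
# example runs offline. Okta signs tokens with RS256; a real validator resolves
# the signing key from the issuer's JWKS endpoint and verifies an RSA signature.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://examply.okta-emea.com/oauth2/default"  # "iss" in the deck's payloads
CLIENT_ID = "0oa2hfshrmgrckemv0i7"                      # "cid" / ID-token "aud"
API_AUDIENCE = "api://default"                          # access-token "aud"
ALLOWED_ALGS = {"HS256"}                                # pinned in server config

class TokenError(Exception):
    """Any validation failure; a resource server answers all of them with 401."""

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def at_hash_of(access_token):
    """OIDC at_hash for a SHA-256 alg: base64url of the left-most 128 bits."""
    return b64url_encode(hashlib.sha256(access_token.encode()).digest()[:16])

def mint_jwt(payload, alg="HS256"):
    """Issue a compact JWT; stands in for the authorization server."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_jwt(token, expected_aud, now=None, leeway=60):
    """The deck's four local checks: signature, audience, issued-at, expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Trusting the token's own "alg" is what "none" and key-confusion attacks exploit.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenError("signature does not verify")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:
        raise TokenError(f"token not meant for this audience: {aud}")
    if claims.get("iat", 0) > now + leeway:
        raise TokenError("token issued in the future")
    if claims.get("exp", 0) < now - leeway:
        raise TokenError("token expired")
    return claims

def validate_access_token(token, now=None):
    """A resource server expects its own API identifier as audience."""
    return validate_jwt(token, API_AUDIENCE, now)

def validate_id_token(token, access_token, expected_nonce, now=None):
    """A client expects its client_id as audience, plus OIDC's nonce and at_hash."""
    claims = validate_jwt(token, CLIENT_ID, now)
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (replayed or injected ID token)")
    if claims.get("at_hash") != at_hash_of(access_token):
        raise TokenError("at_hash does not match the presented access token")
    return claims

def rejects(fn, *args):
    """True if the validator raises TokenError; used for the negative cases."""
    try:
        fn(*args)
    except TokenError:
        return True
    return False

def demo():
    """Mint a token pair modelled on the deck's payloads and validate both."""
    now = 1565961700  # fixed clock so the run is deterministic
    access_token = mint_jwt({
        "iss": ISSUER, "aud": API_AUDIENCE, "cid": CLIENT_ID, "scp": ["profile"],
        "iat": now - 60, "exp": now + 3600, "sub": "user@example.com"})  # constructed subject
    id_token = mint_jwt({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "00u2w6fw3xqvgLv2P0i7", "amr": ["pwd"],
        "iat": now - 60, "exp": now + 3600, "auth_time": now - 90,
        "nonce": "number_only_once", "at_hash": at_hash_of(access_token)})
    api_claims = validate_access_token(access_token, now)
    client_claims = validate_id_token(id_token, access_token, "number_only_once", now)
    return {"access_token": access_token, "id_token": id_token, "now": now,
            "scopes": api_claims["scp"], "subject": client_claims["sub"]}
```

The audience check is what separates the two token types in practice: the same `validate_jwt` rejects an ID token sent to the API and an access token handed to the client, which is the mix-up slide 10 warns about. The algorithm is pinned from configuration rather than read from the token header, and a small clock leeway keeps tokens from being rejected over minor skew between the authorization server and the resource server.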
 11. Digital Identity Today
     Simple Login – OpenID Connect
     Single Sign-on – OpenID Connect
     Mobile App Login – OpenID Connect
     Delegated Access – OAuth 2.0

 12. OAuth 2.0 Simplified
     Written by Aaron Parecki, Senior Security Architect @ Okta
     Member of the OAuth working group
     Maintainer of OAuth.net