
TLDR - OAuth

Andy March
September 12, 2019

Web authentication and authorization have come a long way in the last ten years. In this talk we'll look at where we've come from and how OAuth 2.0 and OpenID Connect (OIDC) solved the problems we faced.


  1. Hi!
     10+ years working in secure systems
     Platform Specialist at Okta
     Software Developer (.NET / Java / JS)
     @andymarch
  2. Digital Identity Circa 2007
     Simple Login – forms and cookies
     Single Sign-on – SAML
     Delegated Access – passwords
  3. Who's who of OAuth 2.0
     Roles: Resource Owner, Client, Authorization Server, Resource Server
     Hotel analogy: Guest, Hotel Room, Reception Desk, Hotel
  4. What is an access token anyway?
     Sent by a client in calls to a service.
     Demonstrates that a user has consented to access to resources.
     Two varieties:
     - Reference tokens
     - Self-encoded tokens
  5. JWT Payload (access token)
     {
       "ver": 1,
       "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y",
       "iss": "https://examply.okta-emea.com/oauth2/default",
       "aud": "api://default",
       "iat": 1565947286,
       "exp": 1565953668,
       "cid": "0oa2hfshrmgrckemv0i7",
       "uid": "00u2w6fw3xqvgLv2P0i7",
       "scp": ["profile"],
       "sub": "[email protected]"
     }
  6. Local Token Validation
     - Check the signature
     - Check the audience
     - Check the issuance timestamp
     - Check the expiry timestamp
  7. Token Refresh
     Request: http://examply.okta-emea.com/oauth2/default/v1/token
       Authorization: Basic ${Base64(<client_id>:<client_secret>)}
       grant_type=refresh_token
       redirect_uri=https://examply.co.uk/callback
       scope=profile
       refresh_token=eyJhbGciOiJ[...]K1Sun9bA
     Response:
       {
         "token_type": "Bearer",
         "access_token": "eyJhbGciOiJ[...]K1Sun9bA",
         "expires_in": 3600,
         "scope": "profile",
         "refresh_token": "eyJhbGciOiJ[...]K1Sun9bA"
       }
  8. Digital Identity Circa 2012
     Simple Login – OAuth 2.0 (Authentication)
     Single Sign-on – OAuth 2.0 (Authentication)
     Mobile app login – OAuth 2.0 (Authentication)
     Delegated Access – OAuth 2.0 (Authorization)
  9. OpenID Connect Default Scopes
     openid – Indicates an OpenID request
     profile – Access to the user's profile
     email – Access to the user's email address
     address – Access to the user's physical address
     phone – Access to the user's telephone number
     offline_access – Request a refresh token for continued access
  10. ID Token Payload
      {
        "sub": "00u2w6fw3xqvgLv2P0i7",
        "ver": 1,
        "iss": "https://examply.okta-emea.com/oauth2/default",
        "aud": "0oa2hfshrmgrckemv0i7",
        "iat": 1565961634,
        "exp": 1565965234,
        "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
        "amr": ["pwd"],
        "idp": "00o2az2ierqKuOT0D0i7",
        "nonce": "number_only_once",
        "auth_time": 1565961610,
        "at_hash": "6stguYO_Wp6CV45p1HSlCQ"
      }
  11. Access Token vs ID Token
      Access token (OAuth 2.0 specification):
      - Audience is the resource server
      - Describes the access granted by the user
      ID token (OpenID Connect specification):
      - Audience is the client
      - Describes the authentication of the user
  12. Digital Identity Today
      Simple Login – OpenID Connect
      Single Sign-on – OpenID Connect
      Mobile App Login – OpenID Connect
      Delegated Access – OAuth 2.0