The Many Layers of OAuth, 2024

Transcript

1. Product Manager [email protected] The Many Layers of OAuth

2. Agenda - Intro - OAuth Vocabulary - The Grant Types

   - Which one when? - The fun pain truth lies multitude of specs - Closing / Q&A

3. Who am I?

4. Who am I?

5. Who am I?

6. OAuth Vocab

7. 7 7 7 What is OAuth 2.0? It’s unrelated to

   OAuth 1.0 It’s an authorization framework, has nothing to do with authentication.

8. 8 8 8 What is OpenID Connect (OIDC)? It’s unrelated

   to OpenID It’s an interoperability extension for Single Sign On.

9. 9 9 9 Which is better: OAuth or OpenID Connect?

   Trick question: OIDC is an extension of OAuth

10. 10 10 10 Authentication - vs - Authorization

11. Ref: https://datatracker.ietf.org/doc/html/rfc6749

12. 12 12 12 Key OAuth Terms - Resource Owner is

    you - Resource Server is what you want to share access to - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user, or state - Authorization Server (aka Auth Server) creates the Tokens - Scopes are the permissions you request from the Auth Server - Claims are the key/value pairs returned from the Auth Server

13. 13 13 13 Key OAuth Terms (simplified) - Resource Owner

    is you - Resource Server where you use the token - Grant Type (aka Flow) how you get the tokens - Tokens are the tokens - Authorization Server (aka Auth Server) creates the Tokens - Scopes how you request stuff in the tokens - Claims the stuff in the tokens

14. 14 14 14 Hotel Key Cards but for Apps

15. Grant Types (aka use cases or how you get the

    tokens)

16. 16 16 16 Grant Types (aka OAuth flows) - Authorization

    Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credential Flow Ref: https://datatracker.ietf.org/doc/html/rfc6749

17. 17 17 17 Authorization Code Flow User Auth Client Auth

18. 18 18 18 Implicit Flow User Auth No Client Auth!

19. 19 19 19 Resource Owner Password Flow Wait. What does

    that mean? The app has your creds! No Client Auth! User Auth

20. 20 20 20 Client Credential Flow Client Auth No User

    Auth!

21. Which should I use?

22. 22 22 22 - Authorization Code Flow - Implicit Flow

    - Resource Owner Password Flow - Client Credential Flow Grant Types (aka OAuth flows)

23. 23 23 23 Which should I use?

24. 24 24 24 Grant Types (aka OAuth flows) - Authorization

    Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credential Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Ref: Various RFCs

25. 25 25 25 Authorization Code Flow with PKCE (RFC 7636)

    Ref: https://datatracker.ietf.org/doc/rfc7636/ User Auth Client Auth

26. 26 26 26 SAML Assertion Flow (RFC 7522) Ref: https://datatracker.ietf.org/doc/rfc7522/

    User Auth Client Auth

27. 27 27 27 Grant Types (aka OAuth flows) - Authorization

    Code Flow replaced w/ PKCE (below) - Implicit Flow replaced w/ PKCE (below) - Resource Owner Password Flow removed - Client Credential Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Ref: https://oauth.net/2.1/ (still a draft)

28. 28 28 28 Which should I use?

29. 29 29 29 Which should I use? (under OAuth 2.1)

    * Leaves out SAML Assertion, Device Grant Type, and others Does your App have an end user? Client Credential Flow Auth Code with PKCE Yes No

30. Specifications

31. Ref: https://datatracker.ietf.org/doc/html/rfc6749 OAuth 2.0 Core (RFC 6749)

32. 32 32 32 Notice: NOT Authentication

33. Ref: https://datatracker.ietf.org/doc/html/rfc6749 What are Access Tokens?

34. 34 34 34 JWTs to the Rescue! (JSON Web Tokens)

35. 35 35 35 Ha. You wish.

36. Ref: https://datatracker.ietf.org/doc/html/rfc7519 JSON Web Token (RFC 7519)

37. Ref: https://datatracker.ietf.org/doc/html/rfc7519 JWTs: Standard Claims!

38. Ref: https://datatracker.ietf.org/doc/html/rfc7519 JWTs: Standard Claims! lol, nope

39. 39 39 39 So then what do we do?

40. 40 40 40 OpenID Connect FTW

41. Ref: https://openid.net/specs/openid-connect-core-1_0.html OpenID Connect

42. 42 42 42 - openid - erofile - email -

    address - phone OIDC: Opinionated Structure - name - given_name - email - street_address - phone_number And many more..

43. 43 43 43 - RFC 7662 Token Introspection - RFC

    7009 Token Revocation - RFC 8628 Device Authorization Grant - RFC 7522 SAML Assertion - RFC 7591 Dynamic Client Registration - RFC 7592 Dynamic Client Management - OpenID Connect Metadata Discovery - RFC 8414 Authorization Server Metadata Discovery - Industry-specific: Open Banking/FAPI, FHIR (healthcare), Open Insurance, Open Energy More Pieces! Ref: https://www.oauth.com/oauth2-servers/map-oauth-2-0-specs/

44. Closing Thoughts

45. 45 45 45 “We support OAuth” is a meaningless statement

46. 46 46 46 “We support OpenID Connect” is useful (for

    SSO or interop)

47. 47 47 47 Figure out which combination of specs your

    need & they have *RFC 8414 is your best friend

48. Recap - Intro - OAuth Vocabulary - The Grant Types

    - Which one when? - The fun pain truth lies multitude of specs - Closing / Q&A

49. Thank You

50. FYI - OAuth 2.0 Simplified - https://www.oauth.com/ - Includes specs,

    explanations, etc - OAuth 2.0 Course - Includes examples, walkthroughs, etc

51. Product Manager [email protected] The Many Layers of OAuth