Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

An illustrated crash course for OAuth and OIDC

An illustrated crash course for OAuth and OIDC

In this talk, we will embark on an illustrated journey to demystify OAuth 2.1 and OpenID Connect (OIDC). We will start by exploring the fundamental concepts of these two protocols, their roles in modern authentication and authorization, and the problems they solve in the realm of identity and access management.

Deepu K Sasidharan

June 25, 2024
Tweet

More Decks by Deepu K Sasidharan

Other Decks in Programming

Transcript

  1. @oktaDev | @deepu105 | deepu.tech ➔ JHipster co-chair ➔ Java

    Champion ➔ Creator of KDash, JDL Studio, JWT UI ➔ Developer Advocate @ Okta ➔ OSS aficionado, polyglot dev, author, speaker Hi, I’m Deepu K Sasidharan @[email protected] deepu.tech @deepu105 deepu05
  2. @oktaDev | @deepu105 | deepu.tech Authorization Process of determining whether

    a user has the necessary permissions to access a resource.
  3. @oktaDev | @deepu105 | deepu.tech OAuth OAuth 1.0 →No longer

    used OAuth 2.0 →Widely used version OAuth 2.1 →Latest version
  4. @oktaDev | @deepu105 | deepu.tech System Roles Resource Owner →End

    user Resource Server →API Server Client →System requesting access Authorization Server →Authenticate and issue tokens
  5. @oktaDev | @deepu105 | deepu.tech Tokens Access Token →Authorization to

    access a resource Authorization Code →Short lived token to get an access token Refresh Token →Long lived token to get new access tokens
  6. @oktaDev | @deepu105 | deepu.tech Claim →KV pair assertion with

    user info Scope →Group of claims or permission limiting access
  7. @oktaDev | @deepu105 | deepu.tech OAuth 2.0 Grants Authorization Code

    Grant →Exchange authorization code for access token (secure clients) Implicit Grant →Get access token directly (SPA, native apps) Client Credentials Grant →Access token without user interaction (confidential clients) Resource Owner Password Credentials Grant →Access token using user credentials (trusted clients)
  8. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant →Exchange authorization

    code for access token (secure clients) Authorization Code Grant with PKCE →Exchange authorization code for access token (secure clients, SPAs, native apps) OAuth 2.0 Grants OAuth 2.1 Grants Implicit Grant →Get access token directly (SPA, native apps) Implicit Grant →Get access token directly (SPA, native apps) Client Credentials Grant →Access token without user interaction (confidential clients) Resource Owner Password Credentials Grant →Access token using user credentials (trusted clients) Resource Owner Password Credentials Grant →Access token using user credentials (trusted clients)
  9. @oktaDev | @deepu105 | deepu.tech OAuth 2.1 Grants Authorization Code

    Grant with PKCE →Exchange authorization code for access token (secure clients, SPAs, native apps) Client Credentials Grant →Access token without user interaction (confidential clients)
  10. @oktaDev | @deepu105 | deepu.tech Other Grants Refresh Token Grant→Exchange

    refresh token for access token Extension Grants →Device Authorization Grant, Token Exchange Grant, etc.
  11. @oktaDev | @deepu105 | deepu.tech Implicit Grant Flow (Not recommended)

    Authorization request { client_id, response_type=token, redirect_uri=..., scope, state, etc } Token request NA
  12. @oktaDev | @deepu105 | deepu.tech Resource Owner Password Credentials Grant

    Flow (Not recommended) Authorization request NA Token request { client_id, client_secret, username, password, grant_type=password }
  13. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant Flow (Not

    recommended) Authorization request { client_id, response_type=code, redirect_uri=..., scope, state, etc } Token request { client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  14. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant Flow with

    PKCE Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc, } Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  15. @oktaDev | @deepu105 | deepu.tech Client Credentials Grant Flow Authorization

    request NA Token request { client_id, client_secret, grant_type=client_credentials }
  16. @oktaDev | @deepu105 | deepu.tech Refresh Token Grant Flow Authorization

    request NA Token request { client_id, client_secret, refresh_token, grant_type=refresh_token }
  17. @oktaDev | @deepu105 | deepu.tech Device Authorization Grant Flow Device

    Authorization request { client_id, scope, } Token request { client_id, device_code, grant_type=urn:ietf:params :oauth:grant-type:device_code }
  18. @oktaDev | @deepu105 | deepu.tech Authentication Process of verifying the

    identity of a user. OAuth lacked a standard way to authenticate users.
  19. @oktaDev | @deepu105 | deepu.tech OpenID Connect OpenID Connect (OIDC)

    is an identity layer built on top of the OAuth 2.0 framework
  20. @oktaDev | @deepu105 | deepu.tech OIDC using Authorization Code Grant

    Flow with PKCE Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope=’openid,..’, state, etc, } Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  21. © Okta and/or its affiliates. All rights reserved. For Okta

    internal use only. DATA CLASSIFICATION: OKTA INTERNAL dev_day a 24 hour virtual event September 24, 2024 Registration opens summer of 2024 Stay up to date with the latest at: a0.to/devday
  22. @oktaDev | @deepu105 | deepu.tech Thank You Subscribe to our

    newsletter a0.to/nl-signup/java Try our free Spring Boot + Passkeys workshop a0.to/spring-boot