An illustrated crash course for OAuth and OIDC

Transcript

1. Demystifying OAuth and OIDC An illustrated crash course Deepu K

   Sasidharan

2. @oktaDev | @deepu105 | deepu.tech ➔ JHipster co-chair ➔ Java

   Champion ➔ Creator of KDash, JDL Studio, JWT UI ➔ Developer Advocate @ Okta ➔ OSS aficionado, polyglot dev, author, speaker Hi, I’m Deepu K Sasidharan @[email protected] deepu.tech @deepu105 deepu05

3. @oktaDev | @deepu105 | deepu.tech Authorization Process of determining whether

   a user has the necessary permissions to access a resource.

4. @oktaDev | @deepu105 | deepu.tech OAuth OAuth is the industry-standard

   protocol for delegated authorization.

5. @oktaDev | @deepu105 | deepu.tech OAuth OAuth 1.0 →No longer

   used OAuth 2.0 →Widely used version OAuth 2.1 →Latest version

6. @oktaDev | @deepu105 | deepu.tech System Roles Resource Owner →End

   user Resource Server →API Server Client →System requesting access Authorization Server →Authenticate and issue tokens

7. @oktaDev | @deepu105 | deepu.tech System Roles

8. @oktaDev | @deepu105 | deepu.tech Tokens Access Token →Authorization to

   access a resource Authorization Code →Short lived token to get an access token Refresh Token →Long lived token to get new access tokens

9. @oktaDev | @deepu105 | deepu.tech Claim →KV pair assertion with

   user info Scope →Group of claims or permission limiting access

10. @oktaDev | @deepu105 | deepu.tech OAuth 2.0 Grants Authorization Code

    Grant →Exchange authorization code for access token (secure clients) Implicit Grant →Get access token directly (SPA, native apps) Client Credentials Grant →Access token without user interaction (confidential clients) Resource Owner Password Credentials Grant →Access token using user credentials (trusted clients)

11. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant →Exchange authorization

    code for access token (secure clients) Authorization Code Grant with PKCE →Exchange authorization code for access token (secure clients, SPAs, native apps) OAuth 2.0 Grants OAuth 2.1 Grants Implicit Grant →Get access token directly (SPA, native apps) Implicit Grant →Get access token directly (SPA, native apps) Client Credentials Grant →Access token without user interaction (confidential clients) Resource Owner Password Credentials Grant →Access token using user credentials (trusted clients) Resource Owner Password Credentials Grant →Access token using user credentials (trusted clients)

12. @oktaDev | @deepu105 | deepu.tech OAuth 2.1 Grants Authorization Code

    Grant with PKCE →Exchange authorization code for access token (secure clients, SPAs, native apps) Client Credentials Grant →Access token without user interaction (confidential clients)

13. @oktaDev | @deepu105 | deepu.tech Other Grants Refresh Token Grant→Exchange

    refresh token for access token Extension Grants →Device Authorization Grant, Token Exchange Grant, etc.

14. @oktaDev | @deepu105 | deepu.tech OAuth 2 Flows

15. @oktaDev | @deepu105 | deepu.tech Implicit Grant Flow (Not recommended)

    Authorization request { client_id, response_type=token, redirect_uri=..., scope, state, etc } Token request NA

16. @oktaDev | @deepu105 | deepu.tech Resource Owner Password Credentials Grant

    Flow (Not recommended) Authorization request NA Token request { client_id, client_secret, username, password, grant_type=password }

17. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant Flow (Not

    recommended) Authorization request { client_id, response_type=code, redirect_uri=..., scope, state, etc } Token request { client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc }

18. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant Flow with

    PKCE Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc, } Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }

19. @oktaDev | @deepu105 | deepu.tech Client Credentials Grant Flow Authorization

    request NA Token request { client_id, client_secret, grant_type=client_credentials }

20. @oktaDev | @deepu105 | deepu.tech Refresh Token Grant Flow Authorization

    request NA Token request { client_id, client_secret, refresh_token, grant_type=refresh_token }

21. @oktaDev | @deepu105 | deepu.tech Device Authorization Grant Flow Device

    Authorization request { client_id, scope, } Token request { client_id, device_code, grant_type=urn:ietf:params :oauth:grant-type:device_code }

22. @oktaDev | @deepu105 | deepu.tech Authentication Process of verifying the

    identity of a user. OAuth lacked a standard way to authenticate users.

23. @oktaDev | @deepu105 | deepu.tech OpenID Connect OpenID Connect (OIDC)

    is an identity layer built on top of the OAuth 2.0 framework

24. @oktaDev | @deepu105 | deepu.tech OIDC using Authorization Code Grant

    Flow with PKCE Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope=’openid,..’, state, etc, } Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }

25. @oktaDev | @deepu105 | deepu.tech You are now an OAuth

    expert!

26. @oktaDev | @deepu105 | deepu.tech OAuth2 and OIDC workshop for

    Java Developers

27. © Okta and/or its affiliates. All rights reserved. For Okta

    internal use only. DATA CLASSIFICATION: OKTA INTERNAL dev_day a 24 hour virtual event September 24, 2024 Registration opens summer of 2024 Stay up to date with the latest at: a0.to/devday

28. @oktaDev | @deepu105 | deepu.tech Thank You Subscribe to our

    newsletter a0.to/nl-signup/java Try our free Spring Boot + Passkeys workshop a0.to/spring-boot