Demystifying OAuth and OIDC: JFokus

Deepu K Sasidharan

February 05, 2025

Transcript

  1. @auth0 | @deepu105 | deepu.tech
     Hi, I'm Deepu K Sasidharan
     ➔ JHipster co-chair
     ➔ Java Champion
     ➔ Creator of KDash, JDL Studio, JWT UI
     ➔ Developer Advocate @ Okta
     ➔ OSS aficionado, polyglot dev, author, speaker
     deepu.tech | @deepu105.bsky.social | deepu05
  2. Authorization
     Process of determining whether a user has the necessary permissions to access a resource.
  3. Why OAuth?
     Enhanced security → Token based, limited scope & duration
     Standardized → Interoperability, ease of integration
     Flexible & scalable → Diverse use cases, cross platform
     UX → Widely adopted, good UX, social login
  4. OAuth
     OAuth 1.0 → No longer used
     OAuth 2.0 → Widely used version
     OAuth 2.1 → Latest version
  5. Tokens
     Access Token → Authorization to access a resource
     Authorization Code → Short lived token to get an access token
     Refresh Token → Long lived token to get new access tokens
  6. Claims and Scopes
     Claim → Key/value pair assertion with user info
     Scope → Group of claims or permission limiting access
  7. OAuth 2.0 Grants
     Authorization Code Grant → Exchange authorization code for access token (secure clients)
     Implicit Grant → Get access token directly (SPA, native apps)
     Client Credentials Grant → Access token without user interaction (confidential clients)
     Resource Owner Password Credentials Grant → Access token using user credentials (trusted clients)
  8. OAuth 2.1 Grants
     Authorization Code Grant with PKCE → Exchange authorization code for access token (secure clients, SPAs, native apps)
     Client Credentials Grant → Access token without user interaction (confidential clients)
  9. Other Grants
     Refresh Token Grant → Exchange refresh token for access token
     Extension Grants → Device Authorization Grant, Token Exchange Grant, CIBA, etc.
  10. Implicit Grant Flow (Not recommended)
      Authorization request: { client_id, response_type=token, redirect_uri=..., scope, state, etc. }
      Token request: NA
  11. Resource Owner Password Credentials Grant Flow (Not recommended)
      Authorization request: NA
      Token request: { client_id, client_secret, username, password, grant_type=password }
  12. Authorization Code Grant Flow (Not recommended)
      Authorization request: { client_id, response_type=code, redirect_uri=..., scope, state, etc. }
      Token request: { client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc. }
  13. Authorization Code Grant Flow with PKCE
      Authorization request: { client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc. }
      Token request: { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc. }
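The two PKCE parameters on this slide, worked through as an added example (not code from the deck or from Auth0): the client derives code_challenge from a random code_verifier for the authorization request, sends the verifier in the token request, and the authorization server recomputes the challenge to confirm both requests came from the same client. The authorization endpoint URL is a hypothetical placeholder.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding with padding stripped, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier (32 random bytes -> 43 unreserved chars).
    It never leaves the client until the token request on the back channel."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, redirect_uri: str, scope: str,
                                state: str, challenge: str) -> str:
    """Front-channel request from the slide: only the challenge travels via the
    browser, so an intercepted authorization code is useless without the verifier."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # Hypothetical authorization server URL used only for illustration.
    return "https://auth.example/authorize?" + urlencode(params)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: the challenge was stored
    with the issued code; recompute it from the presented verifier and compare
    in constant time. Length bounds are the 43..128 chars the spec allows."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
```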
  14. Client Credentials Grant Flow
      Authorization request: NA
      Token request: { client_id, client_secret, grant_type=client_credentials }
  15. Refresh Token Grant Flow
      Authorization request: NA
      Token request: { client_id, client_secret, refresh_token, grant_type=refresh_token }
  16. Device Authorization Grant Flow
      Device authorization request: { client_id, scope }
      Token request: { client_id, device_code, grant_type=urn:ietf:params:oauth:grant-type:device_code }
  17. Authentication
      Process of verifying the identity of a user. OAuth lacked a standard way to authenticate users.
  18. OpenID Connect
      OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework.
  19. OIDC using Authorization Code Grant Flow with PKCE
      Authorization request: { client_id, response_type=code, redirect_uri=..., code_challenge, scope='openid ...', state, etc. }
      Token request: { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc. }
  20. Auth for GenAI
      Try the demo and join the waitlist
      JWT UI