Slide 1

Demystifying OAuth and OIDC: An illustrated crash course
Deepu K Sasidharan

Slide 2

@auth0 | @deepu105 | deepu.tech

Hi, I'm Deepu K Sasidharan
➔ JHipster co-chair
➔ Java Champion
➔ Creator of KDash, JDL Studio, JWT UI
➔ Developer Advocate @ Okta
➔ OSS aficionado, polyglot dev, author, speaker
@deepu105@mastodon.social | deepu.tech | @deepu105.bsky.social | deepu05

Slide 3

Authorization
Process of determining whether a user has the necessary permissions to access a resource.

Slide 4

OAuth
OAuth is the industry-standard protocol for delegated authorization.

Slide 5

Why OAuth?

Slide 6

Enhanced security: token based, limited scope and duration
Standardized: interoperability, ease of integration
Flexible and scalable: diverse use cases, cross-platform
UX: widely adopted, good UX, social login

Slide 7

OAuth
OAuth 1.0 → No longer used
OAuth 2.0 → Widely used version
OAuth 2.1 → Latest version

Slide 8

System Roles

Slide 9

Tokens
Access Token → Authorization to access a resource
Authorization Code → Short-lived token to get an access token
Refresh Token → Long-lived token to get new access tokens

Slide 10

Claim → Key-value pair assertion with user info
Scope → Group of claims or permissions limiting access

Slide 11

OAuth 2.0 Grants
Authorization Code Grant → Exchange authorization code for access token (secure clients)
Implicit Grant → Get access token directly (SPA, native apps)
Client Credentials Grant → Access token without user interaction (confidential clients)
Resource Owner Password Credentials Grant → Access token using user credentials (trusted clients)

Slide 12

OAuth 2.1 Grants
Authorization Code Grant with PKCE → Exchange authorization code for access token (secure clients, SPAs, native apps)
Client Credentials Grant → Access token without user interaction (confidential clients)

Slide 13

Other Grants
Refresh Token Grant → Exchange refresh token for access token
Extension Grants → Device Authorization Grant, Token Exchange Grant, CIBA, etc.

Slide 14

OAuth 2 Flows

Slide 15

Implicit Grant Flow (Not recommended)
Authorization request: { client_id, response_type=token, redirect_uri=..., scope, state, etc }
Token request: NA

Slide 16

Resource Owner Password Credentials Grant Flow (Not recommended)
Authorization request: NA
Token request: { client_id, client_secret, username, password, grant_type=password }

Slide 17

Authorization Code Grant Flow (Not recommended)
Authorization request: { client_id, response_type=code, redirect_uri=..., scope, state, etc }
Token request: { client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc }

Slide 18

Authorization Code Grant Flow with PKCE
Authorization request: { client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc }
Token request: { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }

Slide 19

Client Credentials Grant Flow
Authorization request: NA
Token request: { client_id, client_secret, grant_type=client_credentials }

Slide 20

Refresh Token Grant Flow
Authorization request: NA
Token request: { client_id, client_secret, refresh_token, grant_type=refresh_token }

Slide 21

Device Authorization Grant Flow
Device Authorization request: { client_id, scope }
Token request: { client_id, device_code, grant_type=urn:ietf:params:oauth:grant-type:device_code }

Slide 22

OAuth Flow Decision Tree

Slide 23

Authentication
Process of verifying the identity of a user.
OAuth lacked a standard way to authenticate users.

Slide 24

OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework.

Slide 25

OIDC using Authorization Code Grant Flow with PKCE
Authorization request: { client_id, response_type=code, redirect_uri=..., code_challenge, scope='openid,..', state, etc }
Token request: { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
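The PKCE flow on this slide and on the earlier "Authorization Code Grant Flow with PKCE" slide, worked through in Python as an added example (not code from the deck or from any Auth0/Okta SDK): the client derives a code_verifier and S256 code_challenge, sends the authorization request with state and scope=openid, checks state on the redirect, and the authorization server re-derives the challenge from the code_verifier at the token endpoint. The authorize URL, client_id and redirect_uri are placeholder values; the wire parameter for the code in the token request is named code, as in RFC 6749.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs, urlparse


def base64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge). 32 random bytes -> 43 unreserved chars."""
    verifier = base64url(secrets.token_bytes(32))
    challenge = base64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(authorize_url, client_id, redirect_uri, challenge, state):
    """Client side: the browser is sent to this URL. Only the challenge leaves the client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",          # 'openid' turns the OAuth flow into OIDC
        "state": state,                      # bound to the user's session, checked on return
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}"


def redirect_state_matches(redirect_url, expected_state) -> bool:
    """Client side: reject a callback whose state does not match the one we issued."""
    query = parse_qs(urlparse(redirect_url).query)
    return query.get("state", [None])[0] == expected_state


def build_token_request(client_id, code, verifier, redirect_uri):
    """Client side: the code is exchanged together with the plain code_verifier."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "code_verifier": verifier, "redirect_uri": redirect_uri}


def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """Authorization server side: the challenge stored with the issued code must equal
    S256(code_verifier); a stolen code without the verifier fails this check."""
    expected = base64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, stored_challenge)
```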

Slide 26

Auth for GenAI
Try the demo and join the waitlist
JWT UI

Slide 27

You are now an OAuth expert!

Slide 28

Auth for GenAI
Try the demo and join the waitlist

Slide 29

OAuth2 and OIDC workshop for Java Developers

Slide 30

Thank You