Slide 1

Slide 1 text

OAuth demystified! Sébastien Stormacq, AWS Developer Advocate, @sebsto

Slide 2

Slide 2 text

Congrats! Your app launched!

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

userid    firstname   lastname   email              password
sebsto    Sébastien   Stormacq   [email protected]  FA34BD7543E…
natalia   Natalia     Arbelaez   [email protected]  AA6FC2984AB…

Slide 5

Slide 5 text

What could possibly go wrong?

Slide 6

Slide 6 text

From 50 to 50,000,000 users

Slide 7

Slide 7 text

http://blog.interactiveschools.com/blog/50-million-users-how-long-does-it-take-tech-to-reach-this-milestone

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

Developers build features!

Slide 16

Slide 16 text

DO NOT ⛔
- Build your own identity system
- Store user credentials

Slide 17

Slide 17 text

- Identification
- Authentication
- Authorisation

Slide 18

Slide 18 text

- OAuth
- OpenID Connect

Slide 19

Slide 19 text

Managed OAuth Service

Slide 20

Slide 20 text

Amazon Cognito: Managed identities in the ☁
- Managed user directory
- Sign in with existing identities (federation)
- Customised hosted UI or SDK
- AWS credentials and access control
- OpenID Connect and OAuth 2

Slide 21

Slide 21 text

Amazon Cognito: Managed identities in the ☁

Slide 22

Slide 22 text

OpenID Connect and OAuth Flows

Slide 23

Slide 23 text

Implicit Grant

Slide 24

Slide 24 text

Participants: User; Client App (browser, mobile app, app server); Auth Service (Authorization & Identity Server); Resource Server (API)

1. User -> Client App: click "login with XXX"
2. Client App -> Auth Service: authenticate ? state = 987 & redirect_uri = <client callback> & client_id = 123 & scope = email & response = token
3. Auth Service -> User: enter credentials
4. Auth Service: verify credentials
5. Auth Service -> Client App: redirect to redirect_uri ? state = 987 & token = abc & token_type = bearer
6. Client App: securely store token
7. User -> Client App: access API
8. Client App: get access token
9. Client App -> Resource Server: invoke API (Authorization: access_token)

Slide 25

Slide 25 text

Code Grant

Slide 26

Slide 26 text

Participants: User; Client App (browser, mobile app, app server); Auth Service (Authorization & Identity Server); Resource Server (API)

1. User -> Client App: click "login with XXX"
2. Client App -> Auth Service: authenticate ? state = 987 & redirect_uri = <client callback> & client_id = 123 & scope = email & response = code
3. Auth Service -> User: enter credentials
4. Auth Service: verify credentials
5. Auth Service -> Client App: redirect to redirect_uri ? code = abc & state = 987
6. Client App -> Auth Service: get_token ? client_id = 123 & code = abc (Authorization: base64(client_id:client-secret))
7. Auth Service -> Client App: return id, access & refresh tokens
8. Client App: securely store tokens
9. User -> Client App: access API
10. Client App: get access token
11. Client App -> Resource Server: invoke API (Authorization: access_token)
12. (optional) Client App -> Auth Service: refresh tokens
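The code grant on this slide, as an added example that is not part of the deck and not Amazon Cognito code: a self-contained Python simulation of both the client and the authorization server, showing the two checks the diagram implies but does not spell out (the client verifies that the returned state is the one it sent; the server checks the client's Basic credentials and accepts each code only once). The endpoint URLs, the client secret, and the issued codes and tokens are assumed or constructed placeholders; client_id 123 and scope email come from the slide.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_URL = "https://auth.example/authorize"        # assumed endpoint, not from the slides
REDIRECT_URI = "https://app.example/callback"      # assumed client callback
CLIENT_ID, CLIENT_SECRET = "123", "client-secret"  # client_id from the slide; secret constructed
_issued_codes = {}  # auth-server state: code -> client_id (each code is single use)

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def _basic_auth(client_id, client_secret):
    # The slide's "authorization = base64(client_id:client-secret)" header.
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def build_authorize_url(state):
    # Client -> auth service. The slide abbreviates this as "response = code";
    # the parameter name on the wire is response_type.
    return AUTH_URL + "?" + urlencode({"state": state, "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID, "scope": "email", "response_type": "code"})

def server_issue_code(authorize_url, credentials_ok):
    # Auth service: after "verify credentials", redirect to redirect_uri with code and state.
    q = _query(authorize_url)
    if not credentials_ok or q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
        return None
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = CLIENT_ID
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": q.get("state", "")})

def server_token(auth_header, code):
    # Auth service get_token: authenticate the client, then consume the one-time code.
    if not secrets.compare_digest(auth_header, _basic_auth(CLIENT_ID, CLIENT_SECRET)):
        return None
    if _issued_codes.pop(code, None) != CLIENT_ID:
        return None
    return {"id_token": "id-" + secrets.token_hex(8), "access_token": "at-" + secrets.token_hex(8),
            "refresh_token": "rt-" + secrets.token_hex(8), "token_type": "bearer"}

def client_handle_callback(callback_url, expected_state, client_secret=CLIENT_SECRET):
    # Client: ignore the redirect unless state equals the value this client generated,
    # so a code that was not requested by this user's session is never exchanged.
    q = _query(callback_url)
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        return None
    return server_token(_basic_auth(CLIENT_ID, client_secret), q.get("code", ""))

def run_code_grant(credentials_ok=True, expected_state=None, client_secret=CLIENT_SECRET):
    # Whole flow end to end. expected_state / client_secret let a caller simulate a
    # mismatched state or a wrong client secret; returns the token set or None on failure.
    state = secrets.token_urlsafe(8)
    callback = server_issue_code(build_authorize_url(state), credentials_ok)
    if callback is None:
        return None
    return client_handle_callback(callback, expected_state or state, client_secret)
```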

Slide 27

Slide 27 text

Demo

Slide 28

Slide 28 text

Thank you! @sebsto /sebsto /sebsto /sebAWS Sébastien Stormacq