AUTHENTICATION IN WEB, API-BASED &
DISTRIBUTED ENVIRONMENTS
NIKO KÖBLER (@DASNIKO)
ABOUT ME
▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
▸ Doing stuff with & without computers, writing Software, > 20 yrs
▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
▸ Speaker at international Tech Conferences
▸ Author of „Serverless Computing in AWS Cloud“ (serverlessbuch.de)
▸ Twitter: @dasniko
SSO & AUTHENTICATION IN API-BASED ENVIRONMENTS
AUTHENTICATION
AUTHORIZATION
OAUTH2
AUTHORIZATION, NOT AUTHENTICATION!
The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service.
IETF, RFC 6749, 2012
OAUTH2 GRANT TYPES
GRANT TYPE                           APPS
Authorization Code                   Web, Apps
Implicit                             JavaScript, etc.
Resource Owner Password Credentials  Apps
Client Credentials                   Web
Refresh                              Web, Apps
OAUTH2 TERMS
Resource Owner
Client
Authorization Server
Resource Server
Redirect URI
Response Type
Scope
Consent
Client ID
Client Secret
Authorization Code
Access Token
OPEN ID CONNECT
AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
‣ verify the identity of an end-user
‣ obtain basic profile information about the user
‣ RESTful HTTP API, using JSON as data format
‣ allows clients of all types (web-based, mobile, JavaScript)
OPENID FOUNDATION, 2014