Slide 1

JUST ENOUGH OPENID CONNECT: A SECURITY PROTOCOL IN 3 ACTS

Slide 2

About Me @falican

Slide 3

Agenda
• The Scenario
• Talking OIDC
• Token Expiration
• More: Using Client Credentials

Slide 4

THE SCENARIO: GRACE & HER ML MODEL

Slide 5

GRACE HOOPER, DATA SCIENTIST

Grace has a strong maths & stats background and recently joined Rail Corp, working in their fledgling data science department.

Experience:
• Matlab
• R
• Power BI
• Excel
• Tableau

Slide 6

When Will A Wagon Need Maintenance?

Slide 7

Hand Cranking the Predictions
1. Export a CSV from data warehouse via Power BI.
2. Run the model overnight.
3. Upload CSV via Power BI to data warehouse.
4. Generate the PDF report with Power BI.
5. Email report to stakeholders.

Slide 8

The Automation Plan
1. Use Python to download the data from the data warehouse.
2. Use Python to upload the predictions to the data warehouse.
3. Run the model on a server.

Slide 9

TALKING OPENID CONNECT (OIDC): HERE ARE YOUR CLIENT CREDENTIALS

Slide 10

Off to a Slow Start

From: Grace Hooper
To: Avery Adams
Subject: accessing the warehouse with python

Hi Avery, I need to download & upload data to the warehouse using python. Can you help?
- Grace

From: Avery Adams
To: Grace Hooper
Subject: RE: accessing the warehouse with Python

Hi Grace, the warehouse documentation says you can use http & "openid connect" and that I need to give you some client credentials. I've generated you some credentials and included them below along with some other data the docs say you will need. You are the first person to do this so can you let me know how you get on?

Here are your client credentials:
Client id: gracehooper
Client secret: eca4368d5b92c3ae5f46a5404b5bd47f
Grant type: password
Token url: https://dwh.railcorp.com/oidc/token

Slide 11

OpenID Connect?

"OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner." (quoting openid.net)

Authentication? So something like HTTP Basic Auth?

Slide 12

So Something Like HTTP Basic Auth?
Source: http://docs.python-requests.org/en/master/user/authentication/

Slide 13

Grant Type?
Client id: gracehooper
Client secret: eca4368d5b92c3ae5f46a5404b5bd47f
Grant type: password
Token url: https://dwh.railcorp.com/oidc/token

Slide 14

Resource Owner Password Grant
Source: https://github.com/FrankHassanabad/Oauth2orizeRecipes (MIT License)

Slide 15

Python (Batteries Included)
Source: http://docs.python-requests.org/en/master/user/authentication/

Slide 16

It Works!
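What the request behind "It Works!" actually sends on the wire, as an added example written for this page in standard-library Python; it is not code from the talk and not requests-oauthlib's own code. The client id, client secret, grant type and token URL are the ones from Avery's e-mail; the username, the password and the token response are constructed for the example.

```python
# Added example: the resource-owner-password token request, built by hand so the
# wire format is visible.  Client id/secret/token URL are the talk's values; the
# username, password and SAMPLE_RESPONSE below are constructed, not from the talk.
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://dwh.railcorp.com/oidc/token"
CLIENT_ID = "gracehooper"
CLIENT_SECRET = "eca4368d5b92c3ae5f46a5404b5bd47f"


def password_grant_request(username, password, client_id=CLIENT_ID,
                           client_secret=CLIENT_SECRET, token_url=TOKEN_URL):
    """Build the RFC 6749 section 4.3 token request as (url, headers, body).

    The client authenticates with HTTP Basic (client id and secret in the
    Authorization header); the *user's* username and password travel in the
    form-encoded body.  That is the catch of this grant: the script must hold
    Grace's own password.  Everything is clear text inside TLS, hence https only.
    """
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be https: credentials would otherwise be sent in the clear")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return token_url, headers, body


def decode_basic(authorization_header):
    """Reverse of the header above: Basic auth is base64, i.e. encoding, not encryption."""
    scheme, _, blob = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, secret = base64.b64decode(blob).decode().partition(":")
    return user, secret


def parse_token_response(raw_json, now=None):
    """Turn the token endpoint's JSON into the dict a client keeps as its token.

    expires_in is a relative lifetime in seconds; the client records an absolute
    expires_at so a later call can tell that the access token has lapsed.
    """
    tok = json.loads(raw_json)
    if "error" in tok:
        raise PermissionError(f"token request failed: {tok['error']}")
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {tok.get('token_type')!r}")
    now = time.time() if now is None else now
    if "expires_in" in tok:
        tok["expires_at"] = now + int(tok["expires_in"])
    return tok


def is_expired(token, now=None, leeway=30):
    """True when the access token is past (or within `leeway` seconds of) expires_at."""
    now = time.time() if now is None else now
    return "expires_at" in token and token["expires_at"] - leeway <= now


def bearer_header(token):
    """Header for the warehouse API calls once a token has been obtained."""
    return {"Authorization": f"Bearer {token['access_token']}"}


# Constructed token response, in the shape the token endpoint answers with.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed-access-token-1",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "constructed-refresh-token-1",
})

if __name__ == "__main__":
    url, headers, body = password_grant_request("grace", "s3cret@rail")
    print("POST", url, headers, body)
    token = parse_token_response(SAMPLE_RESPONSE)
    print(bearer_header(token), "expired:", is_expired(token))
```

Two things are worth noticing before moving on. The Basic header is just base64 of client_id:client_secret, so anyone who can read the request, the slide, or Avery's e-mail has the secret; a client secret that has been e-mailed and then shown on a slide should be treated as burned and rotated. And although the path says /oidc/, this exchange is plain OAuth 2.0: no openid scope is requested and no ID token comes back; the script only needs the access token to call the warehouse API.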

Slide 17

REFRESH TOKENS: WHY IS THIS REQUEST FAILING?

Slide 18

This Should Work?!

Slide 19

TokenExpiredError? (raised by oauthlib, which requests-oauthlib uses underneath, when the saved token's expires_at lies in the past: the library refuses to send a request with an access token it already knows has expired)

Slide 20

That Fixed It

Slide 21

USING CLIENT CREDENTIALS: DON'T GIVE OUT YOUR PASSWORD

Slide 22

What About Other Workflows?
Source: https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#available-workflows

Slide 23

Client Credentials Grant
Source: http://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#backend-application-flow

Slide 24

Client Credentials Grant
Source: https://github.com/FrankHassanabad/Oauth2orizeRecipes/wiki/Security-Scenarios (MIT)

Slide 25

Well That is Simple!
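The three exchanges of the deck in one runnable model, as an added example written for this page (not code from the talk and not requests-oauthlib): the password grant of "Talking OpenID Connect", the expired-token failure and refresh of "Token Expiration", and the client credentials grant of this section. The token endpoint and the warehouse API are simulated in memory; the client id and secret are the ones from the slides, while the user database, passwords, row data and the fake clock are constructed.

```python
# Added example: in-memory token endpoint + warehouse API, and Grace's client.
# Client id/secret are the talk's; the user "grace", her password, the row data,
# ACCESS_TTL and the fake clock are constructed for the example, not from the talk.
import secrets
import time

ACCESS_TTL = 60  # access-token lifetime in seconds (constructed; real values vary)


class TokenEndpoint:
    """Stand-in for https://dwh.railcorp.com/oidc/token plus the protected warehouse API."""
    def __init__(self, clients, users, clock=time.time):
        self.clients = clients   # client_id -> client_secret
        self.users = users       # username -> password
        self.clock = clock       # injected so expiry can be driven deterministically
        self.access = {}         # access_token -> (expires_at, subject)
        self.refresh = {}        # refresh_token -> (client_id, subject)
    def token(self, params):
        """Handle one token request; params is the decoded form body."""
        cid = params.get("client_id")
        if cid not in self.clients or not secrets.compare_digest(
                self.clients[cid], params.get("client_secret", "")):
            return {"error": "invalid_client"}   # client authenticates first, whatever the grant
        grant = params.get("grant_type")
        if grant == "password":                  # RFC 6749 4.3: the script holds the user's password
            user = params.get("username")
            if user not in self.users or not secrets.compare_digest(
                    self.users[user], params.get("password", "")):
                return {"error": "invalid_grant"}
            return self._issue(cid, subject=user, with_refresh=True)
        if grant == "client_credentials":        # RFC 6749 4.4: no user involved at all
            return self._issue(cid, subject=cid, with_refresh=False)
        if grant == "refresh_token":             # RFC 6749 6: trade a refresh token for a new pair
            owner = self.refresh.pop(params.get("refresh_token"), None)
            if owner is None or owner[0] != cid: # single use, and bound to the issuing client
                return {"error": "invalid_grant"}
            return self._issue(cid, subject=owner[1], with_refresh=True)
        return {"error": "unsupported_grant_type"}
    def _issue(self, client_id, subject, with_refresh):
        access = secrets.token_urlsafe(24)
        self.access[access] = (self.clock() + ACCESS_TTL, subject)
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL}
        if with_refresh:
            resp["refresh_token"] = secrets.token_urlsafe(24)
            self.refresh[resp["refresh_token"]] = (client_id, subject)
        return resp
    def resource(self, access_token):
        """The warehouse API: returns (status, body); 401 for unknown or expired tokens."""
        entry = self.access.get(access_token)
        if entry is None or entry[0] <= self.clock():
            return 401, {"error": "invalid_token"}
        return 200, {"subject": entry[1], "rows": ["wagon-1,2019-03-01", "wagon-2,2019-04-12"]}


class WarehouseClient:
    """Grace's script: keeps the current token and refreshes it when the API answers 401."""
    def __init__(self, endpoint, client_id, client_secret):
        self.endpoint = endpoint
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.token = None
    def _fetch(self, **params):
        resp = self.endpoint.token({**self.creds, **params})
        if "error" in resp:
            raise PermissionError(resp["error"])
        return resp
    def login_with_password(self, username, password):
        self.token = self._fetch(grant_type="password", username=username, password=password)
    def login_as_client(self):
        self.token = self._fetch(grant_type="client_credentials")
    def download_rows(self):
        status, body = self.endpoint.resource(self.token["access_token"])
        if status == 401 and "refresh_token" in self.token:
            # the TokenExpiredError situation from the talk: refresh, then retry once
            self.token = self._fetch(grant_type="refresh_token",
                                     refresh_token=self.token["refresh_token"])
            status, body = self.endpoint.resource(self.token["access_token"])
        if status != 200:
            raise PermissionError("access token expired and no refresh token to renew it")
        return body["rows"]


def build_demo():
    """Constructed authorization server with Grace as its only user and a fake clock."""
    now = [1_000_000.0]
    server = TokenEndpoint({"gracehooper": "eca4368d5b92c3ae5f46a5404b5bd47f"},
                           {"grace": "s3cret@rail"}, clock=lambda: now[0])
    return server, now


if __name__ == "__main__":
    server, now = build_demo()
    grace = WarehouseClient(server, "gracehooper", "eca4368d5b92c3ae5f46a5404b5bd47f")
    grace.login_with_password("grace", "s3cret@rail")
    print(grace.download_rows())
    now[0] += ACCESS_TTL + 1          # the token lapses overnight ...
    print(grace.download_rows())      # ... and the refresh token makes the call work again
    grace.login_as_client()           # no user password in the script any more
    print(grace.download_rows())
```

With requests-oauthlib the same three steps are OAuth2Session(client=LegacyApplicationClient(client_id=...)) plus fetch_token(token_url=..., username=..., password=..., client_id=..., client_secret=...) for the password grant, OAuth2Session(client=BackendApplicationClient(client_id=...)) with fetch_token(token_url=..., client_id=..., client_secret=...) for client credentials, and OAuth2Session(..., auto_refresh_url=token_url, auto_refresh_kwargs={...}, token_updater=save_token) to have the library refresh instead of raising TokenExpiredError. Note the asymmetry the talk ends on: only the password grant hands out a refresh token tied to Grace; a client-credentials token that expires is simply fetched again with the client secret, and no user secret exists anywhere in the script. The OAuth 2.0 Security Best Current Practice (RFC 9700) goes further and says the password grant must not be used at all, so the deck's final position is also the standards position.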

Slide 26

APPENDIX A: FURTHER READING

Slide 27

Thanks
• Auth0 OpenID Connect docs: https://auth0.com/docs/protocols/oidc
• Requests-OAuthlib: OAuth for Humans: http://requests-oauthlib.readthedocs.io/en/latest/
@falican