Slide 16
@mkheck www.thehecklers.com
Why OpenID Connect & OAuth2?
In traditional authentication, the client requests an access-restricted resource on the server by authenticating with the server using the resource owner's credentials.
To give third-party applications (3PAs) access, the resource owner shares its credentials with the third party. This creates several problems:
3PAs store the resource owner's credentials for future use, typically a password in clear text
Servers must support password authentication, despite the security weaknesses inherent in passwords
3PAs gain overly broad access to the resource owner's protected resources, removing any ability to restrict the duration of access or to limit it to a subset of resources
Resource owners cannot revoke access to an individual 3PA without revoking access to all third parties, and must do so by changing the third party's password
Compromise of any 3PA results in compromise of the end user's password and all data protected by that password
From IETF RFC 6749, The OAuth 2.0 Authorization Framework
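As an added illustration (not from the slides or from RFC 6749), a toy Python resource server that models the properties the bullets above say password sharing lacks: each 3PA gets its own scoped, time-limited grant, only a hash of the token is stored, and one application can be revoked without touching the others or the resource owner's password. The class and method names are invented for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str        # which 3PA this grant belongs to
    scopes: frozenset     # limited subset of resources
    expires_at: float     # limited duration (unix seconds)
    revoked: bool = False


class ResourceServer:
    """Constructed toy model: per-application grants instead of a shared password."""

    def __init__(self):
        # Keyed by SHA-256 of the token: the server never stores the token itself,
        # so a database leak does not hand out usable credentials.
        self._grants = {}

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # high-entropy, app-specific, not the owner's password
        self._grants[self._h(token)] = Grant(client_id, frozenset(scopes), now + ttl_seconds)
        return token

    def revoke_client(self, client_id):
        # Per-3PA revocation: other third parties keep their access and the
        # resource owner's password is never involved. Returns grants revoked.
        hits = [g for g in self._grants.values() if g.client_id == client_id and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def authorize(self, token, scope, now=None):
        now = time.time() if now is None else now
        g = self._grants.get(self._h(token))
        if g is None or g.revoked:
            return False
        if now >= g.expires_at:       # expired grant
            return False
        return scope in g.scopes      # scope check
```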