Slide 1

The Many Layers Of OAuth
Danger Casey, API Problem Solver, GTM Guy, General Nuisance
[email protected]
May 2023

Slide 2

© ngrok. All rights reserved. Confidential Information of ngrok

Agenda
01 Intro
02 OAuth Vocabulary
03 The Grant Types
04 Which one when?
05 The fun pain truth lies multitude of specs
06 Closing / Q&A

Slide 3

01 Who am I?

Slide 4

Who am I?

Slide 5

Who am I?
https://www.youtube.com/@geekamongthetrees

Slide 6

02 OAuth Vocab

Slide 7

What is OAuth 2.0?
It’s unrelated to OAuth 1.0

Slide 8

What is OpenID Connect (OIDC)?
It’s unrelated to OpenID

Slide 9

Which is better: OAuth or OpenID Connect?
Trick question: OIDC is part of OAuth

Slide 10

Authentication - vs - Authorization

Slide 11

Slide 12

Key OAuth Terms
- Resource Owner is you
- Grant Type (aka Flow) describes the use case
- Tokens represent the authorization, user or state
- Authorization Server (aka Auth Server) creates the tokens
- Scopes are the permissions you request from the Auth Server
- Claims are the fields & data returned from the Auth Server
- Resource Server is where you use the auth and id tokens

Slide 13

Key OAuth Terms (simplified)
- Resource Owner is you
- Grant Type: how you get the tokens
- Tokens are the tokens
- Authorization Server creates the tokens
- Scopes: how you request stuff in the token
- Claims: the stuff in the token
- Resource Server: where you use the token

Slide 14

Hotel Key Cards but for Apps

Slide 15

03 Grant Types

Slide 16

Grant Types (aka OAuth flows)
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow

Slide 17

Authorization Code Flow: User Auth, Client Auth

Slide 18

Implicit Flow: User Auth, No Client Auth!

Slide 19

Resource Owner Password Flow: User Auth, No Client Auth!
Wait. What does that mean!? The app has your creds!

Slide 20

Client Credential Flow: Client Auth, No User Auth!?

Slide 21

04 Which should I use?

Slide 22

Which do I use?
Wait. Where did that come from?

Slide 23

Grant Types (aka OAuth flows)
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow

Slide 24

Grant Types (aka OAuth flows)
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Grant Type
- Okta: Interaction Grant Type

Slide 25

Authorization Code Flow with PKCE (RFC 7636): User Auth, Client Auth
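Added example (not from the deck, and not ngrok's code): the PKCE half of this flow in Python, with a constructed in-memory authorization server standing in for a real one. It shows what the extension adds over the plain Authorization Code Flow and why the Implicit Flow was deprecated in its favor: the code_challenge sent at /authorize binds the later /token request to the client that started the flow, so an authorization code on its own is worthless without the matching code_verifier.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (43-128 unreserved chars)."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed stand-in for an authorization server: remembers the
    challenge that arrived with /authorize and checks the verifier at /token."""

    def __init__(self):
        self._pending = {}

    def authorize(self, challenge: str, method: str) -> str:
        # Only S256 is accepted; the 'plain' method sends the verifier in the clear.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> bool:
        challenge = self._pending.pop(code, None)   # codes are single-use
        if challenge is None or not 43 <= len(verifier) <= 128:
            return False
        return hmac.compare_digest(make_challenge(verifier), challenge)


def pkce_roundtrip(tamper: bool = False) -> bool:
    """Run one flow; with tamper=True the /token request carries a verifier
    that does not match, which is how a leaked code looks to the server."""
    server = AuthServer()
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier), "S256")
    presented = make_verifier() if tamper else verifier
    return server.token(code, presented)
```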

Slide 26

SAML 2.0 Assertion Flow: Client Auth, No User Auth!?

Slide 27

Which do I use?

Slide 28

Grant Types (aka OAuth flows)
- Authorization Code Flow
- Implicit Flow - deprecated in favor of Auth Code+PKCE
- Resource Owner Password Flow - not recommended
- Client Credentials Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Flow
- Okta: Interaction Grant Type

Slide 29

05 Specifications

Slide 30

OAuth (RFC 6749)

Slide 31

Notice: NOT authentication

Slide 32

What about those tokens?

Slide 33

JWTs to the Rescue! (JSON Web Tokens)

Slide 34

Ha. You wish.

Slide 35

JSON Web Token (RFC 7519)

Slide 36

JSON Web Token (RFC 7519)

Slide 37

JSON Web Token (RFC 7519)

Slide 38

JSON Web Token (RFC 7519)

Slide 39

So then what do we do?

Slide 40

OpenID Connect FTW

Slide 41

OpenID Connect

Slide 42

OIDC: Opinionated Structure
Scopes:
● openid
● profile
● email
● address
● phone
Claims:
● name
● given_name
● email
● street_address
● phone_number
And many more..

Slide 43

More Pieces!
● RFC 6749 OAuth Core
● RFC 7519 JSON Web Token
● RFC 7662 Token Introspection
● RFC 7009 Token Revocation
● OpenID Connect Specification
● RFC 8414 Authorization Server Metadata Discovery

Slide 44

More Pieces!
● RFC 6749 OAuth Core
● RFC 7519 JSON Web Token
● RFC 7662 Token Introspection
● RFC 7009 Token Revocation
● OpenID Connect Specification
● RFC 8414 Authorization Server Metadata Discovery
The second most important RFC of all

Slide 45

06 Closing Thoughts

Slide 46

“We support OAuth” is a meaningless statement

Slide 47

“We support OpenID Connect” is useful (for SSO)

Slide 48

Figure out which combo of specs you need & they have
*RFC 8414 is your best friend
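Added example (not from the deck, and not ngrok's code): one way to act on "figure out which combo of specs you need and they have" using RFC 8414. It loads a constructed metadata document of the shape served at /.well-known/oauth-authorization-server (placeholder issuer and endpoints, not a real server) and maps its fields onto the specs and flows listed on the "More Pieces!" and "Grant Types" slides; treating `openid` in scopes_supported as the OIDC signal is a heuristic assumption, since OIDC Discovery is its own spec.

```python
import json

# Constructed sample, not fetched from anywhere: note it still advertises the
# implicit grant and has no revocation endpoint.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "introspection_endpoint": "https://as.example/introspect",
    "grant_types_supported": ["authorization_code", "client_credentials", "implicit"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email"],
})


def assess(metadata_json: str) -> dict:
    """Map an RFC 8414 document onto the deck's list of specs and flows."""
    m = json.loads(metadata_json)
    # RFC 8414: if grant_types_supported is absent, the default is
    # authorization_code and implicit, so a silent server still "offers" implicit.
    grants = set(m.get("grant_types_supported", ["authorization_code", "implicit"]))
    methods = set(m.get("code_challenge_methods_supported", []))
    return {
        "oauth_core_rfc6749": "authorization_endpoint" in m and "token_endpoint" in m,
        "introspection_rfc7662": "introspection_endpoint" in m,
        "revocation_rfc7009": "revocation_endpoint" in m,
        "pkce_s256_rfc7636": "S256" in methods,
        "openid_connect": "openid" in m.get("scopes_supported", []),  # heuristic
        "offers_implicit": "implicit" in grants,
        "offers_password": "password" in grants,
        # RFC 8628 device grant URN, for the Device Flow on the grant types slide
        "offers_device_flow": "urn:ietf:params:oauth:grant-type:device_code" in grants,
    }


def recommended_flow(report: dict) -> str:
    """Apply the deck's recommendation: Auth Code + PKCE when the server
    supports S256; plain Auth Code otherwise; never implicit or password."""
    if report["oauth_core_rfc6749"] and report["pkce_s256_rfc7636"]:
        return "authorization_code+pkce"
    if report["oauth_core_rfc6749"]:
        return "authorization_code"
    return "unsupported"
```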

Slide 49

Recap
01 Intro
02 OAuth Vocabulary
03 The Grant Types
04 Which one when?
05 The fun pain truth lies multitude of specs
06 Closing / Q&A

Slide 50

Thank you

Slide 51

The Many Layers Of OAuth
Danger Casey, API Problem Solver, GTM Guy, General Nuisance
[email protected]
May 2023