Slide 1

Demystifying OAuth and OIDC
An illustrated crash course
Deepu K Sasidharan

Slide 2

Hi, I'm Deepu K Sasidharan
@oktaDev | @deepu105 | deepu.tech
➔ JHipster co-chair
➔ Java Champion
➔ Creator of KDash, JDL Studio, JWT UI
➔ Developer Advocate @ Okta
➔ OSS aficionado, polyglot dev, author, speaker
@[email protected] | deepu.tech | @deepu105 | deepu05

Slide 3

Authorization: the process of determining whether a user has the necessary permissions to access a resource.

Slide 4

OAuth: OAuth is the industry-standard protocol for delegated authorization.

Slide 5

OAuth versions
OAuth 1.0 → No longer used
OAuth 2.0 → Widely used version
OAuth 2.1 → Latest version

Slide 6

System Roles
Resource Owner → End user
Resource Server → API server
Client → System requesting access
Authorization Server → Authenticates users and issues tokens

Slide 7

System Roles (diagram)

Slide 8

Tokens
Access Token → Authorization to access a resource
Authorization Code → Short-lived token used to get an access token
Refresh Token → Long-lived token used to get new access tokens

Slide 9

Claim → Key-value pair assertion carrying user info
Scope → Group of claims or a permission limiting access

Slide 10

OAuth 2.0 Grants
Authorization Code Grant → Exchange authorization code for access token (secure clients)
Implicit Grant → Get access token directly (SPA, native apps)
Client Credentials Grant → Access token without user interaction (confidential clients)
Resource Owner Password Credentials Grant → Access token using user credentials (trusted clients)

Slide 11

OAuth 2.0 Grants vs. OAuth 2.1 Grants (side-by-side comparison)

OAuth 2.0 Grants:
Authorization Code Grant → Exchange authorization code for access token (secure clients)
Implicit Grant → Get access token directly (SPA, native apps)
Client Credentials Grant → Access token without user interaction (confidential clients)
Resource Owner Password Credentials Grant → Access token using user credentials (trusted clients)

OAuth 2.1 Grants:
Authorization Code Grant with PKCE → Exchange authorization code for access token (secure clients, SPAs, native apps)
Implicit Grant → Get access token directly (SPA, native apps) (not carried into OAuth 2.1)
Client Credentials Grant → Access token without user interaction (confidential clients)
Resource Owner Password Credentials Grant → Access token using user credentials (trusted clients) (not carried into OAuth 2.1)

Slide 12

OAuth 2.1 Grants
Authorization Code Grant with PKCE → Exchange authorization code for access token (secure clients, SPAs, native apps)
Client Credentials Grant → Access token without user interaction (confidential clients)

Slide 13

Other Grants
Refresh Token Grant → Exchange refresh token for access token
Extension Grants → Device Authorization Grant, Token Exchange Grant, etc.

Slide 14

OAuth 2 Flows

Slide 15

Implicit Grant Flow (Not recommended)
Authorization request: { client_id, response_type=token, redirect_uri=..., scope, state, etc. }
Token request: N/A

Slide 16

Resource Owner Password Credentials Grant Flow (Not recommended)
Authorization request: N/A
Token request: { client_id, client_secret, username, password, grant_type=password }

Slide 17

Authorization Code Grant Flow (Not recommended)
Authorization request: { client_id, response_type=code, redirect_uri=..., scope, state, etc. }
Token request: { client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc. }

Slide 18

Authorization Code Grant Flow with PKCE
Authorization request: { client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc. }
Token request: { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc. }

Slide 19

Client Credentials Grant Flow
Authorization request: N/A
Token request: { client_id, client_secret, grant_type=client_credentials }

Slide 20

Refresh Token Grant Flow
Authorization request: N/A
Token request: { client_id, client_secret, refresh_token, grant_type=refresh_token }

Slide 21

Device Authorization Grant Flow
Device authorization request: { client_id, scope }
Token request: { client_id, device_code, grant_type=urn:ietf:params:oauth:grant-type:device_code }

Slide 22

Authentication: the process of verifying the identity of a user.
OAuth lacked a standard way to authenticate users.

Slide 23

OpenID Connect: OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework.

Slide 24

OIDC using Authorization Code Grant Flow with PKCE
Authorization request: { client_id, response_type=code, redirect_uri=..., code_challenge, scope='openid, ...', state, etc. }
Token request: { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc. }
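The PKCE mechanics behind slides 18 and 24, as an added example (not the deck's own code): the client mints a code_verifier and its S256 code_challenge, builds the authorization request (an "openid" scope turns it into the OIDC variant), checks the returned state, and the authorization server recomputes the challenge at the token endpoint. The endpoint URL, redirect URI and client id are hypothetical placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints; a real deployment publishes its own via discovery.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/v1/authorize"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies for PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(client_id: str, challenge: str, state: str,
                                scope: str = "openid profile") -> str:
    """Authorization request from slides 18/24; only the challenge leaves the client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "scope": scope,  # scope containing 'openid' makes this an OIDC request
        "state": state,  # random per-request value, checked on the way back
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint: recompute the challenge from the
    code_verifier sent with the code and compare in constant time."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def client_checks_state(callback_url: str, expected_state: str) -> Optional[str]:
    """Client, on the redirect back: reject a mismatched state, else return the code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]
```

Because only the hash travels in the front channel, an intercepted authorization code cannot be redeemed without the verifier the client kept in memory.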

Slide 25

You are now an OAuth expert!

Slide 26

OAuth2 and OIDC workshop for Java Developers

Slide 27

dev_day: a 24 hour virtual event
September 24, 2024
Registration opens summer of 2024
Stay up to date with the latest at: a0.to/devday
© Okta and/or its affiliates. All rights reserved. For Okta internal use only. DATA CLASSIFICATION: OKTA INTERNAL

Slide 28

Thank You
Subscribe to our newsletter: a0.to/nl-signup/java
Try our free Spring Boot + Passkeys workshop: a0.to/spring-boot