OAuth Démystifié

Title: OAuth demystified!
Abstract: Do you feel lost between the Implicit Grant and the Code Grant? Never quite understood the difference between OAuth and OpenID Connect? How does your corporate Active Directory fit into this picture? In this talk I demystify identity federation and walk you through OAuth's authentication flows. I will give a concrete demo of configuring and programming an identity server to issue JWT tokens.

Speaker: Sébastien Stormacq - AWS Developer Advocate

Transcript

  1. Amazon Cognito - Managed identities in the ☁

    - Managed user directory
    - Sign in with existing identities (federation)
    - Customised hosted UI or SDK
    - AWS credentials and access control
    - OpenID Connect and OAuth 2

  2. Implicit Grant flow (sequence diagram)

    Participants: User, Client App (browser, mobile app, app server), Auth Service (Authorization & Identity Server), Resource Server (API)

    - User -> Client App: authenticate (click "login with XXX")
    - Client App -> Auth Service: ?state=987&redirect_uri=<client app URL>&client_id=123&scope=email&response=token
    - User -> Auth Service: enter credentials
    - Auth Service: verify credentials
    - Auth Service -> Client App: redirect to redirect_uri?state=987&token=abc&token_type=bearer
    - Client App: securely store token
    - User -> Client App: access API
    - Client App: get access token
    - Client App -> Resource Server: invoke API (authorization: access_token)

  3. Authorization Code Grant flow (sequence diagram)

    Participants: User, Client App (browser, mobile app, app server), Auth Service (Authorization & Identity Server), Resource Server (API)

    - User -> Client App: authenticate (click "login with XXX")
    - Client App -> Auth Service: ?state=987&redirect_uri=<client app URL>&client_id=123&scope=email&response=code
    - User -> Auth Service: enter credentials
    - Auth Service: verify credentials
    - Auth Service -> Client App: redirect to redirect_uri?code=abc&state=987
    - Client App -> Auth Service: get_token?client_id=123&code=abc (authorization = base64(client_id:client-secret))
    - Auth Service -> Client App: return id, access & refresh tokens
    - Client App: securely store tokens
    - User -> Client App: access API
    - Client App: get access token
    - Client App -> Resource Server: invoke API (authorization: access_token)
    - Client App -> Auth Service: (optional) refresh tokens
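The client side of the Authorization Code Grant shown on slide 3, as an added example that is not part of the deck: it builds the authorize redirect, checks that the `state` on the callback matches the one it issued before accepting the code, and prepares the token request with the `base64(client_id:client-secret)` Basic header. Endpoint URLs and the redirect URI are constructed assumptions; `client_id=123`, `state=987`, `code=abc` and `scope=email` are the slide's own values.

```python
import base64
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed for this example; only client_id/scope/state/code come from the slide.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # assumed
TOKEN_ENDPOINT = "https://auth.example/token"          # assumed
REDIRECT_URI = "https://app.example/callback"          # assumed
CLIENT_ID = "123"
CLIENT_SECRET = "client-secret"


def build_authorize_url(state: str) -> str:
    """Step 1: redirect the browser to the authorization server asking for a code."""
    params = {
        "response_type": "code",   # code grant, not 'token' (implicit grant)
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "email",
        "state": state,            # random per-login value the client remembers
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the browser returns to redirect_uri with ?code=...&state=...
    A code whose state does not match the pending login is rejected, so a
    callback the client never initiated cannot inject a code into the session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to a pending login")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def build_token_request(code: str) -> dict:
    """Step 3: exchange the code for tokens from the client's server side.
    Client credentials travel in an HTTP Basic header, base64(client_id:client_secret),
    which is why the secret must never live in a browser or mobile app."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "authorization_code", "code": code,
                 "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID},
    }
```

The authorization server answers this POST with the id, access and refresh tokens from the slide; the tokens are stored server side and only the access token is sent to the resource server.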