
OAuth Demystified

Title: OAuth Demystified!
Abstract: Feeling lost between Implicit Grant and Code Grant? Never quite sure what the difference is between OAuth and OpenID Connect? Wondering where your corporate Active Directory fits into this picture? In this talk I demystify identity federation and explain the OAuth authentication flows. I will give a hands-on demo of configuring and programming an identity server to issue JWT tokens.

More Decks by Sébastien Stormacq - AWS Developer Advocate


Transcript

  1. OAuth Demystified! Sébastien Stormacq, AWS Developer Advocate @sebsto

  2. Congrats! Your app launched!

  4. userid    firstname    lastname    email                  password
     sebsto    Sébastien    Stormacq    stormacq@amazon.com    FA34BD7543E…
     natalia   Natalia      Arbelaez    nata@email.com         AA6FC2984AB…
  5. What could possibly go wrong?

  6. From 50 to 50.000.000 users

  7. http://blog.interactiveschools.com/blog/50-million-users-how-long-does-it-take-tech-to-reach-this-milestone

  12. seb@me.com

  15. Developers build features!

  16. DO NOT ⛔
     - build your own identity system
     - store user credentials
  17. Identification Authentication Authorisation

  18. OAuth OpenID Connect

  19. Managed OAuth Service

  20. Amazon Cognito: managed identities in the ☁
     - Managed user directory
     - Sign in with existing identities (federation)
     - Customised hosted UI or SDK
     - AWS credentials and access control
     - OpenID Connect and OAuth 2
  21. Amazon Cognito Managed identities in the ☁

  22. OpenID Connect and OAuth Flows

  23. Implicit Grant

  24. Implicit Grant sequence. Participants: User; Client App (browser, mobile app, app server); Auth Service (Authorization & Identity Server); Resource Server (API).

     User -> Client App: click "login with XXX"
     Client App -> Auth Service: authenticate ?state=987 &redirect_uri=auth Service &client_id=123 &scope=email &response=token
     User -> Auth Service: enter credentials
     Auth Service: verify credentials
     Auth Service -> Client App: redirect to redirect_uri ?state=987 &token=abc &token_type=bearer
     Client App: securely store token
     User -> Client App: access API
     Client App: get access token
     Client App -> Resource Server: invoke API (authorization: access_token)
  25. Code Grant

  26. Code Grant sequence. Participants: User; Client App (browser, mobile app, app server); Auth Service (Authorization & Identity Server); Resource Server (API).

     User -> Client App: click "login with XXX"
     Client App -> Auth Service: authenticate ?state=987 &redirect_uri=auth Service &client_id=123 &scope=email &response=code
     User -> Auth Service: enter credentials
     Auth Service: verify credentials
     Auth Service -> Client App: redirect to redirect_uri ?code=abc &state=987
     Client App -> Auth Service: get_token ?client_id=123 &code=abc (authorization = base64(client_id:client-secret))
     Auth Service -> Client App: return id, access & refresh tokens
     Client App: securely store tokens
     User -> Client App: access API
     Client App: get access token
     Client App -> Resource Server: invoke API (authorization: access_token)
     Client App -> Auth Service: (optional) refresh tokens
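The Code Grant exchange on this slide, as an added in-memory model that is not part of the deck or of any Cognito SDK: the client starts the flow with a random state, the server redirects back with a one-time code (never the token itself, which is the difference from the Implicit Grant slide), and the client redeems the code with base64(client_id:client-secret). The class and function names, the registered client "123", its secret, redirect_uri and the token strings are all constructed for the example; the user's credential entry is assumed to have already succeeded inside authorize().

```python
import base64
import hmac
import secrets

# Constructed registration: one client id, its secret and its registered redirect_uri.
CLIENTS = {"123": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}

def basic_auth(client_id, client_secret):
    """Build the Authorization header: base64(client_id:client-secret), as on the slide."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

class AuthServer:
    """Authorization & Identity Server: hands out one-time codes, swaps them for tokens."""
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri) it was issued for

    def authorize(self, client_id, redirect_uri, scope, state, response_type="code"):
        # Only redirect to the registered URI; otherwise the code could be sent elsewhere.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri or response_type != "code":
            raise ValueError("unknown client, unregistered redirect_uri or bad response_type")
        code = secrets.token_urlsafe(16)          # the user is assumed authenticated here
        self.codes[code] = (client_id, redirect_uri)
        return f"{redirect_uri}?code={code}&state={state}"   # state is echoed back unchanged

    def token(self, authorization_header, code, redirect_uri):
        creds = base64.b64decode(authorization_header.split(" ", 1)[1]).decode()
        client_id, client_secret = creds.split(":", 1)
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("bad client credentials")
        issued_to = self.codes.pop(code, None)    # pop(): a code can be redeemed only once
        if issued_to != (client_id, redirect_uri):
            raise PermissionError("unknown, already used or mismatched code")
        return {"id_token": "id-" + code, "access_token": "at-" + code, "refresh_token": "rt-" + code}

def client_login(server, client_id, client_secret, redirect_uri):
    """Client App side: start the flow, check state on the callback, exchange the code."""
    state = secrets.token_urlsafe(8)
    callback = server.authorize(client_id, redirect_uri, "email", state)
    params = dict(p.split("=", 1) for p in callback.split("?", 1)[1].split("&"))
    if not hmac.compare_digest(params["state"], state):   # rejects a forged callback
        raise PermissionError("state mismatch")
    return server.token(basic_auth(client_id, client_secret), params["code"], redirect_uri)
```

Run client_login() against a fresh AuthServer() to see the three tokens come back; a wrong secret, an unregistered redirect_uri or a replayed code is refused.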
  27. Demo

  28. Thank you ! @sebsto /sebsto /sebsto /sebAWS Sébastien Stormacq