SlideShare a Scribd company logo
The Many
Layers Of OAuth
Danger Casey
API Problem Solver, GTM Guy, General Nuisance
danger@ngrok.com
May 2023
© ngrok. All rights reserved. Confidential Information of ngrok
01 Intro
02 OAuth Vocabulary
03 The Grant Types
04 Which one when?
05 The fun pain truth lies multitude of specs
06 Closing / Q&A
Agenda
01
Who am I?
© ngrok. All rights reserved. Confidential Information of ngrok
Who am I?
© ngrok. All rights reserved. Confidential Information of ngrok
Who am I?
https://www.youtube.com/@geekamongthetrees
02
OAuth Vocab
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
What is OAuth 2.0?
It’s unrelated to OAuth 1.0
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
What is OpenID Connect (OIDC)?
It’s unrelated to OpenID
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Which is better: OAuth or OpenID Connect?
Trick question: OIDC is part of OAuth
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Authentication
- vs -
Authorization
© ngrok. All rights reserved. Confidential Information of ngrok
- Resource Owner is you
- Grant Type (aka Flow) describes the use case
- Tokens represents the authorization, user or state
- Authorization Server (aka Auth Server) creates the tokens
- Scopes are the permissions you request from the Auth Server
- Claims are the fields & data returned from the Auth Server
- Resource Server is where you use the auth and id tokens
Key OAuth Terms
© ngrok. All rights reserved. Confidential Information of ngrok
- Resource Owner is you
- Grant Type how you get the tokens
- Tokens are the tokens
- Authorization Server creates the tokens
- Scopes how you request stuff in the token
- Claims the stuff in the token
- Resource Server where you use the token
Key OAuth Terms (simplified)
© ngrok. All rights reserved. Confidential Information of ngrok
Hotel Key Cards but for Apps
03
Grant Types
© ngrok. All rights reserved. Confidential Information of ngrok
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow
Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok
Authorization Code Flow
User Auth
Client Auth
© ngrok. All rights reserved. Confidential Information of ngrok
Implicit Flow
User Auth
No Client Auth!
© ngrok. All rights reserved. Confidential Information of ngrok
Resource Owner Password Flow
User Auth
No Client Auth!
Wait. What does that mean!?
The app has your creds!
© ngrok. All rights reserved. Confidential Information of ngrok
Client Credential Flow
Client Auth
No User Auth!?
04
Which should I use?
© ngrok. All rights reserved. Confidential Information of ngrok
Which do I use?
Wait. Where did
that come from?
© ngrok. All rights reserved. Confidential Information of ngrok
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow
Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Grant Type
- Okta: Interaction Grant Type
Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok
Authorization Code Flow with PKCE (RFC 7636)
User Auth
Client Auth
© ngrok. All rights reserved. Confidential Information of ngrok
SAML 2.0 Assertion Flow
Client Auth
No User Auth!?
© ngrok. All rights reserved. Confidential Information of ngrok
Which do I use?
© ngrok. All rights reserved. Confidential Information of ngrok
- Authorization Code Flow
- Implicit Flow - deprecated in favor of Auth Code+PKCE
- Resource Owner Password Flow - not recommended
- Client Credentials Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Flow
- Okta: Interaction Grant Type
Grant Types (aka OAuth flows)
Specifications
05
© ngrok. All rights reserved. Confidential Information of ngrok
OAuth (RFC 6749)
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Notice:
NOT authentication
© ngrok. All rights reserved. Confidential Information of ngrok
What about those tokens?
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
JWTs to the Rescue!
(JSON Web Tokens)
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Ha.
You wish.
© ngrok. All rights reserved. Confidential Information of ngrok
JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok
JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok
JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok
JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
So then what do we do?
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
OpenID Connect FTW
© ngrok. All rights reserved. Confidential Information of ngrok
OpenID Connect
© ngrok. All rights reserved. Confidential Information of ngrok
OIDC: Opinionated Structure
● openid
● profile
● email
● address
● phone
● name
● given_name
● email
● street_address
● phone_number
And many more..
© ngrok. All rights reserved. Confidential Information of ngrok
● RFC 6749 OAuth Core
● RFC 7519 JSON Web Token
● RFC 7662 Token Introspection
● RFC 7009 Token Revocation
● OpenID Connect Specification
● RFC 8414 Authorization Server Metadata Discovery
More Pieces!
© ngrok. All rights reserved. Confidential Information of ngrok
● RFC 6749 OAuth Core
● RFC 7519 JSON Web Token
● RFC 7662 Token Introspection
● RFC 7009 Token Revocation
● OpenID Connect Specification
● RFC 8414 Authorization Server Metadata Discovery
More Pieces!
The second most
important RFC of all
06
Closing Thoughts
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
“We support OAuth”
is a meaningless statement
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
“We support OpenID Connect”
is useful (for SSO)
© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Figure out which combo of
specs you need & they have
*RFC 8414 is your best friend
© ngrok. All rights reserved. Confidential Information of ngrok
01 Intro
02 OAuth Vocabulary
03 The Grant Types
04 Which one when?
05 The fun pain truth lies multitude of specs
06 Closing / Q&A
Recap
Thank you
The Many
Layers Of OAuth
Danger Casey
API Problem Solver, GTM Guy, General Nuisance
danger@ngrok.com
May 2023

More Related Content

Similar to ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
Carsonified Team
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
David Waite
 

Similar to ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf (20)

De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
 
Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015Stateless authentication for microservices - Greach 2015
Stateless authentication for microservices - Greach 2015
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
 
OAuth FTW
OAuth FTWOAuth FTW
OAuth FTW
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID Connect
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
 
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
Deep dive into the Open Banking payments flows
Deep dive into the Open Banking payments flowsDeep dive into the Open Banking payments flows
Deep dive into the Open Banking payments flows
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and Mobile
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
OAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the HoodOAuth2 Authorization Server Under the Hood
OAuth2 Authorization Server Under the Hood
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
 

More from Ortus Solutions, Corp

More from Ortus Solutions, Corp (20)

Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
ITB2024 - Keynote Day 1 - Ortus Solutions.pdf
ITB2024 - Keynote Day 1 - Ortus Solutions.pdfITB2024 - Keynote Day 1 - Ortus Solutions.pdf
ITB2024 - Keynote Day 1 - Ortus Solutions.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Ortus Government.pdf
Ortus Government.pdfOrtus Government.pdf
Ortus Government.pdf
 
Luis Majano The Battlefield ORM
Luis Majano The Battlefield ORMLuis Majano The Battlefield ORM
Luis Majano The Battlefield ORM
 
Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI
 
Secure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusionSecure your Secrets and Settings in ColdFusion
Secure your Secrets and Settings in ColdFusion
 
Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023Daniel Garcia ContentBox: CFSummit 2023
Daniel Garcia ContentBox: CFSummit 2023
 
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdfITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf
 
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdfITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf
 
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdfITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf
 
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdfITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
 
ITB_2023_CBWire_v3_Grant_Copley.pdf
ITB_2023_CBWire_v3_Grant_Copley.pdfITB_2023_CBWire_v3_Grant_Copley.pdf
ITB_2023_CBWire_v3_Grant_Copley.pdf
 
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdfITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf
 
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdfITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf
 
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdfITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf
 
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdfITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf
 
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdfITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf
 
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdfITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
ITB_2023_Create_as_many_web_sites_or_web_apps_as_you_want_George_Murphy.pdf
 

Recently uploaded

JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)
Max Lee
 

Recently uploaded (20)

JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabber
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
A Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data MigrationA Guideline to Gorgias to to Re:amaze Data Migration
A Guideline to Gorgias to to Re:amaze Data Migration
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
Benefits of Employee Monitoring Software
Benefits of  Employee Monitoring SoftwareBenefits of  Employee Monitoring Software
Benefits of Employee Monitoring Software
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
CompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdfCompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdf
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
AI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in MichelangeloAI/ML Infra Meetup | ML explainability in Michelangelo
AI/ML Infra Meetup | ML explainability in Michelangelo
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
 

ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

  • 1. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023
  • 2. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Agenda
  • 4. © ngrok. All rights reserved. Confidential Information of ngrok Who am I?
  • 5. © ngrok. All rights reserved. Confidential Information of ngrok Who am I? https://www.youtube.com/@geekamongthetrees
  • 7. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OAuth 2.0? It’s unrelated to OAuth 1.0
  • 8. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OpenID Connect (OIDC)? It’s unrelated to OpenID
  • 9. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth
  • 10. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Authentication - vs - Authorization
  • 11.
  • 12. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user or state - Authorization Server (aka Auth Server) creates the tokens - Scopes are the permissions you request from the Auth Server - Claims are the fields & data returned from the Auth Server - Resource Server is where you use the auth and id tokens Key OAuth Terms
  • 13. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type how you get the tokens - Tokens are the tokens - Authorization Server creates the tokens - Scopes how you request stuff in the token - Claims the stuff in the token - Resource Server where you use the token Key OAuth Terms (simplified)
  • 14. © ngrok. All rights reserved. Confidential Information of ngrok Hotel Key Cards but for Apps
  • 16. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
  • 17. © ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow User Auth Client Auth
  • 18. © ngrok. All rights reserved. Confidential Information of ngrok Implicit Flow User Auth No Client Auth!
  • 19. © ngrok. All rights reserved. Confidential Information of ngrok Resource Owner Password Flow User Auth No Client Auth! Wait. What does that mean!? The app has your creds!
  • 20. © ngrok. All rights reserved. Confidential Information of ngrok Client Credential Flow Client Auth No User Auth!?
  • 22. © ngrok. All rights reserved. Confidential Information of ngrok Which do I use? Wait. Where did that come from?
  • 23. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
  • 24. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
  • 25. © ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow with PKCE (RFC 7636) User Auth Client Auth
  • 26. © ngrok. All rights reserved. Confidential Information of ngrok SAML 2.0 Assertion Flow Client Auth No User Auth!?
  • 27. © ngrok. All rights reserved. Confidential Information of ngrok Which do I use?
  • 28. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - deprecated in favor of Auth Code+PKCE - Resource Owner Password Flow - not recommended - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Flow - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
  • 30. © ngrok. All rights reserved. Confidential Information of ngrok OAuth (RFC 6749)
  • 31. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Notice: NOT authentication
  • 32. © ngrok. All rights reserved. Confidential Information of ngrok What about those tokens?
  • 33. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok JWTs to the Rescue! (JSON Web Tokens)
  • 34. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Ha. You wish.
  • 35. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 36. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 37. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 38. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 39. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok So then what do we do?
  • 40. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect FTW
  • 41. © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect
  • 42. © ngrok. All rights reserved. Confidential Information of ngrok OIDC: Opinionated Structure ● openid ● profile ● email ● address ● phone ● name ● given_name ● email ● street_address ● phone_number And many more..
  • 43. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces!
  • 44. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces! The second most important RFC of all
  • 46. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OAuth” is a meaningless statement
  • 47. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OpenID Connect” is useful (for SSO)
  • 48. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Figure out which combo of specs you need & they have *RFC 8414 is your best friend
  • 49. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Recap
  • 51. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023