Identity, authentication and authorization
twitter: @MithunShanbhag
blog: mithunshanbhag.github.io
OpenID Connect (OIDC) vs OAuth 2.0
OpenID Connect (OIDC)
• Authentication protocol (SSO): tells the client who the user is
• Built on OAuth 2.0 (an OIDC login is an OAuth 2.0 authorization with scope=openid)
• Generates an id_token, a signed JWT about the authenticated user
• Standardized scopes (openid, profile, email, address, phone)
OAuth 2.0
• Authorization protocol: delegates access to an API, says nothing about who the user is
• Generates an access_token, which is opaque to the client; its format is the authorization server's choice
• Claims and custom claims can be carried in the access_token when it is issued as a JWT
image attribution: okta dev blog
Implicit Flow
Participants: User, Client App, Authorization Server, Resource (API)
LEGEND: Front channel = browser redirects; Back channel = server-to-server call
1. Authorization request: the user clicks the Login button in the client app.
2. 302 redirect to the authentication prompt: the client app sends the browser to the /authorize endpoint (front channel) with:
   • client_id: xxxxxxxxxxxx
   • redirect_uri: xxxxxxxxxxxxxxx
   • state: xxxxxxxxxxxxxxx
   • response_type: token id_token
   • scope: openid
3. Authentication and consent: the user logs in at the authorization server and approves the requested scopes.
4. Authorization grant: the authorization server redirects the browser back to redirect_uri with the access_token and id_token in the URL fragment (front channel); there is no /token call.
5. Request resource(s): the client app calls the API with the access_token.
6. Response from the API.
Caveats: because the tokens travel through the browser they can leak via browser history, referrer headers and injected scripts, and the client is never authenticated. OIDC also requires a nonce parameter whenever an id_token is returned from /authorize, which this request omits. The OAuth 2.0 Security Best Current Practice now recommends the Authorization Code flow with PKCE instead of the implicit flow, including for single-page apps.
DEMO
Which flow for which app

App Type                 Channels      User Interaction   Client Secret      response_type       Recommended Flow
Single Page Apps         Front         Yes                No                 "token id_token"    Implicit (see note)
Server-Side Web Apps     Front, Back   Yes                Yes                "code"              Authorization Code
Native Apps              Front, Back   Yes                No (public client) "code"              Authorization Code + PKCE
CLI, daemons, services   Back          No                 Yes                N/A                 Client Credentials
Legacy Apps              Front, Back   No                 No                 N/A                 Resource Owner Password (see note)

Note: single-page and native apps run on the user's device and cannot keep a client_secret confidential, which is why PKCE exists. Current guidance (the OAuth 2.0 Security Best Current Practice) is the Authorization Code flow with PKCE for both of them, and it recommends against the implicit flow and the Resource Owner Password grant; the latter hands the user's password to the client and bypasses MFA and SSO.
Authorization Code Flow
Participants: User, Client App, Authorization Server, Resource (API)
LEGEND: Front channel = browser redirects; Back channel = server-to-server call
1. Authorization request: the user clicks the Login button in the client app.
2. 302 redirect to the authentication prompt: the client app sends the browser to the /authorize endpoint (front channel) with:
   • client_id: {xxxxxxxxxxxx}
   • redirect_uri: {xxxxxxxxxxxxxx}
   • state: {xxxxxxxxxxxxxxx}
   • response_type: code
   • scope: openid
3. Authentication and consent: the user logs in at the authorization server and approves the requested scopes.
4. Authorization code grant: the authorization server redirects the browser back to redirect_uri with code={code} (front channel). The code is short-lived and single-use; no token is exposed to the browser.
5. Request ID and access tokens: the client app calls the /token endpoint (back channel) with:
   • client_id: xxxxxxxxxxxx
   • client_secret: xxxxxxxxxxxxxxx
   • code: {code}
   (plus grant_type=authorization_code and the same redirect_uri as in step 2, which the server checks)
6. Response from /token:
   • id_token
   • access_token
7. Request resource(s): the client app calls the API with the access_token.
8. Response from the API.
The client must check that the state in step 4 equals the value it stored before step 2, otherwise an attacker can make the app redeem a code from a different session.
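The client side of the flow above, as an added example that is not part of the original deck. It goes a step beyond the slide in two ways: it uses PKCE with a public client (no client_secret at /token, the case the app-type table recommends for single-page and native apps) and it adds the OIDC nonce; it also includes the client credentials request that the speaker notes describe. The issuer URL, client_id, redirect_uri and scope values are hypothetical; the callback URL and the authorization code value (taken from the RFC 6749 examples) are constructed, and nothing is sent over the network.

```python
"""Client side of the Authorization Code flow with PKCE (RFC 7636) and state.

Nothing is sent over the network: each function builds or checks one message
of the exchange. Issuer, client_id and redirect_uri are hypothetical values.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

ISSUER = "https://issuer.example.com"              # hypothetical authorization server
CLIENT_ID = "my-spa-client"                        # hypothetical public client (no secret)
REDIRECT_URI = "https://app.example.com/callback"  # hypothetical, must be pre-registered


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE and JWT use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy secret kept by the client; 32 random bytes encode to 43 chars
    (RFC 7636 allows 43..128 characters)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, nonce: str, verifier: str) -> str:
    """Front-channel request (the 'Calls /authorize endpoint' step). The challenge,
    not the verifier, travels through the browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,                       # CSRF binding to this browser session
        "nonce": nonce,                       # echoed in the id_token, binds it to the session
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the code from the redirect back to redirect_uri, or raise.
    The state must equal the value saved in the session before the redirect;
    a mismatch means a forged or mixed-up response and the code is discarded."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch, discarding response")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, verifier: str) -> dict:
    """Body of the back-channel POST /token. A public client sends no client_secret;
    the code_verifier proves the caller is the client that started the flow, so a
    code stolen from the redirect cannot be redeemed by anyone else."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def client_credentials_request(client_id: str, client_secret: str) -> tuple:
    """POST /token for a daemon or service (no user, no id_token). RFC 6749 s.2.3.1
    puts the credentials in an HTTP Basic header, each form-urlencoded first.
    The scope value is hypothetical."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    auth = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    return {"Authorization": auth}, {"grant_type": "client_credentials", "scope": "api.read"}


def run_flow_demo() -> dict:
    """Drive the client half of the flow against a constructed callback URL."""
    state, nonce, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(16), make_code_verifier()
    authorize_url = build_authorize_url(state, nonce, verifier)
    # Constructed: the redirect the authorization server would send the browser to.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    return {"authorize_url": authorize_url, "token_request": build_token_request(code, verifier)}


if __name__ == "__main__":
    print(run_flow_demo())
```

Run it and compare the printed authorize URL with the /authorize parameters on the slide: the only additions are nonce, code_challenge and code_challenge_method. The state comparison uses hmac.compare_digest, and a failed comparison drops the code rather than proceeding.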
OIDC Endpoints
(Paths as used by Okta; other providers differ. Take the exact URLs from the discovery document rather than hard-coding them.)
• GET /authorize: obtain user consent and the authorization grant (a code, or tokens in the implicit flow).
• POST /token: obtain id_token and access_token by supplying the authorization code, a refresh_token, or client credentials.
• GET /userinfo: obtain claims about the authenticated end user; called with the access_token as a Bearer token.
• POST /revoke: revoke an access_token or refresh_token (RFC 7009).
• GET /logout: end the user's session at the provider (RP-initiated logout).
• GET /.well-known/keys: obtain the public keys (JWKS) used to verify token signatures. The portable way to find this URL is the jwks_uri field of the discovery document.
• GET /.well-known/openid-configuration: return the OIDC discovery metadata of the authorization server (issuer, endpoint URLs, jwks_uri, supported scopes, response types and signing algorithms). The issuer value in the document must match the issuer URL the document was fetched from.
• GET /.well-known/oauth-authorization-server: return the OAuth 2.0 authorization server metadata (RFC 8414), the OAuth-only counterpart of the document above.
JWT Structure
A JWT is three base64url-encoded parts joined by dots: header.payload.signature
HEADER
• alg: signing algorithm (typically RS256, asymmetric, or HS256, symmetric).
• kid: signing key id, used to pick the right key out of the JWKS.
PAYLOAD
• Standard claims (iss, sub, aud, exp, iat, nonce, ...) and custom claims.
SIGNATURE
• The signing input is base64UrlEncode(header) + "." + base64UrlEncode(payload). The key is the key of the MAC or signature, never part of that string.
• HS256/symmetric:
  • A shared secret (for an OIDC client, its client_secret) is used to both sign and verify, so every party that can verify a token can also forge one.
  • Signature = HMAC-SHA256(key = secret, data = base64UrlEncode(header) + "." + base64UrlEncode(payload))
• RS256/asymmetric:
  • The private signing key/certificate is used to sign.
  • Verification is done with the public key, fetched as a JWKS from the provider's jwks_uri (the /.well-known/keys endpoint above).
  • Signature = RSASSA-PKCS1-v1_5-SHA256(private key, base64UrlEncode(header) + "." + base64UrlEncode(payload)); the verifier checks it with the public key over the same input.
• The verifier decides which algorithm and key it accepts. It must not take alg from the token's own header: a header that says "alg": "none", or RS256 swapped for HS256 with the public key used as the HMAC secret, lets an attacker forge tokens that a naive verifier accepts. Check the signature first, then iss, aud, exp and (for an id_token) nonce, and only then trust the claims.
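The structure and verification rules above, carried out in code: an added example, not part of the original deck. It uses HS256 so it runs on the standard library alone; RS256 follows exactly the same steps with the signature check done by an RSA public key from the JWKS. The key, the JWKS (which uses the symmetric "oct" JWK type from RFC 7518, where a real OIDC provider would publish RSA or EC public keys), the issuer and audience values, and the timestamps are all constructed. The verifier pins the algorithm, selects the key by kid, and checks the signature before reading a single claim.

```python
"""JWT structure and verification with standard-library code only.

HS256 is used so the block runs without a crypto dependency; RS256 follows the
same steps, with the signature check done by an RSA public key from the JWKS.
The key, issuer and audience are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://issuer.example.com"   # hypothetical; must equal the token's iss
AUDIENCE = "my-client-id"               # hypothetical; must appear in the token's aud
SECRET = b"constructed-demo-secret-0123456789abcdef"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS, the shape GET /.well-known/keys returns. "oct" is the JWK type
# for a symmetric key (RFC 7518 s.6.4); a real OIDC JWKS lists RSA/EC public keys.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256", "k": b64url_encode(SECRET)}]}


def sign_hs256(claims: dict, kid: str, key: bytes) -> str:
    """Mint header.payload.signature. The key is the HMAC key, not part of the data."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def find_key(jwks: dict, kid: Optional[str]) -> bytes:
    """Pick the key named by the header's kid; an unknown kid is a hard failure."""
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid and jwk.get("kty") == "oct":
            return b64url_decode(jwk["k"])
    raise ValueError(f"no key with kid={kid!r} in JWKS")


def verify(token: str, jwks: dict, issuer: str, audience: str,
           nonce: Optional[str] = None, now: Optional[float] = None) -> dict:
    """Verify signature and claims; return the claims only if everything passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The verifier pins the algorithm. Trusting header["alg"] lets an attacker pick
    # "none" or swap RS256 for HS256 keyed with the (public) verification key.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = find_key(jwks, header.get("kid"))
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature does not verify")
    # Only now is the payload trustworthy enough to read.
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch, token not bound to this login")
    return claims


def demo() -> dict:
    """Mint a token as the provider would, then verify it as the client or API would."""
    issued = 1_700_000_000  # constructed timestamp
    token = sign_hs256({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "nonce": "n-0S6_WzA2Mj",
                        "iat": issued, "exp": issued + 3600}, "demo-key-1", SECRET)
    return verify(token, JWKS, ISSUER, AUDIENCE, nonce="n-0S6_WzA2Mj", now=issued + 60)


if __name__ == "__main__":
    print(demo())
```

Paste the token that demo() mints into jwt.io to see the three parts side by side. The order inside verify matters: the signature is checked before the payload is parsed, and exp is compared against an explicit clock so the same token can be tested as valid and as expired.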
Q&A


Speaker notes

1. Demo: an Angular app, with Fiddler to inspect the requests and jwt.io to decode the tokens.
2. PKCE: Proof Key for Code Exchange. The client creates a random code_verifier, sends its hash (the code_challenge) on /authorize and the verifier itself on /token, so a stolen authorization code cannot be redeemed without it.
   Client Credentials: directly call the /token endpoint with client_id + client_secret (grant_type=client_credentials) and get an access_token back; there is no user and no id_token.
   Resource Owner Password: directly call the /token endpoint with username + password (grant_type=password) and get an access_token back.