ITB 2023 - The Many Layers of OAuth - Keith Casey .pdf

ortussolutions 57 views 51 slides Sep 04, 2024

About This Presentation

Testing has become essential in software development, offering benefits in debugging and deployment. This session will guide attendees from basic function tests to advanced techniques like mocking and testing API interactions. Examples will use ColdBox, but most techniques are applicable to other fr...


Slide Content

The Many
Layers Of OAuth
Danger Casey
API Problem Solver, GTM Guy, General Nuisance
[email protected]

May 2023

© ngrok. All rights reserved. Confidential Information of ngrok
01 Intro
02 OAuth Vocabulary
03 The Grant Types
04 Which one when?
05 The fun pain truth lies multitude of specs
06 Closing / Q&A
Agenda

01
Who am I?

https://www.youtube.com/@geekamongthetrees

02
OAuth Vocab

What is OAuth 2.0?

It’s unrelated to OAuth 1.0

What is OpenID Connect (OIDC)?

It’s unrelated to OpenID

Which is better: OAuth or OpenID Connect?

Trick question: OIDC is part of OAuth

Authentication
- vs -
Authorization

Key OAuth Terms
- Resource Owner is you
- Grant Type (aka Flow) describes the use case
- Tokens represent the authorization, user or state
- Authorization Server (aka Auth Server) creates the tokens
- Scopes are the permissions you request from the Auth Server
- Claims are the fields & data returned from the Auth Server
- Resource Server is where you use the auth and id tokens

Key OAuth Terms (simplified)
- Resource Owner is you
- Grant Type: how you get the tokens
- Tokens are the tokens
- Authorization Server creates the tokens
- Scopes: how you request stuff in the token
- Claims: the stuff in the token
- Resource Server: where you use the token

Hotel Key Cards but for Apps

03
Grant Types

Grant Types (aka OAuth flows)
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow

Authorization Code Flow
User Auth
Client Auth

Implicit Flow
User Auth
No Client Auth!

Resource Owner Password Flow
User Auth
No Client Auth!
Wait. What does that mean!?
The app has your creds!

Client Credential Flow
Client Auth
No User Auth!?

04
Which should I use?

Which do I use?
Wait. Where did
that come from?

Grant Types (aka OAuth flows)
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Grant Type
- Okta: Interaction Grant Type

Authorization Code Flow with PKCE (RFC 7636)
User Auth
Client Auth
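
An added example (not from the deck) of what RFC 7636 adds to the authorization code flow, using only the Python standard library: the client derives a challenge from a verifier, and the authorization server checks the verifier at the token endpoint. The authorization code value and the in-memory code store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A describes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client: fresh high-entropy verifier, 43..128 unreserved chars (RFC 7636 section 4.1)."""
    verifier = b64url(secrets.token_bytes(nbytes))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("verifier length out of range")
    return verifier


def make_code_challenge(verifier: str) -> str:
    """Client: S256 challenge that goes on the authorization request (section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server (section 4.6): recompute the challenge from the verifier sent
    to the token endpoint and compare with the one stored when the code was issued.
    Only S256 is accepted here; 'plain' offers no protection against code interception."""
    if method != "S256":
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo_flow() -> tuple:
    """Both legs of the auth code + PKCE flow, with a constructed in-memory code store."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Leg 1: the authorization request carries code_challenge and code_challenge_method;
    # the server records them against the authorization code it issues.
    code_store = {"CONSTRUCTED_CODE_abc123": (challenge, "S256")}
    # Leg 2: the token request presents the code and the original verifier.
    stored_challenge, method = code_store["CONSTRUCTED_CODE_abc123"]
    genuine = verify_pkce(stored_challenge, method, verifier)
    # A party holding only the code (no verifier) cannot redeem it: that is what
    # PKCE adds over plain auth code and why implicit is deprecated in its favor.
    without_verifier = verify_pkce(stored_challenge, method, make_code_verifier())
    return genuine, without_verifier
```

The first assertion in the test uses the known S256 vector from RFC 7636 Appendix B.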

SAML 2.0 Assertion Flow
Client Auth
No User Auth!?

Grant Types (aka OAuth flows)
- Authorization Code Flow
- Implicit Flow - deprecated in favor of Auth Code+PKCE
- Resource Owner Password Flow - not recommended
- Client Credentials Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Flow
- Okta: Interaction Grant Type

05
Specifications

OAuth (RFC 6749)

Notice:

NOT authentication

What about those tokens?

JWTs to the Rescue!

(JSON Web Tokens)

Ha.

You wish.

JSON Web Token (RFC 7519)
So then what do we do?

OpenID Connect FTW

OpenID Connect

OIDC: Opinionated Structure
Scopes: openid, profile, email, address, phone
Claims: name, given_name, email, street_address, phone_number
And many more...

More Pieces!
- RFC 6749 OAuth Core
- RFC 7519 JSON Web Token
- RFC 7662 Token Introspection
- RFC 7009 Token Revocation
- OpenID Connect Specification
- RFC 8414 Authorization Server Metadata Discovery

More Pieces!
- RFC 6749 OAuth Core
- RFC 7519 JSON Web Token
- RFC 7662 Token Introspection
- RFC 7009 Token Revocation
- OpenID Connect Specification
- RFC 8414 Authorization Server Metadata Discovery
The second most important RFC of all

06
Closing Thoughts

“We support OAuth”
is a meaningless statement

“We support OpenID Connect”
is useful (for SSO)

Figure out which combo of
specs you need & they have

*RFC 8414 is your best friend
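
An added example, not from the deck, of using RFC 8414 to answer "which combo of specs do they have": it builds the well-known URL for an issuer, validates the document's issuer field, and maps the metadata onto the specs listed in the "More Pieces!" slide. The metadata document and the issuer https://as.example are constructed, and treating an advertised openid scope as the OIDC signal is an assumption (OIDC has its own discovery document).

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed metadata document (hypothetical issuer https://as.example), shaped like
# what a server returns from its RFC 8414 well-known URL. Not from any real provider.
CONSTRUCTED_METADATA = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "introspection_endpoint": "https://as.example/introspect",
    "grant_types_supported": ["authorization_code", "client_credentials",
                              "urn:ietf:params:oauth:grant-type:device_code"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email"],
})


def well_known_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known path goes between the host and any issuer path."""
    parts = urlsplit(issuer)
    path = "/.well-known/oauth-authorization-server" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def discover(expected_issuer: str, raw_document: str) -> dict:
    """Map metadata fields onto the specs from the deck: which pieces does this server have?"""
    m = json.loads(raw_document)
    # RFC 8414 section 3.3: the issuer in the document must equal the issuer it was fetched
    # for; otherwise a swapped document could point the client at endpoints it never intended.
    if m.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in metadata")
    # Section 2: when grant_types_supported is absent, the default is these two.
    grants = m.get("grant_types_supported", ["authorization_code", "implicit"])
    return {
        "RFC 6749 authorization code": "authorization_code" in grants,
        "RFC 6749 implicit (deprecated)": "implicit" in grants,
        "RFC 6749 client credentials": "client_credentials" in grants,
        "RFC 7636 PKCE with S256": "S256" in m.get("code_challenge_methods_supported", []),
        "RFC 7662 token introspection": "introspection_endpoint" in m,
        "RFC 7009 token revocation": "revocation_endpoint" in m,
        "RFC 8628 device flow": "urn:ietf:params:oauth:grant-type:device_code" in grants,
        # Assumption: an advertised openid scope is taken as the OIDC signal.
        "OpenID Connect (openid scope)": "openid" in m.get("scopes_supported", []),
    }
```
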

01 Intro
02 OAuth Vocabulary
03 The Grant Types
04 Which one when?
05 The fun pain truth lies multitude of specs
06 Closing / Q&A
Recap

Thank you
