SlideShare a Scribd company logo

ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

Ortus Solutions, Corp, profile picture
Ortus Solutions, Corp

This document provides an overview of OAuth and OpenID Connect specifications and grant types. It begins with introductions and defining key terms like tokens, scopes, and claims. It then explains the four main grant types - Authorization Code Flow, Implicit Flow, Resource Owner Password Flow, and Client Credentials Flow. The document notes extensions and recommends the Authorization Code Flow with PKCE for most use cases. It discusses related specifications around JSON Web Tokens, introspection, and revocation. It closes by emphasizing the need to understand which combination of specifications are required for a given implementation.

Software
Related topics:
Web Application Insights
1 of 51
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023
© ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Agenda
01 Who am I?
© ngrok. All rights reserved. Confidential Information of ngrok Who am I?
© ngrok. All rights reserved. Confidential Information of ngrok Who am I? https://www.youtube.com/@geekamongthetrees
02 OAuth Vocab
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OAuth 2.0? It’s unrelated to OAuth 1.0
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OpenID Connect (OIDC)? It’s unrelated to OpenID
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Authentication - vs - Authorization
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
© ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user or state - Authorization Server (aka Auth Server) creates the tokens - Scopes are the permissions you request from the Auth Server - Claims are the fields & data returned from the Auth Server - Resource Server is where you use the auth and id tokens Key OAuth Terms
© ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type how you get the tokens - Tokens are the tokens - Authorization Server creates the tokens - Scopes how you request stuff in the token - Claims the stuff in the token - Resource Server where you use the token Key OAuth Terms (simplified)
© ngrok. All rights reserved. Confidential Information of ngrok Hotel Key Cards but for Apps
03 Grant Types
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow User Auth Client Auth
© ngrok. All rights reserved. Confidential Information of ngrok Implicit Flow User Auth No Client Auth!
© ngrok. All rights reserved. Confidential Information of ngrok Resource Owner Password Flow User Auth No Client Auth! Wait. What does that mean!? The app has your creds!
© ngrok. All rights reserved. Confidential Information of ngrok Client Credential Flow Client Auth No User Auth!?
04 Which should I use?
© ngrok. All rights reserved. Confidential Information of ngrok Which do I use? Wait. Where did that come from?
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
© ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow with PKCE (RFC 7636) User Auth Client Auth
© ngrok. All rights reserved. Confidential Information of ngrok SAML 2.0 Assertion Flow Client Auth No User Auth!?
© ngrok. All rights reserved. Confidential Information of ngrok Which do I use?
© ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - deprecated in favor of Auth Code+PKCE - Resource Owner Password Flow - not recommended - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Flow - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
Specifications 05
© ngrok. All rights reserved. Confidential Information of ngrok OAuth (RFC 6749)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Notice: NOT authentication
© ngrok. All rights reserved. Confidential Information of ngrok What about those tokens?
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok JWTs to the Rescue! (JSON Web Tokens)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Ha. You wish.
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok So then what do we do?
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect FTW
© ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect
© ngrok. All rights reserved. Confidential Information of ngrok OIDC: Opinionated Structure ● openid ● profile ● email ● address ● phone ● name ● given_name ● email ● street_address ● phone_number And many more..
© ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces!
© ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces! The second most important RFC of all
06 Closing Thoughts
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OAuth” is a meaningless statement
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OpenID Connect” is useful (for SSO)
© ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Figure out which combo of specs you need & they have *RFC 8414 is your best friend
© ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Recap
Thank you
The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023

More Related Content

PDF
OAuth and why you should use it
Sergey Podgornyy
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
PDF
ForgeRock Open banking - Meetup 28/06/2018
Quentin Castel
 
PPTX
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
PDF
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
PDF
The OpenID Connect Protocol
Clément OUDOT
 
PDF
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 
OAuth and why you should use it
Sergey Podgornyy
 
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
ForgeRock Open banking - Meetup 28/06/2018
Quentin Castel
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
The OpenID Connect Protocol
Clément OUDOT
 
Stateless authentication for microservices - Spring I/O 2015
Alvaro Sanchez-Mariscal
 

Similar to ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf (20)

PDF
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
PDF
Introduction to SAML & OIDC
ForgeRock Identity Tech Talks
 
PDF
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
PDF
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
PDF
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
PDF
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
PDF
OAuth FTW
Chris Messina
 
PDF
How OAuth and portable data can revolutionize your web app - Chris Messina
Carsonified Team
 
PDF
Auth proxy pattern on Kubernetes
MichaƂ WcisƂo
 
PDF
Secure your APIs using OAuth 2 and OpenID Connect
Nordic APIs
 
PDF
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
WSO2
 
PDF
Comment ça marche: OpenID Connect fournisseur d’identitĂ© universel de Google ...
Leonard Moustacchis
 
PDF
Distributed Authorization with Open Policy Agent.pdf
Nordic APIs
 
PPTX
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
MysoreMuleSoftMeetup
 
PDF
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays
 
PDF
Deep dive into the Open Banking payments flows
ForgeRock Identity Tech Talks
 
PDF
Who’s Knocking? Identity for APIs, Web and Mobile
Nordic APIs
 
PPTX
Leveraging open banking specifications for rigorous API security – What’s in...
Rogue Wave Software
 
PDF
CIS 2015 Extreme OpenID Connect - John Bradley
CloudIDSummit
 
PPTX
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
Introduction to SAML & OIDC
ForgeRock Identity Tech Talks
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
Stateless authentication for microservices - Greach 2015
Alvaro Sanchez-Mariscal
 
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
OAuth FTW
Chris Messina
 
How OAuth and portable data can revolutionize your web app - Chris Messina
Carsonified Team
 
Auth proxy pattern on Kubernetes
MichaƂ WcisƂo
 
Secure your APIs using OAuth 2 and OpenID Connect
Nordic APIs
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
WSO2
 
Comment ça marche: OpenID Connect fournisseur d’identitĂ© universel de Google ...
Leonard Moustacchis
 
Distributed Authorization with Open Policy Agent.pdf
Nordic APIs
 
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
MysoreMuleSoftMeetup
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays
 
Deep dive into the Open Banking payments flows
ForgeRock Identity Tech Talks
 
Who’s Knocking? Identity for APIs, Web and Mobile
Nordic APIs
 
Leveraging open banking specifications for rigorous API security – What’s in...
Rogue Wave Software
 
CIS 2015 Extreme OpenID Connect - John Bradley
CloudIDSummit
 
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 

More from Ortus Solutions, Corp (20)

PDF
TheFutureIsDynamic-BoxLang witch Luis Majano.pdf
Ortus Solutions, Corp
 
PDF
June Webinar: BoxLang-Dynamic-AWS-Lambda
Ortus Solutions, Corp
 
PDF
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
Ortus Solutions, Corp
 
PDF
What's-New-with-BoxLang-Brad Wood.pptx.pdf
Ortus Solutions, Corp
 
PDF
Getting Started with BoxLang - CFCamp 2025.pdf
Ortus Solutions, Corp
 
PDF
CFCamp2025 - Keynote Day 1 led by Luis Majano.pdf
Ortus Solutions, Corp
 
PDF
What's New with BoxLang Led by Brad Wood.pdf
Ortus Solutions, Corp
 
PDF
Vector Databases and the BoxLangCFML Developer.pdf
Ortus Solutions, Corp
 
PDF
Using cbSSO in a ColdBox App Led by Jacob Beers.pdf
Ortus Solutions, Corp
 
PDF
Use JSON to Slash Your Database Performance.pdf
Ortus Solutions, Corp
 
PDF
Portable CI wGitLab and Github led by Gavin Pickin.pdf
Ortus Solutions, Corp
 
PDF
Tame the Mesh An intro to cross-platform tracing and troubleshooting.pdf
Ortus Solutions, Corp
 
PDF
Supercharging CommandBox with Let's Encrypt.pdf
Ortus Solutions, Corp
 
PDF
Spice up your site with cool animations using GSAP..pdf
Ortus Solutions, Corp
 
PDF
Passkeys and cbSecurity Led by Eric Peterson.pdf
Ortus Solutions, Corp
 
PDF
Legacy Code Nightmares , Hellscapes, and Lessons Learned.pdf
Ortus Solutions, Corp
 
PDF
Integrating the OpenAI API in Your Coldfusion Apps.pdf
Ortus Solutions, Corp
 
PDF
Hidden Gems in FusionReactor for BoxLang, ACF, and Lucee Users.pdf
Ortus Solutions, Corp
 
PDF
Geting-started with BoxLang Led By Raymon Camden.pdf
Ortus Solutions, Corp
 
PDF
From Zero to CRUD with ORM - Led by Annette Liskey.pdf
Ortus Solutions, Corp
 
TheFutureIsDynamic-BoxLang witch Luis Majano.pdf
Ortus Solutions, Corp
 
June Webinar: BoxLang-Dynamic-AWS-Lambda
Ortus Solutions, Corp
 
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
Ortus Solutions, Corp
 
What's-New-with-BoxLang-Brad Wood.pptx.pdf
Ortus Solutions, Corp
 
Getting Started with BoxLang - CFCamp 2025.pdf
Ortus Solutions, Corp
 
CFCamp2025 - Keynote Day 1 led by Luis Majano.pdf
Ortus Solutions, Corp
 
What's New with BoxLang Led by Brad Wood.pdf
Ortus Solutions, Corp
 
Vector Databases and the BoxLangCFML Developer.pdf
Ortus Solutions, Corp
 
Using cbSSO in a ColdBox App Led by Jacob Beers.pdf
Ortus Solutions, Corp
 
Use JSON to Slash Your Database Performance.pdf
Ortus Solutions, Corp
 
Portable CI wGitLab and Github led by Gavin Pickin.pdf
Ortus Solutions, Corp
 
Tame the Mesh An intro to cross-platform tracing and troubleshooting.pdf
Ortus Solutions, Corp
 
Supercharging CommandBox with Let's Encrypt.pdf
Ortus Solutions, Corp
 
Spice up your site with cool animations using GSAP..pdf
Ortus Solutions, Corp
 
Passkeys and cbSecurity Led by Eric Peterson.pdf
Ortus Solutions, Corp
 
Legacy Code Nightmares , Hellscapes, and Lessons Learned.pdf
Ortus Solutions, Corp
 
Integrating the OpenAI API in Your Coldfusion Apps.pdf
Ortus Solutions, Corp
 
Hidden Gems in FusionReactor for BoxLang, ACF, and Lucee Users.pdf
Ortus Solutions, Corp
 
Geting-started with BoxLang Led By Raymon Camden.pdf
Ortus Solutions, Corp
 
From Zero to CRUD with ORM - Led by Annette Liskey.pdf
Ortus Solutions, Corp
 

Recently uploaded (20)

PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Transform Your Business with a Software ERP System
Canada Software Company
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
assetexplorer- product-overview - presentation
nonameist3434
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 

ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

  • 1. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023
  • 2. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Agenda
  • 4. © ngrok. All rights reserved. Confidential Information of ngrok Who am I?
  • 5. © ngrok. All rights reserved. Confidential Information of ngrok Who am I? https://www.youtube.com/@geekamongthetrees
  • 7. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OAuth 2.0? It’s unrelated to OAuth 1.0
  • 8. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok What is OpenID Connect (OIDC)? It’s unrelated to OpenID
  • 9. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth
  • 10. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Authentication - vs - Authorization
  • 12. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user or state - Authorization Server (aka Auth Server) creates the tokens - Scopes are the permissions you request from the Auth Server - Claims are the fields & data returned from the Auth Server - Resource Server is where you use the auth and id tokens Key OAuth Terms
  • 13. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type how you get the tokens - Tokens are the tokens - Authorization Server creates the tokens - Scopes how you request stuff in the token - Claims the stuff in the token - Resource Server where you use the token Key OAuth Terms (simplified)
  • 14. © ngrok. All rights reserved. Confidential Information of ngrok Hotel Key Cards but for Apps
  • 16. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
  • 17. © ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow User Auth Client Auth
  • 18. © ngrok. All rights reserved. Confidential Information of ngrok Implicit Flow User Auth No Client Auth!
  • 19. © ngrok. All rights reserved. Confidential Information of ngrok Resource Owner Password Flow User Auth No Client Auth! Wait. What does that mean!? The app has your creds!
  • 20. © ngrok. All rights reserved. Confidential Information of ngrok Client Credential Flow Client Auth No User Auth!?
  • 22. © ngrok. All rights reserved. Confidential Information of ngrok Which do I use? Wait. Where did that come from?
  • 23. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)
  • 24. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
  • 25. © ngrok. All rights reserved. Confidential Information of ngrok Authorization Code Flow with PKCE (RFC 7636) User Auth Client Auth
  • 26. © ngrok. All rights reserved. Confidential Information of ngrok SAML 2.0 Assertion Flow Client Auth No User Auth!?
  • 27. © ngrok. All rights reserved. Confidential Information of ngrok Which do I use?
  • 28. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - deprecated in favor of Auth Code+PKCE - Resource Owner Password Flow - not recommended - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Flow - Okta: Interaction Grant Type Grant Types (aka OAuth flows)
  • 30. © ngrok. All rights reserved. Confidential Information of ngrok OAuth (RFC 6749)
  • 31. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Notice: NOT authentication
  • 32. © ngrok. All rights reserved. Confidential Information of ngrok What about those tokens?
  • 33. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok JWTs to the Rescue! (JSON Web Tokens)
  • 34. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Ha. You wish.
  • 35. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 36. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 37. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 38. © ngrok. All rights reserved. Confidential Information of ngrok JSON Web Token (RFC 7519)
  • 39. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok So then what do we do?
  • 40. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect FTW
  • 41. © ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect
  • 42. © ngrok. All rights reserved. Confidential Information of ngrok OIDC: Opinionated Structure ● openid ● profile ● email ● address ● phone ● name ● given_name ● email ● street_address ● phone_number And many more..
  • 43. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces!
  • 44. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces! The second most important RFC of all
  • 46. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OAuth” is a meaningless statement
  • 47. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok “We support OpenID Connect” is useful (for SSO)
  • 48. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Figure out which combo of specs you need & they have *RFC 8414 is your best friend
  • 49. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Recap
  • 51. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023