OAuth2 OpenID Connect

The document discusses microservice security standards including OAuth2 and OpenID Connect. It provides an overview of key concepts in OAuth2 such as the different parties involved (resource owner, client, resource server, authorization server) and grant types. It then explains OpenID Connect which builds on OAuth2 to provide identity tokens. It also covers JSON Web Tokens and flows such as implicit, authorization code, resource owner password, and client credentials grant.


Microservice Security

Objectives

- OAuth2
- OpenID Connect
- Tokens (access, id / bearer, JWT)
- https://tools.ietf.org/html/rfc6749 - OAuth2
- https://openid.net/specs/openid-connect-core-1_0.html - OpenID Connect
OAuth2

- OAuth2 defines several grants
- Interactions between the interacting parties:
  - Resource Owner
    - the entity that can grant access to a protected resource
    - typically, the end-user
  - Client
    - application requesting access to a protected resource on behalf of the Resource Owner
    - application backend
  - Resource Server
    - the server hosting the protected resources
    - this is the API you want to access
  - Authorization Server
    - the server that authenticates the Resource Owner
    - issues access tokens after getting proper authorization
OpenID Connect

- new emerging standard for single sign-on and identity provision on the internet
- formula for success:
  - simple JSON-based identity tokens (JWT),
  - delivered via the OAuth 2.0 protocol
- Supports:
  - web
  - browser-based
  - native / mobile apps
JSON Web Token

- https://tools.ietf.org/html/rfc7519
- Claim
  - information about the subject
  - pair claim name : claim value
- JWT
  - Header
    - type
    - signature algorithm
  - Set of claims
  - Signature
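As an added example (not part of the slides), the three JWT parts from the slide above built and checked with Python's standard library only: a header carrying the type and signature algorithm, a set of claims, and an HMAC-SHA256 signature, each base64url-encoded and joined with dots. The key and claims are constructed for the demo. The verifier pins the algorithm it accepts instead of trusting the `alg` in the header, compares signatures in constant time, and honours the `exp` claim from RFC 7519.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a real deployment keeps this in a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding base64url drops, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """header.claims.signature, each segment base64url-encoded."""
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    signing_input = ".".join(segments)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jwt_verify(token: str, key: bytes, now: int) -> Tuple[Optional[dict], str]:
    """Return (claims, "ok") when the signature is valid and the token has not expired,
    otherwise (None, reason). Only HS256 is accepted; the header's alg is not trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unsupported alg"
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"  # claims were altered or a different key signed them
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    if "exp" in claims and now >= claims["exp"]:
        return None, "expired"
    return claims, "ok"
```

The check order matters: the signature is verified over the raw encoded segments before the claims are parsed, so nothing inside an unverified payload influences the decision, and a token whose header asks for a different algorithm is rejected before any cryptography runs.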
Implicit Flow

- Client implemented in browser
- Parties: Client (browser), End User, Authorization Server, Resource Server
- Sequence:
  1. End User -> Client: Resource Request
  2. Client -> Authorization Server: Authorization Request
  3. Authorization Server -> End User: Authenticate
  4. End User -> Authorization Server: Credentials + consent
  5. Authorization Server -> Client: access token, id token
  6. Client -> Resource Server: Resource Request (access token, id token)
  7. Resource Server: validate tokens
  8. Resource Server -> Client: resource
  9. Client -> End User: resource
Authorization Code Flow

- Does not expose any tokens to the user agent (e.g. browser)
- Client must securely maintain a client secret with the Authorization Server
- Parties: End User, Client, Authorization Server, Resource Server
- Sequence:
  1. End User -> Client: Resource Request
  2. Client -> Authorization Server: Authorization Request
  3. Authorization Server -> End User: Authenticate
  4. End User -> Authorization Server: Credentials + consent
  5. Authorization Server -> Client: authorization_code
  6. Client -> Authorization Server: Exchange(authorization_code)
  7. Authorization Server -> Client: id_token, access_token
  8. Client -> Resource Server: Resource Request (access_token, id_token)
  9. Resource Server: validate tokens
  10. Resource Server -> Client: resource
  11. Client -> End User: resource
Resource Owner Password Grant

- OAuth2 flow
- Client is trusted
- Parties: End User, Client, Authorization Server, Resource Server
- Sequence:
  1. End User -> Client: Resource Request
  2. Client -> Authorization Server: Authorization Request
  3. Authorization Server -> End User: Authenticate
  4. End User -> Client: Password credentials
  5. Client -> Authorization Server: Password credentials
  6. Authorization Server -> Client: access token
  7. Client -> Resource Server: Resource Request (access token)
  8. Resource Server: validate tokens
  9. Resource Server -> Client: resource
  10. Client -> End User: resource
Client Credentials

- Client owns the resource
- Parties: Client, Authorization Server, Resource Server
- Sequence:
  1. Client -> Authorization Server: Client credentials
  2. Authorization Server -> Client: access token
  3. Client -> Resource Server: Resource Request (access token)
  4. Resource Server: validate tokens
  5. Resource Server -> Client: resource
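As an added example, not from the slides, here is a toy in-memory authorization server and resource server in Python that run the Authorization Code, Resource Owner Password and Client Credentials exchanges from the preceding three slides end to end. The client id, client secret, redirect URI and user are constructed; the "validate tokens" step is modelled as the resource server looking the token up at the authorization server, which is an assumption, since the slides do not say how validation is done. The code shows the two properties the Authorization Code slide calls out: only the one-time code crosses the user agent, and the token exchange requires the client secret on the back channel.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo data: one registered confidential client and one end user.
CLIENT_ID = "web-app"
CLIENT_SECRET = "s3cret-from-registration"   # assumed to be issued at client registration
REDIRECT_URI = "https://app.example/callback"
USERS = {"alice": "correct horse battery staple"}  # constructed; real servers store hashes


class AuthorizationServer:
    """Toy authorization server: authenticates the resource owner, issues one-time
    authorization codes, and serves the password and client credentials grants."""

    def __init__(self) -> None:
        self.clients: Dict[str, dict] = {}
        self.codes: Dict[str, dict] = {}          # code -> issuance record, popped on first use
        self.access_tokens: Dict[str, dict] = {}  # opaque token -> subject and expiry

    def register_client(self, client_id: str, secret: str, redirect_uri: str) -> None:
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def _authenticate_client(self, client_id: str, secret: str) -> bool:
        client = self.clients.get(client_id)
        return client is not None and hmac.compare_digest(client["secret"], secret)

    def _issue_access_token(self, subject: str, now: float) -> str:
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = {"sub": subject, "exp": now + 600}
        return token

    # Authorization Request + Authenticate + Credentials/consent -> authorization_code
    def authorize(self, client_id, redirect_uri, username, password, consent) -> Optional[str]:
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None  # unknown client, or redirect_uri differs from the registered one
        if USERS.get(username) != password or not consent:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "sub": username}
        return code  # only this code passes through the browser, never a token

    # Exchange(authorization_code) -> id_token, access_token; back channel, needs the secret
    def exchange(self, code, client_id, client_secret, redirect_uri, now=None) -> Optional[dict]:
        if not self._authenticate_client(client_id, client_secret):
            return None
        entry = self.codes.pop(code, None)  # pop: a code is single use
        if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        now = time.time() if now is None else now
        return {"access_token": self._issue_access_token(entry["sub"], now),
                "id_token": {"iss": "https://as.example", "sub": entry["sub"], "aud": client_id}}

    # Resource Owner Password Grant: the trusted client forwards the user's credentials
    def password_grant(self, client_id, client_secret, username, password, now=None) -> Optional[str]:
        if not self._authenticate_client(client_id, client_secret) or USERS.get(username) != password:
            return None
        return self._issue_access_token(username, time.time() if now is None else now)

    # Client Credentials: the client is the resource owner and authenticates only itself
    def client_credentials(self, client_id, client_secret, now=None) -> Optional[str]:
        if not self._authenticate_client(client_id, client_secret):
            return None
        return self._issue_access_token(client_id, time.time() if now is None else now)

    # "validate tokens": assumption for this demo, the resource server asks the AS
    def validate(self, access_token, now=None) -> Optional[dict]:
        now = time.time() if now is None else now
        info = self.access_tokens.get(access_token)
        return info if info is not None and now < info["exp"] else None


class ResourceServer:
    def __init__(self, auth_server: AuthorizationServer) -> None:
        self.auth_server = auth_server

    # Resource Request (access_token) -> resource, after the token is validated
    def get_resource(self, access_token: str) -> Optional[str]:
        info = self.auth_server.validate(access_token)
        return None if info is None else f"profile of {info['sub']}"


def build_demo():
    auth = AuthorizationServer()
    auth.register_client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return auth, ResourceServer(auth)


def run_authorization_code_flow(auth, rs) -> Optional[str]:
    """One full run of the Authorization Code Flow slide for user alice."""
    code = auth.authorize(CLIENT_ID, REDIRECT_URI, "alice", USERS["alice"], consent=True)
    tokens = auth.exchange(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI) if code else None
    return rs.get_resource(tokens["access_token"]) if tokens else None
```

Calling `build_demo()` and then `run_authorization_code_flow(auth, rs)` walks steps 1 to 11 of the Authorization Code slide; `password_grant` and `client_credentials` give the shorter sequences of the other two slides, and in every case the resource server hands out nothing until `validate` accepts the token.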
Decision

1. Client == Resource Owner?  YES -> Client Credentials.  NO -> next question.
2. Client runs server-side?  YES -> Authorization Code Grant.  NO -> next question.
3. Client absolutely trusted to handle user credentials?  YES -> Resource Owner Password Grant.  NO -> next question.
4. Client is a native app or SPA?  SPA -> Implicit Grant.  NATIVE -> Authorization Code Grant.