Skip to content

class301-14.md

Latest commit

 

History

History
39 lines (34 loc) · 2.64 KB

class301-14.md

File metadata and controls

39 lines (34 loc) · 2.64 KB

Authentication

OAuth

  • CSO Article

  • SSO - Single Sign-On

  • OAuth is an open-standard authorization protocol/framework that details how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the original logon credential.

    • AKA secure 3rd party user-agent, delegated authorization
    • an example of this is when a website allows you to login using your google account

  • OAuth only works using HTTPS

  • How OAuth Works

    1. website (A) connects to website (B) on behalf of user using OAuth
    2. website (B) generates a single use request token and secret
    3. website (A) provides request token and secret to user's client software
    4. client software presents request token and secret to to authorization provider
    5. if not authenticated, client is asked to authenticate then client is asked to approve authorization transaction to website (B)
    6. user approves transaction at website (A)
    7. user gets approved access token
    8. user gives approved access token to website (A)
    9. website (A) gives approved access token to website (B) as proof of user authentication
    10. website (B) allows website (A) to access site on behalf of user
    11. user see successful transaction

  • OpenID is about authentication, where OpenID Connect is now an authentication layer for OAuth

  • Summary by StackOverflow user pithily: "OpenID is for humans logging into machines, OAuth is for machines logging into machines on behalf of humans."

Authorization and Authentication Flows

  • Auth0 docs

  • Authentication is the process of a user/subject proving its ownership of a presented identity, by providing a password or some other uniquely owned or presented factor.

  • Authorization is the process of letting a subject access resources after a successful authentication, oftentimes somewhere else.

  • Authorization Code Flow - exchanges Authorization for a token for server-side apps

  • Authorization Code Flow with Proof Key for Code Exchange (PKCE) - Authorization Code Flow for mobile and native applications Implicit Flow with Form Post - alternative to Authorization Code Flow for Public Clients (not best practice) Client Credentials Flow - Machine to Machine (M2M) authentication and authorization Device Authorization Flow - device asks user to authenticate via a link on computer or smartphone Resource Owner Password Flow - credentials provided via form (not recommended)

Bookmark/Skim

Auth0 docs