Authentication and Authorization

• September 15, 2016
• DevOps  

• Justin Richer
• Aaron Parecki
• OAuth 2.0
• It’s Time for OAuth 2.1
• OAuth 3
  • Transactional Authorization
  • oauth.xyz
  • Video
  • It takes a completely greenfield approach, rethinking how OAuth and all its related specs and extensions such as UMA might look if everything were not tied to being an extension of the original OAuth 2.0 RFC 6759

JWT

JSON Web Tokens (JWT) are a more modern approach to authentication. As the web moves to a greater separation between the client and server, JWT provides a wonderful alternative to traditional cookie based authentication models.

Good Articles:

• Stop using JWT for sessions
• JSON Web Tokens (JWT) vs Sessions

OAuth2

(Authorization) OAuth2 is an authorization mechanism (i.e. allows you to check that a token is valid and has a specific set of scopes granted) An Introduction to OAuth 2

• GOTO 2018 • Introduction to OAuth 2.0 and OpenID Connect • Philippe De Ryck
• OAuth 2 in Action

OpenID Connect

(Authentication and Authorization) OpenID Connect is just an authentication layer built on top of OAuth2. It is a standards specifications and there are a lot of implementations for this standard.

OpenID Connect Specifications

• Identity Provider (IDP): offers user authentication as a service
• Relying Party (RP): an application that outsources its user authentication function to an IDP.
• Resource
• User

Other products:

• MITREid Connect
• dex
• hydra

References:

• API Security: Deep Dive into OAuth and OpenID Connect
• https://security.stackexchange.com/questions/94995/oauth-2-vs-openid-connect-to-secure-api
• Map of OAuth 2.0 Specs