
Microservice Security

Objectives

- OAuth2
- OpenID Connect
- Tokens (access, id / bearer, JWT)
- https://tools.ietf.org/html/rfc6749 - OAuth2
- http://openid.net/specs/openid-connect-core-1_0.html - OpenID Connect
OAuth2

- OAuth2 defines several grants
- Interactions between the participating parties:
  - Resource Owner
    - the entity that can grant access to a protected resource
    - typically, the end-user
  - Client
    - application requesting access to a protected resource on behalf of the Resource Owner
    - the application backend
  - Resource Server
    - the server hosting the protected resources
    - this is the API you want to access
  - Authorization Server
    - the server that authenticates the Resource Owner
    - issues access tokens after getting proper authorization
OpenID Connect

- new emerging standard for single sign-on and identity provision on the internet
- formula for success:
  - simple JSON-based identity tokens (JWT)
  - delivered via the OAuth 2.0 protocol
- Supports:
  - web
  - browser-based
  - native / mobile apps
JSON Web Token

- https://tools.ietf.org/html/rfc7519
- Claim
  - information about the subject
  - a pair: claim name : claim value
- JWT
  - Header
    - type
    - signature algorithm
  - Set of claims
  - Signature
Implicit Flow

- Client implemented in the browser

Participants: Client (browser), End User, Authorization Server, Resource Server

Sequence:
1. Resource Request (End User -> Client)
2. Authorization Request (Client -> Authorization Server)
3. Authenticate (Authorization Server -> End User)
4. Credentials + consent (End User -> Authorization Server)
5. access token, id token (Authorization Server -> Client)
6. Resource Request (access token, id token) (Client -> Resource Server)
7. validate tokens (Resource Server)
8. resource (Resource Server -> Client)
9. resource (Client -> End User)
Authorization Code Flow

- Does not expose any tokens to the user agent (e.g. browser)
- Client must securely maintain a client secret with the Authorization Server

Participants: End User, Client, Authorization Server, Resource Server

Sequence:
1. Resource Request (End User -> Client)
2. Authorization Request (Client -> Authorization Server)
3. Authenticate (Authorization Server -> End User)
4. Credentials + consent (End User -> Authorization Server)
5. authorization_code (Authorization Server -> Client)
6. Exchange(authorization_code) (Client -> Authorization Server)
7. id_token, access_token (Authorization Server -> Client)
8. Resource Request (access_token, id_token) (Client -> Resource Server)
9. validate tokens (Resource Server)
10. resource (Resource Server -> Client)
11. resource (Client -> End User)
Resource Owner Password Grant

- OAuth2 flow
- Client is trusted

Participants: End User, Client, Authorization Server, Resource Server

Sequence:
1. Resource Request (End User -> Client)
2. Authorization Request / Authenticate (Client prompts the End User)
3. Password credentials (End User -> Client)
4. Password credentials (Client -> Authorization Server)
5. access token (Authorization Server -> Client)
6. Resource Request (access token) (Client -> Resource Server)
7. validate tokens (Resource Server)
8. resource (Resource Server -> Client)
9. resource (Client -> End User)
Client Credentials

- Client owns the resource

Participants: Client, Authorization Server, Resource Server

Sequence:
1. Client credentials (Client -> Authorization Server)
2. access token (Authorization Server -> Client)
3. Resource Request (access token) (Client -> Resource Server)
4. validate tokens (Resource Server)
5. resource (Resource Server -> Client)
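The "validate tokens" step that every flow above ends with, together with the header / claims / signature layout from the JSON Web Token slide, as an added example that is not part of the original slides: a minimal issuer and verifier in Python using only the standard library. Assumptions not taken from the slides: an HS256 secret shared by the Authorization Server and the Resource Server, an `aud` claim naming the Resource Server, and `exp` as a Unix timestamp.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the Authorization Server and the Resource Server.
# Assumption: HS256; real OpenID providers usually sign with an asymmetric key (RS256).
SECRET = b"demo-shared-secret"
ALLOWED_ALG = "HS256"  # pinned by the verifier; the token's own header never chooses it


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Authorization Server side: header.claims.signature, each part base64url encoded."""
    header = {"typ": "JWT", "alg": ALLOWED_ALG}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, audience: str, secret: bytes = SECRET, now=None) -> dict:
    """Resource Server side (the 'validate tokens' step); raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm substitution
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # verified before any claim is trusted
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different resource server")
    return claims
```

The verifier checks the signature before reading any claim, and only then enforces expiry and audience, so a token minted for one API cannot be replayed against another.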
Decision

1. Client == Resource Owner?
   - YES: Client Credentials
   - NO: next question
2. Client runs server-side?
   - YES: Authorization Code Grant
   - NO: next question
3. Client absolutely trusted to handle user credentials?
   - YES: Resource Owner Password Grant
   - NO: next question
4. Client is a native app or a SPA?
   - SPA: Implicit Grant
   - NATIVE: Authorization Code Grant
