Skill - OAuth 2.0 for centralized Authorization and Authentication of users and applications
What is OAuth 2.0
- Using the OAuth 2.0 specification, applications can trust a central server to authorize and authenticate users or applications
- The identity and access-rights information of users and applications is stored centrally in the identity server / Secure Token Service (STS)
- The identity server authenticates users or applications and issues them tokens for accessing the protected resources on the resource server
- Because a user or application authenticates once at the identity server to get access to resources on one or many resource servers, Single Sign-On (SSO) can be implemented with OAuth 2.0, and the identity and access information of users and applications can be managed centrally.
- OpenID Connect is a layer on top of OAuth 2.0 that adds authentication and user-information retrieval for client applications
OAuth 2.0 Terminology
Identity Server / Secure Token Service (STS)
Software that issues tokens to clients for accessing resources
User
A human trying to access the resources using a registered client
Client
Software registered with the identity server that can request tokens from it, either to authenticate users (requires an identity token) or to access resources (requires an access token)
Resources
Resources are the data protected by the identity server. The data can be identity data (username, email, phone number, etc., also called user claims) or APIs
Identity Token
The identity token is issued by the STS to the client after authenticating a user. It contains the user identifier (subject claim) and how and when the user was authenticated. It may also contain additional user identity information.
Access Token
Access tokens are issued to clients by the STS for accessing resources. They contain information about the client and, if present, the user. APIs validate these tokens to decide whether a client may access them
OAuth 2.0 Flows
- An OAuth 2.0 flow is the process of authorizing or authenticating a user or application.
- The OAuth 2.0 specification defines multiple flows, listed below, to support scenarios such as machine-to-machine, back-end web applications, Single Page Apps (SPAs) and input-constrained devices:
- Authorization Code Flow
- Authorization Code Flow with Proof Key for Code Exchange (PKCE)
- Implicit Flow with Form Post
- Hybrid Flow
- Client Credentials Flow
- Device Authorization Flow
- Resource Owner Password Flow
OAuth 2.0 implementation
OAuth 2.0 Server
- Keycloak is an open-source Identity and Access Management (IAM) solution from Red Hat that can be used as an OAuth 2.0 server. It also provides a UI for managing users, clients and resources
- Many providers, such as Okta, also offer OAuth 2.0 services in the cloud
OAuth 2.0 client and Resource Server
- OAuth 2.0 authorization and authentication can be integrated into applications using open-source frameworks in various languages, such as Authlib in Python, and ASP.NET Core Identity and IdentityModel in .NET
Video
You can watch the video for this post here
References
- Terminology in OAuth 2.0 - https://identityserver4.readthedocs.io/en/latest/intro/terminology.html
- Overview of different OAuth 2.0 flows - https://auth0.com/docs/get-started/authentication-and-authorization-flow