reading-notes

Class Fifteen Notes (301)

Authentication

OAuth¹

• OAuth is an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, related, single logon credential.
• Example: when logging onto a website and it offers one or more opportunities to log on using another site’s logon
• OAuth works by:

1. The first website connects to the second website on behalf of the user, using OAuth, providing the user’s verified identity;
2. The second site generates a one-time token and one-time secret unique key to the transaction and parties involved
3. The first site gives he token and the secret to the initiating user’s client software, which t=hen presents the request token and secret to their authorization provider
4. If not already authenticated, the client may be asked to authenticate
5. The user appvoes a particular transaction type at the first website;
6. The user gives the approved access token to the first site, which then gives the access token to the second website as proof of athentication; 7 The second site lets the first site access their site on behalf of the user; 8 The user sees a successfullly completed transaction occuring

• OpenID is a technolgy that’s in the same context as oAuth, but it’s for authentication rather than authorization, that allows humans to log onto machines (versus OAuth allows machines to log onto machines on behalf of humans);

Authorization and Authentication flows²

• Authorization code flow is used on the serverside, and authentication is used on the client side.
• Authorization code flow exchanges an authorization code for a token
• Authorization Code Flow with Proof Key for Code Exchange (PKCE) is based on standard authorization code flw, which introduces a secret (Code Verifier) created by the calling application that can be verified by the authorization server.
• Implicit Flow with Form Post allows the web app requests and obtain tokens through the front channel, without the need for secrets or extra backend calls, so no secret management is involved.
• Client Credentials flow passes along the client ID and client secret to authenticate themselves to get a token
• Device authorization flow is used when an input-constrained device is used, so instead of authenticate the user, the device go to a link on the computer or smartphone to authorize the device
• Resource owner password flow requests the users to provide credentials by using an interactive form.

What is Resource Owner Password Flow?

Back to main page

References

1. https://www.csoonline.com/article/3216404/what-is-oauth-how-the-open-authorization-framework-works.html ↩

2. https://auth0.com/docs/get-started/authentication-and-authorization-flow ↩