2. AGENDA
Before the Cloud & Web Services
The evolution of authentication systems
OAuth 2.0 & JWT
OAuth 2.0 - the server side
OIDC - generic understanding of the actors
OIDC flows - behind the scenes
SAML
SAML - behind the scenes
What's SSO got to do with it?
AuthExperience
8. Before the Cloud
1 user account per application
Onboarding was an issue …
Grouping (scoping)
Common solution
LDAP - Lightweight Directory Access Protocol
Identify the user in the directory;
identification is based on the entry's location in the directory tree (its distinguished name)
Problem
Security is internal (we trust our DC / LDAP, which is reachable only from the corporate network)
Organizations start consuming 3rd-party services that cannot bind to our directory
How do we manage our customer / client DB?
What if I don't know the user's ID? Their origin?
(Onboarding issue all over again)
SSO - Single Sign-On / use your corporate e-mail
"Social" login
9. OAUTH
Misconception #1: OAuth != Auth0 (Auth0 is a vendor; OAuth 2.0 is the IETF protocol, RFC 6749)
Misconception #2: it is used to AUTHORIZE, not to identify (authenticate) the user
Purpose: delegate temporary, scoped access to your resources to a third-party application
Method: bearer access tokens (opaque or JWT; the JWT access token profile is RFC 9068), always carried over TLS
AuthExperience
12. OAuth 2.0 Usage
Resource Owner (you!)
Standard web login (username / password), entered at the authorization server and never handed to the client
Client / Application
"Can we please import your contacts?" - the client asks for a scope, and you consent (or not)
Authorization Server
Authenticates you and issues the token; the contacts API that accepts that token is the Resource Server, the fourth OAuth role
18. OAuth 2.0 - Behind the scenes
Client / Application ID
A public identifier the authorization server uses to recognise the client / application
Client Secret
A credential (not an identifier) registered for that client ID; confidential clients use it to authenticate at the token endpoint, while public clients (SPAs, mobile apps) cannot keep one and use PKCE instead
Zero-trust policy: the authorization server verifies the client ID, the redirect URI and the grant on every request rather than assuming the caller is who it claims
CONSENT
The resource owner's approval of the requested scope, recorded by the authorization server
GRANT
The authorization the client receives (for example an authorization code, exchanged for an access token), limited to the scope the resource owner consented to
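The pieces on this slide (client ID, client secret, consent, grant, scope) fit together in the authorization code grant. The following is an added example, not code from the slides: a stdlib-only Python simulation of RFC 6749's authorization code grant with PKCE (RFC 7636) in which a toy authorization server and a toy client talk in-process. The client ID `contacts-importer`, the secret, the redirect URI, the user `alice` and the scopes are made-up values for the demo; a real deployment would exchange these over HTTPS against a real provider.

```python
"""Added example: OAuth 2.0 authorization code grant with PKCE, simulated in-process.
All identifiers, secrets and URLs below are constructed for the demo."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE uses for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy authorization server: registered clients, consent, codes, tokens."""

    def __init__(self):
        # Client registration happens out of band; these values are hypothetical.
        self.clients = {"contacts-importer": {
            "secret": "registered-client-secret",
            "redirect_uri": "https://app.example/callback"}}
        self.codes = {}   # authorization code -> grant details (single use)
        self.tokens = {}  # access token -> {user, scope}

    def authorize(self, params, user, consented):
        """The resource owner authenticates here and consents to a subset of the
        requested scope. Returns the redirect back to the client carrying the grant."""
        client = self.clients.get(params["client_id"])
        if client is None or client["redirect_uri"] != params["redirect_uri"]:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        granted = set(params["scope"].split()) & set(consented)  # consent narrows scope
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "user": user,
                            "scope": granted, "challenge": params["code_challenge"]}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, client_secret, code, code_verifier):
        """Token endpoint: authenticate the client, burn the code, verify PKCE."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # a code is redeemable exactly once
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != grant["challenge"]:
            raise PermissionError("invalid_grant: PKCE verifier mismatch")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 600,
                "scope": " ".join(sorted(grant["scope"]))}

    def introspect(self, token):
        """What the resource server would learn about a presented bearer token."""
        return self.tokens.get(token)


class Client:
    """The app that wants to import contacts. It never sees the user's password."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.client_id, self.client_secret = "contacts-importer", "registered-client-secret"
        self.redirect_uri = "https://app.example/callback"
        self.pending = {}  # state -> code_verifier, bound to this browser session

    def begin(self, scope):
        state = secrets.token_urlsafe(16)     # CSRF binding checked on the callback
        verifier = secrets.token_urlsafe(48)  # PKCE secret that never leaves the client
        self.pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
                "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
                "code_challenge_method": "S256"}

    def callback(self, redirect_url):
        q = parse_qs(urlparse(redirect_url).query)
        verifier = self.pending.pop(q["state"][0], None)
        if verifier is None:
            raise PermissionError("state mismatch: possible CSRF or replayed callback")
        return self.auth_server.token(self.client_id, self.client_secret,
                                      q["code"][0], verifier)


def run_flow():
    """Walk the whole grant and report what each party ended up with."""
    auth_server = AuthorizationServer()
    client = Client(auth_server)
    request = client.begin("contacts.read contacts.write")
    # The user signs in at the authorization server and approves only read access.
    redirect = auth_server.authorize(request, user="alice", consented={"contacts.read"})
    token = client.callback(redirect)
    info = auth_server.introspect(token["access_token"])
    try:  # the same authorization code cannot be exchanged twice
        auth_server.token(client.client_id, client.client_secret,
                          parse_qs(urlparse(redirect).query)["code"][0], "x")
        replayable = True
    except PermissionError:
        replayable = False
    return {"scope": token["scope"], "user": info["user"],
            "can_write": "contacts.write" in info["scope"], "code_replayable": replayable}


if __name__ == "__main__":
    print(run_flow())
```

Two design points worth noticing: the grant's scope is the intersection of what the client asked for and what the user consented to, so the app that asked for write access ends up with a read-only token, and the authorization code is popped from the server's store on first use, so a leaked redirect URL cannot be replayed for a second token.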
19. OAuth = Authorization (a.k.a. access)
Grants access to a resource!
Identifying the user is the application / client's job! (OAuth itself says nothing about who the user is)
Grants are delivered via tokens
Tokens expire!
We want to limit the duration / validity of the access token (short-lived access token, optionally a refresh token to get a new one)
20. The client application has no record of the user
How they logged in
When they logged in or logged out
Only the authorization server interacts with the resource owner!
OAuth = Authorization (a.k.a. access)
22. OIDC Flows
Purpose: identity & authentication layer on top of OAuth 2.0
Method:
1. Dedicated service endpoints (discovery, authorization, token, userinfo, JWKS)
2. JWT - JSON Web Token: the ID Token, signed by the provider and carrying iss, sub, aud, exp, iat and nonce
AuthExperience
23. Haggai Philip Zagury | DevOps Group & Tech Lead | 2021
OpenID Connect
Adding the Identity Layer to OAuth
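The slides above make two points that a relying party has to turn into code: tokens expire (slide 19) and the ID Token is how OIDC adds identity to OAuth (slides 22 and 23). The following is an added example, not code from the talk: a stdlib-only Python issuer and validator for an ID Token. It uses HS256 (HMAC-SHA256 keyed with the client secret, which OIDC Core permits) so that it runs without any JWT library; most providers sign with RS256 and publish keys at a JWKS endpoint, which changes the signature step but not the claim checks. The issuer URL, client ID, key, nonce and the user `alice` are constructed for the demo.

```python
"""Added example: minting and validating an OIDC ID Token (JWT, HS256) with the
standard library only. Issuer, client, key and claims are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Provider side: sign base64url(header).base64url(claims) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_id_token(token, key, issuer, client_id, nonce, now=None, leeway=60):
    """Relying-party side: the ID Token checks from OIDC Core section 3.1.3.7.
    Returns the claims on success; raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))  # only trust the claims after the signature
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not meant for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without matching azp")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("iat", now) - leeway > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replay?)")
    return claims


KEY = b"client-secret-shared-with-the-provider"  # constructed demo key
ISSUER = "https://op.example"                    # hypothetical OpenID Provider
CLIENT_ID = "contacts-importer"
NONCE = "n-0S6_WzA2Mj"                           # value the client put in its auth request


def demo(now=1_700_000_000):
    """Accept a good token, then show four tokens the validator must reject."""
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now - 5,
            "exp": now + 300, "nonce": NONCE, "email": "alice@example.com"}
    good = mint_id_token(base, KEY)
    results = {"sub": validate_id_token(good, KEY, ISSUER, CLIENT_ID, NONCE, now)["sub"]}

    def rejected(token):
        try:
            validate_id_token(token, KEY, ISSUER, CLIENT_ID, NONCE, now)
            return None
        except ValueError as err:
            return str(err)

    # 1. Expiry: identical claims but exp an hour in the past.
    results["expired"] = rejected(mint_id_token({**base, "exp": now - 3600}, KEY))
    # 2. Tampering: swap the payload, keep the original signature.
    h, p, s = good.split(".")
    forged = b64url_encode(json.dumps({**base, "sub": "admin"}).encode())
    results["tampered"] = rejected(f"{h}.{forged}.{s}")
    # 3. alg=none: unsigned token that a lax parser would accept.
    none_hdr = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    results["alg_none"] = rejected(f"{none_hdr}.{p}.")
    # 4. Audience confusion: a valid token that was issued to a different client.
    results["wrong_aud"] = rejected(mint_id_token({**base, "aud": "other-app"}, KEY))
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload never influences which issuer, audience or expiry the code compares against, and the algorithm is fixed by the relying party rather than read from the token.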
34. Kiryat Atidim, Building 7, 3rd Floor, POB 58269, Tel Aviv 6158102, Israel
(+972) 3 6488618 | info@tikalk.com