Friday 12:10 p.m.–12:40 p.m.

Web identity: OAuth2 and OpenIDConnect

Brendan McCollam


Interested in adding single sign-on to your application, but confused about the variety of different web authentication methods out there? OAuth, OAuth2, OpenID, OpenIDConnect, SAML, Facebook Connect? This talk will clarify the different protocols, examining OAuth2 and OpenIDConnect in greater detail. It will demonstrate a basic client implementation using FLOSS libraries, and briefly touch on some of the issues involved in server implementation. - Introduction (5 minutes) - What is single sign-on (SSO)? - "Sign in with your Google/Facebook/Github/... account" - Why would you want that? - Ease of implementation & security: you aren't responsible for protecting users' credentials. - User aquisition: you aren't asking users to create a new account. - Potentially get more data about the user (be careful about privacy) - How do we get there? - [High-level diagram of single sign-on] - History - Authorization protocols (grants permission to do something) - OAuth 1.0a: more complex to implement, specifies its own signing - OAuth 2.0: simpler, relies on SSL/TLS for security. - Authentication [identity] protocols (provide metadata about the user) - OpenID (deprecated) - OpenID 2.0 (XML based, kind of clunky) - OpenIDConnect: set of extensions to OAuth 2.0. - The rest of this talk will focus on OAuth 2 and OpenIDConnect. - The OAuth 2.0 Protocol (3 minutes) - Widely adopted; implementations in most major languages. - Authorization code grant [flow chart] - Client makes authorization request to authentication provider. - Authentication provider authenticates user (how? not your problem!) - Authentication provider returns an "authorization code" to client. - Client exchanges auth code for an "access token" that entitles it to take action on behalf of the user. - Implicit Grant [flow chart] - Other things OAuth2 defines: client credentials, username-password, native applications - OpenIDConnect: Getting user metadata (2 minutes) - What does OpenIDConnect add? - What kinds of information can you ask for? - Client implementation [authenticating through an external system] (10 minutes) - Example code for basic Flask application with username-password sign in. - Show how to replace local login with OAuth2 using `oauth2client` library. - Show how to retrieve and display user data with OpenIDConnect. - Brief mention of alternative client libraries. - Server implementations [letting external clients authenticate through your system] (5 minutes) - Fewer Python libraries available for server. - PyOIDC - OAuthlib - Important considerations when building your implementation. - Example implementation: Globus Auth - Q&A (5 minutes)