reading-notes

reading notes for code fellows

---

Project maintained by dLeigh01 Hosted on GitHub Pages — Theme by mattgraham

Authentication

This is important because having the ability to correclty implement authorization and/or authentication in your site or app is a necessary skill in many jobs you will come across.

What is OAuth

OAuth is an open-standard authentication protocol that describes how unrelated services can safely allow authenticated access to their assets without sharing credentials. (secure, third-party, user-agent, delegated authorization) OAuth was created by some major companies like Twitter and Google in 2010 and underwent many revisions over the next two years before OAuth 2.0 was released, which was widly criticized, but more popular than the original. An example of OAuth is when you go to login to a site and it offers you multiple options, such as logging in through google, or apple, or your email. You’re authenticated by the other site and it grants permission to the site you came from.

OAuth involves two separate sites using the same version of the software trying to accomplish something together. How it works

• Site 1 connects to site 2 using OAuth and provides the users identity
• Site 2 gives out a one-time token
• Site 1 give the token tothe user’s client software
• The software presents it to their authorization provider
• If not already authenticated, the user may be asked to authenticate and then approve the authorization transaction
• the user or their software approves
• the user is given an approved token
• the user gives the token to site 1
• Site 1 gives the token to site 2 as proof it has been authorized
• Site 2 lets site 1 access their site on behalf of the user
• The user sees a completed transaction

While OAuth is about authorization, OpenID is for authentication. OpenID was difficult to implement and as such never became widely adopted. In 2014 however, OpenIDConnect was released, which made it into an authentication layer for OAuth.

1. OAuth is a secure, third-party, user-agent, delegated authorization.
2. OAuth is like when you are making an account on a new site and it asks if you would like to log in using an account on a different site, such as facebook or google.
3. There are many steps, see list above.
4. OpenID is an authenticator than now works in tandem with OAuth.

Authorization and Authentication Flows

1. Authentication is verifying who you are, authorization is verifying what you can access.
2. Authorization code flow exchanges an Authorization Code for a token.
3. PKCE introduces a secret created by the calling application that can be verified by the authorization server, adding an extra level of security.
4. Implicit flow with form post uses OIDC to implement web sign-in be requesting and obtaining tokens through the front channel without the use of secrets.
5. Client credentials flow is used in machine to machine applications by passing along their Client ID and Secret to authenticate themselves and get a token.
6. Device authorization flow asks the user to go to a link on their computer or smartphone to authorize the device.
7. Resource owner password flow can be used by highly trusted applications to get credentials from the user with an interactive form.

Things I Want to Know More About

What is typically the best form of authentication/authentication to use?

[< table of contents]

[< home]