Data
Reader small image

You're reading from  Cloud Identity Patterns and Strategies

Product typeBook
Published inDec 2022
PublisherPackt
ISBN-139781801810845
Edition1st Edition
Concepts
Identity Management
Right arrow
Authors (2):
Giuseppe Di Federico
Giuseppe Di Federico
author image
Giuseppe Di Federico

Giuseppe Di Federico started working for Microsoft in 2011, with previous experience working for IBM and Accenture in software development. He became an architect for cloud and hybrid solutions, serving customers in more than 10 countries across EMEA. He had the opportunity to lead multicultural teams, visit many multinational customers, and learn about different cultures, mindsets, and assets, which enabled him to also appreciate how organizations' structures impact their results. During his experience, he has been able to appreciate many identity patterns designed to last, to be reliable and secure. In June 2022, he accepted the challenge to join a new leading-edge team for the greatest service company in Italy.
Read more about Giuseppe Di Federico

Fabrizio Barcaroli
Fabrizio Barcaroli
author image
Fabrizio Barcaroli

Fabrizio Barcaroli (born in 1987) started his career as a consultant in Italy after obtaining a master's degree in computer science in 2012. In 2013, Fabrizio joined Microsoft as part of the Microsoft Consulting Services unit, where he developed his technical skills and helped customers achieve their business goals through the usage of Microsoft technologies. With the rise of the cloud era, Fabrizio specialized in cloud and identity solutions, and in 2020, he became a cloud solution architect, a technical advisor that helps close the gap between business needs and Microsoft technologies for big enterprises operating in the manufacturing, finance, and retail markets in Italy and across the globe.
Read more about Fabrizio Barcaroli

View More author details
Right arrow

Authentication Flows

We know that OpenID Connect (OIDC) extends the OAuth 2.0 protocol by introducing new flows, reusing some of the existing ones, and by placing the user, not the application, at the center of such flows. In this chapter, we will go through OAuth 2.0 and OIDC basics, learn about their flows, similarities, and differences, and where they can be used and why.

The chapter covers the following main topics:

  • The authorization code grant flow
  • The authorization code grant flow with Proof Key for Code Exchange
  • The implicit grant flow
  • The client credentials grant flow
  • The Resource Owner Password Credentials (ROPC) grant flow
  • The On-Behalf-Of (OBO) flow
  • Hybrid flows

Here’s a list of the flows and their support:

Figure 4.1 – OIDC/OAuth 2.0 flow support summary

The authorization code grant flow

The authorization code grant flow is used by a client application to obtain both an access token (or an ID token for OIDC) and a refresh token, and it is even more secure when used with confidential clients. Because this is a redirection-based flow, the client must be able to connect with the resource owner’s user agent (usually a web browser) and receive inbound requests from the authorization server (via redirection).

The flow is described in the following diagram:

Figure 4.2 – Authorization code grant flow

The diagram is explained in detail in the following list. Each item reports the specific interaction that occurs at the numbered point in the diagram:

  1. The client application requests an authorization code (authorization grant proof) from the /authorize endpoint of the authorization (AuthZ) server. This is what a request looks like:
    GET /authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri...

The authorization code grant flow with PKCE

PKCE is a more secure variation of the authorization code grant flow that was mainly introduced for SPAs. It was introduced to mitigate the authorization code interception attack, which aims to steal the authorization code from a legitimate application in order to obtain an access token.

Let’s see how this flow works:

Figure 4.3 – PKCE

The flow is explained in detail as follows:

  1. The client application requests an authorization code (authorization grant proof) from the /authorize endpoint of the authorization (AuthZ) server. Before sending the request, the client application generates a secret named code_verifier; it transforms it with a transformation named t_m and attaches the following to the authorization request:
    • t(code_verifier): The transformed secret
    • t_m: The transformation function
  2. The authorization server stores the transformed secret, t(code_verifier), and the transformation function...

The implicit grant flow

The implicit grant flow is used to obtain an access token (or an ID token for OIDC) and is optimized for SPA public clients. Such clients typically run in a web browser, using a client-side scripting language such as JavaScript. This flow does not issue a refresh token, and the interaction between the client and the authorization server is done through the /authorize endpoint only.

The flow is described in the following diagram:

Figure 4.4 – Implicit grant flow

The diagram is explained in detail as follows:

  1. An access token is requested by the client application; this is achieved by accessing the /authorize endpoint on the authorization (AuthZ) server. This is what a request looks like:
    GET /authorize?
    response_type=token    (or id_token)
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20resource_server_id
    &nonce=n-0S6_WzA2Mj
    &state=af0ifjsldkj...

The client credentials grant flow

The client credentials grant is a flow that must be used only by confidential clients, and it enables non-interactive application authentication. This makes sense because embedding the application credentials in a public client (such as a mobile application) exposes them to malicious users, making the whole purpose of keeping such credentials safe and secure in vain.

The flow is described in the following diagram:

Figure 4.5 – Client credentials grant flow

The diagram is explained in detail as follows:

  1. The client application requests an access token directly from the /token endpoint of the authorization (AuthZ) server by providing its previously configured credentials (such as client_id and a secret or certificate). This is what a request looks like:
    GET /token?
    grant_type=client_credentials
    &client_id=s6BhdRkqt3
    &scope=resource_server_id
    &client_secret=uayaskiR$£QDcfa
    Host: authzserver.example...

The ROPC grant flow

The ROPC flow moves the resource owner’s credential management into the client application. The resource owner is prompted directly by the client application, which usually has a form where the user can insert their credentials. For this reason, ROPC is not a recommended flow because it trusts that the client application will not misuse a user’s credentials.

The flow is described in the following diagram:

Figure 4.6 – ROPC grant flow

The diagram is explained in detail as follows:

  1. The resource owner directly inserts their credentials within the client application.
  2. The client application requests an access token directly to the /token endpoint of the authorization (AuthZ) server by sending the credentials the resource owner provided in the previous step. This is what a request looks like:
    POST /token?
    grant_type=PASSWORD
    &client_id=s6BhdRkqt3
    &scope=resource_server_id%20offline_access
    &username=userid1...

The OBO flow

The OBO flow (which is not part of standard OAuth 2.0 (IETF) but is specific to Microsoft Azure Active Directory implementation) is used to allow a resource server to call another resource server in the background without any user interaction. This is useful when there are two resource servers, usually managed by different parties, that trust the same authorization server and contribute to the logic of a single application, and need to be used in the background seamlessly. To allow a resource server to use the OBO flow, the authorization server must be properly configured.

Figure 4.7 – OBO flow

The diagram is explained in detail as follows:

  1. The client application requests an access token to the authorization server using the authorization code grant flow or another authentication flow, as described in the previous paragraphs.
  2. The authorization server validates the request and issues an access token to the client application.
    3. ...

Hybrid flows

Hybrid flows (part of the OIDC specification) mix authorization code grant and implicit flows together, enabling the issuing of access tokens and ID tokens at different phases compared to when those flows are used alone.

During the first call to the /authorize endpoint of the authorization server, a client application can specify the following values for the response_type parameter, making the authorization server behave differently:

  • code token: When specified in the HTTP request, an access token and an authorization code must be included in a successful response
  • code id_token: When specified in the HTTP request, an authorization code and an ID token must be included in a successful response
  • id_token token: When specified in the HTTP request, an ID token and an access token must be included in a successful response
  • code id_token token: When specified in the HTTP request, an access token and an ID token must be included in a successful response
    • ...

Summary

In this chapter, we have gone through the authorization and authentication flows provided by OAuth 2.0 and OIDC protocols. We described their usage and their main objectives in terms of the best scenarios where they can be used.

In the next chapter, we will get a broader view of how these flows can be used to solve specific problems by providing a set of recipes, or patterns, that can be used in particular scenarios that are usually encountered when working in an enterprise.

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 7 of 15
Next Chapter
You have been reading a chapter from
Cloud Identity Patterns and Strategies
Published in: Dec 2022Publisher: PacktISBN-13: 9781801810845
© 2022 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Authors (2)

author image
Giuseppe Di Federico

Giuseppe Di Federico started working for Microsoft in 2011, with previous experience working for IBM and Accenture in software development. He became an architect for cloud and hybrid solutions, serving customers in more than 10 countries across EMEA. He had the opportunity to lead multicultural teams, visit many multinational customers, and learn about different cultures, mindsets, and assets, which enabled him to also appreciate how organizations' structures impact their results. During his experience, he has been able to appreciate many identity patterns designed to last, to be reliable and secure. In June 2022, he accepted the challenge to join a new leading-edge team for the greatest service company in Italy.
Read more about Giuseppe Di Federico

author image
Fabrizio Barcaroli

Fabrizio Barcaroli (born in 1987) started his career as a consultant in Italy after obtaining a master's degree in computer science in 2012. In 2013, Fabrizio joined Microsoft as part of the Microsoft Consulting Services unit, where he developed his technical skills and helped customers achieve their business goals through the usage of Microsoft technologies. With the rise of the cloud era, Fabrizio specialized in cloud and identity solutions, and in 2020, he became a cloud solution architect, a technical advisor that helps close the gap between business needs and Microsoft technologies for big enterprises operating in the manufacturing, finance, and retail markets in Italy and across the globe.
Read more about Fabrizio Barcaroli

Personalised recommendations for you

Based on your interests and search pattern

Et al.

Et al.

Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.

BookAug 2023230 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages4
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages1
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Mastering Tableau 2023

Mastering Tableau 2023

This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.

BookAug 2023684 pages
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages5
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages2
Data Engineering with AWS

Data Engineering with AWS

Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.

BookOct 2023636 pages5
Modern Data Architecture on AWS

Modern Data Architecture on AWS

Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.

BookAug 2023420 pages5
Practical Guide to Applied Conformal Prediction in Python

Practical Guide to Applied Conformal Prediction in Python

Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.

BookDec 2023240 pages
TinyML Cookbook

TinyML Cookbook

With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.

BookNov 2023664 pages