From the course: Web Security: OAuth and OpenID Connect (2019)

Describing OAuth 2.0

- Let's talk about what OAuth and OpenID Connect are. We'll cover OAuth first. Most people think they understand OAuth. Unfortunately, most people are wrong. OAuth is not a password sharing mechanism or protocol. It's not even a login process. The misunderstanding comes down to Authentication versus Authorization. These are affectionately known as AuthN and AuthZ respectively. Authentication is who you are while authorization is what you can do. Authorization depends on authentication but they're not interchangeable. My favorite analogy here is checking in to a hotel. When you check in to a hotel, you present the front desk clerk with your driver's license or passport and a credit card. This establishes who you are, or your identity. Then they issue you a key card. Encoded on that card is what you have access to, which will include your room, but it might also include the gym or workout room. And if you have permission, it might also include the executive lounge. That's your authorization. The best part is that your personal and billing information never leaves the front desk. This is OAuth. In terms of OAuth terminology, you are the client. The front desk is the authorization server, which evaluates the authorization policies. The key card is an access token, representing the result of those policies. And your room, the executive lounge, etc., are the resources you want to protect. Fundamentally, OAuth is an authorization framework. It gives you a consistent pattern to request, receive, and apply authorization policies across resources. Now let's talk about OpenID Connect. OIDC provides structure to a user profile, and allows you to selectively share it. To continue with our analogy from earlier, let's say you want to eat at the hotel restaurant. With OIDC you can share your food allergies, and those alone, but not your e-mail address. Allowing you to share specific things is just authorization all over again.
And that's right, OpenID Connect is just a special case of OAuth. It's designed specifically for single sign-on use cases, and sharing profile information. That's how we get sign in with GitHub, Facebook, LinkedIn, and just about everything else.
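The hotel analogy worked through as an added example (this is not code from the course): a toy authorization server authenticates the guest (AuthN), evaluates policy and mints a signed access token carrying only the granted scopes (AuthZ); resource servers check scopes without ever seeing credentials or billing data, and an OIDC-style userinfo call releases only the profile claims the granted scopes cover. The guest data, scope names and the HMAC-signed token format are assumptions made for this demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo data (not from the course). The authorization server ("front desk")
# holds identity, credentials and billing details; resource servers only ever see tokens.
SECRET = b"demo-authorization-server-key"  # demo only; real deployments use a proper key (often asymmetric)
GUESTS = {"alice": {"password": "hunter2", "tier": "executive", "card": "4111-****-1111",
                    "email": "alice@example.com", "allergies": ["peanuts"]}}
SCOPE_CLAIMS = {"profile:allergies": "allergies", "profile:email": "email"}  # scope -> profile claim

def authenticate(username, password):
    """AuthN: establish who the caller is. Returns the subject on success, otherwise None."""
    guest = GUESTS.get(username)
    ok = guest is not None and hmac.compare_digest(guest["password"].encode(), password.encode())
    return username if ok else None

def issue_token(subject, requested, ttl=600):
    """AuthZ: apply policy to the request and mint a signed 'key card' (access token)
    carrying only the granted scopes, never the credentials or billing data."""
    allowed = {"room", "gym", "profile:allergies", "profile:email"}
    if GUESTS[subject]["tier"] == "executive":
        allowed.add("lounge")
    claims = {"sub": subject, "scope": sorted(set(requested) & allowed), "exp": int(time.time()) + ttl}
    body = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token):
    """Resource-side check: signature and expiry. Returns the claims dict or None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong shape or invalid base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(SECRET, body, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(body)
    return claims if claims.get("exp", 0) > time.time() else None

def access_resource(token, resource):
    """Protected resource (room, gym, lounge): granted only if the token carries that scope."""
    claims = verify_token(token)
    return claims is not None and resource in claims["scope"]

def userinfo(token):
    """OIDC-style selective profile sharing: release only the claims the granted scopes cover."""
    claims = verify_token(token)
    if claims is None:
        return {}
    profile = GUESTS[claims["sub"]]
    return {"sub": claims["sub"], **{c: profile[c] for s, c in SCOPE_CLAIMS.items() if s in claims["scope"]}}
```

Note that a request for "spa" is silently dropped by policy and a forged token body fails the signature check, so the resource server never has to know who the guest is or how they paid.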