integrating oauth2 & openid connect - intersystems · 2018-06-26 · o %oauth2 o api classes,...

© 2016 InterSystems Corporation. All rights reserved. Integrating OAuth2 & OpenID Connect




Authentication vs Authorization

o OpenID Connect: Authentication (who you are)
o OAuth2: Authorization (what you can do)


What is OAuth?

OAuth is an open standard for authorization, commonly used as a way for Internet users to log into third party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password. Generally, OAuth provides to clients a "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.


OAuth2 Practical Example


Without OAuth2




Let's Start Again


With OAuth2

o URL changed to: https://drive.google.com
o URL is: https://drive.google.com
o URL changed to http://printfast.com with code parameter


OAuth2 Flow in Depth


Who is who in OAuth

o User: Person using client application
o Client: Application that asks for data from resource server
o Authorization Server: Registers client and resource server applications; provides endpoint for user to login and gain permission to retrieve data; provides scope
o Resource Server: Provides data to client application through API calls
o Resource Owner: A user who is giving access to client


OAuth2 Flow - Client Registration

Participants: Client, Authorization Server, Resource Server

Client registers with Authorization Server:

o Client_Id = print-fast
o Client_Secret = xxx
o Redirect_Url = http://print-fast.com


Grant Types/OAuth2 Flows

Grant type defines how the client application obtains permission (grant) from users to access their data on their behalf.

o Authorization code
  o Most often used
  o Uses a redirect to the authorization server to authorize access to data
o Implicit grant
  o Simplified version of the above; the access token is issued directly
o Resource Owner grant
  o The resource owner has to provide its credentials directly to the client
o Client Credentials grant
  o Used when the client application, on behalf of itself rather than the user of the client app, is requesting access to protected resources such as a storage or database service


OAuth2 Flow (Authorization code)

Participants: Resource Owner, Client, Authorization Server, Resource Server

o Client -> Resource Owner: Authorization Request
o Resource Owner -> Client: Authorization Grant
o Client -> Authorization Server: Authorization Grant
o Authorization Server -> Client: Access Token
o Client -> Resource Server: Access Token
o Resource Server -> Client: Protected Resource
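The client registration and the authorization-code sequence from the two slides above, as an added Python simulation (not InterSystems code and not the %SYS.OAuth2 API): the authorization server issues a code bound to the client and its registered Redirect_Url, exchanges it exactly once for an access token after checking the client secret, and the resource server serves data only for a token carrying the needed scope. The registration values are the slide's (Client_Secret "xxx" is its placeholder); the class and function names, the user "alice" and the "drive" scope are constructed for the example.

```python
import secrets

class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, redirect_url)
        self.codes = {}    # code -> (client_id, redirect_url, user, scope)
        self.tokens = {}   # access_token -> (user, scope)

    def register_client(self, client_id, client_secret, redirect_url):
        self.clients[client_id] = (client_secret, redirect_url)

    def authorize(self, client_id, redirect_url, user, scope):
        # Authorization endpoint: once the resource owner approves, issue a code
        # bound to the client and to the exact redirect URL it registered.
        if redirect_url != self.clients.get(client_id, (None, None))[1]:
            raise ValueError("redirect_url does not match registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_url, user, scope)
        return f"{redirect_url}?code={code}"  # the browser is sent back here

    def token(self, client_id, client_secret, code, redirect_url):
        # Token endpoint (back channel): authenticate the client, consume the code.
        secret = self.clients.get(client_id, ("", ""))[0]
        if not (secret and secrets.compare_digest(secret, client_secret)):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # single use: gone after first exchange
        if entry is None or entry[0] != client_id or entry[1] != redirect_url:
            raise PermissionError("unknown, reused or mismatched code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[2], entry[3])
        return token

def protected_resource(auth, access_token, needed_scope):
    # Resource server: serve data only for a known token carrying the needed scope.
    user, scope = auth.tokens.get(access_token, (None, set()))
    if user is None or needed_scope not in scope:
        raise PermissionError("invalid token or insufficient scope")
    return f"files of {user}"

def run_flow():
    # Registration values are the slide's; client_secret "xxx" is its placeholder.
    auth = AuthorizationServer()
    auth.register_client("print-fast", "xxx", "http://print-fast.com")
    location = auth.authorize("print-fast", "http://print-fast.com", "alice", {"drive"})
    code = location.split("code=")[1]  # the code parameter on the redirect
    token = auth.token("print-fast", "xxx", code, "http://print-fast.com")
    return auth, code, protected_resource(auth, token, "drive")
```

A second call to `auth.token` with the same code raises PermissionError, which is the single-use property the code grant relies on.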


How we implement OAuth2

o A set of classes in %SYS namespace - framework
o Framework classes by their purpose (and package):
  o %OAuth2
    o API classes, provide user customization to authorization page
  o Oauth
    o Internal classes used by framework to:
      o Store configurations
      o Store access tokens
  o %SYS.OAuth2
    o API classes, used by developers to:
      o Establish OAuth messages flow
      o Create HTTP request objects
      o Validate tokens


Demo


Where to go from here