Tuesday, April 18, 2017

OAuth using Google Cloud Platform


What is OAuth?

OAuth is a standard for access delegation. If you want to grant an app or client access to your information held on other sites without handing over your password, that is essentially what OAuth is for. Several companies use it, and it lets users share information about their accounts with third-party applications or websites.

OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.


Auth0 helps you to:
  • Add authentication with multiple authentication sources, either social (Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, among others) or enterprise identity systems (Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider).
  • Add authentication through the more traditional username/password databases.
  • Link different user accounts to the same user.
  • Generate signed JSON Web Tokens to call your APIs and flow the user identity securely.
  • Analyze how, when, and where users are logging in.
  • Pull data from other sources and add it to the user profile through JavaScript rules.


What you should add to your OAuth code:

CLIENT_ID, CLIENT_SECRET, AUTZ_URL and IDCS_URL.

Your code for parsing the JWT and manipulating the JSON content returned by the OAuth flow should be similar to this:




In the case of Google, you should register the service account, the product name (which equals the project name), and the redirect_URI.

Web application configuration on GCP.

Service account and keys needed for Auth0 on Google.

Running your OAuth/Google app:








Getting the Authorization, Token and SessionID.
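The configuration values and the JWT handling described above, as an added example in Python (not the post's own code, which appears in the screenshots): it builds the authorization request with a state parameter and parses and checks the id_token returned with the access token. The client id, redirect URI, Google endpoint and issuer strings are assumed placeholders, and signature verification against the provider's published keys is left to a JWT library.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholders for the values the post says to register (not real
# credentials). The Google endpoint and issuer strings below are assumptions.
CLIENT_ID = "123456789-example.apps.googleusercontent.com"
AUTZ_URL = "https://accounts.google.com/o/oauth2/v2/auth"
REDIRECT_URI = "https://app.example.com/oauth2/callback"
EXPECTED_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def build_authorization_url(state: str) -> str:
    """Step 1 of the authorization-code flow: the URL the browser is sent to.
    `state` is a random value kept in the user's session and compared on the
    callback, which binds the callback to the session that started the flow."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must exactly match the registered URI
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,
    }
    return AUTZ_URL + "?" + urlencode(params)

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_id_token(id_token: str, now: int = None) -> dict:
    """Decode the JWT id_token returned with the access token and check the
    claims a client must check before trusting it: issuer, audience (our
    CLIENT_ID) and expiry. The signature is NOT verified here; that needs the
    provider's published keys (JWKS) and must succeed before the claims are used."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token rejected")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in EXPECTED_ISSUERS:
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    return claims
```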

What's the difference between SSO/federation and this OAuth process?

A1 - Federation uses SAML (Security Assertion Markup Language) to achieve SSO, federation, and identity management.
OAuth (Open Authorization) is a standard for authorization of resources. It does not deal with authentication.


A2 - Token and message format
SAML uses XML as its token and message format.

OAuth tokens can be binary, JSON, or SAML as explained in OAuth Bearer Tokens.

A3 - Transport
SAML has bindings that use HTTP, such as the HTTP POST binding, the HTTP Redirect binding, etc.

But there is no restriction on the transport: you can use SOAP, JMS or any other transport you want to send SAML tokens or messages.

OAuth uses HTTP exclusively.


Happy coding.


I hope it helps,
Thiago Leoncio
