Gluu Blog


Stop Writing Custom Authentication APIs! How to Easily Implement OAuth2 with OpenID Connect and UMA

Mike S. November 11, 2015

Note: This is an OSCON 2016 session proposal by Gluu CEO, Mike Schwartz.

Summary

OAuth2 can be a pain in the neck! However, short-lived OAuth2 bearer tokens can improve API performance and security. And if you have lots of APIs, centralizing client registration and token issuance makes sense. Don’t re-invent the wheel! Use FOSS tools for the OpenID Connect and User Managed Access profiles of OAuth2 to get the job done quickly and securely.

Abstract

Before you write another OAuth2 API… STOP!!!

OAuth2 is a framework, not a protocol. One of the common mistakes programmers make is to reinvent the wheel by defining a new OAuth2 API when suitable profiles already exist. This is especially true for person authentication and the centralized issuance of tokens for API access management. Not only is it a waste of effort, but unless you have a lot of experience writing security APIs, you may mess it up and create a security vulnerability.

OpenID Connect, developed by many of the leading OAuth2 gurus, defines how to identify clients and people. A client is either a website or a native application: software acting on behalf of a person. OpenID Connect is not an authentication API; how to authenticate the person is left up to you. You can use passwords, SMS messages, push notifications, U2F security keys, biometrics or any other technology. OpenID Connect provides the APIs that enable you to send a person to be authenticated, and to enable the person to authorize the release of information to your application.
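
The relying-party side of the flow just described, as an added example that is not from this post or from Gluu's own code: the client sends the person to the provider with a state and nonce, then checks the ID token that comes back before trusting it. The issuer, client id and HS256 shared secret are constructed for the demo, and mint_test_token stands in for the provider so the example runs offline; real providers normally sign ID tokens with RS256 keys published at their jwks_uri, but the claim checks are the same.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Hypothetical OpenID Provider and client registration, constructed for this example.
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-web-app"
# Constructed shared secret for HS256. Real providers normally sign ID tokens with
# RS256 keys published at their jwks_uri; the claim checks below are the same either way.
CLIENT_SECRET = b"constructed-demo-secret-do-not-reuse"

def build_authorization_request(redirect_uri):
    """Step 1: send the person to the provider. The client stores state and nonce in its session."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": "openid profile email", "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}", state, nonce

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_id_token(id_token, expected_nonce, now=None):
    """Step 2: after the code is exchanged, check the ID token before trusting who it names."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none" or a surprise
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to the request we sent
        raise ValueError("nonce mismatch")
    return claims

def mint_test_token(claims):
    """Constructed stand-in for the provider, only so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    h, p = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    sig = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()
```

Every rejected case (wrong issuer, wrong audience, expiry, nonce mismatch, tampered signature) is a check a hand-rolled token validator is prone to skip.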

The User Managed Access protocol (UMA) is complementary to OpenID Connect. After your application has identified a person, you may need to call APIs. In the OAuth2 world, you want to make sure that the client calling the API has a valid token. Where does this token come from? How is it validated? This is what UMA defines.

Using open standards ensures interoperability. Some may remember LDAP as an authentication option. OpenID Connect and UMA offer a more modern solution for centralized security to meet new requirements for stronger authentication techniques. These standards also offer support for mobile and JavaScript applications.

From a productivity perspective, many tools and libraries already exist to implement OpenID Connect and UMA. By using existing implementations, you can avoid digging into the depths of OAuth2 application security. That’s the ultimate goal: to get you on your way to solve business problems, while putting proven security patterns to work.


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.