Stop Writing Custom Authentication APIs! How to Easily Implement OAuth2 with OpenID Connect and UMA
Note: This is an OSCON 2016 session proposal by Gluu CEO, Mike Schwartz.
OAuth2 can be a pain in the neck! However, short-lived OAuth2 bearer tokens can improve API performance and security. And if you have lots of APIs, centralizing client registration and token issuance makes sense. Don’t re-invent the wheel! Use FOSS tools for the OpenID Connect and User Managed Access profiles of OAuth2 to get the job done quickly and securely.
Before you write another OAuth2 API… STOP!!!
OAuth2 is a framework, not a protocol. One of the common mistakes programmers make is to reinvent the wheel by defining a new OAuth2 API when suitable profiles already exist. This is especially true for person authentication and for the centralized issuance of tokens for API access management. Not only is it a waste of effort, but unless you have a lot of experience writing security APIs, you may mess it up and create a security vulnerability.
OpenID Connect, developed by many of the leading OAuth2 gurus, defines how to identify clients and people. A client is either a website or a native application: it is software acting on behalf of a person. OpenID Connect is not an authentication API; how to authenticate the person is left up to you. You can use passwords, SMS messages, push notifications, U2F security keys, biometrics or any other technology. OpenID Connect provides the APIs that enable you to send a person to be authenticated, and to enable the person to authorize the release of information to your application.
The User Managed Access protocol (UMA) is complementary to OpenID Connect. After your application has identified a person, you may need to call APIs. In the OAuth2 world, you want to make sure that the client calling the API has a valid token. Where does this token come from? How is it validated? This is what UMA defines.
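Here is the resource-server side of that question as an added example (not code from the post or from Gluu): an API checks the caller's bearer token against the authorization server's introspection response before serving the request, failing closed on anything inactive, expired or out of scope. The introspection response shape (UMA 1.0 RPT fields `active`, `exp` and `permissions` with `resource_set_id` and `scopes`), the fixed clock and the token value are constructed assumptions, and `fake_introspect` stands in for the real introspection call.

```python
# Constructed sample: what the authorization server's token introspection endpoint
# returns for an UMA 1.0 requesting party token (RPT); field names are my assumption.
NOW = 1_460_000_000  # fixed clock so the example is reproducible (constructed)
SAMPLE_INTROSPECTION = {
    "active": True,
    "exp": NOW + 300,  # short-lived token: five minutes
    "permissions": [
        {"resource_set_id": "patient-records", "scopes": ["view"], "exp": NOW + 300},
        {"resource_set_id": "audit-log", "scopes": ["view", "export"], "exp": NOW - 10},
    ],
}

def fake_introspect(token):
    # Stand-in for the introspection call; unknown tokens come back inactive.
    return {"rpt-abc123": SAMPLE_INTROSPECTION}.get(token, {"active": False})

def parse_bearer(authorization_header):
    # Extract the token from "Authorization: Bearer <token>", else None.
    parts = (authorization_header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()

def rpt_permits(introspection, resource_set_id, scope, now):
    # Fail closed: inactive/expired token, expired permission, or missing scope.
    if not introspection.get("active", False):
        return False
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False
    for perm in introspection.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        perm_exp = perm.get("exp")
        if perm_exp is not None and now >= perm_exp:
            continue
        if scope in perm.get("scopes", []):
            return True
    return False

def authorize_request(authorization_header, resource_set_id, scope, now, introspect=fake_introspect):
    # Resource-server gate for one API call: returns (HTTP status, reason).
    token = parse_bearer(authorization_header)
    if token is None:
        return 401, "missing or malformed bearer token"
    if not rpt_permits(introspect(token), resource_set_id, scope, now):
        return 403, "token does not grant the required permission"
    return 200, "ok"
```

A missing or malformed header is a 401 (the client never presented a credential), while a token that introspects fine but lacks the permission is a 403; keeping that distinction helps when reading access logs.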
From a productivity perspective, many tools and libraries already exist to implement OpenID Connect and UMA. By using existing implementations, you can avoid digging into the depths of OAuth2 application security. That’s the ultimate goal: to get you on your way to solve business problems, while putting proven security patterns to work.