Enterprise OAuth 2.0 - OAuth2.0OpenID Connect For the Enterprise(4)


OAuth 2.0 and OpenID Connect

OAuth 2.0 Best Practices
  • Prefer the Authorization Code Grant with PKCE
  • Prefer the Client Credentials Grant for cron jobs
  • Avoid the Implicit Grant
  • Avoid the Resource Owner Password Grant
  • Store secrets in a safe place
  • Rotate secrets regularly
  • Keep access tokens short-lived (5 min)
  • Avoid using local users of the Authorization Server
  • Do not grant users more scopes than they need
  • Use the enterprise logout (terminates all sessions)
  • Do not store tokens or secrets in the browser or on mobile devices
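The first bullet in working form: the client-side and authorization-server-side halves of PKCE (RFC 7636, S256 method). This is an added example, not code from the original post; it uses only the Python standard library and the verifier check is written to reject the weaker `plain` method, in line with the practices listed above.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy verifier per authorization request.
    32 random bytes encode to 43 characters, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    Only the challenge travels in the (browser-visible) authorization request."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url(digest)


def verify_pkce(stored_challenge: str, presented_verifier: str,
                method: str = "S256") -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge
    from the verifier presented alongside the authorization code and compare it
    with the challenge stored when the code was issued."""
    if method != "S256":
        return False  # 'plain' gives no protection against a leaked challenge
    if not (43 <= len(presented_verifier) <= 128):
        return False  # outside the RFC 7636 length bounds
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def run_flow() -> dict:
    """Simulate one exchange: the client keeps the verifier, the server keeps
    the challenge, and only the legitimate client can redeem the code."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)          # sent in /authorize
    return {
        "legit_client": verify_pkce(challenge, verifier),
        "code_thief": verify_pkce(challenge, make_code_verifier()),
        "plain_method": verify_pkce(verifier, verifier, method="plain"),
    }
```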
posted @ 2021-05-05 20:29  晨风_Eric