reading-notes

Reading notes for Code Fellows Courses

View project on GitHub

Notes on Authentication

What is OAuth

  • What is OAuth?

It is secure, third-party, user-agent, delegated authorization; an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, related, single logon credential

  • Give an example of what using OAuth would look like.

Like when I go to a new website and it gives me the option to directly create or log in to an account with them or to use my Google Account or Apple Account authentication.

  • How does OAuth work? What are the steps that it takes to authenticate the user?

The primary site connects with the third party site, verifies the credentials for identification, and clears them for entry to the primary site.

  • What is OpenID?

An authentication layer for OAuth (beat out in popularity and functionality by Facebook Connect).

Authorization and Authentication flows

  • What is the difference between authorization and authentication?

Authorication is about accessing services, authentication is about assessing identity.

  • What is Authorization Code Flow?

Exchange of an Authorization Code for a token.

  • What is Authorization Code Flow with Proof Key for Code Exchange (PKCE)?

An additional layer of security where Auth0’s SDK creates a cryptographically-random code_verifier and from this generates a code_challenge for extra verification.

  • What is Implicit Flow with Form Post?

While no longer considered a best practice for requesting Access Tokens, it is an alternative to Authorization Code Flow intended for Public Clients or apps that can’t securely store Client Secrets.

  • What is Client Credentials Flow?

The system authenticates and authorizes the app rather than a user, used with machine-to-machine (M2M) apps.

  • What is Device Authorization Flow?

The device asks the user to go to a link on their computer or smartphone and authorize the device.

  • What is Resource Owner Password Flow?

Should only be used when redirect-based flows can’t be used, it requests that users provide credentials (username and password), typically using an interactive form.

Things I want to know more about

Excited to see how we implement this.