Authentication and authorization are necessary for many of the applications we build. Maybe you've developed apps and implemented authentication an...
Thank you for sharing this outstanding, interesting and well written article, and just timely for my particular needs. Keep it up!
Thanks, Rodrigo, and you’re welcome! I hope it helps you with what you’re working on!
Thanks for that article, cleared some things up!
But I also have a question: The docs talk about storing subscription plan data in the user's metadata, but don't go into detail how. Would I use a rule or hook for this? Also, what is the difference?
In a very general sense, I would recommend rules for adding the user metadata to your ID and/or access tokens (depending on the use case), but without knowing more details, I'm not able to detail a flow for you.
I strongly recommend that you ask this question in the Auth0 Community forum and provide details there such as:
The folks at Auth0 should then be able to help you determine the correct flow to get all your data securely where it needs to go.
Thank you for your post. It is well written and easy to digest for everyone (I think).
I really appreciate your diagrams. Can you tell me how you create them, please?
What would be your advice for modern developers: should they just forget about or abandon OAuth 2.0 and stick to OIDC?
As you mentioned these 2 points as problems with using access tokens for authentication:
How are they being solved in OpenID Connect?
Even in OpenID Connect, what if I stole a JWT token and presented it to the authorization server? It would still work, right? It is the same for point 2 as well, right?
If a token is stolen it can be used by someone else. Just like if a cookie is stolen it too can be used by someone else. It is up to the developer to make sure their application is secure against attacks.
OIDC addresses this by using something called a nonce, which is explained in the section on authentication claims. A nonce provides a way for a client to know that the token it receives is the one being returned from the exact authorization request that was issued.
Great article.
2 small questions:
'The client application then decodes the ID token (which is a JWT) and verifies it. This includes validating the signature ' - to do this must the client app have the public key of the issuer installed? Does the client also need to communicate/interface with the auth server at the point of verification/validation?
Thanks for your time.
Hello, thanks for your questions!
1) Yes, the client app must have access to the decryption key in order to validate the signature; otherwise, it won't be able to decrypt the signature to see its contents. If asymmetric key cryptography is being used, then it will be a public key; if symmetric, there is only one key, and that same key must be kept private on both the client and authorization server (not recommended).
2) No, the client does not need to communicate with the auth server during validation. It should already have the key, and everything else it needs to perform validation is contained within the JWT itself.
It's strongly recommended that you not implement validation manually, but rather, that you use an SDK or library. If you'd like to learn a lot more about this, I also wrote Signing and Validating JSON Web Tokens (JWT) for Everyone.
that was awesome
Thank you for the kind words, and thank you for reading!
Thanks for the info
Really helpful and crystal clear!
Thanks a lot
Keep it up... thanks for sharing, good one.
When using the iPhone (Safari) for authentication, always error 401 unauthorized for Windows Identity, any idea to solve this?
This is insightful. Thank you for sharing this with us.
This is a great article. You explained this complicated stuff step by step and that was very useful. Thanks!
By the way, the animations are nice!
Is this still relevant? Or are there any later versions of OAuth?
Nicely written!
Looking forward to the next parts! Thanks for sharing such detailed yet accessible information.
I really enjoyed reading this crash course, a lot of concepts were demystified gracefully.
Thanks a lot
Thank you for sharing this wonderful write up. It gave a lot of insight.
Excellent article, I wish I had read it before; not long ago I was struggling to solve an Identity Server (.NET Core) problem with zero knowledge about OpenID Connect.
For sure I will share.