Posts tagged 'authentication'
What happens to the tokens after an OAuth Authorization Code grant?
At the end of the OAuth Authorization Code grant, after a user presents their credentials at login, a code is returned which can be exchanged for one or more tokens at the token endpoint.
These tokens include an access token, an optional refresh token, and an optional id token. The access token is used to get access to different APIs and protected resources. The refresh token lets you mint new access tokens, and the id token is used by the client to display information about the user.READ MORE
Why is there no authentication in OAuth?
OAuth, a standard for securely delegating authorization information, and OIDC, a profile written on top of it to securely transmit user profile data, both rely heavily on authentication of the user (also known as the ‘resource owner’) at the authorization server. The authorization server issues tokens only after the user has been authenticated to its satisfaction.
However, there is next to no guidance about how to actually authenticate the user. Should I use a username and password? A magic link? Delegate to a third party? Require a TOTP code?
This question came up in a discussion amongst the FusionAuth team and I thought it was worth digging into a bit more.
Why exactly is ‘authentication’ undefined in OAuth/OIDC?READ MORE
Why use a standardized auth protocol?
Software applications regularly need to gain access to data from other services on behalf of their users. An application may need to grab a list of user’s contacts from a third-party service, such as their Google contacts. Or it might need to access a user’s calendar so the application can create calendar entries for the user. Larger organizations often require employees to have passwordless access to all the applications and services needed to do their jobs.READ MORE
Outsourcing auth: how to get buy-in from your team
You lead a team of engineers, and your team is responsible for building out a new customer-facing product that could have a huge impact on the trajectory of your company. Lately you’ve been considering whether or not rolling your own authentication system is a good idea. You’ve spent a lot of time and effort carefully weighing the pros and cons, and you’ve come to the conclusion that home grown auth is not in the best interests of your company.
How do you go about talking to all the relevant stakeholders about this choice?READ MORE
Hide upstream identity providers with the Auth Facade
During conversations with FusionAuth customers, I have seen a common deployment pattern I call the “Auth Facade”. This architecture is useful when deploying software to heterogeneous environments. You and your team are building an application which will deploy onsite. This could be into a data center, an isolated network, or a private cloud. These environments are run by your customers and you have limited insight into their configuration.READ MORE
Why outsource your auth system?
You’re a software engineering leader, and you’re great at your job. You know that the optimal path for software development lies in figuring out which components of your design to implement from scratch and which have already been implemented by specialists and can be reused.READ MORE