Posts tagged 'authentication'
What happens to the tokens after an OAuth Authorization Code grant?
At the end of the OAuth Authorization Code grant, after a user presents their credentials at login, a code is returned which can be exchanged for one or more tokens at the token endpoint.
These tokens include an access token, an optional refresh token, and an optional id token. The access token is used to get access to different APIs and protected resources. The refresh token lets you mint new access tokens, and the id token is used by the client to display information about the user.
Why is there no authentication in OAuth?
OAuth, a standard for securely delegating authorization information, and OIDC, a profile written on top of it to securely transmit user profile data, both rely heavily on authentication of the user (also known as the ‘resource owner’) at the authorization server. The authorization server issues tokens only after the user has been authenticated to its satisfaction.
However, there is next to no guidance about how to actually authenticate the user. Should I use a username and password? A magic link? Delegate to a third party? Require a TOTP code?
This question came up in a discussion amongst the FusionAuth team and I thought it was worth digging into a bit more.
Why exactly is ‘authentication’ undefined in OAuth/OIDC?
Why use a standardized auth protocol?
Software applications regularly need to gain access to data from other services on behalf of their users. An application may need to grab a list of a user’s contacts from a third-party service, such as their Google contacts. Or it might need to access a user’s calendar so the application can create calendar entries for the user. Larger organizations often require employees to have passwordless access to all the applications and services needed to do their jobs.
Outsourcing auth: how to get buy-in from your team
You lead a team of engineers, and your team is responsible for building out a new customer-facing product that could have a huge impact on the trajectory of your company. Lately you’ve been considering whether or not rolling your own authentication system is a good idea. You’ve spent a lot of time and effort carefully weighing the pros and cons, and you’ve come to the conclusion that home-grown auth is not in the best interests of your company.
How do you go about talking to all the relevant stakeholders about this choice?
Hide upstream identity providers with the Auth Facade
During conversations with FusionAuth customers, I have seen a common deployment pattern I call the “Auth Facade”. This architecture is useful when deploying software to heterogeneous environments. You and your team are building an application which will deploy onsite. This could be into a data center, an isolated network, or a private cloud. These environments are run by your customers and you have limited insight into their configuration.
Why outsource your auth system?
You’re a software engineering leader, and you’re great at your job. You know that the optimal path for software development lies in figuring out which components of your design to implement from scratch and which have already been implemented by specialists and can be reused.