Modern Authentication 101
Security has never mattered more than in today's environment of distributed computing and widespread data sharing. Our data no longer sits in silos consumed by a single application. Modern distributed applications need to access protected resources on a user's behalf without that user handing over a password, and the solutions need to scale to clients such as single-page applications. We will dive in and explore terms like `OAuth`, `OpenIdConnect` and `JWT` and how they relate to authentication and authorisation. This presentation aims to give you a good understanding of what these protocols are, where they apply and how to get started with modern approaches to authentication.
In my experience most software developers don't have a good understanding of why protocols like OAuth and OpenIdConnect exist, what type of problems they solve and which flow to pick to solve their problems. Most of all, they lack the knowledge of the compromises they make when they choose an authentication flow. Because these authentication flows are abstracted away in most implementations, novice developers don't get exposed to the nuts and bolts. There are more and more compromises that happen because someone doesn't follow security best practice or picks the wrong tool for the job. My motivation is to transfer some of my knowledge to young developers so they make an informed choice when the opportunity presents itself.
Senior Software Engineer @ Microsoft