Rating: 5 out of 5 stars
5/5
Ebook217 pages1 hour
OpenID Connect - End-user Identity for Apps and APIs: API-University Series, #6
Rating: 0 out of 5 stars
()
About this ebook
Signup and login with a Google, Yahoo, or Microsoft account can be found in more and more web and mobile apps. One login used by many, freeing the end-user from the burden of managing many accounts and passwords. Signup and login to a new app become so smooth and convenient, that end-users are much more likely to try a new app.
For us developers of web and mobile apps, these signup and login features are attractive, too: we do not need to manage user credentials, and we get a higher conversion rate resulting in more new customers. In effect, this means cutting costs and increasing the number of new customers for our apps.
So how does this feature "Signup and login with Google, Yahoo, or Microsoft" work? It is realized with OpenID Connect, a standardized protocol for sharing end-user data in a secure and controlled manner. Exploring how OpenID Connect works, so we as developers can enjoy its benefits is the subject of this book.
This book explains the overall concept of OpenID Connect, so we understand who the actors are, which endpoints and tokens are involved and how these elements interact in so-called flows. These flows tend to get confusing, so we visualize these flows as sequence diagrams, and show how to choose the flow that is appropriate for a given scenario. Using examples, we explore how the tokens are constructed, signed and encrypted with JWT, JWS, and JWE.
This is not a programming book, don't expect implementations with a specific programming language or library. Instead, we focus on understanding OpenID Connect on a conceptual level, so we can design and architect apps that work with OpenID Connect. And OpenID Connect is the standard behind creating smooth login and signup experiences, increasing the customer signup rate, and creating highly converting apps.
Related to OpenID Connect - End-user Identity for Apps and APIs
Titles in the series (3)
RESTful API Design - Best Practices in API Design with REST: API-University Series, #3 OpenID Connect - End-user Identity for Apps and APIs: API-University Series, #6 Rating: 0 out of 5 stars0 ratingsMaking Money with Alexa Skills - A Developer's Guide: API-University Series, #10 Rating: 0 out of 5 stars0 ratings
Related ebooks
RESTful API Design - Best Practices in API Design with REST: API-University Series, #3 Rating: 5 out of 5 stars5/5Mastering OAuth 2.0 Rating: 5 out of 5 stars5/5Developing Cloud Native Applications in Azure using .NET Core: A Practitioner’s Guide to Design, Develop and Deploy Apps Rating: 0 out of 5 stars0 ratingsREST API Design Control and Management Rating: 4 out of 5 stars4/5Cloud Native Patterns: Designing change-tolerant software Rating: 4 out of 5 stars4/5Microservices Security in Action Rating: 0 out of 5 stars0 ratingsAPI Security in Action Rating: 5 out of 5 stars5/5API Design Patterns Rating: 5 out of 5 stars5/5Event Processing in Action Rating: 0 out of 5 stars0 ratingsDomain Driven Design : How to Easily Implement Domain Driven Design - A Quick & Simple Guide Rating: 2 out of 5 stars2/5Microservices in Action Rating: 0 out of 5 stars0 ratingsOAuth 2 in Action Rating: 0 out of 5 stars0 ratingsHands-On Microservices with Kubernetes: Build, deploy, and manage scalable microservices on Kubernetes Rating: 5 out of 5 stars5/5CORS in Action: Creating and consuming cross-origin APIs Rating: 0 out of 5 stars0 ratingsMicroservices Patterns: With examples in Java Rating: 5 out of 5 stars5/5Re-Engineering Legacy Software Rating: 0 out of 5 stars0 ratingsThe Tao of Microservices Rating: 0 out of 5 stars0 ratingsMicroservices Architecture Handbook: Non-Programmer's Guide for Building Microservices Rating: 5 out of 5 stars5/5Building Server-side and Microservices with Go: Building Modern Backends and Microservices Using Go, Docker and Kubernetes Rating: 0 out of 5 stars0 ratingsKnative in Action Rating: 0 out of 5 stars0 ratingsRefactoring for Software Design Smells: Managing Technical Debt Rating: 4 out of 5 stars4/5RabbitMQ in Depth Rating: 0 out of 5 stars0 ratingsOpenID Connect A Clear and Concise Reference Rating: 0 out of 5 stars0 ratingsServerless Applications with Node.js: Using AWS Lambda and Claudia.js Rating: 0 out of 5 stars0 ratings10x Software Engineer Rating: 0 out of 5 stars0 ratingsMicroservices by Examples Using .NET Core: Using .NET Core Rating: 0 out of 5 stars0 ratingsChaos Engineering: Site reliability through controlled disruption Rating: 5 out of 5 stars5/5Seriously Good Software: Code that works, survives, and wins Rating: 5 out of 5 stars5/5Micro Frontends in Action Rating: 0 out of 5 stars0 ratings
Internet & Web For You
More Porn - Faster!: 50 Tips & Tools for Faster and More Efficient Porn Browsing Rating: 3 out of 5 stars3/5Beginner's Guide To Starting An Etsy Print-On-Demand Shop Rating: 0 out of 5 stars0 ratingsGrokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5The $1,000,000 Web Designer Guide: A Practical Guide for Wealth and Freedom as an Online Freelancer Rating: 5 out of 5 stars5/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5Coding For Dummies Rating: 5 out of 5 stars5/5Introduction to Internet Scams and Fraud: Credit Card Theft, Work-At-Home Scams and Lottery Scams Rating: 4 out of 5 stars4/5The Logo Brainstorm Book: A Comprehensive Guide for Exploring Design Directions Rating: 4 out of 5 stars4/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5The Digital Marketing Handbook: A Step-By-Step Guide to Creating Websites That Sell Rating: 5 out of 5 stars5/5SEO For Dummies Rating: 4 out of 5 stars4/5How To Make Money Blogging: How I Replaced My Day-Job With My Blog and How You Can Start A Blog Today Rating: 4 out of 5 stars4/5Six Figure Blogging Blueprint Rating: 5 out of 5 stars5/5200+ Ways to Protect Your Privacy: Simple Ways to Prevent Hacks and Protect Your Privacy--On and Offline Rating: 0 out of 5 stars0 ratingsThe Beginner's Affiliate Marketing Blueprint Rating: 4 out of 5 stars4/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5The Internet Is Not What You Think It Is: A History, a Philosophy, a Warning Rating: 4 out of 5 stars4/5Podcasting For Dummies Rating: 4 out of 5 stars4/5How to Destroy Surveillance Capitalism Rating: 4 out of 5 stars4/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratingsHow To Start A Podcast Rating: 4 out of 5 stars4/5
Related podcast episodes
Running Databases on Kubernetes 0% found this document useful#21 - Domain-Driven Design and Event-Driven Architecture - Vaughn Vernon 0% found this document useful#76 - Learning Domain-Driven Design - Vladik Khononov 0% found this document usefulEP 22: What is OAuth 2? 0% found this document usefulNode.js with Myles Borins: Myles Borins joins the podcast to share all his knowledge about Node.js! 0% found this document useful#58 - Uncle Bob Martin // The Clean Coder Behind Test Driven Development, SOLID Principles and the Agile Manifesto 0% found this document usefulOAuth, "It's complicated.": with Aaron Parecki 0% found this document useful#71 - Strategic Monoliths and Microservices - Vaughn Vernon 0% found this document useful#79 - Domain-Driven Design With Functional Programming - Scott Wlaschin 0% found this document useful#1 - Startup Tech Leadership - Jerome Poudevigne 0% found this document useful
Related articles
Create A RESTful Server In Go Linux FormatArticle
Create A RESTful Server In Go
Oct 19, 2021
8 min readAn Introduction To Rabbitmq Linux FormatArticle
An Introduction To Rabbitmq
Jun 29, 2021
RabbitMQ is a Message Broker, which means that it can safely hold messages generated by applications and make them available to other applications. The main advantages are reliability, support for clustering and high-availability queues, tracing capa
1 min readAccess Your Mac Anywhere MacLifeArticle
Access Your Mac Anywhere
Nov 8, 2022
2 min readBasic Concepts Linux FormatArticle
Basic Concepts
Jul 2, 2019
A messaging system such as Kafka enables you to send messages between processes, applications and servers. Applications connect to Kafka to send or get data. Strictly speaking, a Kafka ‘topic’ is a unit of storage in Kafka: data in Kafka is stored in
1 min readBuild Your Own URL Shortening Service Linux FormatArticle
Build Your Own URL Shortening Service
May 4, 2021
7 min readTypes Of Databases Linux FormatArticle
Types Of Databases
Aug 27, 2019
NoSQL databases provide the performance, scalability and stability that’s required by the modern data-driven apps we interact with these days. But that is where the similarity between NoSQL systems end. In fact, it wouldn’t be wrong to say that the o
1 min readMetrics & Visuals In Go Linux FormatArticle
Metrics & Visuals In Go
Nov 17, 2020
Mihalis Tsoukalos is a DataOps engineer and a technical writer. He’s the author of Go Systems Programming and Mastering Go, 2nd edition. The subject of this tutorial is two-fold. First, it’s about creating a Go application that exports metrics to P
7 min readCreate Asynchronous Code With Python Linux FormatArticle
Create Asynchronous Code With Python
Jun 29, 2021
8 min readBitwarden Linux FormatArticle
Bitwarden
Sep 19, 2023
2 min readIDrive RemotePC Team PC Pro MagazineArticle
IDrive RemotePC Team
Sep 7, 2023
PRICE First year, 50 computers, £172 exc VAT from remotepc.com IDrive has been our cloud backup provider of choice for many years, and its RemotePC service aims to offer the same appealing combination of features, value and simplicity. Even better, I
2 min readLogMeIn GoToAssist Remote Support 5 PC Pro MagazineArticle
LogMeIn GoToAssist Remote Support 5
Sep 9, 2021
2 min readRemote Support Software 2020 PC Pro MagazineArticle
Remote Support Software 2020
Aug 13, 2020
3 min read“This Is A 2FA Solution That Shouldn’t Go Within A Hundred Feet Of Your Devices. I Expected Better From Google” PC Pro MagazineArticle
“This Is A 2FA Solution That Shouldn’t Go Within A Hundred Feet Of Your Devices. I Expected Better From Google”
Jun 8, 2023
9 min read01 Super Apps Are Here, But Are They Secure Enough? HWM SingaporeArticle
01 Super Apps Are Here, But Are They Secure Enough?
May 12, 2023
3 min readBest Password Managers iPad & iPhone UserArticle
Best Password Managers
Mar 13, 2020
4 min readBitwarden PC Pro MagazineArticle
Bitwarden
Oct 5, 2023
3 min readBest Password Manager For IPhone iPad & iPhone UserArticle
Best Password Manager For IPhone
Aug 19, 2022
4 min readPassword Managers APCArticle
Password Managers
Nov 6, 2023
11 min readConnectWise Control 21.8 PC Pro MagazineArticle
ConnectWise Control 21.8
Sep 9, 2021
2 min readIDrive RemotePC Enterprise PC Pro MagazineArticle
IDrive RemotePC Enterprise
Nov 10, 2022
2 min readAuthy vs. Google Authenticator Maximum PCArticle
Authy vs. Google Authenticator
Jan 3, 2023
5 min readAuthy vs. Google Authenticator APCArticle
Authy vs. Google Authenticator
Jan 23, 2023
5 min readCybersecurity Made Simple: Taming The Password The European Business ReviewArticle
Cybersecurity Made Simple: Taming The Password
Mar 1, 2022
8 min readProtect Your Tech ComputeractiveArticle
Protect Your Tech
Dec 6, 2023
What’s the threat? Scammers are placing fake adverts in Google for the popular program CPU-Z, in the latest example of hackers infiltrating search results with malware. The ads are headlined ‘CPU-Z | Analytics and Monitoring | Single Sign-On’ (see sc
2 min readIDrive RemotePC Team PC Pro MagazineArticle
IDrive RemotePC Team
Aug 13, 2020
2 min readRemote Support Software 2023 PC Pro MagazineArticle
Remote Support Software 2023
Sep 7, 2023
3 min readRemote Support Software 2022 PC Pro MagazineArticle
Remote Support Software 2022
Sep 11, 2022
4 min readApple’s New Passkeys MacLifeArticle
Apple’s New Passkeys
Jan 31, 2023
4 min readApple’s New Passkeys MacLifeArticle
Apple’s New Passkeys
Jan 31, 2023
4 min readGoTo Resolve Basic PC Pro MagazineArticle
GoTo Resolve Basic
Sep 11, 2022
2 min read
Reviews for OpenID Connect - End-user Identity for Apps and APIs
Rating: 0 out of 5 stars
0 ratings
0 ratings0 reviews
Book preview
OpenID Connect - End-user Identity for Apps and APIs - Matthias Biehl
OpenID Connect
End-user Identity for Apps and APIs
Matthias Biehl
OpenID Connect
OpenID Connect
Abstract
1 Introduction
1.1 What is OpenID Connect
1.2 How does OpenID Connect Work
1.2.1 Claims on the Userinfo Endpoint
1.2.2 Claims in the Identity Token
1.3 OAuth 2 vs. OpenID Connect
1.4 Common Misunderstandings
1.5 Perspective of the End-user
Advantages for the End-user
1.6 Perspective of the App Provider
Advantages for the App Provider
1.7 Perspective of the OpenID Connect Provider
Advantages for the OpenID Connect Provider
1.8 OpenID Connect Cheat Sheet
2 OpenID Connect Actors
2.1 OpenID Connect Provider
2.2 Resource Provider
2.3 End-user (a.k.a. Resource Owner)
2.4 Client (a.k.a. App)
3 OpenID Connect Endpoints
3.1 Authorization Endpoint
3.1.1 Behavior of the Authorization Endpoint
3.1.2 Input Parameters
3.1.3 Output
3.1.4 Scope
3.1.5 Claims
3.2 Resource Endpoint
3.3 Userinfo Endpoint
3.3.1 Interactions on the Userinfo Endpoint
3.3.2 Requirements
3.3.3 Claims on the UserInfo Endpoint
3.4 Token Endpoint
3.4.1 Input Parameters
3.4.2 Credentials
3.4.3 Output
3.4.4 Validations at the Token Endpoint
3.5 Redirect Endpoint
3.5.1 Why is this so complicated?
3.5.2 Details of the Redirect Endpoint
3.5.3 Implementing the Redirect Endpoint
4 Tokens in OpenID Connect
4.1 Token Types
4.1.1 Reference Tokens
4.1.2 Value Tokens
4.1.3 Token Types in OpenID Connect
4.2 Access Token
4.2.1 Access Token Validation
4.3 Refresh Token
4.4 Authorization Code
4.5 ID Token
4.5.1 Example ID Token
4.5.2 Claims
4.5.3 ID Token Validation
5 OpenID Connect Flows
5.1 Authorization Code Flow
5.1.1 Authorization Endpoint
5.1.2 Redirect Endpoint
5.1.3 Token Endpoint
5.1.4 Token Validation
5.1.5 Access Protected Endpoint
5.2 Refresh Flow
5.3 Implicit Flows
5.4 Implicit Flow with id_token & token
5.4.1 Authorization Endpoint
5.4.2 Redirect Endpoint
5.4.3 Token Validation
5.4.4 Access Protected Endpoint
5.5 Implicit Flow with id_token
5.5.1 Authorization Endpoint
5.5.2 Redirect Endpoint
5.5.3 Token Validation
5.6 Hybrid Flows
5.7 Hybrid Flow with code & id_token & token
5.7.1 Authorization Endpoint
5.7.2 Redirect Endpoint
5.7.3 Token Validation for Hybrid Flow
5.7.4 Token Endpoint
5.7.5 Resource Endpoint
5.8 Hybrid Flow with code & id_token
5.8.1 Authorization Endpoint
5.8.2 Redirect Endpoint
5.8.3 Token Validation
5.8.4 Token Endpoint
5.8.5 Resource Endpoint
5.9 Hybrid Flow with code & token
5.9.1 Authorization Endpoint
5.9.2 Redirect Endpoint
5.9.3 Token Validation
5.9.4 Token Endpoint
5.9.5 Resource Endpoint
6 Client Setup for OpenID Connect
6.1 Choosing A Suitable OpenID Connect Flow
6.2 Client Registration
6.3 Redirect Endpoint Implementation
6.3.1 Receive the Parameters
6.3.2 Validate and Store the Parameters
6.3.3 Initiate the Next Step in the Flow
6.4 Initiation of OpenID Connect Flow
6.5 Access to Resource Endpoints and Userinfo Endpoint
7 JSON Token Infrastructure
7.1 JSON Web Token (JWT)
7.1.1 Using JWT
7.1.2 JWT Claims
7.1.3 JWS and JWE - Signature and Encryption
7.1.4 Format of a Signed JWT
7.1.5 JWT Verification
7.1.6 Distinguishing if a JWT is JWE or JWS
7.2 JSON Web Signature (JWS)
7.2.1 JWS Format
7.2.2 JWS Serialization
7.2.3 JWS Example
7.3 JSON Web Encryption (JWE)
7.3.1 JWE Format
7.3.2 JWE Serialization
7.3.3 JWE Example
7.4 JSON Web Key (JWK) and JSON Web Key Set (JWKS)
7.5 JSON Web Algorithm (JWA)
7.5.1 MAC Algorithms for JWS
7.5.2 Content Encryption Algorithms for JWE
7.5.3 Key Encryption Algorithms for JWE
8 Appendix
Newsletter with FREE Bonus Material
About the Author
Feedback
Other Products by the Author
API-University Book Club
Book on OAuth 2.0
Book on OpenID Connect
Book on API Architecture
Book on RESTful API Design
Book on Webhooks
Book on GraphQL API Design
Book on REST & GraphQL
Book on Serverless GraphQL APIs with AWS AppSync
Book on Making Money with Alexa Skills - A Developer’s Guide
Online Course on OAuth 2.0
Online Course on RESTful API Design
References
Table of contents
OpenID Connect
OpenID Connect
Copyright 2019 by Matthias Biehl
All rights reserved, including the right to reproduce
this book or portions thereof in any form whatsoever.
Book cover contains elements designed by Freepik.
Biehl, Matthias
API-University Press
Volume 6 of the API-University Series.
Includes illustrations, bibliographical references and index.
Built:
ISBN-13: 978-1979718479
ISBN-10: 1979718474
API-University Press
https://www.api-university.com
info@api-university.com
Abstract
Signup and login with a Google, Yahoo, or Microsoft account can be found in more and more web and mobile apps. One login used by many, freeing the end-user from the burden of managing many accounts and passwords. Signup and login to a new app become so smooth and convenient, that end-users are much more likely to try a new app.
For us developers of web and mobile apps, these signup and login features are attractive, too: we do not need to manage user credentials, and we get a higher conversion rate resulting in more new customers. In effect, this means cutting costs and increasing the number of new customers for our apps.
So how does this feature Signup and login with Google, Yahoo, or Microsoft
work? It is realized with OpenID Connect, a standardized protocol for sharing end-user data in a secure and controlled manner. Exploring how OpenID Connect works, so we as developers can enjoy its benefits is the subject of this book.
This book explains the overall concept of OpenID Connect, so we understand who the actors are, which endpoints and tokens are involved and how these elements interact in so-called flows. These flows tend to get confusing, so we visualize these flows as sequence diagrams, and show how to choose the flow that is appropriate for a given scenario. Using examples, we explore how the tokens are constructed, signed and encrypted with JWT, JWS, and JWE.
This is not a programming book, don’t expect implementations with a specific programming language or library. Instead, we focus on understanding OpenID Connect on a conceptual level, so we can design and architect apps that work with OpenID Connect. And OpenID Connect is the standard behind creating smooth login and signup experiences, increasing the customer signup rate, and creating highly converting apps.
One more thing before we get started ...
As a reader of this book, you have free access to the API-University Best Practice Newsletter. Free bonus material and amazing freebies are waiting for subscribers, such as the popular OAuth Cheat Sheet.
1 Introduction
For us web and mobile app developers, authentication and identity management is a big pain point. We understand that it is critical from an information security perspective, since we are dealing with personal data, so we better get it right. This means setting up a secure infrastructure for authentication and storing user identity, maintaining it with constant security patches and providing end-user support, e.g. for lost passwords, changed address, changed email and a lot more. It simply means a lot of overhead and does not deliver any differentiating features to win new users. But signup and login are not only difficult to build and operate, but it is often inconvenient to use.
End-users are not very fond of filling in long signup forms, and if we require it in an app, it usually hurts conversion, number of signups, usage and ratings of the app. End-users tend to shy away from tedious onboarding processes or only get halfway through before they give up. Those users may never return.
So how do some of the most successful and popular apps deal with this situation? Have they found a solution, which may be the secret of their success?
To find out, let’s study the user experience when signing up for their app. When signing up as a user for such an app, we can choose to identify with our existing Google,
Enjoying the preview?
Page 1 of 1