
OpenID Connect in Action (MEAP)


Publisher
Manning Publications Co.
Year
2022
Tongue
English
Leaves
226
Edition
MEAP
Category
Library


✦ Table of Contents


OpenID Connect in Action MEAP V07
Copyright
welcome
brief contents
Chapter 1: The OpenID Connect landscape
1.1 What is OpenID Connect?
1.2 An alternative view of OpenID Connect
1.3 OpenID Connect vs. OpenID
1.4 OpenID Connect vs. OAuth 2.0
1.5 How login with Facebook works around OAuth 2.0 for authentication
1.6 OpenID Connect vs. SAML 2.0 Web SSO
1.7 Transporting identity related attributes across multiple trust domains
1.8 Building a seamless login experience among multiple applications connected to a single identity provider
1.9 The benefits of having one trusted identity provider for multiple client applications
1.9.1 Having one trusted identity provider means you have a single source of truth
1.9.2 Having one trusted identity provider helps implementing single sign on (SSO) across multiple client applications
1.9.3 A single place to implement and configure multiple login options for user authentication
1.9.4 Having one trusted identity provider helps to bootstrap trust with external identity providers
1.9.5 Handling protocol / claim transformation between client applications and partner identity providers at a single place
1.10 OpenID Connect use cases
1.10.1 Login to client applications
1.10.2 Sharing attributes
1.10.3 Signup with OpenID Connect
1.10.4 Single logout
1.10.5 Federating access to APIs
1.11 OpenID providers and client libraries
1.12 What you will learn in this book
1.13 Summary
Chapter 2: The cornerstone of OpenID Connect
2.1 What is OAuth 2.0?
2.1.1 What is the access delegation problem?
2.1.2 Fixing the access delegation problem with OAuth 2.0
2.1.3 Why is OAuth 2.0 called an authorization framework?
2.2 Actors of an OAuth 2.0 flow
2.2.1 The role of the resource server
2.2.2 The role of the client application
2.2.3 The role of the resource owner
2.2.4 The role of the authorization server
2.3 A grant type defines a protocol to request an access token
2.3.1 Client credentials grant type
2.3.2 Resource owner password grant type
2.3.3 Refresh token grant type
2.3.4 Authorization code grant type
2.3.5 Implicit grant type
2.4 Public clients vs. confidential clients
2.5 Scopes bind capabilities to an OAuth 2.0 access token
2.6 Token types
2.7 OAuth 2.0 ecosystem
2.8 What’s new in OAuth 2.1?
2.9 Summary
Chapter 3: Securing access to a single-page application
3.1 Authentication flows define the communications between a client application and an OpenID provider
3.2 Authentication flows vs. grant types
3.3 How does implicit flow work?
3.3.1 The flow of events in the implicit authentication flow
3.4 Why does one client application need to have multiple redirect_uris?
3.5 Using the state parameter
3.6 URI fragment vs. query string
3.7 Generating a random, unguessable nonce
3.8 Implementing implicit flow using Google as the OpenID provider
3.8.1 Setting up Google as an OpenID provider
3.8.2 Constructing the authentication request
3.8.3 An overview of the ID token returned back from the Google OpenID provider
3.8.4 ID token validation rules
3.9 How does authorization code flow work?
3.9.1 The flow of events in the authorization code authentication flow
3.10 Authorization code flow or the implicit flow?
3.11 Securing a single-page application using OpenID Connect
3.11.1 Building a single-page application with React
3.11.2 Setting up an OpenID Provider
3.11.3 Updating the client application to use OpenID Connect login
3.12 Summary
Chapter 4: The building blocks of an ID token
4.1 What is a JSON Web Token?
4.2 What does a JWT look like?
4.2.1 The JWT JOSE header
4.2.2 The JWT claims set
4.3 What does JSON Web Signature (JWS) token look like?
4.4 Building a compact serialized JWS token
4.5 The JOSE header of a JWS token
4.5.1 The alg carries the name of the algorithm
4.5.2 The jku carries a URL pointing to a JSON Web Key set
4.5.3 The jwk carries the public key corresponding to the signature
4.5.4 The kid represents an identifier for the key used to sign the message
4.5.5 The x5u attribute carries a URL pointing to an X.509 certificate
4.5.6 The x5c attribute represents the X.509 certificate
4.5.7 The x5t / x5t#s256 attributes represent the thumbprint of a certificate
4.5.8 The crit attribute indicates the presence of custom parameters
4.6 The process of compact serializing JWS token
4.7 What does JSON Web Encryption (JWE) token look like?
4.8 Building a compact serialized JWE token
4.9 The JOSE header of a JWE token
4.9.1 The alg defines the algorithm to encrypt the CEK
4.9.2 The enc represents the algorithm used for content encryption
4.9.3 The zip defines the name of the compression algorithm
4.9.4 The jku carries a URL, which points to a JSON Web Key set
4.9.5 The jwk attribute carries the public key corresponding to the CEK
4.9.6 The kid carries an identifier for the key used to encrypt CEK
4.9.7 The x5u carries a URL, which points to an X.509 certificate
4.9.8 The x5c carries the X.509 certificate embedded into the token
4.9.9 The x5t / x5t#s256 represent the thumbprint of a certificate
4.9.10 The crit attribute indicates the presence of custom parameters
4.10 The process of compact serializing and verifying JWE token
4.11 The role of a nested JWT
4.12 Summary
Chapter 5: Requesting and returning claims
5.1 The ways of requesting claims from an OpenID provider
5.2 Returning scope bound claims in an ID token
5.2.1 Requesting claims using scope parameter from Google OpenID provider
5.2.2 Requesting claims using scopes from Apple OpenID provider
5.2.3 OpenID Connect defines four standard scope values
5.2.4 OpenID Connect defines twenty standard claims
5.2.5 OAuth 2.0 scope vs. OpenID Connect scope
5.2.6 Do it yourself! Requesting claims using scopes with cURL
5.3 Returning scope bound claims from the userinfo endpoint
5.3.1 How does the userinfo endpoint work?
5.3.2 Why OpenID Connect introduced the userinfo endpoint
5.3.3 When to use the userinfo endpoint to retrieve user claims
5.3.4 Using the userinfo endpoint with the Google OpenID provider with cURL
5.4 Cross-origin resource sharing (CORS)
5.4.1 The same-origin policy
5.4.2 What is the danger of not having a same-origin policy?
5.4.3 Using cross-origin resource sharing
5.5 Requesting individual claims via the authentication request
5.5.1 An example of requesting individual claims
5.5.2 Why it is useful to request individual claims
5.6 Using custom claims
5.7 Claim types
5.7.1 Using aggregated claims for identity proofing
5.7.2 Using distributed claims for identity proofing
5.7.3 Verifying aggregated and distributed claims
5.8 Summary
Chapter 6: Securing access to a server-side web application
6.1 Agent-based single sign on vs. proxy-based single sign on
6.1.1 Agent-based single sign on
6.1.2 Proxy-based single sign on
6.2 Implementing login using an agent
6.3 How does the authorization code flow work with a server-side web application?
6.4 Storing tokens in a server-side web application
6.5 Refreshing an access token and an ID token
6.6 Implementing login using a proxy
6.7 Summary
Chapter 7: Logging out
7.1 What is Single logout?
7.2 Single logout options in OpenID Connect
7.3 Implementing OpenID Connect session management
7.3.1 What’s new in the OpenID Connect login flow to support logout?
7.3.2 The role of iframes loaded from the client application’s domain and the OpenID provider’s domain
7.3.3 How does the OpenID provider construct the session_state parameter?
7.3.4 A client application initiating logout
7.3.5 The id_token_hint parameter
7.3.6 Implementing OpenID Connect session management with a server-side web application
7.4 Implementing front-channel logout
7.4.1 A client application initiating logout
7.4.2 The OpenID provider responding to the client application’s logout request
7.4.3 Implementing front-channel logout with a single-page application
7.5 Summary
Chapter 8: Claim-based access control with Open Policy Agent (OPA)
8.1 Key components in an access control system
8.2 Introducing Open Policy Agent
8.2.1 OPA high-level architecture
8.2.2 Deploying OPA as a Docker container
8.2.3 Protecting an OPA server with mTLS
8.2.4 OPA policies
8.2.5 External data
8.3 Controlling access based on the claims in an ID token
8.4 OPA alternatives
8.5 Summary
Appendix A: ES6 and React fundamentals
A.1 Running JavaScript
A.2 What’s new in JavaScript (ES6)?
A.2.1 New keywords to declare variables
A.2.2 JavaScript functions recap
A.2.3 Arrow functions
A.2.4 Default values for arguments of a function
A.2.5 Template literals
A.2.6 Rest operator
A.2.7 Spread operator
A.2.8 Destructuring an object
A.2.9 Modules
A.3 Getting started with React
A.4 Working with multiple React components
A.5 Passing messages among components
A.6 Managing state for React components
A.7 Organizing a React application
A.7.1 Decouple the code to distribute from the rest of the dependencies
A.7.2 Decouple the rendering code from other React components
A.7.3 Aggregate all JavaScript code into a single file
A.8 Organizing a React application in an easy way


📜 SIMILAR VOLUMES


OpenID Connect in Action (MEAP V13)
✍ Prabath Siriwardena 📂 Library 📅 2023 🏛 Manning Publications 🌐 English

An example-driven guide to securing access to your applications with OpenID Connect, the OAuth-based identity layer that keeps billions of user interactions safe every day. In OpenID Connect in Action you will Build client applications that integrate OpenID Connect adhering to best practices Cr

GitHub Actions in Action (MEAP V03)
✍ Michael Kaufmann, Rob Bos, Marcel de Vries 📂 Library 📅 2024 🏛 Manning Publications Co. 🌐 English

GitHub Actions in Action shows you exactly how to implement a secure and reliable continuous delivery process with just the tools available in GitHub, no complex CI/CD frameworks required! You’ll follow an extended example application for selling tickets, taking it all the way from initial build to c

OpenCL in Action
✍ Matthew Scarpino 📂 Library 📅 2011 🏛 Manning Publications 🌐 English

OpenCL in Action is a thorough, hands-on presentation of OpenCL, with an eye toward showing developers how to build high-performance applications of their own. It begins by presenting the core concepts behind OpenCL, including vector computing, parallel programming, and multi-threaded operations, an

MEAP - Javafx in Action
✍ Simon Morris, Morris Simon 📂 Library 📅 2009 🌐 English

JavaFX is a Java-based rich user interface technology that sits atop the existing Java Standard and Micro Editions. Using it, developers can build rich user interfaces with access to all Java components already installed on their systems. At its heart is the easy to learn JavaFX Script language that