I spent the last three years building application back-ends using Web APIs so that arbitrary client technologies can consume them. This creates a number of interesting challenges around authentication and authorization. Embracing token-based authentication, claims and the OAuth2 design patterns simplified many of the complex scenarios. This talk illustrates which tools we have built to make our lives easier and what works well and what doesn’t - together with some war stories and tips from the trenches.
After a three-year-long struggle, the IETF finally released the OAuth2 specification(s). While all the big players (like Google, Microsoft and Facebook) are already using it, more and more people want to follow. But there is big confusion about what OAuth2 really is, what its use cases are and which problems it can actually solve. At the same time, the security experts out there also don’t really agree on whether OAuth2 is a complete failure or not - or something in between. Dominick walks you through OAuth2, its use cases and pitfalls.
OpenID Connect is here – and it’s here to stay. This suite of protocols makes federation, single sign-on, session management, discovery and management feasible across arbitrary client types and platforms. It is also a welcome simplification compared to the archaic WS-*, XML and SAML technologies that often made interop complicated. Dominick walks you through the various bits and pieces – and along the way might even release a new open source project that implements OpenID Connect on the .NET platform ;)