Implementing OpenID Connect and OAuth 2.0 – Tips from the Trenches presented at NDCSecurity 2020

by Dominick Baier

Summary: There are typical architectural patterns around identity & access control for modern applications (microservices or cloud-native apps – or whatever you like to call them). OpenID Connect and OAuth 2.0 are the enablers for these architectures. When building such an application system, you will inevitably run into some challenges and questions: which protocol flow to choose, how to design your resources and tokens, how to connect your various (new and old) clients to the token-based system, how to design session and token lifetime management, how to deal with revocation, authentication vs. authorization, etc. In this session we will have a look at some common patterns (and maybe anti-patterns) for designing token-based systems and get some answers to the above questions.