An example-driven guide to securing access to your applications with OpenID Connect, the OAuth-based identity layer that keeps billions of user interactions safe every day.In OpenID Connect in Action you will:• Build client applications that integrate OpenID Connect adhering to best practices• Create single-page applications secured with OpenID Connect• Integrate OpenID connect with native mobile and server-side web applications• Federate access to APIs/microservices from a client application• Use OpenID Connect to secure access to smart TV applications• Explore common login security pitfalls and how to avoid them• Take a deep-dive into the internals of OpenID Connect-----Chapters 1 to 8 of 9 OpenID Connect in Action MEAP V07 Copyright welcome brief contents Chapter 1: The OpenID Connect landscape 1.1 What is OpenID Connect? 1.2 An alternative view of OpenID Connect 1.3 OpenID Connect vs. OpenID 1.4 OpenID Connect vs. OAuth 2.0 1.5 How login with Facebook works around OAuth 2.0 for authentication 1.6 OpenID Connect vs. SAML 2.0 Web SSO 1.7 Transporting identity related attributes across multiple trust domains 1.8 Building a seamless login experience among multiple applications connected to a single identity provider 1.9 The benefits of having one trusted identity provider for multiple client applications 1.9.1 Having one trusted identity provider means you have a single source of truth 1.9.2 Having one trusted identity provider helps implementing single sign on (SSO) across multiple client applications 1.9.3 A single place to implement and configure multiple login options for user authentication 1.9.4 Having one trusted identity provider helps to bootstrap trust with external identity providers 1.9.5 Handling protocol / claim transformation between client applications and partner identity providers at a single place 1.10 OpenID Connect use cases 1.10.1 Login to client applications 1.10.2 Sharing attributes 1.10.3 Signup with OpenID Connect 1.10.4 Single logout 1.10.5 Federating access to APIs 1.11 OpenID providers and client libraries 1.12 What you will learn in this book 1.13 Summary Chapter 2: The cornerstone of OpenID Connect 2.1 What is OAuth 2.0? 2.1.1 What is access delegation problem? 2.1.2 Fixing the access delegation problem with OAuth 2.0 2.1.3 Why OAuth 2.0 is called an authorization framework? 2.2 Actors of an OAuth 2.0 flow 2.2.1 The role of the resource server 2.2.2 The role of the client application 2.2.3 The role of the resource owner 2.2.4 The role of the authorization server 2.3 A grant type defines a protocol to request an access token 2.3.1 Client credentials grant type 2.3.2 Resource owner password grant type 2.3.3 Refresh token grant type 2.3.4 Authorization code grant type 2.3.5 Implicit grant type 2.4 Public clients vs. confidential clients 2.5 Scopes bind capabilities to an OAuth 2.0 access token 2.6 Token types 2.7 OAuth 2.0 ecosystem 2.8 What’s new in OAuth 2.1? 2.9 Summary Chapter 3: Securing access to a single-page application 3.1 Authentication flows define the communications between a client application and an OpenID provider 3.2 Authentication flows vs. grant types 3.3 How does implicit flow work? 3.3.1 The flow of events in the implicit authentication flow 3.4 Why does one client application need to have multiple redirect_uris? 3.5 Using the state parameter 3.6 URI fragment vs. query string 3.7 Generating a random, unguessable nonce 3.8 Implementing implicit flow using Google as the OpenID provider 3.8.1 Setting up Google as an OpenID provider 3.8.2 Constructing the authentication request 3.8.3 An overview of the ID token returned back from the Google OpenID provider 3.8.4 ID token validation rules 3.9 How does authorization code flow work? 3.9.1 The flow of events in the authorization code authentication flow 3.10 Authorization code flow or the implicit flow? 3.11 Securing a single-page application using OpenID Connect 3.11.1 Building a single-page application with React 3.11.2 Setting up an OpenID Provider 3.11.3 Updating the client application to use OpenID Connect login 3.12 Summary Chapter 4: The building blocks of an ID token 4.1 What is a JSON Web Token? 4.2 What does a JWT look like? 4.2.1 The JWT JOSE header 4.2.2 The JWT claims set 4.3 What does JSON Web Signature (JWS) token look like? 4.4 Building a compact serialized JWS token 4.5 The JOSE header of a JWS token 4.5.1 The alg carries name of the algorithm 4.5.2 The jku carries a URL pointing to a JSON Web Key set 4.5.3 The jwk carries the public key corresponding to the signature 4.5.4 The kid represents an identifier for the key used to sign the message 4.5.5 The x5u attribute carries a URL pointing to a X.509 certificate 4.5.6 The x5c attribute represents the X.509 certificate 4.5.7 The x5t / x5t#s256 attributes represent the thumbprint of a certificate 4.5.8 The crit attribute indicates the presence of custom parameters 4.6 The process of compact serializing JWS token 4.7 What does JSON Web Encryption (JWE) token look like? 4.8 Building a compact serialized JWE token 4.9 The JOSE header of a JWE token 4.9.1 The alg defines the algorithm to encrypt the CEK 4.9.2 The enc represents the algorithm used for content encryption 4.9.3 The zip defines the name of the compression algorithm 4.9.4 The jku carries a URL, which points to a JSON Web Key set 4.9.5 The jwk attribute carries the public key corresponding to the CEK 4.9.6 The kid carries an identifier for the key used to encrypt CEK 4.9.7 The x5u carries a URL, which points to a X.509 certificate 4.9.8 The x5c carries the X.509 certificate embedded into the token 4.9.9 The x5t / x5t#s256 represent the thumbprint of a certificate 4.9.10 The crit attribute indicates the presence of custom parameters 4.10 The process of compact serializing and verifying JWE token 4.11 The role of a nested JWT 4.12 Summary Chapter 5: Requesting and returning claims 5.1 The ways of requesting claims from an OpenID provider 5.2 Returning scope bound claims in an ID token 5.2.1 Requesting claims using scope parameter from Google OpenID provider 5.2.2 Requesting claims using scopes from Apple OpenID provider 5.2.3 OpenID Connect defines four standard scope values 5.2.4 OpenID Connect defines twenty standard claims 5.2.5 OAuth 2.0 scope vs. OpenID Connect scope 5.2.6 Do it yourself! Requesting claims using scopes with cURL 5.3 Returning scope bound claims from the userinfo endpoint 5.3.1 How the userinfo endpoint works? 5.3.2 Why OpenID Connect introduced the userinfo endpoint 5.3.3 When to use the userinfo endpoint to retrieve user claims 5.3.4 Using the userinfo endpoint with the Google OpenID provider with cURL 5.4 Cross-origin resource sharing (CORS) 5.4.1 The same-origin policy 5.4.2 What is the danger of not having a same-origin policy? 5.4.3 Using cross-origin resource sharing 5.5 Requesting individual claims via the authentication request 5.5.1 An example of requesting individual claims 5.5.2 Why it is useful to request individual claims 5.6 Using custom claims 5.7 Claim types 5.7.1 Using aggregated claims for identity proofing 5.7.2 Using distributed claims for identity proofing 5.7.3 Verifying aggregated and distributed claims 5.8 Summary Chapter 6: Securing access to a server-side web application 6.1 Agent-based single sign on vs. proxy-based single sign on 6.1.1 Agent-based single sign on 6.1.2 Proxy-based single sign on 6.2 Implementing login using an agent 6.3 How authorization code flow works with a server-side web application? 6.4 Storing tokens in a server-side web application 6.5 Refreshing an access token and an ID token 6.6 Implementing login using a proxy 6.7 Summary Chapter 7: Logging out 7.1 What is Single logout? 7.2 Single logout options in OpenID Connect 7.3 Implementing OpenID Connect session management 7.3.1 What’s new in OpenID Connect login flow to support logout? 7.3.2 The role of iframes loaded from the client application’s domain and the OpenID provider’s domain 7.3.3 How the OpenID provider constructs the session_state parameter? 7.3.4 A client application initiating logout 7.3.5 The id_token_hint parameter 7.3.6 Implementing OpenID Connect session management with a server-side web application 7.4 Implementing front-channel logout 7.4.1 A client application initiating logout 7.4.2 The OpenID provider responding to the client application’s logout request 7.4.3 Implementing front-channel logout with a single-page application 7.5 Summary Chapter 8: Claim-based access control with Open Policy Agent (OPA) 8.1 Key components in an access control system 8.2 Introducing Open Policy Agent 8.2.1 OPA high-level architecture 8.2.2 Deploying OPA as a Docker container 8.2.3 Protecting an OPA server with mTLS 8.2.4 OPA policies 8.2.5 External data 8.3 Controlling access based on the claims in an ID token 8.4 OPA alternatives 8.5 Summary Appendix A: ES6 and React fundamentals A.1 Running JavaScript A.2 What’s new in JavaScript (ES6)? A.2.1 New keywords to declare variables A.2.2 JavaScript functions recap A.2.3 Arrow functions A.2.4 Default values for arguments of a function A.2.5 Template literals A.2.6 Rest operator A.2.7 Spread operator A.2.8 Destructuring an object A.2.9 Modules A.3 Getting started with React A.4 Working with multiple React components A.5 Passing messages among components A.6 Managing state for React components A.7 Organizing a React application A.7.1 Decouple the code to distribute from rest of the dependencies A.7.2 Decouple the rendering code from other React components A.7.3 Aggregate all JavaScript code into a single file A.8 Organizing a React application in an easy way 06.pdf 07.pdf An example-driven guide to securing access to your applications with OpenID Connect, the OAuth-based identity layer that keeps billions of user interactions safe every day. In OpenID Connect in Action you Login security is a complex problem with a simple OpenID Connect. OpenID Connect in Action takes you under the hood of this reliable identity layer, showing you how to integrate OpenID Connect into a server-side web application, a single-page application (SPA), a native mobile application, APIs, and more. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications. About the technology OpenID Connect is an easy-to-implement identity layer built on top of OAuth 2. OpenID Connect helps secure billions of user interactions on the internet daily. Because it uses the JSON standard, OpenID Connect is more lightweight than legacy alternatives and flexible enough to meet the ID federation requirements for all types of modern applications. About the book OpenID Connect in Action teaches you to deploy OpenID Connect to secure access to your apps. Ten-year access management veteran Prabath Siriwardena takes you in-depth with the widely adopted technology, showing you how to optimize OpenID Connect for your applications specific use cases. Youll work to secure end-to-end example applications created with React and React Native, and even develop solutions for Smart TVs and APIs. About the reader For experienced software developers. Examples in Java and JavaScript. About the author Prabath Siriwardena has over a decade of experience working in access management and security. He has built security solutions for numerous Fortune 500 companies, and spoken at some of the worlds top security conferences.