Enterprise OAuth 2.0 - OAuth 2.0 / OpenID Connect For the Enterprise (4)
OAuth 2.0 and OpenID Connect
- OAuth 2.0 is for authorization
- Access token should contain only authorization information
- Scopes, Roles, Grant Types, Flows, Tokens
- No ID Token
- https://tools.ietf.org/html/rfc6749
- OpenID Connect is the identity layer on top of OAuth 2.0
- ID Token contains user claims
- /userinfo endpoint
- Scopes: openid profile email
- Can create custom claims
- Adds more Response types
- https://openid.net/specs/openid-connect-core-1_0.html
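The ID Token checks an OpenID Connect relying party must perform before trusting the user claims (issuer, audience, expiry, nonce, and the signature), as an added example that is not part of the original slides. The issuer URL, client id and shared secret below are constructed values; the token is signed with HS256 using the client secret (permitted by OpenID Connect Core 10.1) so the example runs offline with the standard library, whereas most enterprise providers use RS256 with keys published at the JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example (not from the slides).
ISSUER = "https://idp.example.com"            # expected "iss" claim
CLIENT_ID = "enterprise-portal"               # expected "aud" claim (our client_id)
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key per OIDC Core 10.1


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Produce an HS256-signed ID Token; stands in for the provider in this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def id_token_error(token: str, key: bytes, expected_nonce: str, now: Optional[int] = None) -> Optional[str]:
    """Return None if the ID Token is acceptable, otherwise the reason it was rejected.

    Follows the relying-party checks of OIDC Core 3.1.3.7: signature, iss, aud/azp, exp, nonce.
    """
    now = int(time.time()) if now is None else now
    pieces = token.split(".")
    if len(pieces) != 3:
        return "malformed token"
    h_b64, p_b64, s_b64 = pieces
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return "malformed token"
    # Pin the algorithm we negotiated; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        return "unexpected alg"
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return "bad signature"
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        return "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        return "audience mismatch"
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        return "azp mismatch"
    if int(claims.get("exp", 0)) <= now:
        return "token expired"
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"
    return None


def user_claims(token: str, key: bytes, expected_nonce: str, now: Optional[int] = None) -> dict:
    """Return the claims only after every check passes; raise otherwise."""
    error = id_token_error(token, key, expected_nonce, now)
    if error is not None:
        raise ValueError(error)
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                         "iat": t0, "exp": t0 + 300, "nonce": "n-123"}, CLIENT_SECRET)
    print(user_claims(tok, CLIENT_SECRET, "n-123", now=t0)["sub"])
    print(id_token_error(tok, CLIENT_SECRET, "n-123", now=t0 + 301))
```

The nonce is the value the client generated and stored in the session before redirecting to the provider; checking it ties the returned ID Token to that specific login attempt.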
OAuth 2.0 Best Practices
- Prefer Authorization Code Grant with PKCE
- Prefer Client Credentials Grant for Cron Jobs
- Avoid using Implicit Grant
- Avoid using Resource Owner Password Grant
- Store secrets in a safe place
- Rotate the secrets regularly
- Keep Access tokens short (5 min)
- Avoid using local users of the Authorization Server
- Do not associate users with more scopes than needed
- Use the enterprise logout (all sessions)
- Do not store tokens or secrets in the browser or on mobile devices
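PKCE, the first item in the best-practice list, in working form: the client-side code_verifier and S256 code_challenge from RFC 7636, and the check an authorization server performs at the token endpoint. This is an added example, not code from the slides or from any particular authorization server; the in-memory "code store" that stands in for the server's database is an assumption made so the flow can be simulated offline.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 4.1: 43..128 unreserved characters; base64url of 32 random bytes is 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token-endpoint check (RFC 7636 4.6) against the challenge saved with the authorization code."""
    if stored_method != "S256":          # refuse the weaker "plain" method entirely
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


# Assumed stand-in for the authorization server's code store: code -> (challenge, method).
_CODE_STORE: Dict[str, Tuple[str, str]] = {}


def authorize(code_challenge: str, method: str) -> str:
    """Simulated /authorize: bind the challenge to a fresh, single-use authorization code."""
    code = secrets.token_urlsafe(24)
    _CODE_STORE[code] = (code_challenge, method)
    return code


def redeem(code: str, code_verifier: str) -> bool:
    """Simulated /token: the code is consumed whether or not the verifier matches."""
    entry = _CODE_STORE.pop(code, None)
    if entry is None:
        return False
    challenge, method = entry
    return server_verify(challenge, method, code_verifier)


def simulate_flow() -> Tuple[bool, bool]:
    """Return (legitimate client succeeded, intercepted code redeemed without the verifier)."""
    verifier = make_code_verifier()                      # kept in the client's memory only
    code = authorize(make_code_challenge(verifier), "S256")
    # An intercepted code is useless without the verifier that never left the client.
    stolen_attempt = redeem(code, make_code_verifier())  # guessing a verifier also fails
    legitimate = redeem(code, verifier)                  # already consumed above, so also fails
    # Re-run the legitimate exchange on a fresh code to show the success path.
    verifier2 = make_code_verifier()
    code2 = authorize(make_code_challenge(verifier2), "S256")
    return redeem(code2, verifier2), stolen_attempt or legitimate


if __name__ == "__main__":
    print(simulate_flow())  # (True, False)
```

Because the verifier is generated per authorization request and never appears in the redirect URL, a code captured from a browser history, proxy log or malicious app on the device cannot be exchanged for tokens; this is what lets public clients use the Authorization Code Grant without a client secret.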