AuthN CS: clarify OAuth (authorization) vs OpenID Connect (authentication); replace legacy 'OpenId' subsection #1776
base: master
Conversation
…tion); replace legacy 'OpenId' subsection
This is fantastic. I can't say enough how happy I am that you fixed this.
A small fix is needed... /home/runner/work/CheatSheetSeries/CheatSheetSeries/cheatsheets/Authentication_Cheat_Sheet.md
…DC; trim trailing spaces
Thanks! I’ve updated “end-user” → “end user” in both places and removed the legacy OAuth/OpenId blocks. Markdown lint is clean locally. Let me know if you’d like any further wording tweaks.
nice job
@@ -303,21 +303,17 @@ Enable logging and monitoring of authentication functions to detect attacks/fail | |||
While authentication through a combination of username, password, and multi-factor authentication is considered generally secure, there are use cases where it isn't considered the best option or even safe. Examples of this are third-party applications that desire to connect to the web application, either from a mobile device, another website, desktop, or other situations. When this happens, it is NOT considered safe to allow the third-party application to store the user/password combo, since then it extends the attack surface into their hands, where it isn't in your control. For this and other use cases, there are several authentication protocols that can protect you from exposing your users' data to attackers. | |||
### OAuth | |||
### OAuth 2.0 |
What about "OAuth 2"? OAuth 2.1 is going to be around somewhat soon (?) and all of this applies to OAuth 2.0 as well as OAuth 2.1.
I think we should only mention 2.0 and 2.1
@pankajtaneja5 can you add that
### OpenId |
Maybe add something on this subsection explaining that OpenId is completely different from OpenID Connect? That is a frequent source of confusion ("We will integrate with ThirdPartySoftware, they do OpenID and we support it." two weeks later "Actually we don't support OpenID but OpenID Connect 😢 ")
Agree 100%. One is for delegation and one is for Federation
@pankajtaneja5 can you add that?
Open Authorization (OAuth) is a protocol that allows an application to authenticate against a server as a user, without requiring passwords or any third-party server that acts as an identity provider. It uses a token generated by the server and provides how the authorization flows most occur, so that a client, such as a mobile application, can tell the server what user is using the service. | ||
**OAuth 2.0 is an authorization framework**, not an authentication protocol. It enables a client to obtain scoped, time-limited access to protected resources via access tokens issued by an authorization server. Use OAuth 2.0 for **authorization** (delegating access to APIs and resources). For end-user authentication/SSO, use **OpenID Connect (OIDC)** (see below). |
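Review bot: the added paragraph ends with "see below" pointing at an OpenID Connect subsection, but the only OIDC-related change visible in this hunk is the removal of the "### OpenId" heading, with no replacement heading or text shown; make sure the replacement OIDC subsection lands in the same change so that forward reference resolves, and, as the thread above asks, have it say plainly that OpenID and OpenID Connect are different protocols. The new sentence "OAuth 2.0 is an authorization framework, not an authentication protocol" is a clear improvement over the removed "allows an application to authenticate against a server as a user"; one sentence worth adding is that an access token on its own is not proof of who the end user is, since that is the exact mistake the old wording invited. The "### OAuth 2.0" heading should also reflect the thread's decision to cover both 2.0 and 2.1.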
"client" → "client application"?
These are all excellent suggestions
✅ Follow-ups addressed:
e66829d to 447e9bf
This PR fixes issue #1763.