Overview
Syllabus
Intro
It's complicated!
Objectives
The Big Picture
Client Credentials Flow
Use Token
Challenges for Clients
User-Centric Clients
Front-Channel: Authorization Code Flow Request
Front-Channel: Authorization Code Flow Response
Back-Channel: Retrieving Tokens
Issues with Code Flow
Hybrid Flow Request
Hybrid Flow Response
Issues with Hybrid Flow
Public Clients
Native/Mobile Applications
Anti Pattern: Resource Owner Password Flow
Using a browser for driving the authentication workflow
Proof Key for Code Exchange (PKCE)
Client Libraries
Browser-based Clients (aka SPAs)
History (1)
Problems with Implicit Flow
Token Management for JS Apps
JavaScript Client Library
The new kid on the block: SameSite Cookies
"BFF" Architecture
Taught by
NDC Conferences