2018-02-12#

Demonstration for Authentication and Authorization#

Primary purpose#

Demonstration of Best Current Practice and Poor Practices for Client applications use of OAuth 2.0, OIDC (maybe UMA) surrounding Authentication and Authorization.

Client HTML Application#

A HTML application which will make API calls to https://api.example.com and possibly other third-party API resource servers to obtain data and end-user information. Use Javascript using node.js as it is well known and adaptable to most other WEB based apps including mobile.

Use of HTML5 where possible

API Resource Server#

An API server with no relationship to End-Users (only Client Apps). Assume this would use OAuth 2.0 at least to start.

Various Providers#

Desire to work with multiple Authentication Providers using OAuth 2.0 and OIDC. Desired Providers:

• Google
• Facebook
• Microsoft
• Azure
• AWS Cognito
• Ping Identity
• ForgeRock

Desired Features#

There are a few features that would be nice to incorporate:

• FIDO Standards
• OpenID Connect Discovery
• Mutual TLS for OAuth Client Authentication

More Information#

There might be more information for this subject on one of the following: ...nobody