2017-07-23
Biometric authentication runs afoul of religion in West Virginia
An article: Biometric authentication runs afoul of religion in West Virginia
Not For Identification Purposes
Whenever you see someone talk about a new Identity item, remember Not For Identification Purposes.
Ran Across Today
It appears that most of the questions people encounter with OAuth 2.0 and OpenID Connect involve the client-side application and how to perform the integration. Either they are trying to "roll their own" and deal with too many details, or they have general implementation issues from an architecture point of view, such as Single Sign-On and use with multiple applications or microservices.
What Auth0 and Microsoft get right is the simplicity.
In a traditional application, Access Control and Authentication are done at the beginning of the session. There was a "user repository" that the application would call to obtain the Digital Identity information.
When we move to microservices, this approach would require each microservice to have the same ability to call the "user repository", which is neither efficient nor very scalable.
Many of the posts we see on OAuth 2.0 and OpenID Connect implementation issues revolve around:
- Prompt Parameter - how to stop it.
- Determining if the user has an account
Prompt Parameter
Well, really the challenge revolves around questions like:
- Ignore prompt while user already logged in
- Is it possible to authenticate using OAuth without prompting the user when we have the user credentials?
- OAuth flow when user is already logged in to the Oauth Provider
- How to check if a visitor/user is already logged in on Google? (not on the app itself)
- Login w/ Oauth service after user is already logged in?
Most of these can be solved by:
- understanding that just because the user may be Authenticated to some Social Identity Provider does not imply that the Resource Owner has Authorized the OAuth Client Application to have access to the Resource Server.
- understanding how to use a Refresh Token to obtain a new Access Token
- understanding how and when to use the Prompt Parameter values.
- understanding the Privacy Considerations of Identity Correlation when associating attributes from the Identity Provider (IDP) with the OAuth Client (Application)
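The list above is what the "stop the prompt" questions usually boil down to in practice: a silent authorization request with prompt=none, the OpenID Provider's answer to it, and a Refresh Token grant for the case where only the Access Token has expired. The following helper is an added example written for this page, not code from the original post or from any vendor; the issuer endpoints, client id, state and token values are constructed placeholders, and the prompt values and error codes are the ones defined in OpenID Connect Core 1.0 (sections 3.1.2.1 and 3.1.2.6) and RFC 6749 section 6.

```python
"""Added example (not from the original post): a minimal OpenID Connect
client helper showing how the prompt parameter, the errors it can produce,
and the refresh_token grant fit together. All URLs and values are
constructed placeholders for a hypothetical OpenID Provider."""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder endpoints for a hypothetical OpenID Provider.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
TOKEN_ENDPOINT = "https://idp.example/token"

# prompt values defined in OpenID Connect Core 1.0, section 3.1.2.1.
VALID_PROMPTS = {"none", "login", "consent", "select_account"}

# Errors an OP returns when a prompt=none request cannot be satisfied
# without user interaction (OIDC Core 3.1.2.6), mapped to the prompt value
# that lets the client retry *with* interaction.
PROMPT_NONE_ERRORS = {
    "login_required": "login",
    "consent_required": "consent",
    "account_selection_required": "select_account",
    "interaction_required": None,  # retry with no prompt restriction at all
}


def build_authorization_url(client_id, redirect_uri, scope, state, nonce, prompt=None):
    """Build the authorization request URL. prompt=none is the silent check:
    'is the user already logged in at the OP and has consent been granted?'"""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # binds the callback to this request (CSRF defence)
        "nonce": nonce,  # binds the ID Token to this request (replay defence)
    }
    if prompt is not None:
        values = prompt.split()
        unknown = set(values) - VALID_PROMPTS
        if unknown:
            raise ValueError("unknown prompt value(s): %s" % sorted(unknown))
        if "none" in values and len(values) > 1:
            raise ValueError("prompt=none must not be combined with other values")
        params["prompt"] = prompt
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(redirect_url, expected_state):
    """Classify the redirect back to the client: ('code', code) on success,
    ('error', error_code) when the OP could not satisfy the request."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in query:
        return ("error", query["error"][0])
    if "code" in query:
        return ("code", query["code"][0])
    raise ValueError("callback carries neither code nor error")


def prompt_for_retry(error_code):
    """After a silent (prompt=none) request fails, decide which interactive
    request to send next. Returns the prompt value, or None meaning 'send no
    prompt parameter and let the OP decide what to show'."""
    if error_code not in PROMPT_NONE_ERRORS:
        raise ValueError("not a prompt=none interaction error: %s" % error_code)
    return PROMPT_NONE_ERRORS[error_code]


def build_refresh_request(client_id, refresh_token, scope=None):
    """Form body for the refresh_token grant (RFC 6749 section 6). This is
    what to use when the Access Token expired but the user already
    authorized the client; no authorization request (and no prompt) is
    needed. A confidential client would add its own authentication, e.g.
    HTTP Basic, on top of this body."""
    body = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }
    if scope is not None:
        body["scope"] = scope  # may narrow, never widen, the original grant
    return TOKEN_ENDPOINT, body


if __name__ == "__main__":
    url = build_authorization_url("app-123", "https://app.example/cb",
                                  "openid profile", "st-1", "n-1", prompt="none")
    print(url)
    # Constructed callback: the OP says the user is not logged in there.
    kind, value = parse_callback("https://app.example/cb?error=login_required&state=st-1", "st-1")
    print(kind, value, "-> retry with prompt =", prompt_for_retry(value))
    print(build_refresh_request("app-123", "rt-constructed-value"))
```

The decision flow a client should implement is: try prompt=none first, and only on one of the PROMPT_NONE_ERRORS fall back to an interactive request with the matching prompt value; a state mismatch or an unexpected error code is not a reason to retry. Being logged in at the OP (no login_required) still does not mean consent exists for this client, which is why consent_required is a separate outcome.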