13 Deepening security with OpenID Connect


This chapter covers

  • Boosting security with Proof Key for Code Exchange (PKCE) in the authorization code flow.
  • Simplifying user logins and maintaining sessions with refresh tokens.
  • Enhancing user identity management with OpenID Connect's identity layer and additional features.
  • Implementing multitenancy with OIDC.

As Acme Inc. grew rapidly, we realized we needed a better and safer way for users to log in. That’s when we decided to set up Single Sign-On (SSO), which lets users access multiple apps with just one login. To do this right, we had to separate the job of checking who a user is (authentication) from the app that handles the user’s data (the backend). This setup makes things safer and easier to manage.

Of course, we couldn't just make it up as we went along—we needed a solid, trusted standard to guide us. That’s how we found OAuth 2 and OpenID Connect (OIDC). OAuth 2 is an authorization framework that lets an app obtain delegated, scoped access to a user's data without the app ever handling the user's password. OpenID Connect builds on OAuth 2 by adding an identity layer that lets the app confirm who the user is. It’s like OAuth 2 is the pizza crust, and OpenID Connect is the delicious cheese and toppings. Who wants plain crust anyway?
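To make the first item in the chapter list concrete before the sections that follow, here is an added example of a PKCE round trip in the authorization code flow. It is illustration code written for this page, not code from the book or from Acme's own system. The client derives an S256 `code_challenge` from a random `code_verifier`; `AuthorizationServer` is a hypothetical in-memory stand-in (assumed here, not anything the chapter describes) that binds the challenge to the authorization code it issues, refuses the token exchange unless the presented verifier recomputes to that challenge, and consumes each code on first use. The `demo()` function runs the legitimate exchange, a redemption by a party holding the code but a different verifier, and a replay of an already-used code.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory stand-in for the PKCE-relevant parts of an authorization server."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str = "S256") -> str:
        # The "plain" method sends the verifier itself as the challenge, so only S256 is accepted.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._pending.pop(code, None)  # codes are single-use: a second redemption finds nothing
        if entry is None:
            return None
        owner, challenge = entry
        if owner != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time comparison of the recomputed challenge against the one bound to the code.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer, client_id: str = "acme-web", verifier_at_redemption=None) -> bool:
    """One authorization-code exchange; returns True if a token was issued.

    verifier_at_redemption lets the caller present a different verifier at the token
    endpoint, which is what a party holding only the intercepted code can do."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    presented = verifier if verifier_at_redemption is None else verifier_at_redemption
    return server.token(client_id, code, presented) is not None


def demo():
    """Returns (legitimate exchange ok, wrong-verifier exchange ok, replayed-code exchange ok)."""
    server = AuthorizationServer()
    legit = run_flow(server)
    wrong_verifier = run_flow(server, verifier_at_redemption=make_code_verifier())
    verifier = make_code_verifier()
    code = server.authorize("acme-web", make_code_challenge(verifier))
    server.token("acme-web", code, verifier)                      # first redemption succeeds
    replay = server.token("acme-web", code, verifier) is not None  # second one must fail
    return legit, wrong_verifier, replay


if __name__ == "__main__":
    print(demo())
```

The point the three results make is the one PKCE exists for: the authorization code travels through the browser and redirect URI where it can be observed, but it is worthless without the verifier that never left the client, and even the rightful client cannot redeem it twice.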

13.1 Augmenting the authorization code grant type with PKCE

13.2 Using refresh tokens to simplify authentication

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.4 Using multitenancy

13.5 Summary