13 Deepening security with OpenID Connect
This chapter covers
- Boosting security in the authorization code flow
- Simplifying user logins and maintaining sessions with refresh tokens
- Enhancing user identity management
- Implementing multitenancy
As ACME, Inc. grew rapidly, it realized that it needed a better, safer way for users to log in. That’s when it decided to set up single sign-on (SSO), which lets users access multiple apps with one login. To do this right, the company had to separate the job of checking who a user is (authentication) from the app that handles the user’s data (the backend). This setup makes things safer and easier to manage.
ACME couldn’t just make things up as it went along, of course; it needed a solid, trusted standard as a guide. That’s how it found OAuth 2 and OpenID Connect (OIDC). OAuth 2 is an authorization framework that lets an app obtain limited, delegated access to certain user data without the user ever handing that app their password. OIDC builds on OAuth 2 by adding an identity layer that confirms who the user is. Think of OAuth 2 as the pizza crust and OIDC as the delicious cheese and toppings. Who wants plain crust anyway?
In chapter 12, we talked about how OAuth 2 and OIDC work. We covered the way that tokens, such as access tokens and ID tokens, help apps talk to one another securely. We also explained the different ways (called grant types) that apps can ask for these tokens. Knowing these steps is key to setting up secure, smooth logins.