Yvonne Wilson and Abhishek Hingnikar

Solving Identity Management in Modern Applications

Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0

Yvonne Wilson
San Francisco, CA, USA
Abhishek Hingnikar
London, UK
ISBN 978-1-4842-5094-5
e-ISBN 978-1-4842-5095-2
© Yvonne Wilson, Abhishek Hingnikar 2019
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
Introduction

Every day you play with the light of the universe.

—Pablo Neruda, Chilean poet, politician, and diplomat, from Twenty Love Poems and a Song of Despair (1925)

There is a significant and growing cybersecurity workforce gap. A Global Information Security Workforce Study[1] predicts a cybersecurity workforce gap of 1.8 million individuals by 2022. At a time when the number of online services and devices that need security is growing rapidly, this is nothing short of alarming. In order to fill this gap, it is imperative to encourage more people to learn about this field and to provide adequate resources for them to come up to speed efficiently. Identity management is an important component of security, and it is critical to protecting the rapidly expanding array of innovative online services, smart devices, bots, automated agents, and the like that are being created.

The authors of this book are fortunate to have been a part of this field for some time. Between the two of us, we have created and deployed a variety of different types of applications, single sign-on, identity federation, provisioning systems for various access control models, directory services, and various forms of strong authentication. We have had the pleasure of working closely with many customers to understand their unique requirements and help them design and deploy identity and access management systems in both cloud and enterprise environments. We’ve learned many lessons from these projects, some of them the hard way through the school of hard knocks!

We wrote this book to share what we’ve learned from our experiences. We hope to provide others a head start based on the lessons we’ve learned. Our intent is to provide an introduction for those who are new to identity management and inspire them to continue learning more about this topic. We provide an overview of three identity management protocols, namely, OIDC, OAuth 2.0, and SAML 2.0, that will be useful for application developers who need to add authentication and authorization to their applications and APIs. We’ve covered the problem each protocol is designed to solve, how to initiate basic requests, and how to troubleshoot issues. A sample program accompanies the book and illustrates some of the concepts. We’ve also provided information on typical identity management requirements to help you identify what to include in your project plan, things that can go wrong that should be planned for, common mistakes, and how to approach compliance. These chapters will be valuable for developers as well as architects, technical project managers, and members of security teams involved with application development projects.

In terms of scope, the book is designed to provide an introduction to identity management. We cover how the three identity protocols can be used to solve common use cases for authentication and authorization that you will encounter in creating an application. We don’t have space to cover every protocol, corner case, or every nuance of the protocols. We also can’t cover every detail in the specifications for the protocols. Our intent is to give you an overview that will help you get started and provide sufficient background to help you more fully understand more in-depth materials.

We are extremely grateful to numerous colleagues who’ve generously contributed to this book through reviewing original drafts and providing corrections and feedback on what we missed, what might be misunderstood, and what is most valuable for people to know. This project would not have been possible without their assistance and expertise, as noted in the acknowledgements. That said, any errors are completely our own. Any errata we discover after the book is published will be noted in the Apress GitHub repo for the book, accessible via https://www.apress.com/us/book/9781484250945 .

We hope this book and the sample code are useful to you and wish you luck and security for your application projects!

Acknowledgments

The best way to find yourself is to lose yourself in the service of others.

—Mahatma Gandhi

This book would not have been possible without the generous help of many friends and coworkers who have graciously shared their expertise and knowledge to review and improve the original draft. It has been a pleasure working with each of them over the years, and we are fortunate and much indebted for the knowledge, wisdom, and insights they have shared with us as well as, on occasion, the laughs.

Massive, massive appreciation and heartfelt thanks to Carlos Mostek for careful reviews of early and later drafts of this book and contributing many corrections, insightful additions, and helpful advice from his trove of development and IAM wisdom as well as his experience helping many customers solve their IAM challenges over the years.

Immense, heartfelt thanks also to Peter Stromquist for thoroughly reviewing the draft version of this book and adding many corrections, suggesting additional ideas we’d left out, and adding wisdom from his valuable store of development and IAM expertise developed while designing solutions for many, many customers.

Huge, sincere gratitude to Amaan Cheval for careful reviews of the draft for this book and contributing many corrections, clarifications, and suggestions for additional content from his keen knowledge of IAM topics, customer challenges, and broad development experience.

Enormous and ardent thank you to Nicolas Philippe for thorough reviews from his extensive identity, security, and development experience; suggesting clarifications, additional topics requiring explanation; and adding wisdom from his years of experience with IAM as well as application development.

Titanic, sincere thanks also to Nicolás Sabena for excellent, careful reviews and contributing much valuable guidance on troubleshooting from his extensive expertise in IAM and development, as well as his keen ability to solve even the most puzzling customer issues.

Huge, grateful thanks to Jared Hanson for generously answering many questions and for reviewing and contributing corrections to many chapters of this book from his deep knowledge of identity protocols.

Massive gratitude and thanks as well to Vittorio Bertocci for graciously sharing his extensive IAM knowledge in many forums, from which we and others have learned a great deal, and for reviewing portions of this book with an eagle eye, providing valuable critique on errors in content, logic, and flow as well as suggestions for improvements and kind advice about writing.

Immense gratitude is due to Erin Richards for careful reviews, corrections, and additions on compliance matters, adding wisdom and practical advice from her long experience in this field as well as content on privacy and security frameworks.

Huge appreciation also to Adam Nunn for thorough reviews, corrections, and suggestions for the compliance chapter based on his wisdom and experience in technical audits and compliance.

Sincere gratitude to Bill Soley for commiseration during the project as well as review and contributing suggestions and advice from his immense knowledge of security matters.

Much appreciation also to Subra Kumaraswamy for reviewing a portion of this book and contributing suggestions from his experience in both IAM and security.

Immeasurable and heartfelt gratitude to Laura Hill for insightful editorial reviews, finding the logic disconnects in early drafts and making numerous suggestions for how to cut out extraneous fluff and clarify explanations. Many thanks as well for patiently listening and providing encouragement as this project took shape!

Colossal thanks to Terence Rabuzzi for his razor-sharp editorial reviews and advice on everything from graphics to structure and approaches for evaluating the logic of many sections.

Tremendous thanks to the creative eye, graphic talents, and technical knowledge of Liliya Pustovoyt for creating diagrams to illustrate several of the concepts discussed in the book.

We also owe a huge debt of gratitude to Rita Fernando, Susan McDermott, Laura Berendson, and the rest of the Apress team for their patient advice, answering numerous questions, clear guidance, and editing on the text and graphics for this project.

A final massive and heartfelt thank you is due to our dear friends and family for their patience and support during this very long project. The kind words and voices of encouragement throughout meant a lot during the long hours of research, writing, development, and editing.

We are incredibly grateful to all who helped make this project possible by reviewing early drafts and contributing suggestions, advice, corrections, and additions. The text has been immeasurably improved by our reviewers’ careful attention and many insightful comments. We could not have done this without them. That said, a line by Albert Camus is appropriate here: “The only real progress lies in learning to be wrong all alone.” Any errors in the final text are solely ours. Any errata we discover after the book is published will be noted in the Apress GitHub repo for the book, accessible via https://www.apress.com/us/book/9781484250945 .

Table of Contents

JWT 274
OIDC 274
SAML 274
Privacy 275
Notes 296
PCI DSS 300
HIPAA 302
NIST 302
SOC1 303
SOC2 303
Notes 303
Index 305

About the Authors and About the Technical Reviewers

About the Authors

Yvonne Wilson

has had many roles in the software industry related to security and identity management as a security and identity architect; enterprise architect; director of developer success working with identity customers; sr. director of security governance, risk, and compliance; and founder of cloud identity services. Yvonne was responsible for IT security strategy and architecture at Sun Microsystems, founded and designed the identity management services offered through Oracle Managed Cloud Services, and founded a developer success team for Auth0, working with customers and overseeing the creation of an identity management training program for customer-facing support and professional services engineers.

In working with business teams at Sun, designing and deploying identity systems for customers at Oracle, and while founding a developer success team at Auth0, Yvonne had the opportunity of working with many customers, from small startups to large enterprises. Her experience spans the implementation of SSO, identity federation, directory services, adaptive knowledge-based authentication, and identity provisioning as well as multilevel authentication systems with certificate-based authentication. She has worked with OIDC, SAML 2.0, WS-Fed, OAuth 2.0, and OpenID. From this depth of experience, Yvonne realized the growing need for a basic overview of identity management concepts that is understandable to business application owners as well as architects and developers.

 
Abhishek Hingnikar

is a Solutions Engineering Specialist at Auth0. He has several years of experience designing and demonstrating identity management solutions built on Auth0 using OAuth 2.0, OpenID Connect, and SAML 2.0 to customers. His current focus areas include consumer IoT, device-based identity, and designing solutions that explore web-based identity in peripheral domains.

 

About the Technical Reviewers

Jared Hanson

is a software engineer with experience across the full stack of desktop, mobile, and server-side application development. Jared is the developer of Passport.js, the popular Node.js authentication framework, and a contributor to the OpenID and OAuth family of specifications. He has worked as an architect at both Auth0 and Okta, leading companies in the identity and access management industry.

 
Carlos Mostek

has over two decades of professional experience developing software. He has a Master of Science in Software Engineering and a Bachelor of Science in Aerospace Engineering, both from the University of Minnesota. He has had a wide breadth of software experience and expertise across highly security-sensitive industries: defense contracting, financial markets, and currently, identity and security. Throughout his career, he has filled a variety of roles: test engineer, developer, architect, manager, director, and solution architect. Through most of his time at Auth0, he has worked with a wide range of customers, providing him a unique view of myriad identity-related use cases. He lives in Minnesota with his wife and three extremely active kids. He loves spending quality time with his friends and family, playing and coaching soccer, hiking, playing video games, and juggling fire.

 