Building Clients for OpenID Connect - OAuth 2-based Systems
Offered By: NDC Conferences via YouTube
Course Description
Overview
Explore best practices for building clients that utilize OpenID Connect and OAuth 2 protocols in this comprehensive conference talk. Dive into the complexities of authentication and API access, learning how to simplify front-end development while addressing challenges such as selecting appropriate protocol flows, secure token storage, and token lifetime management. Gain insights on implementing solutions for native server applications, client-side applications, browser-based applications, and Single Page Applications (SPAs). Discover the intricacies of various flows including Client Credentials, Authorization Code, Hybrid, and Implicit, as well as their potential issues. Examine anti-patterns, explore the use of client libraries, and understand the implications of Same Site Cookies and "Backend for Frontend" (BFF) architecture. Leave equipped with knowledge to make informed decisions when building secure and efficient clients for OpenID Connect and OAuth 2-based systems.
Syllabus
Intro
Objectives
It's complicated!
The Big Picture
Client Credentials Flow
Use Token
Challenges for Clients
Front-Channel: Authorization Code Flow Request
Front-Channel: Authorization Code Flow Response
Back-Channel: Retrieving Tokens
Issues with Code Flow
Hybrid Flow Request
Hybrid Flow Response
Issues with Hybrid Flow
Public Clients
Native/Mobile Applications
Anti Pattern: Resource Owner Password Flow
Using a browser for driving the authentication workflow
Client Libraries
Browser-based Clients (aka SPAs)
History (2)
Implicit Flow Request
Problems with Implicit Flow
Token Management for JS Apps
JavaScript Client Library
The new kid on the block: Same Site Cookies
"BFF" Architecture
Further Reading
Taught by
NDC Conferences