OpenID Connect & OAuth - Demystifying Cloud Identity



Filip Hanik and Sree Tummidi talk about the OpenID Connect and OAuth 2 standards, the most popular authentication and authorization frameworks used in native cloud applications today. They share their experiences building the Cloud Foundry User Authentication and Account management project, a production-grade OAuth 2 authorization and resource server, as well as an OpenID Connect implementation.


Filip Hanik works as a Senior Staff Engineer at Pivotal. Sree Tummidi is the Product Manager for Identity & Access Management on Pivotal Cloud Foundry.

About the conference

SpringOne Platform brings together the people, process and tools for delivering and operating software services. Learn and share with the startups and enterprises leveraging modern Java with Spring connecting all the pieces of the modern software puzzle from developer, operator, architect, data scientist to executive.

Recorded at:

Dec 10, 2016

Community comments

  • OAuth does not equal OpenID Connect

    by Gluu Federation,

    What I see a lot is that people use OAuth2 clients, which work with OpenID Connect, but do not use the security features of OpenID Connect. Is this code verifying the nonce in the id_token? Does it follow all the recommendations in the OpenID Connect basic client implementers guide? Working code is great. But secure code is better. See on OAuth v. SAML v. OpenID Connect for a deeper discussion. Also, consider using a client like oxd which provides a secure implementation of OpenID Connect client calls, without some of the complexity required by a low-level OAuth client.
