
CISSP Question #209: Real Exam Question with Answer & Explanation

The correct answer is A: An access token. In OAuth 2.0, end users authenticate by presenting an access token, not raw credentials, to access protected resources through a delegated authorization framework.

Submitted by helene.fr · Mar 5, 2026 · Identity and Access Management

Question

An organization has decided to contract with a cloud-based service provider to leverage their identity as a service offering. They will use Open Authentication (OAuth) 2.0 to authenticate external users to the organization's services. As part of the authentication process, which of the following must the end user provide?

Options

  • A. An access token
  • B. A username and password
  • C. A username
  • D. A password

Explanation

In OAuth 2.0, end users authenticate by presenting an access token, not raw credentials, to access protected resources through a delegated authorization framework.

Common mistakes.

  • B. A username and password may be used to authenticate to the identity provider (IdP) in order to obtain a token, but OAuth 2.0 does not define those credentials as the artifact presented to the resource or service; the access token is the mechanism OAuth 2.0 specifies for end-user authorization.
  • C. A username alone is insufficient for authentication under any standard protocol, and OAuth 2.0 specifically uses access tokens, not usernames, as the credential artifact presented to access protected services.
  • D. A password alone is not a valid authentication artifact in OAuth 2.0; the protocol is designed specifically to avoid passing raw credentials (such as passwords) to resource servers by using access tokens instead.

Concept tested. OAuth 2.0 access token-based delegated authorization

Reference. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Topics

OAuth 2.0 · identity as a service (IDaaS) · access token · authentication protocols
