Page 1
How We Eased Our Security Journey With OAuth (Goodbye Kerberos)
Page 2
Paul Makkar – Head of Data in Motion, Saxo Bank
Rahul Gulati – Senior Data Platform Engineer, Saxo Bank
Page 3
Saxo Bank is a Global, Multi-Asset Facilitator
We unbundle the value chain through our open architecture.
We source the best ideas, products, liquidity and services from the best providers.
Capital markets products, services and liquidity -> Saxo Bank facilitation -> Distribution to clients (the SaxoExperience)
We run and develop one global, multi-asset, multi-tenanted tech stack, and one set of global business processes.
We distribute capital market and asset management products and services through our platforms, tied together by the SaxoExperience.
Tech stack: Trading platforms; FIX / Open API; CRM & CMS API; OMS / EMS; Broker connectivity; Hosting services; Clearing and settlement; Client account structures; Margin & risk management; Market data connectivity; Custody; EOD files, FSSO & TENS; Regulatory reporting.
Processes: Execution and trading; Market data; Custody and back office; Reporting; Business management; Client management; Integration.
Clients: Traders (SaxoTraderPRO and SaxoTraderGO for self-directed traders); Investors (SaxoInvestor for self-directed and delegating investors); Wholesale (outsourced capital markets infrastructure and client-facing front ends); Open / FIX API.
Page 4
Saxo and Kafka: Building a Data Mesh
Kafka self-service for Domain Teams
Data In Motion
Security is key to our success
Education
Page 5
Authentication vs Authorization
Page 6
Phase I
Page 7
Cluster Components and Security (On-prem)
Component         Broker                 Zookeeper
Broker            SASL(Kerberos) + TLS   SASL(Kerberos)
Kafka Connect     SASL(Kerberos) + TLS   NA
Schema Registry   SASL(Kerberos) + TLS   NA
Control Center    SASL(Kerberos) + TLS   NA
Page 8
Challenges with Kerberos
Cross-realm authentication is hard!
Authentication from the cloud using on-prem LDAP/AD is not possible.
Very difficult to debug.
Page 9
Page 10
OAuth with Kafka
Looked possible, looked promising.
A complete, production-ready solution was not available out of the box.
Page 11
OAuth with Kafka – Why Not Production Ready?
The default OAUTHBEARER implementation only handles unsecured JWTs.
It generates arbitrary tokens, so it is only suitable for DEV/TEST environments.
No external authorization server is involved in granting tokens or authenticating clients.
Page 12
OAuth with Azure Active Directory (AAD)
Page 13
Introduction
OAuth is an authorization framework that enables you or your application to get access to an HTTP service, either on behalf of the resource owner or by allowing your application to obtain access on its own behalf.
Page 14
OAuth Terminology
Page 15
OAuth Terminology
Grant Types: Client Credentials
An access token is the token used to access resources.
A refresh token represents your next authorization.
The grant type, or flow, specifies how you retrieve those tokens.
Page 16
Phase II
Page 17
Cluster Components and Security (Azure Cluster)
Component         Broker              Zookeeper
Broker            SASL(OAuth) + TLS   SASL(Digest)
Kafka Connect     SASL(OAuth) + TLS   NA
Schema Registry   SASL(OAuth) + TLS   NA
Control Center    SASL(OAuth) + TLS   NA
Page 18
OAuth Authentication Flow in Kafka
Participants: Clients; Azure AD; Kafka side (Brokers, Connect, Schema Registry, Control Center)
1. Client -> Azure AD: Request token (client id and secret)
2. Azure AD -> Client: Access token
3. Client -> Kafka Broker: OAuth access token
4. Kafka Broker -> Client: Authenticated
Page 19
OAuth Detailed Implementation (Authentication)
Participants: Clients, Brokers, Azure AD
Clients -> Azure AD: Request token
Azure AD -> Clients: Access token
Clients -> Brokers: SASL Authentication Request (Access Token)
Brokers: Validate access token (Azure AD)
Brokers -> Clients: SASL Authentication Response
Clients -> Brokers: Produce/Consume Request
Brokers -> Clients: Response
Page 20
Authentication with OAuth (JWT Token Retrieval & Validation)
Page 21
JWT (JSON Web Tokens)
aaa.bbbbbbb.cccc
Header . Payload . Signature
Page 22
Azure AD App Registration
• Separate apps for Brokers, Producers, Consumers, Connect, SR etc. across the different environments, i.e. Dev, Test and Prod.
• Authentication is based on the client ID and client secret of the apps.
Page 23
Retrieving Azure AD Token
Token response (access_token truncated on the slide):
{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1596455877","not_before":"1596451977","resource":"00000002-0000-0000-c000-000000000000","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSIsImtpZCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSJ9.eyJhdW…
(Screenshot: broker logs showing the access token)
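The token request on this slide and the four-step flow on slide 18, carried through as an added example in Go; this is not code from the talk or from Saxo Bank. It assumes a stand-in token endpoint started in-process (NewFakeTokenServer, a constructed fake of the Azure AD endpoint) and placeholder client id, secret and resource values. RequestClientCredentialsToken is the client side of steps 1 and 2, and OAuthBearerClientFirstMessage produces the SASL/OAUTHBEARER message (RFC 7628 framing, which Kafka's mechanism uses) that carries the token to the broker in step 3.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// TokenResponse holds the fields of the Azure AD token response shown on the slide
// that a Kafka client needs; encoding/json ignores the rest.
type TokenResponse struct {
	TokenType   string `json:"token_type"`
	ExpiresIn   string `json:"expires_in"` // returned as a string, exactly as on the slide
	Resource    string `json:"resource"`
	AccessToken string `json:"access_token"`
}

// RequestClientCredentialsToken is steps 1 and 2 of the flow: the client posts its
// app registration's client id and secret with grant_type=client_credentials and
// gets back a bearer access token for the requested resource.
func RequestClientCredentialsToken(tokenURL, clientID, clientSecret, resource string) (*TokenResponse, error) {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	form.Set("resource", resource)

	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// Surface the endpoint's error body, never the secret that was sent.
		return nil, fmt.Errorf("token endpoint returned HTTP %d: %s", resp.StatusCode, body)
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	if tr.TokenType != "Bearer" || tr.AccessToken == "" {
		return nil, errors.New("token response did not contain a bearer access token")
	}
	return &tr, nil
}

// OAuthBearerClientFirstMessage is step 3: the SASL/OAUTHBEARER initial client
// response that carries the token to the broker (RFC 7628 framing, as Kafka uses).
func OAuthBearerClientFirstMessage(token string) string {
	return "n,,\x01auth=Bearer " + token + "\x01\x01"
}

// NewFakeTokenServer stands in for the Azure AD token endpoint so the example runs
// offline: it knows exactly one app registration and rejects everything else.
func NewFakeTokenServer(knownClientID, knownSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		if r.FormValue("client_id") != knownClientID || r.FormValue("client_secret") != knownSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		// Constructed sample: field names and lifetime mirror the slide; the token
		// body is a placeholder, not a real signed JWT.
		fmt.Fprintf(w, `{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","resource":%q,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e30.PLACEHOLDER"}`, r.FormValue("resource"))
	}))
}

func main() {
	srv := NewFakeTokenServer("00000000-0000-0000-0000-000000000001", "example-secret") // placeholder app
	defer srv.Close()
	tr, err := RequestClientCredentialsToken(srv.URL, "00000000-0000-0000-0000-000000000001", "example-secret", "api://kafka-brokers")
	if err != nil {
		panic(err)
	}
	fmt.Printf("got %s token for %s, valid for %ss\n", tr.TokenType, tr.Resource, tr.ExpiresIn)
	fmt.Printf("SASL client-first message: %q\n", OAuthBearerClientFirstMessage(tr.AccessToken))
}
```

The client secret only ever travels to the token endpoint, which is the property that makes this easier to operate than Kerberos keytabs: the broker never sees the secret, only the short-lived token, so rotating an app registration's secret touches one client and no broker.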
Page 24
Validating JWT (Brokers)
• Validate token length: a valid token has 3 parts, i.e. header, payload and signature.
• Validate token signature:
  • Decode the token header.
  • Get the token signing key.
  • Verify that the token is signed by Azure AD keys.
(Screenshot: decoded header)
Page 25
Validating JWT (Brokers, contd.)
• Validate token expiry and audience from the token claims, i.e. exp and aud.
(Screenshots: decoded payload; broker logs)
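The broker-side checks from slides 24 and 25, as an added example in Go; this is not the brokers' actual callback-handler code from the talk. ValidateToken performs the steps in the order the slides give them: three parts, header decode, signing-key lookup by kid, RS256 signature check, then exp and aud. MintToken, the KeySet type, the kid value and the use of the appid claim as the Kafka principal are assumptions made for the example, and the signing key pair is generated in-process by GenerateSigningKey instead of being fetched from the Azure AD keys endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Header is the decoded first JWT segment; kid selects the Azure AD signing key.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Claims is the decoded payload, limited to what the broker checks; appid is the
// client id of the Azure AD app registration that obtained the token (assumption).
type Claims struct {
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	AppID string `json:"appid"`
}

// KeySet is the broker's cache of Azure AD public signing keys, indexed by kid.
type KeySet map[string]*rsa.PublicKey

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ValidateToken applies the checks from the slides in order: three parts, header
// decode, signing-key lookup by kid, RS256 signature, then exp and aud.
func ValidateToken(token string, keys KeySet, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token has %d parts, expected header.payload.signature", len(parts))
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("decoding header: %w", err)
	}
	var hdr Header
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, fmt.Errorf("parsing header: %w", err)
	}
	// Pin the algorithm: the token must not get to choose "none" or an HMAC alg.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no Azure AD signing key for kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("decoding signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	// Claims are only trusted once the signature has been verified.
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, fmt.Errorf("parsing payload: %w", err)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("audience %q is not this cluster (%q)", c.Aud, expectedAud)
	}
	return &c, nil
}

// GenerateSigningKey makes the example's stand-in for an Azure AD signing key.
func GenerateSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MintToken plays Azure AD for the example: it issues an RS256-signed JWT under kid.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdrJSON, _ := json.Marshal(Header{Alg: "RS256", Kid: kid}) // fixed structs cannot fail to marshal
	claimJSON, _ := json.Marshal(c)
	signingInput := b64url(hdrJSON) + "." + b64url(claimJSON)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

func main() {
	priv, _ := GenerateSigningKey()
	keys := KeySet{"constructed-kid-1": &priv.PublicKey} // stands in for the cached key set
	tok, _ := MintToken(priv, "constructed-kid-1", Claims{Aud: "api://kafka-brokers", Exp: time.Now().Unix() + 3599, AppID: "example-producer-app"})
	c, err := ValidateToken(tok, keys, "api://kafka-brokers", time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

The returned appid is what the broker would hand to Kafka as the principal (in a custom server callback handler, via OAuthBearerToken.principalName()), which is what lets the ACLs on slide 30 be keyed by Azure AD app client IDs rather than by Kerberos principals.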
Page 26
Phase I, Phase II....
Phase III
Page 27
Security Setup – Different Phases
Phase I (Kerberos):
  Producers/Consumers -> Kafka Cluster (Broker 1, Broker 2): Kerberos & TLS
  Brokers -> Zookeeper Cluster (Zookeeper 1, Zookeeper 2): Kerberos
  Connect, Schema Registry, Control Center -> Brokers: Kerberos/TLS
Phase II (OAuth with Azure AD):
  Producers/Consumers -> Kafka Cluster (Broker 1, Broker 2): OAuth & TLS
  Brokers -> Zookeeper Cluster (Zookeeper 1, Zookeeper 2): Digest
  Connect, Schema Registry, Control Center -> Brokers: OAuth/TLS
Page 28
Authorization
Page 29
OAuth Detailed Implementation (Authorization)
Authorizer -> Zookeeper: Get ACLs
Authorizer: Load ACLs
Authorization decision: Allow/Deny
Page 30
Kafka ACLs – Azure AD App Client IDs
Authorization issues (without granting topic ACLs).
(Screenshots: authorization errors without topic ACLs; producer/consumer ACLs granted to the Azure client ID)
Page 31
Enabling OAuth on Kafka
Brokers
Clients (Producers/Consumers)
Page 32
Brokers Configuration
Supporting Multiple Listeners on Brokers
Page 33
How Has The Journey Been So Far?
Easy to authenticate producer/consumer apps running anywhere, i.e. on-prem or cloud.
Cross-domain authentication became possible (in fact, it is no longer even relevant).
Much easier to onboard new clients and authenticate AD apps.
Debugging authentication issues became easier.
We have started the journey to deprecate Kerberos.

GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

How we eased our security journey with OAuth (Goodbye Kerberos!) | Paul Makkar and Rahul Gulati, Saxo Bank

Page 10
OAuth with Kafka
Looked possible, looked promising.
Complete production-ready solution not available out of the box.
Page 11
OAuth with Kafka – Why Not Production Ready?
Default implementation of OAuthBearer deals with unsecured JWT tokens.
Generates arbitrary tokens.
Only suitable for DEV/TEST environments.
No external authorization server involved for granting tokens and authenticating clients.
Page 12
OAuth with Azure Active Directory (AAD)
Page 13
Introduction
OAuth is an authorization framework that enables you or your application to get access to an HTTP service, either on behalf of a resource owner or by allowing your application to obtain access on its own behalf.
Page 15
OAuth Terminology
Grant Types
Client Credentials
Access Tokens are the tokens used to access resources.
A Refresh Token represents your next authorization.
Grant Type or Flow specifies how you retrieve those tokens.
Page 17
Cluster Components and Security
Azure Cluster Broker Zookeeper
Broker SASL(OAuth) + TLS SASL(Digest)
Kafka Connect SASL(OAuth) + TLS NA
Schema Registry SASL(OAuth) + TLS NA
Control Center SASL(OAuth) + TLS NA
Page 18
OAuth Authentication Flow in Kafka
Clients (Brokers, Connect, Schema Registry, Control Center), Azure AD, Kafka Broker
1. Request Token (client id and secret)
2. Access Token
3. OAuth Access Token
4. Authenticated
Page 19
OAuth Detailed Implementation (Authentication)
Clients, Brokers, Azure AD
Request Token
Validate Access Token
SASL Authentication Request (Access Token)
SASL Authentication Response
Produce/Consume Request
Response
Page 20
Authentication with OAuth (JWT Token Retrieval & Validation)
Page 21
JWT (JSON Web Tokens)
aaa.bbbbbbb.cccc
Header . Payload . Signature
Page 22
Azure AD App Registration
• Separate Apps for Brokers, Producers, Consumers, Connect, SR etc. across different environments, i.e. Dev, Test & Prod.
• Authentication based on client ID and client secret of Apps.
Page 23
Retrieving Azure AD Token
{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1596455877","not_before":"1596451977","resource":"00000002-0000-0000-c000-000000000000","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSIsImtpZCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSJ9.eyJhdW…
Broker Logs
Access Token
Page 24
Validating JWT (Brokers)
• Validate token length. A valid token has 3 parts, i.e. Header, Payload, Signature.
• Validate token signature:
  • Decode token header.
  • Get token signing key.
  • Verify that the token is signed by Azure AD keys.
Decoded Header
Page 25
Validating JWT (Brokers, contd.)
• Validate token expiry & audience based on token claims, i.e. exp & aud.
Decoded Payload
• Broker Logs
Page 26
Phase I, Phase II.... Phase III
Page 27
Security Setup – Different Phases
(Diagram) Kerberos phase: Producers, Consumers, Broker 1, Broker 2 (Kafka Cluster), Zookeeper 1, Zookeeper 2 (Zookeeper Cluster), Connect, Schema Registry, Control Center; labels: Kerberos, Kerberos & TLS, Kerberos/TLS.
(Diagram) OAuth phase: Producers, Consumers, Broker 1, Broker 2, Zookeeper 1, Zookeeper 2 (Zookeeper Cluster), Connect, Control Center, Schema Registry, Azure AD; labels: OAuth/TLS, OAuth & TLS, Digest, Kerberos, OAuth.
Page 29
OAuth Detailed Implementation (Authorization)
Zookeeper, Authorizer
Get ACLs
Load ACLs
Authorization: Allow/Deny
Page 30
Kafka ACLs – Azure AD App Client IDs
Authorization issues (without granting topic ACLs).
Producer/Consumer ACLs
Azure Client ID
Page 31
Enabling OAuth on Kafka
Brokers
Clients (Producers/Consumers)
Page 32
Brokers Configuration
Supporting Multiple Listeners on Brokers
Page 33
How Has The Journey Been So Far?
Easy to authenticate Producer/Consumer apps running anywhere, i.e. on prem/cloud.
Cross-domain authentication became possible (in fact, not even relevant).
Much easier to onboard new clients and authenticate AD Apps.
Debugging authentication issues became easier.
Have started the journey to deprecate Kerberos.