Building a Microgateway in Ballerina_KubeCon 2108Ballerina
API gateways play a critical role in modern enterprise architecture. As microservices strengthen their hold on modern-day application architectures, cloud native API gateways are high in demand. Ballerina, being a programming language designed to address and simplify the complexities of heavily distributed systems primarily built on microservice architectures, provides a rich set of language features and a smart compiler that makes it a good choice of technology to build a cloud native API gateway.
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information.
This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Building a Microgateway in Ballerina_KubeCon 2108Ballerina
API gateways play a critical role in modern enterprise architecture. As microservices strengthen their hold on modern-day application architectures, cloud native API gateways are high in demand. Ballerina, being a programming language designed to address and simplify the complexities of heavily distributed systems primarily built on microservice architectures, provides a rich set of language features and a smart compiler that makes it a good choice of technology to build a cloud native API gateway.
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information.
This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
If you've ever written any code to authenticate wtih Twitter, you may have been confused by all the signature methods and base strings. You'll be happy to know that OAuth 2 has vastly simplified the process, but at what cost?
This talk will give an overview of the OAuth 2 spec, starting with the various options the standard gives to developers for building web apps and native apps. We'll look at what the end user sees, work our way to what developers using an OAuth 2 API deal with, and we’ll end up at what developers of OAuth-2-compliant APIs will need to know to successfully implement the standard.
Many large providers have recently deployed APIs using OAuth 2, including Facebook, Foursquare, Google, and more. But since OAuth 2 is technically still a "draft," many aspects of the spec change from month to month and it's sometimes hard to keep up. We'll cover the commonalities and differences between some of the major providers and draft versions. The security implications of some of the changes between versions 1 and 2 will be covered, along with recommendations for best practices. You'll also get a glimpse of the debates currently raging on the internal OAuth 2 mailing list.
Presented at Open Source Bridge 2011
http://opensourcebridge.org/sessions/686
Current list of OAuth 2 Providers
http://aaronparecki.com/The_Current_State_of_OAuth_2
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
We’ve all encountered the issue: a blank screen or worse, a 500 error on the server. How do you cope with this kind of issue, what do you do to find the culprit and resolve the error.
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider.
In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails.
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
Adding Identity Management and Access Control to your Application, Authorization using the FIWARE components: Identity Management, PEP Proxy, Access Control (PDP/PAP).
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally.
This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
http://www.springio.net/stateless-authentication-for-microservices/
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider.
In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
If you've ever written any code to authenticate wtih Twitter, you may have been confused by all the signature methods and base strings. You'll be happy to know that OAuth 2 has vastly simplified the process, but at what cost?
This talk will give an overview of the OAuth 2 spec, starting with the various options the standard gives to developers for building web apps and native apps. We'll look at what the end user sees, work our way to what developers using an OAuth 2 API deal with, and we’ll end up at what developers of OAuth-2-compliant APIs will need to know to successfully implement the standard.
Many large providers have recently deployed APIs using OAuth 2, including Facebook, Foursquare, Google, and more. But since OAuth 2 is technically still a "draft," many aspects of the spec change from month to month and it's sometimes hard to keep up. We'll cover the commonalities and differences between some of the major providers and draft versions. The security implications of some of the changes between versions 1 and 2 will be covered, along with recommendations for best practices. You'll also get a glimpse of the debates currently raging on the internal OAuth 2 mailing list.
Presented at Open Source Bridge 2011
http://opensourcebridge.org/sessions/686
Current list of OAuth 2 Providers
http://aaronparecki.com/The_Current_State_of_OAuth_2
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
We’ve all encountered the issue: a blank screen or worse, a 500 error on the server. How do you cope with this kind of issue, what do you do to find the culprit and resolve the error.
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider.
In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails.
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
Adding Identity Management and Access Control to your Application, Authorization using the FIWARE components: Identity Management, PEP Proxy, Access Control (PDP/PAP).
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally.
This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
http://www.springio.net/stateless-authentication-for-microservices/
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider.
In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in-depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to get the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
Shows how to be an oauth consumer and provider from PHP - OAuth 1 - including handling of tokens, secrets, and handling the workflow for devices. Also covers the workflow for OAuth 2
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
Erick Tedeschi fala sobre Segurança de identidade digital levando em consideração uma arquitetura de microserviço no InterCon 2016.
Saiba mais em http://intercon2016.imasters.com.br/
DEMYSTIFYING REST
Kirsten Jones
REST web services are everywhere! It seems like everything you want is available via a web service, but getting started with one of these web services can be overwhelming – and debugging the interactions bewilders some of the smartest developers I know. In this talk, I will talk about HTTP, how it works, and how to watch and understand the traffic between your system and the server. From there I’ll proceed to REST – how REST web services layer on top of HTTP and how you can expect a REST web service to behave. We’ll go over how to monitor and understand requests and responses for these services. Once we’ve covered that, I’ll talk about how OAuth is used for authentication in the framework of a REST application. PHP code samples will be shown for interacting with an OAuth REST web service, and I will cover http monitoring tools for multiple OS’s. When you’re done with this talk you’ll understand enough about REST web services to be able to get started confidently, and debug many of the common issues you may encounter.
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
The presentation done at Colombo White Hat Security Meetup for introducing OAuth framework to the security enthusiasts. The event details are in [1].
[1] https://www.meetup.com/Colombo-White-Hat-Security/events/255358391/
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group.
So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.
The Customer Engagement Roadmap - The Key to Increasing the Value of Your Membership Base
Want to increase your subscription site’s profitability? The Customer Engagement Roadmap will show you how!
20. S tep 1: Obtaining a R eques t Token
http://api.netfix.com/oauth/request_token
Signed Request
Request Token & Secret
21. S tep 1: Obtaining a R eques t Token
http://api.netfix.com/oauth/request_token?
oauth_callback=http%3A%2F%2Fwww.example.com%2Fcallback
&oauth_consumer_key=1234567890123456789012345
&oauth_nonce=60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e
&oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255631744
&oauth_version=1.0
22. C alculating The S ig nature
Calculate Base String
<HTTP method>&<canonicalized URL path>&<parameters>
GET&http%3A%2F%2Fapi.netfix.com%2Foauth
%2Frequest_token&oauth_callback%3Dhttp%253A%252F
%252Fwww.example.com%252Fcallback
%26oauth_consumer_key
%3D1234567890123456789012345%26oauth_nonce
%3D3eb496472d2a46ceb71d65fc1b7341ae359f932c
%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp
%3D1255631744%26oauth_version%3D1.0
23. C alculating The S ig nature
• Parameters are collected, sorted and concatenated into a
normalized string
• Parameters in the OAuth HTTP Authorization header excluding the realm
parameter.
• Parameters in the HTTP POST request body (with a content-type of
application/x-www-form-urlencoded).
• HTTP GET parameters added to the URLs in the query part (as defned by
[RFC3986] section 3)
• The oauth_signature parameter MUST be excluded
• Parameters are sorted by name, using lexicographical byte
value ordering
24. C alculating The S ig nature (Authorization Header)
GET /oauth/request_token HTTP/1.1
User-Agent: PECL::HTTP/1.6.4 (PHP/5.2.10)
Host: api.netfix.com
Accept: */*
Authorization: OAuth oauth_callback="http%3A%2F
%2Fwww.example.com%2Fcallback",
oauth_consumer_key="1234567890123456789012345",
oauth_nonce="60a3f1c4a18c2a68d8cb216f46bceb4ad7dff32e",
oauth_signature="SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1255631744", oauth_version="1.0"
25. C alculating The S ig nature
Create Secret
<consumer secret>&<token secret>
1234567890123456789012345&
Sign Base String using algorithm specifed
HMAC(1234567890123456789012345&,<Base String>)
Base64 encode then URL encode result:
oauth_signature=SB%2BjBrcHkQRgMP8XKVyps3rw6Xo%3D
26. S tep 1: Obtaining a R eques t Token (R es pons e)
oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_token_secret=EZ2mBk6rC2vZ
&oauth_callback_confrmed=true
&login_url=https%3A%2F%2Fapi-user.netfix.com%2Foauth
%2Flogin
27. S tep 2: Us er Authentication
Determined by needs of Service Provider
https://api-user.netfix.com/oauth/login?oauth_token=bqba9rku48yacfatjxjw3fkc
28. S tep 2: Us er Authentication
Determined by needs of Service Provider
Callback
oauth_token=bqba9rku48yacfatjxjw3fkc&oauth_verifer=abcdefg
29. S tep 2: Us er Authentication
Determined by needs of Service Provider
31. S tep 3: Obtaining an Acces s Token
http://api.netfix.com/oauth/access_token
Signed Request
Access Token & Secret
32. S tep 3: Obtaining an Acces s Token
http://api.netfix.com/oauth/access_token?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a
&oauth_signature=FXDtkQtg6u42YYipJhBgCBvVXHI%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255704433
&oauth_token=bqba9rku48yacfatjxjw3fkc
&oauth_verifer=abcdefg
&oauth_version=1.0
33. C alculating The S ig nature
Calculate Base String
<HTTP method>&<canonicalized URL path>&<parameters>
GET&http%3A%2F%2Fapi.netfix.com%2Foauth
%2Faccess_token&oauth_consumer_key
%3D1234567890123456789012345%26oauth_nonce
%3D0a5ebd08b88e3ec7d7e27c7fb8735c7aa9a7229a
%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1255704433%26oauth_token
%3Dbqba9rku48yacfatjxjw3fkc%26oauth_verifer%3Dabcdefg
%26oauth_version%3D1.0
34. C alculating The S ig nature
Create Secret
<consumer secret>&<token secret>
1234567890123456789012345&EZ2mBk6rC2vZ
Sign Base String using algorithm specifed
HMAC(1234567890123456789012345&EZ2mBk6rC2vZ,<Base String>)
Base64 encode then URL encode result:
oauth_signature=eCLuRjEhSB%2BFImlN8sqrusPd9AE%3D
35. S tep 3: Obtaining an Acces s Token (R es pons e)
oauth_token=5432109876543210987654321
&user_id=123myuserid456
&oauth_token_secret=543210987654321
36. Acces s ing R es ources
http://api.netfix.com/<path to resource>
Signed Request
Resource
37. Acces s ing R es ources
http://api.netfix.com/users/123myuserid456/queues?
oauth_consumer_key=1234567890123456789012345
&oauth_nonce=0c36fbefee5af0316687c6984a32c0184526e7b2
&oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1255712310
&oauth_token=5432109876543210987654321
&oauth_version=1.0
&v=1.5
38. C alculating The S ig nature
Create Secret
<consumer secret>&<token secret>
1234567890123456789012345&543210987654321
Sign Base String using algorithm specifed
HMAC(1234567890123456789012345&543210987654321,<Base String>)
Base64 encode then URL encode result:
oauth_signature=IXkzzAhF9hnsFIeftxEdfG0nx1s%3D
39. Acces s ing R es ources (R es pons e)
<?xml version="1.0" standalone="yes"?>
<resource>
<link href="http://api.netfix.com/users/123myuserid456/queues/disc"
rel="http://schemas.netfix.com/queues.disc" title="disc queue" />
<link href="http://api.netfix.com/users/123myuserid456/queues/instant"
rel="http://schemas.netfix.com/queues.instant"
title="instant queue" />
</resource>
42. 2-Leg g ed OAuth
• No Dance Required
• Only Consumer Key and Secret required
• Application making requests on its own behalf
• Direct Access / No Delegation
• Replacement for HTTP Basic Authentication
• Sign request just as if they were requests for Request
Tokens