There has never been more emphasis on security than in the modern environment of distributed computing and increased data sharing. Our data no longer sits inside silos consumed by a single application. In this context, modern distributed applications need to access protected resources securely without having to share passwords. We need scalable solutions that work with things like single-page applications. We will dive in and explore terms like "OAuth", "OpenID Connect" and "JWT" and how they relate to authentication and authorisation. This presentation hopes to give you a good understanding of what, where and how to get started with the modern approaches to authentication.
CIS14: Developing with OAuth and OIDC Connect (CloudIDSummit)
David Chase, Ping Identity
Exploring the implementation and architecture of OAuth and OpenID Connect, using web and mobile applications, with topics including grant types, choosing a grant type, refresh tokens, and managing sessions
This presentation describes vulnerabilities in two popular single sign-on strategies, SAML and OpenID Connect, and how to mitigate them. The vulnerabilities are:
1) A SAML authentication bypass vulnerability via a canonicalization method that ignores the comment sections of the SAML response when computing the SAML signature.
2) A JWT validation vulnerability with the "none" algorithm: certain libraries skip JWT validation if the algorithm is set to "none" in the JWT header.
The presentation describes various methods to properly validate a SAML response or identity token (id_token).
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional, monolithic server-side applications (where the HTTP session is used), when your front-end application is running in a browser and not securely on the server, there are a few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
Authentication is normally a stateful service. Most implementations rely on the HTTP session, thus introducing state, as the session is an in-memory data structure in the application server.
In the microservices era, most companies are developing so-called RESTful services, where one of the principles is to create stateless systems. In such a scenario, authentication should be stateless too.
There is a standard specification for securing web applications and APIs that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation, and most of the existing ones depend on some sort of external storage (such as a DB) to store the generated tokens for later validation.
Fortunately, there is another specification by the IETF called JSON Web Token that can be combined with OAuth 2 to achieve a stateless authentication system.
In the session, Alvaro will explain the core concepts of OAuth 2 as well as JWT, and how they can be used together to achieve the last two letters of REST: State Transfer.
Authentication is among the most important concepts in security, but most people take a fatally simplistic approach to the matter. We will explore some of the concepts of authentication, including an idea for a more advanced view of authentication that violates common wisdom regarding a related topic.
The talk gives an introduction to the NextGenPSD2 OAuth SCA mode and explains security considerations implementors should take into account when implementing it. This advice goes beyond the text of the NextGenPSD2 spec and is based on the latest OAuth Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics) and work being conducted in the OpenID Foundation's FAPI working group.
Shows how to be an OAuth consumer and provider from PHP (OAuth 1), including the handling of tokens and secrets and the workflow for devices. Also covers the workflow for OAuth 2.
What should today's students of computer science know about the new topics OAuth and OpenID Connect? This presentation addresses this question. It was given as a guest lecture at the Karlsruhe Institute of Technology.
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen (Codemotion)
OAuth is a widespread web-based standard. Its purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensitive credentials across the wire or to third-party applications. After lots of tough discussions over two and a half years, version 2.0 of this standard has finally been released.
This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.
This is my first public speech about ways to secure your API. The interactive presentation can be found here - https://sergeypodgornyy.github.io/oauth-webbylab-presentation/
Security is something you want to get right. If you need to secure an API right now, I imagine you are worrying about how, exactly, to do it. To my surprise, JSON Web Tokens is a topic not often talked about, and I think it deserves to be in the spotlight today. We will see how easy it is to integrate it into an API authentication mechanism. If you want simple stateless HTTP authentication for an API, then JWT is just fine and relatively quick to implement. But while JWT is a simple authentication protocol, OAuth is an authentication framework that enables a third-party application to obtain limited access to an HTTP service. OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
What the Heck is OAuth and Open ID Connect? - UberConf 2017 (Matt Raible)
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes devices, APIs, servers and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The remainder of the slides is about implementing an OAuth 2.0 server using the Apache Amber library (lately renamed to Apache Oltu). My impression is that many developers shy away as soon as they hear "security", so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
Rich Authorization Requests allow clients to pass fine-grained authorization data in the OAuth authorization request. It has been developed based on experiences in open banking and other security-sensitive areas.
OpenID and Information Cards are two of the most prominent emerging identity technologies. It is important that you understand the benefits, usage and differences between them in order to prepare for the future, even when not ready to deploy them. During this presentation we will examine what digital identities are and specifically what each of these technologies is.
Pushed Authorization Requests allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request, and provide them with a request URI that is used as a reference to the data in a subsequent authorization request.
What the Heck is OAuth and OIDC - UberConf 2018 (Matt Raible)
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
REST Service Authentication with TLS & JWTs (Jon Todd)
Many companies are adopting microservices architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that each service now needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem using JSON Web Tokens (JWT) and TLS in Java.
Identity, Security and XML Web Services (Jorgen Thelin)
The use of security credentials and concepts of single-sign-on and “identity” play a big part in Web Services as developers start writing enterprise-grade line-of-business applications. An overview is provided of the emerging XML security credential standards such as SAML, along with various “identity” standards such as Passport and Liberty. We examine how “identity aware” Web Service implementations need to be, and the value a Web Services platform can add in reducing complexity in this area, with lessons drawn from experiences using J2EE technology for real-world security scenarios.
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ... (Amazon Web Services)
Identity is a foundational element of SaaS design, and getting it right can be challenging. You need a strategy that allows you to connect users to tenants, roles, and policies in a seamless model that doesn't handcuff developers. Fortunately, identity providers and OpenID Connect give us a model that equips SaaS providers with the tools they need to address all the moving parts of SaaS identity. In this session, we dive into the details of how you can use these solutions to build a robust identity solution—a solution that covers binding identities to tenants, supports tenant and system roles, and isolates tenant access. The goal here is to provide a concrete example of how to orchestrate all of these elements of the SaaS identity model on AWS.
CIS14: Working with OAuth and OpenID Connect (CloudIDSummit)
Roland Hedberg, Umeå University
All you need to know about OpenID Connect, with concrete examples and hands-on demos that illustrate how OpenID Connect can be used in web and mobile scenarios.
Authentication and Authorization Architecture in the MEAN Stack (FITC)
Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate.
Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017 (Matt Raible)
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes devices, APIs, servers and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information. This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
What the Heck is OAuth and OpenID Connect - RWX 2017 (Matt Raible)
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes devices, APIs, servers and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
What the Heck is OAuth and OpenID Connect - DOSUG 2018 (Matt Raible)
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Companion blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
What is identity proofing? What technologies help you proof a new user when they register with your mobile or web service? This presentation from Identity North shows you how.
Chief Architect Francois Lascelles' presentation from Gluecon 2012. Are you ready to provide APIs that reach out to mobile applications, APIs that connect your applications to the cloud, APIs that connect your applications with your business partners? Recent trends and standards are creating a new generation of API-focused identity patterns.
Learn how to:
• Apply API access control patterns with existing identity infrastructure
• Support emerging standards such as OAuth, Open ID Connect
• Empower developers to create APIs that reach out to your organisation’s target audience
AWS IoT is a managed cloud platform that lets connected devices interact easily and securely with cloud applications and other devices. AWS IoT can support billions of devices and trillions of messages, and can process those messages reliably and securely and route them to AWS endpoints and other devices. With AWS IoT, your applications can keep track of and communicate with all of your devices at any time, even when they are not connected. This webinar gives you an in-depth look at the concepts and workings of this service.
Find out now about the AWS free usage tier: http://amzn.to/1Qh9stj
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
3. 1. Identity & Trust
> Identity, authentication and authorization
> Trust and claims based identity
> Parties involved
2. Tokens
> SAML and JWT
3. OAuth and OpenID Connect
> What do they solve?
> Concepts and Acronyms
> Main Flows
5. Definitions
Identity: Unique name of a person, device, or combination of both.
Authentication: Process of verifying that identity.
Authorization: Function of specifying access rights/privileges to resources.
6. Definitions
Access Token: An object which represents the right to perform some operation.
Identity Token: An object that aids in proving the user's identity and authenticating that user.
10. Scenario: Renting a Car
Dilbert: "Hi. I'm Dilbert. I'd like to rent your finest car."
Amy: "Hi Dilbert. My name is Amy. Can you please provide a driver's license or passport?"
Trust
11. Claims Based Identity
"A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. The subject making the claim or claims is the provider." - Wikipedia.org
12. Dilbert Adams
Driver's License as an Identity Token
Claims about the Subject
• Name
• Address
• Date of birth
• Photo
Issuer (Identity Provider)
• VicRoads
Validation
• Holographic Logo
13. So many names… (Application)
• User
• Subject (Sub)
• Resource Owner (RO)
• Relying Party (RP)
• Client
• Audience (Aud)
• Resource
• Identity Provider (IdP)
• Authorization Server (AS)
• Issuing Authority (ISS)
• Token Issuer
• Security Token Service (STS)
• Login Server
15. Recap
• Authentication vs Authorization
• Claims based identity
• Parties involved
• Traditional and modern approaches
• Leveraging existing trust relationships
• Terms
• User, Subject, Resource Owner
• Relying Party, Client
• Id Provider, Auth Server, Token Issuer
17. Passwords vs Access Tokens
Passwords:
1. Password
2. Password
Access Tokens:
1. Password
2. Token
3. Token
4. Ref Token
5. Claims
If token is a reference token, exchange it for identity claims from the IdP.
18. Security Assertion Markup Language
Open standard for exchanging authentication and authorization data between parties.
45. Recap
• Passwords vs Tokens
• Why tokens are preferred
• SAML (Security Assertion Markup Language)
• JWT (JSON Web Token)
• Header, Payload, Signature
• Constructing
• Verifying
47. OAuth 2.0
"OAuth 2.0 is the industry-standard protocol for authorization. It focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices." - OAuth.net
48. History of OAuth
• 2007, December: OAuth 1.0 Final Draft
• 2010, April: Standardized via IETF
• 2012, October: OAuth 2.0 (Implicit, Auth Code, Resource Owner, Client Credentials flows)
• Today: Device Code, Token Exchange etc.
49. Limitation of OAuth
• Only specifies a solution to authorization concerns
• No standard way of describing claims
Enter “OpenID Connect”
50. OpenID Connect
"OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows." - OpenID.net
(Identity, Authentication) + OAuth 2.0 = OpenID Connect
51. OpenID Connect Concepts
(Diagram arrows: Registration, Sign Up)
Client / Relying Party:
• Store ClientId and Secret
• Pick correct flow for public vs confidential clients
• Construct a HTTP request
• Handle call-back
• Verify token and manage lifetime
Issuer / IdP:
• Allow client and user registration
• Discovery endpoint for meta data: ".well-known/openid-configuration" (Issuer, signing certificate public key, supported claims, scopes etc.)
• Implement endpoints for Token, Authorization and UserInfo
Subject:
• Register and sign in to the IdP
• Inspect and grant consent to the requested scopes
55. OpenID Connect Discovery Endpoint Example
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
60. Token Types
access_token: Key representing access to a resource. Can be self contained or a reference token.
id_token: Contains identity information in the form of a (self contained) JWT.
refresh_token: A reference token that can be used to obtain a new access_token when the current one is no longer valid.
code (authorization code): A reference token that can be exchanged for the access_token.
61. Endpoints
Authorization: Performs the authorization and returns a supported combination of access_token, id_token, refresh_token, and/or code.
Token: Exchanges a reference token (code or refresh_token) for an access_token, id_token and/or refresh_token.
Userinfo: Exchanges the access_token for a set of claims about the identity of the subject.
62. Application Types
Confidential Clients: WebApp (running on backend), WebApi, Native App, Daemon Apps
Public Clients: Single Page Apps (Javascript), Native App
Other: Input Constrained Devices
63. Some OAuth 2.0 Flows
• Implicit grant
• Authorization code grant
• Hybrid flow
• Token Exchange (On-behalf-of)
• Client credentials grant
• Device code grant
• Resource owner password grant*
69. Authorization Code Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
70. Authorization Code Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
GET
https://idp.com/authorize?
client_id=my_client_id
&response_type=code
&redirect_uri=callback_url
&scope=openid
&response_mode=query
&state=12345
&nonce=678910
71. Authorization Code Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
72. Authorization Code Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
GET
https://localhost/webapp?
code=reference_token_here
&state=12345
73. Authorization Code Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
GET
https://idp.com/token?
client_id=my_client_id
&client_secret=some_secret
&grant_type=authorization_code
&code=reference_token_here
&redirect_uri=callback_url
75. Authorization Code Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Authorization: Bearer access_token
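An added example (not from the deck or the linked Microsoft docs) that puts slides 70 to 73 together on the client side: the authorize request is built from a constructed discovery document of the kind slide 55 points at, the callback's state is compared with the value saved in the session before the code is accepted, and the code is then exchanged at the token endpoint. idp.com, my_client_id, callback values and the secret are the slides' placeholders; the token request is formed as a POST with a form body, as RFC 6749 specifies.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document in the shape of .well-known/openid-configuration;
# a real client fetches it from the issuer over HTTPS and caches it.
DISCOVERY = json.loads("""{
  "issuer": "https://idp.com",
  "authorization_endpoint": "https://idp.com/authorize",
  "token_endpoint": "https://idp.com/token",
  "userinfo_endpoint": "https://idp.com/userinfo",
  "jwks_uri": "https://idp.com/keys",
  "response_types_supported": ["code"],
  "scopes_supported": ["openid", "profile"]
}""")

CLIENT_ID = "my_client_id"             # placeholder from the slides
REDIRECT_URI = "https://localhost/webapp"  # registered callback, placeholder from the slides


def build_authorize_url(discovery: dict, session: dict, state: str = None, nonce: str = None) -> str:
    """Step 1 (slide 70): redirect the browser to the authorization endpoint.
    state binds the callback to this browser session (CSRF check); nonce is later
    expected inside the id_token so a token from another login cannot be replayed here."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    session["state"], session["nonce"] = state, nonce
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid", "response_mode": "query", "state": state, "nonce": nonce}
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> str:
    """Step 2 (slide 72): accept the code only if state matches the session's stored value."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)   # one-shot: a second callback cannot reuse it
    got = q.get("state", [None])[0]
    if expected is None or got is None or not secrets.compare_digest(got, expected):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def build_token_request(discovery: dict, code: str, client_secret: str) -> dict:
    """Step 3 (slide 73): exchange the reference token (code) for tokens.
    Sent as POST form data so code and client_secret never land in a URL or access log."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": client_secret}
    return {"method": "POST", "url": discovery["token_endpoint"],
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": urlencode(body)}


def demo():
    session = {}  # stands in for the web app's server-side session store
    url = build_authorize_url(DISCOVERY, session, state="12345", nonce="678910")
    code = handle_callback(REDIRECT_URI + "?code=reference_token_here&state=12345", session)
    return url, build_token_request(DISCOVERY, code, "some_secret"), session["nonce"]
```

After the exchange, the id_token's nonce claim must equal the value kept in the session (`session["nonce"]`), and the access_token is then presented as `Authorization: Bearer ...` as slide 75 shows.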
76. Hybrid Flow
• Same as the implicit flow
• With additional reference token (authorization code).
• Exchange it for an access token using the token endpoint.
https://YOUR_REDIRECT_URI
/#access_token=opaque_token
&expires_in=7200
&token_type=Bearer
&code=AUTHORIZATION_CODE
&id_token=jwt
77. Client Credentials Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Diagram: the client presents its Credentials to the Authorization Server (Admin consent required) and accesses the resource (Dilbert's Driving History).
79. Device Code Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
85. Resource Owner Password Grant Flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
86. Picking the right OAuth flow
Decision tree, reconstructed from the slide's flowchart:
• Public Client? No → Has an active user? No → Client Credentials
• Public Client? No → Has an active user? Yes → Legacy App? Yes → Resource Owner Password Cred…; No → Auth Code
• Public Client? Yes → Input Constrained? Yes → Device Code
• Public Client? Yes → Input Constrained? No → Native or SPA? SPA → Implicit; Native → Auth Code + PKCE
87. Recap
• OAuth
• What it solves
• OpenID Connect
• What it solves
• Concepts
• Endpoints
• Picking an appropriate OAuth flow
88. Want More?
• Protocol Reference: https://oauth.net
• Starter Kit: https://connect2id.com/learn
• Choosing Flows: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
• MS Identity Platform (Azure AD) Documentation
• IdentityServer: https://identityserver.io
• Rob Moore & Matt Davies : Modern Auth @ NDC 2016
Cons of this approach
Have to lookup database each time or save state about session
Non standard ways of storing passwords
Password management
Malicious actor
Weakest link exposes everything
Existing trust relationship
They are what the subject is or is not. It is up to the application receiving the incoming claim to map the is/is not claims to the may/may not rules of the application.
Pros
No credentials are given to the application
Standardized way of storing credentials and managing passwords by well known IdPs.
Utilize existing trust relationships
Self contained token: Drivers License
Reference Token: Visa application number
Story about 3 store and pin
Why protocols are important
Why SAML was popular (Swiss army knife)
Why JWT are more modern
Light weight
Self contained
Verifiable
OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation
The OAuth 1.0 protocol was published as RFC 5849, in April 2010.
The OAuth 2.0 framework was published as RFC 6749, in October 2012.
OpenID Connect specifications were launched in 2014.
Google, Microsoft, PingIdentity and PayPal
ClientId upon registration
Admin must consent to client application scopes
Non interactive flow
Butler example
Delegation
JWT Bearer Authorization Grant (RFC 7523)
Token Exchange Flow
Application needs to request scopes for API A and B up front