This document discusses API security and authorization in distributed microservice architectures. It introduces concepts of identity, authentication and authorization (IAM) and standards like SAML, OAuth and OpenID Connect (OIDC) that address IAM for APIs. OIDC extends SAML and OAuth by standardizing tokens, scopes and endpoints, making it easier to integrate multiple authorization providers. The document recommends using separate OIDC authorization servers per bounded context to define custom scopes and policies and enforce access control in a distributed way.
GHC18 Abstract - API Security, a Grail Quest

API Security, a Grail Quest
Paula Paul
Technology Principal, ThoughtWorks
ppaul@thoughtworks.com
@paulapaultweets
ABSTRACT

Software engineers often wrestle with securing business applications. We've enforced access control with RACF, Unix file permissions, Windows security descriptors, SQL grants, and entitlements servers. Microservice architectures and REST APIs present new challenges for access control. Join this illustrated quest to protect application resources in distributed architectures, using OpenID Connect.
AUDIENCE

This presentation is for software engineers who:
- implement distributed, microservice, event-driven and/or REST API based systems for the enterprise.
- collaborate with Security or SecOps teams within the enterprise, to ensure adoption of secure coding practices and access control for APIs.

This is an Intermediate presentation for the Security track. It provides a technical overview of a broad topic, to arm attendees for more in-depth quests of their own.
INTRODUCTION

We can learn quite a bit about access control from Monty Python and the Holy Grail (Python Pictures, 1991).

Enterprise applications are digital models of a business, enabling access to the products, customer information, supply chains, and transactions that drive revenue and profit. We’ve protected access to those digital resources for decades using the concepts of identity and authentication (‘what is your name’), scope of access (‘what is your quest’), and at times, examining additional attributes or claims that are unique to the user (e.g. ‘what is your favorite color’). The tools we use to define and enforce access control include simple file system permissions based on a network id or group name, and database management systems that have separate logical access controls or grants specific to database objects. These approaches work well when the resources we are trying to protect are centralized in a file system or a monolithic database. In a distributed microservice architecture, we no longer have centralized resources to protect; business resources are scattered everywhere, including the cloud. When we build microservices and APIs for Internet based access to distributed resources, how do we define and enforce access permissions, and cast unauthorized users into the Gorge of Eternal Peril?
The first question, ‘What is your name?’, addresses Authentication and Identity. When you log in to an online banking application, you are challenged to identify yourself, and that identity is authenticated by a trusted provider. In the early 2000s people started thinking about federated identity for the Internet, inspired by Kerberos and later brought mainstream in Windows 2000 (Kohl, J., & Neuman, C., 1993). This led to SAML, and a standard representation of Identity. With SAML, we can think about identity in terms of:
● The IdP (Identity Provider): an actor that issues identity
● The SP (Service Provider): an actor that trusts the IdP as a way to establish who the user is

SAML gave us the concept of identity as a document of attributes.
Authentication and Identity tells us who you are, but does not tell us what resources you are authorized to access. When the social media giants Twitter, Facebook and Google realized we had no open and standard way to delegate access to resources, they solved this problem with OAuth (Hammer, E., 2007). Thanks to OAuth, an authenticated Facebook user can share their profile with friends, without giving those friends their password (yes, OAuth was born of the need to share embarrassing information about ourselves).
OAuth also gave us the concept of access scope, which we see in social media. When a social media site or app asks for permission to access your photos, profile, or other resources you own, access to those resources is granted, or delegated, via OAuth, without giving out your account name or password. In our film clip, the ‘quest’ defines a requested scope of access.

Identity, authentication, and scope of access are the keys to protecting resources. But, our quest is not complete.
And now for something completely standard

OAuth brought us an open, secure way to delegate access to our social media resources, but that’s not quite enough for the enterprise. We don’t really share access to a financial API the same way we share access to our photos on Instagram. In addition, OAuth makes an assumption: I am holding the key, therefore I am the owner of the resources, much the way a hotel key card works.

OAuth leaves some important details up to the engineer. For instance, it defines the concept of scope, but does not define standard or default scopes. It specifies the use of access tokens, but does not define the token format. Software engineers building upon OAuth were left to define their own approaches for tokens, scopes and claims, for the resources they wanted to protect. Since the specification is not prescriptive, if you’ve ever tried to integrate multiple OAuth based APIs, you may have written more code than you wanted or needed.
OpenID Connect (OIDC)

OIDC extends both SAML and OAuth, and standardizes what OAuth leaves to choice, such as scopes, endpoint discovery, and dynamic registration of clients. This makes it easier to write code that can leverage multiple OIDC compliant providers such as AzureAD, Okta, or Google. (The OpenID Foundation, 2014)

OIDC specifies standard access and identity tokens, and defines a set of specific scope names that can be used to request specific sets of claims. Since the OIDC specification dictates the token format, it is easier to work with tokens across implementations, and possible for providers to offer consistent libraries that developers can use to enforce authentication and authorization. Given the clear separation of identity tokens and access tokens, it is also possible to use an IdP for identity and some other service or services for authorization, without having different authorization approaches and implementations for each microservice or each API.
Back to our regularly scheduled programming
With OIDC, developers can have consistent interactions
with IdPs and authorization servers to protect business
resources that are exposed via APIs. Several certified
OIDC libraries are available to validate access tokens and
inspect custom scopes and claims in an open and
standard way, in order to enforce access to resources. To
illustrate this, we’ll look at the mechanics of OIDC, using a
simple client that requests an Identity Token and Access
Token, and uses that Access Token to call a specific
microservice API. [demo with multiple IdPs]
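The token mechanics sketched above, as an added example that is not part of the original proposal or its demo: a small Python model of the client checking an ID token (issuer, audience, expiry, nonce) and of a Products microservice checking an access token and its scope before serving a request. The issuer, client id, API audience, scope names and the shared HS256 signing secret are all constructed for this example; real providers usually sign with RS256 and publish their keys through JWKS, and in production you would use one of the certified OIDC libraries the text mentions rather than hand-rolled JWS parsing. The refusal paths (expired token, ID token presented where an access token is expected, token signed with a different key) are the cases a validator has to get right.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example: a hypothetical issuer, client and API.
ISSUER = "https://idp.example.test"
CLIENT_ID = "inventory-web"
API_AUDIENCE = "https://products.example.test"
# Assumption: tokens are HS256-signed with a secret shared between the authorization
# server and the client/API. Providers usually sign with RS256 (keys via JWKS); the
# claim checks below are the same either way.
SIGNING_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue a compact JWS, as an OIDC provider or a test fixture would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify(token: str, audience: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Check structure, algorithm, signature, issuer, audience and expiry; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the one named in the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def verify_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """Client side: the ID token is addressed to the client and must echo the login nonce."""
    claims = verify(id_token, audience=CLIENT_ID, now=now)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


# Scope required for each operation of the hypothetical Products microservice.
REQUIRED_SCOPE = {"GET": "products:read", "POST": "products:write"}


def products_api(access_token: str, method: str, now=None) -> tuple:
    """Resource-server side: return an HTTP-style (status, reason) for a bearer-token call."""
    try:
        claims = verify(access_token, audience=API_AUDIENCE, now=now)
    except ValueError as err:
        return 401, str(err)  # invalid, expired or misaddressed token
    granted = set(claims.get("scope", "").split())
    needed = REQUIRED_SCOPE.get(method)
    if needed is None or needed not in granted:
        return 403, f"scope {needed} required"
    return 200, f"ok for {claims.get('sub')}"


if __name__ == "__main__":
    now = time.time()
    id_token = mint({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "nonce": "n1",
                     "iat": now, "exp": now + 300})
    access_token = mint({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-42",
                         "scope": "products:read", "iat": now, "exp": now + 300})
    print(verify_id_token(id_token, "n1")["sub"])
    print(products_api(access_token, "GET"), products_api(access_token, "POST"))
```

The split between `verify_id_token` and `products_api` is the separation the text describes: the ID token is consumed by the client and proves who logged in, while the access token is consumed by the API and carries the scope; an ID token handed to the API fails the audience check rather than being silently accepted.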
Authorization design considerations
Microservice design approaches apply to authorization,
including the principles of Domain Driven Design (DDD)
and bounded context (Fowler, M., 2014, Jan). For
authorization, each bounded context represents a
boundary for logical access control. There is a one-to-one
relationship between an authorization server and a
bounded context, with separate scopes to enforce access
control for individual API endpoints and HTTP Verb
combinations. Custom scopes allow for fine grained
authorization of API endpoints, for example, creating one
scope to authorize GET Products, and another to
authorize POST Products. The use of OIDC tokens can
support messaging and event driven architectures as well,
with choices for trusting queues vs. authorizing
messages. Authorization design follows naturally from
the domain of the application and should be part of any
DDD or event storming discussion.
Scope and claim design should reflect business needs
and provide only the minimum sufficient level of fine
grained access control, to minimize complexity. When
authorization requires ad-hoc evaluation of information
specific to the user, an engineer may collaborate with
SecOps stakeholders to create a custom claim, and
associate that claim with scopes created to authorize the
API. For example, you may authorize access to a Votes
API based on a ‘CanVote’ claim that inspects the birth
date of the user. However, avoid complex custom claims
when scopes alone can suffice (i.e. avoid asking for the
favorite color of each caller in order to authorize access
to an API).
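The scope-per-endpoint and custom-claim design from the two paragraphs above, as an added example that is not code from the original proposal: a route table binding each HTTP verb and path of hypothetical Products and Votes APIs to one scope, a ‘CanVote’ claim derived from the birth date at token issuance, and an `authorize` check that fails closed on unmapped routes. The route names, scope names, the minimum voting age and the user records are all constructed for the example. Deriving `CanVote` on the authorization server means the API only ever sees a yes/no claim, which is the data-minimization point the text makes about not asking for each caller’s favorite color.

```python
# Route table for the hypothetical Products and Votes APIs: (HTTP verb, path) -> required scope.
# Constructed for this example; the point is one scope per endpoint/verb combination.
ROUTE_SCOPES = {
    ("GET", "/products"): "products:read",
    ("POST", "/products"): "products:write",
    ("GET", "/votes"): "votes:read",
    ("POST", "/votes"): "votes:cast",
}

MIN_VOTING_AGE = 18  # assumption for the CanVote rule


def _age_on(birth_date: str, today: str) -> int:
    """Whole years between two ISO dates (YYYY-MM-DD), birthday not yet reached this year counts down."""
    by, bm, bd = (int(x) for x in birth_date.split("-"))
    ty, tm, td = (int(x) for x in today.split("-"))
    return ty - by - ((tm, td) < (bm, bd))


def issue_custom_claims(user: dict, today: str) -> dict:
    """Authorization-server side: derive CanVote from the birth date when the token is issued,
    so the API receives a boolean claim and never the birth date itself."""
    return {"CanVote": _age_on(user["birth_date"], today) >= MIN_VOTING_AGE}


# Scopes that need a claim check in addition to possession of the scope.
CLAIM_RULES = {
    "votes:cast": lambda claims: claims.get("CanVote") is True,
}


def authorize(claims: dict, method: str, path: str) -> tuple:
    """API side: deny unknown routes, then require the route's scope, then any claim rule bound to it."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return False, "no scope defined for route"  # fail closed on unmapped endpoints
    if required not in set(claims.get("scope", "").split()):
        return False, f"missing scope {required}"
    rule = CLAIM_RULES.get(required)
    if rule is not None and not rule(claims):
        return False, f"claim rule for {required} not satisfied"
    return True, "ok"


if __name__ == "__main__":
    # Constructed user record and decoded token claims.
    token = {"sub": "user-7", "scope": "products:read votes:cast",
             **issue_custom_claims({"birth_date": "2010-06-01"}, today="2024-05-01")}
    print(authorize(token, "GET", "/products"))  # allowed by scope alone
    print(authorize(token, "POST", "/votes"))    # scope present, CanVote false, denied
```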
Authorization Operations and Testing
The job of an OIDC authorization server is to issue tokens
for requested scopes. Operating an authorization server
requires defining which clients can request tokens, and
creating policies to define what scopes can be requested.
OIDC provides standards for client registration, and
authorization providers such as Auth0 or Okta include
administration consoles and APIs for policy management.
As an alternative, in 2003 the OASIS standards body
ratified XACML as a standard access control policy
language (OASIS 2013, Jan). While XACML can be applied
to OAuth, it has not been widely adopted. But, whether
managed via policy configuration language or API,
authorization servers, scopes, claims, and policies should
be managed as code and deployed via a build pipeline.
Engineers who adopt OIDC will collaborate with SecOps
stakeholders on topics such as token and refresh token
lifetimes, and authorization flows. When authorization
artifacts are maintained as code, automated API testing
can include security stakeholders, enforcing positive and
negative validation of scopes and access policies. For
example, tokens can be pre-generated to test for proper
handling of invalid or expired tokens. Automated API
testing with tools such as Postman can then address
both functional and authorization testing needs.
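The operations and testing points of the two paragraphs above, as an added example that is not code from the original proposal: an authorization-server policy for one bounded context kept as a JSON document in the repository, a lint step a build pipeline can run over it (every client scope must be declared, token lifetimes must stay within an agreed limit), and a token-request evaluator that can be exercised with positive and negative cases. The issuer, client ids, scope names, lifetimes and the lifetime limit are all constructed for the example, and the JSON shape is hypothetical rather than the configuration format of any particular product.

```python
import json

# Constructed policy for the Products bounded context, as it might be committed
# alongside the service and deployed by the pipeline. All names are hypothetical.
POLICY_JSON = """
{
  "issuer": "https://auth.products.example.test",
  "scopes": {
    "products:read":  {"description": "GET /products"},
    "products:write": {"description": "POST /products"}
  },
  "clients": {
    "catalog-web":     {"allowed_scopes": ["products:read"],                   "access_token_ttl": 300},
    "inventory-batch": {"allowed_scopes": ["products:read", "products:write"], "access_token_ttl": 600}
  }
}
"""

MAX_TOKEN_TTL = 3600  # assumed SecOps limit on access token lifetime, in seconds


def load_policy(text: str) -> dict:
    return json.loads(text)


def lint_policy(policy: dict) -> list:
    """Pipeline check: every client scope must be declared and TTLs must be within the agreed limit."""
    problems = []
    declared = set(policy.get("scopes", {}))
    for name, client in policy.get("clients", {}).items():
        for scope in client.get("allowed_scopes", []):
            if scope not in declared:
                problems.append(f"{name}: undeclared scope {scope}")
        ttl = client.get("access_token_ttl", 0)
        if not 0 < ttl <= MAX_TOKEN_TTL:
            problems.append(f"{name}: access_token_ttl {ttl} outside (0, {MAX_TOKEN_TTL}]")
    return problems


def evaluate_token_request(policy: dict, client_id: str, requested: str) -> dict:
    """Decide a token request. Unknown clients and any scope the client is not permitted are refused
    outright (rather than silently narrowing the grant), so a misconfigured client shows up in testing."""
    client = policy["clients"].get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    wanted = requested.split()
    if not wanted:
        return {"error": "invalid_scope", "detail": "no scope requested"}
    denied = [s for s in wanted if s not in client["allowed_scopes"]]
    if denied:
        return {"error": "invalid_scope", "detail": f"not permitted: {' '.join(denied)}"}
    return {"scope": " ".join(wanted), "expires_in": client["access_token_ttl"]}


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    print("lint:", lint_policy(policy) or "clean")
    print(evaluate_token_request(policy, "catalog-web", "products:read"))
    print(evaluate_token_request(policy, "catalog-web", "products:read products:write"))
```

Running `lint_policy` in the build, before the policy is pushed to the authorization server, is the point at which SecOps stakeholders' agreed limits (here only a lifetime cap) become a failing build rather than a review comment.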
API gateways present another alternative to OIDC
authorization servers. Centrally managed API gateways
can be less flexible than independent authorization
servers per bounded context, and may also be limited
strictly to REST, as opposed to a messaging or event
driven architecture. For a more flexible and distributed
approach to enterprise API authorization, multiple
options for lightweight OIDC authorization servers are
available, including open source implementations
(IdentityServer4, Ory/Hydra) and authorization servers
integrated with and supported by IdPs (Okta, Auth0).
Have we chosen wisely?
Using separate OIDC compliant authorization servers and
scopes aligned with each product or bounded context is a
wise choice. This allows engineering teams to
independently define and manage custom scopes that
are specific to application needs, and enforce access
policies with OIDC compliant libraries available for the
languages and frameworks of their choice. When
authorization artifacts are managed as code, authorization
can be part of the CI/CD pipeline, the true grail.
OUTCOMES/CONCLUSION
After this presentation, attendees will:
- Understand the concepts of Identity, Authentication and
Authorization as they apply to access control
- Understand the background and history of application
access management, through SAML, OAuth and OIDC
- Understand the benefits of OIDC for microservice and
API authorization
- Take away some design considerations for designing
authorization using OIDC
- Gain some insight into operational, SecOps, and testing
considerations for OIDC and authorization servers
PARTICIPATION STATEMENT
If accepted, I will attend the conference.
REFERENCES/BIBLIOGRAPHY
- Fowler, M. (2014, Jan). Bliki: Bounded Context.
Retrieved March 05, 2018, from http://bit.ly/2thC7vJ
- Hammer, E. (2007, Oct). Beginner's Guide to OAuth -
Part I: Overview. Retrieved March 04, 2018, from
http://bit.ly/2CYACly
- Kohl, J., & Neuman, C. (1993, Sep). The Kerberos
Network Authentication Service (V5). Retrieved
March 04, 2018, from http://bit.ly/2FsCOXQ
- OASIS (2013, Jan). eXtensible Access Control Markup
Language (XACML) TC. Retrieved March 04, 2018,
from http://bit.ly/1cEGf5g
- Python Pictures. (1991). Monty Python and the Holy
Grail. Burbank, CA: RCA/Columbia Pictures Home
Video, from http://bit.ly/2Frf2vx
- The OpenID Foundation (2014, Feb). Welcome to
OpenID Connect. Retrieved March 04, 2018, from
https://openid.net/connect/
BIO
Paula entered the workforce as a software engineer with
IBM in the early 80’s, where she shipped her first product
on magnetic tape. She’s shipped many software products
since then, evangelized .NET with Microsoft, held
executive positions in technology architecture and
operations, and taught people of all ages to code. Paula is
passionate about equal opportunities for technical
literacy, and enjoys (half) joking about how Kubernetes
reminds her of IBM/370 systems programming.
Paula is a Technology Principal with ThoughtWorks,
where she helps clients adopt cloud native technology,
and serves the community as an ABI Syster, diversity
speaker, and mentor.