The document discusses OAuth and OpenID Connect protocols. It provides diagrams illustrating the flows of OAuth authorization code grant, implicit grant and hybrid grant flows. It also compares OAuth and OpenID Connect, noting that OpenID Connect builds upon OAuth by adding an identity layer. Key aspects of OpenID Connect like ID tokens and their claims are outlined. Examples of OAuth and OpenID Connect implementations are provided at the end.
Authentication and Authorization Architecture in the MEAN StackFITC
Save 10% off ANY FITC event with discount code 'slideshare'
See our upcoming events at www.fitc.ca
Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate.
Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014
More info at FITC.ca
Authentication and Authorization Architecture in the MEAN StackFITC
Save 10% off ANY FITC event with discount code 'slideshare'
See our upcoming events at www.fitc.ca
Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate.
Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014
More info at FITC.ca
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
SpringOne Platform 2016
Speaker: David Ferriera; Director, Cloud Technology, Forgerock
Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server.
In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too.
There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation.
Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system.
In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
A tutorial on how the process of writing an application using a browser’s WebAuthn API, plus how to install a server, how to generate authentication challenges & responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
SpringOne Platform 2016
Speaker: David Ferriera; Director, Cloud Technology, Forgerock
Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server.
In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too.
There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation.
Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system.
In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
A tutorial on how the process of writing an application using a browser’s WebAuthn API, plus how to install a server, how to generate authentication challenges & responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
Slide de la conférence CCI Vaucluse sur le web mobile.( janvier 2011 )
Intervenants : Aliocha iordanoff de Semaweb et Ludwig Ferren de Nowhere-Entreprise.
Mobile Inception's mission "Enabling the mobile enterprise", is to help small & medium organisations to leverage the benefits and to tackle the multiple challenges of the mobile era.
Aside from designing & building tailored Mobile Enterprise Solutions, our experts provide guidance and consulting on the following topics:
- Modern Mobile & Cloud APIs
- Mobile Security & Privacy
- BYOD & Enterprise App Store
- Mobile Native User Experience
- Cross-platform mobile development w/ Xamarin
Contact us at info@mi8.be
La plateforme Web Microsoft ne cesse d'évoluer. La sortie de Visual Studio 2013 s'accompagne d'ASP.NET MVC5 et Web API 2, qui apportent chacunes leurs lots de nouveautés ! Dans cette session, vous découvrirez toutes les nouvelles APIs et nouveaux outils pour développer des applications Web avec Visual Studio 2013.
Speakers : Simon Ferquel (Infinite Square), Julien Corioland (Infinite Square)
Web authentication and authorization has come a long way in the last ten years. In this talk we'll look at where we've come from and how to OAuth and OIDC solved the problems we faced.
Strong Authentication in Web Application #SCS IIISylvain Maret
Swiss Cyber Storm 3 Security Conference / OWASP Track
Strong Authentication: State of the Art 2011
Risk Based Authentication
Biometry - Match on Card
OTP for Smartphones
OTP SMS
PKI
SuisseID
Mobile-OTP
OATH (HOTP, TOTP, OCRA)
Open Source approach
How to integrate Strong Authentication in Web Application?
OpenID, SAML, Identity Federation for Strong Authentication
API, SDK, Agents, Web Services, Modules
PAM, Radius, JAAS
Reverse Proxy (WAF) and WebSSO
PKI / SSL client authentication
PHP example with Multi-OTP PHP class
AppSec (Threat Modeling - OWASP)
February 2016 Webinar Series - Best Practices for IoT Security in the CloudAmazon Web Services
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.
This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. This allows you to build interesting, meaningful applications while owning little to no infrastructure.
Learning Objectives:
Common Internet of Things security issues
AWS IoT Security and Access Control Mechanisms
Build secure interactions with the AWS Cloud
Who Should Attend:
Developers, makers
This session will introduce best practices for IoT security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services. As a result, you are able to scale and innovate, while maintaining a secure environment.
Chief Architect Francois Lascelles presentation from Gluecon 2012. Are you ready to provide APIs that reach out to mobile applications, APIs that connect your applications to the cloud, APIs that connect your applications with your business partners? Recent trends and standards are creating a new generation of API-focused identity patterns.
Learn how to:
• Apply API access control patterns with existing identity infrastructure
• Support emerging standards such as OAuth, Open ID Connect
• Empower developers to create APIs that reach out to your organisation’s target audience
Client certificate validation in windows 8Ashish Agrawal
Client certificate and token decryption in winRT apps.
* Decoding xml token
* Accessing local x509 certificates
* Certificate validation and decryption
* Certificate enrollment
Stateless Microservice Security via JWT and MicroProfile - MexicoOtávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Stateless Microservice Security via JWT and MicroProfile - ES Otavio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with a heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Stateless Microservice Security via JWT and MicroProfile - GuatemalaOtávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
The second half of this presentation we'll deep dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend-data, performs server-side verification and injection of claims, and client-side login and refresh. All code in Github, you'll leave ready to bootstrap your next truly secure full-stack project.
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
Web Based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs have introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and Open ID Connect)
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, as well as integrate devices with other AWS services to create secure solutions.
Learning Objectives:
• Common IoT Thing Management Issues
• Learn about AWS IoT Security and Access Control Mechanisms
• Build Secure interactions with the AWS Cloud
Who Should Attend:
• Technical Decision Makers, Developers, Makers
Hadj Ounis's most notable work is his sculpture titled "Metamorphosis." This piece showcases Ounis's mastery of form and texture, as he seamlessly combines metal and wood to create a dynamic and visually striking composition. The juxtaposition of the two materials creates a sense of tension and harmony, inviting viewers to contemplate the relationship between nature and industry.
2137ad - Characters that live in Merindol and are at the center of main storiesluforfor
Kurgan is a russian expatriate that is secretly in love with Sonia Contado. Henry is a british soldier that took refuge in Merindol Colony in 2137ad. He is the lover of Sonia Contado.
2137ad Merindol Colony Interiors where refugee try to build a seemengly norm...luforfor
This are the interiors of the Merindol Colony in 2137ad after the Climate Change Collapse and the Apocalipse Wars. Merindol is a small Colony in the Italian Alps where there are around 4000 humans. The Colony values mainly around meritocracy and selection by effort.
Explore the multifaceted world of Muntadher Saleh, an Iraqi polymath renowned for his expertise in visual art, writing, design, and pharmacy. This SlideShare delves into his innovative contributions across various disciplines, showcasing his unique ability to blend traditional themes with modern aesthetics. Learn about his impactful artworks, thought-provoking literary pieces, and his vision as a Neo-Pop artist dedicated to raising awareness about Iraq's cultural heritage. Discover why Muntadher Saleh is celebrated as "The Last Polymath" and how his multidisciplinary talents continue to inspire and influence.
3. Definition of “Federation” in NIST SP 800-63-3
“A process that allows for the conveyance of
identity and authentication information across
a set of networked systems.”
https://pages.nist.gov/800-63-3/
4. Definition of “Federation” in NIST SP 800-63-3
“ Identity
”
https://openid-foundation-japan.github.io/800-63-3/index.ja.html
5. Login / Sign-up
Request an Assertion
Authentication Event
Issue an Assertion
Request Attributes
AttributesWelcome, Nov!
Verify the Assertion
6. Login / Sign-up
Request an Assertion
Authentication Event
Issue an Artifact
Send the Artifact
Request Attributes
AttributesWelcome, Nov!
Assertion
7. Login / Sign-up
Request an Assertion
Authentication Event
Issue an Assertion w/ Attributes
Verify the Assertion
Welcome, Nov!