ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

•

1 like•16 views

This document provides an overview of OAuth and OpenID Connect specifications and grant types. It begins with introductions and defining key terms like tokens, scopes, and claims. It then explains the four main grant types - Authorization Code Flow, Implicit Flow, Resource Owner Password Flow, and Client Credentials Flow. The document notes extensions and recommends the Authorization Code Flow with PKCE for most use cases. It discusses related specifications around JSON Web Tokens, introspection, and revocation. It closes by emphasizing the need to understand which combination of specifications are required for a given implementation.

Software

The Many
Layers Of OAuth
Danger Casey
API Problem Solver, GTM Guy, General Nuisance
danger@ngrok.com
May 2023

© ngrok. All rights reserved. Confidential Information of ngrok
01 Intro
02 OAuth Vocabulary
03 The Grant Types
04 Which one when?
05 The fun pain truth lies multitude of specs
06 Closing / Q&A
Agenda

© ngrok. All rights reserved. Confidential Information of ngrok
Who am I?

© ngrok. All rights reserved. Confidential Information of ngrok
Who am I?
https://www.youtube.com/@geekamongthetrees

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
What is OAuth 2.0?
It’s unrelated to OAuth 1.0

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
What is OpenID Connect (OIDC)?
It’s unrelated to OpenID

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Which is better: OAuth or OpenID Connect?
Trick question: OIDC is part of OAuth

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Authentication
- vs -
Authorization

© ngrok. All rights reserved. Confidential Information of ngrok
- Resource Owner is you
- Grant Type (aka Flow) describes the use case
- Tokens represents the authorization, user or state
- Authorization Server (aka Auth Server) creates the tokens
- Scopes are the permissions you request from the Auth Server
- Claims are the fields & data returned from the Auth Server
- Resource Server is where you use the auth and id tokens
Key OAuth Terms

© ngrok. All rights reserved. Confidential Information of ngrok
- Resource Owner is you
- Grant Type how you get the tokens
- Tokens are the tokens
- Authorization Server creates the tokens
- Scopes how you request stuff in the token
- Claims the stuff in the token
- Resource Server where you use the token
Key OAuth Terms (simplified)

© ngrok. All rights reserved. Confidential Information of ngrok
Hotel Key Cards but for Apps

© ngrok. All rights reserved. Confidential Information of ngrok
- Authorization Code Flow
- Implicit Flow
- Resource Owner Password Flow
- Client Credentials Flow
Grant Types (aka OAuth flows)

© ngrok. All rights reserved. Confidential Information of ngrok
Authorization Code Flow
User Auth
Client Auth

© ngrok. All rights reserved. Confidential Information of ngrok
Implicit Flow
User Auth
No Client Auth!

© ngrok. All rights reserved. Confidential Information of ngrok
Resource Owner Password Flow
User Auth
No Client Auth!
Wait. What does that mean!?
The app has your creds!

© ngrok. All rights reserved. Confidential Information of ngrok
Client Credential Flow
Client Auth
No User Auth!?

© ngrok. All rights reserved. Confidential Information of ngrok
Which do I use?
Wait. Where did
that come from?

© ngrok. All rights reserved. Confidential Information of ngrok
Authorization Code Flow with PKCE (RFC 7636)
User Auth
Client Auth

© ngrok. All rights reserved. Confidential Information of ngrok
SAML 2.0 Assertion Flow
Client Auth
No User Auth!?

© ngrok. All rights reserved. Confidential Information of ngrok
Which do I use?

© ngrok. All rights reserved. Confidential Information of ngrok
- Authorization Code Flow
- Implicit Flow - deprecated in favor of Auth Code+PKCE
- Resource Owner Password Flow - not recommended
- Client Credentials Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Flow
- Okta: Interaction Grant Type
Grant Types (aka OAuth flows)

© ngrok. All rights reserved. Confidential Information of ngrok
OAuth (RFC 6749)

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Notice:
NOT authentication

© ngrok. All rights reserved. Confidential Information of ngrok
What about those tokens?

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
JWTs to the Rescue!
(JSON Web Tokens)

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Ha.
You wish.

© ngrok. All rights reserved. Confidential Information of ngrok
JSON Web Token (RFC 7519)

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
So then what do we do?

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
OpenID Connect FTW

© ngrok. All rights reserved. Confidential Information of ngrok
OpenID Connect

© ngrok. All rights reserved. Confidential Information of ngrok
● RFC 6749 OAuth Core
● RFC 7519 JSON Web Token
● RFC 7662 Token Introspection
● RFC 7009 Token Revocation
● OpenID Connect Specification
● RFC 8414 Authorization Server Metadata Discovery
More Pieces!

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
“We support OAuth”
is a meaningless statement

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
“We support OpenID Connect”
is useful (for SSO)

© ngrok. All rights reserved. Confidential Information of ngrok
© ngrok. All rights reserved. Confidential Information of ngrok
Figure out which combo of
specs you need & they have
*RFC 8414 is your best friend

This is my first public speech about way to secure your API. Interective presentation you could find here - https://sergeypodgornyy.github.io/oauth-webbylab-presentation/ Security is something you want to get right. If you need to secure an API right now, I imagine you are worrying about how, exactly, to do it. It is to my surprise that JSON Web Tokens is a topic not often talked about, and I think it deserves to be in the spotlight today. We will see how easy it is to integrate it in an API authentication mechanism. If you want simple stateless HTTP authentication to an API, then JWT is just fine and relatively quick to implement. But JWT is a simple authentication protocol, OAuth is an authentication framework, that enables a third-party application to obtain limited access to an HTTP service. OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

SpringOne Platform 2016 Speaker: David Ferriera; Director, Cloud Technology, Forgerock Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

ForgeRock Open banking - Meetup 28/06/2018

Quentin Castel

Standard Based API Security, Access Control and AI Based Attack - API Days Pa...

Ping Identity

As APIs continue to drive digital transformation efforts in the enterprise and support innovative customer experiences, securing them has never been more important. Principal Regional Solution Architect, Philippe Dubuc introduces how to leverage OpenID Connect, OAuth2 and new emerging standards to protect APIs at API Days Paris on 11 December, 2018. In addition, Philippe goes over how the Intelligent Ping Identity Platform can be used to protect APIs in a pro-active way and how AI can help to protect against attacks. Learn more: http://ow.ly/2Ojm30n1rCT

CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...

CloudIDSummit

John DaSilva, Identity Architect, Ping Identity Brian Campbell, Portfolio Architect, Ping Identity If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.

CIS13: Introduction to OAuth 2.0

CloudIDSummit

John Bradley, Senior Technical Architect, Ping Identity OAuth 2.0 is the future of API Security, allowing software clients to request and use access tokens to access necessary APIs rather than caching and replaying usernames and passwords on every API fetch. John Bradley will explain the OAuth 2.0 protocol from top to bottom. Response types, authorization codes, front-channel vs. back-channel architecture decisions, security considerations and best practices will all be discussed. If you want to really understand OAuth, this session will dig deep.

The OpenID Connect ProtocolClément OUDOT

Stateless authentication for microservices - Spring I/O 2015

Alvaro Sanchez-Mariscal

http://www.springio.net/stateless-authentication-for-microservices/ This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails.

Open APIs - Risks and Rewards (Øredev 2013)

Nordic APIs

Introducing Open APIs and the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack and how Twitters API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev 7 november 2013 in Malmö Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Stateless authentication for microservices - GR8Conf 2015

Alvaro Sanchez-Mariscal

How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team

OAuth FTW

Chris Messina

Auth proxy pattern on Kubernetes

Michał Wcisło

Secure your APIs using OAuth 2 and OpenID Connect

Nordic APIs

Session held by Travis Spencer at PayEx and Nordic APIs event "Secure, flexible and modern APIs for Payments" event in Oslo, May 10th. Description: When opening up secure APIs, OAuth 2 and OpenID Connect are the primary standards being used today. Implementing and using these standards can be challenging. In this session, Travis Spencer, CEO of Twobo Technologies, will provide an in-depth overview of these standards and explain how they can be integrated into financial services apps. The overview will include information on: The actors involved in OAuth and OpenID Connect The flows used in the standards What grant types are, which are defined, and the message exchanges of each What scopes are and examples of their use Different classes of tokens and how they are used Overview of the OpenID Foundation’s work in the Financial API WG Attendees will leave with: An overview of OAuth 2 and OpenID Connect Knowledge of the basics necessary to using these standards Resources and information sources where more information can be found

[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager

WSO2

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...

Leonard Moustacchis

Distributed Authorization with Open Policy Agent.pdf

Nordic APIs

apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...

apidays

apidays Helsinki & North 2023 API Ecosystems - Connecting Physical and Digital June 5 & 6, 2023 API authorization with Open Policy Agent Anders Eknert, Developer Advocate at Styra ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Deep dive into the Open Banking payments flows

ForgeRock Identity Tech Talks

Who’s Knocking? Identity for APIs, Web and Mobile

Nordic APIs

Leveraging open banking specifications for rigorous API security – What’s in...

Rogue Wave Software

Presented at APIdays Paris. API security is the principal concern when it comes to establishing a trusted API ecosystem. Rightly so, because opening up business systems through APIs by definition expands the attack surface that can be exploited. Although many threat vectors and vulnerabilities are well known, we have to remain on the lookout for new threats continuously. On the positive side, open standards that help defend against security threats are constantly being created and refined. What is even more helpful are the specifications that aggregate relevant standards into a comprehensive API security profile. Excellent examples of these are the current specifications that support open banking initiatives like UK Open Banking and PSD2. Could these specifications not have a wider applicability? In other words, would we be able to benefit from the security guidelines captured in these specifications in other verticals like logistics, retail, energy, healthcare and government, too? In this talk, we will compare security guidelines covered in the specifications and see to what extent they may benefit the wider enterprise API developer community.

CIS 2015 Extreme OpenID Connect - John Bradley

CloudIDSummit

Entreprises are deploying more applications to workers phones and tablets. These applications are currently all using separate authentications to establish user identity and authorization. This session will look at how the Native Application profile of OpenID Connect creates a local token broker on the device to centralize authentication for multiple enterprise and SaaS applications on a device. This can be used to increase security by enabling additional authentication factors and a enhanced view of device posture, as well as increasing usability, bu reducing the number of unnecessary authentications that interrupt the users work flow every day.

OAuth2 Authorization Server Under the Hood

Lohika_Odessa_TechTalks

Openstack identity protocols unconferenceDavid Waite

BoxLang: Review our Visionary Licenses of 2024

Ortus Solutions, Corp

Into the Box 2024 - Keynote Day 2 Slides.pdf

Ortus Solutions, Corp

Similar to ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

De la bonne utilisation de OAuth2

Leonard Moustacchis

Introduction to SAML & OIDC

ForgeRock Identity Tech Talks

Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...

Hitachi, Ltd. OSS Solution Center.

Stateless authentication for microservices - Greach 2015

Alvaro Sanchez-Mariscal

Open APIs - Risks and Rewards (Øredev 2013)

Nordic APIs

Stateless authentication for microservices - GR8Conf 2015

Alvaro Sanchez-Mariscal

How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team

OAuth FTW

Chris Messina

Auth proxy pattern on Kubernetes

Michał Wcisło

Secure your APIs using OAuth 2 and OpenID Connect

Nordic APIs

[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager

WSO2

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...

Leonard Moustacchis

Distributed Authorization with Open Policy Agent.pdf

Nordic APIs

apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...

apidays

Deep dive into the Open Banking payments flows

ForgeRock Identity Tech Talks

Who’s Knocking? Identity for APIs, Web and Mobile

Nordic APIs

Leveraging open banking specifications for rigorous API security – What’s in...

Rogue Wave Software

CIS 2015 Extreme OpenID Connect - John Bradley

CloudIDSummit

OAuth2 Authorization Server Under the Hood

Lohika_Odessa_TechTalks

Openstack identity protocols unconferenceDavid Waite

Similar to ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf (20)

De la bonne utilisation de OAuth2

Introduction to SAML & OIDC

Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...

Stateless authentication for microservices - Greach 2015

Open APIs - Risks and Rewards (Øredev 2013)

Stateless authentication for microservices - GR8Conf 2015

How OAuth and portable data can revolutionize your web app - Chris Messina

OAuth FTW

Auth proxy pattern on Kubernetes

Secure your APIs using OAuth 2 and OpenID Connect

[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...

Distributed Authorization with Open Policy Agent.pdf

apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...

Deep dive into the Open Banking payments flows

Who’s Knocking? Identity for APIs, Web and Mobile

Leveraging open banking specifications for rigorous API security – What’s in...

CIS 2015 Extreme OpenID Connect - John Bradley

OAuth2 Authorization Server Under the Hood

Openstack identity protocols unconference

More from Ortus Solutions, Corp

BoxLang: Review our Visionary Licenses of 2024

Ortus Solutions, Corp

Into the Box 2024 - Keynote Day 2 Slides.pdf

Ortus Solutions, Corp

ITB2024 - Keynote Day 1 - Ortus Solutions.pdf

Ortus Solutions, Corp

BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE

Ortus Solutions, Corp

Feeling lost in the trenches of complex SQL queries and manual database interaction? Join us for a beginner-friendly mission to conquer your data with ColdFusion ORM powered by Hibernate! Whether you're a fresh recruit in the coding field or a seasoned veteran navigating legacy ColdFusion applications, this session equips you with the tools and strategies to level up your development game. We will cover ORM session management, ORM settings, caching strategies, virtual service layers, dynamic finders, dynamic counters, and an enhanced Hibernate Criteria builder for ColdFusion to create easy and programmatic HQL queries. We will even see how to build automatic CRUD APIs using only your ORM definitions. Ready to win?

Ortus Government.pdf

Ortus Solutions, Corp

Luis Majano The Battlefield ORM

Ortus Solutions, Corp

Battlefield ORM : Learn the strategies and tactics to win with ColdFusion ORM powered by Hibernate! We have gone through the pain and frustrations of maturing with technology such as an Object Relational Mapper (ORM) powered by Hibernate. This advanced session will cover how to leverage the ColdFusion ORM to start creating amazing, fun, and smell-great applications, and you might even see flying unicorns as well. We will cover ORM session management, ORM settings, caching strategies, virtual service layers, dynamic finders, dynamic counters, and an enhanced Hibernate Criteria builder for ColdFusion to create easy and programmatic HQL queries. We will even see how to build automatic CRUD APIs using only your ORM definitions. Ready to win?

Brad Wood - CommandBox CLI

Ortus Solutions, Corp

You need to write a script you can call from cron to upload a directory of files to S3. Or perhaps zip log files and E-mail them? Or import a CSV into the DB. What do you use? Bash? Python? Node? No silly, you use CFML! ColdFusion developers have been able to write pure CLI scripts with CommandBox CLI for years now and it beats the pants of bash or Node. There's tools for creating interactive wizards, progress bar animations, colored console text output, and easy parameter handling. And the best thing is, CommandBox Task Runners are written in CFML so they can do anything CFML can do. Come learn how quick and easy Task Runners are to use so CFML can become the go-to language to use for anything.

Secure your Secrets and Settings in ColdFusion

Ortus Solutions, Corp

Daniel Garcia ContentBox: CFSummit 2023

Ortus Solutions, Corp

“Transitioning from WordPress to ContentBox: A Powerful ColdFusion Alternative” Are you a web developer tired of working with WordPress and its limitations? Look no further than ContentBox, a robust, open-source ColdFusion-based content management system built on the powerful ColdBox framework. While WordPress is popular due to its ease of use and extensive plugin ecosystem, it can sometimes fall short in terms of scalability and security. With ContentBox, you can enjoy the flexibility and stability of ColdFusion, a language we all know and love. This session will introduce you to ContentBox CMS, what it is, what you can do with it, and why you should consider ContentBox for your next ColdFusion project. We will also compare it to WordPress and show why you would want to use ContentBox instead. Finally, we will discuss modern hosting options and how you can get up and running with a ContentBox site in the cloud using Digital Ocean.

ITB_2023_Human-Friendly_Scheduled_Tasks_Giancarlo_Gomez.pdf

Ortus Solutions, Corp

ITB_2023_CommandBox_Multi-Server_-_Brad_Wood.pdf

Ortus Solutions, Corp

Come learn about of the flagship features of CommandBox Pro. CommandBox Multi-site allows you to completely replace your web server with CommandBox, hosting multiple websites all in a single process. Each site has its own web root, rewrites, logs, configuration, and HTTP bindings! This is a major new enhancement to CommandBox servers and finally bring CommandBox on par with other web servers and allows you to simplify your entire tech stack down to a single moving part for deployment.

ITB_2023_Relationships_are_Hard_Data_modeling_with_NoSQL_Curt_Gratz.pdf

Ortus Solutions, Corp

Some security vulnerabilities are more dangerous than others, or at least more commonly exploited. In this session, we'll look at the top 25 most dangerous software weaknesses and learn how to mitigate them in your CFML code. Target Audience Developers looking to learn when to use NoSQL databases over relational databases and who wonder how to model data for NoSQL Assumed knowledge of the topic Basic data modeling/database design principles The objective of the topic Learn data modeling with NoSQL databases, and how it differs from relational database data modeling., We will also look at good opportunities for using a NoSQL database and when a relational database is still the way to go. We will see why many NoSQL databases don’t pass the ACID (Atomicity, Consistency, Isolation, Durability) test on purpose and what this means to you, the developer.

ITB_2023_Extend_your_contentbox_apps_with_custom_modules_Javier_Quintero.pdf

Ortus Solutions, Corp

ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf

Ortus Solutions, Corp

ITB_2023_CBWire_v3_Grant_Copley.pdf

Ortus Solutions, Corp

CBWIRE is a ColdBox module that makes building modern, reactive CFML apps a breeze without needing JavaScript frameworks such as Vue or React, and without the hassle of creating unnecessary APIs. In this session, we will learn CBWIRE, how to use it, and why you would want to. We also cover CBWIRE version 3, which brings a greatly simplified component syntax and many other requested features from the community. Intended Audience This session is intended for developers looking to build modern applications with less JavaScript. Attendees will need familiarity with ColdBox and CFML.

ITB_2023_Practical_AI_with_OpenAI_-_Grant_Copley_.pdf

Ortus Solutions, Corp

In this session, we will explore various practical applications the OpenAI API. We will begin with an introduction to the API and an overview of its capabilities. Then, we will examine several examples of how the API can be used, including natural language processing, chatbots, content creation, and translation. We will also take a look at cbopenai, a new ColdBox module for working with OpenAI. We will discuss how to get started with the API, including setting up an account, selecting the appropriate API, and integrating it into existing workflows. We will also explore the limitations and considerations when using OpenAI, and discuss potential advancements in practical AI. Intended Audience Participants should have a basic understanding of programming concepts and experience working with APIs.

ITB_2023_When_Your_Applications_Work_As_a_Team_Nathaniel_Francis.pdf

Ortus Solutions, Corp

A logistical look at microservice style applications created at scale from practical experience. Purpose is to present the strengths and purpose of microservice solutions to empower teams working with them or considering them for their projects. Technology will include JavaScript and Java solutions in examples. Hosting concerns will include self-hosted and cloud considerations. Some attention given to comparison to standard or monolith solutions, but not much. Q&A by design as part of this talk. Willing to refine the scope and focus to fit conference leadership preference. Target Audience: developers, architects, managers, and teams working in or considering microservice architecture for their projects.

ITB_2023_Faster_Apps_That_Wont_Get_Crushed_Brian_Klaas.pdf

Ortus Solutions, Corp

We all want our web apps and APIs to respond quickly and scale to dizzying heights of traffic. The traditional request/response cycle of web applications gets us part way to that goal, but it certainly won't get us to being the next Amazon. Asynchronous messaging is a powerful architectural pattern that will help us avoid fundamental problems with scaling while keeping our CFML apps fast and responsive. In this session, we'll look at how systems like Amazon's Simple Queue Service (SQS) and Simple Notification Service (SNS) - along with similar systems in Azure and Google Cloud Platform - can help you build highly responsive, highly scalable CFML apps and services.

ITB_2023_Chatgpt_Box_Scott_Steinbeck.pdf

Ortus Solutions, Corp

Everyone has been hearing about Machine learning and AI for a while now, but recently, it exploded. Like you, Ortus and the CFML Community have been playing with AI too, and one of the end results is ChatGPT Box. AI is cool, and for some people scary, but a lot of people wonder if there is really any true value for us developers, or our businesses. In this session we’ll discuss what ChatGPT Box is, why we created it, what types of problems it solves, why we are using AI to solve those problems, and how we trained and tamed our own AI. We will also touch on some of the science behind the scenes, to help you understand the moving parts, and how ChatGPT Box v1.0.0 is just a drop in the ocean of the possibilities, we’ll touch on some ideas we have, and in the end, using ChatGPT Box can make you a much more productive Ortusian Developer!

ITB_2023_CommandBox_Task_Runners_Brad_Wood.pdf

Ortus Solutions, Corp

Task Runners are a way to automate anything you want from the command line using CFML! You write any sort of logic you want, just like you would with bash scripts, Node, or Python, except you can do it with your favorite language. Task Runners come with dozens of helpful utilities for downloading files, interacting with the user, printing formatted text, and interacting with the file system. Task Runners only require CommandBox to be installed and work great inside Docker as well. We'll cover many of the features available including using modules and lifecycle methods!

Recently uploaded

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Globus

COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.

Enhancing Research Orchestration Capabilities at ORNL.pdf

Globus

Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.

How Recreation Management Software Can Streamline Your Operations.pptx

wottaspaceseo

Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...

Globus

Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.

Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...

informapgpstrackings

Cyaniclab : Software Development Agency Portfolio.pdf

Cyanic lab

CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.

Corporate Management | Session 3 of 3 | Tendenci AMS

Tendenci - The Open Source AMS (Association Management Software)

Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have. For more Tendenci AMS events, check out www.tendenci.com/events

Lecture 1 Introduction to games development

abdulrafaychaudhry

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns

Unlocking Business Potential: Tailored Technology Solutions by Prosigns Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support. Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth. Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices. AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making. Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency. DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration. Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly. Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business. Join us on a journey of innovation and growth. Let's partner for success with Prosigns.

Orion Context Broker introduction 20240604

Fermin Galan

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

Graphic Design Crash Course for beginners

e20449

Globus Compute wth IRI Workflows - GlobusWorld 2024

Globus

As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.

GlobusWorld 2024 Opening Keynote session

Globus

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Natan Silnitsky

In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey. Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience. Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system. Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.

Globus Compute Introduction - GlobusWorld 2024

Globus

May Marketo Masterclass, London MUG May 22 2024.pdf

Adele Miller

A Sighting of filterA in Typelevel Rite of Passage

Philip Schwarz

Using IESVE for Room Loads Analysis - Australia & New Zealand

IES VE

Globus Connect Server Deep Dive - GlobusWorld 2024

Globus

Recently uploaded (20)

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Enhancing Research Orchestration Capabilities at ORNL.pdf

How Recreation Management Software Can Streamline Your Operations.pptx

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...

Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...

Cyaniclab : Software Development Agency Portfolio.pdf

Corporate Management | Session 3 of 3 | Tendenci AMS

Lecture 1 Introduction to games development

Prosigns: Transforming Business with Tailored Technology Solutions

Orion Context Broker introduction 20240604

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Graphic Design Crash Course for beginners

Globus Compute wth IRI Workflows - GlobusWorld 2024

GlobusWorld 2024 Opening Keynote session

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Globus Compute Introduction - GlobusWorld 2024

May Marketo Masterclass, London MUG May 22 2024.pdf

A Sighting of filterA in Typelevel Rite of Passage

Using IESVE for Room Loads Analysis - Australia & New Zealand

Globus Connect Server Deep Dive - GlobusWorld 2024

ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

1. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023

2. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Agenda

3. 01 Who am I?

6. 02 OAuth Vocab

9. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth

11.

12. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user or state - Authorization Server (aka Auth Server) creates the tokens - Scopes are the permissions you request from the Auth Server - Claims are the fields & data returned from the Auth Server - Resource Server is where you use the auth and id tokens Key OAuth Terms

13. © ngrok. All rights reserved. Confidential Information of ngrok - Resource Owner is you - Grant Type how you get the tokens - Tokens are the tokens - Authorization Server creates the tokens - Scopes how you request stuff in the token - Claims the stuff in the token - Resource Server where you use the token Key OAuth Terms (simplified)

15. 03 Grant Types

21. 04 Which should I use?

24. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Grant Types (aka OAuth flows)

28. © ngrok. All rights reserved. Confidential Information of ngrok - Authorization Code Flow - Implicit Flow - deprecated in favor of Auth Code+PKCE - Resource Owner Password Flow - not recommended - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Flow - Okta: Interaction Grant Type Grant Types (aka OAuth flows)

29. Specifications 05

42. © ngrok. All rights reserved. Confidential Information of ngrok OIDC: Opinionated Structure ● openid ● profile ● email ● address ● phone ● name ● given_name ● email ● street_address ● phone_number And many more..

43. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces!

44. © ngrok. All rights reserved. Confidential Information of ngrok ● RFC 6749 OAuth Core ● RFC 7519 JSON Web Token ● RFC 7662 Token Introspection ● RFC 7009 Token Revocation ● OpenID Connect Specification ● RFC 8414 Authorization Server Metadata Discovery More Pieces! The second most important RFC of all

45. 06 Closing Thoughts

48. © ngrok. All rights reserved. Confidential Information of ngrok © ngrok. All rights reserved. Confidential Information of ngrok Figure out which combo of specs you need & they have *RFC 8414 is your best friend

49. © ngrok. All rights reserved. Confidential Information of ngrok 01 Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Recap

50. Thank you

51. The Many Layers Of OAuth Danger Casey API Problem Solver, GTM Guy, General Nuisance danger@ngrok.com May 2023

ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

Recommended

Recommended

More Related Content

Similar to ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf

Similar to ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf (20)

More from Ortus Solutions, Corp

More from Ortus Solutions, Corp (20)

Recently uploaded

Recently uploaded (20)

ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf