OAuth and OpenID Connect for Microservices

•

35 likes•13,023 views

The document discusses using OAuth and OpenID Connect to secure microservices. It describes how OAuth allows for scalable delegation of access across services. OpenID Connect builds on OAuth to also return identity information to clients in a JSON Web Token (JWT), allowing for single sign-on. The document recommends using OAuth/OIDC to authenticate users centrally and issuing JWTs to microservices, translating tokens through an API gateway for service-to-service communication.

Technology

OAuth and OpenID Connect for Microservices
A homogenous solution for a heterogeneous problem!
Jacob Ideskog – Identity Specialist at Twobo Technologies!
Copyright © 2014 Twobo Technologies AB. All rights reserved

Copyright © 2014 Twobo Technologies AB. All rights reserved
A Traditional Service

With Traditional Subsystems
Copyright © 2014 Twobo Technologies AB. All rights reserved
Component C
Component D
Component A
Component B

… and traditional scalability
Copyright © 2014 Twobo Technologies AB. All rights reserved

But this is not always how we build systems
Copyright © 2014 Twobo Technologies AB. All rights reserved

A microservice
Copyright © 2014 Twobo Technologies AB. All rights reserved

Many microservices
Copyright © 2014 Twobo Technologies AB. All rights reserved

Scaling microservices
Copyright © 2014 Twobo Technologies AB. All rights reserved

So what’s the problem?
Copyright © 2014 Twobo Technologies AB. All rights reserved

Securing a traditional service
Copyright © 2014 Twobo Technologies AB. All rights reserved

Securing a traditional service
Copyright © 2014 Twobo Technologies AB. All rights reserved
User repository

So for microservices that would mean
Copyright © 2014 Twobo Technologies AB. All rights reserved
User repository

Not fantastic!
Copyright © 2014 Twobo Technologies AB. All rights reserved

Lets talk about OAuth
It’s not for Authentication
…and not for Authorization
OAuth is a scalable delegation protocol
Copyright © 2014 Twobo Technologies AB. All rights reserved

OAuth has 4 actors
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The client requests access
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The AS requires the RO to authenticate
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The AS issues the tokens
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The Client presents the token to the RS
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

The RS validates the Token
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

Access!
Resource Owner (RO)
Authorization Server (AS)
ClientResource Server (RS)
Copyright © 2014 Twobo Technologies AB. All rights reserved

One very important thing"
"
- The Client knows nothing about the user
Copyright © 2014 Twobo Technologies AB. All rights reserved

Open ID Connect"
(Simplified)
Copyright © 2014 Twobo Technologies AB. All rights reserved

Request Access
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Get Redirected to AS
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Challenged
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Now – an ID Token ( ) is also given
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Sessions can be created (SSO)
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

Tada!
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)
ClientResource Server (RS)
Sessions
MyMail.com

What was interesting there?
Copyright © 2014 Twobo Technologies AB. All rights reserved

TRUST
Copyright © 2014 Twobo Technologies AB. All rights reserved

The ID Token is a JWT"
(JSON Web Token)
Copyright © 2014 Twobo Technologies AB. All rights reserved

$A signed JSON document { } { "iss": "https://fs.oidc.net", "x5t": "5F0A1359B4BB9FBB104155908DEC1FDCB5AC8865", "typ": "JWT", "alg": "RS256” "sub": "janedoe", "name" : "Jane Doe", "email" : "jane@doe.com", "phone_number" "+46 (0) 12345678", "aud": "https://mymail.com", "iss": "https://fs.oidc.net", "nbf": 1409213888783, "jti": "622a9973-‐fc4d-‐4797-‐be31-‐7c2116f549df", "exp": 1409213890583, "iat": 1409213888783 } Copyright © 2014 Twobo Technologies AB. All rights reserved Certificate Signature orQOOKvXN3jbEpBSl0RHAyaQNxcx9DFgtMsJJgMxm9Az6QJMKKy6m0 WvP1UzXZA_nsK16g9etg2yEW9IXbQU0RbSQktUtObRB9SxHtW_AcCk6 93XDAz15Y4aP9DeD62nROzd1MS4FZTmY3Cgzo1-3- sqW6_4Rgzs94aLO3aLP_zoVtJycCUKtJQhGhPTyjXXYWMsp0E4uTtL8Ri f7cWu4olme_XNFlAs73pOrfzsQYc1GD2dB70l1M8SDaJZFURr9jAAaavX 7Xqs_FPXY1PZLXLbc3ARXFmRf_- Z4B6uLCGI2shzl12ni54Yun6dflL9rQwaxXYuNZZodUWchID2cA$

OAuth Access Tokens can also be JWTs
Copyright © 2014 Twobo Technologies AB. All rights reserved

2 types of tokens
Copyright © 2014 Twobo Technologies AB. All rights reserved
123XYZ
Jane Doe
By Value
By Reference

By Reference
Contains NO information outside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
123XYZ
Jane Doe

Contains ALL necessary information
Copyright © 2014 Twobo Technologies AB. All rights reserved
By Value

External vs. Internal
By ReferenceBy Value
123XYZ
Outside the network
Inside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
API Firewall /
Reverse Proxy
API

Token Translation
By ReferenceBy Value
123XYZ
Outside the network
Inside the network
Copyright © 2014 Twobo Technologies AB. All rights reserved
API Firewall /
Reverse Proxy
API

Back to Microservices
Copyright © 2014 Twobo Technologies AB. All rights reserved

2 Problems"
"
- Identifying the user"
- Creating sessions"
Copyright © 2014 Twobo Technologies AB. All rights reserved

Leave authentication to the OAuth/OIDC server
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Authorization Server (AS)

Let all Microservices accept JWTs
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved

BUT…"
"
Translate!
Copyright © 2014 Twobo Technologies AB. All rights reserved

Let all Microservices accept JWTs
Resource Owner (RO)
Copyright © 2014 Twobo Technologies AB. All rights reserved
Reverse Proxy
123
XYZ

- everything is self contained"
- standards based"
- non-reputable"
- scalable
Copyright © 2014 Twobo Technologies AB. All rights reserved
Conclusion

Copyright © 2014 Twobo Technologies AB. All rights reserved
Thank you!

Session held by Travis Spencer at PayEx and Nordic APIs event "Secure, flexible and modern APIs for Payments" event in Oslo, May 10th. Description: When opening up secure APIs, OAuth 2 and OpenID Connect are the primary standards being used today. Implementing and using these standards can be challenging. In this session, Travis Spencer, CEO of Twobo Technologies, will provide an in-depth overview of these standards and explain how they can be integrated into financial services apps. The overview will include information on: The actors involved in OAuth and OpenID Connect The flows used in the standards What grant types are, which are defined, and the message exchanges of each What scopes are and examples of their use Different classes of tokens and how they are used Overview of the OpenID Foundation’s work in the Financial API WG Attendees will leave with: An overview of OAuth 2 and OpenID Connect Knowledge of the basics necessary to using these standards Resources and information sources where more information can be found

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

Nordic APIs

This is a session given by Jacob Ideskog at Nordic APIs 2016 Platform Summit on October 25th, in Stockholm Sweden. Description: In this talk Jacob Ideskog (Identity Expert at Twobo Technologies) address the growing need to secure the emerging devices accessible over the Internet. The Internet of Things has many interpretations, but the common denominator is that there will be a vast number of connected devices, and nobody (almost) want’s those hacked.

Incorporating OAuth

Twobo Technologies

The JSON-based Identity Protocol Suite

Twobo Technologies

SpringOne Platform 2016 Speaker: David Ferriera; Director, Cloud Technology, Forgerock Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro. Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server. In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too. There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation. Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system. In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.

Open APIs - Risks and Rewards (Øredev 2013)

Nordic APIs

Introducing Open APIs and the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack and how Twitters API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev 7 november 2013 in Malmö Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Designing an API

Twobo Technologies

OAuth & OpenID Connect Deep Dive

Nordic APIs

OpenID Connect 1.0 Explained

Eugene Siow

OAuth Assisted Token Flow for Single Page Applications

Nordic APIs

In this talk, Daniel Lindau, Solution Architect at Curity, will show how OAuth can be integrated into Single Page Applications (SPAs) using the assisted token flow — a new OAuth message exchange pattern introduced at IETF 101. He will contrast it with implicit flow and show how framing, token storage, and other nuances are handled using this new alternative flow. He will highlight the use of the HTML postMessage interface for passing tokens (vis-a-vis redirects used by other flows). He will also demo how this protocol can be used with various JavaScript frameworks, like JQuery, in just a few lines of code. He will conclude by giving a state of the draft and its future.

Single Sign On with OAuth and OpenID

Gasperi Jerome

Mit 2014 introduction to open id connect and o-auth 2

Justin Richer

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

CloudIDSummit

Twobo LDAP Attribute Store for ADFSTwobo Technologies

Authentication and Authorization Architecture in the MEAN Stack

FITC

Save 10% off ANY FITC event with discount code 'slideshare' See our upcoming events at www.fitc.ca Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate. Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014 More info at FITC.ca

LASCON 2017: SAML v. OpenID v. Oauth

Mike Schwartz

CIS 2015 OpenID Connect and Mobile Applications - David Chase

CloudIDSummit

ID連携入門 (実習編) - Security Camp 2016

Nov Matake

Stateless authentication for microservices

Alvaro Sanchez-Mariscal

This talk is about how to secure your frontend+backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your frontend application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend. Video available at https://skillsmatter.com/skillscasts/6058-stateless-authentication-for-microservices

Microservices Manchester: Authentication in Microservice Systems by David Borsos

OpenCredo

When implementing applications using a microservice architecture, concerns of authenticating and authorising end-users or other services requires a different approach, especially when scalability and no single points of failure is in mind. I’d like to talk about some “lessons learned” in the past few years and show a few ideas how to deal with these concerns. About David Borsos David is a Senior Consultant for OpenCredo having joined the company as a consultant in 2013. David works on a number of technical engagements for OpenCredo and has a several years experience working in the financial industry, developing web-based enterprise applications, mostly of internally used tools that supported the maintenance and operations of a large IT infrastructure.

What's hot

1400 ping madsen-nordicapis-connect-01Nordic APIs

Authorization The Missing Piece of the Puzzle

Nordic APIs

OpenID Connect Explained

Vladimir Dzhuvinov

Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World

Twobo Technologies

Launching a Successful and Secure API

Nordic APIs

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

Open APIs - Risks and Rewards (Øredev 2013)

Nordic APIs

Designing an API

Twobo Technologies

OAuth & OpenID Connect Deep Dive

Nordic APIs

OpenID Connect 1.0 Explained

Eugene Siow

OAuth Assisted Token Flow for Single Page Applications

Nordic APIs

Single Sign On with OAuth and OpenID

Gasperi Jerome

Mit 2014 introduction to open id connect and o-auth 2

Justin Richer

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

CloudIDSummit

Twobo LDAP Attribute Store for ADFSTwobo Technologies

Authentication and Authorization Architecture in the MEAN Stack

FITC

LASCON 2017: SAML v. OpenID v. Oauth

Mike Schwartz

CIS 2015 OpenID Connect and Mobile Applications - David Chase

CloudIDSummit

ID連携入門 (実習編) - Security Camp 2016

Nov Matake

What's hot (20)

1400 ping madsen-nordicapis-connect-01

Authorization The Missing Piece of the Puzzle

OpenID Connect Explained

Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World

Launching a Successful and Secure API

An Authentication and Authorization Architecture for a Microservices World

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Open APIs - Risks and Rewards (Øredev 2013)

Designing an API

OAuth & OpenID Connect Deep Dive

OpenID Connect 1.0 Explained

OAuth Assisted Token Flow for Single Page Applications

Single Sign On with OAuth and OpenID

Mit 2014 introduction to open id connect and o-auth 2

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

Twobo LDAP Attribute Store for ADFS

Authentication and Authorization Architecture in the MEAN Stack

LASCON 2017: SAML v. OpenID v. Oauth

CIS 2015 OpenID Connect and Mobile Applications - David Chase

ID連携入門 (実習編) - Security Camp 2016

Viewers also liked

Stateless authentication for microservices

Alvaro Sanchez-Mariscal

Microservices Manchester: Authentication in Microservice Systems by David Borsos

OpenCredo

Securing RESTful APIs using OAuth 2 and OpenID Connect

Jonathan LeBlanc

Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

Stateless authentication for microservices - Spring I/O 2015

Alvaro Sanchez-Mariscal

http://www.springio.net/stateless-authentication-for-microservices/ This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.

Testing strategies for micro services - Ketan Soni, Jesal Mistry, ThoughtWorksThoughtworks

Nginx Scripting - Extending Nginx Functionalities with LuaTony Fabeen

The Role of Enterprise Integration in Digital Transformation

Kasun Indrasiri

What is API's

John Pereless

Stateless token-based authentication for pure front-end applications

Alvaro Sanchez-Mariscal

This talk is about how to secure your frontend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications, when your frontend application is running on a browser and not securely from the server, there are few things you need to consider. We will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend. Note: images are courtesy of Shutterstock.com

OAuth2 and Spring Security

Orest Ivasiv

muCon 2016: Authentication in Microservice Systems By David Borsos

OpenCredo

Software security is hard. Software security in Microservice Systems is even harder. Microservice-style software architectures have steadily been gaining popularity in recent years. They offer many benefits over traditional monolithic software products, however they also introduce new challenges - one of these being security. In recent years David has worked on this problem in several independent projects, and this talk will draw on his learnings within the topic of authenticating end-users. David will describe, compare and evaluate several authentication options from the perspective of how secure they are and how well they comply with the qualities of a well-designed microservice system. You will leave the talk with suggested evaluation criteria and guidance for implementation based on their use cases.

DevSecOps in Baby Steps

Priyanka Aash

OpenID Connect 入門〜コンシューマーにおけるID連携のトレンド〜

Masaru Kurahayashi

[参考情報] 【永久保存版】OAuth 2.0 / OpenID Connect シーケンスまとめ URL：https://qiita.com/kura_lab/items/812a62b5aa3427bdb49d タイトル：『OpenID Connect 入門〜コンシューマー領域におけるID連携のトレンド〜』概要：コンシューマー領域におけるID連携のトレンドであるOpenID Connectの概要と仕様のポイントについてご紹介します。 OpenID TechNight Vol.13 - ID連携入門 Aug. 26, 2015 URL：https://openid.doorkeeper.jp/events/29487

Analyzing OAuth

Oliver Pfaff

Modern authentication solutions in Angular 2 with OAuth 2.0 and OpenId Connect

Manfred Steyer

SäKerhet I MolnenPredrag Mitrovic

Tjänsteplattform i mtg - 2014 02-05

Advania

I den här presentationen diskuteras begreppet tjänsteplattform, e-tjänsteplattform, "kommunal tjänsteplattform" och vad den plattformen egentligen behöver innehålla för att svara upp mot en hållbar e-utveckling. Med hållbar avses här att göra rätt från början, att inte måla in sig i ett hörn, att inte hamna i en återvändsgränd - bara för att man inte hade hela bilden klart för sig när man startade. Och det går att börja smått, ändå. Med enkla e-tjänster.

2. Day 2 - Identify and SSOHuy Pham

Stateless authentication for microservices - Greach 2015

Alvaro Sanchez-Mariscal

Viewers also liked (19)

Stateless authentication for microservices

Microservices Manchester: Authentication in Microservice Systems by David Borsos

Securing RESTful APIs using OAuth 2 and OpenID Connect

Stateless authentication for microservices - Spring I/O 2015

Testing strategies for micro services - Ketan Soni, Jesal Mistry, ThoughtWorks

Nginx Scripting - Extending Nginx Functionalities with Lua

The Role of Enterprise Integration in Digital Transformation

What is API's

Stateless token-based authentication for pure front-end applications

OAuth2 and Spring Security

muCon 2016: Authentication in Microservice Systems By David Borsos

DevSecOps in Baby Steps

OpenID Connect 入門〜コンシューマーにおけるID連携のトレンド〜

Analyzing OAuth

Modern authentication solutions in Angular 2 with OAuth 2.0 and OpenId Connect

SäKerhet I Molnen

Tjänsteplattform i mtg - 2014 02-05

2. Day 2 - Identify and SSO

Stateless authentication for microservices - Greach 2015

Similar to OAuth and OpenID Connect for Microservices

Securing your Rails application

clucasKrof

Razorfish 2014 Tech Summit - Senior Principal Scientist at Adobe Roy Fielding

Razorfish

OAuth in the Real World featuring Webshell

CA API Management

Find out how today’s authorization experts are getting maximum value from OAuth OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.

DevOps, CD and [Data] Microservices

Fred Melo

OAuth2 - The Swiss Army Framework

Brent Shaffer

Microservices architecture

Daniel Foo

Mule4 EAIESB Meetup

Vijay Reddy

OGDC 2014_Cross platform mobile game application development_Mr. Makku J.Keroogdc

OGDC 2014: Cross Platform Mobile Game Application DevelopmentGameLandVN

CTD303_Korea’s Largest OTT provider

Amazon Web Services

POOQ - Content Alliance Platform is the primary OTT service provider in Korea. In this session, we discuss how Content Alliance Platform migrated its workloads to AWS this year using AWS Elemental Cloud, Amazon CloudFront, and other AWS services. After their initial migration, Content Alliance Platform has continuously optimized video transcoding for better quality and cost-effective delivery using CloudFront. To achieve this, they developed various video profiles using AWS Elemental Live, according to the content, by using various CloudFront features, such as geo-blocking, signed cookies and URLs, and HTTPS with ACM, and by adopting various new media technologies, such as H.265, UHD, VBR, and HFR. Finally, we discuss how Content Alliance Platform is developing its next generation of OTT services using microservice architecture with Docker.

Part 2: Architecture and the Operator Experience (Pivotal Cloud Platform Road...

VMware Tanzu

The primary goals of this session are to: Do a deep dive into the CF architecture via animated slides illustrating push, stage, deploy, scale, and health management. Also do a brief dive into BOSH, including why BOSH, what it is, and animations of how it works. It’s not an operations focused workshop, so we keep the treatment light. Discuss the value adds to CF BOSH OSS that Pivotal brings through the Pivotal Ops Manager product and our associated ecosystem of data and mobile services. Quickly prove that I can push an app to a Pivotal CF environment running on vCHS in the same exact way I can push an app to PWS. Pivotal Cloud Platform Roadshow is coming to a city near you! Join Pivotal technologists and learn how to build and deploy great software on a modern cloud platform. Find your city and register now http://bit.ly/1poA6PG

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Akana

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security or mobile application security.

Cloud native Microservices using Spring Boot

Sufyaan Kazi

Platform Security that will Last for Decades (Travis Spencer)

Nordic APIs

To Microservices and Beyond

Simon Elisha

Pivotal CenturyLink Cloud Platform Seminar Presentations: Architecture & Oper...

VMware Tanzu

Architecture & Operations

VMware Tanzu

The primary goals of this presentation are to: - Show how to easily deploy Pivotal Cloud Foundry to CenturyLink Cloud with CenturyLink’s Blueprint technology - Do a deep dive into the CF architecture via animated slides illustrating push, stage, deploy, scale and health management. - Discuss in depth how Pivotal Cloud Foundry simplifies many traditional operator concerns such as managing application updates, availability, user/quota management and monitoring. - Provide a brief introduction to BOSH, including why BOSH, what it is and animations of how it works. - Discuss the value adds to CF BOSH OSS that Pivotal brings through the Pivotal Ops Manager product and our associated ecosystem of data and mobile services.

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

CA API Management

By now you’ve bought into the idea of using APIs to integrate cloud, mobile devices and the enterprise. But are building safe APIs? One insecure API can increase your organization’s risk profile exponentially. Securing APIs is not like securing the web—a point lost on many developers coming from a web-centric background. Learn what good practices to put in place and the common security anti-patterns you must avoid to ensure your company’s APIs are reliable, safe and secure. You will learn: • The top ways hackers exploit APIs in the wild • Common identity pitfalls and how to avoid them • Why OAuth scopes are essential to master • How to keep web developers from bringing bad habits with them

Enabling Voice Applications with WebRTC and ORTC in Microsoft Edge

Mark Roberts

The Fantastic Voyage to PaaS - Are we there yet? (Cloud Foundry Summit 2014)

VMware Tanzu

Keynote delivered by Casey Hadden, Software Developer and Architect at SAS. SAS is a software vendor with 35+ years of industry history (and 35+ years of software decisions). From mainframes, Unix workstations, and client-server to web applications, big data, and cloud; one constant has been the changing computing environment. Throughout these eras, SAS software and the SAS business has adapted to each change in order to deliver valuable analytics to our customers. With cloud environments firmly ensconced and PaaS gaining traction every day, how does SAS rework its software and business again to compete and thrive in this environment? How can SAS help to fill in the 'Analytics' portion of an enterprise PaaS strategy?

Similar to OAuth and OpenID Connect for Microservices (20)

Securing your Rails application

Razorfish 2014 Tech Summit - Senior Principal Scientist at Adobe Roy Fielding

OAuth in the Real World featuring Webshell

DevOps, CD and [Data] Microservices

OAuth2 - The Swiss Army Framework

Microservices architecture

Mule4 EAIESB Meetup

OGDC 2014_Cross platform mobile game application development_Mr. Makku J.Kero

OGDC 2014: Cross Platform Mobile Game Application Development

CTD303_Korea’s Largest OTT provider

Part 2: Architecture and the Operator Experience (Pivotal Cloud Platform Road...

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Cloud native Microservices using Spring Boot

Platform Security that will Last for Decades (Travis Spencer)

To Microservices and Beyond

Pivotal CenturyLink Cloud Platform Seminar Presentations: Architecture & Oper...

Architecture & Operations

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

Enabling Voice Applications with WebRTC and ORTC in Microsoft Edge

The Fantastic Voyage to PaaS - Are we there yet? (Cloud Foundry Summit 2014)

Recently uploaded

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Recently uploaded (20)