Learn about the basics of OAuth 2.0 and the different OAuth flows in this introductory video. Understand how OAuth works and the various authorization mechanisms involved.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
OAuth 2.0
Oauth2.0 is an “authorization” framework for web applications. It permits selective access to a user’s resource without disclosing the password to the website which asks for the resource.
Agenda for the session:
What is Oauth 2.0
Oauth 2.0 Terminologies
Oauth workflow
Exploiting Oauth for fun and profit
Reference
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in ?
4. How to do stateless Authorization using OAUTH2 & JWT ?
5. Some Sample Code ? How easy is it to implement ?
Traditional security models no longer suffice in the new digital and API driven economy. APIs expose corporate data in very deliberate and thoughtful ways, but, as with any technology that involves enterprise data, security should always be a prime concern. How do you keep your customers' digital experiences as secure as your backend data and services?
OAuth is an API authorization protocol that enables apps to access information on behalf of users without requiring them to divulge their usernames and passwords.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
OAuth 2.0
Oauth2.0 is an “authorization” framework for web applications. It permits selective access to a user’s resource without disclosing the password to the website which asks for the resource.
Agenda for the session:
What is Oauth 2.0
Oauth 2.0 Terminologies
Oauth workflow
Exploiting Oauth for fun and profit
Reference
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in ?
4. How to do stateless Authorization using OAUTH2 & JWT ?
5. Some Sample Code ? How easy is it to implement ?
Traditional security models no longer suffice in the new digital and API driven economy. APIs expose corporate data in very deliberate and thoughtful ways, but, as with any technology that involves enterprise data, security should always be a prime concern. How do you keep your customers' digital experiences as secure as your backend data and services?
OAuth is an API authorization protocol that enables apps to access information on behalf of users without requiring them to divulge their usernames and passwords.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
OAuth2 Implementation Presentation (Java)Knoldus Inc.
The OAuth 2.0 authorization framework is a protocol that allows a user to grant a third-party web site or application access to the user's protected resources, without necessarily revealing their long-term credentials or even their identity. It is commonly used in scenarios such as user authentication in web and mobile applications and enables a more secure and user-friendly authorization process.
An introduction to OAuth 2.0 from a Salesforce perspective to establish the foundations of OAuth 2.0. Discusses the key concepts of Authentication and Authorization and distinguishes the two. Also discusses Open ID connect.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
APIs are now the standard entry point to the majority of newly created ‘back-end’ functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as ‘gatekeepers’, ensuring appropriate security, auditing, accounting etc. Security is always underpinned by identity and as such, APIs need to know if not who is accessing them, what is the context in which they are being accessed.
The industry is shifting to mobile and wearable devices, and desktop apps are now only a part of the overall application landscape. In this new mobile-first context, security is one of the key concerns for Enterprise Architects. Salesforce has implemented the OAuth 2.0 specification to handle user authentication using industry standards. After reviewing OAuth basics, this session will take you through the different approaches to implement OAuth authentication on the Force.com platform.
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
OAuth2 Implementation Presentation (Java)Knoldus Inc.
The OAuth 2.0 authorization framework is a protocol that allows a user to grant a third-party web site or application access to the user's protected resources, without necessarily revealing their long-term credentials or even their identity. It is commonly used in scenarios such as user authentication in web and mobile applications and enables a more secure and user-friendly authorization process.
An introduction to OAuth 2.0 from a Salesforce perspective to establish the foundations of OAuth 2.0. Discusses the key concepts of Authentication and Authorization and distinguishes the two. Also discusses Open ID connect.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
APIs are now the standard entry point to the majority of newly created ‘back-end’ functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as ‘gatekeepers’, ensuring appropriate security, auditing, accounting etc. Security is always underpinned by identity and as such, APIs need to know if not who is accessing them, what is the context in which they are being accessed.
The industry is shifting to mobile and wearable devices, and desktop apps are now only a part of the overall application landscape. In this new mobile-first context, security is one of the key concerns for Enterprise Architects. Salesforce has implemented the OAuth 2.0 specification to handle user authentication using industry standards. After reviewing OAuth basics, this session will take you through the different approaches to implement OAuth authentication on the Force.com platform.
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
2. AGENDA
● Introduction of oauth 2.0
● Oauth 2.0 Flows
● Oauth 2.0 Components
● How Oauth 2.0 scope helps to specify what resources or actions an client application
can access on behalf of the resource owner.
● Implementation
● Benefits of Oauth 2.0
● Demo
● Trivia Quiz *
4. Safe Harbour Statement
● Both the speaker and the host are organizing this meet-up in individual capacity only. We are
not representing our companies here.
● This presentation is strictly for learning purposes only. Organizer/Presenter do not hold any
responsibility that same solution will work for your business requirements.
● This presentation is not meant for any promotional activities.
5. A recording of this meetup will be uploaded to events page within 24 hours.
Questions can be submitted/asked at any time in the Chat/Questions & Answers Tab.
Make it more Interactive!!!
Share us the feedback! Rate this meetup session by filling feedback form at the end of the day.
We Love Feedbacks !!
Housekeeping
6. Speakers
Rupmita Kundu
● Working as Senior Engineer in Digital
Engineering@Nttdata
● 5.5 Years Of experience iIT
● Certified MuleSoft Developer
8. Introduction to OAUTH 2.0
OAuth 2.0, short for "Open Authorization 2.0," is an industry-standard authorization
framework that enables third-party applications to access a user's data without needing
the user's credentials.
It allows users to grant limited access to their resources, such as photos, videos, or
personal information, to other applications or websites without compromising their
security.
9. Oauth 2.0 Components
1. Client Application: This is the application that wants to access the user's data,
often referred to as the "client."
2. Resource Owner: The user who owns the data that the client wants to access.
3. Authorization Server: The server that authenticates the user and issues
access tokens after the user successfully authorizes the client application.
4. Resource Server: The server that hosts the protected resources, which the
client application wants to access on behalf of the user.
5. Authorization Grant: The credential representing the resource owner's
authorization (e.g., username and password, authorization code, etc.).
6. Access Token: A token that the client application presents to the resource
server to access protected resources on behalf of the user.
7. Scopes: It defines the specific permissions that the client is requesting.
10. Oauth 2.0 Authorization Flows
1. Authorization Code Grant:
● Description: This flow is designed for web applications where the client can
securely store a client secret. It involves multiple steps, including redirection of
the user to the authorization server’s authorization endpoint, authorization, and
exchange of an authorization code for an access token.
● Use Case: Web applications accessing resources on behalf of a user.
1. Implicit Grant:
● Description: This flow is suitable for client-side applications like single-page apps
(SPAs) or mobile apps where there's no secure storage for a client secret. It
returns the access token directly to the client after user authentication and
authorization.
● Use Case: Browser-based applications or mobile apps accessing resources on
behalf of a user without a backend server.
11. Oauth 2.0 Authorization Flows
3. Client Credentials Grant:
○ Description: This flow is used by confidential clients (those capable of
maintaining the confidentiality of their client credentials, typically server-side
applications) to obtain an access token using their own credentials, not on
behalf of a user.
○ Use Case: Server-to-server communication where the client is acting on its
own behalf.
4. Resource Owner Password Credentials Grant:
○ Description: This flow allows a client to directly exchange the resource
owner's (user's) credentials for an access token. It's considered less secure
because the client needs to handle the user's credentials.
○ Use Case: Legacy or highly trusted applications where other flows are not
feasible or practical.
12. Oauth 2.0 Authorization Flows
5. Refresh Token Grant:
○ Description: This flow allows a client to obtain a new access token using a
refresh token, typically without requiring the user to re-authenticate. It extends the
validity of access tokens.
○ Use Case: Long-lived sessions where access tokens need to be refreshed
periodically without requiring the user to log in again.
13. How scopes helps to prevent access to different
resources
OAuth 2.0 scopes access control to different resources within an API.
● When a client requests access to an API endpoint, the access token provided by
OAuth 2.0 contains scopes indicating the permissions granted.
● When a request is made, Mule 4 automatically checks if the access token contains the
necessary scopes for the requested resource. If the required scopes are present,
access is granted; otherwise, access is denied.
14. Mulesoft Oauth 2.0 Provider
● The Mule OAuth 2.0 Provider is an OAuth 2.0 provider developed by MuleSoft.
● The provider allows you to configure your Mule application as an Authentication
Manager in an OAuth 2.0 dance.
● With this role, your application can:
● Authenticate previously registered clients.
● Grant tokens.
● Validate tokens.
● Register and delete clients during the execution of a flow
16. Configure the OAuth 2.0 Provider Module:
● In Anypoint Platform, go to your Mule application.
● Add the "OAuth 2.0 Provider" module to your project from the Anypoint Exchange.
17. ● Configure the module by specifying parameters such as grant types,scopes,Token
endpoint, client store, token store
26. Test the application /authors endpoint with access token and
give successful response
27. Test the application /books endpoint with the same access token and this time it will
give error message "The required scopes are not authorized"
28. Benefits of Oauth 2.0
1. Enhanced Security:
● Uses tokens instead of passwords, making it safer for
users and apps.
2. Controlled Access:
● Lets users give apps permission to only the data they need.
3. Easy to Use:
● Users can allow access without sharing their login details.
4. Widely Supported:
● Works with many popular services like Google and
Facebook.
5. Flexible:
● Suitable for different types of apps, from web to mobile to
server-to-server.