OAuth is an open standard for authorization that allows users to share private resources stored on one server with another server. It provides a process for users to authorize third-party access to their server resources without sharing credentials. OAuth has gone through several versions to address security issues and limitations of previous versions. OAuth involves resource owners, clients, and an authorization server, and defines common flows for authorization like authorization code flow and refresh token flow.
Extended Security with WSO2 API Management PlatformWSO2
To view recording of the webinar please use the below URL:
http://wso2.com/library/webinars/2015/04/extended-security-with-wso2-api-management-platform/
In this webinar we will take a look at how the WSO2 API Management platform addresses those needs. Uvindra Jayasinha, senior software engineer at WSO2 will discuss the following:
Best practices when requesting OAuth2.0 Access Tokens (including understanding the available grant types)
Adding SAML based Single Sign On (SSO) capabilities to API management and leveraging SAML2 Bearer Tokens to request OAuth2.0 Access Tokens
Federated identity: How to use a third-party identity provider with API Manager
How to enforce fine-grained entitlement policies at the API management layer
Allow external systems to take decisions based on API user's attributes
Extended Security with WSO2 API Management PlatformWSO2
To view recording of the webinar please use the below URL:
http://wso2.com/library/webinars/2015/04/extended-security-with-wso2-api-management-platform/
In this webinar we will take a look at how the WSO2 API Management platform addresses those needs. Uvindra Jayasinha, senior software engineer at WSO2 will discuss the following:
Best practices when requesting OAuth2.0 Access Tokens (including understanding the available grant types)
Adding SAML based Single Sign On (SSO) capabilities to API management and leveraging SAML2 Bearer Tokens to request OAuth2.0 Access Tokens
Federated identity: How to use a third-party identity provider with API Manager
How to enforce fine-grained entitlement policies at the API management layer
Allow external systems to take decisions based on API user's attributes
APIs are now the standard entry point to the majority of newly created ‘back-end’ functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as ‘gatekeepers’, ensuring appropriate security, auditing, accounting etc. Security is always underpinned by identity and as such, APIs need to know if not who is accessing them, what is the context in which they are being accessed.
Security for oauth 2.0 - @topavankumarjPavan Kumar J
OAuth is one of the most successful authorization protocols on the Internet. The OAuth 2.0 framework, the proposed standard to replace OAuth 1.0, enables a third-party application to obtain limited access to an application, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the application, or by allowing the third-party application to obtain access on its own behalf.
In this webinar, we provide an overview of the OAuth 2.0 authorization model, how it fits in the enterprise environment, and some critical security implications of note for software architects and security analysts.
Vulnerable App: https://github.com/topavankumarj/Vulnerable-OAuth2.0-Application
Key Takeaways:
1.) Comprehensive understanding of the OAuth 2.0 authorization framework.
2.) Threats/Attacks specific to OAuth 2.0
3.) Practical demonstration of exploit vectors
4.) Outline of architectural best practices in OAuth 2.0
Who should attend:
1.) Application architects /API developers who use OAuth to publish and/or interact with protected data.
2.) Security Analysts who want to learn about security implications relevant to the OAuth Framework.
UMA is a profile and application of OAuth that defines how resource owners can control resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy. Recent investigations have shown promise for applying UMA to Internet of Things authorization use cases.
This is a presentation by Eve Maler for the IETF ACE working group.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
"OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it serves the authorization needs for websites. However, the protocol has been significantly repurposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to the mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers.
Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field-study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications"
(Source: Black Hat USA 2016, Las Vegas)
APIs are now the standard entry point to the majority of newly created ‘back-end’ functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as ‘gatekeepers’, ensuring appropriate security, auditing, accounting etc. Security is always underpinned by identity and as such, APIs need to know if not who is accessing them, what is the context in which they are being accessed.
Security for oauth 2.0 - @topavankumarjPavan Kumar J
OAuth is one of the most successful authorization protocols on the Internet. The OAuth 2.0 framework, the proposed standard to replace OAuth 1.0, enables a third-party application to obtain limited access to an application, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the application, or by allowing the third-party application to obtain access on its own behalf.
In this webinar, we provide an overview of the OAuth 2.0 authorization model, how it fits in the enterprise environment, and some critical security implications of note for software architects and security analysts.
Vulnerable App: https://github.com/topavankumarj/Vulnerable-OAuth2.0-Application
Key Takeaways:
1.) Comprehensive understanding of the OAuth 2.0 authorization framework.
2.) Threats/Attacks specific to OAuth 2.0
3.) Practical demonstration of exploit vectors
4.) Outline of architectural best practices in OAuth 2.0
Who should attend:
1.) Application architects /API developers who use OAuth to publish and/or interact with protected data.
2.) Security Analysts who want to learn about security implications relevant to the OAuth Framework.
UMA is a profile and application of OAuth that defines how resource owners can control resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on resource owner policy. Recent investigations have shown promise for applying UMA to Internet of Things authorization use cases.
This is a presentation by Eve Maler for the IETF ACE working group.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
"OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it serves the authorization needs for websites. However, the protocol has been significantly repurposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to the mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers.
Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field-study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications"
(Source: Black Hat USA 2016, Las Vegas)
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
Learn about the basics of OAuth 2.0 and the different OAuth flows in this introductory video. Understand how OAuth works and the various authorization mechanisms involved.
OAuth2 is an authorization frame to perform app authorization to access resources.
The process is as below-
1. App sends authorization request.
2. API service provides auth code.
3. Application sends auth code with API gateway to issue access token.
4. Access token is used to access restricted resources.
5. Refresh token is used to renew access token.
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in ?
4. How to do stateless Authorization using OAUTH2 & JWT ?
5. Some Sample Code ? How easy is it to implement ?
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
John DaSilva, Identity Architect, Ping Identity
Brian Campbell, Portfolio Architect, Ping Identity
If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
John Bradley, Senior Technical Architect, Ping Identity
OAuth 2.0 is the future of API Security, allowing software clients to request and use access tokens to access necessary APIs rather than caching and replaying usernames and passwords on every API fetch. John Bradley will explain the OAuth 2.0 protocol from top to bottom. Response types, authorization codes, front-channel vs. back-channel architecture decisions, security considerations and best practices will all be discussed. If you want to really understand OAuth, this session will dig deep.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
2. What is OAuth?
• OAuth provides a method for clients to access server resources on
behalf of a resource owner (such as a different client or an end- user).
It also provides a process for end-users to authorize third- party
access to their server resources without sharing their credentials
(typically, a username and password pair), using user- agent
redirections.
• Valet key metaphor
3.
4.
5. OAuth history
• Started around November 2006, while Blaine Cook was working on
the Twitter OpenID implementation.
• OAuth 1.0 was released in October 2007
• Modified as OAuth 1.0a in June 2009 due to security flaw
• OAuth 1.0a published as RFC 5849 in 2010
• Adopted by Twitter, Flickr, Yahoo
6. OAuth history
OAuth 1.0a quickly appeared to be limited for 3 essential reasons:
1. Signature scheme complex to implement for certain
developers.
2. Impossible to make the tokens expire.
3. No permissions management: couldn’t authorize access only
to certain resources.
7. OAuth history
• Workgroup was formed in 2010 to start work on OAuth 2.0
• The first OAuth 2.0 draft was published early 2010
• OAuth 2.0 published as RFC 6749 in October 2012
• Facebook and many others implemented it when not final
• Non-backwards compatible
• OAuth 2.0 is more flexible, wide range of non-interoperable
implementations
• Less secure than OAuth 1.0, relying on SSL connections rather than
signatures
9. OAuth Roles
• Resource Owner (User) - The resource owner is the user who
authorizes an application to access their account.
• Resource / Authorization Server (API) - The resource server
hosts the protected user accounts, and the authorization
server verifies the identity of the user then issues access
tokens to the application.
• Client (Application) - The client is the application that wants
to access the user's account. Before it may do so, it must be
authorized by the user, and the authorization must be
validated by the API.
10.
11. Application Registration
• When accessing 3rd party OAuth providers, your application
will need to be registered prior to using their service.
• Provider will then supply “client credentials” needed for
authorization grant
• Client Identifier
• Client Secret
12. OAuth 2 - Grant Types (Flows)
• Authorization Code: used with server-side Applications
• Implicit: used with Mobile Apps or Web Applications
(applications that run on the user's device)
• Resource Owner Password Credentials: used with trusted
Applications, such as those owned by the service itself
• Client Credentials: used with Applications API access
23. Inconsistency Examples
• Access Token
• Format: Facebook – JSON, Google – URL-encoded text
• HTTP request parameter and/or HTTP header
• Name: Facebook – access_token, Google – oauth_token
• Refresh Token
• Implemented differently (only Google & Github follow standard)
• Facebook – fb_exchange_token grant type
24. Client Token Storage
• HTML5 Web Storage (localStorage/sessionStorage)
function tokenSuccess(err, response) {
if(err){
throw err;
}
$window.sessionStorage.accessToken = response.body.access_token;
}
• Cookies
HTTP/1.1 200 OK
Set-Cookie: access_token=ACCESS_TOKEN; Secure; HttpOnly;
25. Client Token Storage
• HTML5 Web Storage (localStorage/sessionStorage)
• Any JavaScript running on your site will have access to web storage, making it
vulnerable to cross-site scripting (XSS) attacks
• Does not enforce any secure standards during transfer (always use HTTPS)
• Cookies
• Use HttpOnly flag – immune to XSS as not accessible via JavaScript
• Use Secure flag – ensures only sent via HTTPS
• Vulnerable to cross-site request forgery (CSRF)
• Angular: X-XSRF-TOKEN
Eran Hammer resigned his role of lead author for the OAuth 2.0 project, withdrew from the IETF working group, and removed his name from the specification. "more complex, less interoperable, less useful, more incomplete, and most importantly, less secure."
1. The application requests authorization to access service resources from the user
2. If the user authorized the request, the application receives an authorization grant
3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant
4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
5. The application requests the resource from the resource server (API) and presents the access token for authentication
6. If the access token is valid, the resource server (API) serves the resource to the application
The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed.
The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed.
The standard proposes a refresh token method but only few providers implement it (Google, Github)