The document summarizes an OAuth tutorial presentation given at IETF #79 in Beijing. It discusses the problem of secure data sharing that OAuth addresses, provides examples of OAuth flows and exchanges, and describes the involved entities. The history of OAuth is outlined, from its inception in 2006 to its standardization efforts in the IETF. Security aspects like access tokens and message signing are also summarized.
2. Acknowledgements
• I would like to thank Pasi Eronen. We are re-using some of his slides in this presentation.
12/29/12 IETF #79, OAuth Tutorial Beijing 2
6. Entities
[Diagram: the four OAuth entities and the messages exchanged between them]
• User, acting through a User Agent (Web Browser)
• Resource Consumer (LinkedIn)
• Authorization Server (Yahoo)
• Resource Server (Yahoo)
• Messages: Authorization Request (between the User Agent and the Authorization Server); Token Request (between the Resource Consumer and the Authorization Server); Access Request, incl. Token (between the Resource Consumer and the Resource Server)
7. User navigates to Resource Client
8. User authenticated by Authorization Server
9. User authorizes Resource Consumer to access Resource Server
10. Resource Client calls the Resource Server API
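The four steps above, as an added example that is not part of the tutorial slides: a self-contained Python simulation of the Resource Consumer, Authorization Server and Resource Server in the shape of the OAuth 2.0 authorization code grant. Browser redirects are modelled as function calls that return the redirect URL the user agent would be sent to; the client id, client secret, callback URL and contact data are constructed for the example, and the resource server checks tokens by asking the co-located authorization server (an assumption, not something the slides specify). The security checks a practitioner wants to see are all present: the redirect URI is matched against the registration, the authorization code is short-lived, single-use and bound to the client, the token request authenticates the client, and the consumer binds the redirect back to its session with a `state` value.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data: one client, its secret and its callback URL.
CLIENT_ID = "linkedin-app"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://consumer.example/cb"


class AuthorizationServer:
    """Plays the 'Yahoo' Authorization Server role from the Entities slide."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}   # code -> (client_id, redirect_uri, scope, expiry)
        self.tokens = {}  # access token -> (client_id, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, state, user_consents):
        """Steps 8-9: the user has authenticated (assumed here) and grants or
        denies consent. Returns the URL the user agent is redirected back to."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            # Never redirect to an unregistered URI: it would leak the code.
            raise ValueError("redirect_uri does not match registration")
        if not user_consents:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token Request (back channel, over TLS): exchange a single-use code."""
        secret, _ = self.clients[client_id]
        if not secrets.compare_digest(client_secret, secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop() makes the code single-use
        if entry is None:
            raise PermissionError("invalid_grant")
        code_client, code_uri, scope, expiry = entry
        if code_client != client_id or code_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, scope, time.time() + 3600)
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}

    def introspect(self, token):
        """Lets the (co-located) Resource Server check a token it was handed."""
        entry = self.tokens.get(token)
        if entry is None or time.time() > entry[2]:
            return None
        return {"client_id": entry[0], "scope": entry[1]}


class ResourceServer:
    """Step 10 target: serves contacts only for a valid token with the right scope."""

    def __init__(self, authz):
        self.authz = authz
        self.contacts = {CLIENT_ID: ["alice@example.org", "bob@example.org"]}  # constructed

    def get_contacts(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.authz.introspect(token) if scheme.lower() == "bearer" else None
        if info is None or "contacts" not in info["scope"].split():
            raise PermissionError("invalid_token")
        return self.contacts[info["client_id"]]


def run_flow(authz, resource, user_consents=True):
    """Drives steps 7-10 from the Resource Consumer's side.
    Returns the contacts obtained and the authorization code that was used."""
    # Step 7: the user arrives at the consumer, which starts the flow with a
    # fresh state value tied to this user's session.
    state = secrets.token_urlsafe(16)
    # Steps 8-9 happen at the Authorization Server; we receive the redirect URL.
    redirect = authz.authorize(CLIENT_ID, REDIRECT_URI, "contacts", state, user_consents)
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if params.get("state") != state:
        raise PermissionError("state mismatch: response not bound to this session")
    if "error" in params:
        raise PermissionError(params["error"])
    # Token Request over the back channel, authenticated with the client secret.
    tok = authz.token(CLIENT_ID, CLIENT_SECRET, params["code"], REDIRECT_URI)
    # Step 10: Access Request including the token.
    return resource.get_contacts(f"Bearer {tok['access_token']}"), params["code"]


if __name__ == "__main__":
    authz = AuthorizationServer()
    contacts, _ = run_flow(authz, ResourceServer(authz))
    print(contacts)
```

Running the module prints the two constructed contacts; presenting the same code a second time, or a token string the authorization server never issued, is rejected with `PermissionError`.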
11. Remark: Authentication
• Yahoo in our example may outsource the authentication part to other providers (e.g. using OpenID).
• Authorization Server and Resource Server do not need to be operated by the same entity.
12. Remark: Authorization
• Asking the user for consent prior to sharing information is considered privacy-friendly.
• User interfaces for obtaining user consent may not always be great.
19. History
• November 2006: Blaine Cook was looking into the possibility of using OpenID to accomplish the functionality for delegated authentication. He got in touch with some other folks that had a similar need.
• December 2006: Blaine wrote a "reference implementation" for Twitter based on all the existing OAuth-patterned APIs, which Blaine and Kellan Elliott-McCrea turned into a rough functional draft.
• April 2007: Google group was created with a small group of implementers to write a proposal for an open protocol.
• July 2007: OAuth 1.0 (with code for major programming languages)
• September 2007: Re-write of specification to focus on a single flow (instead of "web", "mobile", and "desktop" flows)
• Deployment of OAuth well on its way: http://wiki.oauth.net/ServiceProviders
20. History, cont.
• 1st OAuth BOF (Minneapolis, November 2008, IETF#73)
– BOF Chairs: Sam Hartman, Mark Nottingham
– BOF went OK but a couple of charter questions couldn't be resolved.
• 2nd OAuth BOF (San Francisco, March 2009, IETF#74)
– BOF Chairs: Hannes Tschofenig, Blaine Cook
– Charter discussed on the mailing list and also during the meeting. Finalized shortly after the meeting.
• IETF wide review of the OAuth charter text (28th April 2009)
– Announcement: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg06009.html
• OAuth working group was created (May 2009)
– Chairs: Blaine Cook, Peter Saint Andre
• Feb 2010: 'The OAuth 1.0 Protocol' approved as Informational RFC:
– http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07047.html
21. History, cont.
• March 2010: Peter Saint Andre became Area Director and Hannes Tschofenig became Blaine's co-chair.
• March 2010: IETF OAuth meeting in Anaheim
• April 2010: OAuth 2.0 <draft-ietf-oauth-v2-00.txt> published, co-authored by Eran, Dick, David.
• May 2010: First OAuth interim meeting co-located with IIW to discuss open issues.
• July 2010: Maastricht IETF meeting
• November 2010: Document split into "abstract" specification and separate bearer token and message signing specification.
• November 2010: Beijing IETF meeting – no official OAuth working group meeting. Discussions about security for OAuth.
22. Entities
[Diagram: the Entities diagram from slide 6, without the LinkedIn/Yahoo examples]
• User, acting through a User Agent
• Resource Consumer
• Authorization Server
• Resource Server
• Messages: Authorization Request; Token Request; Access Request (incl. Token)
23. Scope of the OAuth WG
• Currently only one working group item:
– http://tools.ietf.org/html/draft-ietf-oauth-v2
– Unlike OAuth v1.0 it does not contain signature mechanisms
• We have a bunch of other documents as individual items
– Providing security related extensions
– User interface considerations
– Token formats
– Token by reference
– Use case descriptions
– Other OAuth profiles
24. Work Areas
[Diagram: the Entities diagram (User Agent, User, Resource Consumer, Authorization Server, Resource Server; Authorization Request, Token Request, Access Request incl. Token) annotated with the working group's work areas]
• User Interface
• Authentication
• Token Format and Content
• Authz Server Data Exchange Interaction
• Request Security
• OAuth Profiles
28. Work Areas
[Diagram: the Entities diagram (User Agent, User, Resource Consumer, Authorization Server, Resource Server; Authorization Request, Token Request, Access Request incl. Token) annotated with the remaining work areas]
• User Interface
• Authentication
• Authz Server Data Exchange Interaction
• OAuth Profiles
29. “Bearer Token”
[Diagram]
• Resource Consumer → Authorization Server: Request Token (over TLS)
• Resource Consumer → Resource Server: Token (over TLS)
30. “Message Signing”
[Diagram]
• Resource Consumer → Authorization Server: Request Token (over TLS); the Authorization Server returns Token, SK, {SK}Bob
• Resource Consumer → Resource Server: Token, {Request}SK, {SK}Bob
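The two slides above contrast the token styles the working group split into separate specifications (see slide 21). The following Python block is an added example, not code from the tutorial or from any IETF document: it models a Resource Server that accepts either style and shows why the bearer style depends on TLS while the signed style does not. One simplification is labelled as a swap: where the slide hands the consumer {SK}Bob (SK wrapped for the Resource Server), this example derives SK with HMAC from a long-term key that the Authorization Server and Resource Server share, so the Resource Server recomputes SK from the token instead of unwrapping it. The shared key, the `MAC` header layout and the five-minute freshness window are all constructed for the example; the standard-library `hmac`, `hashlib` and `secrets` modules are the only dependencies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed: the long-term key the Authorization Server shares with the
# Resource Server ("Bob"). It replaces the slide's {SK}Bob wrapping (see lead-in).
AS_RS_SHARED_KEY = b"example-long-term-key-shared-by-as-and-rs"
ISSUED_TOKENS = set()   # the Authorization Server's record of live tokens
SEEN_NONCES = set()     # Resource Server replay cache for signed requests
MAX_SKEW = 300          # seconds a signed request stays acceptable (constructed)


def derive_sk(token):
    """SK = HMAC(K_as_rs, token): computable by AS and RS, by nobody else."""
    return hmac.new(AS_RS_SHARED_KEY, token.encode(), hashlib.sha256).digest()


def issue_token():
    """Authorization Server: mint an opaque token plus the session key SK bound to it."""
    token = secrets.token_urlsafe(24)
    ISSUED_TOKENS.add(token)
    return token, derive_sk(token)


# --- Slide 29: bearer token --------------------------------------------------
def bearer_request(token, method, path):
    """Resource Consumer: the token string alone authorises the call."""
    return {"method": method, "path": path, "body": b"",
            "authorization": f"Bearer {token}"}


def bearer_verify(req):
    """Resource Server: whoever presents a live token is accepted. Nothing ties
    the token to this request, so confidentiality of the channel (TLS) is what
    keeps a captured token from being reused."""
    scheme, _, token = req["authorization"].partition(" ")
    return scheme == "Bearer" and token in ISSUED_TOKENS


# --- Slide 30: message signing ----------------------------------------------
def canonical(method, path, body, ts, nonce):
    """Unambiguous byte string covering everything the MAC protects."""
    return "\n".join([method, path, hashlib.sha256(body).hexdigest(), ts, nonce]).encode()


def signed_request(token, sk, method, path, body=b""):
    """Resource Consumer: {Request}SK, a MAC over method, path, body hash,
    timestamp and nonce, so a captured message can be neither altered nor replayed."""
    ts = str(int(time.time()))
    nonce = secrets.token_hex(8)
    mac = hmac.new(sk, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body,
            "authorization": f'MAC token="{token}", ts="{ts}", nonce="{nonce}", mac="{mac}"'}


def parse_mac_header(value):
    """Split 'MAC k="v", k="v", ...' into a dict; None for any other scheme."""
    scheme, _, rest = value.partition(" ")
    if scheme != "MAC":
        return None
    fields = {}
    for part in rest.split(", "):
        key, _, val = part.partition("=")
        fields[key] = val.strip('"')
    return fields


def signed_verify(req, now=None):
    """Resource Server: re-derive SK from the token, then check freshness,
    nonce uniqueness and the MAC before trusting anything in the request."""
    fields = parse_mac_header(req["authorization"])
    if fields is None or fields.get("token") not in ISSUED_TOKENS:
        return False
    now = time.time() if now is None else now
    if abs(now - int(fields["ts"])) > MAX_SKEW or fields["nonce"] in SEEN_NONCES:
        return False
    expected = hmac.new(
        derive_sk(fields["token"]),
        canonical(req["method"], req["path"], req["body"], fields["ts"], fields["nonce"]),
        hashlib.sha256,
    ).hexdigest()
    if not hmac.compare_digest(expected, fields["mac"]):
        return False
    SEEN_NONCES.add(fields["nonce"])   # remember only requests that fully verified
    return True


if __name__ == "__main__":
    tok, sk = issue_token()
    captured = bearer_request(tok, "GET", "/contacts")
    print("bearer replay accepted:", bearer_verify(captured) and bearer_verify(captured))
    signed = signed_request(tok, sk, "GET", "/contacts")
    print("signed first use:", signed_verify(signed), "replay:", signed_verify(signed))
```

The contrast the slides draw falls out directly: a replayed bearer request is indistinguishable from the original, whereas a replayed signed request trips the nonce cache, a modified signed request fails the MAC, and a party holding only the token (without SK) cannot produce a valid MAC at all. What message signing does not give you is confidentiality of the request body, which is why the slide still shows TLS on the token request.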
31. Conclusion
• Open Web Authentication (OAuth) is developed in the IETF to provide delegated authentication for Web-based environments.
– Usage for non-Web based applications has been proposed as well.
• Work is in progress and re-chartering will expand the work to include new features and use cases as well as security.
• Join the OAuth mailing list at http://datatracker.ietf.org/wg/oauth/charter/ to make your contribution.