Web authentication and authorization has come a long way in the last ten years. In this talk we'll look at where we've come from and how to OAuth and OIDC solved the problems we faced.
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
Web authentication and authorization has come a long way in the last ten years. In this talk we'll look at where we've come from and how to OAuth and OIDC solved the problems we faced.
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
CIS14: Developing with OAuth and OIDC ConnectCloudIDSummit
David Chase, Ping Identity
Exploring the implementation and architecture of OAuth and OpenID Connect, using web and mobile applications, with topics including grant types, choosing a grant type, refresh tokens, and managing sessions
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each others data. This talk will presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS in the Java EE platform.
Shows how to be an oauth consumer and provider from PHP - OAuth 1 - including handling of tokens, secrets, and handling the workflow for devices. Also covers the workflow for OAuth 2
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally.
This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.
Как да контролираме достъпа до web API и други защитени ресурси посредством OAuth 2.0, и как да идентифицираме потребители с OpenID Connect. Лекцията е предназначена за уеб архитекти и програмисти, както и за всички разработчици, които искат да научат повече за новите уеб протоколи за авторизация и автентикация.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
Short overview of the current security status on the automotive telematics security arena. Presented at the ISACA Scandinavian Conference April 23-24th 2012
CIS14: Developing with OAuth and OIDC ConnectCloudIDSummit
David Chase, Ping Identity
Exploring the implementation and architecture of OAuth and OpenID Connect, using web and mobile applications, with topics including grant types, choosing a grant type, refresh tokens, and managing sessions
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each others data. This talk will presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS in the Java EE platform.
Shows how to be an oauth consumer and provider from PHP - OAuth 1 - including handling of tokens, secrets, and handling the workflow for devices. Also covers the workflow for OAuth 2
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally.
This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.
Как да контролираме достъпа до web API и други защитени ресурси посредством OAuth 2.0, и как да идентифицираме потребители с OpenID Connect. Лекцията е предназначена за уеб архитекти и програмисти, както и за всички разработчици, които искат да научат повече за новите уеб протоколи за авторизация и автентикация.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
Short overview of the current security status on the automotive telematics security arena. Presented at the ISACA Scandinavian Conference April 23-24th 2012
Best practices när det gäller inloggning (autentisering) från webapp-tiden är inte direkt applicerbara i den mobila världen. Kör du native-appar och RESTful webservices i backend så är inte en sessions-kaka lika självklar lösning längre.
Vi kommer titta på vilka möjligheter som finns och hur frågan adresseras på några större siter/tjänster runt omkring i världen.
The Six Highest Performing B2B Blog Post FormatsBarry Feldman
If your B2B blogging goals include earning social media shares and backlinks to boost your search rankings, this infographic lists the size best approaches.
Each technological age has been marked by a shift in how the industrial platform enables companies to rethink their business processes and create wealth. In the talk I argue that we are limiting our view of what this next industrial/digital age can offer because of how we read, measure and through that perceive the world (how we cherry pick data). Companies are locked in metrics and quantitative measures, data that can fit into a spreadsheet. And by that they see the digital transformation merely as an efficiency tool to the fossil fuel age. But we need to stretch further…
In this talk, we'll dive into the basics of authentication from an asp.net developer's perspective. If words like "JWT", "claims", "OAuth", "OpenID", "authentication server", "refresh tokens" etc confuse you, then this talk is for you. We'll also peek into identity platforms like Auth0, Okta, Azure AD B2C, IdentityServer etc which are commonly used with asp.net. Finally we'll walk through some best practices and checklists. All slides & code samples will be publicly shared after the presentation.
Author: Mithun Shanbhag
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
Ember Authentication and Authorization with ToriiCory Forsyth
This talk was originally given on November 7 2015 at the Global Ember Meetup, demonstrating the usage of the Torii authentication library for Ember (https://github.com/vestorly/torii). It shows how Torii works, how Torii simplifies OAuth redirect-basd web flows in Ember, and how to use Torii for authentication.
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
What is REST?
What is RESTful Webservices
HTTP-REST Request Basics
HTTP-REST Vocabulary
Authentication (OAuth)
OAuth 2.0 Web Server Flow
REST APIs using Apex REST
Resources
Keycloak for Science Gateways - SGCI Technology Sampler Webinarmarcuschristie
Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway
Presentation to accompany blog post: https://sciencegateways.org/-/eds-tech-blog-using-keycloak-to-provide-authentication-authorization-and-identity-management-services-for-your-gateway
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
7. 1.3 Authorization Grant
• Four grant types
– authorization code
– implicit
– resource owner password credentials
– client credentials
– (extension grants…)
8. 1.4 Access Token
• a string representing an authorization
– usually opaque to the client
• may denote an identifier used to retrieve
the authorization information
• may self-contain the authorization
information in a verifiable manner
• details in companion specifications
9. 1.5 Refresh Token
• credentials used to obtain access tokens
– when access token has expired
– long lived (forever and ever)
– only sent to authorization server
– denotes an identifier used to retrieve the
authorization information
– OPTIONAL
24. 6.0 Refreshing an Access
Token
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
25. 7. Accessing Protected
Resources
• Present access token
– How depends on token_type
• Server validates (out of scope)
– Generally interaction with Authorization Server
26. 7.1 Access Token Types
• What type of token?
– Compare with concept of grant_type
• Not defined by OAuth2
– A registry is defined
• Contents
– Bearer (RFC6750)
– Mac (Oauth-HTTP-MAC)
27. Extensibility
• Defining Access Token Types
• Defining New Endpoint Parameters
• Defining New Authorization Grant Types
• Defining New Authorization Endpoint
Response Type
• Defining Additional Error Codes
31. Bearer Token Usage
• RFC6750
– Details on OAuth2 access_token
– Defines token_type bearer (first)
• “A security token with the property that any party in
possession of the token (a "bearer") can use the token in
any way that any other party in possession of it can.
Using a bearer token does not require a bearer to prove
possession of cryptographic key material (proof-of-
possession).”
32. Bearer Token Usage
• does not specify the encoding or the
contents of the token??
• Methods
– Authorization Request Header Field
– Form-Encoded Body Parameter
– URI Query Parameter
36. SAML2 Bearer Assertion
• Note: ‘Bearer’ now used to describe
assertion on Authorization Grant – not
Access Token
• SAML2 Assertion – another possible
grant_type
38. JWT Bearer Tokens
• Similar to SAML2
• grant_type: urn:ietf:params:oauth:grant-
type:jwt-bearer
39. JWT Tokens
• JSON Web Token (JWT) is a compact
means of representing claims to be
transferred between two parties.
– JSW (JSON Web Signature)
– JWE (JSON Web Encryption)
• Enables MAC/signed/encrypted
40. OpenID Connect
• a simple identity layer on top of the OAuth
2.0 protocol.
• allows Clients to verify the identity of the
End-User based on the authentication
performed by an Authorization Server
43. additions
• response_type: id_token
• endpoint: /check_id, /userinfo
• id_token is returned
• send as access_token to /check_id
• control info returned
• send access_token to /userinfo
• user_info is returned
53. Why – the plot?
53
: Hmm, don’t know - could it be, lisa@hotmail.com?
: h4pp1n3ss!
: Perfect! We’ll steal your paypal, twitter and facebook account through the hotmail account and print your photos right away. If we
find any other interesting private photos while we are in there we’ll print them too for our personal viewing pleasure.fake
: Ok, great! What’s your password?fake
: Hi Lisa, what’s your username?
fake
55. 55
: Hi, ! I would like to order printouts of some of my
on , they are marked as private.
Could you please print them?
: Sure, we just need to ask permission from
Step 1: Intent
56. 56
Hi ! This is speaking! Can I have a Request Token?
HMAC-SHA1 (Yours Truly, Moo.)
: “Sure! Your Request Token is: 9iKot2y5UQTDlS2V
and your secret is: 1Hv0pzNXMXdEfBd”
: Thanks!
Step 2: Request Token
57. 57
Step 3: Authorize Request Token
: Sure, just redirect my browser and I will be
done in a second!
: Hi , could you please go to to authorize
the Request Token:9iKot2y5UQTDlS2V?
When you have made the authorization, I can
fetch your .
58. 58
Step 3, Continued
: , I would like to authorize 9iKot2y5UQTDlS2V
: Sure - to be on the safe side; you are allowing to read your
private pictures? We trust them, so there are no issues from our
side.
: Yes, that is correct!
: Ok, good. Now get back too and tell them it is ok to proceed.
59. 59
Step 3, Optional Notify
: Hi , I just told that you are allowed to access my
private pictures and they told me the pictures are ready for
you to access them.
: Perfect, thank you!
60. 60
Step 4: Exchange Token
: Hi, . Could I exchange this token: 9iKot2y5UQTDlS2V
for an Access Token? HMAC-SHA1 (Yours Truly, Moo.)
: Sure! Your Access Token is: 94S3sJVmuuxSPiZz
and your Secret is: 4Fc8bwdKNGSM0iNe”
: Perfect, thank you!
61. 61
Step 5: Access Data
: Hi , I would like to fetch the private pictures owned by
94S3sJVmuuxSPiZz. HMAC-SHA1 (Yours Truly, Moo.)
: Here they are , anything else?
62. 62
Take Away
• No information on the identity of Lisa is passed to
Moo and Moo have no idea of what Lisas
credentials on Flickr is.
• => Not an authentication protocol/standard/
technology
• API independent
– there are lots of different implementations on both client and
server side
The Standard
64. 64
— 2006-11 Blaine Cook, Twitter started working on Twitter’s OpenID implementation.
— 2007-04 A Google group started to write a draft protocol specification
— 2007-06 A first draft was ready and the group was opened for everyone interested in
contributing to the specification
When?
t
65. 65
• 2007-12 Initial version OAuth 1.0 ready
• mainly based on the Flickr Auth API and Google AuthSub
• 2009-06 Revised version 1.0a due to a security flaw
• http://oauth.net/core/1.0a
• 2010-04 RFC 5849 - IETF Informational RFC “The OAuth 1.0 Protocol”
• OAuth 2.0 http://tools.ietf.org/html/draft-ietf-oauth-v2-31
• New protocol, not backward compatible with OAuth1
• Simplify and create a better user experience
• Less secure due to no digital signature?
When?
t