Back in 2015, Square and Google collaborated to launch gRPC, an open source RPC framework backed by protocol buffers and HTTP/2, based on real-world experiences operating microservices at scale. If you build microservices, you will be interested in gRPC.
This webcast covers:
- a technical overview of gRPC
- use cases and applicability in your stack
- a deep dive into the practicalities of operationalizing gRPC
KafkaConsumer - Decoupling Consumption and Processing for Better Resource Uti...confluent
When working with KafkaConsumer, we usually employ single thread both for reading and processing of messages. KafkaConsumer is not thread-safe, so using single thread fits in well. Downside of this approach is that you are limited to single thread for processing messages.
By decoupling consumption and processing, we can achieve processing parallelization with single consumer and get the most out of multi-core CPU architectures available today. While this can be very useful in certain use-case scenarios, it's not trivial to implement.
How do we use multiple threads with KafkaConsumer which is not thread safe? How do we react to consumer group rebalancing? Can we get desired processing and ordering guarantees? In this talk we 'll try to answer these questions and explore challenges we face on our path.
Back in 2015, Square and Google collaborated to launch gRPC, an open source RPC framework backed by protocol buffers and HTTP/2, based on real-world experiences operating microservices at scale. If you build microservices, you will be interested in gRPC.
This webcast covers:
- a technical overview of gRPC
- use cases and applicability in your stack
- a deep dive into the practicalities of operationalizing gRPC
KafkaConsumer - Decoupling Consumption and Processing for Better Resource Uti...confluent
When working with KafkaConsumer, we usually employ single thread both for reading and processing of messages. KafkaConsumer is not thread-safe, so using single thread fits in well. Downside of this approach is that you are limited to single thread for processing messages.
By decoupling consumption and processing, we can achieve processing parallelization with single consumer and get the most out of multi-core CPU architectures available today. While this can be very useful in certain use-case scenarios, it's not trivial to implement.
How do we use multiple threads with KafkaConsumer which is not thread safe? How do we react to consumer group rebalancing? Can we get desired processing and ordering guarantees? In this talk we 'll try to answer these questions and explore challenges we face on our path.
API Security in a Microservice ArchitectureMatt McLarty
This presentation was given at the O'Reilly Software Architecture Conference in New York on Feb. 28, 2018. It gives an overview of the new book, Securing Microservice APIs. Download available here: https://transform.ca.com/API-securing-microservice-apis-oreilly-ebook.html
gRPC in Golang presentation
In this talk, I introduced gRPC, Protocol buffer, and how to use them with golang.
Source code used in the presentation: http://github.com/AlmogBaku/grpc-in-go
Watch this talk here: https://www.confluent.io/online-talks/apache-kafka-architecture-and-fundamentals-explained-on-demand
This session explains Apache Kafka’s internal design and architecture. Companies like LinkedIn are now sending more than 1 trillion messages per day to Apache Kafka. Learn about the underlying design in Kafka that leads to such high throughput.
This talk provides a comprehensive overview of Kafka architecture and internal functions, including:
-Topics, partitions and segments
-The commit log and streams
-Brokers and broker replication
-Producer basics
-Consumers, consumer groups and offsets
This session is part 2 of 4 in our Fundamentals for Apache Kafka series.
GraphQL is a query language for APIs and a runtime for fulfilling those queries. It gives clients the power to ask for exactly what they need, which makes it a great fit for modern web and mobile apps. In this talk, we explain why GraphQL was created, introduce you to the syntax and behavior, and then show how to use it to build powerful APIs for your data. We will also introduce you to AWS AppSync, a GraphQL-powered serverless backend for apps, which you can use to host GraphQL APIs and also add real-time and offline capabilities to your web and mobile apps. You can follow along if you have an AWS account – no GraphQL experience required!
Level: Beginner
Speaker: Rohan Deshpande - Sr. Software Dev Engineer, AWS Mobile Applications
For a long time in order to achieve mutual TLS between Kafka brokers and its clients we had to use long-lived certificates which is a nightmare to manage at large scale. At TransferWise, we have around 300 microservices and most of them use Kafka for the async communication, stream processing, event sourcing, etc. We wanted to implement Kafka security in a way that reduced the maintenance burden on platform teams, while making migration of diverse clients as simple as possible. In this talk we will describe how we have achieved that goal using SPIFFE with SPIRE and Envoy, requiring zero code changes on the client side.
Slides for the talk in Ruby SG meetup. (Apr 2018)
https://github.com/sathiyaseelan/grpc-client-ruby
https://github.com/sathiyaseelan/grpc-client-go
https://github.com/sathiyaseelan/grpc-rails-api
RESTful Architecture is effectively an implementation of Resource-Oriented architecture (ROA). ROA - is a good fit for Service oriented Architecture (SOA) implementation. Check out KickStartPros approach on RESTful API Design.
* REST = REpresentational State Transfer
* REST is Resource Based Representation. REST identifies things by JSON or XML & URIs.
* REST behavior/actions are identified by HTTP methods (GET, POST, PUT, DELETE).
* Using Uniform Interface Architecture with REST you can decouple Client (like Browser/Android App/iOS App) and Server.
* REST using Layered System and Cacheable Architecture gives better performance.
Migrating Single-Tenant Applications to Multi-Tenant SaaS (ARC326-R1) - AWS r...Amazon Web Services
The appeal of SaaS has many ISVs interested in the power and value of delivering their solutions in a SaaS model. However, moving a single-tenant application to a multi-tenant environment can be daunting. In this session, we'll look at the obstacles that many ISVs face as they consider the move to a SaaS delivery model. We'll explore a wide range of transformation patterns that cover everything from lift-and-shift of your monolith to an incremental cutover to multi-tenant aware microservices, data, and infrastructure. Along the way, we'll highlight the challenges and technical considerations that shape your solution and allow you to better align your transformed solution with SaaS best practices. This includes looking at all the new architectural elements you'll need to add to your environment to support SaaS (onboarding, identity, billing, metering, analytics, and so on).
Kiến trúc phần mềm cho các site chịu tải lớn – Software architecture for high traffic Website
Case study giới thiệu về kiến trúc của một site traffic lớn đó là stackoverflow.com - trang hỏi đáp về lập trình rất nổi tiếng
Bài trình bày của bạn Ngô Xuân Hòa tại Meetup 4 của Ha Noi .NET Group.
Chi tiết vui lòng xem tại: http://tungnt.net
API Security in a Microservice ArchitectureMatt McLarty
This presentation was given at the O'Reilly Software Architecture Conference in New York on Feb. 28, 2018. It gives an overview of the new book, Securing Microservice APIs. Download available here: https://transform.ca.com/API-securing-microservice-apis-oreilly-ebook.html
gRPC in Golang presentation
In this talk, I introduced gRPC, Protocol buffer, and how to use them with golang.
Source code used in the presentation: http://github.com/AlmogBaku/grpc-in-go
Watch this talk here: https://www.confluent.io/online-talks/apache-kafka-architecture-and-fundamentals-explained-on-demand
This session explains Apache Kafka’s internal design and architecture. Companies like LinkedIn are now sending more than 1 trillion messages per day to Apache Kafka. Learn about the underlying design in Kafka that leads to such high throughput.
This talk provides a comprehensive overview of Kafka architecture and internal functions, including:
-Topics, partitions and segments
-The commit log and streams
-Brokers and broker replication
-Producer basics
-Consumers, consumer groups and offsets
This session is part 2 of 4 in our Fundamentals for Apache Kafka series.
GraphQL is a query language for APIs and a runtime for fulfilling those queries. It gives clients the power to ask for exactly what they need, which makes it a great fit for modern web and mobile apps. In this talk, we explain why GraphQL was created, introduce you to the syntax and behavior, and then show how to use it to build powerful APIs for your data. We will also introduce you to AWS AppSync, a GraphQL-powered serverless backend for apps, which you can use to host GraphQL APIs and also add real-time and offline capabilities to your web and mobile apps. You can follow along if you have an AWS account – no GraphQL experience required!
Level: Beginner
Speaker: Rohan Deshpande - Sr. Software Dev Engineer, AWS Mobile Applications
For a long time in order to achieve mutual TLS between Kafka brokers and its clients we had to use long-lived certificates which is a nightmare to manage at large scale. At TransferWise, we have around 300 microservices and most of them use Kafka for the async communication, stream processing, event sourcing, etc. We wanted to implement Kafka security in a way that reduced the maintenance burden on platform teams, while making migration of diverse clients as simple as possible. In this talk we will describe how we have achieved that goal using SPIFFE with SPIRE and Envoy, requiring zero code changes on the client side.
Slides for the talk in Ruby SG meetup. (Apr 2018)
https://github.com/sathiyaseelan/grpc-client-ruby
https://github.com/sathiyaseelan/grpc-client-go
https://github.com/sathiyaseelan/grpc-rails-api
RESTful Architecture is effectively an implementation of Resource-Oriented architecture (ROA). ROA - is a good fit for Service oriented Architecture (SOA) implementation. Check out KickStartPros approach on RESTful API Design.
* REST = REpresentational State Transfer
* REST is Resource Based Representation. REST identifies things by JSON or XML & URIs.
* REST behavior/actions are identified by HTTP methods (GET, POST, PUT, DELETE).
* Using Uniform Interface Architecture with REST you can decouple Client (like Browser/Android App/iOS App) and Server.
* REST using Layered System and Cacheable Architecture gives better performance.
Migrating Single-Tenant Applications to Multi-Tenant SaaS (ARC326-R1) - AWS r...Amazon Web Services
The appeal of SaaS has many ISVs interested in the power and value of delivering their solutions in a SaaS model. However, moving a single-tenant application to a multi-tenant environment can be daunting. In this session, we'll look at the obstacles that many ISVs face as they consider the move to a SaaS delivery model. We'll explore a wide range of transformation patterns that cover everything from lift-and-shift of your monolith to an incremental cutover to multi-tenant aware microservices, data, and infrastructure. Along the way, we'll highlight the challenges and technical considerations that shape your solution and allow you to better align your transformed solution with SaaS best practices. This includes looking at all the new architectural elements you'll need to add to your environment to support SaaS (onboarding, identity, billing, metering, analytics, and so on).
Kiến trúc phần mềm cho các site chịu tải lớn – Software architecture for high traffic Website
Case study giới thiệu về kiến trúc của một site traffic lớn đó là stackoverflow.com - trang hỏi đáp về lập trình rất nổi tiếng
Bài trình bày của bạn Ngô Xuân Hòa tại Meetup 4 của Ha Noi .NET Group.
Chi tiết vui lòng xem tại: http://tungnt.net
How to integrate the complex use cases in the hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and Industry expert) talks about SAML, OAuth, OpenID and what you need to make your place in the complex scenario this presents
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
APIs are now the standard entry point to the majority of newly created ‘back-end’ functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as ‘gatekeepers’, ensuring appropriate security, auditing, accounting etc. Security is always underpinned by identity and as such, APIs need to know if not who is accessing them, what is the context in which they are being accessed.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
Profesia, Lynx Group, presenta la quinta puntata della serie di master class sulla tecnologia WSO2 di cui è Distributore esclusivo per l'Italia.
Il webinar, con la partecipazione straordinaria di WSO2, descrive come implementare nei client l'autorizzazione OAUTH2.
Scrivi a contact@profesia.it se stai pensando a una trasformazione digitale per evolvere verso un business agile
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
https://www.hackmiami.com/hmc5-speakers-day-2
OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementi ng OAuth for your product/platform.We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely. When you use OAuth, there are three pieces - The Platform , the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on a OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower risk vulnerabilities can result in gaping holes in your OAuth implementation. You will leave this session with a deep understanding of how OAuth implementation should be secured both for a platform and in an application and things to test for during a security evaluation of OAuth implementations.
An introduction to OAuth 2.0 from a Salesforce perspective to establish the foundations of OAuth 2.0. Discusses the key concepts of Authentication and Authorization and distinguishes the two. Also discusses Open ID connect.
Similar to Single-Page-Application & REST security (20)
The presentation talks about the components of FHIR, its distribution and use. Scenarios for the introduction of FHIR in the country using HL7 V3 are also offered.
Доклад рассказывает об поиске фантастическое устройства гравицапы, с помощью которого можно было бы перемещать данные между модулями больничной системы. И как гравицапой стал стандарт FHIR.
FHIR Developer Days 2015. Study on db implementations for FHIR serverIgor Bossenko
Presentation describes different approaches for implementing database for FHIR server, that were considered during implementation of Nortal National Healthcare System (NHS) for Lithuania.
Presentation describes different authentication ways to protect web application. It shows difference between custom approach and authentication with OAuth1 and OAuth2.
Данный доклад был представлен в Московской Медицинской Академии Наук в сентябре 2011 года. Доклад рассказывает он этапах внедрения ЭМЗ (NHR) в Эстонии, об успехах и неудачах, и архитектурном подходе состовления медицинских электронных документов
This presentation was made on 17.12.2013 in Vilnius (Lithuania) at the Centre of Registers. The purpose of the presentation create interest to the new HL7 FHIR standard to decision-makers, and then take it to use in the NHR project instead of HL7 V3
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
5. Authentication with API Key
Simplest way for REST authentication
Used for public or open APIs
Twitter, Google Maps, New York Times, …
API key usually used for
Identify the caller
Check IP addresses of caller
To limit the number of requests
Authentication with API Key only is
unsecure
7. New Google credential generation
Usually you must have separate API-Key for every API group
8. Authentication with secret key
API-key for identity
Secret-key (symmetric shared key) for
authentication
Authentication with additional secret
in header is not enough secure
(man-in-the-middle attacker risk)
9. Authentication with signature
API-key for identity
Secret-key for authentication, but secret key never sent with
request
Signature header is a HMAC-SHA256 hash of the nonce
concatenated with the full URL and body of the HTTP request,
encoded using your API secret-key.
Authentication with signature is secure.
11. Nonce
Nonce is an arbitrary (unique) number/string
Randon number
Number based on timestamp
Nonce included into signature
Requests with signature and nonce is very
secure and protect from replay attacks
12. Oauth (1.0)
In 2006 were no open standards for
API access delegation.
OAuth was designed to solve the
application-to-application security
problem.
OAuth Core 1.0 was released in 2007.
13. OAuth 1.0 concept
Terms
User, Consumer, Service Provider, Protected Resource, Provider
API
5 parameters to work with OAuth 1.0
Consumer key & Consumer secret
Request token URL
Authorize URL
Access token URL
OAuth 1.0 components
Token = Key + Secret
Message = Document + Digital Signature
Application = Consumer + Access to API
15. OAuth 1.0 summary
OAuth 1.0
=
Fetch Request Token +
Redirect to Authorization +
Fetch Access Token +
Call API +
Signature calculated with secret-key
16. vs
OpenID - protocol for fast user
registration on the current website
(“protocol for users”)
OAuth - protocol for authorized access
to the third-party vendor API („protocol
for robots“ ).
17. Non-repudiation
Non-repuduation - method to ensure that a
transferred message has been sent and
received by the parties claiming to have sent
and received the message
Nonrepudiation can be obtained through the
use of:
Digital signatures
Confirmation services
Timestamp
18. OAuth 1.0 vs Estonian xRoad
xRoad OAuth
PKI public/private
certificates
string as secret key or
public/private certificates
Certificate storage Secure server Any verified certificate
storage, such as AD, ..
Organization RIA (Estonian
Information System
Authority)
Required
API Developed by RIA (in
estonian)
Required
Special software xRoad server No
Scope Estonian standard International standard
Protocol SOAP REST
19. OAuth 2.0
OAuth 2.0 focuses on client developer simplicity
while providing specific authorization flows for
web applications, desktop applications, mobile
phones, and living room devices.
OAuth 2.0 is more a framework than it is a
defined protocol.
OAuth 2.0 is not backwards compatible with
OAuth 1.0.
In July 2012, Eran Hammer resigned his role of lead author for the OAuth
2.0 project, withdrew from the IETF working group, and removed his
name from the specification. Hammer: „OAuth 2.0 is more complex, less
interoperable, less useful, more incomplete, and most importantly, less
secure."
20. List of OAuth service providers (May/2014)
Service provider
OAuth
protocol
Amazon 2.0
AOL 2.0
Basecamp 2.0
Bitbucket 1.0a
Dropbox 1.0, 2.0
Evernote 1
Facebook 2.0 draft 12
Flickr 1.0a
Foursquare 2
GitHub 2
Goodreads 1
Google 2
Google App Engine 1.0a
Instagram 2
Intel Cloud Services 2
LinkedIn 1.0a, 2.0
Microsoft (Hotmail, Windows Live, Messanger, Xbox) 2
Netflix 1.0a
PayPal 2
Twitter 1.0a, 2.0
Ubuntu One 1
Vimeo 1.0a
Yandex 2
21. OAuth 1.0 vs OAuth 2.0
Problems of OAuth 1.0
Authentication and Signatures on client side
User Experience and Alternative Token Issuance Options
Performance at Scale
OAuth 2.0 changes:
OAuth 2.0 relies completely on SSL for some degree of
confidentiality and server authentication.
Cryptography-free option for authentication which is based
on existing cookie authentication architecture.
Simplified signatures
Separation of Roles (SSO support)
Short-lived tokens with Long-lived authorizations
22. OAuth 2.0 flows
Web Server Flow – for clients that are part of a web server
application, accessible via HTTP requests. This is a simpler version
of the flow provided by OAuth 1.0.
User-Agent Flow – for clients running inside a user-agent (browser).
Device Flow – suitable for clients executing on limited devices, but
where the end-user has separate access to a browser on another
computer or device.
Username and Password Flow – used in cases where the user
trusts the client to handle its credentials.
Client Credentials Flow (JWT) – the client uses its credentials to
obtain an access token. This flow supports what is known as the 2-
legged scenario.
Assertion Flow – the client presents an assertion such as a SAML
assertion to the authorization server in exchange for an access
token.
32. Does OAuth1 better than OAuth2?
Does OAuth1 better than OAuth2?
No, they have different purpose: OAuth1 for
server to server communication and OAuth2 for
user/device to server
Does OAuth1 more secure than
OAuth2?
Yes and No
OAuth 1.0 may be used without HTTPS
But, OAuth2 same secure as SSL
33. When to use OAuth1 & OAuth2?
OAuth 1.0 – server-to-server
OAuth 2.0 – browser/device/client-to-
server
34. I use OAuth. Does my app protected?
No
JSON may be changed before sending
Any URI may be called
OAuth just authentication for your app
and authorization to 3d-party apps
You may wants to do
Authorization and role/privilege check
Check of data consistency
State check or check of allowed actions
35. Authorization
You must check permissions every
time when REST service runs inside
service
You must also identify client and
context by cookie or by certificate
37. “Big” API vs “small” API
1 REST service or 3 services?
38. Profiles
Тhe server checks the data sent
regarding the xsd or profile or...
Profile example
Servoice LivingSubject Profile „Ivoice 1" Profile „Invoice 2" Profile „Invoice 3"
Recipient/Person N/A M N/A
Recipient/Organization N/A N/A M
Owner/-organization N/A O M
Owner/Person N/A O O
Row/Article M M M
Row/Quantity N/A M M
Row/Sum N/A N/A O
Payment/Sum O O N/A
constraints Row.size()==1 Row.size()==1 Row.size()>0
39. State validation
Stateless
OAuth2 provides token expiration
You can store frequently used data in
HTTP Cookie
Local storage
Memory DB
Cache (like Ehcache)
Use HATEOAS (Hypermedia as the Engine of Application
State or hypermedia-driven system) for form validation
Stateful
You can use it too, but why?
40. HATEOAS
Data and links content separated one from another
Server may store allowed links and refuse all other
REST queries
A simple JSON presentation is traditionally rendered as:
{
"name" : "Alice"
}
A HATEOAS-based response would provide relevant links like this:
{
"name": "Alice",
"links": [ {
"rel": "self",
"href": "http://localhost:8080/customer/1"
} ]
}
The client credentials grant type must only be used by confidential clients. The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control. The client can also request access to those of another Resource Owner that has been previously arranged with the Authorization Server (the method of which is beyond the scope of the specification).
A JSON Web Token (JWT) is a JSON-based security token encoding that enables identity and security information to be shared across security domains.
In the OAuth 2.0 JWT flow, the client application is assumed to be a confidential client that can store the client application’s private key. The X.509 certificate that matches the client’s private key must be registered in the API Manager. The API Gateway uses this certificate to verify the signature of the JWT claim.
POST /api/oauth/token HTTP/1.1
Content-Length: 424
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: 192.168.0.48:8080
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJS
UzI1NiJ9.eyJpc3MiOiAiU2FtcGxlQ29uZmlkZW50aWFsQXBwIiwgImF1ZCI6ICJodHRwOi8vYXBpc2Vy
dmVyL2FwaS9vYXV0aC90b2tlbiIsICJleHAiOiAiMTM0MTM1NDYwNSIsICJpYXQiOiAiMTM0MTM1NDMwN
SJ9.ilWR8O8OlbQtT5zBaGIQjveOZFIWGTkdVC6LofJ8dN0akvvD0m7IvUZtPp4dx3KdEDj4YcsyCEAPh
fopUlZO3LE-iNPlbxB5dsmizbFIc2oGZr7Zo4IlDf92OJHq9DGqwQosJ-s9GcIRQk-IUPF4lVy1Q7PidP
WKR9ohm3c2gt8