The document discusses OAuth 2.0 and implementing an OAuth 2.0 authorization server. It covers the different grant types (authorization code, implicit, password, client credentials), how each works, and which are best for different client types like web apps, browser-based apps, and mobile apps. It also discusses topics like scopes, limiting access to resources, accessing protected resources with an access token, and refreshing expired access tokens. The document provides guidance on implementing an OAuth 2.0 server including choosing library, grant types, token types, and defining scopes.
Security for oauth 2.0 - @topavankumarj (Pavan Kumar J)
OAuth is one of the most successful authorization protocols on the Internet. The OAuth 2.0 framework, the proposed standard to replace OAuth 1.0, enables a third-party application to obtain limited access to an application, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the application, or by allowing the third-party application to obtain access on its own behalf.
In this webinar, we provide an overview of the OAuth 2.0 authorization model, how it fits in the enterprise environment, and some critical security implications of note for software architects and security analysts.
Vulnerable App: https://github.com/topavankumarj/Vulnerable-OAuth2.0-Application
Key Takeaways:
1.) Comprehensive understanding of the OAuth 2.0 authorization framework.
2.) Threats/Attacks specific to OAuth 2.0
3.) Practical demonstration of exploit vectors
4.) Outline of architectural best practices in OAuth 2.0
Who should attend:
1.) Application architects /API developers who use OAuth to publish and/or interact with protected data.
2.) Security Analysts who want to learn about security implications relevant to the OAuth Framework.
Security is primarily a way of thinking, and in that spirit this presentation mainly revolves around the terminology and security concepts employed by the OAuth 2.0 specification (http://tools.ietf.org/html/rfc6749). These are contrasted with the actual implementations by Google, Facebook, etc.
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OAuth 2.0 - The fundamentals, the good, the bad, technical primer and commo... (Good Dog Labs, Inc.)
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but the level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals, the good, the bad, and common OAuth 2.0 flows.
The Many Flavors of OAuth - Understand Everything About OAuth2 (Khor SoonHin)
APIdays San Francisco 31 Jul 2018
https://oauth.io
Describe what, why and how of OAuth2
Provide an easy way to remember all OAuth2 grant types/flow through a 'spot the difference' image comparing all the 4 grant types.
Provide a quick reference showing all the steps in all OAuth2 grant types side-by-side.
Introduce the new identity layers in OAuth2 that offer authentication on top of authorization - OpenId Connect and IndieAuth
Describes the role of OAuth.io in:
1. Standardizing all the different OAuth2 implementations of different providers, e.g., Facebook, Twitter, etc., by hiding them behind OAuth.io's API endpoints
2. Accelerating adoption of new OAuth2 standards by providing a shim layer to implement those standards on behalf of OAuth providers
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, an open standard for API authentication. Originally broadcast on Justin.tv.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The remainder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (recently renamed to Apache Oltu). My impression is that many developers shy away as soon as they hear "security", so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
Securing RESTful APIs using OAuth 2 and OpenID Connect (Jonathan LeBlanc)
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
Shows how to be an OAuth consumer and provider from PHP (OAuth 1), including handling of tokens and secrets, and the workflow for devices. Also covers the workflow for OAuth 2.
If you've ever written any code to authenticate with Twitter, you may have been confused by all the signature methods and base strings. You'll be happy to know that OAuth 2 has vastly simplified the process, but at what cost?
This talk will give an overview of the OAuth 2 spec, starting with the various options the standard gives to developers for building web apps and native apps. We'll look at what the end user sees, work our way to what developers using an OAuth 2 API deal with, and we’ll end up at what developers of OAuth-2-compliant APIs will need to know to successfully implement the standard.
Many large providers have recently deployed APIs using OAuth 2, including Facebook, Foursquare, Google, and more. But since OAuth 2 is technically still a "draft," many aspects of the spec change from month to month and it's sometimes hard to keep up. We'll cover the commonalities and differences between some of the major providers and draft versions. The security implications of some of the changes between versions 1 and 2 will be covered, along with recommendations for best practices. You'll also get a glimpse of the debates currently raging on the internal OAuth 2 mailing list.
Presented at Open Source Bridge 2011
http://opensourcebridge.org/sessions/686
Current list of OAuth 2 Providers
http://aaronparecki.com/The_Current_State_of_OAuth_2
The presentation done at Colombo White Hat Security Meetup for introducing OAuth framework to the security enthusiasts. The event details are in [1].
[1] https://www.meetup.com/Colombo-White-Hat-Security/events/255358391/
Devteach 2017 OAuth and Open id connect demystified (Taswar Bhatti)
DevTeach Montreal 2017 talk on OAuth and OpenID Connect: how the technology works, the communication channels used, the different kinds of grants in OAuth, and how OpenID Connect fits into the entire ecosystem.
As part of an exercise to test the extensibility of OpenID Connect to protocols other than HTTP, we have created a custom scheme binding. This is still a rough sketch but should give you some idea of what it is. It may seem a bit of a stretch, but it has the niche characteristic that it does not "leak" information to external OPs.
There will be a companion RP side as well, which would be a more normal case.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or... (Brian Campbell)
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
http://www.springio.net/stateless-authentication-for-microservices/
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider.
In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider.
In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails.
The State of OAuth2
1. The State of OAuth 2
Aaron Parecki • @aaronpk • aaronparecki.com
State of the Auth • January 2013
2. Before OAuth
Apps stored the user’s password
Apps got complete access to a user’s account
Users couldn’t revoke access to an app except by changing their password
Compromised apps exposed the user’s password
aaron.pk/oauth2 @aaronpk
3. Before OAuth
Services recognized the problems with password authentication
Many services implemented things similar to OAuth 1.0
Each implementation was slightly different, certainly not compatible with each other
4. Before OAuth 1.0
Flickr: “FlickrAuth” frobs and tokens
Google: “AuthSub”
Facebook: requests signed with MD5 hashes
Yahoo: BBAuth (“Browser-Based Auth”)
7. Definitions
Resource Owner: The User
Resource Server: The API
Authorization Server: Often the same as the API server
Client: The Third-Party Application
10. Web Server Apps
Authorization Code Grant
11. Create a “Log In” link
Link to:
https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
16. User visits the authorization page
https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
17. On success, user is redirected back to your site with auth code
https://example.com/auth?code=AUTH_CODE_HERE
On error, user is redirected back to your site with error code
https://example.com/auth?error=access_denied
18. Server exchanges auth code for an access token
Your server makes the following request
POST https://graph.facebook.com/oauth/access_token
Post Body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
19. Server exchanges auth code for an access token
Your server gets a response like the following
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
or if there was an error
{
"error":"invalid_request"
}
21. Create a “Log In” link
Link to:
https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
22. User visits the authorization page
https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
23. On success, user is redirected back to your site with the access token in the fragment
https://example.com/auth#token=ACCESS_TOKEN
On error, user is redirected back to your site with error code
https://example.com/auth#error=access_denied
24. Browser-Based Apps
Use the “Implicit” grant type
No server-side code needed
Client secret not used
Browser makes API requests directly
26. Password Grant
Password grant is only appropriate for trusted clients, most likely first-party apps only.
If you build your own website as a client of your API, then this is a great way to handle logging in.
27. Password Grant Type
Only appropriate for your service’s website or your service’s mobile apps.
28. Password Grant
POST https://api.example.com/oauth/token
Post Body:
grant_type=password
&username=USERNAME
&password=PASSWORD
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
29. Password Grant
User exchanges username and password for a token
No server-side code needed
Client secret only used from confidential clients
(Don’t send client secret from a mobile app!)
Useful for developing a first-party login system
31. Client Credentials Grant
POST https://api.example.com/1/oauth/token
Post Body:
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
32. Grant Type Summary
authorization_code:
Web-server apps
implicit:
Mobile and browser-based apps
password:
Username/password access
client_credentials:
Application access
35. Authorization Code
User visits auth page
response_type=code
User is redirected to your site with auth code
http://example.com/?code=xxxxxxx
Your server exchanges auth code for access token
POST /token
code=xxxxxxx&grant_type=authorization_code
36. Implicit
User visits auth page
response_type=token
User is redirected to your site with access token
http://example.com/#token=xxxxxxx
Token is only available to the browser since it’s in the fragment
37. Password
Your server exchanges username/password for access token
POST /token
username=xxxxxxx&password=yyyyyyy&grant_type=password
38. Client Credentials
Your server exchanges client ID/secret for access token
POST /token
client_id=xxxxxxx&client_secret=yyyyyyy&grant_type=client_credentials
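The four token-endpoint exchanges summarized on slides 35 to 38, handled by one minimal server-side dispatcher, as an added example that is not part of the original deck. The in-memory client, user and authorization-code tables are constructed stand-ins for a database, and the example assumes every caller is a confidential client that sends its client secret.

```python
import secrets
import time

# Constructed in-memory tables standing in for a real database (assumption).
CLIENTS = {"web_app": {"secret": "s3cr3t"}}
USERS = {"alice": "correct horse battery staple"}
# Codes handed out by the authorization page: code -> (client_id, redirect_uri, user)
AUTH_CODES = {"xxxxxxx": ("web_app", "https://example.com/auth", "alice")}
TOKENS = {}  # access_token -> {"user": ..., "client_id": ..., "exp": ...}

def _client_ok(client_id, client_secret):
    client = CLIENTS.get(client_id)
    return client is not None and secrets.compare_digest(client["secret"], client_secret or "")

def _issue(user, client_id, ttl=3600):
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"user": user, "client_id": client_id, "exp": int(time.time()) + ttl}
    return {"access_token": token, "token_type": "bearer", "expires_in": ttl}

def token_endpoint(form: dict) -> dict:
    """POST /token handler. `form` is the parsed urlencoded body."""
    grant = form.get("grant_type")
    client_id = form.get("client_id")
    # Every grant here comes from a confidential client, so the secret is always checked.
    if not _client_ok(client_id, form.get("client_secret")):
        return {"error": "invalid_client"}
    if grant == "authorization_code":
        # Codes are single-use and bound to the client and redirect_uri they were issued for.
        issued = AUTH_CODES.pop(form.get("code"), None)
        if issued is None or issued[0] != client_id or issued[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return _issue(issued[2], client_id)
    if grant == "password":
        pw = USERS.get(form.get("username"))
        if pw is None or not secrets.compare_digest(pw, form.get("password", "")):
            return {"error": "invalid_grant"}
        return _issue(form["username"], client_id)
    if grant == "client_credentials":
        return _issue(None, client_id)  # the token represents the application itself
    return {"error": "unsupported_grant_type"}
```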
39. Mobile Apps
Implicit Grant
42. Redirect back to your app
Facebook app redirects back to your app using a custom URI scheme.
Access token is included in the redirect, just like browser-based apps.
fb2865://authorize/#access_token=BAAEEmo2nocQBAFFOeRTd
44. Mobile Applications
Use the “Implicit” grant type
No server-side code needed
Client secret not used
Mobile app makes API requests directly
45. Mobile Applications
External user agents are best
Use the service’s primary app for authentication, like Facebook – provides a superior user experience
Or open native Safari on iPhone, still better than using an embedded browser
Auth code or implicit grant type
In both cases, the client secret should never be used, since it is possible to decompile the app which would reveal the secret
46. Accessing Resources
So you have an access token. Now what?
47. Use the access token to make requests
Now you can make requests using the access token.
GET https://api.example.com/me
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Access token can be in an HTTP header or a query string parameter
https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia
48. Eventually the access token may expire
When you make a request with an expired token, you will get this response
{
"error":"expired_token"
}
Now you need to get a new access token!
49. Get a new access token using a refresh token
Your server makes the following request
POST https://api.example.com/oauth/token
grant_type=refresh_token
&refresh_token=e1qoXg7Ik2RRua48lXIV
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Your server gets a similar response as the original call to oauth/token with new tokens.
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"expires_in":3600,
"refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
50. Scope
Limiting access to resources
54. OAuth 2 scope
Created to limit access to the third party.
The scope of the access request expressed as a list of space-delimited strings.
In practice, many people use comma-separators instead.
The spec does not define any values, it’s left up to the implementor.
If the value contains multiple strings, their order does not matter, and each string adds an additional access range to the requested scope.
57. OAuth 2 scope on Github
https://github.com/login/oauth/authorize?client_id=...&scope=user,public_repo
user
• Read/write access to profile info only.
public_repo
• Read/write access to public repos and organizations.
repo
• Read/write access to public and private repos and organizations.
delete_repo
• Delete access to adminable repositories.
gist
• Write access to gists.
58. OAuth 2 scope
The challenge is displaying this to the user succinctly in a way they will actually understand
If you over-complicate it for users, they will just click “ok” until the app works, and ignore any warnings
Read vs write is a good start for basic services
60. What I just described is one possible implementation of an OAuth 2 server
61. Indecision
No required token type
No agreement on the goals of an HMAC-enabled token type
No requirement to implement token expiration
No guidance on token string size, or any value for that matter
No strict requirement for registration
Loose client type definition
62. Indecision (continued)
Lack of clear client security properties
No required grant types
No guidance on the suitability or applicability of grant types
No useful support for native applications (but lots of lip service)
No required client authentication method
No limits on extensions
Source: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
63. The result: the OAuth RFC is a framework, not a protocol
68. Implementing an OAuth 2 Server
Find a server library already written:
A short list available here: http://oauth.net/2/
Read the OAuth spec in its entirety
Study other implementations like Google
Make decisions based on the security requirements of your application. In many cases the spec says SHOULD and leaves the choice up to the implementer.
Understand the security implications of the implementation choices you make.
69. Implementing an OAuth 2 Server
Choose which grant types you want to support
Authorization Code – for traditional web apps
Implicit – for browser-based apps and mobile apps
Password – for your own website or mobile apps
Client Credentials – if applications can access resources on their own
Choose whether to support Bearer tokens, MAC or both
If using Bearer tokens, choose whether to use a DB lookup or use self-contained tokens
Define appropriate scopes for your service
70. Access Tokens
Bearer tokens vs MAC tokens
71. Bearer Tokens
GET /1/profile HTTP/1.1
Host: api.example.com
Authorization: Bearer B2mpLsHWhuVFw3YeLFW3f2
Bearer tokens are a cryptography-free way to access protected resources.
Relies on the security present in the HTTPS connection, since the request itself is not signed.
Application developers do not need to do any cryptography, they just pass the token string in the header.
72. Dangers of Using Bearer Tokens
Requests are not signed, so are vulnerable to replay attacks if someone intercepts the token.
When storing tokens in cookies, must ensure the cookie is only sent via an https connection.
If a token is leaked, there is a large potential for abuse.
73. Security Recommendations for Clients Using Bearer Tokens
Safeguard bearer tokens
Validate SSL certificates
Always use https
Don’t store bearer tokens in plaintext cookies
Issue short-lived bearer tokens
Don’t pass bearer tokens in page URLs
74. MAC Tokens
GET /1/profile HTTP/1.1
Host: api.example.com
Authorization: MAC id="jd93dh9dh39D",
nonce="273156:di3hvdf8",
mac="W7bdMZbv9UWOTadASIQHagZyirA="
MAC tokens provide a way to make authenticated requests with cryptographic verification of the request.
Similar to the original OAuth 1.0 method of using signatures.
Application developers must sign each request, preventing forgery and replay even when requests are sent in the clear.
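A client signing a request with a MAC token and the server verifying it and refusing replays, as an added example that is not part of the original deck. The key table is constructed, and the normalized string (nonce, method, path, host) is a simplified assumption rather than the exact format of the OAuth 2 MAC token draft.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Constructed key table (assumption): MAC key identifier -> shared secret issued with the token.
MAC_KEYS = {"jd93dh9dh39D": b"489dks293j39"}
SEEN_NONCES = set()   # (id, nonce) pairs already accepted, for replay detection
NONCE_WINDOW = 300    # seconds of clock skew tolerated before a request is refused as stale

def _normalized(nonce, method, path, host):
    # Simplified normalized request string (assumption, not the exact draft format).
    return f"{nonce}\n{method.upper()}\n{path}\n{host.lower()}\n".encode()

def sign_request(key_id, method, path, host, now=None):
    """Client side: build the Authorization header value for one request."""
    now = int(time.time()) if now is None else now
    nonce = f"{now}:{secrets.token_urlsafe(6)}"   # timestamp:random, as on the slide
    mac = hmac.new(MAC_KEYS[key_id], _normalized(nonce, method, path, host), hashlib.sha256).digest()
    return f'MAC id="{key_id}", nonce="{nonce}", mac="{base64.b64encode(mac).decode()}"'

def verify_request(auth_header, method, path, host, now=None):
    """Server side: True only for a correctly signed, fresh, never-before-seen request."""
    now = int(time.time()) if now is None else now
    fields = dict(re.findall(r'(\w+)="([^"]*)"', auth_header))
    if not auth_header.startswith("MAC ") or not {"id", "nonce", "mac"}.issubset(fields):
        return False
    key = MAC_KEYS.get(fields["id"])
    if key is None:
        return False
    expected = hmac.new(key, _normalized(fields["nonce"], method, path, host), hashlib.sha256).digest()
    try:
        # Constant-time comparison; any change to method, path or host breaks the MAC.
        if not hmac.compare_digest(expected, base64.b64decode(fields["mac"])):
            return False
    except ValueError:
        return False
    # Replay protection: the timestamp must be recent and the nonce never accepted before.
    ts = fields["nonce"].split(":", 1)[0]
    if not ts.isdigit() or abs(now - int(ts)) > NONCE_WINDOW:
        return False
    if (fields["id"], fields["nonce"]) in SEEN_NONCES:
        return False
    SEEN_NONCES.add((fields["id"], fields["nonce"]))
    return True
```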
75. Bearer, MAC, or Both?
Should you support Bearer tokens, MAC tokens or both?
MAC tokens are technically safer and more secure
Application developers will prefer working with Bearer tokens since it is easier
76. Scalability Concerns
Token lookups from a database can become a bottleneck.
Can be addressed by heavy use of caching to avoid DB lookups
Can be addressed by a good master/slave database architecture
An alternative is to use “self-encoded” tokens where all the needed information is contained within the token string itself, avoiding the need to do a database lookup
77. Self-Encoded Tokens
The token is a string which is encrypted or signed
The string contains all necessary information to avoid doing a database lookup
These tokens cannot be revoked, so must expire frequently (requires heavy use of the refresh_token grant type)
Can be implemented with either Bearer or MAC tokens
78. DB Token Lookups vs Self-Encoded Tokens
Token table probably looks like
Token
User ID
Expiration Date
Scopes
Instead, encode that into a JSON payload which *is* the token:
{"user_id":1000,"exp":1355429676,"scopes":["email","payment"]}
See JSON Web Signature for example of signing this token
80. JSON Web Signature
Complete Token Example:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Header, data, signature are base64 encoded and concatenated with a “period” between each.
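Signing the JSON payload from slide 78 as a JWS and checking it on the resource server without any database lookup, as an added example that is not part of the original deck; it also carries the scope check from slides 54 to 58 and the expired_token response from slide 48. The HMAC key is a constructed assumption, and only HS256 is accepted.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC key (assumption); a real server keeps it secret and rotates it.
KEY = b"server-side-hmac-key-keep-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # base64url, no padding

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def issue_token(user_id: int, scopes: list, ttl: int = 3600, now=None) -> str:
    """Self-encoded token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    header = _b64(_json({"typ": "JWT", "alg": "HS256"}))
    payload = _b64(_json({"user_id": user_id, "exp": now + ttl, "scopes": scopes}))
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, required_scope: str, now=None):
    """Resource-server check with no DB lookup: returns the claims or an error dict."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Verify the signature (constant-time) before trusting anything inside the token.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return {"error": "invalid_token"}
        # The server decides the algorithm; the header's alg is checked, never obeyed.
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return {"error": "invalid_token"}
        claims = json.loads(_unb64(payload))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return {"error": "invalid_token"}
    # Self-encoded tokens cannot be revoked, so the expiry check is the only kill switch.
    if claims.get("exp", 0) <= now:
        return {"error": "expired_token"}
    if required_scope not in claims.get("scopes", []):
        return {"error": "insufficient_scope"}
    return claims
```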
82. oauth.net Website
http://oauth.net
Source code available on Github
github.com/aaronpk/oauth.net
Please feel free to contribute to the website
Contribute new lists of libraries, or help update information