SlideShare a Scribd company logo

Token Binding Identiverse 2018

Download as PPTX, PDF
Brian Campbell
Brian Campbell

Token Binding is a new IETF protocol enabling strong cryptographic defenses against the use of stolen security tokens. This session will provide a technical overview of how Token Binding works and its application to session cookies and higher level protocols like OpenID Connect and OAuth. Bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.

Technology
1 of 28
© 2018 Brian Campbell @__b_c Token Binding2018 BRIAN CAMPBELL @__b_c
© 2018 Brian Campbell @__b_c FAQ Who the heck are you?
© 2018 Brian Campbell @__b_c About Me Distinguished Engineer at Ping Identity & Official Unofficial Identiverse (formerly CIS) Photographer
© 2018 Brian Campbell @__b_c FAQ Um… Photographer?
© 2018 Brian Campbell @__b_c Yes, been pretending to have a career as a “photographer” since 2011 “L’Arroseur Arrosé” by David Brossard
© 2018 Brian Campbell @__b_c FAQ Do you have any actual qualifications?
© 2018 Brian Campbell @__b_c Mr. Irrelevant
© 2018 Brian Campbell @__b_c FAQ Didn’t you do this talk last year?
© 2018 Brian Campbell @__b_c Yes
© 2018 Brian Campbell @__b_c FAQ Can you just get on with it already?
© 2018 Brian Campbell @__b_c yes… after just this one more photo
© 2018 Brian Campbell @__b_c What is a Bearer Token? • A security token with the property that any party in possession of that token (i.e. the "bearer") can use the token to access the associated resources • No other proof beyond just having it is needed
© 2018 Brian Campbell @__b_c The Problem With Bearer Tokens Two Truths and a Lie
© 2018 Brian Campbell @__b_c Bearer Tokens are Everywhere
© 2018 Brian Campbell @__b_c© 2017 Brian Campbell The Room Where It Happens Token Binding for binding tokens
© 2018 Brian Campbell @__b_c Token Binding Overview • Enables a long-lived binding of cookies or other security tokens to a client generated public-private key pair • Use is negotiated in TLS handshake via TLS extension • Possession of key is proven by signing the EKM (TLS Exported Keying Material) and sending an HTTP header in every request • Cookies and tokens can be bound to the key • Key is scoped to the effective top-level domain + 1 • Federated use-cases supported via referred token binding (vs. provided)
© 2018 Brian Campbell @__b_c Hello! Do you like my extension?
© 2018 Brian Campbell @__b_c Do you even bind tokens, bro? Client Server ClientHello ... token_binding [24] token_binding_version [1,0] key_parameters_list [2,0] ServerHello ... token_binding [24] token_binding_version [1,0] key_parameters_list [2] Key Parameters: (0) rsa2048_pkcs1.5 (1) rsa2048_pss (2) ecdsap256 Also need extenstions: Extended Master Secret Renegotiation Indication TLS Handshake
© 2018 Brian Campbell @__b_c Token Binding over HTTPS Client Server GET /stuff HTTP/1.1 Host: example.com Sec-Token-Binding: AIkAAgBBQLgtRpWFPN66kxhxGrtaKrzcMtHw7HV8 yMk_-MdRXJXbDMYxZCWnCASRRrmHHHL5wmpP3bhYt0ChRDbsMapfh_QAQ N1He3Ftj4Wa_S_fzZVns4saLfj6aBoMSQW6rLs19IIvHze7LrGjKyCfPT KXjajebxp-TLPFZCc0JTqTY5_0MBAAAA HTTP Request • Encoded Token Binding Message – (1 or more) Token Bindings • Type (provided / referred) • Token Binding ID (key type and public key) • Signature over type, key type, and EKM (TLS Exported Keying Material) • Extensions • Proves possession of the private key on the TLS connection • Keys are long-lived and span TLS connections • Keys are generated by the client
© 2018 Brian Campbell @__b_c Binding Cookies • The most straightforward application binds a cookie to the Token Binding key • Server associates Token Binding ID (key) with cookie & checks on subsequent use • Prevents the cookie from being used by a party that doesn’t have the key • Augments existing authentication and session mechanisms • Transparent to users • No key distribution (or certificates) • Deployment can be phased in
© 2018 Brian Campbell @__b_c Okay, Just Take It Easy Privacy Nerds Advocates • Token Binding is not a supercookie or new big brother tracking mechanism • Client generates a unique key pair per effective top-level domain + 1 (eTLD+1) – E.g., example.com, www.example.com, and etc.example.com share binding but not example.org or example.co.uk • Same scoping rules and privacy implications as cookies
© 2018 Brian Campbell @__b_c But what if we need 2Federate? • There’s an HTTP response header that tells the browser that it should reveal the Token Binding ID (the key) used between itself and the RP (referred) in addition to the one used between itself and the IDP (provided) Browser Identity Provider (IDP)Relying Party (RP) HTTP/1.1 302 Found Location: https://idp.example.com Include-Referred-Token-Binding-ID: true GET / HTTP/1.1 Host: idp.example.com Sec-Token-Binding: ARIAAgBBQB-XOPf5ePlf7ikATiAFEGOS503 lPmRfkyymzdWwHCxl0njjxC3D0E_OVfBNqrIQxzIfkF7tWby2Zfya E6XpwTsAQBYqhFX78vMOgDX_Fd_b2dlHyHlMmkIz8iMVBY_reM98O UaJFz5IB7PG9nZ11j58LoG5QhmQoI9NXYktKZRXxrYAAAECAEFAdU FTnfQADkn1uDbQnvJEk6oQs38L92gv-KO-qlYadLoDIKe2h53hSiK wIP98iRj_unedkNkAMyg9e2mY4Gp7WwBAeDUOwaSXNz1e6gKohwN4 SAZ5eNyx45Mh8VI4woL1BipLoqrJRoK6dxFkWgHRMuBROcLGUj5Pi OoxybQH_Tom3gAA two bindings: provided and referred
© 2018 Brian Campbell @__b_c The Specifications • Base – TLS Extension for Token Binding Protocol Negotiation https://tools.ietf.org/html/draft-ietf-tokbind-negotiation – The Token Binding Protocol https://tools.ietf.org/html/draft-ietf-tokbind-protocol – Token Binding over HTTP https://tools.ietf.org/html/draft-ietf-tokbind-https • OIDC – OpenID Connect Token Bound Authentication http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html • OAuth – OAuth 2.0 Token Binding https://tools.ietf.org/html/draft-ietf-oauth-token-binding • Deployment – HTTPS Token Binding with TLS Terminating Reverse Proxies https://tools.ietf.org/html/draft-ietf-tokbind-ttrp
© 2018 Brian Campbell @__b_c Base Specifications • Token Binding Negotiation, Protocol, and HTTP basically define what was described in the overview • All 3 IETF drafts are in the final throes of the IETF process, which is getting close* to RFC status Draft support in Google Chrome & Microsoft Edge/IE, .NET Framework, Google servers, open source work in OpenSSL, Apache, NGINX and Java
© 2018 Brian Campbell @__b_c OpenID Connect Token Bound Authentication • Utilizes the Include-Referred-Token- Binding-ID header and the Referred Token Binding • Binds the ID Token to the Token Binding ID the browser uses between itself and the Relying Party • Defines and uses token binding hash “tbh” member of the JWT confirmation claim “cnf” • OpenID Foundation spec is draft status but is presumably relatively stable
© 2018 Brian Campbell @__b_c Token Binding for OAuth Too • Binding of access tokens (via referred) – Uses JWT tbh cnf and defines it for token introspection • Binding of refresh tokens (via provided) • Client registration & server metadata • Binding of authorization codes via two PKCE variants – for native app clients – Web server clients • Binding of JWT Authorization Grants and JWT Client Authentication • IETF spec is a working group draft and, while there are no known/expected normative changes, it’s anticipated to be in draft for a considerable time
© 2018 Brian Campbell @__b_c HTTPS Token Binding with TLS Terminating Reverse Proxies (TTRP) • Defines HTTP headers that enable a proxy and backend server to function together as a single logical server side deployment of HTTPS Token Binding • Spec is an IETF working group draft with some hope of moving quickly
© 2018 Brian Campbell @__b_c Thanks! [probably no time for] Questions? Etc. BRIAN CAMPBELL @__b_c FIN

Recommended

Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBrian Campbell
 
Token Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebToken Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebTrish McGinity, CCSK
 
Trading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDB
Trading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDBTrading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDB
Trading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDBMongoDB
 
Jax london - Battle-tested event-driven patterns for your microservices archi...
Jax london - Battle-tested event-driven patterns for your microservices archi...Jax london - Battle-tested event-driven patterns for your microservices archi...
Jax london - Battle-tested event-driven patterns for your microservices archi...Natan Silnitsky
 
PHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your RESTPHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your RESTAdam Englander
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST Security2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST SecurityDavid Blevins
 
Ruby on Rails: The good parts - Boris Dinkevich, 500Tech
Ruby on Rails: The good parts - Boris Dinkevich, 500TechRuby on Rails: The good parts - Boris Dinkevich, 500Tech
Ruby on Rails: The good parts - Boris Dinkevich, 500TechCodemotion Tel Aviv
 

Recommended

Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBrian Campbell
 
Token Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebToken Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebTrish McGinity, CCSK
 
Trading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDB
Trading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDBTrading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDB
Trading up: Adding Flexibility and Scalability to Bouygues Telecom with MongoDBMongoDB
 
Jax london - Battle-tested event-driven patterns for your microservices archi...
Jax london - Battle-tested event-driven patterns for your microservices archi...Jax london - Battle-tested event-driven patterns for your microservices archi...
Jax london - Battle-tested event-driven patterns for your microservices archi...Natan Silnitsky
 
PHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your RESTPHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your RESTAdam Englander
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST Security2018 jPrime Deconstructing and Evolving REST Security
2018 jPrime Deconstructing and Evolving REST SecurityDavid Blevins
 
Ruby on Rails: The good parts - Boris Dinkevich, 500Tech
Ruby on Rails: The good parts - Boris Dinkevich, 500TechRuby on Rails: The good parts - Boris Dinkevich, 500Tech
Ruby on Rails: The good parts - Boris Dinkevich, 500TechCodemotion Tel Aviv
 
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t HappenShopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t HappenGreg Castle
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimJavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimPayara
 
Past, Present and Future of WebSocket - HTML5DevConf May 2014
Past, Present and Future of WebSocket - HTML5DevConf May 2014Past, Present and Future of WebSocket - HTML5DevConf May 2014
Past, Present and Future of WebSocket - HTML5DevConf May 2014Frank Greco
 
Serverless Spring
Serverless SpringServerless Spring
Serverless SpringVMware Tanzu
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformAntonio Peric-Mazar
 
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFWebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFFrank Greco
 
Javaee7 jsr356-websocket
Javaee7 jsr356-websocketJavaee7 jsr356-websocket
Javaee7 jsr356-websocketJini Lee
 
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB World 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB
 
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...Natan Silnitsky
 
Introduction to GitHub Copilot
Introduction to GitHub CopilotIntroduction to GitHub Copilot
Introduction to GitHub CopilotAll Things Open
 
HostBridge Virtual User Group December 2020
HostBridge Virtual User Group December 2020HostBridge Virtual User Group December 2020
HostBridge Virtual User Group December 2020HostBridge Technology
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Brian Campbell
 
Brushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developersBrushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developersONE BCG
 
Microsoft_SC-100_April_2023-v1.3.pdf
Microsoft_SC-100_April_2023-v1.3.pdfMicrosoft_SC-100_April_2023-v1.3.pdf
Microsoft_SC-100_April_2023-v1.3.pdfCCIEHOMER
 
DEVNET-2006 Coding 210: Parsing JSON in C++
DEVNET-2006 Coding 210: Parsing JSON in C++DEVNET-2006 Coding 210: Parsing JSON in C++
DEVNET-2006 Coding 210: Parsing JSON in C++Cisco DevNet
 
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS Summit
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS SummitRun Kubernetes with Amazon EKS - SRV318 - Chicago AWS Summit
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS SummitAmazon Web Services
 
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018Amazon Web Services
 
Computer networking mcis 6163 project
Computer networking mcis 6163 projectComputer networking mcis 6163 project
Computer networking mcis 6163 projectAnakinzs
 
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...Amazon Web Services
 
Introduction to GitHub Copilot
Introduction to GitHub CopilotIntroduction to GitHub Copilot
Introduction to GitHub CopilotAll Things Open
 

More Related Content

What's hot

Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t HappenShopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t HappenGreg Castle
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimJavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimPayara
 
Past, Present and Future of WebSocket - HTML5DevConf May 2014
Past, Present and Future of WebSocket - HTML5DevConf May 2014Past, Present and Future of WebSocket - HTML5DevConf May 2014
Past, Present and Future of WebSocket - HTML5DevConf May 2014Frank Greco
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformAntonio Peric-Mazar
 
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFWebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFFrank Greco
 
Javaee7 jsr356-websocket
Javaee7 jsr356-websocketJavaee7 jsr356-websocket
Javaee7 jsr356-websocketJini Lee
 
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB World 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB
 
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...Natan Silnitsky
 

What's hot (11)

Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t HappenShopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.PilgrimJavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
JavaEE & GlassFish UG - Digital JavaEE 7 New & Noteworthy by P.Pilgrim
 
Past, Present and Future of WebSocket - HTML5DevConf May 2014
Past, Present and Future of WebSocket - HTML5DevConf May 2014Past, Present and Future of WebSocket - HTML5DevConf May 2014
Past, Present and Future of WebSocket - HTML5DevConf May 2014
 
Serverless Spring
Serverless SpringServerless Spring
Serverless Spring
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
 
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFWebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
 
Javaee7 jsr356-websocket
Javaee7 jsr356-websocketJavaee7 jsr356-websocket
Javaee7 jsr356-websocket
 
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB World 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB World 2019: MongoDB Atlas Data Lake Technical Deep Dive
 
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...
Battle Tested Event-Driven Patterns for your Microservices Architecture - Ris...
 

Similar to Token Binding Identiverse 2018

Introduction to GitHub Copilot
Introduction to GitHub CopilotIntroduction to GitHub Copilot
Introduction to GitHub CopilotAll Things Open
 
HostBridge Virtual User Group December 2020
HostBridge Virtual User Group December 2020HostBridge Virtual User Group December 2020
HostBridge Virtual User Group December 2020HostBridge Technology
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Brian Campbell
 
Brushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developersBrushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developersONE BCG
 
Microsoft_SC-100_April_2023-v1.3.pdf
Microsoft_SC-100_April_2023-v1.3.pdfMicrosoft_SC-100_April_2023-v1.3.pdf
Microsoft_SC-100_April_2023-v1.3.pdfCCIEHOMER
 
DEVNET-2006 Coding 210: Parsing JSON in C++
DEVNET-2006 Coding 210: Parsing JSON in C++DEVNET-2006 Coding 210: Parsing JSON in C++
DEVNET-2006 Coding 210: Parsing JSON in C++Cisco DevNet
 
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS Summit
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS SummitRun Kubernetes with Amazon EKS - SRV318 - Chicago AWS Summit
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS SummitAmazon Web Services
 
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018Amazon Web Services
 
Computer networking mcis 6163 project
Computer networking mcis 6163 projectComputer networking mcis 6163 project
Computer networking mcis 6163 projectAnakinzs
 
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...Amazon Web Services
 
Introduction to GitHub Copilot
Introduction to GitHub CopilotIntroduction to GitHub Copilot
Introduction to GitHub CopilotAll Things Open
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenNCCOMMS
 
Nodes 2023 - Knowledge graph based chatbot.pptx
Nodes 2023 - Knowledge graph based chatbot.pptxNodes 2023 - Knowledge graph based chatbot.pptx
Nodes 2023 - Knowledge graph based chatbot.pptxTomazBratanic1
 
Tokyo Release.pdf
Tokyo Release.pdfTokyo Release.pdf
Tokyo Release.pdfRajiv283486
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...Brian Campbell
 
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896Cisco DevNet
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSOBrian Campbell
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Greg Castle
 
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explainedCisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explainedCisco Canada
 
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsA Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsAmazon Web Services
 

Similar to Token Binding Identiverse 2018 (20)

Introduction to GitHub Copilot
Introduction to GitHub CopilotIntroduction to GitHub Copilot
Introduction to GitHub Copilot
 
HostBridge Virtual User Group December 2020
HostBridge Virtual User Group December 2020HostBridge Virtual User Group December 2020
HostBridge Virtual User Group December 2020
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)
 
Brushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developersBrushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developers
 
Microsoft_SC-100_April_2023-v1.3.pdf
Microsoft_SC-100_April_2023-v1.3.pdfMicrosoft_SC-100_April_2023-v1.3.pdf
Microsoft_SC-100_April_2023-v1.3.pdf
 
DEVNET-2006 Coding 210: Parsing JSON in C++
DEVNET-2006 Coding 210: Parsing JSON in C++DEVNET-2006 Coding 210: Parsing JSON in C++
DEVNET-2006 Coding 210: Parsing JSON in C++
 
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS Summit
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS SummitRun Kubernetes with Amazon EKS - SRV318 - Chicago AWS Summit
Run Kubernetes with Amazon EKS - SRV318 - Chicago AWS Summit
 
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018
Continuous Integration Best Practices (DEV319-R1) - AWS re:Invent 2018
 
Computer networking mcis 6163 project
Computer networking mcis 6163 projectComputer networking mcis 6163 project
Computer networking mcis 6163 project
 
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...
How Rovio Uses Amazon CloudFront for Secure API Acceleration (CTD315) - AWS r...
 
Introduction to GitHub Copilot
Introduction to GitHub CopilotIntroduction to GitHub Copilot
Introduction to GitHub Copilot
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
 
Nodes 2023 - Knowledge graph based chatbot.pptx
Nodes 2023 - Knowledge graph based chatbot.pptxNodes 2023 - Knowledge graph based chatbot.pptx
Nodes 2023 - Knowledge graph based chatbot.pptx
 
Tokyo Release.pdf
Tokyo Release.pdfTokyo Release.pdf
Tokyo Release.pdf
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
Chatbots 101: design, code, deploy - Cisco Live Orlando 2018 - DEVNET-2896
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSO
 
Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?Walls Within Walls: What if your attacker knows parkour?
Walls Within Walls: What if your attacker knows parkour?
 
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explainedCisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
 
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsA Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
 

More from Brian Campbell

IAM Overview Identiverse 2018
IAM Overview Identiverse 2018IAM Overview Identiverse 2018
IAM Overview Identiverse 2018Brian Campbell
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarBrian Campbell
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsOAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsBrian Campbell
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Brian Campbell
 
I Left My JWT in San JOSE
I Left My JWT in San JOSEI Left My JWT in San JOSE
I Left My JWT in San JOSEBrian Campbell
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...Brian Campbell
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsBrian Campbell
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsBrian Campbell
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitBrian Campbell
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityBrian Campbell
 

More from Brian Campbell (13)

The Burden of Proof
The Burden of ProofThe Burden of Proof
The Burden of Proof
 
IAM Overview Identiverse 2018
IAM Overview Identiverse 2018IAM Overview Identiverse 2018
IAM Overview Identiverse 2018
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations Seminar
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsOAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of Us
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?
 
I Left My JWT in San JOSE
I Left My JWT in San JOSEI Left My JWT in San JOSE
I Left My JWT in San JOSE
 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity Standards
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security Protocols
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Token Binding Identiverse 2018

  • 1. © 2018 Brian Campbell @__b_c Token Binding2018 BRIAN CAMPBELL @__b_c
  • 2. © 2018 Brian Campbell @__b_c FAQ Who the heck are you?
  • 3. © 2018 Brian Campbell @__b_c About Me Distinguished Engineer at Ping Identity & Official Unofficial Identiverse (formerly CIS) Photographer
  • 4. © 2018 Brian Campbell @__b_c FAQ Um… Photographer?
  • 5. © 2018 Brian Campbell @__b_c Yes, been pretending to have a career as a “photographer” since 2011 “L’Arroseur Arrosé” by David Brossard
  • 6. © 2018 Brian Campbell @__b_c FAQ Do you have any actual qualifications?
  • 7. © 2018 Brian Campbell @__b_c Mr. Irrelevant
  • 8. © 2018 Brian Campbell @__b_c FAQ Didn’t you do this talk last year?
  • 9. © 2018 Brian Campbell @__b_c Yes
  • 10. © 2018 Brian Campbell @__b_c FAQ Can you just get on with it already?
  • 11. © 2018 Brian Campbell @__b_c yes… after just this one more photo
  • 12. © 2018 Brian Campbell @__b_c What is a Bearer Token? • A security token with the property that any party in possession of that token (i.e. the "bearer") can use the token to access the associated resources • No other proof beyond just having it is needed
  • 13. © 2018 Brian Campbell @__b_c The Problem With Bearer Tokens Two Truths and a Lie
  • 14. © 2018 Brian Campbell @__b_c Bearer Tokens are Everywhere
  • 15. © 2018 Brian Campbell @__b_c© 2017 Brian Campbell The Room Where It Happens Token Binding for binding tokens
  • 16. © 2018 Brian Campbell @__b_c Token Binding Overview • Enables a long-lived binding of cookies or other security tokens to a client generated public-private key pair • Use is negotiated in TLS handshake via TLS extension • Possession of key is proven by signing the EKM (TLS Exported Keying Material) and sending an HTTP header in every request • Cookies and tokens can be bound to the key • Key is scoped to the effective top-level domain + 1 • Federated use-cases supported via referred token binding (vs. provided)
  • 17. © 2018 Brian Campbell @__b_c Hello! Do you like my extension?
  • 18. © 2018 Brian Campbell @__b_c Do you even bind tokens, bro? Client Server ClientHello ... token_binding [24] token_binding_version [1,0] key_parameters_list [2,0] ServerHello ... token_binding [24] token_binding_version [1,0] key_parameters_list [2] Key Parameters: (0) rsa2048_pkcs1.5 (1) rsa2048_pss (2) ecdsap256 Also need extenstions: Extended Master Secret Renegotiation Indication TLS Handshake
  • 19. © 2018 Brian Campbell @__b_c Token Binding over HTTPS Client Server GET /stuff HTTP/1.1 Host: example.com Sec-Token-Binding: AIkAAgBBQLgtRpWFPN66kxhxGrtaKrzcMtHw7HV8 yMk_-MdRXJXbDMYxZCWnCASRRrmHHHL5wmpP3bhYt0ChRDbsMapfh_QAQ N1He3Ftj4Wa_S_fzZVns4saLfj6aBoMSQW6rLs19IIvHze7LrGjKyCfPT KXjajebxp-TLPFZCc0JTqTY5_0MBAAAA HTTP Request • Encoded Token Binding Message – (1 or more) Token Bindings • Type (provided / referred) • Token Binding ID (key type and public key) • Signature over type, key type, and EKM (TLS Exported Keying Material) • Extensions • Proves possession of the private key on the TLS connection • Keys are long-lived and span TLS connections • Keys are generated by the client
  • 20. © 2018 Brian Campbell @__b_c Binding Cookies • The most straightforward application binds a cookie to the Token Binding key • Server associates Token Binding ID (key) with cookie & checks on subsequent use • Prevents the cookie from being used by a party that doesn’t have the key • Augments existing authentication and session mechanisms • Transparent to users • No key distribution (or certificates) • Deployment can be phased in
  • 21. © 2018 Brian Campbell @__b_c Okay, Just Take It Easy Privacy Nerds Advocates • Token Binding is not a supercookie or new big brother tracking mechanism • Client generates a unique key pair per effective top-level domain + 1 (eTLD+1) – E.g., example.com, www.example.com, and etc.example.com share binding but not example.org or example.co.uk • Same scoping rules and privacy implications as cookies
  • 22. © 2018 Brian Campbell @__b_c But what if we need 2Federate? • There’s an HTTP response header that tells the browser that it should reveal the Token Binding ID (the key) used between itself and the RP (referred) in addition to the one used between itself and the IDP (provided) Browser Identity Provider (IDP)Relying Party (RP) HTTP/1.1 302 Found Location: https://idp.example.com Include-Referred-Token-Binding-ID: true GET / HTTP/1.1 Host: idp.example.com Sec-Token-Binding: ARIAAgBBQB-XOPf5ePlf7ikATiAFEGOS503 lPmRfkyymzdWwHCxl0njjxC3D0E_OVfBNqrIQxzIfkF7tWby2Zfya E6XpwTsAQBYqhFX78vMOgDX_Fd_b2dlHyHlMmkIz8iMVBY_reM98O UaJFz5IB7PG9nZ11j58LoG5QhmQoI9NXYktKZRXxrYAAAECAEFAdU FTnfQADkn1uDbQnvJEk6oQs38L92gv-KO-qlYadLoDIKe2h53hSiK wIP98iRj_unedkNkAMyg9e2mY4Gp7WwBAeDUOwaSXNz1e6gKohwN4 SAZ5eNyx45Mh8VI4woL1BipLoqrJRoK6dxFkWgHRMuBROcLGUj5Pi OoxybQH_Tom3gAA two bindings: provided and referred
  • 23. © 2018 Brian Campbell @__b_c The Specifications • Base – TLS Extension for Token Binding Protocol Negotiation https://tools.ietf.org/html/draft-ietf-tokbind-negotiation – The Token Binding Protocol https://tools.ietf.org/html/draft-ietf-tokbind-protocol – Token Binding over HTTP https://tools.ietf.org/html/draft-ietf-tokbind-https • OIDC – OpenID Connect Token Bound Authentication http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html • OAuth – OAuth 2.0 Token Binding https://tools.ietf.org/html/draft-ietf-oauth-token-binding • Deployment – HTTPS Token Binding with TLS Terminating Reverse Proxies https://tools.ietf.org/html/draft-ietf-tokbind-ttrp
  • 24. © 2018 Brian Campbell @__b_c Base Specifications • Token Binding Negotiation, Protocol, and HTTP basically define what was described in the overview • All 3 IETF drafts are in the final throes of the IETF process, which is getting close* to RFC status Draft support in Google Chrome & Microsoft Edge/IE, .NET Framework, Google servers, open source work in OpenSSL, Apache, NGINX and Java
  • 25. © 2018 Brian Campbell @__b_c OpenID Connect Token Bound Authentication • Utilizes the Include-Referred-Token- Binding-ID header and the Referred Token Binding • Binds the ID Token to the Token Binding ID the browser uses between itself and the Relying Party • Defines and uses token binding hash “tbh” member of the JWT confirmation claim “cnf” • OpenID Foundation spec is draft status but is presumably relatively stable
  • 26. © 2018 Brian Campbell @__b_c Token Binding for OAuth Too • Binding of access tokens (via referred) – Uses JWT tbh cnf and defines it for token introspection • Binding of refresh tokens (via provided) • Client registration & server metadata • Binding of authorization codes via two PKCE variants – for native app clients – Web server clients • Binding of JWT Authorization Grants and JWT Client Authentication • IETF spec is a working group draft and, while there are no known/expected normative changes, it’s anticipated to be in draft for a considerable time
  • 27. © 2018 Brian Campbell @__b_c HTTPS Token Binding with TLS Terminating Reverse Proxies (TTRP) • Defines HTTP headers that enable a proxy and backend server to function together as a single logical server side deployment of HTTPS Token Binding • Spec is an IETF working group draft with some hope of moving quickly
  • 28. © 2018 Brian Campbell @__b_c Thanks! [probably no time for] Questions? Etc. BRIAN CAMPBELL @__b_c FIN

Editor's Notes

  1. “Distinguished” – they ran out of titl
  2. CIS 2014 in Monterey
  3. Still believe it’s important Needed to justify coming here Slow process
  4. Spring of 2016 at IETF 95 Buenos Aires where I got more serious about TB
  5. From real job vs. pretend aspirational career
  6. Protections a plenty but compromise still happens Subdomain Takeovers (e.g. Uber in late 2017) Some are critical of on HttpOnly b/c it is narrow but it does this one thing
  7. Spring 2015 at IETF 92 Dallas Inoculate against use by unauthorized party
  8. IETF 100 in Singapore just one of the meetings involving this work
  9. 1st discussed in BA hotel room at IETF 95 April 2016
  10. 1st presented by Mike at Berlin IETF 96 July 2016
  11. First floated the idea at IETF 97 Seoul in Nov 2016