This document provides an overview of OAuth 2.0 and OpenID Connect (OIDC) for authentication and authorization. It begins with introducing the speaker, Matt Raible, and his background. It then discusses direct authentication vs federated identity and standards like SAML and OAuth. The document explains the key concepts of OAuth including actors, scopes and consent, tokens, flows, and common security issues. It outlines some enterprise use cases for OAuth and key facts about it being an authorization framework rather than protocol.
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Utah JUG...Matt Raible
Microservices are all the rage and being deployed by many Java Hipsters. If you’re working with a large team that needs different release cycles for product components, microservices can be a blessing. If you’re working at your VW Restoration Shop and running its online store with your own software, having five services to manage and deploy can be a real pain.
Share your knowledge and experience about microservices in this informative and code-heavy talk. We’ll use JHipster (a Yeoman generator) to create Angular + Spring Boot apps on separate instances with a unified front-end. I’ll also show you options for securing your API gateway and individual applications using JWT. Heroku, Kubernetes, Docker, ELK, Spring Cloud, Okta; there will be plenty of interesting demos to see!
Java REST API Framework Comparison - PWX 2021Matt Raible
Use Spring Boot! No, use Micronaut!! Nooooo, Quarkus is the best!!!
There's a lot of developers praising the hottest, and fastest, Java REST frameworks: Micronaut, Quarkus, and Spring Boot. In this session, you'll learn how to do the following with each framework:
✅ Build a REST API
✅ Secure your API with OAuth 2.0
✅ Optimize for production with Docker and GraalVM
I'll also share some performance numbers and pretty graphs to compare community metrics.
Related blog post: https://developer.okta.com/blog/2021/06/18/native-java-framework-comparison
Apache Roller, Acegi Security and Single Sign-onMatt Raible
Acegi Security is quickly becoming a widely respected security framework for Java applications. Not only does this security framework solve many of the deficiencies of J2EE's security mechanisms, but it's also easy to implement and configure. This tutorial will help you learn more about Acegi Security, as well as how to integrate it into your web applications. The Roller Weblogger project (currently in Apache's incubator) uses Acegi Security for many of its features: authentication, password encryption, remember me and SSL switching. After learning about Roller and Acegi, you will see how to deploy Roller onto Tomcat and Geronimo. Following that, you will learn how to hook Roller/Acegi into Apache Directory Server for authentication. Finally, you will learn how to integrate Roller with a Single Sign-on System (Yale's Central Authentication Service).
Front End Development for Back End Developers - Denver Startup Week 2017Matt Raible
Are you a backend developer that’s being pushed into front end development? Are you frustrated with all JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We’ll explore the tools of the trade for fronted development (npm, yarn, Gulp, Webpack, Yeoman) and learn the basics of HTML, CSS, and JavaScript. I'll dive into the intricacies of Bootstrap, Material Design, ES6, and TypeScript. Finally, after getting you up to speed with all this new tech, I'll show how it can all be found and integrated through the fine and dandy JHipster project.
Bootiful Development with Spring Boot and React - UberConf 2018Matt Raible
To simplify development and deployment, you want everything in the same artifact, so you put your React app “inside” your Spring Boot app, right? But what if you could create your React app as a standalone app and make cross-origin requests to your API? A client app that can point to any server makes it easy to test your current client code against other servers (e.g. test, staging, production). This session shows how to develop with Java 8, Spring Boot, React, and TypeScript. You’ll learn how to create REST endpoints with Spring MVC, configure Spring Boot to allow CORS, and create a React app to display its data. If time allows we’ll cover authentication with OpenID Connect and deployment to Cloud Foundry.
Blog: https://developer.okta.com/blog/2017/12/06/bootiful-development-with-spring-boot-and-react
GitHub: https://github.com/oktadeveloper/spring-boot-react-example
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Utah JUG...Matt Raible
Microservices are all the rage and being deployed by many Java Hipsters. If you’re working with a large team that needs different release cycles for product components, microservices can be a blessing. If you’re working at your VW Restoration Shop and running its online store with your own software, having five services to manage and deploy can be a real pain.
Share your knowledge and experience about microservices in this informative and code-heavy talk. We’ll use JHipster (a Yeoman generator) to create Angular + Spring Boot apps on separate instances with a unified front-end. I’ll also show you options for securing your API gateway and individual applications using JWT. Heroku, Kubernetes, Docker, ELK, Spring Cloud, Okta; there will be plenty of interesting demos to see!
Java REST API Framework Comparison - PWX 2021Matt Raible
Use Spring Boot! No, use Micronaut!! Nooooo, Quarkus is the best!!!
There's a lot of developers praising the hottest, and fastest, Java REST frameworks: Micronaut, Quarkus, and Spring Boot. In this session, you'll learn how to do the following with each framework:
✅ Build a REST API
✅ Secure your API with OAuth 2.0
✅ Optimize for production with Docker and GraalVM
I'll also share some performance numbers and pretty graphs to compare community metrics.
Related blog post: https://developer.okta.com/blog/2021/06/18/native-java-framework-comparison
Apache Roller, Acegi Security and Single Sign-onMatt Raible
Acegi Security is quickly becoming a widely respected security framework for Java applications. Not only does this security framework solve many of the deficiencies of J2EE's security mechanisms, but it's also easy to implement and configure. This tutorial will help you learn more about Acegi Security, as well as how to integrate it into your web applications. The Roller Weblogger project (currently in Apache's incubator) uses Acegi Security for many of its features: authentication, password encryption, remember me and SSL switching. After learning about Roller and Acegi, you will see how to deploy Roller onto Tomcat and Geronimo. Following that, you will learn how to hook Roller/Acegi into Apache Directory Server for authentication. Finally, you will learn how to integrate Roller with a Single Sign-on System (Yale's Central Authentication Service).
Front End Development for Back End Developers - Denver Startup Week 2017Matt Raible
Are you a backend developer that’s being pushed into front end development? Are you frustrated with all JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We’ll explore the tools of the trade for fronted development (npm, yarn, Gulp, Webpack, Yeoman) and learn the basics of HTML, CSS, and JavaScript. I'll dive into the intricacies of Bootstrap, Material Design, ES6, and TypeScript. Finally, after getting you up to speed with all this new tech, I'll show how it can all be found and integrated through the fine and dandy JHipster project.
Bootiful Development with Spring Boot and React - UberConf 2018Matt Raible
To simplify development and deployment, you want everything in the same artifact, so you put your React app “inside” your Spring Boot app, right? But what if you could create your React app as a standalone app and make cross-origin requests to your API? A client app that can point to any server makes it easy to test your current client code against other servers (e.g. test, staging, production). This session shows how to develop with Java 8, Spring Boot, React, and TypeScript. You’ll learn how to create REST endpoints with Spring MVC, configure Spring Boot to allow CORS, and create a React app to display its data. If time allows we’ll cover authentication with OpenID Connect and deployment to Cloud Foundry.
Blog: https://developer.okta.com/blog/2017/12/06/bootiful-development-with-spring-boot-and-react
GitHub: https://github.com/oktadeveloper/spring-boot-react-example
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
Spring Boot is an efficient way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
* OIDC demo: http://bit.ly/spring-oidc-demo
Front End Development for Back End Developers - vJUG24 2017Matt Raible
Are you a backend developer that’s being pushed into front-end development? Are you frustrated with all JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We’ll explore the tools for frontend development and frameworks too!
Streamed live at 8pm MST on Oct 25, 2017! https://virtualjug.com/vjug24/
Mobile Development with Ionic, React Native, and JHipster - ACGNJ Java Users ...Matt Raible
Mobile development offers a lot of options. To develop native apps, you can use Java or Kotlin on Android. On iOS, you can use Objective C or Swift. There are other options, too. You can build hybrid mobile apps and Progressive Web Apps (PWAs). Hybrid mobile apps are those created with web technologies (HTML, JavaScript, and CSS) that look like native apps. PWAs have the ability to work offline and act like mobile apps.
In this talk, we'll explore a few different mobile technologies: Ionic 4 (with Angular), React Native, and PWAs. You'll walk away with knowledge of how to build mobile + Spring Boot apps in minutes with JHipster.
Demo Script: https://github.com/mraible/mobile-jhipster/blob/master/demo.adoc
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Tips and criteria for selecting a web presentation framework. The focus is on Java-based frameworks, but the criteria are valid for any platform. From a panel discussion at the Seattle Java User Group (SeaJUG)
Front End Development for Backend Developers - GIDS 2019Matt Raible
Are you a backend developer that's being pushed into front-end development? Are you frustrated with all JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We'll explore the tools for frontend development and frameworks too!
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Matt Raible
Remember the choose your own adventure books that you used to read as a kid? This session is a reincarnation of a choose your own adventure book as a conference talk!
You'll learn about Spring Boot, Docker, and Kubernetes in this talk, along with the choices you make in the following areas:
* What kind of application architecture to build? Monolith or microservices?
* Would you like to use Java or Kotlin?
* MySQL, PostgreSQL, or MongoDB?
* Spring MVC or Spring WebFlux?
* Angular, React, or Vue.js?
* PWA or mobile app?
* Istio with Kubernetes or Kubernetes without Istio?
GitHub repos of demos:
* Monolith: https://github.com/mraible/healthy-hipster
* Microservices: https://github.com/mraible/ujug-microservices
Java Web Application Security - UberConf 2011Matt Raible
During this presentation, I demonstrate how to implement authentication in your Java web applications using good ol' Java EE Container Managed Authentication, Spring Security and Apache Shiro. You'll also learn how to secure your REST API with OAuth and lock it down with SSL.
After learning how to develop authentication, I'll introduce you to pentest your app, as well as OWASP, the OWASP Top 10, its Testing Guide and its Code Review Guide.
Much of this talk is contained in demos and tutorials, which are available on my blog at http://raibledesigns.com/rd/tags/security and http://youtube.com/mraible.
This talk covers the history of Spring, as well as what's new in Spring 3.1.
Specific areas discussed:
- Environments and Profiles
- Servlet 3.0 Support
- Hibernate 4 Support
- Cache Abstraction
- Java Configuration
- Test Context Support for Configuration Classes and Profiles
Read more about this presentation at:
http://raibledesigns.com/rd/entry/my_what_s_new_in
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019Matt Raible
You might’ve heard of Angular Schematics, but do you know what they do? Learn how you can use this powerful tool to develop workflows and simplify configurations for your Angular projects.
In this session, you'll learn how to create a schematic, how to test it, and how you can use them with non-Angular projects.
* YouTube video: https://youtu.be/bLLJqagO_dg
* Blog post: https://developer.okta.com/blog/2019/02/13/angular-schematics
* GitHub repo: https://github.com/oktadeveloper/schematics
Spring Boot APIs and Angular Apps: Get Hip with JHipster! KCDC 2019Matt Raible
JHipster is bad-ass. It's an Apache-licensed open source project that allows you to generate Spring Boot APIs and Angular (or React!) apps. It has a vibrant community and ecosystem with support for deploying to many cloud providers and using the latest DevOps buzzwords, like Docker and K8s.
This session will show you JHipster, why it's cool, and show you how to create an app with it.
* Demo Code: https://github.com/mraible/jhipster6-demo
* JHipster + OIDC: https://developer.okta.com/blog/2019/04/04/java-11-java-12-jhipster-oidc
* JHipster + Microservices: https://developer.okta.com/blog/2019/05/23/java-microservices-spring-cloud-config
* JHipster + Ionic: https://developer.okta.com/blog/2019/06/24/ionic-4-angular-spring-boot-jhipster
* JHipster + React Native: https://developer.okta.com/blog/2018/10/10/react-native-spring-boot-mobile-app
A Gentle Introduction to Angular Schematics - Angular SF 2019Matt Raible
You might’ve heard of Angular Schematics, but do you know what they do? Learn how you can use this powerful tool to develop workflows and simplify configurations for your Angular projects.
Blog post: https://developer.okta.com/blog/2019/02/13/angular-schematics
Source code: https://github.com/oktadeveloper/okta-angular-schematics-example
Screencast: https://youtu.be/ANwZIt3Ni2s
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatVMware Hyperic
Jennifer Hickey of SpringSource's Case Study of the results from Hyperic's recent migration from EJB to Spring. From the 2010 SpringOne 2GX conference.
Web App Security for Java Developers - UberConf 2021Matt Raible
Web app security is not just authentication and authorization. It's also the things you do to protect your web app from attackers with their XSS (cross-site scripting), SQL injection, DoS/DDoS attacks, and CSRF (cross-site request forgery), to name a few.
Web app security is a central component of any web-based business. The internet exposes web apps to attacks from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications, and web services such as APIs.
In this presentation, you'll learn seven ways to better web app security, using Spring Security for code samples. You'll also see some quick demos of Spring Boot, Angular, and JHipster with Okta.
Front End Development for Back End Java Developers - Jfokus 2020Matt Raible
Are you a backend Java developer that's being pushed into front-end development? Are you frustrated with all the JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We'll explore the landscape of UI development, including web standards, frameworks, and what’s on the horizon (e.g., micro frontends).
Java Web Application Security - Jazoon 2011Matt Raible
During this presentation, I demonstrate how to implement authentication in your Java web applications using good ol' Java EE Container Managed Authentication, Spring Security and Apache Shiro. You'll also learn how to secure your REST API with OAuth and lock it down with SSL.
After learning how to develop authentication, I'll introduce you to pentest your app, as well as OWASP, the OWASP Top 10, its Testing Guide and its Code Review Guide.
Much of this talk is contained in demos and tutorials, which are available on my blog at http://raibledesigns.com/rd/tags/security and http://youtube.com/mraible.
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Companion blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information.
This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020Matt Raible
Spring Boot is an efficient way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
* OIDC demo: http://bit.ly/spring-oidc-demo
Front End Development for Back End Developers - vJUG24 2017Matt Raible
Are you a backend developer that’s being pushed into front-end development? Are you frustrated with all JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We’ll explore the tools for frontend development and frameworks too!
Streamed live at 8pm MST on Oct 25, 2017! https://virtualjug.com/vjug24/
Mobile Development with Ionic, React Native, and JHipster - ACGNJ Java Users ...Matt Raible
Mobile development offers a lot of options. To develop native apps, you can use Java or Kotlin on Android. On iOS, you can use Objective C or Swift. There are other options, too. You can build hybrid mobile apps and Progressive Web Apps (PWAs). Hybrid mobile apps are those created with web technologies (HTML, JavaScript, and CSS) that look like native apps. PWAs have the ability to work offline and act like mobile apps.
In this talk, we'll explore a few different mobile technologies: Ionic 4 (with Angular), React Native, and PWAs. You'll walk away with knowledge of how to build mobile + Spring Boot apps in minutes with JHipster.
Demo Script: https://github.com/mraible/mobile-jhipster/blob/master/demo.adoc
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Matt Raible
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Tips and criteria for selecting a web presentation framework. The focus is on Java-based frameworks, but the criteria are valid for any platform. From a panel discussion at the Seattle Java User Group (SeaJUG)
Front End Development for Backend Developers - GIDS 2019Matt Raible
Are you a backend developer that's being pushed into front-end development? Are you frustrated with all JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We'll explore the tools for frontend development and frameworks too!
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020Matt Raible
Remember the choose your own adventure books that you used to read as a kid? This session is a reincarnation of a choose your own adventure book as a conference talk!
You'll learn about Spring Boot, Docker, and Kubernetes in this talk, along with the choices you make in the following areas:
* What kind of application architecture to build? Monolith or microservices?
* Would you like to use Java or Kotlin?
* MySQL, PostgreSQL, or MongoDB?
* Spring MVC or Spring WebFlux?
* Angular, React, or Vue.js?
* PWA or mobile app?
* Istio with Kubernetes or Kubernetes without Istio?
GitHub repos of demos:
* Monolith: https://github.com/mraible/healthy-hipster
* Microservices: https://github.com/mraible/ujug-microservices
Java Web Application Security - UberConf 2011Matt Raible
During this presentation, I demonstrate how to implement authentication in your Java web applications using good ol' Java EE Container Managed Authentication, Spring Security and Apache Shiro. You'll also learn how to secure your REST API with OAuth and lock it down with SSL.
After learning how to develop authentication, I'll introduce you to pentest your app, as well as OWASP, the OWASP Top 10, its Testing Guide and its Code Review Guide.
Much of this talk is contained in demos and tutorials, which are available on my blog at http://raibledesigns.com/rd/tags/security and http://youtube.com/mraible.
This talk covers the history of Spring, as well as what's new in Spring 3.1.
Specific areas discussed:
- Environments and Profiles
- Servlet 3.0 Support
- Hibernate 4 Support
- Cache Abstraction
- Java Configuration
- Test Context Support for Configuration Classes and Profiles
Read more about this presentation at:
http://raibledesigns.com/rd/entry/my_what_s_new_in
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019Matt Raible
You might’ve heard of Angular Schematics, but do you know what they do? Learn how you can use this powerful tool to develop workflows and simplify configurations for your Angular projects.
In this session, you'll learn how to create a schematic, how to test it, and how you can use them with non-Angular projects.
* YouTube video: https://youtu.be/bLLJqagO_dg
* Blog post: https://developer.okta.com/blog/2019/02/13/angular-schematics
* GitHub repo: https://github.com/oktadeveloper/schematics
Spring Boot APIs and Angular Apps: Get Hip with JHipster! KCDC 2019Matt Raible
JHipster is bad-ass. It's an Apache-licensed open source project that allows you to generate Spring Boot APIs and Angular (or React!) apps. It has a vibrant community and ecosystem with support for deploying to many cloud providers and using the latest DevOps buzzwords, like Docker and K8s.
This session will show you JHipster, why it's cool, and show you how to create an app with it.
* Demo Code: https://github.com/mraible/jhipster6-demo
* JHipster + OIDC: https://developer.okta.com/blog/2019/04/04/java-11-java-12-jhipster-oidc
* JHipster + Microservices: https://developer.okta.com/blog/2019/05/23/java-microservices-spring-cloud-config
* JHipster + Ionic: https://developer.okta.com/blog/2019/06/24/ionic-4-angular-spring-boot-jhipster
* JHipster + React Native: https://developer.okta.com/blog/2018/10/10/react-native-spring-boot-mobile-app
A Gentle Introduction to Angular Schematics - Angular SF 2019Matt Raible
You might’ve heard of Angular Schematics, but do you know what they do? Learn how you can use this powerful tool to develop workflows and simplify configurations for your Angular projects.
Blog post: https://developer.okta.com/blog/2019/02/13/angular-schematics
Source code: https://github.com/oktadeveloper/okta-angular-schematics-example
Screencast: https://youtu.be/ANwZIt3Ni2s
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatVMware Hyperic
Jennifer Hickey of SpringSource's Case Study of the results from Hyperic's recent migration from EJB to Spring. From the 2010 SpringOne 2GX conference.
Web App Security for Java Developers - UberConf 2021Matt Raible
Web app security is not just authentication and authorization. It's also the things you do to protect your web app from attackers with their XSS (cross-site scripting), SQL injection, DoS/DDoS attacks, and CSRF (cross-site request forgery), to name a few.
Web app security is a central component of any web-based business. The internet exposes web apps to attacks from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications, and web services such as APIs.
In this presentation, you'll learn seven ways to better web app security, using Spring Security for code samples. You'll also see some quick demos of Spring Boot, Angular, and JHipster with Okta.
Front End Development for Back End Java Developers - Jfokus 2020Matt Raible
Are you a backend Java developer that's being pushed into front-end development? Are you frustrated with all the JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We'll explore the landscape of UI development, including web standards, frameworks, and what’s on the horizon (e.g., micro frontends).
Java Web Application Security - Jazoon 2011Matt Raible
During this presentation, I demonstrate how to implement authentication in your Java web applications using good ol' Java EE Container Managed Authentication, Spring Security and Apache Shiro. You'll also learn how to secure your REST API with OAuth and lock it down with SSL.
After learning how to develop authentication, I'll introduce you to pentest your app, as well as OWASP, the OWASP Top 10, its Testing Guide and its Code Review Guide.
Much of this talk is contained in demos and tutorials, which are available on my blog at http://raibledesigns.com/rd/tags/security and http://youtube.com/mraible.
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Companion blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
What the Heck is OAuth and Open ID Connect? - UberConf 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information.
This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in-depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to get the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
JHipster and Okta - JHipster Virtual Meetup December 2020Matt Raible
YouTube video: https://www.youtube.com/watch?v=ym-OPn4e_nQ
When I first started working at Okta, I refactored JHipster's OAuth support to move from authentication on the client to the server, leveraging Spring Security. This allowed for easier client integration since we didn't need to worry about finding an OIDC client for each frontend framework.
Fast forward four years and JHipster's OAuth 2.0 and OIDC support is first-class! It uses Keycloak in a Docker container by default, but it's easy to switch to another identity provider (IdP) thanks to Spring Boot. Other blueprints like Micronaut, Quarkus, Node.js, and .NET support OAuth and OIDC too!
This presentation explains what OAuth 2.0 and OIDC is, gives an overview of JHipster’s OAuth implementation, and provides three quick demos with Keycloak, the Okta CLI, and Heroku.
See https://developer.okta.com/blog/tags/jhipster for Okta + JHipster tutorials and screencasts! 邏
You also might enjoy my What the Heck is OAuth? blog post:
https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
This is my first public speech about way to secure your API. Interective presentation you could find here - https://sergeypodgornyy.github.io/oauth-webbylab-presentation/
Security is something you want to get right. If you need to secure an API right now, I imagine you are worrying about how, exactly, to do it. It is to my surprise that JSON Web Tokens is a topic not often talked about, and I think it deserves to be in the spotlight today. We will see how easy it is to integrate it in an API authentication mechanism. If you want simple stateless HTTP authentication to an API, then JWT is just fine and relatively quick to implement. But JWT is a simple authentication protocol, OAuth is an authentication framework, that enables a third-party application to obtain limited access to an HTTP service. OAuth is a simple way to publish and interact with protected data. It's also a safer and more secure way for people to give you access.
How to integrate the complex use cases in the hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and Industry expert) talks about SAML, OAuth, OpenID and what you need to make your place in the complex scenario this presents
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"Andreas Falk
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group.
So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.
This is a slide deck I created and used to explain what OAuth is and how to use it with the .NET framework to write clients for Facebook and Google.
My slides usually do not have a lot of text on them so it might be difficult to get the ideas I am trying to convey in each individual slide. They're only relevant with the commentary I present during a talk. I use slides as a secondary tool, the primary one being my narration.
Within May 2015, I will edit and upload the video of my talk on YouTube, and provide a link to the YouTube video here. That may make these slides more useful.
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
apidays Helsinki & North 2023
API Ecosystems - Connecting Physical and Digital
June 5 & 6, 2023
API authorization with Open Policy Agent
Anders Eknert, Developer Advocate at Styra
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022Matt Raible
What if keeping your user stores in sync across domains was as simple as running "java -jar"? With Apache SCIMPle, it is!
Apache SCIMple is a SCIM 2.0-compliant server powered by Spring Boot 3. You can run it standalone or embedded in your existing app. It exposes user management REST endpoints and handles the hassle of user synchronization for you. If your identity provider supports SCIM, use the simple way!
GitHub example: https://github.com/mraible/okta-scim-spring-boot-example
Demo script: https://github.com/mraible/okta-scim-spring-boot-example/blob/main/demo.adoc
Micro Frontends for Java Microservices - Belfast JUG 2022Matt Raible
You've figured out how to split up your backend services into microservices and scale your teams to the moon, right?
But what about the frontend? Are you still building monoliths for your UI?
If so, you might want to check out micro frontends—basically extensions to the microservices pattern, where the concept is extended to the frontend.
Find out how to package and deploy your microservices and their UIs in the same artifact, as well as make it possible to test and develop them independently.
In this live session, Matt will show you how to build a microservices and micro frontends architecture using Angular, Spring Boot, and Spring Cloud.
Related blog post: https://auth0.com/blog/micro-frontends-for-java-microservices
GitHub repo: https://github.com/oktadev/auth0-micro-frontends-jhipster-example
Micro Frontends for Java Microservices - Dublin JUG 2022Matt Raible
You've figured out how to split up your backend services into microservices and scale your teams to the moon, right?
But what about the frontend? Are you still building monoliths for your UI?
If so, you might want to check out micro frontends—basically extensions to the microservices pattern, where the concept is extended to the frontend.
Find out how to package and deploy your microservices and their UIs in the same artifact, as well as make it possible to test and develop them independently.
In this live session, Matt will show you how to build a microservices and micro frontends architecture using Angular, Spring Boot, and Spring Cloud.
YouTube: https://youtu.be/lKC55S-OxPQ
Related blog post: https://auth0.com/blog/micro-frontends-for-java-microservices
GitHub repo: https://github.com/oktadev/auth0-micro-frontends-jhipster-example
Micro Frontends for Java Microservices - Cork JUG 2022Matt Raible
You've figured out how to split up your backend services into microservices and scale your teams to the moon, right?
But what about the frontend? Are you still building monoliths for your UI?
If so, you might want to check out micro frontends—basically extensions to the microservices pattern, where the concept is extended to the frontend.
Find out how to package and deploy your microservices and their UIs in the same artifact, as well as make it possible to test and develop them independently.
In this live session, Matt will show you how to build a microservices and micro frontends architecture using Angular, Spring Boot, and Spring Cloud.
Related blog post: https://auth0.com/blog/micro-frontends-for-java-microservices
GitHub repo: https://github.com/oktadev/auth0-micro-frontends-jhipster-example
Comparing Native Java REST API Frameworks - Seattle JUG 2022Matt Raible
Use Spring Boot! No, use Micronaut!! Nooooo, Quarkus is the best!!! What about Helidon?
There are a lot of developers praising the hottest, and fastest, Java REST frameworks: Micronaut, Quarkus, Spring Boot, and Helidon. In this session, you'll learn how to do the following with each framework:
✅ Build a REST API
✅ Secure your API with OAuth 2.0
✅ Optimize for production with Docker and GraalVM
I'll also share some performance numbers and pretty graphs to compare community metrics.
Related blog post: https://developer.okta.com/blog/2021/06/18/native-java-framework-comparison
Helidon companion post: https://developer.okta.com/blog/2022/01/06/native-java-helidon
GitHub repo: https://github.com/oktadev/native-java-examples
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022Matt Raible
Microservice architectures are all the rage in JavaLand. They allow teams to develop services independently and deploy autonomously.
Why microservices?
IF
you are developing a large/complex application
AND
you need to deliver it rapidly, frequently, and reliably over a long period of time
THEN
the Microservice Architecture is often a good choice.
Reactive architectures are becoming increasingly popular for organizations that need to do more, with less hardware. Reactive programming allows you to build systems that are resilient to high load.
In this session, I'll show you how to use JHipster to create a reactive microservices architecture with Spring Boot, Spring Cloud, Keycloak, and run it all in Docker. You will leave with the know-how to create your own resilient apps!
Related blog post: https://developer.okta.com/blog/2021/01/20/reactive-java-microservices
YouTube demo: https://youtu.be/clkEUHWT9-M
GitHub repo: https://github.com/oktadev/java-microservices-examples/tree/main/reactive-jhipster
Comparing Native Java REST API Frameworks - Devoxx France 2022Matt Raible
Use Spring Boot! No, use Micronaut!! Nooooo, Quarkus is the best!!! What about Helidon?
There are a lot of developers praising the hottest, and fastest, Java REST frameworks: Micronaut, Quarkus, Spring Boot, and Helidon. In this session, you'll learn how to do the following with each framework:
✅ Build a REST API
✅ Secure your API with OAuth 2.0
✅ Optimize for production with Docker and GraalVM
I'll also share some performance numbers and pretty graphs to compare community metrics.
Related blog post: https://developer.okta.com/blog/2021/06/18/native-java-framework-comparison
Helidon companion post: https://developer.okta.com/blog/2022/01/06/native-java-helidon
GitHub repo: https://github.com/oktadev/native-java-examples
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...Matt Raible
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Native Java with Spring Boot and JHipster - Garden State JUG 2021Matt Raible
Do you want to deploy your Spring Boot apps in a serverless environment and have them start up in milliseconds? Of course, you do!
In this talk, Josh Long and Matt Raible will introduce you to Spring Native. They'll teach you all about how it can compile Spring Boot apps into native binaries that start faster than a speeding bullet! You'll learn about native testing support with JUnit 5 and the pros and cons of native vs JVM deployments.
This talk will also highlight a customer, the JHipster project. JHipster generates Spring Boot-based monoliths and microservices. You'll learn about the project's experience with Spring Boot, Spring Cloud, Spring WebFlux, and Spring Native. It ain't easy being a Java Hipster, but the Spring ecosystem does simplify the process quite a bit.
Recording on YouTube: https://youtu.be/k6nBB8FOmQ8
Examples on GitHub: https://github.com/mraible/spring-native-examples
Writeup on LinkedIn: https://www.linkedin.com/pulse/jhipster-works-spring-native-part-2-matt-raible/
Web App Security for Java Developers - PWX 2021Matt Raible
Web app security is not just authentication and authorization. It's also the things you do to protect your web app from attackers with their XSS (cross-site scripting), SQL injection, DoS/DDoS attacks, and CSRF (cross-site request forgery), to name a few.
Web app security is a central component of any web-based business. The internet exposes web apps to attacks from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications, and web services such as APIs.
In this presentation, you'll learn seven ways to better web app security, using Spring Security for code samples. You'll also see some quick demos of Spring Boot, Angular, and JHipster with Keycloak, Auth0, and Okta.
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...Matt Raible
Mobile development offers a lot of options. To develop native apps, you can use Java or Kotlin on Android. On iOS, you can use Objective C or Swift. There are other options, too. You can build hybrid mobile apps and Progressive Web Apps (PWAs). Hybrid mobile apps are those created with web technologies (HTML, JavaScript, and CSS) that look like native apps. PWAs have the ability to work offline and act like mobile apps.
In this talk, we'll explore a few different mobile technologies: PWAs, React Native, and Ionic (with Angular). You'll walk away with knowledge of how to build mobile + Spring Boot apps in minutes with JHipster.
* GitHub repo: https://github.com/mraible/mobile-jhipster
* Demo script: https://github.com/mraible/mobile-jhipster/blob/main/demo.adoc
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Matt Raible
In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Delivered at JokerConf on October 28, 2021 at 11am MDT: https://jokerconf.com/en/talks/lock-that-sh*t-down-auth-security-patterns-for-apps-apis-and-infra/
Java REST API Framework Comparison - UberConf 2021Matt Raible
Use Spring Boot! No, use Micronaut!! Nooooo, Quarkus is the best!!!
There's a lot of developers praising the hottest, and fastest, Java REST frameworks: Micronaut, Quarkus, and Spring Boot. In this session, you'll learn how to do the following with each framework:
✅ Build a REST API
✅ Secure your API with OAuth 2.0
✅ Optimize for production with Docker and GraalVM
I'll also share some performance numbers and pretty graphs to compare community metrics.
Related blog post: https://developer.okta.com/blog/2021/06/18/native-java-framework-comparison
Native Java with Spring Boot and JHipster - SF JUG 2021Matt Raible
Do you want to deploy your Spring Boot apps in a serverless environment and have them start up in milliseconds? Of course, you do!
In this talk, Josh Long and Matt Raible will introduce you to Spring Native. They'll teach you all about how it can compile Spring Boot apps into native binaries that start faster than a speeding bullet! You'll learn about native testing support with JUnit 5 and the pros and cons of native vs JVM deployments.
This talk will also highlight a customer, the JHipster project. JHipster generates Spring Boot-based monoliths and microservices. You'll learn about the project's experience with Spring Boot, Spring Cloud, Spring WebFlux, and Spring Native. It ain't easy being a Java Hipster, but the Spring ecosystem does simplify the process quite a bit.
Recording on YouTube: https://youtu.be/F9oydL_MndA
Examples on GitHub: https://github.com/mraible/spring-native-examples
Writeup on LinkedIn: https://www.linkedin.com/pulse/jhipster-works-spring-native-matt-raible/
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021Matt Raible
Microservice architectures are all the rage in JavaLand. They allow teams to develop services independently and deploy autonomously.
Why microservices?
IF
you are developing a large/complex application
AND
you need to deliver it rapidly, frequently, and reliably over a long period of time
THEN
the Microservice Architecture is often a good choice
Reactive architectures are becoming increasingly popular for organizations that need to do more, with less hardware. Reactive programming allows you to build systems that are resilient to high loads.
In this session, I'll show you how to use JHipster to create a reactive microservices architecture with Spring Boot, Spring Cloud, Keycloak, and run it all in Docker. You will leave with the know-how to create your own resilient apps!
Related blog post: https://developer.okta.com/blog/2021/01/20/reactive-java-microservices
YouTube demo: https://youtu.be/clkEUHWT9-M
YouTube recording: https://youtu.be/8OuZMFyh0xE
GitHub repo: https://github.com/oktadev/java-microservices-examples/tree/main/reactive-jhipster
Get Hip with JHipster - Colorado Springs Open Source User Group 2021Matt Raible
JHipster is bad-ass. It's an Apache-licensed open source project that allows you to generate Spring Boot APIs and Angular (or React/Vue) apps. It has a vibrant community and ecosystem with support for deploying to many cloud providers and using the latest DevOps buzzwords, like Docker and K8s.
This session will show you JHipster, why it's cool, and show you how to create an app with it.
JHipster 7 Demo: https://www.youtube.com/watch?v=6lf64CctDAQ
JHipster 7 Tutorial: https://github.com/mraible/jhipster7-demo#readme
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020Matt Raible
"Use Spring Boot! No, use Micronaut!! Nooooo, Quarkus is the best!!!"
There's a lot of developers praising the hottest, and fastest, Java REST frameworks: Micronaut, Quarkus, and Spring Boot. In this session, you'll learn how to do the following with each framework:
✅ Build a REST API
✅ Secure your API with OAuth 2.0
✅ Optimize for production with Docker and GraalVM
I'll also share some performance numbers and pretty graphs to compare community metrics.
Related blog post: https://developer.okta.com/blog/2020/01/09/java-rest-api-showdown
GitHub repo: https://github.com/oktadeveloper/okta-java-rest-api-comparison-example
Security Patterns for Microservice Architectures - SpringOne 2020Matt Raible
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...Matt Raible
Microservices are being deployed by many Java Hipsters. If you're working with a large team that needs different release cycles for product components, microservices can be a blessing. If you're working at your VW Restoration Shop and running its online store with your own software, having five services to manage and deploy can be a real pain.
This presentation will show you how to use JHipster to create a microservices architecture with Spring Boot, Spring Cloud, Keycloak, and run it all in Docker. You will leave with the know-how to create your own excellent apps!
Related blog posts:
* Java Microservices with Spring Boot and Spring Cloud: https://developer.okta.com/blog/2019/05/22/java-microservices-spring-boot-spring-cloud
* Java Microservices with Spring Cloud Config and JHipster: https://developer.okta.com/blog/2019/05/23/java-microservices-spring-cloud-config
* Secure Reactive Microservices with Spring Cloud Gateway: https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
What the Heck is OAuth and OpenID Connect - RWX 2017
1. Matt Raible | @mraible
What the Heck is OAuth and OIDC?
December 7, 2017 #RichWeb17
2. Blogger on raibledesigns.com
Web Developer and Java Champion
Father, Skier, Mountain Biker,
Whitewater Rafter
Open Source Connoisseur
Who is Matt Raible?
Bus Lover
Okta Developer Advocate
8. What about You?
Java, .NET, Python, or Node.js?
Have you ever written authentication
from scratch?
Have you implemented OAuth or OIDC?
Have you heard of Okta? Auth0?
Why are you here?
11. An open standard for authorization; anyone can implement it
Provides “secure delegated access” to client applications
Works over HTTPS and authorizes:
Devices
APIs
Servers
Applications
… with access tokens rather than credentials
What is OAuth?
32. OAuth 2.0
Enables apps to obtain limited access (scopes) to
a user’s data without giving away a user’s
password
Decouples authentication from authorization
Supports multiple use cases addressing different
client capabilities and deployment models
Server-to-server apps
Browser-based apps
Mobile/Native apps
Consoles/TVs
Web-scale delegated authorization framework for REST/APIs
Protecting APIs
Since
October 2012
35. Hotel Key Cards, but for Apps
OAuth Authorization Server Resource (API)Access Token
36. OAuth Simplified
App requests authorization from User1
User authorizes App and delivers proof2
App presents proof of authorization to server to get a Token3
Token is restricted to only access what the User authorized
for the specific App
4
42. Scopes
Additive bundles of permissions
asked by client when requesting a
token
Decouples authorization policy
decisions from enforcement
Who owns the data? End user or
the target service
Who gets to specify the
authorization policy? End user or
application owner
Scopes to Deny
Scopes to Allow
44. Tokens
• Short-lived token used by
Client to access Resource
Server (API)
• Opaque to the Client
• No client authentication
required (Public Clients)
• Optimized for scale and
performance
• Revocation is dependent on
implementation
Access Token (Required)
• Long-lived token that is
used by Client to obtain
new access tokens from
Authorization Server
• Usually requires
Confidential Clients with
authentication
• Forces client to rotate
secrets
• Can usually be revoked
Refresh Token (Optional)
OAuth doesn’t define the format of a token!
45. Access Token Types
Self-contained tokens
Protected, time-limited data structure agreed upon between Authorization Server and
Resource Server that contains metadata and claims about the identity of the user or
client over the wire.
Resource Server can validate the token locally by checking the signature, expected
issuer name and expected audience or scope.
Commonly implemented as a signed JSON Web Tokens (JWT)
Reference tokens (aka opaque tokens)
Infeasible-to-guess (secure-random) identifier for a token issued and stored by the
OAuth 2.0 Authorization Server
Resource Server must send the identifier via back-channel to the OAuth 2.0
Authorization Server’s token introspection endpoint to determine if the token is valid
and obtain claims/scopes
52. Front Channel Flow
Authorize via User Agent
Resource
Server (RS)
Authorization
Server (AS)
4
2
3
1
Resource Owner starts flow to
delegate access to protected
resource
1
Client
2 Client sends authorization request
with desired scopes via browser
redirect to Authorize Endpoint on
Authorization Server
3
User authenticates and consents to
Delegated Access (Grant)
4 Authorization Code Grant or Access
Token is returned to Client via
browser redirect
Resource
Owner (RO)
53. Authorization Request
GET https://accounts.google.com/o/oauth2/auth?
scope=gmail.insert gmail.send&
redirect_uri=https://app.example.com/oauth2/callback&
response_type=code&
client_id=812741506391&
state=af0ifjsldkj
HTTP/1.1 302 Found
Location: https://app.example.com/oauth2/callback?
code=MsCeLvIaQm6bTrgtp7&
state=af0ifjsldkj
Request
Response
Note: Parameters are not URL-encoded for example purposes
54. Back Channel Flow
Exchange Grants for Tokens
Resource
Server (RS)
Authorization
Server (AS)
1
Client
2 Client accesses protected
resource with Access Token
Resource
Owner (RO)
2
Client exchanges Authorization
Code Grant with token endpoint
on Authorization Server for an
Access Token and optionally
Refresh Token
1
55. Token Request
POST /oauth2/v3/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=MsCeLvIaQm6bTrgtp7&
client_id=812741506391&
client_secret={client_secret}&
redirect_uri=https://app.example.com/oauth2/callback&
grant_type=authorization_code
Note: Parameters are not URL-encoded for example purposes
58. OAuth 2.0 Grant Types (Flows)
• Optimized for browser-only
Public Clients
• Access token returned
directly from authorization
request (Front-channel only)
• Does not support refresh
tokens
• Assumes Resource Owner
and Public Client are on the
same device
• Most vulnerable to security
threats
Implicit (2 Legged)
• Front channel flow used by
Client to obtain
authorization code grant
• Back channel flow used by
Client to exchange
authorization code grant
for access token and
optionally refresh token
• Assumes Resource Owner
and Client are on separate
devices
• Most secure flow as tokens
never passes through user-
agent
Authorization Code (3 Legged)
• Optimized for server-only
Confidential Clients acting
on behalf of itself or a user
• Back-channel only flow to
obtain an access token
using the Client’s
credentials
• Supports shared secrets or
assertions as Client
credentials signed with
either symmetric or
asymmetric keys
Client Credential
59. OAuth 2.0 Grant Types (Flows)
• Legacy grant type for native
username/password apps
such as desktop apps
• Username/password is
authorization grant to
obtain access token from
Authorization Server
• Does not support refresh
tokens
• Assumes Resource Owner
and Public Client or on the
same device
Resource Owner Password
• Allows Authorization Server
to trust authorization
grants from third party such
as SAML IdP (Federation)
• Assertion is used to obtain
access token with token
request
• Does not support refresh
tokens
Assertion
• Optimized for devices that
do not have access to web-
browsers
• User code is returned from
authorization request that
must be redeemed by
visiting a URL on a device
with a browser to authorize
• Back channel flow used by
Client to poll for
authorization approval for
access token and optionally
refresh token
Device
60. OAuth Flows
Six different flows
Necessary because of:
How you get consent from client?
Who is making consent?
Adds a lot of complexity to OAuth
When people ask if you support OAuth, are they asking for all
six?
Image: Ian Sane, Spring Runoff
https://www.flickr.com/photos/31246066@N04/4620052369
61. Common OAuth 2.0 Security Issues
Too many inputs that need validation
Token hijacking with CSRF
Always use CSRF token with state parameter to ensure OAuth flow integrity
Leaking authorization codes or tokens through redirects
Always whitelist redirect URIs and ensure proper URI validations
Token hijacking by switching clients
Bind the same client to authorization grants and token requests
Leaking client secrets
Unbounded & Bearer Tokens
See draft specification of OAuth Proof-of-Possession Token Extension
62. Key Enterprise OAuth 2.0 Use Cases
Decouples authorization policy decisions from
enforcement
Enables the right blend of fine & coarse grained
authorization
Replaces traditional Web Access management (WAM)
Policies
Restrict and revoke which apps can access specific
APIs
Ensure only managed and/or complaint devices can
access specific APIs
Deep integration with identity deprovisioning
workflow to revoke all tokens for a user and device
Federation with an IdP
63. OAuth 2.0 Facts
Not backward compatible with
OAuth 1.0
Interoperability issues exists as
its not a protocol but rather an
authorization framework
OAuth 2.0 is not an
authentication protocol
OAuth 2.0 alone says absolutely
nothing about the user
66. Authorization Framework
Return of Complexity through Extensions
OAuth 2 Framework
RFC 6749
Assertion Framework
RFC 7521
Token Introspection
RFC 7662
Token Revocation
RFC 7009
Dynamic Client Registration
RFC 7591
JSON
RFC 7159
JSON Web Token Bearer Assertion
RFC 7523
Proof Key for Code Exchange (PKCE)
RFC 7636
Token Exchange
Draft
SAML 2.0 Bearer Assertion
RFC 7522
Proof of Possession
Draft
JSON Web Token (JWT)
RFC 7519
JSON Web Signature (JWS)
RFC 7515
JSON Web Encryption (JWE)
RFC 7516
JSON Web Key (JWK)
RFC 7517
Bearer Token
RFC 6750
67. Why all the complexity again?
Enterprise use cases such as federation
Interoperable tokens that can be signed and encrypted
Proof-of-Possession tokens that can’t be replayed
Embedded user agents with unsecure cross-app
communication channels
Bindings for non-HTTP transports and legacy protocols such as
LDAP or IMAP as well as constrained devices (IoT)
67
69. OAuth 2.0 as Pseudo-Authentication
Client accessing a https://
api.example.com/me resource with
an access token is not
authenticating the user
Access tokens just prove the Client
was authorized, are opaque, and
intended to only be consumed by
the Resource Server
Who is the user (claims)?
When did the user authenticate?
Does the user still have an active or
expired session?
How did the user authenticate?
Just password or password + second
factor
As made famous by Facebook Connect and Twitter
71. OpenID Connect
Extends OAuth 2.0 with new signed id_token for the
Client and UserInfo endpoint to fetch user attributes
Provides a standard set of scopes and claims for
identities
profile
email
address
phone
Built-in registration, discovery & metadata for
dynamic federations
Bring Your Own Identity (BYOI)
Supports high assurance levels and key SAML use
cases (enterprise)
OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)
72. Authorization Request
GET https://accounts.google.com/o/oauth2/auth?
scope=openid email&
redirect_uri=https://app.example.com/oauth2/callback&
response_type=code&
client_id=812741506391&
state=af0ifjsldkj
HTTP/1.1 302 Found
Location: https://app.example.com/oauth2/callback?
code=MsCeLvIaQm6bTrgtp7&
state=af0ifjsldkj
Request
Response
Note: Parameters are not URL-encoded for example purposes
73. Token Request
POST /oauth2/v3/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=MsCeLvIaQm6bTrgtp7&
client_id=812741506391&
client_secret={client_secret}&
redirect_uri=https://app.example.com/oauth2/callback&
grant_type=authorization_code
Note: Parameters are not URL-encoded for example purposes
75. Validate ID
Token
Token Endpoint
Authorization Endpoint
/.well-known/
openid-configuration
JWKS Endpoint
UserInfo Endpoint
OAuth 2.0 Authorization Server &
OpenID Connect Provider (OP)
OAuth 2.0 Resource Server
Client
(Relying Party)
1
3
2
54
1 Discover OpenID Provider Metadata
2
Perform OAuth flow to obtain a ID
token and/or access token
3 Get JSON Web Key Set (JWKS) for
signature keys
4
Validate ID token
(JSON Web Token)
5
Get additional user attributes with
access token from UserInfo
endpoint
OpenID Connect
76. Which grant type is right for you?
Authorization
Code
Implicit Authorization
Code
Client Credentials
OAuth 2.0 Only
77. Implicit Flow (SPA)
Authenticate via User Agent
1
User starts flow by visiting Single
Page App Client with User Agent
2
Client sends authentication request
with openid scope via browser
redirect to Authorize Endpoint on
Authorization Server
3
User authenticates and consents to
Client to access user’s identity
4
ID Token and optionally Access Token for
SPA app is returned to Client via browser
redirect
4
2
3
1
User
SPA
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
5
Client optionally fetches additional claims
with Access Token from UserInfo endpoint
5
78. Authorization Code Flow (Web)
Authenticate via User Agent
1
User starts flow by visiting Web App
Client with User Agent
2
Client sends authentication request
with openid scope via browser
redirect to Authorize Endpoint on
Authorization Server
3
User authenticates and consents to
Client to access user’s identity
4
Authorization Code Grant and optionally
ID Token for Web App is returned to Client
via browser redirect
4
2
3
1
User
Web App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
79. Authorization Code Flow (Web)
Exchange Grant for Tokens
1b
1a
User
Web App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
2
2
Client optionally fetches additional
claims with Access Token from UserInfo
endpoint
Client authenticates & exchanges
Authorization Code Grant with token
endpoint on Authorization Server for an ID
Token, Access Token and optionally
Refresh Token
1
80. Session Best Practices
ID Tokens should be used to create a session for a
traditional web application or single-page application
Use subject claim (sub) as stable identifier for the user
account
Session cookies should be protected with HTTPOnly flag
to prevent JS access
Avoid using ID Tokens as a stateless “session token”
for Single Page Apps
API is not the audience of the token
ID Tokens can be large in size and often contain PII or
other sensitive data
ID Token lifetime is not your app’s session lifetime
81. Authorization Code Flow (Native)
Authenticate via User Agent
1
User starts flow by launching Native
App Client
2
Client launches User Agent and sends
authentication request with openid
scope and PKCE code challenge via
browser redirect to Authorize Endpoint
on Authorization Server
3
User authenticates and consents to
Client to access user’s identity
4
Authorization Code Grant and optionally
ID Token for Web App is returned to Client
via browser redirect and User Agent is
closed
4
2
3
1
User
Native App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
82. Authorization Code Flow (Native)
Exchange Grant for Tokens
1b
1a
User
Native App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
2
2
Client optionally fetches additional
claims with Access Token from UserInfo
endpoint
Client exchanges Authorization Code
Grant and PKCE code verifier with token
endpoint on Authorization Server for an ID
Token, Access Token and optionally
Refresh Token
1
83. Native App Best Practices
Do not use an embedded webviews for authenticating users!
App (or 3rd party library/script) can directly obtain the user’s
credentials which goes against OAuth’s raison d'être
Users can’t reuse their existing session with their IdP (SSO)
increasing friction for sign-in/sign-up
IdPs can’t implement new authentication methods
Do not store client secrets in apps that are distributed via App
Stores!
Use PKCE (RFC 7636) to protect authorization code from
interception
Follow guidelines outlined in OAuth 2.0 for Native Apps Best
Current Practice
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-12
302 Found
Location: app://redirect
87. Sign-In Widget and JS Auth SDK
87
Open-source embeddable widget for end-to-end
sign-in flow with MFA and account recovery
Returns an ID Token for authenticated user
Supports social authentication providers
Built-on common JS Auth SDK
Open source: https://github.com/okta/okta-signin-
widget
88. Sign-In Widget and JS Auth SDK
Wraps Okta authentication and session management APIs in JS callbacks
for custom UX
Implements custom web messaging OAuth 2.0 response mode (okta-post-
message) for single page applications with hidden iframe
Open source: https://github.com/okta/okta-auth-js
authClient.signIn({
username: 'some-username',
password: 'some-password'
})
.then(function(transaction) {
if (transaction.status === 'SUCCESS') {
authClient.session.setCookieAndRedirect(transaction.sessionToken);
}
});
91. Google OAuth Client Library
ScribeJava
Spring Security OAuth
Nimbus OAuth SDK
List of client and server libraries for many languages:
https://oauth.net/code/
OAuth and OIDC Libraries