Slides from SpringOne 2012 (http://www.springone2gx.com/conference/speaker/dave_syer).
One of the questions we get asked the most by developers and architects is: when and why would I use OAuth2? The answer, as often with such questions, is “it depends”, but there are some features of OAuth2 that make it compelling in some situations, especially in systems composed of many lightweight web services, which is becoming a very common architectural pattern.
This presentation will not go into a lot of detail about the OAuth2 protocol and related specifications, but will attempt to show some of the key features of a system secured with OAuth2 and the decision points when choosing to build such a system.
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
UAA, as a core component of Cloud Foundry, is responsible for authenticating and authorizing requests between platform users (e.g. those that push apps) and platform components (e.g. the cloud controller). But when it came to doing auth for the apps you push and the end users of those apps, using the built-in UAA wasn't the best fit, and you could easily end up shooting yourself in the foot. Until now. This talk will guide you through UAA's new multi-tenancy features, and show you how to use the built-in UAA to create arbitrary authorization scenarios for your products without the danger of affecting the security of the core platform. With this level of freedom, you'll have complete and fine-grained control over who is allowed to access your product's components, and how those components are allowed to interact with one another.
Simplifying User Access with NetScaler SDX and CA Single Sign-on - CA Technologies
Ensuring hi-fidelity delivery of applications to a mobile user base is a major challenge. User expectations for performance and ease of use are set by consumer-centric services. However, we must maintain enterprise security and compliance standards. Proper integration of network services and identity management can simplify user experience while ensuring rapid application response time and preserving security. Identity management is fundamental. Not only must it be strong; to ensure usability it must be as transparent as possible. This session will describe how the integration of Citrix NetScaler SDX and CA Single Sign-On together provides for highly performing, highly secure and highly available delivery of mobile applications to a global user base.
For more information on CA Security solutions, please visit: http://bit.ly/10WHYDm
CIS 2012 - Going Mobile with PingFederate and OAuth 2 - scotttomilson
Scott Tomilson discusses integrating mobile applications with PingFederate using OAuth 2. He covers OAuth 2 terminology, common grant types for mobile including authorization code, implicit, and resource owner password credentials. The presentation includes demonstrations of obtaining authorization codes and access tokens on mobile devices. Topics like secure token handling, single sign-on approaches, and challenges of combining native apps with browsers are also covered.
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco... - CA API Management
This presentation illustrates the applicability of API keys, OAuth, SAML, OpenID, and a number of proprietary mechanisms such as HMAC signatures for consuming and exposing Web APIs and RESTful web services.
The document discusses Cloud Foundry, an open innovation platform. It describes Cloud Foundry's characteristics that enable rapid application development and deployment through microservices and continuous delivery. Cloud Foundry supports rapid innovation through features like rapid provisioning, monitoring, deployment automation and a developer-friendly environment. Pivotal contributes to and promotes Cloud Foundry through open source development and community involvement.
Community call: Develop multi tenant apps with the Microsoft identity platform - Microsoft 365 Developer
Building an application that can be provisioned and used in multiple Azure AD tenants goes far beyond just flipping a switch in your app configuration. The developer has to undertake application provisioning, decide on a provisioning strategy, push changes to customers, manage identities flowing from multiple tenants, collect essential information from authentication signals, learn to differentiate the different types of users they will encounter and understand the key differences from the B2B scenarios. In this community call, Kalyan Krishnan reviews the steps and considerations required to develop, configure, provision, and manage multi-tenant applications.
For more information, visit https://aka.ms/identityplatform
Complex architectures for authentication and authorization on AWS - Boyan Dimitrov
In this talk we discuss key architecture patterns for designing authentication and authorization solutions in complex microservices environments. We focus on the key advantages and capabilities of AWS Cognito User Pools and Federated Identities and explore how this service can address the challenges of implementing client to service, service to service and service to infrastructure auth.
In addition, we discuss patterns and best practices around building a highly available and resilient decentralised authorization solution in a microservices environment based on fine-grained permissions and end to end automation.
CEOS WGISS 36 - Frascati, Italy - 2013.09.19
Single Sign On with OAuth and OpenID used for Kalideos project and to be used within the French Land Surface Thematic Center
The Ultimate Guide to Mobile API Security - Stormpath
Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect - CloudIDSummit
John Bradley, Ping Identity
Overview of the different participant roles in OpenID Connect, how JSON Web Tokens (JWT) are used, how OpenID Connect provides both authentication and authorization tokens in a single flow, and how OpenID Connect can support Single Sign-On for Native Applications.
Workshop: Advanced Federation Use-Cases with PingFederate - Craig Wu
The document summarizes an agenda for a workshop on advanced federation use cases with PingFederate. It includes introductions of the presenters, an overview of new features in PingFederate like OAuth and adaptive federation, demos of these features, and how to extend PingFederate through plugins and the software development kit.
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S... - CA Technologies
CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure Web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder Secure Proxy Server). This presentation provides a comprehensive overview of the new features in CA Single Sign On.
For more information on CA Security solutions, please visit: http://bit.ly/10WHYDm
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe... - CloudIDSummit
John DaSilva, Identity Architect, Ping Identity
Brian Campbell, Portfolio Architect, Ping Identity
If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.
Private Apps in the Public Cloud - DevConTLV March 2016 - Issac Goldstand
In the current technical world, SaaS providers have plenty to help them out: from public clouds, to containers. From microservices architectures, to limitless scaling potential. But when you need to deploy multiple single-tenant applications that use these, how do you manage to share resources while keeping sensitive data apart? In this presentation I'll talk about how we did it at ironSource.
Secure Enterprise APIs for Mobile, Cloud & Open Web
APIs present enterprises with many business opportunities but they also create new attack vectors that hackers can potentially exploit. APIs share many of the same threats that plague the Web but APIs are fundamentally different from Web sites and have an entirely unique risk profile that must be addressed.
By adopting a secure API architecture from the beginning, it is possible to address both old and new threats. In this webinar, Scott Morrison – CTO at Layer 7 Technologies – will explain in detail how an enterprise can pursue its API publishing strategy without compromising the security of its on-premise systems and data.
You Will Learn
How APIs increase the attack surface
What key types of risk are introduced by APIs
How enterprises can mitigate each of these risks
Why it is crucial to separate API implementation and security into distinct tiers
Presented By
Scott Morrison, CTO, Layer 7 Technologies
A digital lab provides access to real devices and browsers through an automation interface with a guaranteed level of uptime, or service availability, to support Agile development of web and mobile apps. This article will help you to gather some knowledge about the various digital labs and device farms. Desired Capabilities help to configure the Appium server and provide the criteria which you wish to use for running your automation script. Try to utilize all the desired capabilities of various digital labs in your automation and enjoy the script execution in the cloud.
CIS14: Early Peek at PingFederate Administrative REST API - CloudIDSummit
PingFederate provides REST-based administrative APIs to enable self-service administration, common administration across products, configuration scaling, and configuration management. The APIs support flexible authentication, centralized authorization, validation and error handling comparable to the admin UI. An interactive API documentation and roadmap are shown, including capabilities that can be built now like self-service SSO portals and OAuth client registration.
Microservices - Hitchhiker's guide to cloud native applications - Stijn Van Den Enden
Microservices are a true hype these days. Netflix, Amazon, eBay, … are all using microservices, but why? The idea is simple: split your application into multiple services which can evolve autonomously through time. The name suggests keeping these services small. Conceptually this seems not all that different from a classical Service Oriented Architecture (SOA). Nonetheless, microservices do offer a new perspective. A monolithic application is divided into a couple of small services which can be independently developed, deployed and scaled. Flexibility is increased, but using this model also has some pitfalls. This session sheds a light on the microservices landscape; the key drivers for using the pattern, tooling to support development and maintenance, and the pros and cons that go with it. We’ll also introduce some key design principles that can be used in creating and modelling these modular enterprise applications.
In May's Microsoft identity platform call, Navya Canumalla went into detail on MSAL Java and Python, including an overview, supported scenarios and calling patterns. Quickstart demo, token cache and ADAL to MSAL migration.
View recording https://youtu.be/yCCjNqFva9w
Resources:
MSAL Java https://aka.ms/msaljavadocs
MSAL Python https://aka.ms/msalpythondocs
Stay connected
Twitter https://twitter.com/microsoft365dev
YouTube https://aka.ms/M365DevYouTube
Blogs https://aka.ms/M365DevBlog
This document discusses various topics related to AWS Identity and Access Management (IAM), including:
1. An overview of IAM roles, policies, and the Security Token Service (STS), as well as a discussion on compliance and security.
2. Details about upcoming meetup topics on Virtual Private Cloud (VPC) networking and AWS Organizations.
3. Examples and explanations of IAM policies, roles, resource-based vs user-based policies, policy variables, Amazon Resource Names (ARNs), and other IAM concepts.
4. A demonstration of custom login URLs and switching roles in the AWS Management Console.
This document is the user manual for the iVMS-4200 client software. It describes the software's functions, configuration, and operation steps across 18 chapters. These include live view, remote storage and playback, event management, E-map management, device management, and more. The software provides functions for real-time monitoring, video recording, search and playback, alarm notifications, and other surveillance tasks.
This document provides an overview of RESTful web services. It defines REST as an architectural style for building web services over HTTP. The document discusses key REST concepts like representations, state transfer, and HATEOAS. It also covers benefits of REST like cacheability and use of existing HTTP infrastructure. The document provides examples of designing RESTful URIs and using HTTP methods like GET, POST, PUT, DELETE. It discusses using frameworks like JAX-RS and Spring for developing RESTful services and securing them using approaches like SSL, OAuth, and OpenID.
AWS Identity and Access Management and Consolidated Billing - Amazon Web Services
This document summarizes an AWS webinar about IAM (Identity and Access Management) and consolidated billing. The webinar covered IAM user and group management, access policies, identity federation, and how consolidated billing allows billing for multiple AWS accounts to be combined. Identity federation allows users authenticated by a company's system to be granted temporary AWS credentials. Consolidated billing enables centralized billing management and potential volume discounts by aggregating usage across accounts.
WSO2Con USA 2017: Building a Secure Enterprise - WSO2
This document discusses building a secure enterprise identity and access management system using WSO2 Identity Server. It covers the architecture of WSO2 Identity Server and how it implements standards like SAML, OAuth, OpenID Connect, XACML and SCIM. It describes how single sign-on and access control work across multiple service providers. It also discusses how to manage user identities across different systems using federated provisioning and integrating external user stores.
Standardizing Identity Provisioning with SCIM - HasiniG
The document discusses the Simple Cloud Identity Management (SCIM) specification for provisioning and managing user identities in cloud applications and services. It provides an overview of SCIM, including its use of REST APIs, platform-neutral schemas, and SAML bindings. Examples are given of how SCIM allows for automated provisioning, just-in-time provisioning with single sign-on, bulk user management operations, and de-provisioning of user accounts. The document also notes how SCIM addresses issues with redundant integration efforts and maintenance headaches when provisioning to multiple systems.
Oracle API Gateway integrates, accelerates, governs, and secures Web API and SOA-based systems. It serves REST APIs and SOAP Web Services to clients, converting between REST and SOAP and XML and JSON. It applies security rules like authentication and content filtering. It also provides monitoring of API and service usage, caching, and traffic management.
OAuth 2.0 - The fundamentals, the good, the bad, technical primer and commo... - Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but the level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals, the good, the bad, and common OAuth 2.0 flows.
The document discusses OAuth 2.0 and how it addresses issues with traditional approaches to authorizing third party access to user accounts and resources. It provides an overview of OAuth 2.0 concepts like authorization grants, access tokens, refresh tokens, and the roles of the client, resource owner, authorization server and resource server. It then describes the authorization code grant flow and client credentials flow in more detail through examples. The goal is to explain how OAuth 2.0 works and how it can be used to securely authorize access to resources while avoiding the risks of directly sharing user credentials.
The document discusses OAuth 2.0 libraries for PHP and Ruby. For PHP, it describes thephpleague/oauth2-client library which allows configuring 3 endpoint URLs and implementing the OAuth flow with conditional checks. For Ruby, it mentions omniauth/omniauth libraries like omniauth-twitter which simplify implementation by handling most complexity, with differences only in the 3 URLs. It also describes Doorkeeper for developing OAuth servers in Ruby on Rails, which works with Devise and allows registering client apps and users through predefined functions.
SAML, OAuth 2.0, and OpenID Connect are the three most common authentication protocols. SAML provides authentication and authorization assertions while OAuth 2.0 focuses on authorization. OpenID Connect builds on OAuth 2.0 by adding authentication features and using claims to provide user information. It has a lower implementation barrier than SAML and is well-suited for mobile and API use cases. The document compares the protocols and their applications, security considerations, and history of adoption.
The document discusses various authentication and authorization methods for REST APIs, including API keys, signatures, OAuth 1.0, and OAuth 2.0. It provides details on implementing authentication with an API key, secret key, or signature for identity and authorization. The document contrasts OAuth 1.0 and 2.0, covering their concepts, authentication flows, and differences. It also discusses using OAuth for SSO, refreshing tokens, and consuming secured RSS/ATOM feeds, as well as validating state, data consistency, and enforcing authorization with REST services.
1) The document discusses various methods for securing RESTful APIs, including choosing the right security protocol, understanding authentication vs authorization, and exploring specific protocols like basic authentication, JSON web tokens, OAuth1.0a, and OAuth2.
2) It provides details on each protocol, including how they work, benefits, structures like the JWT header and payload, and code examples for implementation flows.
3) The key takeaways are to never use basic authentication without TLS, favor HMAC algorithms over bearer tokens, and use OAuth1.0a or OAuth2 (preferably MAC) for authentication, as OAuth is an authorization protocol rather than authentication standard.
This document discusses using Doorkeeper and OAuth 2.0 to protect APIs. It provides an overview of OAuth concepts like access tokens, scopes, applications, roles, and grant types. It then covers setting up Doorkeeper, including defining scopes, protecting controllers, handling user groups, password resets, and testing. Real-world uses of OAuth like email logins, first-party apps, third-party apps, native apps, and API documentation are also mentioned.
This document describes the OAuth 1.0 protocol, which provides a method for clients to access server resources on behalf of a resource owner. It defines a redirection-based process for users to authorize third-party access to their resources without sharing credentials. It also defines a method for clients to make authenticated HTTP requests using credentials that identify both the client and the resource owner on whose behalf the request is being made. The protocol introduces the roles of client, server, protected resource, and resource owner to the traditional client-server authentication model.
The document describes the OAuth 1.0 protocol, which provides a method for clients to access server resources on behalf of a resource owner without requiring the resource owner's credentials. It defines a redirection-based process for users to authorize access via their user-agent and browser. The protocol consists of the client obtaining temporary credentials from the server, redirecting the user to authorize access, and exchanging the temporary credentials for token credentials to access protected resources.
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
https://www.hackmiami.com/hmc5-speakers-day-2
OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementi ng OAuth for your product/platform.We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely. When you use OAuth, there are three pieces - The Platform , the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on a OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower risk vulnerabilities can result in gaping holes in your OAuth implementation. You will leave this session with a deep understanding of how OAuth implementation should be secured both for a platform and in an application and things to test for during a security evaluation of OAuth implementations.
Profesia, Lynx Group, presenta la quinta puntata della serie di master class sulla tecnologia WSO2 di cui è Distributore esclusivo per l'Italia.
Il webinar, con la partecipazione straordinaria di WSO2, descrive come implementare nei client l'autorizzazione OAUTH2.
Scrivi a contact@profesia.it se stai pensando a una trasformazione digitale per evolvere verso un business agile
The document discusses RESTful APIs and some of their key concepts and design principles. It defines REST as an architectural style for building web APIs and describes six constraints of REST including a uniform interface, statelessness, cacheability, being client-server, having a layered system, and using hypermedia as the engine of application state. It then provides more details on concepts like resources, endpoints, verbs, versioning, authentication, and filtering.
The document discusses OAuth 2.0 and JSON Web Tokens (JWT). It defines OAuth 2.0 as the industry standard framework for authorization that enables third party applications to obtain limited access to HTTP services. It describes the common roles in OAuth 2.0 including the resource owner, resource server, client, and authorization server. It also explains the different token types used in OAuth like access tokens and refresh tokens. Finally, it provides an overview of JSON Web Tokens, defining them as a way to securely transmit information between parties as a JSON object using digital signatures.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
This document provides an overview of OAuth 2.0 and how it can be used to securely authorize access to APIs from mobile applications. It begins with an introduction to OAuth and discusses how it addresses issues with directly sharing passwords between applications. The document then outlines the basic OAuth flow, including key concepts like access tokens, authorization codes, and refresh tokens. It provides code snippets demonstrating an example OAuth flow for both Android and iOS, showing the HTTP requests and responses at each step.
Chief Architect Francois Lascelles presentation from Gluecon 2012. Are you ready to provide APIs that reach out to mobile applications, APIs that connect your applications to the cloud, APIs that connect your applications with your business partners? Recent trends and standards are creating a new generation of API-focused identity patterns.
Learn how to:
• Apply API access control patterns with existing identity infrastructure
• Support emerging standards such as OAuth, Open ID Connect
• Empower developers to create APIs that reach out to your organisation’s target audience
This document provides an overview of OAuth 2.0 including key terms, grant types, and workflows. It describes OAuth as an authorization framework that allows clients to access protected resources from an API without sharing the user's credentials. The document explains the roles of clients, resource owners, resource servers, and authorization servers. It also summarizes the authorization code grant flow, refresh tokens, and different OAuth grant types.
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in ?
4. How to do stateless Authorization using OAUTH2 & JWT ?
5. Some Sample Code ? How easy is it to implement ?
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication.
Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
UserCentric Identity based Service Invocationguestd5dde6
The document discusses user-centric identity and service invocation. It describes existing protocols like OpenID, SAML, and proprietary protocols from companies. It then introduces OAuth as an open standard for service invocation that is authentication method agnostic, easy for users and developers to implement, and provides security and privacy. OAuth defines a process for requesting user authorization for third-party access to protected services and resources in a standardized way.
This document provides an overview of OAuth 2 including:
- Problems with OAuth 1.0 included apps storing user passwords, lack of access revocation, and compromised apps exposing passwords.
- Key definitions in OAuth 2 including resource owner, resource server, authorization server, and client.
- The basic OAuth 2 authorization code flow involving 6 steps including redirection of the user to the authorization server and issuance of an access token.
- Improvements OAuth 2 makes over 1.0 such as removing the need to sign every request, accommodating native apps, and clearer separation of roles.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
When and Why Would I Use OAuth2?
1. OAuth2 and REST
Securing REST-ful Web Services with OAuth2
Dave Syer, 2012
Twitter: @david_syer
Email: dsyer@vmware.com
Agenda
Why would I use OAuth2?
If I was going to use Spring how would that look?
What's the easiest way to get something working?
Blog: http://blog.cloudfoundry.org/2012/10/09/oauth-rest/
Introduction
There is a strong trend towards distributed systems with lightweight architectures
So what are people doing about security in such systems?
What is a Lightweight Service?
HTTP transport.
Text-based message content, usually JSON.
Small, compact messages, and quick responses.
REST-ful, or at least inspired by REST
Some degree of statelessness
Interoperability.
What Are the Security Requirements?
Identity and permissions:
how is identity and permission information conveyed to a service?
how is it decoded and interpreted?
what data are needed to make the access decision (user accounts, roles, ACLs etc.)?
how is the data managed: who is responsible for storing and retrieving it?
HTTP Basic Authentication
something of a lowest common denominator
supported on practically all servers natively and out of the box
ubiquitous support on the client side in all languages
Example:
1 of 10 17/10/12 05:40
$ curl "https://$username:$password@myhost/resource"
So what's wrong with that?
Nothing, but...
Where do you get the credentials (the username and password)?
Fine for systems where all participants can share secrets securely
In practice that means small systems
Only supports username/password
Only covers authentication
User or Client Permissions
Finer-grained information about the authenticated party
Role-based access: very common, sometimes available in server/container
Need to categorize user accounts, e.g. USER and ADMIN
Often business requirements are more complex
Identity Management: Three Corners
Identity Management: Four Corners
Centralized Identity Management
Centralized: scales better than peers sharing secrets
Peer-to-peer: N(N-1)/2 pairs
Centralized: N pairs
For user accounts the scalability benefit is even bigger
OAuth2
Centralizing accounts and secrets is great, but what about permissions?
OAuth 2.0 adds an extra dimension - more information for the access decision
Standards always help in security
Lightweight - easy to curl
Requires HTTPS for secure operation, but you can test with HTTP
Quick Introduction to OAuth2
A Client application, often a web application, acts on behalf of a User, but only with the User's approval
Authorization Server
Resource Server
Client application
Common examples of Authorization Servers on the internet:
Facebook - Graph API
Google - Google APIs
Cloud Foundry - Cloud Controller
Typical Web Application Client
OAuth2 and the Lightweight Service
Example command line Client:
$ curl -H "Authorization: Bearer $TOKEN" https://myhost/resource
https://myhost is a Resource Server
TOKEN is a Bearer Token
it came from an Authorization Server
Role of Client Application
Register with Authorization Server (get a client_id and maybe a client_secret)
Do not collect user credentials
Obtain a token (opaque) from Authorization Server
On its own behalf - client_credentials
On behalf of a user
Use it to access Resource Server
Obtaining a Client Credentials Token
A client can act in its own right (not on behalf of a user):
$ curl "https://myclient:mysecret@uaa.cloudfoundry.com/oauth/token" \
    -d grant_type=client_credentials -d client_id=myclient
Result:
{
  "access_token": "FUYGKRWFG.jhdfgair7fylzshjg.o98q47tgh.fljgh",
  "expires_in": 43200,
  "client_id": "myclient",
  "scope": "uaa.admin"
}
OAuth2 Key Features
Extremely simple for clients
Access tokens carry information (beyond identity)
Resource Servers are free to interpret tokens
Example token contents:
Client id
Resource id (audience)
User id
Role assignments
UAA Bearer Tokens
OAuth 2.0 tokens are opaque to clients
But they carry important information to Resource Servers
Example of implementation (from Cloud Foundry UAA, JWT = signed, base64-encoded, JSON):
{ "client_id":"vmc",
"exp":1346325625,
"scope":["cloud_controller.read","openid","password.write"],
"aud":["openid","cloud_controller","password"],
"user_name":"vcap_tester@vmware.com",
"user_id":"52147673-9d60-4674-a6d9-225b94d7a64e",
"email":"vcap_tester@vmware.com",
"jti":"f724ae9a-7c6f-41f2-9c4a-526cea84e614" }
Web Application Client Again
The Client wants to access a Resource on behalf of the User
Obtaining a User Token
A client can act on behalf of a user (e.g. authorization_code grant):
Authorization Code Grant Summary
1. Authorization Server authenticates the User
2. Client starts the authorization flow and obtains the User's approval
3. Authorization Server issues an authorization code (opaque one-time token)
4. Client exchanges the authorization code for an access token.
Role of Resource Server
1. Extract token from request and decode it
2. Make access control decision
Scope
Audience
User account information (id, roles etc.)
Client information (id, roles etc.)
3. Send 403 (FORBIDDEN) if token not sufficient
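The three Resource Server steps above, worked through on the UAA token shown earlier. This is an added example, not UAA or Spring Security OAuth code: it assumes the token is a JWT signed with HMAC-SHA256 under a shared key (SIGNING_KEY is a constructed value), that this Resource Server's audience is cloud_controller, and it supplies its own mint_token so the check can run offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-shared-secret"  # constructed value, not a real UAA key
RESOURCE_ID = "cloud_controller"            # audience this Resource Server answers for


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact JWT (header.payload.signature), HS256 over the shared key.
    Stands in for the Authorization Server so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def decode_token(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> dict:
    """Step 1: decode the token and check signature and expiry.
    Raises ValueError on any defect; the caller turns that into a 401."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick its own algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def extract_bearer(headers: dict) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>'; None if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize_request(headers: dict, required_scope: str, now: Optional[float] = None) -> int:
    """Steps 1-3 as an HTTP status: 401 no usable token, 403 token insufficient, 200 allowed."""
    token = extract_bearer(headers)
    if token is None:
        return 401
    try:
        claims = decode_token(token, now=now)
    except ValueError:
        return 401
    # Step 2: access decision on audience first, then scope.
    if RESOURCE_ID not in claims.get("aud", []):
        return 403  # token was issued for some other Resource Server
    if required_scope not in claims.get("scope", []):
        return 403  # Step 3: valid token, but not sufficient for this operation
    return 200


# Claims copied from the UAA token shown above; exp is in 2012, so callers pass `now`.
UAA_CLAIMS = {
    "client_id": "vmc",
    "exp": 1346325625,
    "scope": ["cloud_controller.read", "openid", "password.write"],
    "aud": ["openid", "cloud_controller", "password"],
    "user_name": "vcap_tester@vmware.com",
    "user_id": "52147673-9d60-4674-a6d9-225b94d7a64e",
    "email": "vcap_tester@vmware.com",
    "jti": "f724ae9a-7c6f-41f2-9c4a-526cea84e614",
}

if __name__ == "__main__":
    bearer = {"Authorization": "Bearer " + mint_token(UAA_CLAIMS)}
    print(authorize_request(bearer, "cloud_controller.read", now=1346325000))   # 200
    print(authorize_request(bearer, "cloud_controller.write", now=1346325000))  # 403
```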
Role of the Authorization Server
1. Grant tokens
2. Interface for users to confirm that they authorize the Client to act on their behalf
3. Authenticate users (/authorize)
4. Authenticate clients (/token)
#1 and #4 are covered thoroughly by the spec; #2 and #3 not (for good reasons).
Client Registration and Scopes
For secure channels a client has to authenticate itself to obtain a token, so it has to be known to the Authorization Server. Registration provides at a minimum:
authentication (shared secret)
registered redirect URI (optional but essential to prevent attacks)
allowed scopes (clients are not permitted access to all resources)
Also useful:
a way to identify which resources can be accessed
ownership information (which user registered the client)
More on Scopes
Per the spec they are arbitrary strings. The Authorization Server and the Resource Servers agree on the content
and meanings.
Examples:
Google: https://www.googleapis.com/auth/userinfo.profile
Facebook: email, read_stream, write_stream
UAA: cloud_controller.read, cloud_controller.write, scim.read, openid
Authorization Server has to decide whether to grant a token to a given client and user based on the requested
scope (if any).
UAA Scopes
UAA scopes are actually Groups in the User accounts
GET /Groups, GET /Users/{id}
{
  "id": "73ba999e-fc34-49eb-ac26-dc8be52c1d82",
  "meta": {...},
  "userName": "marissa",
  "groups": [
    ...
    {
      "value": "23a71835-c7ce-43ac-b511-c84d3ae8e788",
      "display": "uaa.user",
      "membershipType": "DIRECT"
    }
  ]
}
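The Authorization Server's side of the two preceding sections, as an added example (not UAA code): a registration record with the minimum fields listed above plus the UAA choice of separate scope lists for client tokens and user tokens, and a user store in which a user's scopes are the display names of her groups. Client ids and the redirect URI echo the deck's examples; the secret, scope lists and group memberships are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClientRegistration:
    """One registration record, following the minimum list above."""
    client_id: str
    secret: Optional[str]        # None for a client that only uses the implicit grant
    redirect_uri: Optional[str]  # registered once; compared exactly on redirect flows
    client_scopes: List[str]     # allowed on its own behalf (client_credentials)
    user_scopes: List[str]       # allowed when acting on behalf of a user


class GrantError(Exception):
    """Carries the OAuth2 error code the Authorization Server would return."""


# Constructed registrations; ids echo the deck's examples, secrets and lists are made up.
CLIENTS: Dict[str, ClientRegistration] = {
    "myclient": ClientRegistration("myclient", "mysecret", None, ["uaa.admin"], []),
    "vmc": ClientRegistration(
        "vmc", None, "https://uaa.cloudfoundry.com/redirect/vmc", [],
        ["cloud_controller.read", "cloud_controller.write", "openid", "password.write"],
    ),
}

# Constructed user store: a user's scopes are the display names of her groups,
# mirroring the /Users document above.
USER_GROUPS: Dict[str, List[str]] = {
    "marissa": ["uaa.user", "cloud_controller.read", "openid"],
}


def client_credentials_grant(client_id: str, secret: str, requested: Optional[List[str]] = None) -> List[str]:
    """Scopes to put in a token the client obtains in its own right."""
    client = CLIENTS.get(client_id)
    if client is None or client.secret is None or not hmac.compare_digest(client.secret, secret):
        raise GrantError("invalid_client")  # unknown, secret-less, or wrong secret: same answer
    wanted = requested if requested else client.client_scopes
    granted = [s for s in wanted if s in client.client_scopes]
    if not granted:
        raise GrantError("invalid_scope")
    return granted


def user_grant(client_id: str, redirect_uri: str, user_name: str, requested: Optional[List[str]] = None) -> List[str]:
    """Scopes for a token issued on behalf of user_name, e.g. after /authorize.
    A scope must be allowed for the client AND held by the user (UAA: scopes are groups)."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise GrantError("invalid_client")
    if client.redirect_uri is None or redirect_uri != client.redirect_uri:
        raise GrantError("invalid_request")  # exact match only; no prefix or wildcard matching
    groups = USER_GROUPS.get(user_name)
    if groups is None:
        raise GrantError("access_denied")
    wanted = requested if requested else client.user_scopes
    granted = [s for s in wanted if s in client.user_scopes and s in groups]
    if not granted:
        raise GrantError("invalid_scope")
    return granted


if __name__ == "__main__":
    print(client_credentials_grant("myclient", "mysecret"))  # ['uaa.admin']
    print(user_grant("vmc", "https://uaa.cloudfoundry.com/redirect/vmc", "marissa",
                     ["cloud_controller.read", "cloud_controller.write", "openid"]))
    # ['cloud_controller.read', 'openid']: write is allowed for vmc but marissa is not in that group
```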
Special Mention for Vmc
The UAA authenticates requests from vmc in a special way:
$ curl https://uaa.cloudfoundry.com/oauth/authorize \
    -d response_type=token -d client_id=vmc \
    -d redirect_uri=https://uaa.cloudfoundry.com/redirect/vmc \
    -d source=credentials \
    -d username=$username -d password=$password
Result:
302 FOUND
...
Location: https://uaa.cloudfoundry.com/redirect/vmc#access_token=FUYGKRWFG.jhdfgair7fylzshjg.o98q47tgh.fljgh...
Authentication and the Authorization Server
Authentication (checking user credentials) is orthogonal to authorization (granting tokens)
They don't have to be handled in the same component of a large system
Authentication is often deferred to existing systems (SSO)
Authorization Server has to be able to authenticate requests to the OAuth endpoints (/authorize and /token)
It does not have to collect credentials (except for grant_type=password)
Cloud Foundry UAA Authorization Server
Cloud Foundry Login Server
Role of Login Server
Authenticate users and collect user approvals for OAuth2 scopes
Send authenticated user info in trusted channel to UAA
Maintain SSO state (e.g. session cookie)
Branded UI
OAuth2 endpoints - delegate (pass through) to UAA
Cloud Foundry UAA as a General Purpose Solution
User Account and Authentication Service is part of Cloud Foundry
open source and fairly generic
sample apps (including login server)
wrapper for Spring Security OAuth
runs in a servlet container (e.g. tomcat)
easy for Spring developers to install and customize
look for UAA blogs at http://blog.cloudfoundry.org (and .com)
UAA OAuth Implementation
UAA makes some explicit choices where the spec allows it, and also adds some useful features:
Client registration validation, e.g. a client using the implicit grant has no secret
Client has separate allowed scopes for user tokens and client tokens (if allowed).
User account management: groups = scopes, period-separated
JWT tokens, signed but not encrypted, include the audience (a.k.a. resource_id)
/userinfo endpoint for remote authentication (SSO)
Auto-approve for client apps that are part of platform
Special authentication channels for /authorize:
source=credentials - used by vmc
source=login - used by Login Server
(Login Server) autologin via code=...
UAA Resources (Endpoints)
Brief list of all the UAA endpoints (with valid scopes if it is an OAuth2 resource):
OAuth2 Authorization Server: /oauth/authorize and /oauth/token
User info endpoint (for SSO): /userinfo, scope openid
Token decoding endpoint: /check_token
Login info endpoint (open to anyone): /login
SCIM user account management: /Users, scopes [scim.read, scim.write].
Password changes: /Users/{id}/password, scope password.write
UAA Resources (continued)
Token management, e.g. cancelling an approval: /oauth/users/{id}/tokens and /oauth/clients/{id}/tokens, scopes
[tokens.read, tokens.write]
Client registration: /oauth/clients, scopes [clients.read, clients.write, clients.secret]
Password strength meter: /password
Management endpoints, used by the Cloud Foundry platform internally: /health and /varz
Alternatives to OAuth2
OAuth 1.0a
SAML
Custom solution, e.g. HMAC signed requests
Extensions to OAuth2
In Conclusion
Lightweight services demand lightweight infrastructure
Security is important, but should be unobtrusive
OAuth 2.0 is a standard, and has a lot of useful features
Spring Security OAuth aims to be a complete solution at the framework level
Cloud Foundry UAA adds some implementation details and makes some concrete choices
Links
http://github.com/springsource/spring-security-oauth
http://github.com/cloudfoundry/uaa
http://blog.cloudfoundry.org
http://blog.cloudfoundry.com
http://blog.springsource.org