Authentication with OAuth 2.0
|
|
- Millicent Caldwell
- 6 years ago
- Views:
Transcription
1 Authentication with OAuth 2.0 The OAuth 2.0 specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth is used in a wide variety of applications, including providing mechanisms for user authentication. This has lead many developers to incorrectly conclude that OAuth is itself an authentication protocol and to mistakenly use it as such. Let's say that again, to be clear: OAuth 2.0 is not an authentication protocol. Much of the confusion comes from the fact that OAuth is used inside of authentication protocols, and developers will see the OAuth components and interact with the OAuth flow and assume that by simply using OAuth, they can accomplish user authentication. What is authentication? Authentication tells an application who the current user is and whether or not they're present. A full authentication protocol will probably also tell you a number of attributes about this user, such as a unique identifier, an address, and what to call them when the application says "Good Morning". Authentication is all about the user and their presence with the application, and an internet-scale authentication protocol needs to be able to do this across network and security boundaries. However, OAuth tells the application none of that. OAuth says absolutely nothing about the user, nor does it say how the user proved their presence or even if they're still there. As far as an OAuth client is concerned, it asked for a token, got a token, and eventually used that token to access some API. It doesn't know anything about who authorized the application or if there was even a user there at all. In fact, much of the point of OAuth is about giving this delegated access for use in situations where the user is not present on the connection between the client and the resource being accessed. This is great for client authorization, but it's really bad for authentication where the whole point is figuring out if the user is there or not (and who they are). As it turns out, though, there are a handful of things that can be used along with OAuth to create an authentication and identity protocol on top of this delegation and authorization protocol. In nearly all of these cases, the core functionality of OAuth remains and what's happening is that the user is delegating access to their identity to the application. The client application then becomes a consumer of the identity API, thereby finding out who authenticated the client in the first place. One major benefit of this approach is that the user can delegate access to other protected APIs along side their identity at the same time, making it much simpler for both application developers and end users to manage. With one call, an application can find out if a user is logged in, what the app should call the user, download photos for printing, and post updates to their message stream. This simplicity is very compelling, but by doing both at the same time, many developers conflate the two functions. Authentication vs. Authorization: a metaphor To help clear things up, it may be helpful to think of the problem in terms of a metaphor: chocolate vs. fudge. From the start, the nature of these two things is quite different: chocolate is an ingredient, fudge is a confection. Chocolate can be used to make many different things, and it can even be used on its own. Fudge can be made out of many different things, and one of those things might be chocolate, but it takes more than one
2 ingredient to make fudge happen and it might not even involve chocolate. As such, it's incorrect to say that chocolate equals fudge, or even to say thatchocolate equals chocolate fudge. OAuth, in this metaphor, is chocolate. It's a versatile ingredient that is fundamental to a number of different things and can even be used on its own to great effect. Authentication is more like fudge. There are at least a few ingredients that must brought together in the right way to make it work, and OAuth can be one of these ingredients (perhaps the main ingredient) but it doesn't have to be involved at all. You need a recipe that says what to combine and how to combine them, and there are a large number of different recipes that say how that can be accomplished. And in fact, there are a number of well-known recipes out there for doing this with specific providers, like Facebook Connect, Sign In With Twitter, and OpenID Connect (which powers Google's sign-in system, among others). These recipes each add a number of items, such as a common profile API, to OAuth to create an authorization protocol. Common pitfalls for authentication using OAuth Even though it's very possible to use OAuth to build an authentication protocol, there are a number of things that tend to trip up those who who do so, either on the side of the identity provider or on the side of the identity consumer. Access tokens as proof of authentication Since the access token can be traded for a set of user attributes, it is tempting to think that posession of a valid access token is enough to prove that a user is authenticated. This assumption turns out to be true in some cases, where the token was freshly minted in the context of a user being authenticated at the authorization server. However, that's not the only way to get an access token in OAuth. Refresh tokens and assertions can be used to get access tokens without the user being present, and in some cases access grants can occur without the user having to authenticate at all. Furthermore, the access token will generally be usable long after the user is no longer present. This means that if a client wants to make sure that an authentication is still valid, it's not sufficient to simply trade the token for the user's attributes again because the OAuth protected resource, the identity API, has no way of re-authenticating the user. This problem stems from the fact that the client is not the audience of the OAuth access token. Instead, it is the authorized presenter of that token, and the audience is in fact the protected resource. The protected resource is not generally going to be in a position to tell if the user is still present by the token alone, since by the very nature and design of the OAuth protocol the user will not be available on the connection between the client and protected resource. To counter this, there needs to be an artifact that is directed at the client itself. This could be done by dual-purposing the access token, defining a format that the client could parse and understand. However, since general OAuth does not define a specific format or structure for the access token itself, protocols like OpenID Connect and Facebook Connect provide a secondary token along side the access token that communicates the authentication information directly to the client. This allows the primary access token to remain opaque to the client, just like in regular OAuth. Lack of audience restriction Another problem with trading the access token for a set of attributes to get the current user is that most OAuth APIs do not provide any mechanism of audience restriction for the
3 returned information. In other words, it is very possible to take a naive client, hand it the (valid) token from another client, and have the naive client treat this as a "log in" even. After all, the token is valid and it will return valid user information. The problem is of course that the user hasn't done anything to prove that they're present, and in this case they haven't even authorized the naive client. This problem can be mitigated by communicating the authentication information to a client along with an identifier that the client can recognize and validate, allowing the client to differentiate between an authentication for itself versus an authentication for another application. It is also mitigated by passing the set of authentication information directly to the client during the OAuth process instead of through a secondary mechanism such as an OAuth protected API, preventing a client from having an unknown and untrusted set of information injected later in the process. Injection of invalid user information If an attacker is able to intercept or coopt one of the calls from the client, it could alter the content of the returned user information without the client being able to know anything was amiss. This would allow an attacker to impersonate a user at a naive client by simply swapping out a user identifier in the right call sequence. This can be mitigated by getting the authentication information directly from the identity provider during the authentication protocol process (such as along side the OAuth token) and by protecting the authentication information with a verifiable signature. Different protocols for every potential identity provider One of the biggest problems with OAuth-based identity APIs is that even when using a fully standards-compliant OAuth mechanism, different providers will inevitably implement the details of the actual identity API differently. For example, a user's identifier might be found in a user_id field in one provider but in the subject field in another provider. Even though these are semantically equivalent, they would require two separate code paths to process. In other words, while the authorization may happen the same way at each provider, the conveyance of the authentication information could be different. This problem can be mitigated by providers using a standard authentication protocol built on top of OAuth so that no matter where the identity information is coming from, it is transmitted in the same way. A standard for authentication using OAuth: OpenID Connect OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication. In essence, it is a widely published recipe for chocolate fudge that has been tried and tested by a wide number and variety of experts. Instead of building a different protocol to each potential identity provider, an application can speak one protocol to as many providers as they want to work with. Since it's an open standard, OpenID Connect can be implemented by anyone without restriction or intellectual property concerns. OpenID Connect is built directly on OAuth 2.0 and in most cases is deployed right along with (or on top of) an OAuth infrastructure. OpenID Connect also uses the JSON Object Signing And Encryption (JOSE) suite of specifications for carrying signed and encrypted information around in different places. In fact, an OAuth 2.0 deployment with JOSE capabilities is already a long way to defining a fully compliant OpenID Connect system, and the delta between the two is relatively small. But that delta makes a big difference, and
4 OpenID Connect manages to avoid many of the pitfalls discussed above by adding several key components to the OAuth base: ID Tokens The OpenID Connect ID Token is a signed JSON Web Token (JWT) that is given to the client application along side the regular OAuth access token. The ID Token contains a set of claims about the authentication session, including an identifier for the user (sub), the identifier for the identity provider who issued the token (iss), and the identifier of the client for which this token was created (aud). Additionally, the ID Token contains information about the token's valid (and usually short) lifetime as well as any information about the authentication context to be conveyed to the client, such as how long ago the user was presented with a primary authentication mecehanism. Since the format of the ID Token is known by the client, it is able to parse the content of the token directly and obtain this information without relying on an external service to do so. Furthermore, it is issued in addition to (and not in lieu of) an access token, allowing the access token to remain opaque to the client as it is defined in regular OAuth. Finally, the token itself is signed by the identity provider's public key, adding an additional layer of protection to the claims inside of it in addition to the TLS transport protection that was used to get the token in the first place, preventing a class of impersonation attacks. By applying a few simple checks to this ID token, a client can protect itself from a large number of common attacks. UserInfo Endpoint In addition to the claims in the ID Token, OpenID Connect defines a standard protected resource that contains claims about the current user. The claims here are not part of the authentication process, as discussed above, but instead provide bundled identity attributes that make the authentication protocol more valuable to application developers. After all, it's preferable to say "Good Morning, Jane Doe" instead of "Good Morning, 9XE3- JI A". OpenID Connect defines set of standardized OAuth scopes that map to subsets of these attributes, allowing plain OAuth authorization request to carry the necessary information for a request. In particular, the OpenID Connect defines a special openid scope that switches on the issuance of the ID token as well as access to the UserInfo Endpoint by the access token. The OpenID Connect scopes can be used along side more plain OAuth scopes without issue. Dynamic server discovery and client registration OAuth 2.0 was written to allow a variety of different deployments, but by design does not specify how these deployments come to be set up or how the components know about each other. This is OK in the regular OAuth world where one authorizatoin server protects a specific API, and the two are closely coupled. With OpenID Connect, a common protected API is deployed across a wide variety of clients and providers, all of which need to know about each other to operate. It would not be scalable for each client to have to know ahead of time about each provider, and it would be even more unscalable to require each provider to know about each potential client. To counteract this, OpenID Connect defines a discovery protocol that allows clients to easily fetch information on how to interact with a specific identity provider. On the other side of the transaction, OpenID Connect defines a client registration protocol that allows clients to be introduced to new identity providers. By using these two mechanisms and a common
5 identity API, OpenID Connect can function at internet scale, where no parties have to know about each other ahead of time. Advanced capabilities OpenID Connect also defines a number of advanced capabilities beyond standard OAuth that are suitable for higher security profiles and deployments, including (among others): Public key client authentication Selecting and retrieving specific claims and values from the identity provider Signing and encrypting OAuth requests Session management over time Further Reading In the article OAuth 2.0 and Sign-in, Vittorio Bertocci provides detail on the security boundaries between parties and why the authorization layer makes sense as the lower layer to build on top of. Justin Richer presented a detailed overview of the technologies talked about here in Auth* In the Extended Enterprise at MIT.
Technical Overview. Version March 2018 Author: Vittorio Bertola
Technical Overview Version 1.2.3 26 March 2018 Author: Vittorio Bertola vittorio.bertola@open-xchange.com This document is copyrighted by its authors and is released under a CC-BY-ND-3.0 license, which
More informationConnect. explained. Vladimir Dzhuvinov. :
Connect explained Vladimir Dzhuvinov Email: vladimir@dzhuvinov.com : Twitter: @dzhivinov Married for 15 years to Java C Python JavaScript JavaScript on a bad day So what is OpenID Connect? OpenID Connect
More informationopenid connect all the things
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017-2017-07-01 Problem - More Client Devices per-human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs aren
More informationUMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group
UMA and Dynamic Client Registration Thomas Hardjono on behalf of the UMA Work Group 1 UMA is... A web protocol that lets you control authorization of data sharing and service access made on your behalf
More informationGDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0
GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0 Eve Maler VP Innovation & Emerging Technology, ForgeRock @xmlgrrl eve.maler@forgerock.com Chair and founder, Kantara UMA Work Group @UMAWG tinyurl.com/umawg
More informationCheck to enable generation of refresh tokens when refreshing access tokens
VERSION User: amadmin Server: sp.example.com LOG OUT OAuth2 Provider Save Reset Back to Services Realm Attributes Indicates required field Authorization Code Lifetime Refresh (seconds) If this field is
More informationBest Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,
Best Practices: Authentication & Authorization Infrastructure Massimo Benini HPCAC - April, 03 2019 Agenda - Common Vocabulary - Keycloak Overview - OAUTH2 and OIDC - Microservices Auth/Authz techniques
More informationSecuring APIs and Microservices with OAuth and OpenID Connect
Securing APIs and Microservices with OAuth and OpenID Connect By Travis Spencer, CEO @travisspencer, @curityio Organizers and founders ü All API Conferences ü API Community ü Active blogosphere 2018 Platform
More informationOpenID Connect Update
OpenID Connect Update May 14, 2013 Dr. Michael B. Jones Identity Standards Architect Microsoft Working Together OpenID Connect Working Group Members Key working group participants: Nat Sakimura Nomura
More informationOAuth and OpenID Connect (IN PLAIN ENGLISH)
OAuth and OpenID Connect (IN PLAIN ENGLISH) NATE BARBETTINI @NBARBETTINI @OKTADEV A lot of confusion around OAuth. Terminology and jargon Incorrect advice Identity use cases (circa 2007) Simple login forms
More informationWarm Up to Identity Protocol Soup
Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital
More informationReal-world security analyses of OAuth 2.0 and OpenID Connect
Real-world security analyses of OAuth 2.0 and OpenID Connect Wanpeng Li and Chris J Mitchell 1 Agenda Single sign-on and identity management OAuth 2.0 Two case studies Security analyses OpenID Connect
More informationfredag 7 september 12 OpenID Connect
OpenID Connect OpenID Connect Necessity for communication - information about the other part Trust management not solved! (1) OP discovery The user provides an identifier (for instance an email address)
More informationAuthentication in the Cloud. Stefan Seelmann
Authentication in the Cloud Stefan Seelmann Agenda Use Cases View Points Existing Solutions Upcoming Solutions Use Cases End user needs login to a site or service End user wants to share access to resources
More informationTutorial: Building the Services Ecosystem
Tutorial: Building the Services Ecosystem GlobusWorld 2018 Steve Tuecke tuecke@globus.org What is a services ecosystem? Anybody can build services with secure REST APIs App Globus Transfer Your Service
More informationThe OAuth 2.0 Authorization Protocol
The OAuth 2.0 Authorization Protocol Abstract The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by
More informationAuthentication in Cloud Application: Claims-Based Identity Model
Authentication in Cloud Application: Claims-Based Identity Model Upen H Nathwani 1*, Irvin Dua 1, Ved Vyas Diwedi 2 Abstracts: Basically cloud service provider (CSP) give facility to access Software as
More informationClient Certificates Are Going Away
Client Certificates Are Going Away What now? Garrett Wollman, TIG May 2, 2016 1 Overview of this talk 1. Review of the current situation and how we got here 2. Our response to the deprecation of client
More informationThe SciTokens Authorization Model: JSON Web Tokens & OAuth
The SciTokens Authorization Model: JSON Web Tokens & OAuth Jim Basney Brian Bockelman This material is based upon work supported by the National Science
More informationOPENID CONNECT 101 WHITE PAPER
OPENID CONNECT 101 TABLE OF CONTENTS 03 04 EXECUTIVE OVERVIEW WHAT IS OPENID CONNECT? Connect Terminology Relationship to OAuth 08 Relationship to SAML CONNECT IN MORE DETAIL Trust Model Discovery Dynamic
More informationThe OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30
OAuth Working Group D. Hardt, Ed. Internet-Draft Microsoft Obsoletes: 5849 (if approved) D. Recordon Intended status: Standards Track Facebook Expires: January 16, 2013 July 15, 2012 The OAuth 2.0 Authorization
More informationIdentity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014
Identity management Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014 Outline 1. Single sign-on 2. SAML and Shibboleth 3. OpenId 4. OAuth 5. (Corporate IAM) 6. Strong identity 2
More informationIntroduction to SciTokens
Introduction to SciTokens Brian Bockelman, On Behalf of the SciTokens Team https://scitokens.org This material is based upon work supported by the National Science Foundation under Grant No. 1738962. Any
More informationSingle Sign-On Best Practices
AUGUST 2018 WHITE PAPER Single Sign-On Best Practices Protecting Access in the Cloud Table of Contents Executive Summary... 3 Objectives... 3 Security Challenges... 4 Standards... 5 Conclusion... 6 Additional
More informationDeploying OAuth with Cisco Collaboration Solution Release 12.0
White Paper Deploying OAuth with Cisco Collaboration Solution Release 12.0 Authors: Bryan Morris, Kevin Roarty (Collaboration Technical Marketing) Last Updated: December 2017 This document describes the
More informationPrivacy and Security in Online Social Networks Department of Computer Science and Engineering Indian Institute of Technology, Madras
Privacy and Security in Online Social Networks Department of Computer Science and Engineering Indian Institute of Technology, Madras Lecture 08 Tutorial 2, Part 2, Facebook API (Refer Slide Time: 00:12)
More informationAPI Gateway. Version 7.5.1
O A U T H U S E R G U I D E API Gateway Version 7.5.1 15 September 2017 Copyright 2017 Axway All rights reserved. This documentation describes the following Axway software: Axway API Gateway 7.5.1 No part
More informationCSE 123A Computer Netwrking
CSE 123A Computer Netwrking Winter 2005 Mobile Networking Alex Snoeren presenting in lieu of Stefan Savage Today s s issues What are implications of hosts that move? Remember routing? It doesn t work anymore
More information1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague
1000 Ways to Die in Mobile OAuth Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague What is this work about? In 2014, Studied OAuth usage in 200 Android/iOS OAuth applications.
More informationDecentralized Action Integrity for Trigger-Action IoT Platforms. Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, Atul Prakash
Decentralized Action Integrity for Trigger-Action IoT Platforms Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, Atul Prakash Creates an account Creates an account Creates an account Connects LG account
More informationPartner Center: Secure application model
Partner Center: Secure application model The information provided in this document is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including
More information5 OAuth EssEntiAls for APi AccEss control layer7.com
5 OAuth Essentials for API Access Control layer7.com 5 OAuth Essentials for API Access Control P.2 Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the
More informationMITOCW watch?v=kz7jjltq9r4
MITOCW watch?v=kz7jjltq9r4 PROFESSOR: We're going to look at the most fundamental of all mathematical data types, namely sets, and let's begin with the definitions. So informally, a set is a collection
More informationSecurity. SWE 432, Fall 2017 Design and Implementation of Software for the Web
Security SWE 432, Fall 2017 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Authorization oauth 2 Security Why is it important? Users data is
More information5 OAuth Essentials for API Access Control
5 OAuth Essentials for API Access Control Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the user in control of delegating access to an API. This allows
More informationInfrastructure for Secure Sharing Between Picture Archiving and Communication System and Image enabled Electronic Health Records
Infrastructure for Secure Sharing Between Picture Archiving and Communication System and Image enabled Electronic Health Records Krupa Anna Kuriakose MASc Candidate Dept. Electrical, Computer and Software
More informationAUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER
E-Guide AUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER SearchSecurity E ffective IT security today demands that users be both authenticated and authorized. But even those
More informationJustin Richer Antonio Sanso
Justin Richer Antonio Sanso FOREWORD BY Ian Glazer MANNING OAuth 2 in Action by Justin Richer and Antonio Sanso Chapter 1 Copyright 2017 Manning Publications brief contents Part 1 First steps...1 1 What
More informationStateless Microservice Security via JWT, TomEE and MicroProfile
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe Why am I here today? Microservices architecture case Security opeons OAuth2 with JWT HTTP Signatures Demo with
More informationfirewalls and vpns 5A15E503E76294A6E25A62A93FCE442E Firewalls And Vpns 1 / 6
Firewalls And Vpns 1 / 6 2 / 6 3 / 6 Firewalls And Vpns About the Site. General information about Linux Home Networking.. Linux Home Networking PDF Chapters. Covers topics needed for Linux software certification
More informationOAuth 2.0 Incremental Auth
OAuth 2.0 Incremental Auth IETF 99 Prague, July 2017 William Denniss Incremental Auth Problem Statement Asking for the kitchen sink of scopes up-front is a bad thing. Users should have the context of the
More informationP1_L3 Operating Systems Security Page 1
P1_L3 Operating Systems Security Page 1 that is done by the operating system. systems. The operating system plays a really critical role in protecting resources in a computer system. Resources such as
More informationBIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1
BIG-IP Access Policy Manager : Authentication and Single Sign-On Version 13.1 Table of Contents Table of Contents Authentication Concepts... 15 About AAA server support... 15 About AAA high availability
More informationIntroduction to the FAPI Read & Write OAuth Profile
Nomura Research Institute Introduction to the FAPI Read & Write OAuth Profile Nat Sakimura(@_nat_en) Foundation 2017-11-08 Chairman of the board Research Fellow OpenID is a registered trademark of the
More informationIntroduction to RESTful Web Services. Presented by Steve Ives
1 Introduction to RESTful Web Services Presented by Steve Ives Introduction to RESTful Web Services What are web services? How are web services implemented? Why are web services used? Categories of web
More informationTHE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS
THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS TABLE OF CONTENTS 03 03 05 06 07 07 09 11 EXECUTIVE OVERVIEW MOTIVATING USE CASE: TRIPIT TERMINOLOGY INTRODUCTION THE OAUTH 2.0 MODEL
More informationDigital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2
Digital Identity Guidelines aka NIST SP 800-63 March 1, 2017 Ken Klingenstein, Internet2 Topics 800-63 History and Current Revision process Caveats and Comments LOA Evolution Sections: 800-63A (Enrollment
More informationAuthentication and Authorization of End User in Microservice Architecture
Journal of Physics: Conference Series PAPER OPEN ACCESS Authentication and Authorization of End User in Microservice Architecture To cite this article: Xiuyu He and Xudong Yang 2017 J. Phys.: Conf. Ser.
More informationCSE 123b Communications Software
CSE 123b Communications Software Spring 2004 Lecture 9: Mobile Networking Stefan Savage Quick announcements Typo in problem #1 of HW #2 (fixed as of 1pm yesterday) Please consider chapter 4.3-4.3.3 to
More informationQuick announcements. CSE 123b Communications Software. Today s issues. Last class. The Mobility Problem. Problems. Spring 2004
CSE 123b Communications Software Spring 2004 Lecture 9: Mobile Networking Quick announcements Typo in problem #1 of HW #2 (fixed as of 1pm yesterday) Please consider chapter 4.3-4.3.3 to be part of the
More informationIntegration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate
SafeNet Authentication Manager Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information
More informationOAuth securing the insecure
Black Hat US 2011 khash kiani khash@thinksec.com OAuth securing the insecure roadmap OAuth flow malicious sample applications mobile OAuth google app web-based OAuth facebook app insecure implementation
More informationIntegrating with ClearPass HTTP APIs
Integrating with ClearPass HTTP APIs HTTP based APIs The world of APIs is full concepts that are not immediately obvious to those of us without software development backgrounds and terms like REST, RPC,
More informationOverview! Automated Certificate Management (ACME) Protocol! IP-NNI Task Force! Mary Barnes - iconectiv!
Overview! Automated Certificate Management (ACME) Protocol! IP-NNI Task Force! Mary Barnes - iconectiv! ACME Overview! ACME is a protocol being developed in IETF for Automated Certificate Management.!
More informationEXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK
EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS 03 EXECUTIVE OVERVIEW 05 INTRODUCTION 07 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS 09 IDENTITY FEDERATION IN
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationAuthentication. Katarina
Authentication Katarina Valalikova @KValalikova k.valalikova@evolveum.com 1 Agenda History Multi-factor, adaptive authentication SSO, SAML, OAuth, OpenID Connect Federation 2 Who am I? Ing. Katarina Valaliková
More informationCommunications Software. CSE 123b. CSE 123b. Spring Lecture 10: Mobile Networking. Stefan Savage
CSE 123b CSE 123b Communications Software Spring 2003 Lecture 10: Mobile Networking Stefan Savage Quick announcement My office hours tomorrow are moved to 12pm May 6, 2003 CSE 123b -- Lecture 10 Mobile
More informationQuick announcement. CSE 123b Communications Software. Last class. Today s issues. The Mobility Problem. Problems. Spring 2003
CSE 123b Communications Software Quick announcement My office hours tomorrow are moved to 12pm Spring 2003 Lecture 10: Mobile Networking Stefan Savage May 6, 2003 CSE 123b -- Lecture 10 Mobile IP 2 Last
More informationTRANSFER MANAGER 2017
TRANSFER MANAGER 2017 LAST UPDATED: JULY 2017 System enhancements are located in Resolved system issues are located in WHAT S IMPROVED? BEFORE YOU BEGIN WEB SERVICE The Transfer Manager 2017 Web Service
More informationCommon IAM Flaws Plaguing Systems After Years of Assessment
SESSION ID: IDY-R04 Common IAM Flaws Plaguing Systems After Years of Assessment john (Steven) icto, Principal Consultant Cigital Inc. @m1splacedsoul What is an Architectural Flaw? Bug Flaw Metaphor: Fixing
More informationRESTful API Design APIs your consumers will love
RESTful API Design APIs your consumers will love Matthias Biehl RESTful API Design Copyright 2016 by Matthias Biehl All rights reserved, including the right to reproduce this book or portions thereof in
More informationTHE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS
THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS FIDO ALLIANCE WEBINAR MARCH 28, 2017 1 INTRODUCTION TO THE FIDO ALLIANCE ANDREW SHIKIAR SENIOR DIRECTOR OF MARKETING MARCH 28, 2017 2 THE FACTS ON
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationDigital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October Frazier D. Evans
Digital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October 2014 Frazier D. Evans Evans_Frazier@bah.com There are four key areas that need to be investigated when talking
More informationBlackBerry AtHoc Networked Crisis Communication. BlackBerry AtHoc API Quick Start Guide
BlackBerry AtHoc Networked Crisis Communication BlackBerry AtHoc API Quick Start Guide Release 7.6, September 2018 Copyright 2018 BlackBerry Limited. All Rights Reserved. This document may not be copied,
More informationKerberos for the Web Current State and Leverage Points
Kerberos for the Web Current State and Leverage Points Executive Advisory Board Meeting and Financial Services Security Summit New York, 3-4 November 2008. Towards Kerberizing Web Identity and Services
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationBEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE
BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE OUR ORGANISATION AND SPECIALIST SKILLS Focused on delivery, integration and managed services around Identity and Access Management.
More informationJava Relying Party API v1.0 Programmer s Guide
Java Relying Party API v1.0 Programmer s Guide 4 June 2018 Authors: Peter Höbel peter.hoebel@open-xchange.com Vittorio Bertola vittorio.bertola@open-xchange.com This document is copyrighted by the ID4me
More informationCertification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.
Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER Summer 18 2018 Salesforce.com, inc. All rights reserved. S ALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationXML Web Services Basics
MSDN Home XML Web Services Basics Page Options Roger Wolter Microsoft Corporation December 2001 Summary: An overview of the value of XML Web services for developers, with introductions to SOAP, WSDL, and
More informationEasily Secure your Microservices with Keycloak. Sébastien Blanc Red
Easily Secure your Microservices with Keycloak Sébastien Blanc Red Hat @sebi2706 Keycloak? Keycloak is an open source Identity and Access Management solution aimed at modern applications and services.
More informationThe Current State of OAuth 2. Aaron Open Source Bridge Portland, June 2011
The Current State of OAuth 2 Aaron Parecki Open Source Bridge Portland, June 2011 A Brief History Before OAuth aka the Dark Ages If a third party wanted access to an account, you d give them your password.
More informationForgeRock Access Management Customization and APIs
training@forgerock.com ForgeRock Access Management Customization and APIs Description AM-421 Course Description Revision B This course provides a hands-on technical introduction to ForgeRock Access Management
More informationTIBCO Cloud Integration Security Overview
TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized
More informationLUCITY REST API INTRODUCTION AND CORE CONCEPTS
LUCITY REST API INTRODUCTION AND CORE CONCEPTS REST API OFFERINGS Lucity Citizen Portal REST API Lucity REST API Both products are included in our REST API Historically we also offered a COM API and a.net
More informationCO Java EE 6: Develop Web Services with JAX-WS & JAX-RS
CO-77754 Java EE 6: Develop Web Services with JAX-WS & JAX-RS Summary Duration 5 Days Audience Java Developer, Java EE Developer, J2EE Developer Level Professional Technology Java EE 6 Delivery Method
More informationINDIGO AAI An overview and status update!
RIA-653549 INDIGO DataCloud INDIGO AAI An overview and status update! Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force! indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project
More informationBots. Table of Contents
Bots 101 Table of Contents What is a bot?.... 2 How are bots different than apps?... 2 What makes a bot intelligent?... 3 How do I engage with a bot?.... 5 How can bots help my business?.... 6 Bot benefits...
More informationMan in the Middle Attacks and Secured Communications
FEBRUARY 2018 Abstract This document will discuss the interplay between Man in The Middle (MiTM/ MITM) attacks and the security technologies that are deployed to prevent them. The discussion will follow
More information[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol
[MS-ADFSOAL]: Active Directory Federation Services OAuth Authorization Code Lookup Protocol Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft
More informationWhite Paper: Delivering Enterprise Web Applications on the Curl Platform
White Paper: Delivering Enterprise Web Applications on the Curl Platform Table of Contents Table of Contents Executive Summary... 1 Introduction... 2 Background... 2 Challenges... 2 The Curl Solution...
More informationCptS 464/564 Lecture 18
CptS 464/564 Lecture 18 2nd November 2004 Checkpoint What have we covered so far? Paradigms and Models: frameworks for the discussion of DS What is the plan ahead? Next: examples of distributed systems
More informationWelcome to this IBM Rational Podcast. I'm. Angelique Matheny. Joining me for this podcast, Delivering
Welcome to this IBM Rational Podcast. I'm Angelique Matheny. Joining me for this podcast, Delivering Next Generation Converged Applications with Speed and Quality, is Derek Baron, Worldwide Rational Communications
More informationHow Secured2 Uses Beyond Encryption Security to Protect Your Data
Secured2 Beyond Encryption How Secured2 Uses Beyond Encryption Security to Protect Your Data Secured2 Beyond Encryption Whitepaper Document Date: 06.21.2017 Document Classification: Website Location: Document
More informationUsing Twitter & Facebook API. INF5750/ Lecture 10 (Part II)
Using Twitter & Facebook API INF5750/9750 - Lecture 10 (Part II) Lecture contents Connecting to popular social APIs Authentication Authorization Common calls Privacy and understanding data storage Social
More informationSystem and Software Architecture Description (SSAD)
System and Software Architecture Description (SSAD) Perfecto Coffee Xpress Consistent Perfection Team 5 Chloe Good Yekaterina Glazko Edwards Hays Yucheng Hsieh Atreya Lahiri Jaimin Patel Yun Shen Andrew
More informationCS Protocol Design. Prof. Clarkson Spring 2017
CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,
More informationWeb Security Model and Applications
Web Security Model and Applications In this Tutorial Motivation: formal security analysis of web applications and standards Our Model of the Web Infrastructure Single Sign-On Case Studies Formal Security
More informationMisconceptions about W3C Widgets
Misconceptions about W3C Widgets Prepared for the W3C Workshop on The Future of Off-line Web Applications, 5 November 2011, Redwood City, CA, USA. By: Marcos Cáceres Throughout the last few years, a number
More informationAccess Manager 4.4 Service Pack 3 Release Notes
Access Manager 4.4 Service Pack 3 Release Notes November 2018 Access Manager 4.4 Service Pack 3 (4.4.3) includes enhancements, improves usability, and resolves several previous issues. Many of these improvements
More informationComprehensive Guide to Evaluating Event Stream Processing Engines
Comprehensive Guide to Evaluating Event Stream Processing Engines i Copyright 2006 Coral8, Inc. All rights reserved worldwide. Worldwide Headquarters: Coral8, Inc. 82 Pioneer Way, Suite 106 Mountain View,
More informationJoint Initiative on a PSD2 Compliant XS2A Interface NextGenPSD2 XS2A Framework Operational Rules
Joint Initiative on a PSD2 Compliant XS2A Interface NextGenPSD2 XS2A Framework Operational Rules 02.10.2017 Notice This Specification has been prepared by the Participants of the Joint Initiative pan-european
More informationYour Auth is open! Oversharing with OpenAuth & SAML
Your Auth is open! Oversharing with OpenAuth & SAML Andrew Pollack Northern Collaborative Technologies 2013 by the individual speaker Sponsors 2013 by the individual speaker Who Am I? Andrew Pollack President
More informationAllowing the user to define the attribute release 21 May 2014
Allowing the user to define the attribute release policy @TNC2014 21 May 2014 Program Introduction to User Managed Access (UMA) Demo A GN3+ JRA3T2 work item User Managed Access Kantara project.. address
More informationAuthentication CS 4720 Mobile Application Development
Authentication Mobile Application Development System Security Human: social engineering attacks Physical: steal the server itself Network: treat your server like a 2 year old Operating System: the war
More informationScience-as-a-Service
Science-as-a-Service The iplant Foundation Rion Dooley Edwin Skidmore Dan Stanzione Steve Terry Matthew Vaughn Outline Why, why, why! When duct tape isn t enough Building an API for the web Core services
More informationMastering OAuth 2.0. Mastering OAuth 2.0. Charles Bihis. Mastering OAuth 2.0
Fr OAuth 2.0 is a powerful authorization framework that enables your application to interact with the world's most popular service providers, allowing you to leverage their world-class technologies in
More information