Ignite Talk: I AM a robot, how do I log in?

•Descargar como PPTX, PDF•

1 recomendación•269 vistas

VMware Tanzu

SpringOne Platform 2016 Speaker: Jayson Delancy

Tecnología

Jayson Delancey
I am a robot, how do I login

jayson@robotgarden.org
***********
Welcome!
SIGN IN

UAA
User Account and
Authentication Server

• Headless
• Exposed
• Accessible
• Sensitive data
• Sensitive Hardware

draft-ietf-oauth-jwt-bearer
This specification defines the use
of a JSON Web Token (JWT) Bearer
Token as a means for requesting an
OAuth 2.0 access token as well as
for use as a means of client
authentication.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik
pvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6MTIzMTIzfQ.cUyTEK1BKsOU5stpPiM5-
PGT4nUrKwAHajhmb9Ojim7NbEwgsDAju9vlukBYJOSCFyXbG_N0zlQrO8n7yJ9G2OIOerQNqMTN
WcqwtcFha1TJyhv4tb40bLONfcrMIAO1L-oF9f27xwJQODJz4SmyU1nSI1dKeqN5KmyHVUqOLAI

$Header { "alg":"RS256" } Payload { "iss": <clientID> "sub": <device ID> "aud": <uaa> "exp": <expiration time of this token> "tenant_id": <tenant_id> } Signature SHA256withRSA( <base64(Header)>.<base64(Payload)>, <private key> )$

• Certificate-Signing
Request
• Certificate Authority
• Signature

• Device name
• Device serial no.
• Shared secret

Robots are users too.
https://github.com/GESoftware-CF/uaa
jwt_grant_3.4.0 branch

Más contenido relacionado

La actualidad más candente

Yevhen Teleshyk - OAuth Phishing

OWASP Kyiv

REST is bad - Kfir Bloch - OpenStack Day Israel 2017

Cloud Native Day Tel Aviv

Rest is bad

Kfir Bloch

DEMYSTIFYING REST Kirsten Jones REST web services are everywhere! It seems like everything you want is available via a web service, but getting started with one of these web services can be overwhelming – and debugging the interactions bewilders some of the smartest developers I know. In this talk, I will talk about HTTP, how it works, and how to watch and understand the traffic between your system and the server. From there I’ll proceed to REST – how REST web services layer on top of HTTP and how you can expect a REST web service to behave. We’ll go over how to monitor and understand requests and responses for these services. Once we’ve covered that, I’ll talk about how OAuth is used for authentication in the framework of a REST application. PHP code samples will be shown for interacting with an OAuth REST web service, and I will cover http monitoring tools for multiple OS’s. When you’re done with this talk you’ll understand enough about REST web services to be able to get started confidently, and debug many of the common issues you may encounter.

Demystifying REST

Kirsten Hunter

Vulpes tribes backend

Jiří Soušek

The screencast of this presentation can be found at https://youtu.be/o3uy7dgG_n4 There is an assumption in the industry, amongst companies large and small alike, that if they store sensitive user data (and sometimes do some mild encryption) in their database, it's locked in and secured from potential attacks. People rely too heavily on their false assumptions of security, and it usually ends up costing them extensively when that is proven wrong. In this session, Jonathan will build a foundation for identity and data security that everyone dealing with sensitive data should understand. We'll break down concepts of identity security, common attack vectors and how to protect yourself, and how to harden your web application.

PHP Identity and Data Security

Jonathan LeBlanc

OAuth簡介

firestoke

La actualidad más candente (7)

Yevhen Teleshyk - OAuth Phishing

REST is bad - Kfir Bloch - OpenStack Day Israel 2017

Rest is bad

Demystifying REST

Vulpes tribes backend

PHP Identity and Data Security

OAuth簡介

Similar a Ignite Talk: I AM a robot, how do I log in?

Microservices have become the hottest topic in software architecture over the past year, and much can be said about their benefits. But there are many challenges related to their security implementation and security context propagation over their components. This session addresses how to perform authentication and authorization inside a microservices architecture, covering technologies such as OAuth2, OpenID Connect, and JSON Web Token and use of Spring Cloud Security to integrate with a Spring and/or Java EE–based application platform.

Protecting Java Microservices: Best Practices and Strategies

Rodrigo Cândido da Silva

OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication. Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth

What the Heck is OAuth and OpenID Connect - RWX 2017

Matt Raible

OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTP and authorizes Devices, APIs, Servers and Applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and, as well as to obtain their basic profile information. This session covers how OAuth/OIDC work, when to use them, and frameworks/services that simplify authentication. Blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth

What the Heck is OAuth and Open ID Connect? - UberConf 2017

Matt Raible

OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information. This session covers how OAuth/OIDC works, when to use them, and frameworks/services that simplify authentication. Companion blog post: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth

What the Heck is OAuth and OpenID Connect - DOSUG 2018

Matt Raible

OpenID Connect with Neos and Flow

Robert Lemke

Atlassian provides two easy-to-use frameworks for getting a Connect add-on up and running quickly – atlassian-connect-express and ac-play. But what if these frameworks don't quite fit your bill? What does it mean to build a Connect add-on with your own stack? What components do you need to write? And how does it all fit together? Attending this talk will give you enough background information to implement an add-on in the language and technology stack of your choice.

AtlasCamp 2014: Building a Connect Add-on With Your Own Stack

Atlassian

INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta

apidays

Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, password reset form, and all the validation in between it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth. They will learn how to leverage these technologies to create secure applications, but most importantly, they will learn why and how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.

I Don't Care About Security (And Neither Should You)

Joel Lord

Jwt Security

Seid Yassin

Microservices Security Landscape

Prabath Siriwardena

Cqcon

Antonio Sanso

Remember that time where setting up a login page was easy? It seems like nowadays, it take many weeks to start a project just to create a signup form, a login form and a forget password screen. And that is if you don’t need 2 factor authentication or passwordless authentication. In a world of security breaches and privacy violations, it is important for developers to understand how modern identity work. This talk will be in two parts. For starters, the attendees will be introduced to modern security protocols like OpenID Connect and OAuth. The basics of token authentication will be explained using simple examples that are easy to understand. The concept of tokens will also be explained, more specifically how JWTs work. In the second part of this presentation, the attendees will learn how to implement their own authentication server, how to secure their APIs and how to protect their Single Page Applications by making use of the protocols described in the first part. Finally, the presenter will show the participants how to add Auth0 as an authentication server with minimal code changes and will demonstrate the simplicity of using a third party to handle login, signups, lost password as well as 2 factor authentication or passwordless logins.

I Don't Care About Security

Joel Lord

Jwt the complete guide to json web tokens

remayssat

I Don't Care About Security (And Neither Should You)

Joel Lord

APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta

apidays

Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies December 6, 7 & 8, 2023 I Have an OAuth2 Access Token, Now what do I do with it Matthew Auburn, VP and Tech Lead at Morgan Stanley | Co-author of Mastering API Architecture ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it,...

apidays

Building a modern API architecture is a constant struggle between ease of development and security. JSON Web Tokens (JWTs) introduce a means of building authentication into JSON objects being transmitted through APIs. In this session we’ll explore how JWTs work to build verifiable and trusted objects, allowing them to be combined with standards such as OAuth 2 for capturing access tokens, leading to a secure means of JavaScript SDK dev.

Modern API Security with JSON Web Tokens

Jonathan LeBlanc

In this presentation, Java Developer Evangelist Micah Silverman demystifies HTTP Authentication and explains how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale. Topics Covered: Security Concerns for Modern Web Apps Cross-Site Scripting Prevention Working with 'Untrusted Clients' Securing API endpoints Cookies Man in the Middle (MitM) Attacks Cross-Site Request Forgery Session ID Problems Token Authentication JWTs Working with the JJWT library End-to-end example with Spring Boot

Securing Web Applications with Token Authentication

Stormpath

JSON WEB TOKEN

Knoldus Inc.

Jwt with flask slide deck - alan swenson

Jeffrey Clark

Similar a Ignite Talk: I AM a robot, how do I log in? (20)

Protecting Java Microservices: Best Practices and Strategies

What the Heck is OAuth and OpenID Connect - RWX 2017

What the Heck is OAuth and Open ID Connect? - UberConf 2017

What the Heck is OAuth and OpenID Connect - DOSUG 2018

OpenID Connect with Neos and Flow

AtlasCamp 2014: Building a Connect Add-on With Your Own Stack

INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta

I Don't Care About Security (And Neither Should You)

Jwt Security

Microservices Security Landscape

Cqcon

I Don't Care About Security

Jwt the complete guide to json web tokens

I Don't Care About Security (And Neither Should You)

APIdays Paris 2019 - Workshop: OAuth by Example by Andy March, Okta

Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it,...

Modern API Security with JSON Web Tokens

Securing Web Applications with Token Authentication

JSON WEB TOKEN

Jwt with flask slide deck - alan swenson

Más de VMware Tanzu

What AI Means For Your Product Strategy And What To Do About It

VMware Tanzu

Make the Right Thing the Obvious Thing at Cardinal Health 2023

VMware Tanzu

Enhancing DevEx and Simplifying Operations at Scale

VMware Tanzu

Spring Update | July 2023

VMware Tanzu

Platforms, Platform Engineering, & Platform as a Product

VMware Tanzu

Building Cloud Ready Apps

VMware Tanzu

Spring Boot 3 And Beyond

VMware Tanzu

Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf

VMware Tanzu

Simplify and Scale Enterprise Apps in the Cloud | Boston 2023

VMware Tanzu

Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023

VMware Tanzu

tanzu_developer_connect.pptx

VMware Tanzu

Tanzu Virtual Developer Connect Workshop - French

VMware Tanzu

Tanzu Developer Connect Workshop - English

VMware Tanzu

Virtual Developer Connect Workshop - English

VMware Tanzu

Tanzu Developer Connect - French

VMware Tanzu

Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023

VMware Tanzu

SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot

VMware Tanzu

SpringOne Tour: The Influential Software Engineer

VMware Tanzu

SpringOne Tour: Domain-Driven Design: Theory vs Practice

VMware Tanzu

SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions

VMware Tanzu

Más de VMware Tanzu (20)

What AI Means For Your Product Strategy And What To Do About It

Make the Right Thing the Obvious Thing at Cardinal Health 2023

Enhancing DevEx and Simplifying Operations at Scale

Spring Update | July 2023

Platforms, Platform Engineering, & Platform as a Product

Building Cloud Ready Apps

Spring Boot 3 And Beyond

Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf

Simplify and Scale Enterprise Apps in the Cloud | Boston 2023

Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023

tanzu_developer_connect.pptx

Tanzu Virtual Developer Connect Workshop - French

Tanzu Developer Connect Workshop - English

Virtual Developer Connect Workshop - English

Tanzu Developer Connect - French

Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023

SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot

SpringOne Tour: The Influential Software Engineer

SpringOne Tour: Domain-Driven Design: Theory vs Practice

SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions

Último

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Exploring Multimodal Embeddings with Milvus

Zilliz

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

When you’re building (micro)services, you have lots of framework options. Spring Boot is no doubt a popular choice. But there’s more! Take Quarkus, a framework that’s considered the rising star for Kubernetes-native Java. It always depends on what's best for your situation, but how to choose the best solution if you're comparing 2 frameworks? Both Spring Boot and Quarkus have their positives and negatives. Let us compare the two by live coding a couple of common use cases in Spring Boot and Quarkus. After this talk, you’ll be ready to get started with Quarkus yourself, and know when to select Quarkus or Spring Boot.

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Jago de Vreede

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

ICT role in 21st century education and its challenges

rafiqahmad00786416

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer