Podcasts about OpenID Connect

  • 57 podcasts
  • 74 episodes
  • 42m average duration
  • 1 episode every other week
  • Latest: Apr 8, 2025

Popularity by year, 2017 to 2024 (chart not reproduced)


Latest podcast episodes about OpenID Connect

Thinking Elixir Podcast
248: Security Insights with Paraxial

Apr 8, 2025 (57:43)

News includes a new Elixir case study about Cyanview's camera shading technology used at major events like the Olympics and Super Bowl, Oban Pro 1.6 with 20x faster queue partitioning, the openid_connect package reaching version 1.0, Supabase's new Postgres Language Server for developer tooling, and ElixirEvents.net as a community resource. Plus, we interview Michael Lubas, founder of Paraxial.io, about web application security in Elixir, what's involved in a security audit, and how his Elixir-focused security company is helping teams and businesses in the community.

Show Notes online - http://podcast.thinkingelixir.com/248

Elixir Community News
  • https://elixir-lang.org/blog/2025/03/25/cyanview-elixir-case/ – New Elixir case study about Cyanview, a Belgian company whose Remote Control Panel for camera shading is used at major events like the Olympics and Super Bowl. Their Elixir-powered solution enables remote camera control across challenging network conditions.
  • https://oban.pro/docs/pro/1.6.0-rc.1/changelog.html – Oban Pro 1.6 released with subworkflows, improved queue partitioning (20x faster), and a new guide explaining different job composition approaches.
  • https://oban.pro/docs/pro/1.6.0-rc.1/composition.html – New Oban Pro guide explaining when to use chains, workflows, chunks, or batches for job composition.
  • https://github.com/DockYard/openid_connect – The Elixir package 'openid_connect' reached version 1.0, providing client library support for working with various OpenID Connect providers like Google, Microsoft Azure AD, Auth0, and others.
  • https://hexdocs.pm/openid_connect/readme.html – Documentation for the newly released openid_connect 1.0 package.
  • https://bsky.app/profile/davelucia.com/post/3llqwsbyutc2z – Announcement that openid_connect is maintained by tvlabs.
  • https://bsky.app/profile/germsvel.com/post/3llee5lyerk2b – PhoenixTest v0.6.0 has been released with significant changes, including a breaking change.
  • https://github.com/germsvel/phoenix_test – GitHub repository for PhoenixTest.
  • https://hexdocs.pm/phoenix_test/upgrade_guides.html#upgrading-to-0-6-0 – Upgrade guide for updating to PhoenixTest v0.6.0 with its breaking change.
  • https://hexdocs.pm/phoenix_test/changelog.html#0-6-0 – Changelog for PhoenixTest v0.6.0.
  • https://supabase.com/blog/postgres-language-server – Supabase has released a new Postgres Language Server for developers, providing IDE intellisense and autocomplete for PostgreSQL.
  • https://marketplace.visualstudio.com/items?itemName=Supabase.postgrestools – VSCode extension for Supabase's new Postgres developer tools.
  • https://github.com/supabase-community/postgres-language-server – GitHub repository for Supabase's Postgres Language Server.
  • https://pgtools.dev/ – Official website for Postgres Tools with documentation and features.
  • https://pgtools.dev/checking_migrations/ – Feature in Postgres Tools that lints database migrations to check for problematic schema changes.
  • https://github.com/fly-apps/safe-ecto-migrations – Resource for ensuring safe Ecto migrations.
  • https://fly.io/phoenix-files/safe-ecto-migrations/ – Article about safe Ecto migrations posted on Fly.io.
  • https://elixirevents.net/ – Community resource created by Johanna Larsson for tracking, sharing, and learning about Elixir events worldwide.
  • https://bsky.app/profile/elixirevents.net – Bluesky account for ElixirEvents.net for following Elixir community events.

Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com

Discussion Resources
  • https://paraxial.io/
  • https://paraxial.io/blog/index – Blog with posts about security for Elixir, Rails, and the Paraxial service
  • https://www.cnn.com/2025/03/18/tech/google-wiz-acquisition/index.html
  • https://podcast.thinkingelixir.com/93 – Our last discussion was 3 years ago in episode 93! Titled "Preventing Service Abuse with Michael Lubas"
  • https://www.amazon.com/Innovators-Dilemma-Revolutionary-Change-Business/dp/0062060244
  • https://www.merriam-webster.com/dictionary/Kafkaesque – having a nightmarishly complex, bizarre, or illogical quality
  • https://paraxial.io/blog/oban-pentest – Completed a Security Audit of Oban Pro - this is after Oban Pro went free and open source
  • https://paraxial.io/blog/elixir-best – Elixir and Phoenix Security Checklist: 11 Best Practices
  • https://paraxial.io/blog/rails-command-injection – Ruby on Rails Security: Preventing Command Injection
  • https://paraxial.io/blog/paraxial-three – Paraxial.io v3 blog post

Guest Information
  • Michael Lubas, Paraxial.io Founder - michael@paraxial.io
  • https://x.com/paraxialio – on Twitter/X
  • https://github.com/paraxialio/ – on GitHub
  • https://www.youtube.com/@paraxial5874 – Paraxial.io channel on YouTube
  • https://genserver.social/paraxial – on Fediverse
  • https://paraxial.io/ – Blog

Find us online
  • Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com)
  • Message the show - X (https://x.com/ThinkingElixir)
  • Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir)
  • Email the show - show@thinkingelixir.com
  • Mark Ericksen on X - @brainlid (https://x.com/brainlid)
  • Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social)
  • Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid)
  • David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com)
  • David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)

CISSP Cyber Training Podcast - CISSP Training Program
CCT 232: Managing Authentication in the Modern Enterprise (CISSP Domain 5.2)

Mar 31, 2025 (48:09), transcription available

Identity management sits at the core of effective cybersecurity, yet many organizations still struggle with implementing it correctly. In this comprehensive breakdown of CISSP Domain 5.2, we dive deep into the critical components of managing identification and authentication systems that protect your most valuable assets.

Starting with a timely examination of the risks involved in the proposed rapid rewrite of the Social Security Administration's 60-million-line COBOL codebase, we explore why rushing critical identity systems can lead to catastrophic failures. This real-world example sets the stage for understanding why proper authentication management matters.

The episode walks through the essential differences between centralized and decentralized identity approaches, explaining when each makes sense for your organization. We break down Single Sign-On implementation, multi-factor authentication best practices, and the often overlooked importance of treating Active Directory as the security tool it truly is—not just an open database for anyone to query.

For security practitioners looking to level up their authentication strategy, we examine credential management systems like CyberArk, Just-in-Time access models, and federated identity frameworks including SAML, OAuth 2.0, and OpenID Connect. Each approach is explained with practical implementation considerations and security implications.

Whether you're studying for the CISSP exam or working to strengthen your organization's security posture, this episode provides actionable insights on establishing robust authentication controls without sacrificing usability. Don't miss these essential strategies that form the foundation of your security architecture.

Ready to master CISSP Domain 5.2 and all other CISSP domains? Visit CISSPCyberTraining.com for structured learning materials designed to help you pass the exam the first time. Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months, completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Identity At The Center
#337 - Adaptive Authentication and Fraud Prevention with Ping's Patrick Harding

Mar 17, 2025 (58:14)

In this episode of the Identity Center Podcast, Jim McDonald discusses policy enforcement, adaptive authentication, and fraud prevention with Patrick Harding, Chief Product Architect at Ping Identity. They delve into how policy enforcement can be managed locally to maintain performance for SaaS applications while ensuring greater flexibility using standards like AuthZEN. Jim and Patrick also cover the benefits and challenges of using SAML and OpenID Connect for single sign-on (SSO) and explore the future role of AI agents in identity and access management. Additionally, they provide valuable tips for attending identity-focused conferences in Berlin and Las Vegas.

Chapters
00:00 Introduction to Policy Enforcement
01:29 Welcome to the Identity Center Podcast
01:54 Conference Discount Codes
03:03 Guest Introduction: Patrick Harding from Ping Identity
03:54 Patrick's Journey into Identity
06:56 Challenges in Adaptive Authentication
10:50 SaaS Applications and Policy Enforcement
21:18 Advanced Fraud Analytics
29:23 Integrating On-Premise and Cloud Applications
30:35 Effort and Challenges in Modernizing Applications
31:22 The Shift to OpenID Connect
32:22 SaaS Applications and Single Sign-On Costs
33:52 AI Agents and Adaptive Authentication
34:54 The Future of AI Agents in Business
39:15 Delegation and Authentication for AI Agents
43:46 The Impact of AI on Jobs and Efficiency
47:11 Advice for Future Careers in a Tech-Driven World
52:57 Conference Tips and Final Thoughts

Connect with Patrick: https://www.linkedin.com/in/pharding/

Conference Discounts!
European Identity and Cloud Conference 2025 - Use code idac25mko for 25% off: https://www.kuppingercole.com/events/eic2025?ref=partneridac
Identiverse 2025 - Use code IDV25-IDAC25 for 25% off: https://identiverse.com/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

Day[0] - Zero Days for Day Zero
Path Confusion and Mixing Public/Private Keys

Mar 3, 2025 (59:34)

This week's episode features a variety of vulnerabilities, including a warning on mixing up public and private keys in OpenID Connect deployments, as well as path confusion with an nginx+apache setup.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/275.html

[00:00:00] Introduction
[00:19:00] The OOB Read zi Introduced
[00:16:55] Mixing up Public and Private Keys in OpenID Connect deployments
[00:22:51] Nginx/Apache Path Confusion to Auth Bypass in PAN-OS [CVE-2025-0108]
[00:31:50] Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain
[00:44:14] Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 3
[00:48:48] GigaVulnerability: readout protection bypass on GigaDevice GD32 MCUs
[00:56:57] Attempted Research in PHP Class Pollution

Podcast episodes are available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Wednesday Feb 26th: M365 Infostealer Botnet; Mixing OpenID Keys; Malicious Medical Image Apps

Feb 26, 2025 (5:59)

Massive Botnet Targets M365 with Password Spraying
A large botnet is targeting service accounts in M365 with credentials stolen by infostealer malware.
https://securityscorecard.com/wp-content/uploads/2025/02/MassiveBotnet-Report_022125_03.pdf

Mixing up Public and Private Keys in OpenID
The complex OpenID Connect specification and the flexibility it supports enable careless administrators to publish private keys instead of, or in addition to, public keys.
https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html

Healthcare Malware Hunt Part 1
Medical images are often encoded in the DICOM format, an image format unique to medical imaging. Patients looking for viewers for DICOM images are tricked into downloading malware.
https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/
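Both the Day[0] and the SANS episodes above cover the same blog.hboeck.de finding: OpenID Connect providers whose published JWK Set carries private key members alongside the public ones. The script below is an added example written for this page, not code from either podcast or from the linked post. It checks a JWK Set for the private members RFC 7518 defines per key type (RSA: d, p, q, dp, dq, qi, oth; EC and OKP: d; oct: k) and, for RSA, confirms that a leaked d really inverts e modulo n, which is the difference between a stray field and a key anyone can sign ID tokens with. The sample JWK Set is constructed inline from the textbook toy RSA key (p=61, q=53, e=17) so the script runs offline; the EC key's coordinates are placeholders, not a real curve point. In practice you would feed it the body fetched from the provider's jwks_uri.

```python
"""Scan a JWK Set for private-key material that must never be published.

Added example for this page; not code from the podcasts or the linked post.
Key material below is a constructed toy key, labelled as such.
"""
import base64
import json

# RFC 7518 section 6: members holding private (or symmetric) key material.
# A JWK Set served from jwks_uri must contain public members only.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key is secret by definition
}
ALL_PRIVATE_MEMBERS = set().union(*PRIVATE_MEMBERS.values())


def _b64url_to_int(value: str) -> int:
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def _int_to_b64url(value: int) -> str:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def find_private_members(jwks: dict) -> list[dict]:
    """Return one finding per key in jwks["keys"] that carries private material."""
    findings = []
    for index, key in enumerate(jwks.get("keys", [])):
        kty = key.get("kty")
        # Unknown or missing kty: be conservative and flag any known private member.
        suspicious = PRIVATE_MEMBERS.get(kty, ALL_PRIVATE_MEMBERS)
        leaked = sorted(suspicious & set(key))
        if leaked:
            findings.append({"index": index, "kid": key.get("kid"),
                             "kty": kty, "members": leaked})
    return findings


def rsa_private_exponent_works(key: dict) -> bool:
    """True if a leaked RSA `d` actually inverts `e` mod n (the key is usable).

    A `d` that does not decrypt is noise; one that does means anyone holding the
    JWKS can mint ID tokens that the provider's own public key verifies.
    """
    if key.get("kty") != "RSA" or "d" not in key:
        return False
    n, e, d = (_b64url_to_int(key[m]) for m in ("n", "e", "d"))
    probe = 65 % n
    return pow(pow(probe, e, n), d, n) == probe


def constructed_jwks() -> dict:
    """Constructed sample: textbook RSA toy key (p=61, q=53, e=17) published
    together with its private exponent, plus a clean EC key with placeholder
    coordinates. Not a real provider's document."""
    p, q, e = 61, 53, 17
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))  # d == 2753
    return {
        "keys": [
            {"kty": "RSA", "kid": "rsa-leaky", "use": "sig", "alg": "RS256",
             "n": _int_to_b64url(n), "e": _int_to_b64url(e), "d": _int_to_b64url(d)},
            {"kty": "EC", "kid": "ec-ok", "crv": "P-256", "x": "AA", "y": "AA"},
        ]
    }


def scan_jwks_json(text: str) -> list[dict]:
    """Entry point for a fetched jwks_uri body."""
    return find_private_members(json.loads(text))


if __name__ == "__main__":
    sample = constructed_jwks()
    for finding in scan_jwks_json(json.dumps(sample)):
        key = sample["keys"][finding["index"]]
        print(f"kid={finding['kid']} kty={finding['kty']} "
              f"private members={finding['members']} "
              f"usable={rsa_private_exponent_works(key)}")
```

To run it against a live provider, replace constructed_jwks() with the JSON downloaded from the jwks_uri advertised in the provider's .well-known/openid-configuration. Any finding is a key-compromise incident, not a hygiene issue: the key has to be rotated and every token it signed treated as forgeable.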

.NET in pillole
280 - OpenIddict, the library for implementing your own OAuth 2.0/OpenID Connect server

Feb 17, 2025 (15:16)

OpenIddict has improved a great deal, and it can now be easily integrated into your own applications to build your own OAuth 2.0/OpenID Connect server. After IdentityServer's license change (it became a paid product), the developers seized the opportunity and evolved this library for the better.

https://github.com/openiddict/openiddict-core
https://docs.orchardcore.net/en/latest/reference/modules/OpenId/
https://youtu.be/RSjwrBATcuk
https://youtu.be/5PoWTlhxThA

KuppingerCole Analysts
Digital Identity & Innovation: Insights from Justin Richer at cyberevolution 2024

Jan 23, 2025 (18:38)

In this exclusive interview, Mirela Ciobanu, Lead Editor at The Paypers, sits down with Justin Richer, CTO of UberEther, to explore the latest advancements and challenges in digital identity at cyberevolution 2024.

Millennial Media Offensive
MMO #148 – Armchair Insurgent

Dec 4, 2024 (169:44)

Happy Invasion Day! Learn what that means and what won't happen. South Korea was in a state of martial law for about an hour in what has to be the worst coup attempt since 'nam. Syria is popping off, learn who is who, and where their funding is coming from. Also, LOOK AT A MAP! Georgia is still angry Russia out-cheated the West. Israeli hostages are pleading for President Trump's help; the only people asking Biden for help are his own family. We hear about a few more Trump Cabinet selections and why privacy is rapidly dying. Finally, the rest of the world is catching up with your MMO show on BRICS and dedollarization.

Art for Episode #148: SurveyorJose with a 4-peat victory, showing Hunter Biden's single-use get-out-of-jail-free card good for any future crime of his choosing. Job Well Done!

Do you like the show? Consider donating by going to: http://mmo.show/donate

Associate Executive Producer for MMO #148: Eli the Coffee Guy
Fiat Fun Coupon Donators: Emily the Fed, Not a Fed Ethan C. Fair Volt Tea
This week's Boosters: user75635113 | 420 | BAG DADDY BOOSTER! user75635113 | 100

Eli says: Gentlemen! Coverage of international events has been spectacular. Especially Abkhazia, and the less talked about news. Thanks for the shoutout to Gigawatt a few shows ago. We want to offer MMO Producers 20% off their first coffee order using code OTO20 at checkout. Visit GigawattCoffeeRoasters.com. Stay Caffeinated!
Eli The Coffee Guy

Shownotes Ep 148

Invasion Day
  • Web Bot
  • UFOs at Nuclear Facilities: Daily Star, Daily Mail, FAS, TopWar, Unexplained Mysteries, NBC, Eurasian Times, (Old) Alarabiya, (Old) IB Times, (Old) Daily Mail, (Old) Daily Mail
Syria
  • Article: CFR on Hayat Tahrir al-Sham (HTS)
  • Channel 4 UK Syria Offensive
  • Al Jazeera The Take on Syria Offensive
Israel
  • Hell to Pay
Georgia
  • Update – EU Bid on Hold
Weather
  • Winter Storm
Pardon
  • CNN Report
  • ABC Report on Pardon
Trump Admin
  • NPR Article: Dr. Jay Bhattacharya of The Great Barrington Declaration to lead NIH
  • Jay Bhattacharya Triggernometry
  • Marc Andreessen on Debanking
  • Marc Andreessen on Silicon Valley Split
  • Kash Patel Coming After Media Context
  • ABC Report on Hegseth
Privacy
  • Aussie Teen AI GF
  • Center for Humane Tech

NOTE ON DIGITAL ID

From [REDACTED]

Last show you covered the story of Australia looking to restrict social media access to allow only people over the age of 16 to access services such as FaceBook, X, Tiktok, Instagram, etc. I work in the field of digital identity in Canada and I have some expertise in this realm. This is a common story across the developed world where 'harms' are increasingly being associated with online activity. Digital Age Verification is one potential solution to making the internet more age appropriate. This can include access to social media, pornography, gambling, and purchases of age restricted goods online such as alcohol, tobacco and cannabis.
You are right to be concerned that digital ID and legislation like Australia's can lead to a surveillance state. Many and most digital ID systems, whether government managed or corporately managed, do enable surveillance. The common phrase of "verifying you are who you say you are online" is often accomplished by tying a unique identifier to the individual as recorded in some database. This unique identifier can be linked to your government ID, driver's license number, social security number, medical number, credit card number, bank card number and so on. Further these can be associated with your online use such as cookies, IP addresses and MAC addresses. We are already in the surveillance state because of what is called the Mosaic Effect: The mosaic effect occurs when 'disparate items of information… take on added significance when combined with other items of information.'

I did a quick read of the Australian Digital ID website. It uses a federated ID model using OpenID Connect, which is a widespread standard. In this model the ID provider, which could be FaceBook, Google (aka Social Logon) or the national government, provides the ID to the user, and 3rd parties rely on the user to authenticate using that core ID to login to their services. This model enables surveillance by default and the ID Provider technically has the ability to know where the ID is being used. However, these companies or governments may or may not have a policy which says they don't access that data, except under specific circumstances. Murky!

Alternatively, there are other forms of digital ID emerging and leveraging open source protocols and software that are "privacy preserving". Among these, there are gradations of the level of privacy being preserved. So the devil is in the details with digital ID. Many are being marketed as digital credentials held in digital wallets on your smart phone. This [REDACTED].
The Guardian had a headline with a member of the Australian parliament stating the government cannot compel the social media companies to make users hand over personal ID documents. This is tricky, because with some approaches, technically you will not need to show any personal identity document. A concept known as Zero Knowledge Proof uses advanced cryptography to prove a statement such as "I am over the age of 19 or 21" using a digitally signed credential containing your birthdate, but without actually sharing your birthdate or any other data from your government ID. We have the technology today that enables you to prove you are old enough to visit PornHub, while PornHub will only know that it was presented with an ID credential from an acceptable government issuer and that the birthdate was sufficiently long ago. Further, the ID issuing government would not know when or where you used this ID credential.

The most privacy preserving technologies are often not used because they do not meet certain industry standards such as NIST, for approved cryptographic algorithms. There is currently a long standing battle in the digital ID industry between governments, companies, standards bodies who all are taking different approaches. The type [REDACTED].

Hope this information helps the show. Happy to tell you more.

KuppingerCole Analysts
Building Secure APIs with Standards like FAPI, OAuth2, and OpenID Connect

Nov 27, 2024 (15:29)

This Videocast episode explores the complexities and advancements in digital identity standards, focusing on FAPI, OAuth, and OpenID Connect. Martin Kuppinger and Joseph Heenan, CTO of Authlete, discuss the origins and purpose of FAPI, its adoption across various regions, and its significance in enhancing security and interoperability in financial services. They also highlight the role of Authlete in simplifying the implementation of these standards for developers and the emerging trends in decentralized identity and verifiable credentials.

Software Engineering Daily
Authlete and Making OAuth Accessible with Justin Richer

Apr 11, 2024 (60:48)

OAuth is an open standard for access delegation. It lets users grant websites or applications access to their information on other websites, but without giving away passwords. OpenID Connect is an identity layer on top of OAuth. Even if you haven't programmed using OAuth and OpenID Connect, you've certainly used them for authentication on Google, The post Authlete and Making OAuth Accessible with Justin Richer appeared first on Software Engineering Daily.

airhacks.fm podcast with adam bien
JAX-RS, OAuth, OpenID Connect (OIDC), Authentication, Authorization and Quarkus

Sep 24, 2023 (59:42)

An airhacks.fm conversation with Sergey Beryozkin (@sberyozkin) about: RPC vs. REST, Paul Sandoz was driving the JAX-RS specification, the scalability of REST, the Tolerant Reader pattern, HATEOAS, Jersey was the reference implementation of JAX-RS, JAX-RS without servlets, the problems with OAuth 1, OAuth 2 fixed OAuth 1 problems, the session fixation problem, OIDC builds on OAuth 2, in OAuth 2 there are no sessions, Confidential OIDC client, OIDC extension, Elytron Security OAuth 2.0, ID tokens vs. access tokens, Opaque access tokens vs. JWT access tokens, the implicit flow, SmallRye JWT extension vs. OIDC extension, the importance of standards, the value of standards, passkeys the NeXT big thing, verifiable credentials, JSON web proof, mutual TLS support in Quarkus, automatic certificate renewal

Sergey Beryozkin on Twitter: @sberyozkin

CISSP Cyber Training Podcast - CISSP Training Program
CCT 058: Identity Unlocked: Unraveling Identity Management (Domain 5)

Jul 31, 2023 (39:14), transcription available

Ever get tangled up in the complexities of identity and access management? Tired of letting confusion rob you of effective cybersecurity strategies? Well, it's time to tune in and simplify it all! As your resident cybersecurity expert, Sean Gerber, I'll be taking the reins in this exciting journey into the heart of identity and access management. We'll tackle the big three – identity management, federated identity management, and credential management systems. Believe me when I say, by the end, you'll be navigating these concepts like a pro!

Are you ready to discover the true value of identity and access management? We all know security is paramount, but have you considered the benefits to productivity, user experience, and cost savings? Let's uncover these hidden perks together! The aim isn't just to understand but to utilize this knowledge effectively. We'll discuss the crucial importance of timely user removal and how to tackle challenges head-on when the system breaks. The big bonus? We'll also dig into how IAM aids in meeting those pesky compliance requirements and how automating processes can really save you a penny or two.

No cybersecurity journey would be complete without a deep dive into SAML, OAuth2, and OpenID Connect. Sounds complicated? Not for long! I'll be your guide as we examine these protocols and their roles in transferring authentication and authorization data. By the end, you'll understand SAML assertions, OAuth2's tokens, and how OpenID Connect is built on top of OAuth2. And, because we believe in value beyond theory, we'll explore real-world examples too.

But that's not all! Stick around as I share how you can access free CISSP questions online and why joining the CISSP cyber training community is a game-changer. So, are you ready to revolutionize your understanding of identity and access management? Let's rock and roll!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.

Let's Talk About Digital Identity
Exploring the Latest Updates in Global Assured Identity Network (GAIN) with Elizabeth Garber and Mark Haine

Jul 19, 2023 (33:07)

Let's talk about digital identity with Elizabeth Garber and Mark Haine, co-editors of the Global Assured Identity Network paper.

In episode 95, Elizabeth Garber and Mark Haine, who were editors on the Global Assured Identity Network (GAIN) paper, join Oscar to share the latest updates for GAIN, including recapping what GAIN is, the challenges that have been faced, alongside successful case studies and what developments we can expect to see for the future of GAIN. [Transcript below]

"It's all interconnected with standards development and has a really big impact on how identity systems will work, interoperable, in years to come."

You'll remember Elizabeth Garber, who was one of the lead editors of the GAIN paper - we interviewed her in episode 52 (back in October 2021). Elizabeth has a long background in Customer Strategy and Product Management. She has also led the Open Digital Trust Initiative at the Institute of International Finance and co-chairs the OpenID Foundation's GAIN technical proof-of-concept, which strives to create globally interoperable networks for exchanging high-assurance identity information. Since we last interviewed her, she co-founded IDPartner, a venture-backed startup that puts people in control of their digital identities. It will be a key player in any Global Assured Identity Network (GAIN) as interoperable networks begin to flourish. Elizabeth and Mark recently published a draft paper for the OpenID Foundation called "Human-Centric Design: a primer for government officials" which is all about how to design identity systems to sustain and promote human rights. It is open for public comment - and may feature on a future episode. You can find it on the OpenID Foundation website and blog, openid.net. Connect with Elizabeth on LinkedIn.

Mark is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate risk in financial services. Through Considrd.Consulting Ltd. Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role in the OpenID Foundation as Co-Chair of the eKYC & Identity Assurance Working Group and is a co-author of the OpenID Connect for Identity Assurance specification. Mark also is a board member of the Open Identity Exchange. Connect with Mark on LinkedIn.

We'll be continuing this conversation on Twitter using #LTADI – join us @ubisecure! Go to @Ubisecure on YouTube to watch the video transcript for episode 95.

Podcast transcript

Let's Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello, everyone. You will remember Elizabeth Garber, who was one of the lead editors of the GAIN paper. We interviewed her in episode 52, late in 2021. Elizabeth has a long background in customer strategy and product management. She has also led the Open Digital Trust Initiative at the Institute of International Finance, and she co-chairs the OpenID Foundation's GAIN technical proof-of-concept. Since we last interviewed her, she co-founded IDPartner, a venture-backed start-up that puts people in control of their digital identities. This will be a key player in any Global Assured Identity Network, as interoperable networks are beginning to flourish. We have a second guest. Our second guest today is Mark Haine. He is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate the risk in financial services through Considrd.Consulting Ltd. Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role in the OpenID Foundation as co-chair of the eKYC and Identity Assurance Working Group and is co-author of the OpenID Connect for Identity Assurance specification. Mark also is a board member of the Open Identity Exchange. Elizabeth and Mark recently published a draft pape...

GOTO - Today, Tomorrow and the Future
The Current State of Cyber Security • Eleanor Saitta & Aino Vonge Corry

GOTO - Today, Tomorrow and the Future

Play Episode Listen Later Mar 31, 2023 14:10 Transcription Available


This interview was recorded for GOTO Unscripted at GOTO Amsterdam. gotopia.tech
Read the full transcription of this interview here.

Eleanor Saitta - International Security Researcher & Co-founder of Open Source Tool Trike
Aino Vonge Corry - Author of "Retrospectives Antipatterns"

DESCRIPTION
It's almost a given that you or your company will be hacked one day. How fast and how you react is the thing that makes the difference. Eleanor Saitta explains the ins and outs of an attack and what you should have in place to get through it successfully. The interview is led by Aino Vonge Corry.

RECOMMENDED BOOKS
Aino Vonge Corry • Retrospectives Antipatterns
Liz Rice • Container Security
Liz Rice • Kubernetes Security
Aaron Parecki • OAuth 2.0 Simplified
Aaron Parecki • OAuth 2.0 Servers
Aaron Parecki • The Little Book of OAuth 2.0 RFCs
Erdal Ozkaya • Cybersecurity: The Beginner's Guide
Richer & Sanso • OAuth 2 in Action
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0

Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket: gotopia.tech

The SSI Orbit Podcast – Self-Sovereign Identity, Decentralization and Web3
#50 - OpenID4VC: OpenID for Verifiable Credentials (with Torsten Lodderstedt)

The SSI Orbit Podcast – Self-Sovereign Identity, Decentralization and Web3

Play Episode Listen Later Mar 10, 2023 54:41


Dr.-Ing. Torsten Lodderstedt is founder of Tuconic, a consulting firm specialising in digital identity and API-based software architectures, with more than 15 years' experience in developing and running large-scale consumer identity services. In his previous positions, he helped organisations in the public, banking, railway communication, and telecommunication domains to implement highly scalable and secure services. Torsten regularly contributes to identity standards, currently focusing on decentralized identity and global identity networks. He is co-author of OpenID for Verifiable Credentials and OAuth 2.1, and co-chairs the GAIN PoC community group.

About Podcast Episode
Read more about the episode by heading to https://northernblock.io/open-id-4-vc-openid-for-verifiable-credentials/

Some of the key topics covered during this episode with Torsten are:
- OpenID4VC's background, and its relationship to OAuth2 and OpenID Connect.
- How verifiable credential issuances and verifications are done using OpenID4CI and OIDC4VP (and why Presentation Exchange was chosen as the verification protocol).
- Decisions behind supporting different credential formats, identifiers, cryptography suites and trust management mechanisms.
- How OpenID4VC fits within the ToIP Hourglass Model (from the ToIP Technical Architecture Specification).
- How OpenID4VC can be used in conjunction with other protocols such as DIDComm to bootstrap workflows.
- Does OpenID4VC combined with trust frameworks help to solve the NASCAR problem we face today on the internet?
- SIOP: the protocol to exchange cryptographically verifiable identifiers and authenticate using the key material controlled by the End-User.
- Using OpenID4CI for ISO 18013-5 (mDL) to move away from wallet-specific credential issuance and towards an interoperable way of exchanging verifiable credentials between different decentralized identity systems.

Where to find Torsten?
LinkedIn: https://www.linkedin.com/in/dr-torsten-lodderstedt/
Twitter: https://twitter.com/tlodderstedt

Follow Mathieu Glaude
Twitter: https://twitter.com/mathieu_glaude
LinkedIn: https://www.linkedin.com/in/mathieuglaude/
Website: https://northernblock.io/

Streaming Audio: a Confluent podcast about Apache Kafka
Rethinking Apache Kafka Security and Account Management

Streaming Audio: a Confluent podcast about Apache Kafka

Play Episode Listen Later Dec 8, 2022 41:23 Transcription Available


Is there a better way to manage access to resources without compromising security? New employees need access to a variety of resources within a company's tech stack. But manually granting access can be error-prone. And when employees leave, their access must be revoked, thus potentially introducing security risks if an admin misses one. In this podcast, Kris Jenkins talks to Anuj Sawani (Security Product Manager, Confluent) about the centralized identity management system he helped build to integrate with Apache Kafka® to prevent common identity management headaches and security risks.

With 12+ years of experience building cybersecurity products for enterprise companies, Anuj Sawani explains how he helped build out KIP-768 (Secured OAuth support in Kafka), which supports a unified identity mechanism that spans across cloud and on-premises (hybrid scenarios).

Confluent Cloud customers wanted a single identity to access all their services. The manual process required managing different sets of identity stores across the ecosystem. Anuj goes on to explain how Identity and Access Management (IAM) using cloud-native authentication protocols, such as OAuth or OpenID Connect, solves this problem by centralizing identity and minimizing security risks.

Anuj emphasizes that sticking with industry standards is key because it makes integrating with other systems easy. With OAuth now supported in Kafka, adopting it means performing client upgrades, configuring identity providers, and so on, so that applications can leverage the new capabilities. One example is using centralized identities for client/broker connections.

As Anuj continues to build and enhance features, he hopes to recommend this unified solution to other technology vendors because it makes integration much easier. The goal is to create a web of connectors that support the same standards. The future is bright, as other organizations are researching supporting OAuth and similar industry standards. Anuj is looking forward to the evolution and applying it to other use cases and scenarios.

EPISODE LINKS
Introduction to Confluent Cloud Security
KIP-768: Secured OAuth support in Apache Kafka
Confluent Cloud Documentation: OAuth 2.0 Support
Apache Kafka Security Best Practices
Security for Real-Time Data Stream Processing with Confluent Cloud
Watch the video version of this podcast
Kris Jenkins' Twitter
Streaming Audio Playlist
Join the Confluent Community
Learn more with Kafka tutorials, resources, and guides at Confluent Developer
Live demo: Intro to Event-Driven Microservices with Confluent
Use PODCAST100 to get an additional $100 of free Confluent Cloud usage (details)

Paul's Security Weekly
ESW #296 - Travis Spencer, Sounil Yu, Brian Markham, Robert Graham, Rich Friedberg

Paul's Security Weekly

Play Episode Listen Later Nov 11, 2022 130:28


Don't leave the door open. Modern systems are complex and require you to consider many aspects. Here are some aspects we consider critical:
- APIs are the dominant software development direction/trend. Traditional/legacy ways to grant access are not fit for the purpose of protecting this new way of delivering products and services.
- Customers are demanding better digital experiences. To maintain a competitive edge and drive brand loyalty, businesses need to provide great online experiences.
- Standards (such as OAuth and OpenID Connect) are important to ensure high security levels. They also enable scalability and help future-proof your infrastructure. For example, in the financial sector these standards play a key role in the drive toward open banking.
- A modern architecture is a zero trust architecture. In a zero trust architecture, the new perimeter hinges on identity.

Segment Resources: https://thenewstack.io/zero-trust-time-to-get-rid-of-your-vpn/
This segment is sponsored by Curity. Visit https://securityweekly.com/curity to learn more about them!

In this panel discussion, we'll discuss the polarizing case of Joe Sullivan that has rattled the CISO community. Was the Sullivan case a rare anomaly? Were his actions in this scenario typical or unconscionable for the average CISO? Is it okay for Sullivan to take the fall while the rest of Uber and involved parties plead out with little to no punishment? We'll tackle all these questions and more with our excellent panel, comprised of:
- Sounil Yu, CISO and Head of Research at JupiterOne
- Brian Markham, CISO at EAB
- Rich Friedburg, CISO at Live Oak Bank
- Robert Graham, Owner at Errata Security

Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/esw296

Enterprise Security Weekly (Audio)
ESW #296 - Travis Spencer, Sounil Yu, Brian Markham, Robert Graham, Rich Friedberg

Enterprise Security Weekly (Audio)

Play Episode Listen Later Nov 11, 2022 130:28


Don't leave the door open. Modern systems are complex and require you to consider many aspects. Here are some aspects we consider critical:
- APIs are the dominant software development direction/trend. Traditional/legacy ways to grant access are not fit for the purpose of protecting this new way of delivering products and services.
- Customers are demanding better digital experiences. To maintain a competitive edge and drive brand loyalty, businesses need to provide great online experiences.
- Standards (such as OAuth and OpenID Connect) are important to ensure high security levels. They also enable scalability and help future-proof your infrastructure. For example, in the financial sector these standards play a key role in the drive toward open banking.
- A modern architecture is a zero trust architecture. In a zero trust architecture, the new perimeter hinges on identity.

Segment Resources: https://thenewstack.io/zero-trust-time-to-get-rid-of-your-vpn/
This segment is sponsored by Curity. Visit https://securityweekly.com/curity to learn more about them!

In this panel discussion, we'll discuss the polarizing case of Joe Sullivan that has rattled the CISO community. Was the Sullivan case a rare anomaly? Were his actions in this scenario typical or unconscionable for the average CISO? Is it okay for Sullivan to take the fall while the rest of Uber and involved parties plead out with little to no punishment? We'll tackle all these questions and more with our excellent panel, comprised of:
- Sounil Yu, CISO and Head of Research at JupiterOne
- Brian Markham, CISO at EAB
- Rich Friedburg, CISO at Live Oak Bank
- Robert Graham, Owner at Errata Security

Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/esw296

Paul's Security Weekly TV
Modern Access Security: Ditch Passwords, Implement 0-Trust & Secure APIs - Travis Spencer - ESW #296

Paul's Security Weekly TV

Play Episode Listen Later Nov 10, 2022 41:06


Don't leave the door open. Modern systems are complex and require you to consider many aspects. Here are some aspects we consider critical:
- APIs are the dominant software development direction/trend. Traditional/legacy ways to grant access are not fit for the purpose of protecting this new way of delivering products and services.
- Customers are demanding better digital experiences. To maintain a competitive edge and drive brand loyalty, businesses need to provide great online experiences.
- Standards (such as OAuth and OpenID Connect) are important to ensure high security levels. They also enable scalability and help future-proof your infrastructure. For example, in the financial sector these standards play a key role in the drive toward open banking.
- A modern architecture is a zero trust architecture. In a zero trust architecture, the new perimeter hinges on identity.

Segment Resources: https://thenewstack.io/zero-trust-time-to-get-rid-of-your-vpn/
This segment is sponsored by Curity. Visit https://securityweekly.com/curity to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw296

Enterprise Security Weekly (Video)
Modern Access Security: Ditch Passwords, Implement 0-Trust & Secure APIs - Travis Spencer - ESW #296

Enterprise Security Weekly (Video)

Play Episode Listen Later Nov 10, 2022 41:06


Don't leave the door open. Modern systems are complex and require you to consider many aspects. Here are some aspects we consider critical:
- APIs are the dominant software development direction/trend. Traditional/legacy ways to grant access are not fit for the purpose of protecting this new way of delivering products and services.
- Customers are demanding better digital experiences. To maintain a competitive edge and drive brand loyalty, businesses need to provide great online experiences.
- Standards (such as OAuth and OpenID Connect) are important to ensure high security levels. They also enable scalability and help future-proof your infrastructure. For example, in the financial sector these standards play a key role in the drive toward open banking.
- A modern architecture is a zero trust architecture. In a zero trust architecture, the new perimeter hinges on identity.

Segment Resources: https://thenewstack.io/zero-trust-time-to-get-rid-of-your-vpn/
This segment is sponsored by Curity. Visit https://securityweekly.com/curity to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw296

Identity, Unlocked.
SAML with Joni Brennan, Paul Madsen and Prateek Mishra

Identity, Unlocked.

Play Episode Listen Later Aug 31, 2022 41:35


In this episode, Prateek, Paul, and Joni bring us back to a time in which single sign-on across domains on the web was a brand new problem. With the confidence (and the passion!) of the people who were there and made things happen, the guests take Vittorio and the listeners on a whirlwind tour touching on the technical and political challenges they had to overcome to bring SAML to life and make it the ubiquitous success it is today. From the basics of how the SAML protocol works to the entities and standard bodies that developed it, the discussion eventually reaches modern times and concludes on how in a world where old and new standards coexist, OpenID Connect picked up the innovation torch from SAML.

GOTO - Today, Tomorrow and the Future
Expert Talk: Software Security • Jim Manico & John Steven

GOTO - Today, Tomorrow and the Future

Play Episode Listen Later Aug 5, 2022 47:18 Transcription Available


This interview was recorded for GOTO Unscripted. gotopia.tech
Read the full transcription of this interview here.

Jim Manico - Founder at Manicode Security & Co-Author of "Iron-Clad Java"
John Steven - Founding Principal at Aedify Security & CTO at Concourse Labs

DESCRIPTION
Security is a key topic in software. Lately, it has shifted from a security team responsibility to a task every single developer has to think about. Jim Manico, Founder and Secure Coding Educator at Manicode Security, and John Steven, the Founding Principal at Aedify Security, assess the evolution of the security role so that developers can make the right decisions.

RECOMMENDED BOOKS
Jim Manico & August Detlefsen • Iron-Clad Java
Liz Rice • Container Security
Liz Rice • Kubernetes Security
Aaron Parecki • OAuth 2.0 Simplified
Aaron Parecki • OAuth 2.0 Servers
Aaron Parecki • The Little Book of OAuth 2.0 RFCs
Erdal Ozkaya • Cybersecurity: The Beginner's Guide
Richer & Sanso • OAuth 2 in Action
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0

Looking for a unique learning experience? Attend the next GOTO conference near you! Get your ticket at gotopia.tech

Angular Master Podcast
AMP 26: Rethinking Auth for SPAs and Micro Frontends by Manfred Steyer

Angular Master Podcast

Play Episode Listen Later Jul 2, 2022 23:05


What's up everyone, this is Dariusz Kalbarczyk, co-founder of NG Poland, JS Poland, AngularMaster.dev & WorkshopFest.dev. Welcome back to the Angular Master Podcast. Today, together with Manfred Steyer, who is an excellent Speaker, Trainer, Consultant and Author with a focus on Angular, we will talk about Auth for SPAs and Micro Frontends.

You started a blog series where you tell us that the browser is no safe place for storing security tokens. However, it's quite modern to directly use JWT tokens, OAuth 2 and OpenID Connect in the browser. What's the reason for this?
Do we need to panic if we still use tokens in the browser?
If we should not directly use security tokens in the browser, how do we implement Single Sign-on with existing identity solutions like Active Directory?
How do we deal with APIs of different origins?
You also mention that there is a way to use these ideas to improve security while making everything easier. How is this even possible?
Let's assume we have installed and configured such a Security Gateway. What do I need to do on the client side for authentication and authorization? And what do I need to do on the server side?
Can you tell us a bit about your reference implementation for this idea?
You are using ASP.NET Core for this. What to do if this is not part of our stack?
What Identity Solutions does this implementation support?
What about Cross-Site Request Forgery attacks, now that we have cookies again? Do we need to protect ourselves from them?
You also talked a lot about Micro Frontends recently. Does this approach also work with them, or do we have to adjust it?

Adventures in .NET
What is a BFF? - .NET 110

Adventures in .NET

Play Episode Listen Later Mar 8, 2022 27:42


Wai and Caleb sit down to discuss how authentication is evolving and how it works in Blazor. Identity Server is now Duende Server, and with that comes the Backend for Frontend (BFF) pattern. From an authentication perspective this pattern can benefit SPAs because of the way it handles cookies and tokens. Caleb is in the process of integrating a .NET 6 Blazor app with Identity Server 4 (IDS4) and wanted to use BFF, but it isn't an option. We discuss alternatives and how those alternatives might be viewed from the business and developer perspectives. Join us and find out where Caleb ended up on his authentication journey.

Have you had to handle authentication in a Blazor app? Let us know on Twitter at @dotnet_Podcast (https://twitter.com/dotNET_Podcast).

Sponsors
Top End Devs (https://topenddevs.com/)
Coaching | Top End Devs (https://topenddevs.com/coaching)

Links
ASP.NET Core 6 and Authentication Servers (https://devblogs.microsoft.com/dotnet/asp-net-core-6-and-authentication-servers/)
An alternative way to secure SPAs (with ASP.NET Core, OpenID Connect, OAuth 2.0 and ProxyKit) (https://leastprivilege.com/2019/01/18/an-alternative-way-to-secure-spas-with-asp-net-core-openid-connect-oauth-2-0-and-proxykit/)
Duende Software Documentation (https://docs.duendesoftware.com/identityserver/v6/bff/)
RFC 7636 (https://datatracker.ietf.org/doc/html/rfc7636)

Picks
Caleb - Life Q20+ | Soundcore (https://us.soundcore.com/collections/frontpage/products/a3045011)
Wai - Branch Education (https://www.youtube.com/c/BranchEducation)

Let's Talk About Digital Identity
Nat Sakimura delves into Financial-Grade API (FAPI) – Podcast Episode 59

Let's Talk About Digital Identity

Play Episode Listen Later Jan 12, 2022 28:10


Let's talk about digital identity with Nat Sakimura, Chairman at the OpenID Foundation.

In episode 59, Nat returns to the podcast to explore Financial-Grade API (FAPI), the base security protocol for UK Open Banking, the Australian Consumer Data Standard, and Brazil's Open Banking. He discusses why and how FAPI was formed; what exactly FAPI is – including technical characteristics; how FAPI is used today; and future plans for the specification - as well as how it connects to GAIN. [Transcript below]

"The data economy needs a secure and interoperable data network. And we are finally getting there with FAPI and eKYC standards. So, you guys need to get ready for the ride. It's the time. You need to start acting, start preparing for that."

Nat Sakimura is a well-known identity and privacy standardisation architect and the representative partner of NAT Consulting. Besides being an author/editor of such widely used standards as OpenID Connect, FAPI, JWT (RFC7519), JWS (RFC7515), OAuth PKCE (RFC7636), ISO/IEC 29184 and ISO/IEC 29100 Amd.1, he helps communities to organise themselves to realise the ideas around identity and privacy. As the chairman of the board of the OpenID Foundation, he streamlined the process, bolstered the IPR management, and greatly expanded the breadth of the Foundation, spanning over 10 working groups whose members include large internet services, mobile operators, financial institutions, governments, etc. He is also active in the public policy space. He has been serving in various committees in the Japanese government, including the Study Group on the Platform Services of the Ministry of Internal Affairs and Communications and the Study Group on the competition in Digital Market of the Fair Trade Commission of Japan. Find Nat on Twitter @_nat_en and LinkedIn. Nat also appeared in episode 54 of Let's Talk About Digital Identity, discussing how OpenID Connect took over the world.

We'll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Podcast transcript

Let's Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and welcome to the first episode of Let's Talk About Digital Identity for this New Year 2022. And we have a very special guest who has been in very short clips in an episode we had in October, very recently in October. A very special episode, a storytelling episode called How OpenID Connect took over the World, and today's guest was there. We are talking about our super special guest called Nat Sakimura, one of the creators of the OpenID Connect standard. Nat Sakimura is a well-known identity and privacy standardisation architect and a representative partner of NAT Consulting. Besides being an author and editor of such widely used standards as OpenID Connect, FAPI, JWT, OAuth PKCE among others, he helps communities to organise themselves to realise the ideas around identity and privacy. As the chairman of the board of the OpenID Foundation, he streamlined the process, bolstered the IPR management, and greatly expanded the breadth of the Foundation spanning over 10 working groups whose members included large internet services, mobile operators, financial institutions, government, etc. He has been serving in various committees in the Japanese government, including a Study Group on the Platform Services of the Ministry of Internal Affairs and Communications and a Study Group on the competition in Digital Market of the Fair Trade Commission of Japan. Hello, Nat.

Nat Sakimura: Hi, Oscar. Thanks for inviting me.

Oscar: Welcome. It's a great pleasure talking with you, Nat. And well, Happy New Year. And let's talk about digital identity.

Nat: Likewise, yeah.

Oscar: Fantastic. And I think we know a lot of your involvement, of course, you are leading one of the most important standardisation organisations in the digital space.

Identity, Unlocked.
OpenID Connect with Mike Jones

Identity, Unlocked.

Play Episode Listen Later Dec 20, 2021 43:24


Identity, Unlocked.
Decentralized Identity and OpenID Connect with Kristina Yasuda and Oliver Terbu

Identity, Unlocked.

Play Episode Listen Later Dec 6, 2021 37:40


SecurityTrails Blog
Introducing Single Sign-On to SecurityTrails: Secure Authentication with Okta SSO

SecurityTrails Blog

Play Episode Listen Later Dec 2, 2021 3:18


We are excited to announce that we are beginning the implementation of single sign-on (SSO) access across Securitytrails. Okta SSO is the first provider we're bringing on in this effort to deliver secure authentication and a better user experience to our users.

SSO and its security benefits

Single sign-on (SSO) is an authentication service offered by various providers that allows for the use of only one set of credentials, usually a username and password, to access multiple applications securely. With the emergence of cloud computing and the accelerated use of software-as-a-service (SaaS), organizations are adopting the centralized authentication of SSO as an efficient way to provide risk-free access to multiple resources. Some of the main security benefits organizations have reported with the implementation of SSO are:

Decrease in likelihood of password theft: One of the best security practices is to have strong and unique passwords for each account/app, but that can be difficult to manage on an organizational level. With SSO, users only need one strong passphrase, meaning they're more likely to remember it and less likely to store it carelessly.

Prevention of shadow IT: Shadow IT is becoming more prevalent in cloud-centric environments. SSO allows for monitoring which apps are used by and permitted for users, thus preventing further shadow IT.

Help with regulatory compliance: Common regulations such as HIPAA require effective authentication of users as well as automatic logoff for all accessed resources, which SSO effectively enables.

Our choice: Okta SSO

Okta was our first choice, as it's one of the best SSO providers for enterprise users. Known for its numerous integrations, Okta SSO provides different directory types and powerful and essential features that allow for easy implementation and a user-friendly interface. Okta is standard-compliant with the OAuth 2.0 protocol that controls authorization of access to sensitive resources and is a certified OpenID Connect provider, a protocol built on top of OAuth 2.0 that provides user authentication and SSO functionality.

How to enable SSO in Securitytrails

To enable SSO authentication in your account, simply contact us requesting to change your default authentication scheme (please note that as a requirement you'll need to previously set up an application inside your Okta organization and provide its client_id along with your designated Okta login's domain name). For a detailed procedure on how to set it up, please check our SSO documentation.

After SSO is enabled on your account, you'll receive an email containing an invite link to begin the authentication process. The link in the email will then redirect you to a confirmation page to continue. After confirmation, you'll be presented with a login prompt, where you'll need to sign in with your SSO credentials to be authenticated. Once you enter your credentials, user authentication takes place against the chosen SSO provider—currently with Okta SSO. You're all set! For future SSO authentication usage you can validate your account by using a login link that's unique to your organization, which will be in the following format:

This is just the start

Implementing Okta is the first step in enabling SSO across Securitytrails and providing centralized authentication to our users. More authentication protocols will be rolled out in the future—stay tuned!

Let's Talk About Digital Identity
How OpenID Connect took over the world – Podcast Episode 54

Let's Talk About Digital Identity

Play Episode Listen Later Nov 3, 2021 24:05


Let's talk about digital identity with Oscar Santolalla, Nat Sakimura and Petteri Stenius. In this week's special episode, Oscar explores the history of OpenID Connect and how it became so prevalent, with special guests Nat Sakimura, Chairman at the OpenID Foundation, and Petteri Stenius, Principal Scientist at Ubisecure. Listen to the episode wherever you get your podcasts, or read the transcript below.

"New technology seldomly completely replaces the older technologies. They will form additional layers, and slowly start replacing it."

Podcast transcript

Oscar Santolalla: Let's Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla. It was February 2014, already hundreds of millions of people worldwide had a smartphone in their pockets, with dozens of apps installed, apps like: Snapchat, Spotify, Vine, Skype, and games like Angry Birds and Minecraft. Mobile apps had been booming for a few years, and users were eager to install every app that resonated with them out of a seemingly unlimited stream of new apps. Indeed, Apple's App Store had recently reached the 1 million mobile apps milestone. Not only mobile, but also in web services, for every new app I wanted to use, I needed to create a new user account, which was OK when I could count them with my own fingers. But what if I had 20, 30, 40 apps on my phone? This was becoming a headache for people, but especially it was clear to become a security concern. Identity professionals had seen this challenge even in their own lives. And there were combined efforts from big tech, mobile operators, identity software vendors, to architect a solution. An early effort was the OpenID standard, which gained promising interaction at the start of the 2010s. With my OpenID user account, I could log into Yahoo, Google, MySpace, and dozens of thousands of web services.
However, the lack of a uniform user experience didn't help people, and a massive audience didn't get hooked on the standard. So, what happened after the setback? A new solution had been cooked up by identity professionals, and finally solved this long-lived problem. OpenID Connect not only solved that problem for the big tech and social networks, but created a modern way of user authentication, especially for mobile. Today, if you are listening to this podcast, you have definitely used OpenID Connect before, with or without knowing it. To hear a story from the brilliant minds that designed this standard, let's hear from Nat Sakimura, one of the creators of the OpenID Connect 1.0 Standard, and today, Chairman of the OpenID Foundation. How was the world just before OpenID Connect appeared?

Nat Sakimura: So you know, the creation of OpenID Connect actually started in 2009. And contemplation on that was actually done from 2007. Even before OpenID 2.0 was published, right? There were things like XRI, XDI, SAML. And SAML was becoming pretty strong in the market, but at the same time, because of the XML DSig problems, people were starting to complain about that. And the OpenID Connect just started off with three people: me, John Bradley, and Breno De Medeiros at the corner of the Internet Identity Workshop. And we were just sketching out a protocol, which is really dead simple to implement in the simple cases but at the same time, something that could be extended to a very high security, integrity protected federation protocol. And the years between 2010 and 2013 were spent on drafting it and implementing it. Actually, a lot of people started implementing OpenID Connect back in 2011 or something like that. And we had multiple rounds of interop tests as well as, you know, they were actually deployed in the wild and were tested. So OpenID Connect was actually quite well-implemented by service providers like Google before it was published in 2014.
Oscar: Yes, so that was my understanding that before the standard was published,

Futurice Tech Weeklies
You might not want OpenID (Audio Only)

Futurice Tech Weeklies

Play Episode Listen Later Oct 27, 2021 29:07


The modern de facto solution to identity management is OpenID Connect. OIDC and OAuth2 come with their own problems though. The intention of this session is to look at some of the problems these frameworks bring, to look at some alternatives to OpenID for identity in your applications and what kinds of cases they might be applicable in.

Presenter: Mikael Viitaniemi

Futurice Tech Weeklies
You might not want OpenID

Futurice Tech Weeklies

Play Episode Listen Later Oct 27, 2021 29:07


The modern de facto solution to identity management is OpenID Connect. OIDC and OAuth2 come with their own problems though. The intention of this session is to look at some of the problems these frameworks bring, to look at some alternatives to OpenID for identity in your applications and what kinds of cases they might be applicable in.

Presenter: Mikael Viitaniemi

Screaming in the Cloud
Security in the New Normal with Ev Kontsevoy

Screaming in the Cloud

Play Episode Listen Later Sep 15, 2021 44:18


About Ev

Ev Kontsevoy is Co-Founder and CEO of Teleport. An engineer by training, Kontsevoy launched Teleport in 2015 to provide other engineers solutions that allow them to quickly access and run any computing resource anywhere on the planet without having to worry about security and compliance issues. A serial entrepreneur, Ev was CEO and co-founder of Mailgun, which he successfully sold to Rackspace. Prior to Mailgun, Ev has had a variety of engineering roles. He holds a BS degree in Mathematics from Siberian Federal University, and has a passion for trains and vintage-film cameras.

Links:
Teleport: https://goteleport.com
Teleport GitHub: https://github.com/gravitational/teleport
Teleport Slack: https://goteleport.slack.com/join/shared_invite/zt-midnn9bn-AQKcq5NNDs9ojELKlgwJUA
Previous episode with Ev Kontsevoy: https://www.lastweekinaws.com/podcast/screaming-in-the-cloud/the-gravitational-pull-of-simplicity-with-ev-kontsevoy/

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at VMware. Let's be honest—the past year has been far from easy. Due to, well, everything. It caused us to rush cloud migrations and digital transformation, which of course means long hours refactoring your apps, surprises on your cloud bill, misconfigurations and headache for everyone trying to manage disparate and fractured cloud environments. VMware has an answer for this.
With VMware multi-cloud solutions, organizations have the choice, speed, and control to migrate and optimize applications seamlessly without recoding, take the fastest path to modern infrastructure, and operate consistently across the data center, the edge, and any cloud. I urge you to take a look at vmware.com/go/multicloud. You know my opinions on multi-cloud by now, but there's a lot of stuff in here that works on any cloud. But don't take it from me; that's: vmware.com/go/multicloud and my thanks to them again for sponsoring my ridiculous nonsense.

Corey: You could go ahead and build your own coding and mapping notification system, but it takes time, and it sucks! Alternately, consider Courier, who is sponsoring this episode. They make it easy. You can call a single send API for all of your notifications and channels. You can control the complexity around routing, retries, and deliverability and simplify your notification sequences with automation rules. Visit courier.com today and get started for free. If you wind up talking to them, tell them I sent you and watch them wince—because everyone does when you bring up my name. That's the glorious part of being me. Once again, you could build your own notification system but why on god's flat earth would you do that?

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Roughly a year ago, I had a promoted guest episode featuring Ev Kontsevoy, the co-founder and CEO of Teleport. A year has passed and what a year it's been. Ev is back to tell us more about what they've been up to for the past year and, ideally, how things may have changed over in the security space. Ev, thank you for coming back to suffer the slings and arrows I will no doubt be hurling your way almost immediately.

Ev: Thanks for having me back, Corey.

Corey: So, it's been a heck of a year. We were basically settling into the pandemic when last we recorded, and people's security requirements when everyone is remote were dramatically changing.
A year later, what's changed? It seems like the frantic, grab a bucket and start bailing philosophy has largely been accepted with something that feels almost like a new normal, ish. What are you seeing?

Ev: Yes, we're seeing the exact same thing, that it's really hard to tell what is normal. So, at the beginning of the pandemic, our company, Teleport was, so we were about 25 people. And then once we got the vaccines, and the government restrictions started to, kind of, disappear, people started to ask, “So, when are we going to go back to normal?” But the thing is, we're 100 employees now, which means that three-quarters of the company, they joined us during the pandemic, so we have no normal to go back to. So, now we have to redefine—not redefine, we just basically need to get comfortable with this new, fully remote culture with fully remote identity that we have, and become comfortable with it. And that's what we're doing.

Corey: Beyond what, I guess, you're seeing, as far as the culture goes, internally as well, it feels like there's been a distinct shift in the past year or so, the entire security industry. I mean, I can sit here and talk about what I've seen, but again, I'm all over the place and I deal with a very select series of conversations. And I try not to confuse anecdotes with data. Anecdata is not the most reliable thing. You're working in this space. That is the entire industry you're in. How has the conversation in the industry around security shifted? What's new? What trends are emerging?

Ev: So, there are several things actually happening. So, first of all, I wouldn't call ourselves, like, we do all of security. So, we're experts in access; like, how do you access everything that you have in your cloud or in your data centers? And that space has been going through one transformation after another.
It's been basically under the same scaling stress as the rest of the cloud computing industry. And we can talk about historical changes that have been happening, and then we can talk a little bit about, kind of, latest and greatest. And in terms of what challenges companies have with secure access, maybe it helps if I just quickly describe what ‘access' actually means.

Corey: Please, by all means. It's one of those words that everyone knows, but if you ask three people to define it, you'll get five definitions—

Ev: [laugh]. Exactly.

Corey: —and they don't really align. So please, you're the expert on this; I am here to listen because I guarantee you I am guilty of misusing the term at least once so far, today.

Ev: Can't blame you. Can't blame you. We are—I was the same way until I got into this space. So, access basically means four things. So, if you want to have access done properly into your cloud resources, you need to think about four things.

First is connectivity. That's basically a physical ability to deliver an encrypted packet from a client to destination, to a resource whatever that is, could be database, could be, like, SSH machine, or whatever it is you're connecting to. So, connectivity is number one. So, then you need to authenticate. Authentication, that's when the resource decides if you should have access or not, based on who you are, hopefully.

So, then authorization, that's the third component. Authorization, the difference—like, sometimes people confuse the two—the difference between authentication and authorization is that authorization is when you already authenticated, but the resource decides what actions you are allowed to perform. The typical example is, like, is it read-only or read-write access? So, that's authorization, deciding on which actions you're allowed to perform. And the final component of having access properly is having audit or visibility which is, again, it could be real-time and historical.

So ideally, you need to have both.
So, once you have those two solved, then you solved your access problem. And historically, if you look at how access has been done—so we had these giant machines, then we had microcomputers, then we had PCs, and they all have these things. So, you log in into your Mac, and then if you try to delete certain file, you might get access denied. So, you see there is connectivity—in this case, it's physical, a keyboard is physically connected to the [laugh] actual machine; so then you have authentication that you log in in the beginning; then authorization, if you can or cannot do certain things in your machine; and finally, your Mac keeps an audit log.

But then once the industry, we got the internet, we got all these clouds, so the amount of these components that we're now operating on, we have hundreds of thousands of servers, and load-balancers, and databases, and Kubernetes clusters, and dashboards, all of these things, all of them implement these four things: connectivity, authentication, authorization, audit.

Corey: Let me drive into that for a minute first, to make sure I'm clear on something. Connectivity makes sense. The network is the computer, et cetera. When you don't have a network to something, it may as well not exist. I get that.

And the last one you mentioned, audit of a trail of who done it and who did what, when, that makes sense to me. But authentication and authorization are the two slippery ones in my mind that tend to converge a fair bit. Can you dive a little bit in and delineate what the difference is between those two, please?

Ev: So authentication, if you try to authenticate into a database, the database needs to check if you are on the list of people who should be allowed to access. That's authentication, you need to prove that you are who you claim you are.

Corey: Do you have an account and credentials to get into that account?

Ev: Correct. And there are good ways to do authentication and bad ways to do authentication.
So, a bad way to do authentication—and a lot of companies are actually guilty of that—is if you're using shared credentials. Let's say you have a user called ‘admin' and that user has a password, and those are stored in some kind of stored—in, like 1Password, or something like Vault, some kind of encrypted vault, and then when someone needs to access a database, they go and borrow these credentials and they go and do that. So, that is an awful way to do authentication.

Corey: Now, another way I've seen that's terrible has been also, “Oh, if you're connecting from this network, you must be allowed in,” which is just… yeee.

Ev: Oh, yeah. That's a different sin. And that's a perimeter security sin. But a much better way to do authentication is what is called identity-based authentication. Identity means that you always use your identity of who you are within the company.

So, you would go in through corporate SSO, something like Okta, or Active Directory, or even Google, or GitHub, and then based on that information, you're given access. So, the resource in this case database, [unintelligible 00:07:39] say, “Oh, it's Corey. And Corey is a member of this group, and also a member of that group.” And based on that it allows you to get in, but that's where authentication ends. And now, if you want to do something, like let's say you want to delete some data, now a database needs to check, ah, can you actually perform that action? That is the authorization process.

And to do that, usually, we use some mechanism like role-based access control. It will look into which group are you in. Oh, you are an admin, so admins have more privileges than regular people. So, then that's the process of authorization.

And the importance of separating the two, and important to use identity because remember, audit is another important component of implementing access properly. So, if you're sharing credentials, for example, you will see in your audit log, “Admin did this.
Admin did that.” It's the exact same admin, but you don't know who actually was behind that action. So, by sharing credentials, you're also obscuring your own audit which is why it's not really a good thing.

And going back to this industry trends is that because the amount of these resources, like databases and servers and so on, in the cloud has gotten so huge, so we now have this hardware pain, we just have too many things that need access. And all of these things, the software itself is getting more complicated, so now we have a software pain as well, that you have so many different layers in your stack that they need to access. That's another dimension for introducing access pain. And also, we just have more developers, and the development teams are getting bigger and bigger, the software is eating the world, so there is a people-ware pain. So, on the one hand, you have these four problems you need to solve—connectivity, authentication, authorization, access—and on the other hand, you have more hardware, more software, more people, these pain points.

And so you need to consolidate, and that's really what we do is that we allow you to have a single place where you can do connectivity, authentication, authorization, and audit, for everything that you have in the cloud. We basically believe that the future is going to be like metaverse, like in those books. So, all of these cloud resources are slowly converging into this one giant planetary-scale computer.

Corey: Suddenly, “I live on Twitter,” is no longer going to be quite as much of a metaphor as it is today.

Ev: [laugh]. No, no. Yeah, I think we're getting better. If you look into what is actually happening on our computing devices that we buy, the answer is not a lot, so everything is running in data centers, the paradigm of thin client seems to be winning. Let's just embrace that.

Corey: Yeah. You're never going to be able to shove data centers' worth of compute into a phone.
By the time you can get there, data centers will have gotten better. It's the constant question of where do you want things to live? How do you want that to interact?

I talk periodically about multi-cloud, I talk about lock-in, everyone is concerned about vendor lock-in, but the thing that people tend to mostly ignore is that you're already locked in through a variety of different ways. And one way is both the networking side of it as well as the identity management piece because every cloud handles that differently and equating those same things between different providers that work different ways is monstrous. Is that the story of what you're approaching from a Teleport perspective? Is that the primary use case, is that an ancillary use case, or are we thinking about this in too small a term?

Ev: So, you're absolutely right, being locked in, in and—like, by itself is not a bad thing. It's a trade-off. So, if you lack expertise in something and you're outsourcing certain capability to a provider, then you're developing that dependency, you may call it lock-in or not, but that needs to be a conscious decision. Like, well, you didn't know how to do it, then someone else was doing it for you, so you should be okay with the lock-in. However, there is a danger, that, kind of, industry-wide danger about everyone relying on one single provider.

So, that is really what we all try to avoid. And with identity specifically, I feel like we're in a really good spot that fairly early, I don't see a single provider emerging as owning everyone's identity. You know, some people use Okta; others totally happy tying everything to Google Apps. So, then you have people that rely on Amazon AWS native credentials, then plenty of smaller companies, they're totally happy having all of their engineers authenticate through GitHub, so they use GitHub as a source of identity.
And the fact that all of these providers are more or less compatible with each other—so we have protocols like OpenID Connect and SAML, so I'm not that concerned that identity itself is getting captured by a single player.

And Teleport is not even playing in that space; we don't keep your identity. We integrate with everybody because, at the end of the day, we want to be the solution of choice for a company, regardless of which identity platform they're using. And some of them using several, like all of the developers might be authenticating via GitHub, but everyone else goes through Google Apps, for example.

Corey: And the different product problem. Oh, my stars, I was at a relatively small startup going through an acquisition at one point in my career, and, “All right. Let's list all of the SaaS vendors that we use.” And the answer was something on an average of five per employee by the time you did the numbers out, and—there were hundreds of them—and most of them because it started off small, and great, everyone has their own individual account, we set it up there. I mean, my identity management system here for most of what I do is LastPass.

I have individual accounts there, two-factor auth enabled for anything that supports it, and that is it. Some vendors don't support that: we have to use shared accounts, which is just terrifying. We make sure that we don't use those for anything that's important. But it comes down to, from our perspective, that everyone has their own ridiculous series of approaches, and even if we were to, “All right, it's time to grow up and be a responsible business, and go for a single-sign-on approach.” Which is inevitable as companies scale, and there's nothing wrong with that—but there's still so many of these edge cases and corner case stories that don't integrate.

So, it makes the problem smaller, but it's still there rather persistently.
And that doesn't even get into the fact that for a lot of these tools, “Oh, you want SAML integration? Smells like enterprise to us.” And suddenly they wind up having an additional surcharge on top of that for accessing it via a federated source of identity, which means there are active incentives early on to not do that. So it's—

Ev: It's absolutely insane. Yeah, you're right. You're right. It's almost like you get penalized for being small, like, in the early days. It's not that easy if you have a small project you're working on. Say it's a company of three people and they're just cranking in the garage, and it's just so easy to default to using shared credentials and storing them in LastPass or 1Password. And then the interesting way—like, the longer you wait, the harder it is to go back to use a proper SSO for everything. Yeah.

Corey: I do want to call out that Teleport has a free and open-source community edition that supports GitHub SSO, and in order to support enterprise SSO, you have to go to your paid offering. I have no problem with this, to be clear, that you have to at least be our customer before we'll integrate with your SSO solution makes perfect sense, but you don't have a tiering system where, “Oh, you want to add that other SSO thing? And well, then it's going to go from X dollars per employee to Y dollars.” Which is the path that I don't like. I think it's very reasonable to say that there are features flat-out you don't get as a free user. And even then you do offer SSO, just not the one that some people will want to pick.

Ev: Correct. So, the open-source version of Teleport supports SSO that smaller companies use, versus our enterprise offering, we shaped it to be more appealing for companies at certain scale.

Corey: Yeah. And you've absolutely nailed it.
There are a number of companies in the security space who enraged people about how they wind up doing their differentiation around things like SSO or, God forbid, two-factor auth, or once upon a time, SSL. This is not that problem. I just want to be explicitly clear on that, that is not what I'm talking about. But please, continue.

Ev: Look, we see it the same way. We sometimes say that we do not charge for security, like, top-level security you get, is available even in the open-source. And look, it's a common problem for most startups who, when you have an open-source offering, where do you draw the line? And sometimes you can find answers in very unexpected places. For example, let's look into security space.

One common reason that companies get compromised is, unfortunately, human factor. You could use the best tool in the world, but if you just by mistake, like, just put a comma in the wrong place and one of your config files just suddenly is out of shape, right, so—

Corey: People make mistakes and you can't say, “Never make a mistake.” If you can get your entire company compromised by someone in your office clicking on the wrong link, the solution is not to teach people not to click on links; it's to mitigate the damage and blast radius of someone clicking on a link that they shouldn't. That is resilience that understands the human factors at play.

Ev: Yep, exactly. And here's an enterprise feature that was basically given to us by customer requests. So, they would say we want to have FedRAMP compliance because we want to work with federal government, or maybe because we want to work with financial institutions who require us to have that level of compliance. And we tell them, “Yeah, sure. You can configure Teleport to be compliant. Look, here's all the different things that you need to tweak in the config file.”

And the answer is, “Well, what if we make a mistake? It's just too costly.
Can we have Teleport just automatically work in that mode?” In other words, if you feed it the config file with an error, it will just refuse to work. So basically, you take your product, and you chop off things that are not compliant, which means that it's impossible to feed an incorrect config file into it, and here you got an enterprise edition.

It's a version that we call FIPS mode. So, when it runs in FIPS mode, it has a different runtime inside, it basically doesn't even have crypto that is not approved, which you can turn on by mistake. It will just not work.

Corey: By the time we're talking about different levels of regulatory compliance, yeah, we are long past the point where I'm going to have any comments in the slightest about differentiation of pricing tiers and the rest. Yeah, your free tier doesn't support FedRAMP is one of those ludicrous things that—who would say that [laugh] actually be sincere [insane 00:18:28]?

Ev: [laugh].

Corey: That's just mind-boggling to me.

Ev: Hold on a second. I don't want anyone to be misinformed. You can be FedRAMP compliant with the free tier; you just need to configure it properly. Like the enterprise feature, in this case, we give you a thing that only works in this mode; it is impossible to misconfigure it.

Corey: It's an attestation and it's a control that you need—

Ev: Yep. Yep.

Corey: —in order to demonstrate compliance because half the joy of regulatory compliance is not doing the thing, it's proving you do the thing. That is a joy, and those of you who've worked in regulated environments know exactly what I'm talking about. And those of you who have not, are happy but please—

Ev: Frankly, I think anyone can do it using some other open-source tools. You can even take, like, OpenSSH, sshd, and then you can probably build a different makefile for just the build pipeline that changes the linking, that it doesn't even have the crypto that is not on the approved list.
So, then if someone feeds a config file into it that has, like, a hashing function that is not approved, it will simply refuse to work. So, maybe you can even turn it into something that you could say here's a hardened version of sshd, or whatever. So, same thing.

Corey: I see now you're talking about the four aspects of this, the connectivity, the authentication, the authorization, and the audit components of access. How does that map to a software product, if that makes sense? Because it sounds like a series of principles, great, it's good to understand and hold those in your head both, separately and distinct, but also combining to mean access both [technical 00:19:51] and the common parlance. How do you express that in Teleport?

Ev: So, Teleport doesn't really add authorization, for example, to something that doesn't have it natively. The problem that we have is just the overall increasing complexity of computing environments. So, when you're deploying something into, let's say, AWS East region, so what is it that you have there? You have some virtual machines, then you have something like Kubernetes on top, then you have Docker registry, so you have these containers running inside, then you have maybe MongoDB, then you might have some web UI to manage MongoDB and Grafana dashboard. So, all of that is software; we're only consuming more and more of it so that our own code that we're deploying, it's icing on a really, really tall cake.

And every layer in that layer cake is listening on a socket; it needs encryption; it has a login, so it has authentication; it has its own idea of role-based access control; it has its own config file. So, if you want to do cloud computing properly, so you got to have this expertise on your team, how to configure those four pillars of access for every layer in your stack. That is really the pain. And the Teleport value is that we're letting you do it in one place.
We're saying, consolidate all of these four access pillars in one location. That's really what we do. It's not like we invented a better way to authorize, or authenticate; no, we natively integrate with the cake, with all of these different layers. But consolidation, that is the key value of Teleport because we simply remove so much pain associated with configuring all of these things. Like, think of someone like—I'm trying not to disclose any names or customers, but let's pick, uh, I don't know, something like Tesla. So, Tesla has compute all over the world.

So, how can you implement authentication, authorization, audit log, and connectivity, too, for every vehicle that's on the road? Because all of these things need software updates, they're all components of a giant machine—

Corey: They're all intermittent. You can't say, “Oh, at this time of the day, we should absolutely make sure everything in the world is connected to the internet and ready to grab the update.” It doesn't work that way; you've got to be… understand that connectivity is fickle.

Ev: So, most—and because computers growing generally, you could expect most companies in the future to be more like Tesla, so companies like that will probably want to look into Teleport technology.

Corey: This episode is sponsored in part by “you”—gabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they make it easier to have resilient, scalable, systems. SQL databases haven't kept pace though, certainly not like NoSQL databases have, like Route 53, the world's greatest database. We're still, other than that, using legacy monolithic databases that require ever growing instances of compute. Sometimes we'll try and bolt them together to make them more resilient and scalable, but let's be honest it never works out well. Consider Yugabyte DB, it's a distributed SQL database that solves basically all of this. It is 100% open source, and there's no asterisk next to the “open” on that one.
And it's designed to be resilient and scalable out of the box so you don't have to charge yourself to death. It's compatible with PostgreSQL, or “postgresqueal” as I insist on pronouncing it, so you can use it right away without having to learn a new language and refactor everything. And you can distribute it wherever your applications take you, from across availability zones to other regions or even other cloud providers should one of those happen to exist. Go to yugabyte.com, that's Y-U-G-A-B-Y-T-E dot com and try their free beta of Yugabyte Cloud, where they host and manage it for you. Or see what the open source project looks like—it's effortless distributed SQL for global apps. My thanks to Yu—gabyte for sponsoring this episode.

Corey: If we take a look at the four tenets that you've identified—connectivity, authentication, authorization, and audit—it makes perfect sense. It is something that goes back to the days when computers were basically glorified pocket calculators as opposed to my pocket calculator now being basically a supercomputer. Does that change as you hit cloud-scale where we have companies that are doing what seem to be relatively pedestrian things, but also having 100,000 EC2 instances hanging out in AWS? Does this add additional levels of complexity on top of those four things?

Ev: Yes. So, there is one that I should have mentioned earlier. So, in addition to software, hardware, and people-ware—so those are three things that are exploding, more compute, more software, more engineers needing access—there is one more dimension that is kind of unique, now, at the scale that we're in today, and that's time. So, let's just say that you are a member of a really privileged group like you're a DBA, or maybe you are a chief security officer, so you should have access to a certain privileged database. But do you really use that access 24/7, all the time?
No, but you have it.So, your laptop has an ability, if you type certain things into it, to actually receive credentials, like, certificates to go and talk to this database all the time. It's an anti-pattern that is now getting noticed. So, the new approach to access is to make a tie to an intent. So, by default, no one in an organization has access to anything. So, if you want to access a database, or a server, or Kubernetes cluster, you need to issue what's called ‘access request.'It's similar to pull request if you're trying to commit code into Git. So, you send an access request—using Teleport for example; you could probably do it some other way—and it will go into something like Slack or PagerDuty, so your team members will see that, “Oh, Corey is trying to access that database, and he listed a ticket number, like, some issue he is trying to troubleshoot with that particular database instance. Yeah, we'll approve access for 30 minutes.” So, then you go and do that, and the access is revoked automatically after 30 minutes. So, that is this new trend that's happening in our space, and it makes you feel nice, too, it means that if someone hacks into your laptop at this very second, right after you finished authenticating and authorization, you're still okay because there is no access; access will be created for you if you request it based on the intent, so it dramatically reduces the attack surface, using time as additional dimension.Corey: The minimum viable permission to do a thing. In principle, least-access is important in these areas. It's like, “Oh, yeah, my user account, you mean root?” “Yeah, I guess that works in a developer environment,” looks like a Docker container that will be done as soon as you're finished, but for most use cases—and probably even that one—that's not the direction to go in. 
Having things scoped down and—Ev: Exactly.Corey: —not just by what the permission is, but by time.Ev: Exactly.Corey: Yeah.Ev: This system basically allows you to move away from root-type accounts completely, for everything. So, which means that there is no root to attack anymore.Corey: What really strikes me is how, I guess, different aspects of technology that this winds up getting to. And to illustrate that in the form of question, let me go back to my own history because, you know, let's make it about me here. I've mentioned it before on the show, but I started off my technical career as someone who specialized in large-scale email systems. That was a niche I found really interesting, and I got into it. So did you.I worked on running email servers, and you were the CEO and co-founder of Mailgun, which later you sold the Rackspace. You're a slightly bigger scale than I am, but it was clear to me that even then, in the 2006 era when I was doing this, that there was not going to be the same need going forward for an email admin at every company; the cloudification of email had begun, and I realized I could either dig my heels in and fight the tide, or I could find other things to specialize in. And I've told that part of the story, but what I haven't told is that it was challenging at first as I tried to do that because all the jobs I talked to looked at my resume and said, “Ah, you're the email admin. Great. We don't need one of those.”It was a matter of almost being pigeonholed or boxed into the idea of being the email person. I would argue that Teleport is not synonymous with email in any meaningful sense as far as how it is perceived in the industry; you are very clearly no longer the email guy. Does the idea being boxed in, I guess—Ev: [laugh].Corey: —[unintelligible 00:27:05] resonate at all with you? And if so, how did you get past it?Ev: Absolutely. The interesting thing is, before starting the Mailgun, I was not an email person. 
I would just say that I was just general-purpose technologist, and I always enjoyed building infrastructure frameworks. Basically, I always enjoyed building tools for other engineers. But then gotten into this email space, and even though Mailgun was a software product, which actually had surprisingly huge, kind of, scalability requirements early on because email is much heavier than HTTP traffic; people just send a lot of data via emails.So, we were solving interesting technical challenges, but when I would meet other engineers, I would experience the exact same thing you did. They would put me into this box of, “That's an email guy. He knows email technology, but seemingly doesn't know much about scaling web apps.” Which was totally not true. And it bothered me a little bit.Frankly, it was one of the reasons we decided to get acquired by Rackspace because they effectively said, “Why don't you come join us and we'll continue to operate as independent company, but you can join our cloud team and help us reinvent cloud computing.” It was really appealing. So, I actually moved to Texas after acquisition; I worked on the Rackspace cloud team for a while. So, that's how my transition from this being in the email box happened. So, I went from an email expert to just generally cloud computing expert. And cloud computing expert sounds awesome, and it allows me to work—Corey: I promise, it's not awesome—Ev: [laugh].Corey: —for people listening to this. Also, it's one of those, are you a cloud expert? Everyone says no to that because who in the world would claim that? It's so broad in so many different expressions of it. Because you know the follow-up question to anyone who says, “Yeah,” is going to be some esoteric thing about a system you've never heard of before because there's so many ridiculous services across totally different providers, of course, it's probably a thing. Maybe it's actually a Pokemon, we don't know. 
But it's hard to consider yourself an expert in this. It's like, “Well, I have some damage from [laugh] getting smacked around by clouds and, yeah, we'll call that expertise; why not?”Ev: Exactly. And also how frequently people mispronounce, like, cloud with clown. And it's like, “Oh, I'm clown computing expert.” [laugh].Corey: People mostly call me a loud computing expert. But that's a separate problem.Ev: But the point is that if you work on a product that's called cloud, so you definitely get to claim expertise of that. And the interesting thing that Mailgun being, effectively, an infrastructure-level product—so it's part of the platform—every company builds their own cloud platform and runs it, and so Teleport is part of that. So, that allowed us to get out of the box. So, if you working on, right now we're in the access space, so we're working closely with Kubernetes community, with Linux kernel community, with databases, so by extension, we have expertise in all of these different areas, and it actually feels much nicer. So, if you are computing security access company, people tend to look at you, it's like, “Yeah, you know, a little bit of everything.” So, that feels pretty nice.Corey: It's of those cross-functional things—Ev: Yeah, yeah.Corey: —whereas on some level, you just assume, well, email isn't either, but let's face it: email is the default API that everything, there's very little that you cannot configure to send email. The hard part is how to get them to stop emailing you. But it started off as far—from my world at least—the idea that all roads lead to email. In fact, we want to talk security, a long time ago the internet collectively decided one day that our email inbox was the entire cornerstone of our online identity. 
Give me access to your email, I, for all intents and purposes, can become you on the internet without some serious controls around this.So, those conversations, I feel like they were heading in that direction by the time I left email world, but it's very clear to me that what you're doing now at Teleport is a much clearer ability to cross boundaries into other areas where you have to touch an awful lot of different things because security touches everything, and I still maintain it has to be baked-in and an intentional thing, rather than, “Oh yeah, we're going to bolt security on after the fact.” It's, yeah, you hear about companies that do that, usually in headlines about data breaches, or worse. It's a hard problem.Ev: Actually, it's an interesting dilemma you're talking about. Is security built-in into everything or is it an add-on? And logically—talk to anyone, and most people say, “Yeah, it needs to be a core component of whatever it is you're building; making security as an add-on is not possible.” But then reality hits in, and the reality is that we're running on—we're standing on the shoulder of giants.There is so much legacy technologies that we built this cloud monster on top of… no, nothing was built in, so we actually need to be very crafty at adding security on top of what we already have, if we want to take advantage of all this pre-existing things that we've built for decades. So, that's really what's happening, I think, with security and access. So, if you ask me if Teleport is a bolt-on security, I say, “Yes, we are, but it works really well.” And it's extremely pragmatic and reasonable, and it gives you security compliance, but most of all, very, very good user experience out of the box.Corey: It's amazing to me how few security products focus on user experience out of the box, but they have to. You cannot launch or maintain a security product successfully—to my mind—without making it non-adversarial to the user. 
The [days of security is no 00:32:26] are gone.Ev: Because of that human element insecurity. If you make something complicated, if you make something that's hard to reason about, then it will never be secure.Corey: Yeah.Ev: Don't copy-paste IP table rules without understanding what they do. [laugh].Corey: Yeah, I think we all have been around long enough in data center universes remember those middle of the night drives to the data center for exactly that sort of thing. Yeah, it's one of those hindsight things of, set a cron job to reset the IP table rules for, you know, ten minutes from now in case you get this hilariously wrong. It's the sort of thing that you learn right after you really could have used that knowledge. Same story. But those are the easy, safe examples of I screwed up on a security thing. The worst ones can be company-ending.Ev: Exactly, yeah. So, in this sense, when it comes to security, and access specifically, so this old Python rule that there is only one way to do something, it's the most important thing you can do. So, when it comes to security and access, we basically—it's one of the things that Teleport is designed around, that for all protocols, for all different resources, from SSH to Kubernetes to web apps to databases; we never support passwords. It's not even in the codebase. No, you cannot configure Teleport to use passwords.We never support things like public keys, for example, because it's just another form of a password. It's just extremely long password. So, we have this approach that certificates, it's the best method because it supports both authentication and authorization, and then you have to do it for everything, just one way of doing everything. And then you apply this to connectivity: so there is a single proxy that speaks all protocols and everyone goes to that proxy. 
Then you apply the same principle to audit: there is one audit where everything goes into.So, that's how this consolidation, that's where the simplicity comes down to. So, one way of doing something; one way of configuring everything. So, that's where you get both ease of use and security at the same time.Corey: One last question that I want to ask you before we wind up calling this an episode is that I've been using Teleport as a reference for a while when I talk to companies, generally in the security space, as an example of what you can do to tell a story about a product that isn't built on fear, uncertainty, and doubt. And for those who are listening who don't know what I'm referring specifically, I'm talking about pick any random security company and pull up their website and see what it is that they talk about and how they talk about themselves. Very often, you'll see stories where, “Data breaches will cost you extraordinary piles of money,” or they'll play into the shame of what will happen to your career if you're named in the New York Times for being the CSO when the data gets breached, and whatnot. But everything that I've seen from Teleport to date has instead not even gone slightly in that direction; it talks again and again, in what I see on your site, about how quickly it is to access things, access that doesn't get in the way, easily implement security and compliance, visibility into access and behavior. It's all about user experience and smoothing the way and not explaining to people what the dire problems that they're going to face are if they don't care about security in general and buy your product specifically. It is such a refreshing way of viewing storytelling around a security product. How did you get there? And how do I make other people do it, too?Ev: I think it just happened organically. Teleport originally—the interesting story of Teleport, it was not built to be sold. 
Teleport was built as a side project that we started for another system that we were working on at the time. So, there was a autonomous Kubernetes platform called Grá—it doesn't really matter in this context, but we had this problem that we had a lot of remote sites with a lot of infrastructure on them, with extremely strict security and compliance requirements, and we needed to access those sites or build tools to access those sites. So, Teleport was built like, okay, it's way better than just stitching a bunch of open-source components together because it's faster and easier to use, so we're optimizing for that.And as a side effect of that simplification, consolidation, and better user experience is a security compliance. And then the interesting thing that happened is that people who we're trying to sell the big platform to, they started to notice about, “Oh, this access thing you have is actually pretty awesome. Can we just use that separately?” And that's how it turned into a product. So, we built an amazing secure access solution almost by accident because there was only one customer in mind, and that was us, in the early days. So yeah, that's how you do it, [laugh] basically. But it's surprisingly similar to Slack, right? Why is Slack awesome? Because the team behind it was a gaming company in the beginning.Corey: They were trying to build a game. Yeah.Ev: Yeah, they built for themselves. They—[laugh] I guess that's the trick: make yourself happy.Corey: I think the team founded Flickr before that, and they were trying to build a game. And like, the joke I heard is, like, “All right, the year is 2040. Stuart and his team have now raised $8 billion trying to build a game, and yet again it fails upward into another productivity tool company, or something else entirely that”—but it's a recurring pattern. Someday they'll get their game made; I have faith in them. 
But yeah, building a tool that scratches your own itch is either a great path or a terrible mistake, depending entirely upon whether you first check and see if there's an existing solution that solves the problem for you. The failure mode of this is, “Ah, we're going to build our own database engine,” in almost every case.Ev: Yeah. So just, kind of like, interesting story about the two, people will [unintelligible 00:38:07] surprised that Teleport is a single binary. It's basically a drop-in replacement that you put on a box, and it runs instead of sshd. But it wasn't initially this way. Initially, it was [unintelligible 00:38:16], like, few files in different parts of a file system. But because internally, I really wanted to run it on a bunch of Raspberry Pi's at home, and it would have been a lot easier if it was just a single file because then I just could quickly update them all. So, it just took a little bit of effort to compress it down to a single binary that can run in different modes depending on the key. And now look at that; it's a major benefit that a lot of people who deploy Teleport on hundreds of thousands of pieces of infrastructure, they definitely taking advantage of the fact that it's that simple.Corey: Simplicity is the only thing that scales. As soon as it gets complex, it's more things to break. Ev, thank you so much for taking the time to sit with me, yet again, to talk about Teleport and how you're approaching things. If people want to learn more about you, about the company, about the product in all likelihood, where can they go?Ev: The easiest place to go would be goteleport.com where you can find everything, but we're also on GitHub. If you search for Teleport in GitHub, you'll find this there. 
So, join our Slack channel, join our community mailing list and most importantly, download Teleport, put it on your Raspberry Pi, play with it and see how awesome it is to have the best industry, best security practice, that don't get in the way.Corey: I love the tagline. Thank you so much, once again. Ev Kontsevoy, co-founder and CEO of Teleport. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with a comment that goes into a deranged rant about how I'm completely wrong, and the only way to sell security products—specifically yours—is by threatening me with the New York Times data breach story.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Futurice Tech Weeklies
A Beginner's Guide to OpenID Connect
Jul 2, 2021 · 22:13

Lessons learned from moving futuLog to Okta

In 2020, we built futuLog, an internal tool to help us manage office usage during the pandemic. With futuLog, employees can book a slot at the office to make sure they'll have space under the pandemic restrictions. We decided early on that eventually we want to open source futuLog. But making something open source takes more than just changing the repository to public. What use would futuLog be to others if it required Futurice infrastructure to actually run?

For instance, to build futuLog quickly we used playswarm, an internal environment that takes care of authentication and hosting. While the hosting part is easy, having single sign-on for all Futurice employees is not.

So as a step towards open sourcing it, Jan spent the last month implementing and debugging the OpenID Connect protocol that allows futuLog to talk to Okta and similar identity services directly. This talk is a collection of lessons learned in the journey that took Jan from knowing nothing about OpenID to deploying it to production.

Presenter: Jan van Brügge

Cloud Gossip
Cloud identities and the transformation of cloud advocacy, with Christos Matskas
Jun 28, 2021 · 43:07

Guest bio
Christos Matskas is a Senior Program Manager working as a Developer Advocate for the Microsoft Identity Division. His role involves helping developers write more secure and robust software, leveraging the power of Identity and Cloud. Before joining Microsoft, he was a successful entrepreneur collaborating with companies such as MarkIT, Lockheed Martin, and Barclays. He routinely works with Azure Active Directory, MS Graph, and Managed Identities, and he's got 15 years of experience writing software on the .NET stack. Christos contributes regularly to numerous OSS projects and works closely with the developer community to make the space bigger and better. He's also a dad, husband, speaker, and passionate streamer.

Timestamps
0:45 Speakers introduction
1:37 Christos's typical day
3:12 The transformation of cloud advocacy
7:08 Which accounts to follow on TikTok/Discord
8:51 External and internal communication
13:21 Managed Identities
19:47 Microsoft.Identity.Web library
23:47 Securing cloud identity in the future
29:57 Managed Identity in Cosmos DB
32:29 Future of tech
37:30 Diversity and inclusion
40:49 Community
42:05 Episode wrap-up

Connect with Christos on:
https://cmatskas.com
https://twitter.com/christosmatskas
https://www.linkedin.com/in/christosmatskas/
https://www.instagram.com/cmatskas/?hl=en
https://github.com/cmatskas

Connect with Cloud Gossip on:
https://www.cloudgossip.net
https://www.linkedin.com/company/cloud-gossip
https://twitter.com/CloudGossipnet

Connect with Annie on:
https://twitter.com/AnnieTalvasto
https://www.linkedin.com/in/talvasto/

Connect with Karl on:
https://twitter.com/karlgots
https://www.linkedin.com/in/karlots/

Thanks for listening to Cloud Gossip! You can find us at our website CloudGossip.net. Please leave us a review and subscribe to us on iTunes, Google, or Spotify!

Pensieri in codice
Ep.57 - Sharing information and identity securely: OAuth 2.0 and OpenID Connect
May 6, 2021 · 21:15

There are tools and features we use every day, sometimes without even realising it, about which we nonetheless know very little. OAuth and OpenID Connect are two such protocols: they let us share information and identity between different sites, saving us time and effort. In this episode we try to understand how they work.

Links from today's episode:
OAuth 2.0 - https://oauth.net/2/
An Illustrated Guide to OAuth and OpenID Connect - https://tumblr.giaguaroblu.it/post/188612484387/an-illustrated-guide-to-oauth-and-openid-connect

Official Pensieri in codice site - https://pensieriincodice.it

To support the project:
Buy on Amazon* - https://amzn.to/2MGITWk
Wish list - https://pensieriincodice.it/360s8Kx

Equipment:
Shure MV7 USB podcast microphone* - https://amzn.to/3862ZRf
* Affiliate link: the cost of any purchase will not be higher for you, but Amazon will pass a small share of the proceeds to me.

My social projects:
Pensieri in codice - https://pensieriincodice.it
Twitch channel - https://valeriogalano.it/twitch
Daredevel blog - https://valeriogalano.it/daredevel
Newsletter - https://valeriogalano.it/newsletter

To stay up to date:
Telegram channel - https://pensieriincodice.it/canaletelegram
Instagram profile - https://valeriogalano.it/instagram
Twitter profile - https://valeriogalano.it/twitter

To join the discussion:
Telegram group - http://bit.ly/joinPicTelegram

Professional services:
Private lessons on Docety - https://valeriogalano.it/docety
Professional consulting - https://valeriogalano.it

Credits:
Intro voice - Costanza Martina Vitale
Music - Kubbi - Up In My Jam
Music - Light-foot - Moldy Lotion

todo:cast - Entwickler Podcast
Episode 20: Identity, OAuth 2.0 and OpenID Connect
Apr 10, 2021 · 45:52

Since we want to give our users simple yet secure access to our applications, there is no way around the topic of identity management. Here we should rely on established standards such as OAuth 2.0 and OpenID Connect. In this episode we first look at the topic in general and then discuss the various flows the standards prescribe. Even those who are not planning a complete in-house identity management implementation, but instead rely on service providers, should have an overview of the different paths to authentication and authorization. You can reach us on Twitter at twitter.com/robinmanuelt and twitter.com/maltelantin

Links:
Okta: https://www.okta.com/
ORY: https://www.ory.sh/
Video "OAuth 2.0 and OpenID Connect (in plain English)" by Nate Barbettini: https://youtu.be/996OiexHze0
OAuth2 with PKCE for Mobile Apps and Single Page Apps: https://www.ory.sh/oauth2-for-mobile-app-spa-browser/
AppAuth SDK: https://appauth.io/
JWT.io: https://jwt.io/
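The PKCE extension that the linked ORY article covers, as an added example that is not code from the todo:cast episode or from any project it links to: the client generates a code_verifier and its S256 code_challenge, sends the challenge with the authorization request, and the token endpoint recomputes the challenge from the verifier when the code is redeemed. Python standard library only; the authorize endpoint, client_id and redirect_uri are placeholders, and the small AuthorizationServer class is a stand-in for a real provider, not anyone's product.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE use it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for the S256 method."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            challenge: str, state: str, nonce: str,
                            scope: str = "openid profile") -> str:
    """Authorization request the client redirects the browser to.
    'state' ties the callback to this session (CSRF defence); 'nonce' ends up in the ID token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Toy stand-in for the provider: stores the challenge with each issued code."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge

    def issue_code(self, challenge: str, method: str) -> str:
        if method != "S256":
            # 'plain' sends the verifier itself as the challenge; it protects nothing.
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = challenge
        return code

    def redeem_code(self, code: str, verifier: str) -> bool:
        """Token endpoint check: recompute the challenge from the presented verifier."""
        challenge = self._pending.pop(code, None)  # codes are single-use, even on failure
        if challenge is None:
            return False
        if not 43 <= len(verifier) <= 128:
            return False
        return hmac.compare_digest(code_challenge_s256(verifier), challenge)


if __name__ == "__main__":
    # Placeholder endpoint and client values, not a real provider.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorization_url("https://op.example/authorize", "demo-client",
                                  "https://app.example/callback", challenge,
                                  state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16)))
    server = AuthorizationServer()
    code = server.issue_code(challenge, "S256")
    print("redeemed with the right verifier:", server.redeem_code(code, verifier))
```

The verifier never leaves the client until the code is redeemed, so an attacker who intercepts the authorization code (the mobile-app scenario the linked article discusses) cannot exchange it. The test vector from RFC 7636 Appendix B checks the S256 computation.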

School of Cloud
Amazon Cognito
Feb 26, 2021 · 20:21

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

Twitter feedback: https://twitter.com/schoolofcloud

Master of None
Demystifying OAuth and OpenID Connect
Feb 1, 2021 · 49:31

Authentication and authorization as concepts have been around for a long time. OAuth is the most standard way in which authorization is implemented, and OpenID Connect is the preferred mechanism for authentication. In this podcast, we demystify OAuth and OpenID Connect: why, what and how. We briefly touch upon the history of authentication, OAuth grants, scopes and claims. We also discuss the different types of tokens, like the ID token, access token and refresh tokens. We also briefly touch upon the differences between cookies and tokens, and finally end with how an API validates these tokens. I hope you find the topics discussed in this episode useful.
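The token validation step this episode closes with, as an added example that is not code from the podcast: a relying party parses the compact JWS, refuses anything outside an explicit algorithm allowlist, checks the signature in constant time, and only then checks iss, aud (with azp when several audiences are present), exp, iat and nonce. It uses only the Python standard library, so the token is HS256-signed with a constructed client secret, which OpenID Connect Core permits; verifying RS256 or ES256 against the provider's JWKS is the same procedure with a different signature check. The issuer URL, client_id and secret are constructed values, not a real provider.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}  # explicit allowlist: never let the token's own header choose


class TokenError(Exception):
    """Any condition under which the ID token must be rejected."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_id_token(claims: dict, secret: bytes) -> str:
    """What the provider does: header.payload.signature over base64url segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
                b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(segments).encode("ascii")
    segments.append(b64url_encode(_sign(signing_input, secret)))
    return ".".join(segments)


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker submits hoping the verifier honours alg=none."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def validate_id_token(token: str, *, secret: bytes, issuer: str, client_id: str,
                      nonce: str, now=None, leeway: int = 60) -> dict:
    """Return the claims if every check passes; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError) as exc:
        raise TokenError(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("header and payload must be JSON objects")
    if header.get("alg") not in ALLOWED_ALGS:  # rejects 'none' and algorithm confusion
        raise TokenError(f"unacceptable alg {header.get('alg')!r}")
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise TokenError("multiple audiences but azp missing or not this client")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("token expired")
    if not isinstance(iat, int) or iat > now + leeway:
        raise TokenError("token issued in the future")
    if claims.get("nonce") != nonce:  # binds the token to the login attempt that requested it
        raise TokenError("nonce mismatch")
    return claims


def is_rejected(token: str, **kwargs) -> bool:
    """True when validate_id_token refuses the token; convenient for checks."""
    try:
        validate_id_token(token, **kwargs)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    # Constructed values: not a real provider, client or secret.
    secret = b"constructed-client-secret-for-demo-only"
    claims = {"iss": "https://op.example", "sub": "user-123", "aud": "demo-client",
              "iat": 1_700_000_000, "exp": 1_700_000_600, "nonce": "n-0S6_WzA2Mj"}
    checks = dict(secret=secret, issuer="https://op.example", client_id="demo-client",
                  nonce="n-0S6_WzA2Mj", now=1_700_000_100)
    print("subject:", validate_id_token(issue_id_token(claims, secret), **checks)["sub"])
    print("alg=none rejected:", is_rejected(forge_unsigned_token(claims), **checks))
```

The order matters: signature before claims, so an attacker never gets to influence which branch of the claim checks runs with unauthenticated data. The aud check is also what stops an ID token minted for one client from being replayed as if it were an access token for your API.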

Let's Talk About Digital Identity
The Domains of Identity and SSI with "Identity Woman", Kaliya Young – Podcast Episode 36
Jan 6, 2021 · 30:27

Let's Talk About Digital Identity with Kaliya Young – consultant, conference organiser, author, activist. In episode 36, Kaliya and Oscar discuss the long-running Internet Identity Workshop (IIW) that she co-founded, the effects of moving to virtual identity conferences in 2020, insights from Kaliya's books - 'The Domains of Identity', newly published in 2020, and 'A Comprehensive Guide to Self Sovereign Identity' – plus some great tips for all business leaders on how to view the role of identity in their organisation. "I think we may be selling self-sovereign identity all wrong. It should be infinitely scalable, low-cost federation. That's really powerful!" Kaliya Young is the author of two books “The Domains of Identity” and “A Comprehensive Guide to Self Sovereign Identity”. For the past 15 years, she has been working to catalyse the creation of a layer of identity for people based on open standards. She co-founded the Internet Identity Workshop (IIW) in 2005 to bring together technologists who want to see decentralised identity come into being. In the fifteen years their community has been meeting, they have created standards being used all over the internet, like OpenID Connect and OAuth. In 2012 she was recognised as a Young Global Leader by the World Economic Forum. The next IIW is in April. Sign up on Eventbrite. Kaliya is widely recognised for her community leadership. She travels to Africa and Asia at least once a year to ensure the development of person-centric identity is truly global and inclusive. Most recently, she co-founded HumanFirst.Tech with Shireen Mitchell, a project focused on creating space for diverse voices and building a more inclusive industry. In 2009, she was named one of Fast Company’s Most Influential Women in Technology. Find Kaliya on Twitter @IdentityWoman and LinkedIn. Check out Kaliya's website at identitywoman.net and her podcast with Seth Goldstein, PSA Today (Privacy, Surveillance, Anonymity). 
Regular listeners of Let's Talk About Digital Identity will know that Oscar asks every guest for their top tips on how to protect our digital identities. For 2021, Oscar has a new burning question for all LTADI guests – "for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?" We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!  

INNOQ Security Podcast
OpenID Connect and SSO
Dec 21, 2020 · 70:53

OpenID Connect and SSO are often mentioned in the same breath. But what exactly is OpenID Connect? A framework, a protocol or a product? And how is it related to OAuth2? Christoph Iserlohn, Simon Kölsch and Stefan Bodewig talk about this, and about how OpenID Connect works within SSO schemes, in this episode.

The Unhandled Exception Podcast
Identity with Christos Matskas

The Unhandled Exception Podcast

Play Episode Listen Later Dec 20, 2020 70:02


In this last episode of the year, I was joined by Christos Matskas to talk all about Identity! Christos is the Program Manager for the Microsoft Identity Platform, so obviously the conversation was slightly biased towards AzureAD and B2C as an identity provider - but we also tried to cover some common identity topics, and demystify terminology such as OAuth, OpenID Connect, scopes, claims, and more! We even went a bit off-piste at the end and chatted about public speaking, languages (not programming languages), and even touched on speed reading!

Links from the show
Christos's social links: Twitter, 425 Show, Twitch, YouTube, Blog, Discord, Email
OAuth
OpenID Connect
Microsoft Identity Platform documentation
Azure B2C
JWT.MS / JWT.IO
Upstream vs downstream Twitter poll

The History of Computing
The Troubled History Of Voting Machines

The History of Computing

Play Episode Listen Later Oct 20, 2020 32:33


Voters elect officials in representative democracies who pass laws, interpret laws, enforce laws, or appoint various other representatives to do one of the above. The terms of elected officials, the particulars of their laws, the structure of courts that interpret laws, and the makeup of the bureaucracies that are necessarily created to govern are different in every country. In China, the people elect the People's Congresses who then elect the nearly 3,000 National People's Congress members, who then elect the President and State Councils. The United States has a more direct form of democracy and the people elect a House of Representatives, a Senate, and a president who the founders intentionally locked into a power struggle to keep any part of the government from becoming authoritarian. Russia is set up similarly. In fact, the State Duma, like the House in the US, is elected by the people and the 85 States, or federal subjects, then send a pair of delegates to a Federal Council, like the Senate in the US, which has 170 members. It works similarly in many countries. Some, like England, still provide for hereditary titles, such as the House of Lords - but even there, the Sovereign - currently Queen Elizabeth the second, nominates a peer to a seat. That peer is these days selected by the Prime Minister. It's weird but I guess it kinda' works. Across democracies, countries communist, socialist, capitalist, and even the constitutional monarchies practice elections. The voters elect these representatives to supposedly do what's in the best interest of the constituents. That vote cast is the foundation of any democracy. We think our differences are greater than they are, but it mostly boils down to a few percentages of tax and a slight difference in the level of expectation around privacy, whether that expectation is founded or not. 2020 poses a turning point for elections around the world.
After allegations of attempted election tampering in previous years, the president of the United States will be voted on. And many of those votes are being carried out by mail. But others will be performed in person at polling locations and done on voting machines.  At this point, I would assume that given how nearly every other aspect of American life has a digital equivalent, that I could just log into a web portal and cast my vote. No. That is not the case. In fact, we can't even seem to keep the voting machines from being tampered with. And we have physical control over those! So how did we get to such an awkward place, where the most important aspect of a democracy is so backwater. Let's start  Maybe it's ok that voting machines and hacking play less a role than they should. Without being political, there is no doubt that Russia and other foreign powers have meddled in US elections. In fact, there's probably little doubt we've interfered in theirs. Russian troll farms and disinformation campaigns are real. Paul Manafort maintained secret communications with the Kremlin. Former US generals were brought into the administration either during or after the election to make a truce with the Russians. And then there were the allegations about tampering voting machines. Now effectively stealing information about voters from Facebook using insecure API permissions. I get that. Disinformation goes back to posters in the time of Thomas Jefferson. I get that too.  But hacking voting machines. I mean, these are vetted, right? For $3,000 to $4,500 each and when bought in bulk orders of 16,000 machines like Maryland bought from Diebold in 2005, you really get what you pay for, right? Wait, did you say 2005? Let's jump forward to 2017. That's the year DefCon opened the Voting Machine Hacking Village. And in 2019 not a single voting machine was secured. 
In fact, one report from the conference said “we fear that the 2020 presidential elections will realize the worst fears only hinted at during the 2016 elections: insecure, attacked, and ultimately distrusted.” I learned to pick locks, use L0phtCrack, run a fuzzer, and so much more at DefCon. Now I guess I've learned to hack elections. So again, every democracy in the world has one thing it just has to get right, voting. But we don't. Why? Before we take a stab at that, let's go back in time just a little.  The first voting machine used in US elections was a guy with a bible. This is pretty much how it went up until the 1900s in most districts. People walked in and told an election official their vote, the votes were tallied on the honor of that person, and everyone got good and drunk. People love to get good and drunk. Voter turnout was in the 85 percent range. Votes were logged in poll books. And the person was saying the name of the official they were voting for with a poll worker writing their name and vote into a pollbook. There was no expectation that the vote would be secret. Not yet at least. Additionally, you could campaign at the polling place - a practice now illegal in most places. Now let's say the person taking the votes fudged something. There's a log. People knew each other. Towns were small. Someone would find out.  Now digitizing a process usually goes from vocal or physical to paper to digital to database to networked database to machine learning. It's pretty much the path of technological determinism. As is failing because we didn't account for adjacent advancements in technology when moving a paper process to a digital process. We didn't refactor around the now-computational advances. Paper ballots showed up in the 1800s. Parties would print small fliers that looked like train tickets so voters could show up and drop their ballot off. Keep in mind, adult literacy rates still weren't all that high at this point. 
One party could print a ticket that looked kinda' like the others. All kinds of games were being played. We needed a better way. The 1800s were a hotbed of invention. 1838 saw the introduction of a machine where each voter got a brass ball which was then dropped in a machine that used mechanical counters to increment a tally. Albert Henderson developed a precursor to a computer that would record votes using a telegraph that printed ink in a column based on which key was held down. This was in 1850 with US Patent 7521. Edison took the idea to US Patent 90,646 and automated the counters in 1869. Henry Spratt developed a push-button machine. Anthony Beranek continued on with that but made one row per office and reset after the last voter, similar to how machines work today. Jacob Meyers built on Beranek's work and added levers in 1889 and Alfred Gillespie made the levered machine programmable. He and others formed the US Standard Voting Machine Company and slowly grew it. But something was missing and we'll step back a little in time. Remember those tickets and poll books? They weren't standardized. The Australians came up with a wacky idea in 1858 to standardize on ballots printed by the government, which made it to the US in 1888. And like many things in computing, once we had a process on paper, the automation of knowledge work, or tabulating votes, would soon be ready to take into computing. Herman Hollerith brought punched card data processing to the US Census in 1890 and punch cards - his company would merge with others at the time to form IBM. Towards the end of the 1890s John McTammany had added the concept that voters could punch holes in paper to cast votes and even went so far as to add a pneumatic tabulation. They were using rolls of paper rather than cards. And so IBM started tabulating votes in 1936 with a dial based machine that could count 400 votes a minute from cards.
Frank Carrell at IBM got a patent for recording ballot choices on standardized cards. The stage was set for the technology to meet paper. By 1958 IBM had standardized punch cards to 40 columns and released the Port-A-Punch so that people in the field could punch information into a card to record findings and then bring it back to a computer for processing. Based on that, Joseph Harris developed the Votomatic punched cards in 1965 and IBM licensed the technology. In the meantime, a science teacher, Reynold Johnson, had developed Mark Sense in the 1930s, which over time evolved into optical mark recognition, allowing us to fill in bubbles with a pencil. So rather than punch holes we could vote by filling in a bubble on a ballot. All the pieces were in place and the technology slowly proliferated across the country, representing over a third of votes when Clinton beat Dole and Ross Perot in 1996. And then 2000 came. George W. Bush defeated Al Gore in a bitterly contested and narrow margin. It came down to Florida and issues with the ballots there. By some tallies as few as 300 people decided the outcome of that election. Hanging chads are little pieces of paper that don't get punched out of a card. Maybe unpunched holes in just a couple of locations caused the entire election to shift between parties. You could get someone drunk or document their vote incorrectly when it was orally provided in the early 1800s or provide often illiterate people with mislabeled tickets prior to the Australian ballots. But this was the first time since the advent of the personal computer, when most people in the US had computers in their homes and when the Internet bubble was growing by the day, that there was a problem with voting ballots and suddenly people started wondering why we're still using paper. The answer isn't as simple as the fact that the government moves slowly. I mean, the government can't maintain the rate of technical innovation and progress anyways.
But there are other factors as well. One is secrecy. Anywhere that has voting will eventually have some kind of secret ballots. This goes back to the ancient Greeks but also the French Revolution. Secret ballots came to the UK in the 1840s with the Chartists and to the US after the 1884 election. As the democracies matured, the concept of voting rights matured and secret ballots were part of that. Making sure a ballot is secret means we can't just allow any old person to look at a ballot. Another issue is decentralization. Each state selects its own machines and system and sets dates and requirements. We see that with the capacity and allocation of mail-in voting today. Another issue is cost. Each state also has a different budget. Meaning that there are disparities between how well a given state can reach all voters. When we go to the polls we usually work with volunteers. This doesn't mean voting isn't big business. States (and countries) have entire bureaucracies around elections. Bureaucracies necessarily protect themselves. So why not have a national voting system? Some countries do. Although most use electronic voting machines in polling places. But maybe something based on the Internet? Security. Estonia tried a purely Internet vote and due to hacking and malware it was determined to have been a terrible idea. That doesn't mean we should not try again. The response to the 2000 election results was the Help America Vote Act of 2002 to define standards managed by the Election Assistance Commission in the US. The result was the proliferation of new voting systems. ATM machine maker Diebold entered the US election market in 2002 and quickly became a large player. The CEO ended up claiming he was “committed to helping Ohio deliver its electoral votes to” Bush. They accidentally leaked their source code due to a misconfigured server and they installed software patches that weren't approved.
In short, it was a typical tech empire that grew too fast and had issues we've seen with many companies. Just with way more on the line. After a number of transitions between divisions and issues, the business unit was sold to Election Systems & Software, now with coverage over 42 states. And having sold hundreds of thousands of voting machines, they now have over 60% of the market share in the US. That company goes back to the dissolution of a ballot tabulation division of Westinghouse and the Votronic. They are owned by a private equity firm called the McCarthy Group. They are sue-happy though and stifling innovation. The problems are not just with ES&S. Hart InterCivic and Dominion are the next two biggest competitors, with equal issues. And no voting machine company has a great track record with security. They are all private companies. They have all been accused of vote tampering. None of that has been proven. They have all had security issues. In most of these episodes I try to focus on the history of technology or technocratic philosophy and maybe look to the future. I rarely offer advice or strategy. But there are strategies not being employed. The first strategy is transparency. In life, I assume positive intent. But transparency is really the only proof of that. Any company developing these systems should have transparent financials, provide transparency around the humans involved, provide transparency around the source code used, and provide transparency around the transactions, or votes in this case, that are processed. In an era of disinformation and fake news, transparency is the greatest protection of democracy. Providing transparency around financials can be a minefield. Yes, a company should make a healthy margin to continue innovating. That margin funds innovators and great technology. Financials around elections are hidden today because the companies are private.
Voting doesn't have to become a public utility but it should be regulated. Transparency of code is simpler to think through. Make it open source. Firefox gave us an open source web browser. Tor gave us a transparent anonymity. The mechanisms with which each transaction occurs are transparent and any person with knowledge of open source systems can look for flaws in the system. Those flaws are then corrected, as with most common programming languages and protocols, by anyone with the technical skills to do so. I'm not the type that thinks everything should be open source. But this should be. There is transparency in simplicity. The more complex a system, the more difficult to unravel. The simpler a program, the easier for anyone with a working knowledge of programming to review and, if needed, correct. So a voting system should be elegant in simplicity. Verifiability. We could look at poll books in the 1800s and punch the vote counter in the mouth if they counted our vote wrong. The transparency of the transaction was verifiable. Today, there are claims of votes being left buried in fields and fraudulent voters. Technologies like blockchain can protect against that much as currency transactions can be done in bitcoin. I usually throw up a little when I hear the term blockchain bandied about by people who have never written a line of code. Not this time. Let's take hashing as a fundamental building block. Let's say you vote for a candidate and the candidate is stored as a text field, or varchar, that is their name (or names) and the position they are running for. We can easily take all of the votes cast by a voter, store them in a json blob, commit them to a database, add a record in a database that contains the vote supplied, and then add a block in the chain to provide a second point of verification. The voter would receive a guid randomly assigned and unique to them, thus protecting the anonymity of the vote.
The micro-services here are to create a form for them to vote, capture the vote, hash the vote, commit the vote to a database, duplicate the transaction into the voting blockchain, and allow for vote lookups. Each can be exposed from an API gateway that allows systems built by representatives of voters at the federal, state, and local levels to look up their votes. We now have any person voting capable of verifying that their vote was counted. If bad data is injected at the time of the transaction the person can report the voter fraud and a separate table connecting vote GUIDs to IP addresses or any other PII can be accessed only by the appropriate law enforcement and any attempt by law enforcement to access a record should be logged as well. Votes can be captured with web portals, voting machines that have privileged access, by 1800s voice counts, etc. Here we have a simple and elegant system that allows for transparency, verifiability, and privacy. But we need to gate who can cast a vote. I have a PIN to access my IRS returns using my social security number or tax ID. But federal elections don't require paying taxes. Nextdoor sent a card to my home and I entered a PIN printed on the card on their website. But that system has many a flaw. Section 303 of the Help America Vote Act of 2002 compels the State Motor Vehicle Office in each state to validate the name, date of birth, Social Security Number, and whether someone is alive. Not every voter drives. Further, not every driver meets voting requirements. And those are different per state. And so it becomes challenging to authenticate a voter. We do so in person, en masse, at every election due to the staff and volunteers of various election precincts. In Minnesota I provided my driver's license number when I submitted my last ballot over the mail. If I moved since the last time I voted I also need a utility bill to validate my physical address. A human will verify that.
Theoretically I could vote in multiple precincts if I were able to fabricate a paper trail to do so. If I did I would go to prison.    Providing a web interface unless browsers support a mechanism to validate the authenticity of the source and destination is incredibly dangerous. Especially when state sponsored actors as destinations have been proven to be able to bypass safeguards such as https. And then there's the source. It used to be common practice to use Social Security Numbers or cards as a form of verification for a lot of things. That isn't done any more due to privacy concerns and of course due to identity theft.    You can't keep usernames and passwords in a database any more. So the only real answer here is a federated identity provider. This is where OAuth, OpenID Connect, and/or SAML come into play. This is a technology that retains a centralized set of information about people. Other entities then tie into the centralized identity sources and pull information from them. The technology they use to authenticate and authorize users is then one of the protocols mentioned.    I've been involved in a few of these projects and to be honest, they kinda' all suck. Identities would need to be created and the usernames and passwords distributed. This means we have to come up with a scheme that everyone in the country (or at least the typically ill-informed representatives we put in place to make choices on our behalf) can agree on. And even if a perfect scheme for usernames is found there's crazy levels of partisanship. The passwords should be complex but when dealing with all of the factors that come into play it's hard to imagine consensus being found on what the right level is to protect people but also in a way passwords can be remembered.    The other problem with a federated identity is privacy. Let's say you forget your password. You need information about a person to reset it. 
There's also this new piece of information out there that represents yet another piece of personally identifiable information. Why not just use a social security number? That would require a whole other episode to get into but it's not an option. Suddenly if date of birth, phone number (for two factor authentication), the status of if a human is alive or not, possibly a driver's license number, maybe a social security number in a table somewhere to communicate with the Social Security databases to update the whole alive status. It gets complicated fast. It's no less private than voter databases that have already been hacked in previous elections though. Some may argue to use biometric markers instead of all the previous whatnot. Take your crazy uncle Larry who thinks the government already collects too much information about him and tells you so when he's making off-color jokes. Yah, now tell him to scan his eyeball or fingerprint into the database. When he's done laughing at you, he may show you why he has a conceal and carry permit. And then there's ownership. No department within an organization I've seen wants to allow an identity project unless they get budget and permanent head count. And no team wants another team to own it. When bureaucracies fight it takes time to come to the conclusion that a new bureaucracy needs to be formed if we're going anywhere. Then the other bureaucracies make the life of the new one hard and thus slow down the whole process. Sometimes needfully, sometimes accidentally, and sometimes out of pure spite or bickering over power. The most logical bureaucracy in the federal government to own such a project would be the Social Security Administration or the Internal Revenue Service. Some will argue states should each have their own identity provider. We need one for taxes, social security, benefits, and entitlement programs. And by the way, we're at a point in history when people move between states more than ever.
If we're going to protect federal and state elections, we need a centralized provider of identities. And this is going to sound crazy, but the federal government should probably just buy a company who already sells an IdP (like most companies would do if they wanted to build one) rather than contract with one or build their own. If you have to ask why, you've never tried to build one yourself or been involved in any large-scale software deployments or development operations at a governmental agency. I could write a book on each.    There are newer types of options. You could roll with an IndieAuth Identity Provider, which is a decentralized approach, but that's for logging into apps using Facebook or Apple or Google - use it to shop and game, not to vote. NIST should make the standards, FedRAMP should provide assessment, and we can loosely follow the model of the European self-sovereign identity framework or ESSIF but build on top of an existing stack so we don't end up taking 20 years to get there.  Organizations that can communicate with an identity provider are called Service Providers. Only FedRAMP certified public entities should be able to communicate with a federal federated identity provider. Let's just call it the FedIdP.  Enough on the identity thing. Suffice it to say, it's necessary to successfully go from trusting poll workers to being able to communicate online. And here's the thing about all of this: confidence intervals. What I mean by this is that we have gone from being able to verify our votes in poll books and being able to see other people in our communities vote to trusting black boxes built by faceless people whose political allegiances are unknown. And as is so often the case when the technology fails us, rather than think through the next innovation we retreat back to the previous step in the technological cycle: if that is getting stuck at localized digitization we retreat back to paper. 
If it is getting stuck at taking those local repositories online we would have retreated back to the localized digital repository. If we're stuck at punch cards due to hanging chads then we might have to retreat back to voice voting. Each has a lower confidence interval than a verifiable and transparent online alternative. Although the chances of voter fraud by mail are still .00006%, close to a 5 9s. We need to move forward. It's called progress. The laws of technological determinism are such that taking the process online is the next step. And it's crucial for social justice. I've over-simplified what it will take. Anything done on a national scale is hard. And time consuming. So it's a journey that should be begun now. In the meantime, there's a DARPA prize. Given the involvement of a few key DARPA people with DefCon and the findings of voting machine security (whether the computers are online and potentially fallible or physically hackable or just plain bad) DARPA gave a prize to the organization that could develop a tamper proof, open-source voting machine. I actually took a crack at this, not because I believed it to be a way to make money but because after the accusations of interference in the 2016 election I just couldn't not. Ultimately I decided this could be solved with an app in single app mode, a printer to produce a hash and a guid, and some micro-services but that the voting machine was the wrong place for the effort and that the effort should instead be put into taking voting online. Galois theory gives us a connection between field theory and group theory. You simplify field theory problems so they can be solved by group theory. And I've oversimplified the solution for this problem. But just as with studying the roots of polynomials, sometimes simplicity is elegance rather than hubris. In my own R&D efforts I struggle to understand when I'm exuding each. The 2020 election is forcing many to vote by mail.
As with other areas that have not gotten the innovation they needed, we're having to rethink a lot of things. And voting in person at a polling place should certainly be one. As should the cost of physically delivering those ballots and the human cost to get them entered.  The election may or may not be challenged by luddites who refuse to see the technological determinism staring them in the face. This is a bipartisan issue. No matter who wins or loses the other party will cry foul. It's their job as politicians. But it's my job as a technologist to point out that there's a better way. The steps I outlined in this episode might be wrong. But if someone can point out a better way, I'd like to volunteer my time and focus to propelling it forward. And dear listener, think about this. When progress is challenged what innovation can you bring or contribute to that helps keep us from retreating to increasingly analog methods.  Herman Hollerith brought the punch card, which had been floating around since the Jacquard loom in 1801. Those were individuals who moved technology forward in fundamental ways. In case no one ever told you, you have even better ideas locked away in your head. Thank you for letting them out. And thank you for tuning in to this episode of the History of Computing Podcast. We are so, so lucky to have you.

Cyber Security Weekly Podcast
Episode 222 - Researchers disclose vulnerability - Code replay attack on the myGovID Scheme

Cyber Security Weekly Podcast

Play Episode Listen Later Sep 22, 2020


Interview with Ben Frengley (Masters student, University of Melbourne) and Vanessa Teague (CEO, Thinking Cybersecurity Pty Ltd and the A/Prof (Adj.), Australian National University) Recorded 22 September 2020. Researcher notes can be sourced from https://www.thinkingcybersecurity.com/DigitalID/ ATO Response: An ‘ATO spokesperson’ provided the following points in response: ATO systems have not been compromised or hacked. The approach identified by the researchers, to scam a user by redirecting them to a malicious phishing website requesting credentials, is a well-known and common challenge across authentication systems and is not unique to the myGovID platform. This research is not disclosing a security vulnerability of the myGovID solution or application and this type of scam can be used against most existing credential types in the online sector including passwords, SMS, physical code generators and mobile apps codes The ATO takes IT security very seriously. We remind people to protect themselves online by ensuring to never click links in emails or SMS messages purporting to be from the ATO that ask you to log in and provide personal details. If people think their myGovID or other personal identifying information has been compromised, they should call the ATO’s dedicated hotline 1800 008 540. Examples of current scams are available at www.ato.gov.au/scam The ATO works with the Australian Cyber Security Centre (ACSC) when phishing scams are detected or reported to initiate defensive action to minimise harm to the community. On background myGovID was built in accordance with the Trusted Digital Identity Framework (TDIF) which is based upon international standard OpenID Connect 1.0 and is consistent with the International Government Assurance Profile (iGov) for OpenID Connect 1.0 – Draft 02. 
Further information can be found in “TDIF: 06b – OpenID Connect 1.0 profile” As part of complying with the TDIF’s requirements, the ATO is assessed against Australian Cyber Security Centre (ACSC) guidelines including the Protective Security Policy Framework and Information Security Manual controls. Prior to releasing myGovID the ATO undertook extensive assurance assessments, including: o Multiple rounds of security penetration testing by ATO internal security teams. o Multiple rounds of security penetration testing by an independent external assessor. o Independent Information Security Registered Assessors program (IRAP) assessment. o Independent Privacy Impact Assessment. ATO continuously tests and assesses the security risk for myGovID and prioritises improvements where appropriate, any indication by a third party that ATO refuses to address security vulnerabilities is not accurate myGovID represents an improvement over other credential types in this scenario. As no password is required within the browser the scammer has not harvested any part of the credential that could be used in a later attack. In most other credential types, the scammer would learn of the user’s password. As scams are a common problem across the community when interacting online (e.g. banking, shopping, utilities, government) the ATO provides advice on how to stay safe online https://www.ato.gov.au/general/online-services/online-security/   ____________________________________________ Researcher notes - sourced from https://www.thinkingcybersecurity.com/DigitalID/ Summary We explain a replay attack on the Australian Tax Office's myGovID scheme. When a user tries to use the myGovID scheme to log in to a website under the attacker's control, the attacker can immediately log in as the user via myGovID at any other site. The attack relies on the malicious site's ability to replay the 4-digit code that the myGovID scheme displays. 
Although the attack is visible to a vigilant user who knows the protocol, we believe that most ordinary users' logins would be successfully hijacked. At the server side, the login would be indistinguishable from a legitimate login from the user, so the attack is impossible to detect (excluding surveillance-based detection by device fingerprinting, login location, etc). This video shows nontechnical users how to protect themselves. Attack scenario Suppose Alice wants to log in to nottrustworthy.com, using myGovID. In the language of the Trusted Digital Identity Framework, nottrustworthy.com is the relying party (RP), Alice is the user, the ATO provides the Identity Exchange (IdX), and myGovID is the (sole) Identity Provider (IP). The myGovID system uses a client app that Alice runs on her phone. nottrustworthy.com does not need to be an authentic RP integrated with myGovID; instead, it only needs to appear to Alice as if she can log into it using myGovID. The adversary controls nottrustworthy.com and wishes to log in fraudulently, as Alice, at some other site, which we will call AlicesTaxService.gov.au. Assume AlicesTaxService.gov.au is an authentic RP in the myGovID system, such that users can use myGovID to log in. We assume that Alice already has the myGovID app installed and is somewhat familiar with its use but not an expert in its trust assumptions. Attack details The adversary edits the web page at nottrustworthy.com to present a fake button inviting users to log in with myGovID. (It is easy to copy a button that perfectly resembles the real one.) Instead of honestly redirecting users to mygovid.gov.au, the adversary makes up a frame or page on their own website that resembles a myGovID login and asks for the user's email. Again, this could perfectly copy the real myGovID site and say "Login with your myGovID to continue." 
A diligent user who knows this should come from https://mygovid.gov.au can detect this, but unless Alice knows exactly how the protocol works there is nothing suspicious about an email address request from a website she intended to interact with.

The attack proceeds as follows. When Alice enters her email, the attacker (either by hand or in an automated way) goes to AlicesTaxService.gov.au, clicks on 'Log in with myGovID,' waits for the (honest) redirect to mygovid.gov.au, and enters Alice's email address. The myGovID system displays a 4-digit code, intended for Alice, on the mygovid.gov.au page that the adversary is reading. The attacker reads the code and replays it to Alice, on the page at nottrustworthy.com that Alice is looking at, in a way that makes it appear to be a legitimate code from myGovID. Alice reads the code and enters it into her app when requested. The attacker will now be logged in to AlicesTaxService.gov.au as Alice. In order to hide the attack completely from Alice, the attacker could show Alice a successful login at nottrustworthy.com.

The crucial design flaw is that when Alice's myGovID app receives an authorisation request and invites Alice to enter her 4-digit code, there is nothing in the app's user interface that tells her the name of the entity (RP) seeking authorisation. Alice thinks that she is consenting to log in to nottrustworthy.com. However, the myGovID system (both the IdX and the IP) is conveying the attacker's authorisation request from AlicesTaxService.gov.au.

Analysis of impact

This attack is detectable by a diligent user who understands the protocol well enough to know that they should only accept 4-digit codes from mygovid.gov.au (and knows how to check for TLS). However we believe that there are very few users in this category, because it is a counter-intuitive protocol designed to reverse the information flow relative to what users are accustomed to.
Users are generally told (from primary school) always to check carefully that they are visiting the right website when they are about to enter their login credentials. In practice maybe they do not always do this well, and most people don't know how to check for TLS, but browsers are getting better at this - for example, Firefox and Chrome both now warn when the user visits a non-TLS-protected site, or when a login and password are solicited in a way that seems suspicious. Common email clients warn when a link does not go where it looks like it goes. So most browsers and email clients put reasonable effort into thwarting the most obvious attacks on the traditional password-based information flow. This is imperfect but at least most educated people (including primary school children) are somewhat aware of the problem.

The myGovID system aims to alleviate this problem (we assume) by reversing the information flow, so users never enter their password or 4-digit code into anything except their app. This is a noble goal, but the implementation introduces another equivalent problem. The main reason this is worse than the standard redirect-to-fake-login-site attack is that the information flow is so counter-intuitive and non-standard that users are much less likely to notice - we all know we are not supposed to enter credentials into websites we do not trust, but we have no intuition about whether we are supposed to enter a number from a website we semi-trust into an app we trust. Also none of the browser-based defences against the redirect-to-fake-login attack would work against this attack. There is nothing intuitively suspicious about getting a 4-digit code from a website you were trying to log in to, when that is standard in the typical authentication process when using myGovID. The user trusts the app, so the fact that they receive a notification from the app about the login may even alleviate their concern.
A particularly knowledgeable user may notice that the code does not come from https://mygovid.gov.au, but otherwise there is nothing suspicious: neither the notification nor the code entry in the app provides any indication of which website the code applies to.

Even in normal circumstances, the myGovID protocol can be confusing to the user. Starting an authentication process at an RP, abandoning it at code entry, and starting a new authentication process at the same RP (e.g., by getting to the code entry page, then clicking the Cancel button, then entering the same email) results in an invalid code entry popup in the app, which when closed will immediately yield another, totally indistinguishable, code entry popup, which this time is valid. In that scenario both code entry popups are honest and correspond to authentic login requests at a registered and trusted RP. However, they are entirely indistinguishable: nothing indicates to the user which RP they are from, when the login was initiated, or that the first code entry popup is no longer valid and that there is a second popup awaiting user attention. Entering the code from the second login attempt at the first code entry popup yields a cryptic "Something is wrong with the code. Try again," error message with no indication of what the error is and no reason for the user to expect an error to occur. This kind of confusing user experience teaches even normally vigilant users to ignore things that might otherwise seem odd, and myGovID's lack of context for login requests exacerbates this issue, which makes this attack more concerning.

Mitigations and their impact

Short term - for users

Users are advised not to use the myGovID system until the protocol is patched. If use of the myGovID system is unavoidable, each user should check diligently that the 4-digit code they are about to enter comes from a TLS-protected URL at https://mygovid.gov.au.
This is unlikely to work in practice for most users, who will struggle to recognise a secure website with the right URL.

Short term - for government

Even if all users carefully perform the check above, a randomised version of the same attack could still be attempted: the malicious website faithfully (but with a small delay) passes the user on to the real mygovid.gov.au login site, while more quickly trying to log on as that user elsewhere. Unless there are careful protections in place to ensure that the 4-digit codes are never the same, there is a chance of 1/10,000 that the codes will match, higher if we assume an opportunity for a few guesses. Without having seen the code generation algorithm, we cannot tell whether such a mitigation is in place or not, but if not it should be added urgently.

The app should also be updated immediately with the following simple mitigation: when an authentication request is received, tell the user what website is requesting it. Technically, this is incompatible with the stated goals of the Trusted Digital Identity Framework, in which the Identity Exchange (provided by auth.ato.gov.au in our example) obscures the identity of the Relying Party (nottrustworthy.com in our example) from the Identity Provider (myGovID in our example). However, the ATO's Identity Exchange leaks the RP's identity to myGovID via the HTTP Referer header, so this information is already available and can be used as a mitigation. Hiding the RP's identity from the app seems to be a very low priority goal compared with preventing fraudulent logins. Attempting to certify trustworthy RPs would not help unless users have a simple way of checking who has been certified that can be easily included in a typical authentication process.
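The replay described under "Attack details" and the app-side mitigation proposed just above ("tell the user what website is requesting it"), modelled together as an added example. This is not code from the researchers, from the ATO or from myGovID: the exchange, the phone app and Alice's decision are a deliberately simplified model, and the site names, the 4-digit code generation and the approve/prompt API are assumptions made for illustration rather than the real protocol.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of a myGovID-style cross-device login. The names, the
# code format and the API are assumptions for illustration only; this is
# not the real protocol or any of its implementations.
VICTIM_EMAIL = "alice@example.com"
HONEST_RP = "AlicesTaxService.gov.au"
ATTACKER_SITE = "nottrustworthy.com"


@dataclass
class PendingLogin:
    request_id: str
    rp_id: str          # the RP that actually started this request
    email: str
    code: str           # 4-digit code shown on the exchange's web page
    approved: bool = False


class IdentityExchange:
    """Issues a short code per login request and approves the request when
    the user's app sends the same code back. Nothing binds the code to what
    the user believes she is logging in to: that is the flaw demonstrated."""

    def __init__(self, code_source: Optional[Callable[[], str]] = None):
        self.pending: dict[str, PendingLogin] = {}
        self._code_source = code_source or (lambda: f"{secrets.randbelow(10_000):04d}")

    def start_login(self, rp_id: str, email: str) -> PendingLogin:
        req = PendingLogin(secrets.token_hex(8), rp_id, email, self._code_source())
        self.pending[req.request_id] = req
        return req  # the browser that started the login is shown req.code

    def app_prompts(self, email: str) -> list[PendingLogin]:
        """Requests the phone app asks this account holder to approve."""
        return [r for r in self.pending.values() if r.email == email and not r.approved]

    def approve(self, request_id: str, code_entered: str) -> bool:
        req = self.pending.get(request_id)
        if req is None or req.approved or not secrets.compare_digest(req.code, code_entered):
            return False
        req.approved = True
        return True

    def rp_session_user(self, request_id: str) -> Optional[str]:
        """Who the RP's browser session is now logged in as, if anyone."""
        req = self.pending[request_id]
        return req.email if req.approved else None


def alice_accepts(prompt: PendingLogin, site_she_visited: str, app_shows_rp: bool) -> bool:
    """Alice's decision at the app prompt. Without an RP name on screen she has
    nothing to compare against and accepts; with it, she declines a request
    for a site she did not visit."""
    return not app_shows_rp or prompt.rp_id == site_she_visited


def honest_login(idx: IdentityExchange, app_shows_rp: bool = True) -> Optional[str]:
    req = idx.start_login(HONEST_RP, VICTIM_EMAIL)      # Alice herself, at the real RP
    prompt = idx.app_prompts(VICTIM_EMAIL)[0]
    if alice_accepts(prompt, HONEST_RP, app_shows_rp):
        idx.approve(prompt.request_id, req.code)         # she types the code she saw
    return idx.rp_session_user(req.request_id)


def replay_attack(idx: IdentityExchange, app_shows_rp: bool) -> Optional[str]:
    """Alice gave her email to the attacker's fake page; the attacker starts a
    genuine login at the real RP and relays the code onto the page Alice sees."""
    attacker_req = idx.start_login(HONEST_RP, VICTIM_EMAIL)
    code_shown_to_alice = attacker_req.code             # relayed via nottrustworthy.com
    prompt = idx.app_prompts(VICTIM_EMAIL)[0]           # lands on Alice's phone
    if alice_accepts(prompt, ATTACKER_SITE, app_shows_rp):
        idx.approve(prompt.request_id, code_shown_to_alice)
    return idx.rp_session_user(attacker_req.request_id)  # the attacker's session


if __name__ == "__main__":
    print("honest login:", honest_login(IdentityExchange()))
    print("replay, app hides RP:", replay_attack(IdentityExchange(), app_shows_rp=False))
    print("replay, app shows RP:", replay_attack(IdentityExchange(), app_shows_rp=True))
```

With `app_shows_rp=False` the attacker's session at the real RP ends up logged in as Alice even though every party other than Alice behaved correctly; with `app_shows_rp=True` the same code, the same prompt and the same honest exchange yield no login, because Alice can see the request came from a site she never visited. In the model the RP name is available to the app only because the exchange passes it through, which is exactly the point of tension with the TDIF design discussed above.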
Long term

In the long run, the TDIF and all its current implementations should be deprecated and replaced with an open standard such as OpenID Connect or a protocol modelled on that of a nation with an existing secure public key infrastructure such as Belgium or Estonia. The implementation and design documentation should be openly available to the Australian public to allow for the identification and responsible disclosure of other vulnerabilities. We have no reason to believe that this is the only, or the worst, vulnerability in this system. Its complex nature and the desire to hide information make enforcing and validating correct, secure behaviour close to impossible.

Responsible disclosure history

This problem was disclosed on 19th August 2020 to the Australian Signals Directorate, with an indicative expectation of a 90-day disclosure period. ASD communicated it to the ATO. At a meeting on 18th September 2020, ATO told us they did not intend to change the protocol, at which point we immediately informed them that we would make a warning to users public on Monday 21st September.

Acknowledgements

Thanks to Rod Teague and Andrew Conway for their help. Thanks also to Yaakov Smith for helpful review of this work.

Usage and Contacts

You are welcome to quote or reuse this material as long as you credit the original source. Email contact: bfrengley [at] student.unimelb.edu.au or vanessa [at] thinkingcybersecurity.com

5Minds 5Minutes
E15 - 5Minutes - IdentityServer

5Minds 5Minutes

Play Episode Listen Later Jun 12, 2020 8:52


In the 15th episode of our podcast we talk about IdentityServer. Today's guest is Marco Artz, who is currently working on our solutions for and with IdentityServer. IdentityServer is a system that takes on authentication and authorisation for software applications in a federated environment. Federated here means that these applications can be coupled across system and organisational boundaries. IdentityServer is based on the OAuth2 and OpenID Connect standards, which are widely used and supported by many other well-known companies. Our customers' requirements for the feature set of IdentityServer are so heterogeneous that we chose a flexible and extensible system architecture that can be extended dynamically with plugins. In principle it is a construction-kit system, consisting of a baseplate and many different building blocks: standard blocks, or specific blocks that can be built to customer requirements.

Phish Fryday
OAuth2 Phishing Attacks

Phish Fryday

Play Episode Listen Later Jun 4, 2020 15:17


With credential theft making up a large portion of phishing attacks, many organizations wisely turn to Multi-Factor Authentication (MFA) to protect the credentials of their employees. Attackers, however, are upping their game to continue gaining access to corporate accounts. Cofense Threat Analyst Elmer Hernandez joins us this week to discuss a particular attack observed by Cofense that leverages OAuth2 and OpenID Connect instead of passwords. Learn more: OAuth2 Attack Bypasses MFA; Google Docs Scam. Questions or comments? Reach us at phishfryday@cofense.com

Let's Talk About Digital Identity
The API Economy and the role of identity in API security with Marjukka Niinioja – Podcast Episode 20

Let's Talk About Digital Identity

Play Episode Listen Later May 6, 2020 37:08


Let's talk about digital identity with Marjukka Niinioja, co-author of API Economy 101 and Founding Partner at Osaango. Why are APIs not just a technical issue, but a business issue as well? In episode 20, Oscar chats to API guru Marjukka Niinioja about the opportunities APIs can create, how COVID-19 has highlighted the need for digitalisation, the role of identity in API security and the importance of standards like OpenID Connect. "You don't need to have an army of coders, you just need to buy the capabilities as APIs" Marjukka Niinioja is co-author of API Economy 101 book and founding partner and leading consultant at Osaango, a company specialising in API and Platform economy. Osaango has worked with several companies in Finland and abroad as well as public organisations to help them not only learn about the possibilities of API and Platform business models but also define their API and platform strategies and guide them in the implementations. For links and more information visit www.osaango.com Marjukka is also the "mother" of the lean, business-oriented and open APIOps Cycles method, creator of the open course about API Economy with Tampere University and the local organiser of APIdays Finland conferences. Visit APIOps Cycles at www.apiopscycles.com and check out the API Economy open course at Tampere University at www.osaango.academy/courses/intro-to-api-economy. For a roundup of APIdays Finland 2019, read Oscar's blog - www.ubisecure.com/api/apidays-finland-2019/ Find Marjukka on Twitter @MNiinioja and on LinkedIn. We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!  

CastOverflow
Ep. 03 - OpenID Connect

CastOverflow

Play Episode Listen Later Apr 10, 2020 2:39


In the previous episode we talked about OAuth, and in this episode we talk about OIDC, OpenID Connect! =)

Adventures in Angular
AiA 268: Secure Angular Apps with Philippe De Ryck

Adventures in Angular

Play Episode Listen Later Dec 10, 2019 53:42


In this episode of Adventures in Angular the panel interviews Philippe De Ryck. Philippe is a web security expert out of Belgium. He shares ways for Angular developers to better secure their apps. Philippe explains to the panel that his goal is not to shame developers but to inspire them to do what they can. He knows most developers are just trying to get as much done in the time that they have. In this episode, he shares ways for developers to improve the security of their apps.

The episode starts with some security scary stories. Philippe invites everyone to check out the OWASP Top Ten projects. They have lists of the top ten security measures you should be taking, and they have lists for different ecosystems and types of projects, so there is something there for everyone. Philippe explains what types of attacks are most common today.

The panel wonders how you know something is safe to install. Philippe explains that there are no guarantees. Sharing statistics, Philippe tells the panel that it is worse than they thought: each package is most likely dependent on more packages, and the odds are high that one of those packages has vulnerable code. He explains what you can do to check for those vulnerabilities and to see if they are exploitable.

Philippe shares recommendations for continuous monitoring services and other tools. He explains why Angular is the best framework for securing your apps and lists all the security features that come with Angular. He compares Angular, React, Ember, and Vue.

Philippe gives his opinion and recommendation on authentication libraries. He explains the differences between OpenID Connect and OAuth, explaining how they work. The episode ends as Philippe shares his contact information and the conferences he will be attending and speaking at.

Panelists: Aaron Frost, Jennifer Wadella, Brian Love, Alyssa Nicoll
Guest: Philippe De Ryck
Adventures in Angular is produced by DevChat.TV in partnership with Hero Devs
Sponsors: Sentry (use the code “devchat” for 2 months free on the Sentry small plan); Cachefly
Links: OWASP Top Ten Project; GitHub dependency graph; https://snyk.io; Angular and the OWASP top 10 | Philippe De Ryck; The Parts of JWT Security Nobody Talks About | Philippe De Ryck, Google Developer Expert; https://twitter.com/philippederyck; https://pragmaticwebsecurity.com; https://www.facebook.com/adventuresinangular; https://twitter.com/angularpodcast
Picks: Brian Love: Angular Ivy; Jennifer Wadella: Red vs Blue, Buttermilk-Marinated Roast Chicken; Aaron Frost: The listeners, The sponsors, The panel; Alyssa Nicoll: On a Scale of One to T-Rex; Philippe De Ryck: https://ng-be.org/

More Than Just Code podcast - iOS and Swift development, news and advice

This week we follow up on Move the Dial, how AstroPad HQ is dealing with being "Sherlocked", Apple surpasses Microsoft, and apps merged from iPad to Mac have troubles with user charges. We dig into security foibles with Google's Pixel 4 and Samsung's Galaxy 10. Apple Pay has overtaken Starbucks as a payment platform. Apple has implemented OpenID Connect with Sign in with Apple. SoftBank to Take Majority Stake in WeWork. There is a looming EMV "Y2K Moment". Picks: Dracula, a dark theme for Visual Studio Code and 50+ apps; Pixelmator Pro, on sale; Creative Things: A Collection Of Creative THINGS From Around The World. Outro by voiceover artist Mike Vinakmens. Special Guest: Mike Vinakmens.

Mac Admins Podcast
Episode 125: All The Connections, with Frederick Abeloos

Mac Admins Podcast

Play Episode Listen Later Jun 10, 2019 54:53


SYNOPSIS: Frederick Abeloos from Jamf joins us to talk all about OpenID Connect, Jamf Connect, Azure AD and all things local authentication against cloud directories.
YOUR HOSTS: Tom Bridge, Partner, Technolutionary LLC [@tbridge777]; Charles Edge, Director of Marketplace, Jamf [@cedge318]
OUR GUEST: Frederick Abeloos, Jamf
PRESENTING SPONSOR: VMWARE WORKSPACE ONE. VMware Workspace ONE empowers you with full macOS lifecycle management. Get past the hassles of legacy imaging with faster modern onboarding. Easily deliver all your native Mac app packages as well as SaaS and virtual Windows apps, and empower users with one-click single sign on. Stay on top of your security needs with complete encryption management and rich conditional access. The recognized industry leading unified endpoint management solution is your one stop for all Apple devices and apps. Learn more at www.workspaceone.com
LISTEN!
LINKS: Travelling Tech Guy; Deploy Jamf Connect; Integrating Jamf Connect Login with Azure Active Directory; OIDC; JSON Web Tokens; OAuth ROPG; Jamf Connect Verify Docs; Jamf Connect Docs; Configure Azure AD as an OpenID Connect Provider; Microsoft Graph API; Graph Explorer at Azure; Microsoft Authenticator; Configure Okta as an OpenID Connect Provider; Okta MFA app; Hardware token hacking
SUPPORTING SPONSORS: Thanks to new sponsor cmdReporter for sponsoring the Mac Admins Podcast! Use code MACADMINS at checkout, good for 50% off your first month of a Mac mini subscription!
PATREON SPONSORS: The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include Randy Wong, Chad Swartwout, Jonathan Spiva, William Smith, Justin Holt, Weldon Dodd, Jon Brown, Randy Wong, Dan Collings, Jason Dettbarn and Seb Nash. Thanks everyone!
MAC ADMINS PODCAST COMMUNITY CALENDAR, SPONSORED BY WATCHMAN MONITORING

Conference Sites (Event Name / Location / Dates / Cost):
- MacDeployment Conference / Calgary, Canada / 10-11 June 2019 / CAD$249 Early Bird until 10 May
- MacDevOps:YVR / Vancouver, Canada / 12-14 June, 2019 / $275CAD – $495CAD
- X World / Sydney, NSW, Australia / 26-28 June 2019 / $699 AUD Early Bird
- MacAdmins Conference / State College, PA / 9-12 July 2019 / $649 Early Bird until 13 May
- MacTech Conference / Los Angeles, CA / 15-18 October 2019 / $999 Early Bird til 28 June
- Jamf Nation User Conference / Minneapolis, MN / 12-14 November 2019 / $799 Early Bird Rate ($699 for EDU)

Meetups (Event Name / Location / Dates / Cost):
- San Diego Mac Admins / Karl Strauss, Downtown SD / 11 June 2019, 6:00 p.m. PT / Free
- Mac DMV / Walter’s Bar / 12 June 2019, 6:00 p.m. EDT / Free
- Atlanta Apple Admins / MacStadium / 13 June 2019, 6:00 p.m. ET / Free
- Austin Apple Admins / The Home Depot Austin Technology Center / 19 June 2019, 6:00 p.m. CT / Free
- London Apple Admins / Cloudflare / 20 June 2019, 6.30 p.m. GMT+1 (BST) / Free
- MacBrained Toronto / LoyaltyOne Atrium / 20 June 2019, 6:00 p.m. ET / Free
- NYC Jamf User Group / Apple NYC Office / 25 June 2019, 4:30 p.m. ET / Free, Must Register
- Houston Apple Admins / TBD / 17 July 2019, 5:30 p.m. CT / Free

RATE US ON ITUNES! Rate Us On Apple Podcasts!
SPONSOR MAC ADMINS PODCAST! If you’re interested in sponsoring the Mac Admins Podcast, please email podcast@macadmins.org for more information.
SOCIAL MEDIA: Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!

Reversing Climate Change
30: Alex Ortiz, Chief Blockchain Evangelist at lifeID

Reversing Climate Change

Play Episode Listen Later Jul 10, 2018 37:48


Alex Ortiz believes that technology should be used as a tool to teach, to heal, and to create personal freedom. In short, it should be used for good to make the world a better place. Alex has spent the last 11 months doing a deep dive into the blockchain space, working to build a community that can learn together and develop use cases for the technology that will improve our lives. So, what exactly is the blockchain? What are some of its possible use cases? And how might it be used to incentivize positive behavior change? Alex is the Chief Blockchain Evangelist with lifeID, a blockchain-based identity ecosystem that aims to give people the tools to own and manage their own identities online. lifeID is on a mission to facilitate secure authentication and provide a mechanism for the sharing of verified credentials rather than personal information. In his role, Alex is responsible for building critical mass adoption of and finding integration partners for the lifeID identity platform. Today, Alex joins Ross, Christophe, and Paul to explain how a Forbes article initiated his interest in the blockchain. They share the fundamentals of blockchain technology and discuss some of the most noteworthy use cases. Alex speaks to the idea behind lifeID as an open-source platform that supports self-sovereign identity technology, describing what they are working on right now. Listen in for Alex’s advice on becoming a part of the blockchain community and learn how use cases like Nori can use the blockchain to incentivize behavior change.

Resources: lifeID; lifeID on Twitter; lifeID on LinkedIn; Forbes Global Food Safety Article; Nick Szabo on the Tim Ferriss Podcast; Simon Sinek TED Talk; UN Blockchain; FunFair; Bitnation; Sweetbridge; CryptoKitties; Token Forum; Blockchain Conference Seattle 2018; IBM Blockchain Essentials Course; Blockchain Training Alliance; Hands-On Blockchain with Hyperledger by Nitin Gaur et al.; OpenID Connect; Resonate; DigitalTown; Sweatcoin

Key Takeaways
[2:15] Alex’s introduction to the blockchain: Forbes article, Tim Ferriss podcast; started Slack group through LinkedIn; inspired by Simon Sinek TED Talk; use tech as tool to teach, heal and free
[7:26] The fundamentals of the blockchain: move data efficiently via internet; transparent records as source of trust
[11:33] Noteworthy use cases for the blockchain: self-sovereign identity tech to prove credentials; UN Blockchain to feed refugees; FunFair, Bitnation and Sweetbridge; digital collectibles (e.g. CryptoKitties)
[18:46] The current evolution of the blockchain: growing community (30 projects in Seattle alone); better resources for newcomers; more specialization
[22:16] Alex’s insight on self-sovereign identity technology: accustomed to giving private info for access to services; allows for selective disclosure, data minimization; info stored locally, harder to hack than current system
[28:06] The idea of a blockchain ecosystem to support applications: issuer, holder and verifier of credentials
[30:14] How lifeID functions as blockchain infrastructure: users choose what to disclose, build in KYC offering; open-source platform for identity (vs. product company)
[31:47] What lifeID is working on right now: OpenID Connect service; build out smart contracts; partnerships with Resonate, DigitalTown
[33:45] Alex’s advice for aspiring blockchain enthusiasts: look for local community to collaborate with; find blockchain use cases you are passionate about
[35:04] The concept of monetizing positive behavior: Nori rewards carbon removal; Sweatcoin incentivizes getting fit

AWS re:Invent 2017
GPSTEC323: GPS: SaaS and OpenID Connect: The Secret Sauce of Multitenant Identity and Isolation

AWS re:Invent 2017

Play Episode Listen Later Nov 30, 2017 55:35


Identity is a foundational element of SaaS design, and getting it right can be challenging. You need a strategy that allows you to connect users to tenants, roles, and policies in a seamless model that doesn't handcuff developers. Fortunately, identity providers and OpenID Connect give us a model that equips SaaS providers with the tools they need to address all the moving parts of SaaS identity. In this session, we dive into the details of how you can use these solutions to build a robust identity solution—a solution that covers binding identities to tenants, supports tenant and system roles, and isolates tenant access. The goal here is to provide a concrete example of how to orchestrate all of these elements of the SaaS identity model on AWS.

PodCTL - Kubernetes and Cloud-Native
Security: Identity Management, RBAC, Authentication and Authorization

PodCTL - Kubernetes and Cloud-Native

Play Episode Listen Later Nov 12, 2017 25:49


Show: 15
Show Overview: Brian and Tyler continue their focus on Security with Marc Boorshtein (@mlbiam, CTO of @tremolosecurity), discussing Identity Management, Container and Kubernetes Authorization and Authentication, RBAC, and how IT teams evolve to manage security in more agile environments.
Show Notes:
- PodCTL #14 - Security: Hosts, Registries, Content and Pipelines
- [Video] Identity Management and Compliance
- [Video] DevOps Identity Management
- [Website] Tremolo Security
- 10 Layers of Container Security
- Open Source k8s SSO project
- Open Source OpenShift Identity Manager project
Topic 1 - Let’s talk about User authentication in Kubernetes: Certificate Authentication; OpenID Connect; Reverse Proxy
Topic 2 - Let’s dig into the various types of Authorizations: Overview of RBAC (Role-Based Access Control); Mapping of Roles to Users and Groups; Organizational Challenges
Topic 3 - Given that various people (Devs & Ops) interact with dashboards, how do we manage that Authentication?
Topic 4 - How are organizations evolving to keep up with this more agile form of software development and the associated security challenges?
Feedback? Email: PodCTL at gmail dot com; Twitter: @PodCTL; Web: http://podctl.com

Lately in PHP podcast
PHP 7.2 Release Date and Managers Being Chosen - 7 Minutes Lately in PHP podcast episode 82

May 25, 2017

By Manuel Lemos
PHP 7.2 development is reaching the alpha stage in June, hopefully leading to a final version released later this year. For now the release managers are being chosen, so they can start preparing to work on each alpha, beta and release candidate version. This was one of the main topics discussed by Manuel Lemos and Arturs Sosins in episode 82 of the Lately in PHP podcast. In this episode they also talked about other proposals for PHP: cache keys for stream wrappers, serialized object validation with is_string, type variants, letting range() return a generator, named parameters again, and removing the need for ; at the end of the line. They also commented on an article about promoting Open Source projects using data mining and business intelligence to boost SEO factors, and on using the OpenID Connect protocol to implement single sign-on social login systems. This article also contains a podcast summary as a text transcript and a 5 minute video of the summary. Listen to the podcast, watch the hangout video, or read the transcript text to learn more about these interesting PHP topics.

State of Identity
Open Standards: Identity’s Plumbing

Apr 24, 2017 16:49

Host Cameron D'Ambrosi is joined by Don Thibeau, President and Chairman of the Open Identity Exchange (OIX) to discuss why good open identity standards are like plumbing, the OpenID Connect self-certification program, and the future of digital identity.

no dogma podcast
#58 Brock Allen, Identity Server

Sep 12, 2016 46:31

Summary
Brock Allen talks to me about Identity Server, authentication and balancing a consulting job with an open source project.
Details
Who he is and what he does; what Identity Server is and how it works; OpenID Connect, OAuth 2, examples of the protocols; Dominick Baier; what's wrong with a username and password, single sign on; how Identity Server works, can use multiple types of authentication, federation gateway pattern, third party permissions; Identity Server users, claims, roles, authorization, policy based authorization; are they building it for Microsoft, other third party libraries Microsoft is pushing; testing Identity Server; balancing consulting and building Identity Server; release candidate.

Microsoft 365 Developer Podcast
Episode 084 on Clause Library Word add-in—Office 365 Developer Podcast

Feb 11, 2016 41:29

In this episode, Jeremy Thake talks to Brendon Ford from Provoke Solutions on the Clause Library Word add-in that integrates with SharePoint Online. The Clause Library app is a cloud-based information repository that can be accessed, searched, edited and retrieved directly from Microsoft Word. Whether you’re working on legal contracts, RFP/RFQ responses or sales proposals, your organization probably has certain phrases or clauses that are used repeatedly across multiple documents. After a painstaking review to get the perfect wording, it is difficult to ensure that information is always up-to-date and available for others. Clause Library solves this problem using the power of Office 365 and SharePoint Online: robust search functionality makes it easy to find the needed clause; with one click it can be added to the Word document you’re currently working in. New clauses can be added and existing clauses can be edited in the central cloud-based library—all from within Word. The library can easily be shared with approved people internal and external to the organization. Professional service organizations such as law firms, management consultants, agencies and architects can benefit from Clause Library: attorneys can access the most current version of legal clauses while writing contracts within Word; salespeople can develop formal proposals and statements of work utilizing corporate-approved messaging; businesses can respond to Requests for Information (RFPs) quickly utilizing phrasing that helped win prior projects.
Weekly updates
Postman and Office 365 by Liam Cleary
Retrying calls to the Microsoft Graph by Paul Schaeflein
The New Azure Converged Auth Model and Office 365 APIs by Steve Peschka
Speed up development in ‘Yo Office’ through browser-sync by Stefan Bauer
Office Dev PnP webcast—Introduction to Microsoft Graph for Office 365 developer by Vesa Juvonen
Office 365 Developer Patterns and Practices—February 2016 release by Vesa Juvonen
ngOfficeUiFabric v0.4.0 Released—two new directives and one breaking change by Andrew Connell
Angular 2 and OpenID Connect with Azure Active Directory by Scot Hillier
Show notes
Clause Library on GitHub.com
Got questions or comments about the show? Join the O365 Dev Podcast on the Office 365 Technical Network. The podcast RSS is available on iTunes: search for “Office 365 Developer Podcast” or add it directly with the RSS http://feeds.feedburner.com/Office365DeveloperPodcast.
About the hosts
Jeremy is a technical product manager at Microsoft responsible for the Visual Studio Developer story for Office 365 development. Previously he worked at AvePoint Inc., a large ISV, as the chief architect shipping two apps to the Office Store. He has been heavily involved in the SharePoint community since 2006 and was awarded the SharePoint MVP award four years in a row before retiring the title to move to Microsoft. You can find Jeremy blogging at www.jeremythake.com and tweeting at @jthake.
Richard is a software engineer in Microsoft’s Developer Experience (DX) group, where he helps developers and software vendors maximize their use of Microsoft cloud services in Office 365 and Azure. Richard has spent a good portion of the last decade architecting Office-centric solutions, many of which span Microsoft’s diverse technology portfolio. He is a passionate technology evangelist and frequent speaker at worldwide conferences, trainings and events. Richard is highly active in the Office 365 community, a popular blogger at www.richdizz.com, and can be found on Twitter at @richdizz. Richard was born, raised and is based in Dallas, TX, but works on a worldwide team based in Redmond. Richard is an avid builder of things (BoT), musician and lightning-fast runner.

All JavaScript Podcasts by Devchat.tv
197 JSJ Auth0 with Kassandra Perch

Feb 3, 2016 40:58

02:03 - Kassandra Perch Introduction (Twitter, GitHub, Blog)
02:46 - Auth0
04:10 - Centralized Auth Services: Handing Out User Data to Third Parties
05:32 - Security, Storage, and Compliance
08:48 - Managing Session Data
09:35 - Cookies vs JSON Web Tokens (JWTs); How Authentication Works
12:47 - OAuth; OpenID Connect
14:12 - Identification, Authorization, and Authentication
20:16 - Auth0 Infrastructure; Chaos Monkey
22:10 - Using Node
23:06 - The Backend; Firebase
24:25 - Documentation and Education
36:42 - The Value of OpenID Connect
38:25 - Identity
Picks
Add AJ on Tri-Force Heroes (AJ)
Making a Murderer (AJ)
Mazie's Girl Scout Digital Cookie Site (Aimee)
React (with Introduction to Flux Architecture) (Aimee)
Jordan Scales: Let’s Make A Webpage In 2016 (Jamison)
building-brooklynjs (Jamison)
Cult of the Party Parrot (Jamison)
CSS-Tricks (Jamison)
Auth0 Docs (Kassandra)
OpenID Foundation (Kassandra)
Mario & Luigi: Paper Jam (Kassandra)

The Web Platform Podcast
45: SSO, Open ID, & Anvil Connect

May 26, 2015 53:59

Identity is the missing link that connects all your users, apps, services, and devices to each other and the rest of the world. Christian Smith (@anvilhacks) is founder of Anvil Research (@AnvilResearch) and the creator of Anvil Connect, an open source authorization server built with Node.js to authenticate your users and protect your APIs.
Anvil Connect simplifies security when you have many apps and services to integrate. It acts as a broker between your apps, APIs, and a long list of OAuth providers like Google, Facebook, Twitter, and GitHub. The server works with apps written in any programming language that speaks HTTP. The code is MIT licensed and implements open standards like OAuth 2.0, OpenID Connect, and JSON Web Tokens.
Resources
Open ID - http://openid.net/
Anvil Connect - https://github.com/anvilresearch/connect
Anvil - http://anvil.io/
Anvil Gitter Channel - https://gitter.im/christiansmith/anvil-connect
Open ID Connect - http://en.wikipedia.org/wiki/OpenID_Connect
Single Sign on - http://en.wikipedia.org/wiki/Single_sign-on
OAuth3 - https://oauth3.org
JWT (JSON Web Token) - http://jwt.io/
Let's Encrypt - https://letsencrypt.org
Web Crypto - https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto
Storm Path - https://stormpath.com/
Auth0 - https://auth0.com/
Service Worker - http://www.w3.org/TR/service-workers/
Keyboot - https://github.com/substack/keyboot
scramble.io - https://scramble.io/
AJ's article on creating a CSR for HTTPS (TLS/SSL) RSA PEMs - https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/
keybase.io - https://keybase.io/
Panelists
Erik Isaksen - HTML5 Google Developer Expert & Front End Engineer at Deloitte Digital
Nick Niemeir - Partner at Good News Everyone
AJ O'Neal - JavaScript Engineer

.NET Rocks!
Identity Server with Dominick Baier and Brock Allen

Jan 20, 2015 56:34

Carl and Richard talk to Dominick Baier and Brock Allen about the new version of Thinktecture IdentityServer. As Dominick explains, as soon as you have more than one web application that needs authentication, you want to go to a centralized authentication and authorization scheme, and that's where IdentityServer comes into play. Working with OAuth2 and OpenID Connect, you can create identities for your users from Active Directory, other IMAP stores or just a plain old SQL Server. Take your authentication strategy to the next level!
Support this podcast at https://redcircle.com/net-rocks/donations

.NET Rocks!
OpenID-Connect with Dominick Baier and Brock Allen

Jun 10, 2014 50:14

While at NDC in Oslo, Carl and Richard chat with Dominick Baier and Brock Allen about their latest thinking on consumer and enterprise identity solutions. Dominick talks about the conflict between WS-Federation, the confusion that is OAuth2 and how OpenID-Connect is bringing them together in a better solution. Brock digs into how a centralized security service simplifies coding for developers as well as strengthening the overall security of the system. Overall, the news is good - granular authentication and authorization is getting easier to implement, deploy and manage.
Support this podcast at https://redcircle.com/net-rocks/donations

Der Open Web Podcast
Episode 29 - OpenWebNews

May 23, 2010

There is some news again.
Length: 1h02m05s (55.2 MB), Download MP3
Enjoy listening :)
Dates
IIW, May 17-19 http://iiw.idcommons.net/Iiw10
OpenID Summit Europe, June 8th, London http://wiki.openid.net/2010-OpenID-Summit-EU
European e-Identity Management Conference, 9-10 June http://www.revolutionevents.plus.com/eema/index.htm
Announcements
Twitter @Anywhere for Plone
UMA Prototype Site: http://host.clprojects.net/ Source: http://bitbucket.org/mrtopf/uma
UMA Protocol: http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol
Protocol I implemented: http://kantarainitiative.org/confluence/display/~christianscholz/The+Prototype+Protocol+Flow
XAuth and OExchange http://blog.meebo.com/?p=2391 http://xauth.org/ http://www.oexchange.org/
XAuth + OExchange plugin for WordPress: OExchange: http://wordpress.org/extend/plugins/oexchange/ XAuth: http://wordpress.org/extend/plugins/xauth/
OpenID Connect http://openidconnect.com/
JRD: http://hueniverse.com/2010/05/jrd-the-other-resource-descriptor/
The European Identity Conference
Summary:
UMA Workshop - led by Eve Maler
Data Portability Panel with Drummond Reed, Christian Scholz and Eve Maler
Post Privacy Panel with Eve Maler, Andreas Reisen, Christian Scholz
National eID cards vs. OpenID/InfoCards - two continents, two solutions
Telekom project with a CardSelector in the phone using NFC and SIM cards.
Enterprise IT and the complexity of RBAC, ABAC, SAML, XACML and LDAP
Why is there still LDAP?