This document summarizes the OAuth 2.0 threat landscape and best practices for mitigation. It discusses threats such as CSRF against the redirect URI, session injection (authorization-code injection), token leakage, IdP mix-up, and token reuse/misuse. Recommended mitigations include binding the state parameter to the user's session, PKCE, short-lived tokens, TLS, exact-match allow-listing of callback (redirect) URIs, scoped tokens, audience restriction, OpenID Connect, and throttling. The document provides technical details on the various OAuth 2.0 flows and threats, as well as references to the relevant IETF draft specifications.
The document discusses OpenIG, an identity gateway product from ForgeRock. OpenIG allows legacy applications and APIs to be integrated with identity and access management solutions without modifying the applications. It provides single sign-on, password capture and replay, OAuth 2.0 protection for APIs, and federation capabilities. The latest version of OpenIG includes support for OAuth 2.0, OpenID Connect, scripting with Groovy, SAML federation, and stateless sessions. The document promotes OpenIG as a cost-effective way to extend security and identity features to existing applications.
Extensible, server-side, open IoT architecture for device management, complete with integration capabilities, IoT analytics, and security for devices and data.
LUDOVIC POITOU, Director of ForgeRock France & OpenIG Product Manager, at the European IRM Summit 2014.
This presentation provides a general introduction to the API Economy, to the Alastria blockchain network, and to the open source WSO2 API Manager. It also includes a demo on how to use API Manager to manage API consumption and its integration with a smart contract deployed on the blockchain for automatic pricing of that consumption.
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare July 28 & 29, 2021 Top 10 API security threats every API team should know Derric Gilling, CEO at Moesif
This document discusses strategies for scaling the ForgeRock identity platform to support 1 billion users. It describes how ForgeRock Directory Services provides a specialized, centralized, secure, highly available, and high-throughput identity store. It has been benchmarked to support 500 million users and tested to support 3 billion users over 1 week. The document also discusses how ForgeRock products are evolving to support cloud-native architectures with horizontal scalability, simplified replication, and data sharding to further increase capabilities.
Client-side applications are becoming an increasingly popular technology to build applications owing to the advanced user experience that they provide consumers. Authentication and API authorization for these applications are also becoming equally popular topics that many developers have a hard time getting their heads around. Check these slides, where Johann Nallathamby, Head of Solutions Architecture for IAM at WSO2, will attempt to demystify some complexities and misconceptions surrounding this topic and help you better understand the most important features to consider when choosing an authentication and API authorization solution for client-side applications. These slides will review: - The broader classification of client-side applications and their legacy and more recent authentication and API authorization patterns - Sender-constrained token patterns - Solution patterns being employed to improve user experience in client-side applications
This document discusses the benefits of using open source software to manage API lifecycles. It notes that digital transformation requires integrating new technologies rapidly, which open source allows through wider collaboration and input. Open source ensures better security, transparency, and extensibility. It also leads to higher quality code through more eyeballs and passionate developers. Open source APIs are also more cost effective and support corporate social responsibility goals. The document cites WSO2 as an example of an open source API management vendor that contributes significantly to many open source projects.
Slides from the talk "Token vs Cookies" at Devoxx Morocco 2015. An introduction to JSON Web Tokens (JWT) and a comparison with classic cookie-based session handling. Find the demo project used during this talk on GitHub: https://github.com/madmas/TokenVsCookies
This document discusses Open Banking and PSD2 compliance for banks. It notes the upcoming deadlines for banks to have external testing facilities by March 2019 and full PSD2 compliance by September 2019. It then provides an overview of the key Open Banking API specifications from the UK and Berlin Group. The document outlines challenges banks may face in compliance and how WSO2 Open Banking can help achieve deadlines through its componentized architecture and regulatory expertise. It argues that Open Banking creates opportunities for banks through expanding distribution channels, enabling upselling and cross-selling, and generating new revenue streams.
apidays LIVE Paris 2021 - APIs and the Future of Software December 7, 8 & 9, 2021 How password managers are built for Privacy and Security Frederic Rivain, CTO at Dashlane
In this webinar from November 2015, John Barco (VP of Product Management) and Tim Sedlack (Sr. Product Manager) take you on a journey: A long time ago in a technology sector far, far away, organizations were promised a unified platform for centralizing identity and integrating it into resources everywhere. But this promise was never realized. Instead, organizations were forced down a dark path to implement a piecemeal identity infrastructure that was painful, with massive integration costs. Finally, the wait is over. In this webinar, we will provide an overview of ForgeRock's unified platform and highlight all the common services provided across the end-to-end solution to make your life easier. Learn more about ForgeRock Access Management: https://www.forgerock.com/platform/access-management/ Learn more about ForgeRock Identity Management: https://www.forgerock.com/platform/identity-management/
Identity Gateway with the ForgeRock Identity Platform - So What’s New? Devices and Things: Better Than a Fish in Your Ear. In the Hitchhiker’s Guide to the Galaxy they have a handy little thing called a Babel Fish. Put it in your ear and you can instantly communicate with anything, anywhere in the galaxy. It’s quick and painless and works great. And that’s exactly how the ForgeRock Identity Gateway works too. It’s a simple, standards-based approach to extend access to web applications, application programming interfaces (APIs), and devices and things. The ForgeRock Identity Gateway provides a flexible policy enforcement point to support your current environment while migrating towards a modern, standards-based platform, so you can connect digital assets across your ecosystem with minimal-to-no changes. And no slimy little fish required! Highlights: - Intro to the ForgeRock Identity Platform - New features available in this release - Maintaining existing infrastructure through password replay - Gateway and a mobile device walk into a bar… - Federating services - Mobilizing those apps. Learn more about ForgeRock Access Management: https://www.forgerock.com/platform/access-management/ Learn more about ForgeRock Identity Management: https://www.forgerock.com/platform/identity-management/
This document discusses security approaches for microservices architectures. It begins by defining a microservices application as one in which the front end calls API endpoints which in turn call other API endpoints. It then discusses four options for securing communication between microservices: 1) passing cleartext identity headers between services, 2) forwarding the caller's token as-is, 3) using OAuth scopes to limit what a token may do, and 4) token exchange, where a service obtains a new token scoped to the downstream call. Each option trades off security against complexity: cleartext headers are trivially forged by anything on the network, while token exchange is the most work to deploy but gives each hop a token restricted to it. The document also provides examples of microservices security architectures from three different companies. It concludes that the main challenge is implementing microservices security without mistakes, by balancing requirements and capabilities and choosing appropriate solutions.
Agos - in partnership with Profesia - showcase the DIANA infrastructure, describe the functional and the architectural requirements and detail the architectural implementation, explaining how the WSO2 products have been installed, configured and used.
As the popularity of cloud-based deployment rises, more and more organizations are moving their mission-critical workloads into cloud services. Microsoft Azure is one of the fastest-growing cloud service providers and has gained the trust and loyalty of many users over the years. WSO2 Identity Server is an extensible identity and access management solution for implementing cost-effective identity management infrastructure. WSO2 Identity Server supports deployments on-premises, on many cloud service providers, and in hybrid models. Watch the on-demand recording here - https://wso2.com/library/webinars/identity-server-on-azure-a-reference-architecture/
Identity provisioning has traditionally centered around user identities. However, as the digital transformation takes hold and more devices and things come online, there is a need to apply traditional provisioning practices to untraditional things. Identity administration in the modern age must be about managing the identity lifecycle of users’ devices and things and their relationships to one another. In this session, Victor and Stein will discuss different ways to address the complex identity challenges of IoT. With: Victor Ake, VP Customer Innovation, ForgeRock Stein Myrseth, Technology Solutions Director, ForgeRock
The OpenID Connect and OAuth frameworks can be used to achieve a range of security levels. Properly used, they mitigate many risks. However, OpenID Connect’s flexibility, combined with its shared ontogeny with OAuth 2.0, creates opportunities for error: developers may not use (or even know about) certain features necessary to achieve the transaction integrity they desire, such as nonce and state checking, ID token signature and audience validation, or PKCE. The good news is that client software and middleware services can do some of the heavy lifting. You can have the best of both worlds, maximizing both security and developer joy. Whether you’re a developer or a security architect, what should you look for in an application that acts as an OpenID Connect client?