Tired of “just use JWT!” tutorials? Learn how you could move your existing legacy authn/authz to a centralised service working together with your ingress gateway. Convert basic, bearer or other authentication mechanisms into a common format, even handling multiple auth types for all your endpoints.
The document provides an overview of OAuth 2.0 and how it works. It describes how OAuth 1.0 had many different implementations by sites like Flickr, Google, and Facebook. OAuth 2.0 standardized the process and replaced signatures with HTTPS. It then outlines the key parts of OAuth 2.0, including authorization, accessing resources with an access token, refreshing expired tokens, and different authorization methods like authorization codes, passwords, and implicit grants. It concludes with security recommendations for clients using bearer tokens.
Ikai Lan gave a talk about building cloud applications using Google App Engine. They demonstrated TweetEngine, an open source Twitter application built on App Engine, to explain key concepts. These included OAuth for secure authentication, internationalization (i18n) for localized versions, AppStats for application profiling, and Task Queues for background processing. The talk aimed to show how App Engine handles infrastructure concerns so developers can focus on code, and whet the audience's appetite for building cloud applications.
Crossing the Boundaries of Web Applications with OpenSocial
Bastian Hofmann
OpenSocial is a specification that allows third-party applications called gadgets to be included into social networking services. A gadget can access a user's social graph and social data through the OpenSocial API. Gadgets are rendered within a container/host site through the use of a proxy server called Shindig that handles authentication and API calls on behalf of the gadget to work around same-origin policy limitations. The presentation provided examples of how OpenSocial allows for embedded experiences, templates, authorization flows, and other features to enable cross-site development of social applications.
The document provides an overview of the history and development of OAuth standards for authorization. It describes some of the issues with early implementations that prompted the creation of OAuth 1.0, including services storing user passwords and lack of ability to revoke access. OAuth 1.0 introduced signatures to address these issues. OAuth 2.0 replaced signatures with HTTPS and defines common flows for different use cases, including authorization code, implicit, password, and client credentials grants.
OAuth is an open standard for authentication that allows users to log into third party applications using their existing credentials from another service, without having to expose their password. OEmbed is a format for converting URLs into embeddable rich content like photos or videos. It allows websites to display content from other sites without having to manually embed HTML or write custom code. Both standards aim to simplify authentication and content embedding while keeping users' data and identities secure.
The document summarizes the key features and highlights of Spring Boot 1.3, which is scheduled for release in September 2015. Some of the main things covered include Spring 4.2 support, new auto-configurations for caching, OAuth2, and other components, improvements to non-functional aspects like metrics export, and enhancements to DevOps tools including a systemd service generator and improved development tools. Upcoming user group events related to Spring are also announced.
Altitude San Francisco 2018: Authentication at the Edge
Fastly
Turning away unwanted traffic close to the source is a common and key use case for edge networks like Fastly, but identity, authentication, and authorization at the edge can go far beyond blocking DDoS. The unique way that you identify your site’s users can probably move to the edge too, allowing you to cut response times in your critical path, offload more origin traffic, and make smarter routing decisions at the edge.
In this talk we’ll cover a number of patterns in use by real Fastly customers. Whether you prefer token authentication, pre-shared keys, OAuth, HTTP auth, JSON web tokens, or a complex paywall, learn how you can potentially make your authentication decisions at the edge.
This document discusses securing MQTT communication for IoT. It begins with an overview of MQTT and IoT concepts. It then covers MQTT security topics like TLS, authentication using JSON web tokens and OAuth2.0. Finally, it provides steps to secure a Mosquitto MQTT broker using TLS, authentication and access control lists. The goal is to help secure MQTT protocols which are widely used for IoT communication.
The document is a presentation on OAuth 2 that:
1) Explains the key concepts of OAuth 2 including resource owners, authorization servers, clients, and scopes.
2) Describes the common OAuth 2 grant types including authorization code, implicit, password, and client credentials and how they apply to different use cases like web apps, mobile apps, and application access.
3) Provides examples of implementing each grant type with code snippets and diagrams of the authorization flows.
The document describes how to build a cross-domain API called @anywhere that allows Twitter functionality to be embedded on third-party sites. It discusses using postMessage to enable cross-domain communication and implementing an RPC layer to wrap Twitter's REST API. It also covers how to handle authentication and authorization using OAuth, passing the access token back to the embedding page securely using the window.name polling technique. The goal is to provide a secure, frictionless, and unobtrusive way to access Twitter APIs from any domain.
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
Vault is a tool for centrally managing secrets like passwords, API keys, and certificates. It addresses the problem of "secrets sprawl" where credentials are stored insecurely in multiple places like source code, emails, and configuration files. Vault centralizes secrets management, provides access control and auditing, and generates unique short-lived credentials to reduce risk if a secret is compromised. It also supports encrypting sensitive data for additional protection. Implementing Vault involves deciding where it will run, who will manage encryption keys, which secrets it will store, where audit logs will go, and who will operate and configure the system on an ongoing basis.
DEMYSTIFYING REST
Kirsten Jones
REST web services are everywhere! It seems like everything you want is available via a web service, but getting started with one of these web services can be overwhelming – and debugging the interactions bewilders some of the smartest developers I know. In this talk, I will talk about HTTP, how it works, and how to watch and understand the traffic between your system and the server. From there I’ll proceed to REST – how REST web services layer on top of HTTP and how you can expect a REST web service to behave. We’ll go over how to monitor and understand requests and responses for these services. Once we’ve covered that, I’ll talk about how OAuth is used for authentication in the framework of a REST application. PHP code samples will be shown for interacting with an OAuth REST web service, and I will cover http monitoring tools for multiple OS’s. When you’re done with this talk you’ll understand enough about REST web services to be able to get started confidently, and debug many of the common issues you may encounter.
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Codemotion
The document discusses OAuth2 and OpenId Connect protocols for securing web applications. It provides an overview of how OAuth2 is used to get tokens in exchange for secrets to allow software access to resources without revealing the secret. OpenId Connect extends OAuth2 to provide authentication by using OAuth tokens to identify users. The document outlines common scenarios and actors in the protocols, describes different token types and flows, and demonstrates how to implement OAuth2 and OpenId Connect.
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
This document discusses OAuth 2.0 and provides recommendations for its use. It summarizes the history of OAuth 1.0 and 2.0, key concepts of OAuth 2.0 like grant types and token types, and real-world usage by major APIs. It recommends sticking to the basic OAuth 2.0 standard without extensions like refresh tokens for most use cases, and authenticating users through existing authentication mechanisms rather than custom implementations.
If you've ever written any code to authenticate with Twitter, you may have been confused by all the signature methods and base strings. You'll be happy to know that OAuth 2 has vastly simplified the process, but at what cost?
This talk will give an overview of the OAuth 2 spec, starting with the various options the standard gives to developers for building web apps and native apps. We'll look at what the end user sees, work our way to what developers using an OAuth 2 API deal with, and we’ll end up at what developers of OAuth-2-compliant APIs will need to know to successfully implement the standard.
Many large providers have recently deployed APIs using OAuth 2, including Facebook, Foursquare, Google, and more. But since OAuth 2 is technically still a "draft," many aspects of the spec change from month to month and it's sometimes hard to keep up. We'll cover the commonalities and differences between some of the major providers and draft versions. The security implications of some of the changes between versions 1 and 2 will be covered, along with recommendations for best practices. You'll also get a glimpse of the debates currently raging on the internal OAuth 2 mailing list.
Presented at Open Source Bridge 2011
http://opensourcebridge.org/sessions/686
Current list of OAuth 2 Providers
http://aaronparecki.com/The_Current_State_of_OAuth_2
This document provides an overview of OAuth and OAuth2 authentication protocols. It discusses the key components of OAuth including the resource owner, client, authorization server and access tokens. It explains the OAuth workflow and signature process. It also covers OAuth2 improvements like removing the need for cryptography and access tokens being short-lived. Finally, it discusses implementations of OAuth in Ruby using gems like OAuth and Faraday as well as OmniAuth for multi-provider authentication in Rails applications.
InterCon 2016 - Digital identity security taking into account a...
iMasters
Erick Tedeschi talks about digital identity security taking into account a microservice architecture at InterCon 2016.
Learn more at http://intercon2016.imasters.com.br/
How to Implement Token Authentication Using the Django REST Framework
Katy Slemon
I'm sure you may also find it challenging to implement token authentication using the Django REST framework, so here are the solutions that help you solve the issue.
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
The document discusses OAuth 2.0 authorization concepts including access tokens, refresh tokens, scopes, and grant types. It provides examples of how a third-party web application can use the authorization code grant type to obtain an access token from an authorization server to access protected resources, such as by redirecting the user to a login page to authenticate.
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
The document discusses OAuth 2.0 and authorization. It describes OAuth 2.0 as a mechanism for applications to access restricted resources without sharing credentials. It outlines the roles in OAuth 2.0 including resource owner, resource server, client, and authorization server. It also describes the different OAuth 2.0 grant types including authorization code, implicit, resource owner password credentials, and client credentials. The document then discusses using OAuth 2.0 and PEP proxies to secure web applications and backends as well as authenticating IoT devices. It also provides an overview of key FIWARE security generic enablers for identity management, authorization, and PEP proxy functionality.
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
In this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. We will also look into one of the largest DDoS attacks on Ukrainian infrastructure, which happened in February 2022. We'll see what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on the Ukraine experience.
Similar to Centralise legacy auth at the ingress gateway
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Ukraine
Під час доповіді відповімо на питання, навіщо потрібно підвищувати продуктивність аплікації і які є найефективніші способи для цього. А також поговоримо про те, що таке кеш, які його види бувають та, основне — як знайти performance bottleneck?
Відео та деталі заходу: https://bit.ly/45tILxj
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfleebarnesutopia
So… you want to become a Test Automation Engineer (or hire and develop one)? While there’s quite a bit of information available about important technical and tool skills to master, there’s not enough discussion around the path to becoming an effective Test Automation Engineer that knows how to add VALUE. In my experience this had led to a proliferation of engineers who are proficient with tools and building frameworks but have skill and knowledge gaps, especially in software testing, that reduce the value they deliver with test automation.
In this talk, Lee will share his lessons learned from over 30 years of working with, and mentoring, hundreds of Test Automation Engineers. Whether you’re looking to get started in test automation or just want to improve your trade, this talk will give you a solid foundation and roadmap for ensuring your test automation efforts continuously add value. This talk is equally valuable for both aspiring Test Automation Engineers and those managing them! All attendees will take away a set of key foundational knowledge and a high-level learning path for leveling up test automation skills and ensuring they add value to their organizations.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Keywords: AI, Containeres, Kubernetes, Cloud Native
Event Link: https://meine.doag.org/events/cloudland/2024/agenda/#agendaId.4211
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
QA or the Highway - Component Testing: Bridging the gap between frontend appl...zjhamm304
These are the slides for the presentation, "Component Testing: Bridging the gap between frontend applications" that was presented at QA or the Highway 2024 in Columbus, OH by Zachary Hamm.
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMydbops
This presentation, titled "MySQL - InnoDB" and delivered by Mayank Prasad at the Mydbops Open Source Database Meetup 16 on June 8th, 2024, covers dynamic configuration of REDO logs and instant ADD/DROP columns in InnoDB.
This presentation dives deep into the world of InnoDB, exploring two ground-breaking features introduced in MySQL 8.0:
• Dynamic Configuration of REDO Logs: Enhance your database's performance and flexibility with on-the-fly adjustments to REDO log capacity. Unleash the power of the snake metaphor to visualize how InnoDB manages REDO log files.
• Instant ADD/DROP Columns: Say goodbye to costly table rebuilds! This presentation unveils how InnoDB now enables seamless addition and removal of columns without compromising data integrity or incurring downtime.
Key Learnings:
• Grasp the concept of REDO logs and their significance in InnoDB's transaction management.
• Discover the advantages of dynamic REDO log configuration and how to leverage it for optimal performance.
• Understand the inner workings of instant ADD/DROP columns and their impact on database operations.
• Gain valuable insights into the row versioning mechanism that empowers instant column modifications.
TrustArc Webinar - Your Guide for Smooth Cross-Border Data Transfers and Glob...TrustArc
Global data transfers can be tricky due to different regulations and individual protections in each country. Sharing data with vendors has become such a normal part of business operations that some may not even realize they’re conducting a cross-border data transfer!
The Global CBPR Forum launched the new Global Cross-Border Privacy Rules framework in May 2024 to ensure that privacy compliance and regulatory differences across participating jurisdictions do not block a business's ability to deliver its products and services worldwide.
To benefit consumers and businesses, Global CBPRs promote trust and accountability while moving toward a future where consumer privacy is honored and data can be transferred responsibly across borders.
This webinar will review:
- What is a data transfer and its related risks
- How to manage and mitigate your data transfer risks
- How do different data transfer mechanisms like the EU-US DPF and Global CBPR benefit your business globally
- Globally what are the cross-border data transfer regulations and guidelines
ScyllaDB Leaps Forward with Dor Laor, CEO of ScyllaDBScyllaDB
Join ScyllaDB’s CEO, Dor Laor, as he introduces the revolutionary tablet architecture that makes one of the fastest databases fully elastic. Dor will also detail the significant advancements in ScyllaDB Cloud’s security and elasticity features as well as the speed boost that ScyllaDB Enterprise 2024.1 received.
ScyllaDB Leaps Forward with Dor Laor, CEO of ScyllaDB
Centralise legacy auth at the ingress gateway
1. @magickatt on Twitter, GitHub
Background by M-ART Production https://www.pexels.com/photo/a-back-view-of-a-man-in-brown-coat-standing-between-ticket-barriers-7252569/
Centralise legacy auth at the ingress gateway
Andrew Kirkpatrick
SREday 2023
2. @magickatt on Twitter, GitHub
Image from https://www.osohq.com/post/microservices-authorization-patterns
The problem?
3. @magickatt on Twitter, GitHub
Image from https://www.osohq.com/post/microservices-authorization-patterns
A (possible) solution…?
4. @magickatt on Twitter, GitHub
Overview
1. But why not just use something off-the-shelf?
2. Identifying and categorising authentication
3. What information to send downstream?
4. Where to handle authorization
5. Stand-alone auth next to your gateway
6. Summary
Background by Codioful https://www.pexels.com/photo/multicolor-photo-7130469/
5. @magickatt on Twitter, GitHub
But why not just use something off-the-shelf?
Background by M-ART Production https://www.pexels.com/photo/a-person-inserting-a-ticket-7252259/
6. @magickatt on Twitter, GitHub
Choosing an off-the-shelf solution
● Greenfield (brand new) project
○ No existing users?
○ No existing authentication/authorisation?
● Existing (possibly legacy) project?
○ Add to tech stack, or refactor existing?
○ Introducing a new authentication type
○ Deprecate existing authentication types?
○ Backwards compatibility with data?
○ Able to migrate/synchronise identity data?
https://twitter.com/elonmusk/status/1632810081497513993
7. @magickatt on Twitter, GitHub
Migrate or synchronise identity data
If using an off-the-shelf solution, you either have to migrate your users or find a way to (accurately) synchronise them
● How easy is it to copy/synchronise?
○ Extract data from your current platform
○ Add/update data in the new solution
● If migrating identity data across, move it in 1 go or keep it in active synchronisation?
8. @magickatt on Twitter, GitHub
Migrate or synchronise user data
If using an off-the-shelf solution, you either have to migrate your users or find a way to (accurately) synchronise them
● How tricky is it to keep data in-sync?
○ How real-time is the synchronisation?
○ How often does user access and/or permissions change?
○ How dangerous is it if out-of-sync?
9. @magickatt on Twitter, GitHub
Identifying and categorising
Background by cottonbro studio https://www.pexels.com/photo/person-sitting-on-the-chair-near-the-plastic-containers-with-lables-6591427/
10. @magickatt on Twitter, GitHub
What mechanisms are you using?
Many, many different authentication types
● HTTP Basic
● HTTP Bearer
● Cookies
● API key
● OAuth 1.0, 1.0a
● OAuth 2.0
https://blog.risingstack.com/web-authentication-methods-explained/
https://blog.restcase.com/4-most-used-rest-api-authentication-methods/
https://blog.stoplight.io/api-keys-best-practices-to-authenticate-apis
https://www.synopsys.com/blogs/software-security/oauth-2-0-vs-oauth-1-0/
https://www.wallarm.com/what/oauth-vs-jwt-detailed-comparison
11. @magickatt on Twitter, GitHub
How are these authentication types being used?
● What paths, subdomains and/or headers for which authentication type?
● Does each authentication type represent the same kind of identity? (always a user?)
● How is auth configured?
○ Router
○ Method annotations/decorators
○ Middleware
○ Framework hooks/events/signals
○ Database page/object permissions
○ Configuration file
○ …
12. @magickatt on Twitter, GitHub
How are these authentication types being used?
● Multiple authentication types in a monolith, or different types per-service?
● Are different implementations using different programming languages/technology stacks?
● How would you combine these?
13. @magickatt on Twitter, GitHub
Example authentication identification
Try and choose 1 (or more) authentication types based on host, path or headers
14. @magickatt on Twitter, GitHub
Example authentication identification
Alternatively, try all authentication types until you determine which one is being used
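An added example (not code from the talk or from the AuthAtTheGatewayTalk repository) showing both strategies from slides 13 and 14 in Python: a host/path rule table narrows the candidate authentication types, and when no rule matches every detector is tried. The hosts, paths, rule table and function names are constructed for this example; the detectors only inspect the request, so no credential lookup happens before the type is known.

```python
from typing import Callable, Dict, List, Optional

# Constructed routing rules: for a given host and path prefix, which
# authentication types are expected, in order of preference. The hosts and
# paths are invented for this example.
ROUTE_RULES: List[tuple] = [
    ("api.example.test", "/v1/partner/", ["api_key"]),
    ("api.example.test", "/v1/", ["bearer", "basic"]),
    ("www.example.test", "/", ["cookie"]),
]


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them in lower case."""
    return {k.lower(): v for k, v in headers.items()}


# Detectors answer "does this request look like it carries this type of
# credential?" from the request alone. No credential store is consulted here,
# so this step is cheap and runs before any lookup.
def _basic(h: Dict[str, str]) -> bool:
    return h.get("authorization", "").lower().startswith("basic ")


def _bearer(h: Dict[str, str]) -> bool:
    return h.get("authorization", "").lower().startswith("bearer ")


def _api_key(h: Dict[str, str]) -> bool:
    return bool(h.get("x-api-key"))


def _cookie(h: Dict[str, str]) -> bool:
    return "session=" in h.get("cookie", "")


DETECTORS: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "basic": _basic,
    "bearer": _bearer,
    "api_key": _api_key,
    "cookie": _cookie,
}


def candidate_auth_types(host: str, path: str) -> List[str]:
    """Slide 13: narrow the candidates using host and path. An empty list
    means no rule matched and the caller falls back to trying every type."""
    for rule_host, prefix, types in ROUTE_RULES:
        if host == rule_host and path.startswith(prefix):
            return list(types)
    return []


def present_auth_types(host: str, path: str, headers: Dict[str, str]) -> List[str]:
    """All candidate types whose credential is actually present, in
    preference order. Slide 14's "try all" is the fallback used when no
    rule matched the host/path."""
    h = _normalise(headers)
    candidates = candidate_auth_types(host, path) or list(DETECTORS)
    return [t for t in candidates if DETECTORS[t](h)]


def identify_auth_type(host: str, path: str, headers: Dict[str, str]) -> Optional[str]:
    """The single type to verify next, or None when nothing usable was sent.
    A credential of a type not allowed on this route is ignored rather than
    verified, which keeps e.g. Basic credentials off partner-only paths."""
    present = present_auth_types(host, path, headers)
    return present[0] if present else None
```

Keeping the rule table separate from the detectors means a new authentication type is one detector plus one rule entry, and a route can be locked to a single type without touching the verification code.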
15. @magickatt on Twitter, GitHub
What information to send downstream?
Background by Aleksandr Burzinskij https://www.pexels.com/photo/young-woman-swinging-on-swing-and-splashing-water-4834565/
16. @magickatt on Twitter, GitHub
Enhanced context
If handling multiple authentication types, you can consolidate their identity/authorization information into a standardised format
● What does your current identity data look like?
● Can you represent different authentication types using a similar/same data structure? (such as JSON)
● Ingress gateway can add headers from the auth service response to the request sent downstream
● Header can contain identity data so downstream services do not need to look it up again
Example: credentials (username, password) → { user_id: 1, company_id: 2, name: Person }
17. @magickatt on Twitter, GitHub
Example transformation
Diagram: Users → Gateway (add/remove headers) → Auth service
● Gateway removes the Authorization header and adds an X-Internal-Auth header
● Auth service fetches the user using credentials from the Authorization header (username and password)
● Returns identity information in a header as encoded JSON
18. @magickatt on Twitter, GitHub
Multiple authentication types
Authorization: Basic username:password
X-Api-Key: key
Each authentication type might not represent the same thing. What if an API key represents the actions of a whole company, rather than an individual user in that company?
If sometimes the identity object will not have a user, does that change how you represent the company?
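As an added example, not the talk's own code, here is the transformation of slides 16 to 18 in Python: Basic credentials and an API key are resolved against constructed in-memory tables into one identity document, where the API key carries a company_id but no user, and the document travels downstream as base64-encoded JSON in X-Internal-Auth. The user table, API keys, header name and the `authenticate` function are assumptions of this example.

```python
import base64
import hmac
import json
from typing import Dict, Optional, Tuple

IDENTITY_HEADER = "X-Internal-Auth"

# Constructed stand-ins for the legacy user and API-key tables. A real store
# would hold password hashes; plaintext is used only to keep this runnable.
USERS = {
    "alice": {"password": "s3cret", "user_id": 1, "company_id": 2, "name": "Alice"},
}
API_KEYS = {
    "partner-key-abc": {"company_id": 2},
}


def basic_header(username: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' value, as a client would."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:pass)'; None for anything malformed."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def identity_from_basic(value: str) -> Optional[dict]:
    creds = parse_basic(value)
    if creds is None:
        return None
    username, password = creds
    record = USERS.get(username)
    # Constant-time comparison; a real service would verify a password hash.
    if record is None or not hmac.compare_digest(
        record["password"].encode("utf-8"), password.encode("utf-8")
    ):
        return None
    return {
        "auth_type": "basic",
        "company_id": record["company_id"],
        "user": {"user_id": record["user_id"], "name": record["name"]},
    }


def identity_from_api_key(key: str) -> Optional[dict]:
    record = API_KEYS.get(key)
    if record is None:
        return None
    # Same shape as a Basic identity, but the key acts for the whole company,
    # so there is no individual user (slide 18): company_id stays top-level.
    return {"auth_type": "api_key", "company_id": record["company_id"], "user": None}


def encode_identity(identity: dict) -> str:
    """JSON, base64-encoded so the value is safe to carry in an HTTP header."""
    body = json.dumps(identity, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.b64encode(body).decode("ascii")


def decode_identity(value: str) -> dict:
    """What a downstream service does with X-Internal-Auth: no lookup needed."""
    return json.loads(base64.b64decode(value))


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Auth service entry point: (status, headers for the gateway to add).
    2XX means allow; 4XX means deny, with headers the client should see."""
    h = {k.lower(): v for k, v in headers.items()}
    identity = None
    if "authorization" in h:
        identity = identity_from_basic(h["authorization"])
    elif "x-api-key" in h:
        identity = identity_from_api_key(h["x-api-key"])
    if identity is None:
        return 401, {"WWW-Authenticate": 'Basic realm="legacy"'}
    return 200, {IDENTITY_HEADER: encode_identity(identity)}
```

Putting `company_id` at the top level and letting `user` be null is one answer to the slide 18 question: downstream services that only care about the company never have to inspect `auth_type`, while those that need a person check `user` for null.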
19. @magickatt on Twitter, GitHub
Where to handle authorisation
Background by Erik Mclean https://www.pexels.com/photo/policeman-standing-near-modern-car-on-road-5662832/
20. @magickatt on Twitter, GitHub
Authentication versus authorisation
Centralise authentication, not necessarily all authorisation
● Typical auth response true/false (HTTP 2XX/4XX)
● Authentication as purely identity (who are they?)
● Authorisation as role or permission-based gate
● Most basic authorization: “not logged in” (deny anonymous role)
Diagram: Authenticate identity (fetch identity using credentials) → Authorize identity (does this endpoint allow anonymous access?)
21. @magickatt on Twitter, GitHub
Broad authorization
Diagram: Authenticate identity (fetch identity using credentials) → Authorize identity (for this path the user must be an admin)
Request information:
{
"path": "/v1/admin/user/add",
"user": {
"name": "Somebody else",
"role": "member"
}
}
Identity information (fetched during authentication):
{
"user_id": 1,
"name": "Somebody",
"role": "admin"
}
Use a combination of request and identity information to perform top-level authorization
22. @magickatt on Twitter, GitHub
Delegates granular authorization
Diagram: Authenticate identity (fetch identity using credentials) → Authorize identity (broad authz) → Document service (check ACLs, check roles, delete document)
Identity information:
{
"user_id": 1,
"name": "Somebody",
"group": 2,
"roles": [
"document/viewer",
"group/moderator",
"report/viewer"
],
"acl": {
"document/1/admin": true,
"document/4/admin": true,
"document/8/admin": true
}
}
Request information:
{
"path": "/v1/document/123/attachment/456/delete"
}
Too complicated to authorize here, let the downstream service decide…
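An added Python example for slides 20 to 22 (not from the talk): a constructed path policy at the gateway decides between anonymous access, a required role (the broad check) and delegation, and a second function shows the granular ACL check the document service would then make using the slide 22 identity. The policy table, the `role:` rule syntax and the function names are this example's own.

```python
import fnmatch
from typing import List, Optional, Set, Tuple

# Constructed gateway policy, checked top to bottom; first match wins.
#   "anonymous"   -> no identity needed (slide 20's "allow anonymous access?")
#   "role:<name>" -> broad authorization at the gateway (slide 21)
#   "delegate"    -> only require a valid identity; the downstream service
#                    makes the fine-grained decision (slide 22)
# A path with no matching rule is denied (fail closed).
POLICY: List[Tuple[str, str]] = [
    ("/v1/health", "anonymous"),
    ("/v1/login", "anonymous"),
    ("/v1/admin/*", "role:admin"),
    ("/v1/document/*", "delegate"),
]


def policy_for(path: str) -> Optional[str]:
    for pattern, decision in POLICY:
        if fnmatch.fnmatchcase(path, pattern):
            return decision
    return None


def roles_of(identity: dict) -> Set[str]:
    """Accept both the single "role" of slide 21 and the "roles" list of slide 22."""
    roles = set(identity.get("roles", []))
    if "role" in identity:
        roles.add(identity["role"])
    return roles


def authorize_at_gateway(path: str, identity: Optional[dict]) -> Tuple[int, str]:
    """Top-level authorization from the request path plus the identity
    fetched during authentication. Returns (HTTP status, reason)."""
    decision = policy_for(path)
    if decision is None:
        return 403, "no policy for path"
    if decision == "anonymous":
        return 200, "anonymous access allowed"
    if identity is None:
        return 401, "authentication required"
    if decision == "delegate":
        return 200, "delegated to downstream service"
    required = decision.split(":", 1)[1]
    if required in roles_of(identity):
        return 200, f"role {required} present"
    return 403, f"role {required} required"


# Downstream (document service) side: the granular check the gateway skipped.
def document_service_allows(identity: dict, action: str, document_id: int) -> bool:
    if action == "view":
        return "document/viewer" in roles_of(identity)
    if action in ("delete", "admin"):
        return bool(identity.get("acl", {}).get(f"document/{document_id}/admin"))
    return False


# Identity from slide 22, reproduced here as sample input.
SAMPLE_IDENTITY = {
    "user_id": 1,
    "name": "Somebody",
    "group": 2,
    "roles": ["document/viewer", "group/moderator", "report/viewer"],
    "acl": {"document/1/admin": True, "document/4/admin": True, "document/8/admin": True},
}
```

With this split the gateway never has to understand per-document ACLs; it only guarantees that whatever reaches the document service is an authenticated identity, and the service applies the ACL it already owns. A path that matches no rule is refused rather than delegated, so adding a new route is an explicit decision.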
23. @magickatt on Twitter, GitHub
Stand-alone auth next to your gateway
Background by Keenan Constance https://www.pexels.com/photo/woman-sitting-on-wooden-planks-2865901/
24. @magickatt on Twitter, GitHub
Possible options for integrating
Most ingress gateways/proxies will allow you to specify an external auth service via HTTP or gRPC
● Emissary Ingress AuthService (Envoy)
● Gloo Custom Auth server (Envoy)
● Kong Custom Plug-in (Nginx)
● Traefik ForwardAuth middleware
● Tyk custom plugin
● Nginx Subrequest Result
● AWS API Gateway Lambda Authorizers (Proprietary, Bearer only)
https://www.getambassador.io/docs/emissary/latest/topics/running/services/auth-service
https://docs.solo.io/gloo-edge/master/guides/security/auth/custom_auth/
https://konghq.com/blog/custom-authentication-and-authorization-framework-with-kong
https://doc.traefik.io/traefik/middlewares/http/forwardauth/
https://tyk.io/blog/how-to-setup-custom-authentication-middleware-using-grpc-and-java/
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
25. @magickatt on Twitter, GitHub
Example ExtAuth request flow
Diagram: Web request → Gateway → (HTTP/gRPC) → Auth service → Denied / Allowed
● Web request: headers, body, path
● Sent to the auth service: headers, path
● Auth service response: response code (2XX or 4XX), headers (modified)
● Forwarded downstream: body, path (plus the modified headers)
1. Allow or deny based on headers and path?
2. If allow, optionally add identity and/or authorization information
26. @magickatt on Twitter, GitHub
Envoy ext_authz (Emissary Ingress AuthService)
Diagram: Gateway → (HTTP/gRPC) → Auth service on port 3000
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter#arch-overview-ext-authz
https://www.getambassador.io/docs/emissary/latest/topics/running/services/auth-service
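The gateway side of the flow on slides 25 and 26, as an added Python example that is neither the talk's code nor any gateway's. The auth check is a pluggable function standing in for the HTTP/gRPC call to the service on port 3000, and `ALLOWED_UPSTREAM_HEADERS` mirrors the idea of an allow-list for headers copied upstream but is this example's own name. Two defensive details a practitioner will want are included: any client-supplied X-Internal-* header is dropped before the check, so a client cannot forge the identity header that downstream services trust, and a 5XX or unreachable auth service is treated as deny rather than allow.

```python
from typing import Callable, Dict, Tuple

# Signature of the pluggable auth check: (method, path, headers) -> (status, headers, body)
AuthCheck = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]

# Headers the gateway is willing to copy from the auth service response onto
# the upstream request (example's own allow-list).
ALLOWED_UPSTREAM_HEADERS = {"x-internal-auth"}
# Namespace reserved for gateway-set headers; never accepted from clients.
INTERNAL_PREFIX = "x-internal-"
# Sent to the auth service, then stripped before forwarding upstream.
CREDENTIAL_HEADERS = {"authorization", "x-api-key"}


def strip_client_internal_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """A client must not be able to pre-set X-Internal-Auth and have a
    downstream service trust it; drop the whole reserved namespace."""
    return {k: v for k, v in headers.items() if not k.lower().startswith(INTERNAL_PREFIX)}


def handle(method: str, path: str, headers: Dict[str, str], body: str, check: AuthCheck):
    """Gateway side of the ExtAuth flow. Returns either
    ("forward", upstream_headers, body) or ("reject", status, headers, body)."""
    request_headers = strip_client_internal_headers(headers)
    try:
        status, auth_headers, auth_body = check(method, path, request_headers)
    except Exception:  # auth service unreachable or timed out: fail closed
        return ("reject", 503, {}, "authentication service unavailable")
    if 200 <= status < 300:
        # Allowed: credentials do not travel further than the auth service,
        # and only allow-listed headers from its response go upstream.
        upstream = {k: v for k, v in request_headers.items() if k.lower() not in CREDENTIAL_HEADERS}
        for k, v in auth_headers.items():
            if k.lower() in ALLOWED_UPSTREAM_HEADERS:
                upstream[k] = v
        return ("forward", upstream, body)
    if 400 <= status < 500:
        # Denied: the auth service's own status, headers and body go back to the client.
        return ("reject", status, auth_headers, auth_body)
    # Anything else (5XX, redirects) is a failure, not an "allowed".
    return ("reject", 503, {}, "authentication service error")


def stub_auth_service(method: str, path: str, headers: Dict[str, str]):
    """Constructed stand-in for the auth service on port 3000: allows any
    request with an Authorization header and issues an identity header."""
    if "authorization" in {k.lower() for k in headers}:
        return 200, {"X-Internal-Auth": "encoded-identity-placeholder", "X-Debug": "internal"}, ""
    return 401, {"WWW-Authenticate": "Basic"}, "unauthorised"


def unreachable_auth_service(method: str, path: str, headers: Dict[str, str]):
    """Constructed stand-in for an auth service that is down."""
    raise ConnectionError("auth service unreachable")
```

The allow-list matters as much as the header the service adds: without it, anything the auth service happens to set (the constructed `X-Debug` above) would leak into every downstream request.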
27. @magickatt on Twitter, GitHub
Practical example
Background by Ekaterina Bolovtsova https://www.pexels.com/photo/a-figurine-of-the-lady-justice-on-the-table-of-a-judge-6077381/
28. @magickatt on Twitter, GitHub
Flask route auth via decorator request flow
Diagram: /orders API route → route decorator → auth service → database, all within the same running application (Denied / Allowed)
35. @magickatt on Twitter, GitHub
Background by Mitchell Luo https://www.pexels.com/photo/anonymous-woman-walking-near-pay-gates-5918868/
Summary
36. @magickatt on Twitter, GitHub
Summary
● Can use (almost) any type of authentication
● Try and determine what authentication types are used for which paths/domains/headers to reduce checks/lookups (if possible)
● Pass identity and/or authorisation information onto your downstream services
● Consider how to represent authentication/authorization data sent downstream
● Handle none, some or all authorization before it reaches your services
● Ensure the auth service is highly available, since every request now depends on it
38. @magickatt on Twitter, GitHub
Thank you!
Hopefully this gives you some ideas as to how you might be able to centralise legacy auth in some of your projects?
Slides (should be) available at https://www.slideshare.net/magickatt/centralise-legacy-auth-at-the-ingress-gateway
Code example available at https://github.com/magickatt/AuthAtTheGatewayTalk
● https://www.linkedin.com/in/andrewkirkpatrick/
● https://www.andrew-kirkpatrick.com
● https://github.com/magickatt
● https://twitter.com/magickatt