Latest Entries

  • Discussion on Exploiting OAuth 2.0 in Mobile Applications by ENISA


    ENISA is Europe’s cyber security agency. Periodically, it publishes “Info Notes” to provide background information and recommendations about cybersecurity. These notes are not formal guidance; ENISA explains that they “provide background information and recommendations derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action.” The … Read more >>

  • JWT is not an authentication protocol


    Many developers who are lukewarm about OAuth 2.0 feel that JWTs (JSON Web Tokens) offer a compact, stateless alternative for authentication. Defined in RFC 7519, JWTs provide a mechanism for sending a JSON object that is optionally signed, and optionally encrypted, as one very compact, URL-safe string. The JWT includes up to three components: a … Read more >>
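    The following is an added example (not code from the original post or from Gluu) showing what the JWT format does and does not give you. It builds a three-segment HS256 token from a constructed claim set and a constructed shared secret, verifies the signature, and then applies the issuer, audience and expiry checks that a signature alone never performs. The key, issuer and audience values are assumptions chosen for illustration; the point is that a validly signed token is still only a signed JSON object, and the "who is presenting this, to whom, and is it still valid" questions belong to the protocol around it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key for illustration only; a real deployment uses a
# per-issuer key that is never a literal in source.
SECRET = b"example-shared-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    # RFC 7515 base64url: URL-safe alphabet, padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url removes before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Verify the signature, then the claims that make the token meaningful.

    The signature check proves only that the key holder produced these bytes.
    Issuer, audience and expiry are what tie the token to this relying party
    and this moment; skipping them is the usual "JWT as authentication" bug.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm on the verifier side; never let the token choose it
    # (blocks alg=none and HMAC/RSA key-confusion tricks).
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    # Constructed claims: issued by an assumed IdP for an assumed API audience.
    token = make_jwt({"iss": "https://idp.example", "aud": "api.example", "sub": "alice", "exp": 2000000000}, SECRET)
    print(verify_jwt(token, SECRET, "https://idp.example", "api.example"))
    # Same valid signature, presented to a different service: rejected on audience.
    try:
        verify_jwt(token, SECRET, "https://idp.example", "other.example")
    except ValueError as exc:
        print("rejected:", exc)
```

    A token that passes the signature check but fails the audience check is the core of the post's argument: the format can prove integrity and origin, but nothing in RFC 7519 says who may present the token, to which service, or how the bearer was authenticated in the first place.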

  • Secure web apps with OpenID Connect using oxd


    Properly implementing federation protocols is hard. In fact, poor implementations are a leading cause of security vulnerabilities in web and mobile applications. For instance, the white paper “Signing into one billion mobile app accounts effortlessly with OAuth 2.0” publicizes a widespread but incorrect usage of OAuth by third-party mobile developers that would allow … Read more >>

  • OAuth vs. SAML vs. OpenID Connect


    The Gluu Server is a free open source platform that has both SAML and OAuth2 components. I have been trying to help educate the community for some time on the pros and cons of both infrastructures. Here is a quick overview to help get you oriented! OAuth 2.0 is an authorization framework, not an authentication … Read more >>

  • OpenDJ to OpenLDAP — why we’re changing persistence in Gluu


    In the Gluu Server 3.0 (currently scheduled for release 01/01/2017), OpenDJ is being replaced by OpenLDAP. As the performance and manageability of the Gluu Server are driven to a large extent by the underlying LDAP directory service, this represents a significant change. OpenDJ has done a pretty good job for us in the past. But there … Read more >>

  • Limiting OpenID Connect Community Client Support


    The Gluu Server Community Edition is used by lots of organizations all over the globe. We do our best to provide free support to everyone who needs it. However, support is not supposed to be a substitute for reading the Gluu Server documentation, for reading the applicable technical specifications, and for researching on the Internet. … Read more >>

  • IIW Video Positions UMA as a Solution for Controlling Access and Enabling Privacy


    At the spring 2016 Internet Identity Workshop (IIW #22) in Mountain View, CA, Heather Schlegel (a.k.a. @heathervescent) filmed three short videos on areas of interest related to Internet identity. One of the videos focuses on the User Managed Access (“UMA”) protocol, a set of OAuth-based access management specifications being developed at the Kantara Initiative to enable distributed authorization of data sharing between … Read more >>
