How to Access Sensitive and Regulated Data Through Microservices and APIs

We’re seeing more businesses utilize microservices, service meshes and APIs to break down large, static applications and merge legacy systems with modern IT platforms. These agile and flexible application structures have changed the way we exchange data and are typically the method of choice when sharing data with external parties.

Microservices architecture is ideal for developing and updating mobile applications because it can simplify data sharing. In fact, according to recent research from Advanced Market Analytics “mobility and app proliferation is the primary factor augmenting the demand for API management” and they also point out “API security issues” as a potential constraint to growth. 

Implementing MuleSoft as an OAuth Provider for Securing a Mule Application

Introduction

The OAuth2 Provider module allows a Mule runtime engine (Mule) app to be configured as an Authentication Manager in an OAuth2 dance. With this role, the application will be able to authenticate previously registered clients, grant tokens, validate tokens, or register and delete clients, all during the execution of a flow. 

MuleSoft supports various third-party OAuth 2.0 providers, as listed below:

Mule 4 – Client ID Enforcement

Hello, everyone! Today, I will try to explain in detail how to implement Client ID Enforcement in Mule 4. The purpose of the Client ID Enforcement policy is to allow access only to authorized client applications.

The Client ID Enforcement policy is used to restrict access to a protected resource by allowing requests only from registered client applications. The policy ensures that only requests that contain valid client credentials are able to access protected resources.

Four Misconceptions About Multi-Factor Authentication

It’s important that companies realize that without Multi-Factor Authentication (MFA), they are wide open to attacks if their employees fall for phishing scams or share passwords, which happens all the time.

There is no doubt that compromised credentials constitute one of the biggest security threats today. The challenge with compromised credentials is that the attacker is in possession of valid and legitimate corporate details. This means that it is very difficult to detect because all of the security tools you might have in place consider that the person who is logging in is precisely who they say they are.

Use MySQL Without a Password (And Still Be Secure)

Some say that the best password is the one you don’t have to remember. That’s possible with MySQL, thanks to the auth_socket plugin and its MariaDB version unix_socket.

Neither of these plugins is new, but while reviewing what’s new with MariaDB 10.4, I saw that the unix_socket now comes installed by default and is one of the authentication methods (one of them, because, in MariaDB 10.4, a single user can have more than one authentication plugin, as explained in the Authentication from MariaDB 10.4 document).

Authentication and Authorization: Mastering Security

Don't be this paranoid... but maybe be a little paranoid

In this edition of "Best of DZone," we dive into a topic that's forgotten all too often during software development: security. So, strap in, close the blinds, and, as our CTO likes to say, "Put on your tin foil hats," as we dive into all things authentication and authorization.

Whether it be auth basics, adding auth to your web apps, microservices, or APIs, or getting started with JSON Web Tokens (JWTs), we (meaning our amazing community of contributors) have your back to make sure your next project is completely secure, no matter the situation. 

Deep Dive Into OAuth2.0 and JWT (Part 2 OAuth2.0)

In the previous article, we introduced Authentication and Authorization. In this article, let us have a look at one of the most commonly used implementations, i.e. OAuth2.0.

Introduction

In the traditional client-server authentication model, the client requests protected resources on the server by authenticating with the server using the resource owner's credentials. To provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party. This sharing of credentials can create several problems and limitations, some of which are listed below.

Deep Dive Into OAuth2.0 and JWT (Part 1 Setting the Stage)

Right from the inception of computer-based applications to today, one of the most common, yet complex, problems that almost every developer must have come across during their career is security. This means understanding what data or information is to be presented to whom, in addition to many other aspects like time, validation, re-validation and so on.

All the concerns related to security can be broken down into two categories: authentication and authorization.

Deep Dive to OAuth2.0 and JWT (Part 3)

In the previous article, we introduced OAuth2.0. In this article, let us have a look at JWT.

JSON Web Token (JWT), usually pronounced “jot,” is a standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs carry information in the form of claims and are especially useful in space-constrained environments such as HTTP headers. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Learn How to Use Okta’s Authentication API with Java Servlets

Get the authentication your application needs

Building an application from the ground up can be very satisfying. It can help you learn the nitty-gritty of software development and how to overcome its everyday challenges. Today, we’ll use Java Servlets to build an app from scratch. 

There are numerous ways to add authentication to your app. To build this sample app, we’ll use Okta for simple and secure user authentication.

Login With Facebook and Google Using Angular 8


In this article, we will learn the step-by-step process of allowing users to log in to an application with Facebook and Gmail using Angular 8. Login with Facebook and Google makes it safe and easy for users to use applications. When a user clicks on the Login button for Facebook or Gmail, the user is navigated to Facebook or Google to grant the app permission. In response, the application receives a token and other personal details of the user. We will use the angular6-social-login Angular library in the demo.


Prerequisites

This article covers the following:  

Open ID Connect Authentication With OAuth2.0 Authorization

In the previous decade, Open Authorization (OAuth) has emerged as an industry-standard protocol for authorization. Today, almost every web application and mobile application uses OAuth 2.0 (the latest version of OAuth) for authorization.

OAuth 2.0 is used by tech giants like Facebook, Google, and Twitter. It allows users to share information about their accounts with third-party applications or websites. It is also used to provide mechanisms for user authentication. This has led many developers and API providers to incorrectly conclude that OAuth is itself an authentication protocol and, thus, to use it to perform authentication. The question here is: are they right in doing that?

Spring Boot REST Service Protected Using Keycloak Authorization Services

Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box authentication and authorization services as well as advanced features like User Federation, Identity Brokering, and Social Login.

Keycloak provides fine-grained authorization services as well. This allows you to manage permissions for all your services from the Keycloak admin console and gives you the power to define exactly the policies you need.

Facebook Authentication and Authorization in Server-Side Blazor App

Introduction

The latest preview for .NET Core 3 (preview-6) has introduced the functionality to add authentication and authorization in a server-side Blazor application. In this article, we will learn how to implement authentication and authorization using Facebook in a server-side Blazor application. You can refer to my previous article Understanding Server-side Blazor to get in-depth knowledge on server-side Blazor.

Prerequisites

  • Install the latest .NET Core 3.0 Preview SDK from here.
  • Install the latest preview of Visual Studio 2019 from here.
  • Install ASP.NET Core Blazor Language Services extension from here.

Source Code

Get the source code from GitHub.

Authorization in Microservices With MicroProfile

I've been working on an example that demonstrates how to get started with cloud-native applications as a Java developer. The example is supposed to be a full end-to-end sample application which includes the topics of authentication and authorization, since that functionality is required by most applications. This article describes how to check authorization in microservices implemented with Java EE and Eclipse MicroProfile.

Get the code of the example application cloud-native-starter from GitHub.

IoT Security Compliance: Necessary?

With so many IoT devices clouding the market, we wonder about the security of each unit. And rightly so, if you consider that cyber attacks cost U.S. enterprises $1.3 million, on average, in 2017. It is predicted that around 29 billion connected devices will be present by 2022, of which around 18 billion will be related to IoT. Given these figures, it is easy to imagine how important it is to have safe and secure IoT devices. In fact, 70 percent of IoT devices have a significant security vulnerability. When so many devices are connected to each other over nonsecure platforms, the possibility of data security and cybersecurity being compromised is incredibly high.

For instance, Chevrolet reported an increase in data usage of 200 percent for its Internet-connected vehicles. In spite of its advantages, this also exposes vehicles to the possibility of a security breach. As expected, hackers were able to remotely control the brakes and steering of one of their vehicles. The impact of such hacking into any physical product is immense. Apart from the loss of brand loyalty, payment of claims, and product recalls, such security compromises can also lead to loss of life and property. To cite another instance, there have been studies where doctors have been handed hacked devices which have led to the death of simulated patients. It is horrifying to consider the real-life implications.

So, here is a checklist of all important points that must be considered while creating an IoT Security Compliance checklist.