Posted on

OAuth2 Bearer Token Usage

I have immersed myself in the digital identity space for the past few years. A good chunk of this work involves reading (and sometimes creating) specifications, as you can imagine. It is critical that they be written in such a way that two independent parties can build interoperable implementations without relying on each other’s code. With this in mind, let’s have a brief chat about OAuth2 Bearer Token Usage with a focus on the token’s encoding.

But first, let’s have a brief talk about what OAuth2 is.

Posted on

Use Both JWT and Opaque Access Tokens With Spring Boot

How can one validate OAuth 2.0 access tokens? This question frequently comes up — along with the topic of validating JSON Web Tokens (JWT) based access tokens— however, this is NOT part of the OAuth 2.0 specification. JWTs are used so commonly that Spring Security supported them before adding support for remotely validating tokens. 

This article will introduce how to build a simple application that utilizes both types of validation.

Posted on

Attribute Based Access Control for Mulesoft APIs

How can we automate the processes of API registrations and access controls to make it easier to manage at scale? Attribute-based access control (ABAC) has unique advantages over role-based access control (RBAC) for API gateway management, especially when it’s enabled with the OAuth2 JSON web token (JWT). Let’s explore how ABAC could be implemented effectively for Mulesoft API gateway through a custom policy.

Background

By default, the Mule Anypoint Platform comes with its own identify provider (IdP) (ref2). This IdP is intended to help customers to jump-start their projects or create PoCs. It is not provided for production deployments, especially with a large number of client applications. For that purpose, Mule supports integration with external IdPs, such as Okta, OpenAM, etc. 

Posted on

Mule OAuth 2.0 Provider in Mule 4

Mule OAuth 2.0 Provider in Mule 4

First of all, thanks to MuleSoft for reducing and simplifying the steps to configure the Mule OAuth 2.0 policy by using Mule 4 components.

To apply the OAuth 2.0 policy, the below configuration needs to be done.

Posted on

Deep Dive Into OAuth2.0 and JWT (Part 2 OAuth2.0)

In the previous article, we introduced Authentication and Authorization. In this article, let us have a look at one of the most commonly used implementation, i.e. OAuth2.0.

Introduction

In the traditional client-server authentication model, the client requests protected resources on the server by authenticating with the server using the resource owner's credentials. To provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party. This sharing of credential can create several problems and limitations, some of which are listed below.

Posted on

All You Need to Know About User Session Security

What follows is a two-part series on session management  —  inspired by extensive conversations with over 70 developers and our own intensive research. We will explore different session management practices, identify issues, and converge on a solution to these issues. Through it all, I hope to leave you with clarity on deciding how to manage user sessions (and auth tokens) for your application. In 20 minutes, we summarize all the important information it took us hundreds of hours to obtain and document.

This article will introduce session management, analyze commonly use session flaws, and demonstrate best practices. Part two will take a look at a new open-source flow that is secure and easy to integrate into existing systems.