Configure Single Sign-On for CockroachDB Dedicated With Google OAuth

Motivation

CockroachDB Dedicated is a fully managed, reserved CockroachDB cluster that is well suited to running a database in the cloud. We are frequently asked how to set up SSO for individual CockroachDB Dedicated clusters. We have a detailed tutorial that walks through SSO on a local, self-hosted cluster, but it was not clear that the same steps apply to Dedicated. As that document shows, CockroachDB Dedicated supports OIDC authentication. Today we will walk through using OIDC, with Google as the OAuth provider, specifically with the Dedicated offering.

High-Level Steps

  • Provision Dedicated cluster
  • Configure OAuth Client ID
  • Configure CockroachDB with the OAuth details
  • Verify

Step by Step Instructions

Provision Dedicated Cluster

Follow this tutorial to set up a Dedicated cluster.

Dive Into OAuth Grant Types and OpenID Connect Flows

In my last article you could read about the differences between OAuth, SAML, and OpenID Connect. Today I want to continue the topic and dive deeper into the authentication process defined by OpenID Connect and the authorization process defined by OAuth. First, though, a few words about the naming conventions used by each.

GrantTypes vs Flows — Semantic Difference

In general, both terms are correct and can be used interchangeably: both describe the same thing, a process for obtaining an access token. Just keep in mind that “grant type” is the term more strongly associated with OAuth, while “flow” is more strongly associated with OpenID Connect. As a side note, the word “flow” rarely occurs in the OAuth specification at all.

What Is Keycloak and What Does It Offer?

Application security becomes a more important topic every day. Unauthorized access to protected data can cost millions of dollars in financial penalties alone. Almost every application needs a reliable tool to manage its users’ identities and access. There are plenty of solutions on the market, both free and paid, that promise to provide such features. In today’s article I will present one of them which, as you have probably guessed from the title, is Keycloak. I hope this article gives you a better understanding of its basics and of why it may be worth your while to get more familiar with it. As usual, I will start with a short description of what Keycloak actually is.

Before we start — a quick disclaimer

API Security Weekly: Issue #113

This week, we take a look at recent API vulnerabilities reported at YouTube and 1Password, detailed security research on OpenID Connect (OIDC), and how Assetnote Wordlists can be used in API discovery.

Vulnerability: YouTube

Ryan Kovatch was testing the YouTube Video Builder beta when he discovered flaws in the YouTube APIs it uses.

Introduction To OAuth Framework

If you come from a development background, you have almost certainly heard of OAuth. Technology has evolved a lot over the past few years, and so has security. With growing security concerns, many frameworks and patterns appeared, and OAuth was one of them. Developers who adopted OAuth found it a secure and useful way to grant an application limited access to a user’s resources without handing it the user’s credentials, and as its popularity grew, many organizations started using it.

Today, millions of applications are powered by the OAuth authorization framework. It is important to understand what it is all about, and I think that is why you are reading this article.

Securing Open Liberty Applications With Azure Active Directory via OpenID Connect

Long gone are the days when you had to build your own user account management, authentication, and authorization for your web-delivered software. Instead, contemporary applications obtain these functions (Identity and Access Management, IAM for short) from an external provider. As a full-featured Java application runtime, Open Liberty has great options for externally provided IAM. Open Liberty supports IAM mainstays such as social media login, SAML, and OpenID Connect. In Bruce Tiffany's blog post Securing Open Liberty apps and micro-services with MicroProfile JWT and Social Media login, you have a solid example of how to use the Open Liberty social media login feature to authenticate users with their existing social media credentials. In this blog post, let's take a look at another example: how to configure the Liberty social login feature as an OpenID Connect client to secure Java applications with Azure Active Directory.

The code used in this blog post is hosted on this GitHub repository as part of the official Azure samples - feel free to check it out and follow its user guide to run the Java EE demo application before or after reading this blog.

Securing Web Apps Using PKCE With Spring Boot

Technology has a way of updating faster than security standards. OAuth 2.0 is the latest and greatest standard for modern applications, but it’s eight years old now! Its contributors are working on the next version as we speak, and in the meantime, they release “guidance” periodically to help developers use OAuth 2.0 with new technology.

Last year, its authors submitted two important pieces of draft guidance for OAuth 2.0. OAuth 2.0 Security Best Current Practice gives advice for securing modern apps with OAuth 2.0, and OAuth 2.0 for Browser-Based Apps focuses specifically on web app best practices. Both recommend the authorization code flow with PKCE, rather than the implicit flow, for public clients such as single-page apps, because such clients cannot keep a client secret and the code can otherwise be used by whoever intercepts it.
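The point of PKCE is that an intercepted authorization code is useless without the code_verifier that only the legitimate client holds. The following is an added example in plain Python, not code from the Spring Boot post excerpted above: the client side derives code_challenge from a random code_verifier exactly as RFC 7636 specifies, and a hypothetical in-memory authorization server (all names in it are assumptions) binds the challenge to the code and checks the verifier at token exchange. It also shows the two server-side checks the Security BCP cares about: refusing the `plain` method and refusing to reuse a code.

```python
"""PKCE (RFC 7636) round trip: client-side derivation plus the server-side
checks at token exchange. Added example; the AuthorizationServer class is a
hypothetical stand-in, not any real library's API."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding for both values.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the RFC minimum (max is 128).
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical authorization server reduced to the PKCE-relevant logic."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge, code_challenge_method):
        # The Security BCP says S256 only. With 'plain' the challenge IS the
        # verifier, so anyone who saw the authorization request can redeem the code.
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code  # in a real flow this is sent to the redirect_uri

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            return None
        owner, challenge = entry
        if owner != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        if not secrets.compare_digest(make_challenge(code_verifier), challenge):
            return None  # verifier does not match the challenge bound to this code
        return "access-token-" + secrets.token_hex(8)


def rfc7636_vector_ok() -> bool:
    # Appendix B of RFC 7636 gives this verifier/challenge pair.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    return make_challenge(verifier) == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def run_scenarios() -> dict:
    """Honest client, a replay, a leaked code without its verifier, a downgrade."""
    srv = AuthorizationServer()

    # Flow 1: the legitimate client redeems its code, then the code is replayed.
    verifier = make_verifier()
    code = srv.authorize("spa", make_challenge(verifier), "S256")
    legit = srv.token("spa", code, verifier)
    replay = srv.token("spa", code, verifier)

    # Flow 2: the code leaks (malicious app, logged redirect URL), but the
    # verifier never left the client's memory, so the thief guesses.
    verifier2 = make_verifier()
    code2 = srv.authorize("spa", make_challenge(verifier2), "S256")
    stolen = srv.token("spa", code2, make_verifier())

    # Downgrade attempt: send the verifier itself with method 'plain'.
    try:
        srv.authorize("spa", verifier2, "plain")
        plain_rejected = False
    except ValueError:
        plain_rejected = True

    return {
        "legit_ok": legit is not None,
        "replay_rejected": replay is None,
        "stolen_code_rejected": stolen is None,
        "plain_rejected": plain_rejected,
    }


if __name__ == "__main__":
    print("RFC 7636 vector:", rfc7636_vector_ok())
    print(run_scenarios())
```

In a Spring Boot client the verifier generation and challenge derivation are done for you by Spring Security's authorization-code support; the value of walking through it by hand is seeing what the server must enforce (S256 only, single-use codes, constant-time comparison) for the protection to hold.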

Easy OAuth 2.0 Single Sign-on in Java

Different applications need different permissions. Although you might have a single resource server providing data to multiple apps, it is often the case that you do not want every user of application A to be able to access application B.

In this tutorial, you’ll learn how to use Okta and Spring Boot to implement SSO with two client applications and a single resource server. You’ll also learn how to restrict access to the resource server based on the scopes granted to each app, and how to use access policies to enforce authentication and authorization rules.

Authorization Approach for Multiple Web API Providers

Azure Active Directory (Azure AD) is a popular enterprise identity service that many organizations use to enable single sign-on for applications and to protect their web APIs.

The v2.0 endpoint of the Microsoft identity platform (built on Azure AD) is the latest and improved implementation of OpenID Connect (OIDC) authentication and OAuth 2.0 authorization flows.

Origin Authentication and RBAC in Istio with Custom Identity Provider

The concept of access control can be boiled down to two factors: authentication (AuthN) and authorization (AuthZ). Authentication establishes the identity of a client from the data it presents to the identity provider (e.g., Google or Microsoft AD), while authorization determines whether an authenticated principal may interact with a given resource.

Istio supports token-based end-user authentication with JSON Web Tokens (JWT). In Istio terms, authenticating the end user, who might be a person or a device, is known as origin authentication. Istio lets you validate nearly every field of a JWT presented to it, including the signature against the issuer's JWKS, the issuer, the audiences, and the expiry. Because JWT is an industry-standard token format, Istio's origin authentication works with OpenID Connect providers such as Auth0, Google Auth, and Keycloak.
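Whether the check runs in Istio's sidecar or in a resource server behind Okta, the validation a JWT must pass is the same: signature, issuer, audience, time window, and then the scopes the caller needs. The following is an added example, not code from the Istio or Okta posts excerpted on this page; it serves both the scope-based restriction the Okta tutorial describes (a token minted for app A must not unlock app B) and the origin-authentication checks above. It signs with HS256 and a shared key so it runs offline; an OIDC provider or Istio would verify an RS256 signature against the issuer's JWKS, but the claim checks are identical. The issuer URL, key, audiences, and scope names are constructed inputs.

```python
"""Resource-side JWT validation: pinned alg, signature, iss, aud, exp/nbf,
then scopes. Added example with constructed tokens; HS256 is used only so the
block is self-contained (real OIDC deployments use RS256 with JWKS)."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token the way a test issuer would (used only to build inputs)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(key, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


class TokenError(Exception):
    """Raised with a short reason: malformed, alg, signature, iss, aud, exp, nbf, scope."""


def verify(token, key, issuer, audience, required_scopes=(), now=None) -> dict:
    """Return the claims if every check passes, else raise TokenError(reason)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed")
    # Pin the algorithm on the verifier side; never dispatch on the token's
    # own 'alg' (that is how alg=none and key-confusion attacks get in).
    if header.get("alg") != "HS256":
        raise TokenError("alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("signature")
    try:
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed")
    if claims.get("iss") != issuer:
        raise TokenError("iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("aud")  # minted for a different app / resource
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("exp")
    if claims.get("nbf", 0) > now:
        raise TokenError("nbf")
    granted = set(str(claims.get("scope", "")).split())
    if set(required_scopes) - granted:
        raise TokenError("scope")
    return claims


def outcome(token, key, issuer, audience, required_scopes=(), now=None) -> str:
    """'ok' or the reason the token was rejected; handy for tests and logs."""
    try:
        verify(token, key, issuer, audience, required_scopes, now)
        return "ok"
    except TokenError as err:
        return str(err)


# Constructed inputs: one issuer, one resource server ('api'), fixed clock.
KEY = b"constructed-shared-secret-for-the-example"
ISSUER = "https://issuer.example"
NOW = 1_700_000_000


def run_scenarios() -> dict:
    base = {"iss": ISSUER, "sub": "alice", "iat": NOW, "exp": NOW + 300}
    good = sign_hs256({**base, "aud": "api", "scope": "openid app-a:read"}, KEY)
    other_app = sign_hs256({**base, "aud": "app-b", "scope": "openid app-a:read"}, KEY)
    expired = sign_hs256({**base, "aud": "api", "scope": "openid app-a:read", "exp": NOW - 1}, KEY)
    wrong_iss = sign_hs256({**base, "iss": "https://evil.example", "aud": "api", "scope": "openid app-a:read"}, KEY)
    # Tampered: payload upgraded to an admin scope, original signature kept.
    h, _p, s = good.split(".")
    forged = _b64url_encode(json.dumps({**base, "aud": "api", "scope": "openid app-a:read app-a:admin"}, separators=(",", ":")).encode())
    tampered = ".".join([h, forged, s])
    # alg=none: unsigned token claiming no signature is needed.
    none_hdr = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    alg_none = ".".join([none_hdr, forged, ""])
    need = ["app-a:read"]
    return {
        "good": outcome(good, KEY, ISSUER, "api", need, NOW),
        "other_app": outcome(other_app, KEY, ISSUER, "api", need, NOW),
        "expired": outcome(expired, KEY, ISSUER, "api", need, NOW),
        "wrong_iss": outcome(wrong_iss, KEY, ISSUER, "api", need, NOW),
        "tampered": outcome(tampered, KEY, ISSUER, "api", need, NOW),
        "alg_none": outcome(alg_none, KEY, ISSUER, "api", need, NOW),
        "missing_scope": outcome(good, KEY, ISSUER, "api", ["app-a:admin"], NOW),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:14s} {result}")
```

The ordering matters: the signature is checked before any claim is read, so a forged payload is rejected as "signature" rather than being partially trusted, and the audience check is what stops a valid token issued for app B from being replayed against app A. In Istio the same checks are expressed declaratively (issuer and JWKS in a RequestAuthentication, audiences and claim conditions in an AuthorizationPolicy) rather than in code.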