Summary
OAuth 2 in Action teaches you the practical use and deployment of this HTTP-based protocol from the perspectives of a client, authorization server, and resource server. You'll learn how to confidently and securely build and deploy OAuth on both the client and server sides. Foreword by Ian Glazer. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the Technology
Think of OAuth 2 as the web version of a valet key. It is an HTTP-based security protocol that allows users of a service to enable applications to use that service on their behalf without handing over full control. And OAuth is used everywhere, from Facebook and Google, to startups and cloud services.

About the Book
OAuth 2 in Action teaches you practical use and deployment of OAuth 2 from the perspectives of a client, an authorization server, and a resource server. You'll begin with an overview of OAuth and its components and interactions. Next, you'll get hands-on and build an OAuth client, an authorization server, and a protected resource. Then you'll dig into tokens, dynamic client registration, and more advanced topics. By the end, you'll be able to confidently and securely build and deploy OAuth on both the client and server sides.

What's Inside
Covers OAuth 2 protocol and design
Authorization with OAuth 2
OpenID Connect and User-Managed Access
Implementation risks
JOSE, introspection, revocation, and registration
Protecting and accessing REST APIs

About the Reader
Readers need basic programming skills and knowledge of HTTP and JSON.

About the Author
Justin Richer is a systems architect and software engineer. Antonio Sanso is a security software engineer and a security researcher. Both authors contribute to open standards and open source.

Table of Contents
Part 1 - First steps
What is OAuth 2.0 and why should you care?
The OAuth dance
Part 2 - Building an OAuth 2 environment
Building a simple OAuth client
Building a simple OAuth protected resource
Building a simple OAuth authorization server
OAuth 2.0 in the real world
Part 3 - OAuth 2 implementation and vulnerabilities
Common client vulnerabilities
Common protected resources vulnerabilities
Common authorization server vulnerabilities
Common OAuth token vulnerabilities
Part 4 - Taking OAuth further
OAuth tokens
Dynamic client registration
User authentication with OAuth 2.0
Protocols and profiles using OAuth 2.0
Beyond bearer tokens
Summary and conclusions
To avoid having to pass sensitive user data on to third parties when accessing external web services, authentication and authorization procedures are used, such as the currently popular protocols OAuth 2.0 and OpenID Connect. The aim of this book is to examine major Internet companies acting as protocol providers (e.g. Facebook, Google, Microsoft) for attack surfaces, and to determine whether attackers can exploit them with reasonable effort. To this end, the concepts of authentication and authorization on the Internet and commonly used procedures are described. The theoretical protocol flow of OAuth 2.0 and OpenID Connect is explained in detail so that an analysis of the security threats can be carried out. Organized into nine security threats, 18 systematically conducted series of experiments were documented and the results discussed. Three security threats could be demonstrated, including a successfully executed cross-site request forgery attack on a popular Austrian website that uses OAuth 2.0 as its single sign-on protocol.
This book will prepare you to meet the next wave of challenges in enterprise security, guiding you through and sharing best practices for designing APIs for rock-solid security. It will explore different security standards and protocols, helping you choose the right option for your needs. Advanced API Security, Second Edition explains in depth how to secure APIs, from traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it. Keep your business thriving while keeping enemies away. Build APIs with rock-solid security. The book takes you through the best practices in designing APIs for rock-solid security, provides an in-depth understanding of the most widely adopted standards for API security, and teaches you how to compare and contrast different security standards and protocols to find out what suits your business needs best. This new edition enhances all the topics discussed in its predecessor with the latest up-to-date information, and provides more focus on beginners to REST, JSON, microservices and API security. Additionally, it covers how to secure APIs for the Internet of Things (IoT).

Audience: Advanced API Security, Second Edition is for enterprise security architects and developers who are designing, building and managing APIs. The book provides guidelines, best practices in designing APIs and threat mitigation techniques for enterprise security architects, while developers gain hands-on experience by developing API clients against Facebook, Twitter, Salesforce and many other cloud service providers.

What you'll learn
- Build APIs with rock-solid security by understanding best practices and design guidelines.
- Compare and contrast different security standards/protocols to find out what suits your business needs best.
- Expand business APIs to partners and outsiders with Identity Federation.
- Get hands-on experience in developing clients against Facebook, Twitter, and Salesforce APIs.
- Understand and learn how to secure the Internet of Things.
KEY FEATURES
- Hands-on examples
- Connect with major online services like Google, Facebook, Twitter
- Takes the reader from beginner to advanced OAuth 2 topics.

AUDIENCE
Readers need basic programming skills and knowledge of HTTP and JSON.
Twitter is rapidly moving up the social networking food chain and is currently outranked by only Facebook and MySpace. It features a programming API that allows you to build Web sites and applications (both desktop and mobile) for reading and posting to Twitter, finding other Twitter users, aggregating Twitter content, and other uses. This book walks you through the process of combining many programming tools in order to build exciting, useful, and profitable applications. You'll begin with a look at RESTful services and examine how to structure your queries, handle asynchronous operations, use headers, and post binary data. From there, author and TweetSharp developer Daniel Crenna explains how to authenticate with the OAuth specification for Web and Windows applications.
* Twitter is growing in popularity at a rapid pace and this book shows you how to take advantage of its programming API to build applications
* Explains the various ways to design a Twitter application, including caching, third party application interoperability, real-time data binding, push vs. pull data scenarios, and more
* Takes an in-depth look at TweetSharp, a .NET library for developing Twitter applications, whose creator is also the author of this book
* Walks you through requesting and retrieving responses from Twitter's API
* Warns you of considerations to take into account regarding authentication and security
Professional Twitter Development shows you how to get the most out of Twitter so that you can build your own applications for this exciting new platform.
Beginning iOS Apps with Facebook and Twitter APIs shows you how to add the power of social networking to your mobile apps on iPhone, iPad, and iPod touch. With this book as your guide, you can write apps that connect to Facebook and Twitter quickly, securely, and discreetly. Instead of starting from scratch, you will build on the vast resources, data storage capacity, and familiar features of these platforms which have become part of everyday life for hundreds of millions of users worldwide. Beginning iOS Apps with Facebook and Twitter APIs introduces you to the development tools, techniques, and design practices you will need to work with the APIs. It helps you decide whether to use Facebook, Twitter, or both, and explains the important issues of design, branding, and permissible use guidelines. You will learn how to guarantee privacy and use OAuth for authentication and single sign-on. Create news apps, shopping apps, contact apps, GPS apps, guides, and more, that let users transparently:
* Sign on once, then freely work with and manage their Facebook and Twitter accounts
* Publish game high scores, post likes, links, and status updates
* Send messages, share pictures, and forward Tweets
* Tweet a link to an event, show themselves as attending, and see who else is there
* Show Tweets that are relevant to a topic within a news app
* Show Tweets about a restaurant
* Organize a group or community
From time to time, new forms of communication come along that make it easier for people to communicate and manage their social lives. Like phone calls and SMS before them, Facebook and Twitter have, in a short time, become essential parts of the social fabric of life for an ever-growing number of people throughout the world. The knowledge you'll gain from Beginning iOS Apps with Facebook and Twitter APIs will help you create exciting and popular iOS apps that your users will rely on every day to help make their lives more meaningful and connected.
Single sign-on (SSO) is a property of access control across multiple related but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property, whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store credentials different from those used for the initial authentication. This book is your ultimate resource for Single sign-on (SSO). Here you will find the most up-to-date information, analysis, background and everything you need to know. In easy-to-read chapters, with extensive references and links to get you to know all there is to know about Single sign-on (SSO) right away, covering: Single sign-on, Password, 1dl, 2D Key, ATM SafetyPIN software, Canonical account, Challenge-Handshake Authentication Protocol, Challenge-response authentication, Cognitive password, Default password, Diceware, Draw a Secret, Duress code, LM hash, Munged password, One-time password, OpenID, OTPW, Partial Password, Passmap, PassPattern system, Passphrase, Password authentication protocol, Password cracking, Password fatigue, Password length parameter, Password management, Password manager, Password notification e-mail, Password policy, Password strength, Password synchronization, Password-authenticated key agreement, PBKDF2, Personal identification number, Pre-shared key, Privileged password management, Random password generator, Risk-based authentication, S/KEY, Secure Password Authentication, Secure Remote Password protocol, SecurID, Self-service password reset, Shadow password, Swordfish (password), Windows credentials, Zero-knowledge password proof, Federated identity, Federated identity management, Apple ID, Athens (access and identity management service), CoSign single sign on, Credential Service Provider, Crowd (software), Digital identity, E-Authentication, Enterprise Sign On Engine, EZproxy, Facebook Platform, Google Account, Higgins project, Identity Governance Framework, Identity metasystem, Information Card, Information Card Foundation, Janrain, JOSSO, Light-Weight Identity, Novell Access Manager, OneLogin, OpenAM, OpenSSO, Point of Access for Providers of Information, Pubcookie, Shibboleth (Internet2), Sun Java System Access Manager, Ubuntu Single Sign On, Windows CardSpace, Windows Live ID, Yadis, Access control list, Access Control Matrix, Atomic authorization, Authentication, Authorization, Bell-LaPadula model, Closed-loop authentication, Comparison of privilege authorization features, Computational trust, Context-based access control, Copy protection, Cryptographic log on, DACL, Database audit, DataLock Technology, Delegated administration, Delegation of Control, Digipass, Directory service, Discretionary access control, Distributed Access Control System, EAuthentication, Form-based authentication, Global Trust Council, HERAS-AF, HTTP cookie, HTTP+HTML form-based authentication, IBM Lightweight Third-Party Authentication, IBM Tivoli Access Manager, Identity Assertion Provider, Identity driven networking, Initiative For Open Authentication, Integrated Windows Authentication, Internet Authentication Service, Java Authentication and Authorization Service, Location-based authentication, Logical access control, Login, LOMAC, Mandatory access control, MicroID, Microsoft Fingerprint Reader, Mobilegov, Multi-factor authentication, Mutual authentication, NemID, NIST RBAC model, OAuth, Object-capability model... and much more. This book explains in depth the real drivers and workings of Single sign-on (SSO). It reduces the risk of your technology, time and resources investment decisions by enabling you to compare your understanding of Single