Sep 25OAuth2 Token Exchange in PracticeOver time, OAuth2 has evolved to meet increasingly complex security needs that go beyond the basic capabilities of a Security Token Service (STS). In this post, we will discuss the Token Exchange grant type which is a versatile grant type designed to tackle a range of real-world challenges. At its…Oauth213 min readOauth213 min read
Apr 19, 2021How to register and manage OAuth2 clients?In the first post of this blog series about the OAuth2, I provided a comprehensive overview of the OAuth2 core specification and its supporting specification. In the 2nd post, I discussed the OAuth2 Authorization Server Metadata specification. In this post, I will discuss the OAuth2 Dynamic Client Registration (DCR) and…Oauth212 min readOauth212 min read
Apr 24, 2020How do you discover the OAuth2 server configuration?This article is the second post in my blog series about the OAuth2; reading the first post may help you to understand this current topic easily. Although I intended to provide an overview above the OAuth2 and related specifications, I have extensively discussed the Authorization Code grant type in the…Oauth28 min readOauth28 min read
Apr 19, 2020Understanding OAuth2 LandscapeNow it has been nearly 8 years after the formal approval of OAuth2 Core standard by IETF. Obviously, the OAuth2 is not a new technology for writing yet another introduction post, especially in 2020. So what has motivated me to write an introductory post about OAuth2 at this point? …Oauth220 min readOauth220 min read
Oct 2, 2019API Security: How to avoid Broken Object Level Authorization & Broken Function Level AuthorizationOWASP project recently finalised their API Security Top 10 list into RC level; you can have a look at it from here. When I went through the list, I was a bit surprised because most of the top security vulnerabilities are fundamental principles that we had been practising for a…Owasp Top 108 min readOwasp Top 108 min read
Jun 9, 2018Reloading SAML: Web Browser SSO ProfileSo far I have discussed key constructs of SAML 2.0 core standard and few supportive standards such as IDP Discovery and SAML Metadata too. Starting from this post, I’m planning to discuss SAML Profiles, if I recall our discussion about SAML profiles, profiles are practical use-cases defined in terms of…Authentication13 min readAuthentication13 min read
May 12, 2018Reloading SAML : IdP DiscoveryThis post is somewhat different from other posts of this series, majority of the concepts that we are discussing here are not only specific to SAML, those can be used with some other protocols as well, additionally, some of the real-world examples used here to describe some general concepts are…Saml14 min readSaml14 min read
Apr 8, 2018Looking for a GDPR compliant IAM product ?WSO2 Identity Server (WSO2 IS) is a leading open source IAM (Identity and Access Management ) product and a member of WSO2 middleware platform. Like any other WSO2 product WSO2 IS is also licensed with Apache 2.0 …Wso24 min readWso24 min read
Apr 1, 2018Reloading SAML: Why do you need SAML Metadata?As we previously discussed, SAML is a structured format to define security information (assertions) about a subject (usually about an individual) by an authorized authority called asserting party; however, there is no point to generate a SAML assertion and keep it itself by the asserting party, instead generated SAML assertions…Security9 min readSecurity9 min read
Mar 26, 2018Reloading SAML : SAML BasicsDuring the last post, I discussed some of the practical use cases of SAML, within this post I will try to discuss a few basic concepts related to SAML. Generally, we refer SAML as a one stranded but it has been evolved into a complex ecosystem with a number of…Saml10 min readSaml10 min read
