Solving Identity Management in Modern Applications: Demystifying OAuth 2, OpenID Connect, and SAML 2

Authors: Yvonne Wilson, Abhishek Hingnikar


Publisher: Apress
Year: 2022
Language: English
Pages: 398
Category: Library


✦ Synopsis


Know how to design and use identity management to protect your application and the data it manages.

At a time when security breaches result in increasingly onerous penalties, it is paramount that application developers and owners understand identity management and the value it provides when building applications. This book takes you from account provisioning to authentication to authorization, and covers troubleshooting and common problems to avoid. The authors include predictions about why this will be even more important in the future. Application best practices with coding samples are provided.

Solving Identity and Access Management in Modern Applications gives you what you need to design identity and access management for your applications and to describe it to stakeholders with confidence. You will be able to explain account creation, session and access management, account termination, and more. This expanded edition has been revised to provide an overview of the new version of OAuth (2.1): the primary changes in this version, including features that were present in 2.0 but removed from 2.1, and why they were removed. The discussion of the book's accompanying sample application has been revised to cover in more depth the approach for developing the application (also revised). A new section has been added on the OAuth 2.0 Device Authorization Grant (RFC 8628) specification, which is useful for devices with limited UI capability. Minor additions include the topics of identity proofing, the need to capture and organize consent information, the impact of tracking prevention technology on certain identity protocols, and the availability of additional options for authorization requests such as OAuth 2.0 Rich Authorization Requests and JWT-Secured Authorization Requests (RFC 9101).

What You'll Learn
• Understand key identity management concepts
• Incorporate essential design principles
• Design authentication and access control for a modern application
• Know the identity management frameworks and protocols used today (OIDC/OAuth 2.0/2.1, SAML 2.0)
• Review historical failures and know how to avoid them

Who This Book Is For
Developers, enterprise or application architects, business application or product owners, and anyone involved in an application's identity management solution

✦ Table of Contents


About the Authors
About the Technical Reviewers
Acknowledgments
Introduction
Chapter 1: The Hydra of Modern Identity
Identity Challenges
Who Are Your Users? And Will They Authenticate?
Level of Authentication Strength
Simplifying Access for Users
Migrating Users from Legacy Applications
Regulatory Requirements
User Experience Constraints
Objective
Sample Application
Design Questions
Summary
Key Points
Notes
Chapter 2: The Life of an Identity
Terminology
Events in the Life of an Identity
Provisioning
Authorization
Authentication
Access Policy Enforcement
Sessions
Single Sign-On (SSO)
Stronger Authentication
Logout
Account Management and Recovery
Deprovisioning
Summary
Key Points
Chapter 3: Evolution of Identity
Identity Management Approaches
Per-Application Identity Silo
Centralized User Repository
Early SSO Servers
Federated Identity and SAML 2
WS-Fed
OpenID
OAuth 2
OpenID Connect (OIDC)
OAuth 2.1
Standard Protocols
Summary
Key Points
Notes
Chapter 4: Identity Provisioning
Provisioning Options
Self-Registration
Progressive Profiling
Invite-Only Registration
Identity Migration
Support Legacy Hashing Algorithm
Bulk Identity Migration
Gradual Migration of Users
Administrative Account Creation
Manual Account Creation
Automated Account Creation
Cross-Domain Account Creation
Leverage Existing Identity Service
Selecting an External Identity Service
Self-Registered Identities
Organization Identities
Government Identities
Industry Consortium Identities
Identity Provider Selection
Identity Proofing
Choosing and Validating Identity Attributes
Attribute Usage
Validating Critical Attributes
Consent Management
Summary
Key Points
Notes
Chapter 5: OAuth 2 and API Authorization
API Authorization
OAuth 2
Terminology
Roles
Confidential and Public Clients
Client Profiles
Tokens and Authorization Code
How It Works
Authorization Code Grant
Authorization Code Grant Type + PKCE
The Authorization Request
Response
Calling the Token Endpoint
Client Credentials Grant
The Authorization Request
Implicit Grant (Removed in OAuth 2.1)
Resource Owner Password Credentials Grant (Removed from OAuth 2.1)
Device Authorization Grant
The Authorization Request
Authorization Response
Polling the Authorization Server
Calling an API
Refresh Tokens
Token Usage Guidance
Access Tokens
Refresh Tokens
Confidentiality and Integrity
Token Revocation
Further Learning
Advanced Use Cases
Summary
Key Points
Notes
Chapter 6: OpenID Connect
Problem to Solve
Terminology
Roles
Client Types
Tokens and Authorization Code
Endpoints
ID Token
How It Works
OIDC Flows
OIDC Authorization Code Flow
Authentication Request
Authentication Response
Token Request
OIDC Implicit Flow
Authentication Request
Authentication Response
OIDC Hybrid Flow
Authentication Request
Authentication Response
UserInfo Endpoint
Further Learning
Summary
Key Points
Notes
Chapter 7: SAML 2
Problem to Solve
Terminology
How It Works
SP-Initiated SSO
Single Sign-On
IdP-Initiated Flow
Identity Federation
Authentication Brokers
Configuration
Summary
Key Points
Notes
Chapter 8: Authorization and Policy Enforcement
Authorization vs. Policy Enforcement
Levels of Authorization and Access Policy Enforcement
Level 1 – Application or API Access
Level 2 – Functional Access
Level 3 – Data Access
User vs. Application Authorization
User Authorization
User Profile Attributes
Transactional User Attributes
Delivery
Enforcement
Application Authorization
Application Attributes
Authorization
Delivery
Enforcement
Authorization and Enforcement Extensions
Summary
Key Points
Notes
Chapter 9: Sessions
Application Sessions
Identity Provider Sessions
Multiple Sessions
Session Duration
Session Renewal
Token Renewal
Reconstituted Sessions
Summary
Key Points
Notes
Chapter 10: Using Modern Identity to Build Applications
Sample Application: Collaborative Text Editor
Discovery
Who Are Your Users: Employees or Consumers?
How Will Users Authenticate?
Can Your App Be Used Anonymously?
Web-Based or Native App Format or Both?
Does Your Application Call APIs?
Does Your Application Store Sensitive Data?
What Access Control Requirements Exist?
How Long Should a User Session Last?
Will Users Need Single Sign-On (If More Than One Application)?
What Should Happen When a User Logs Out?
Are There Any Compliance Requirements?
Platform, Framework, and Identity Provider
Design
Buy vs. Build
Industry Standard Protocols
Architecture
Implementation: Front End
login() and handleCallback()
getToken() and getProfile()
A Detailed Note on Token Management in SPAs
.logout()
Closing Note
Implementation: Back-End API
.getUserId()
.canPerform()
Using OAuth 2 Scopes – for API Authorization
Linking Accounts
Anonymous Access
Granting Access Based on Domains
Other Applications
Additional Note on Sessions
Browsers, Trackers, and OAuth 2
Summary
Key Points
Notes
Chapter 11: Single Sign-On
What Is SSO?
How SSO Works
SSO Configuration
SSO Session Duration
Authentication Mechanisms
Login Page Branding
Multiple Identity Providers
Summary
Key Points
Notes
Chapter 12: Stronger Authentication
The Problem with Passwords
Stronger Forms of Authentication
Multi-factor Authentication
Step-Up Authentication
Multi-factor Authentication and SSO
Session Timeouts
Requesting Authentication Mechanisms
SAML 2
OIDC
Step-Down Authentication
Deployment
Summary
Key Points
Notes
Chapter 13: Logout
Multiple Sessions
Logout Triggers
Logout Options
Application Logout
OAuth 2
OIDC
SAML 2
Session Termination
Logout and Multilevel Authentication
Redirect After Logout
Summary
Key Points
Notes
Chapter 14: Account Management
Identity Attributes
User Profile Attributes
Update Process
Cached Identity Attributes
Updated Identifiers
Credential Reset
Account Recovery
Password Guidance
Helpdesk Reset
Notification
Summary
Key Points
Notes
Chapter 15: Deprovisioning
Account Termination
Best Practices
Just Do It
Provide a Soft Delete Technique
Reserve Deprovisioned Identities
Preserve Account Record
Data Transfer
Privacy Right to Erasure
Certificate of Deletion
Secure Delete
Consider Reprovisioning Requirements
Summary
Key Points
Notes
Chapter 16: Troubleshooting
Get Familiar with the Protocols
Prepare Your Tools
Test Environment
Independent Browser Windows
Capture HTTP Traces
View HTTP Traces
Make API Calls
View API Calls
View JWT and SAML 2 Tokens
Check the Simple Things
Gather Information
How Many Users Impacted?
Contributing Environmental Factors?
Which Applications Impacted?
Consistent or Intermittent Issue?
Worked Previously?
Where Does Failure Occur?
Replicate the Problem
Analyzing an HTTP/Network Trace
Capture a Trace
Check Sequence of Interaction
Check Parameters in Requests
Check HTTP Status Codes
Check Security Token Contents
Check for Security Token Validation Errors
Collaborating with Others
Summary
Key Points
Note
Chapter 17: Exceptions
Accounts
Data Restore
Account Decommission
Orphaned Account
Account Takeover
Phone Lost, Damaged, or Stolen
Identity Providers
Account Recovery Requests
Brute Force Attacks
Breached Passwords
System Outages
Authentication System Outage
Admin Access
Provisioning Systems
Cybersecurity Threats
Compromised Personal Data
Compromised Credentials
Compromised Secrets
Summary
Key Points
Notes
Chapter 18: Less Common Requirements
People
Family Accounts
Temporary Positions
Status Transition
No Email Address
Identity Defederation
Accounts
Mergers and Acquisitions
Account Linking
Progressive Profiling
Impersonation
Delegation
Environment
Shared Workstations
Identity Provider Discovery
Multitenant Applications
Summary
Key Points
Chapter 19: Failures
Pay Attention to Process
Beware of Phishy Emails
Use Multi-factor Authentication
Stay on Top of Patches
Secure Your Cloud Storage
Encrypt Sensitive Data
Do Not Store Cleartext Passwords
Provide Security Training to Developers
Vet Your Partners
Insider Threat
Summary
Key Points
Notes
Chapter 20: Compliance
What Is Compliance?
Government-Mandated Compliance
Industry Compliance
Elective Compliance Frameworks
Why Compliance
Data Protection
Competitive Advantage
Reduce Penalties
Efficiency
Compliance Landscape
Security Compliance
Privacy Compliance
Assessment and Certification
How to Proceed
Summary
Key Points
Notes
Chapter 21: Looking into the Crystal Ball
Continued Security Challenges
Ongoing Breaches
Evolving Targets
Increasing Complexity
Diversifying Motives
More Targets
Homes and Businesses
Cars
Medical Implants and Monitoring
Robots
Erosion of Perimeter Protection
Identity – Not Just for Humans
Personal Agents
Autonomous Vehicles
IoT Devices
Robots
On the Horizon
e-Identity
Stronger Authentication
Solutions for Smaller Devices
Asynchronous Online Interaction
Easier Adoption
Lessons Learned
Always Look Forward
Usability Is Important
Validation Is Critical
Logout Takes Time
Monitor Trends and Vulnerabilities
Summary
Key Points
Notes
Chapter 22: Conclusion
Appendix A: Glossary
Appendix B: Resources for Further Learning
B.1. OAuth 2 – Related Specifications
B.2. JWT
B.3. OIDC
B.4. SAML
B.5. Multi-factor Authentication
B.6. Background Information
B.7. Privacy
Appendix C: SAML 2 Authentication Request and Response
C.1. SAML 2 Authentication Request
C.2. SAML 2 Authentication Response
C.2.1. Response
C.2.1.1. Authentication Assertion (Beginning)
C.2.1.2. Digital Signature for Authentication Assertion
C.2.1.3. Subject
C.2.1.4. Conditions
C.2.1.5. Authentication Statement
C.2.1.6. Attribute Statements
C.3. Validation
Appendix D: Public Key Cryptography
Appendix E: Troubleshooting Tools
E.1. Capture an HTTP Trace
E.2. View a HAR File
E.3. Capture a Network Trace
E.4. View Security Tokens
E.5. Test APIs
Appendix F: Privacy Legislation
F.1. European Union
F.2. United States
F.3. Other Countries
F.4. Notes
Appendix G: Security Compliance Frameworks
G.1. General Security Frameworks
G.1.1. Center for Internet Security – Top 20 Controls
G.1.2. Cloud Security Alliance
G.1.3. ISO 27000
G.1.4. PCI DSS
G.2. US Frameworks
G.2.1. CJIS Security Policy – Criminal Justice Information Services Security Policy
G.2.2. FFIEC Information Technology Examination Handbook and Cybersecurity Assessment Tool
G.2.3. FISMA – Federal Information Security Management Act
G.2.4. FedRAMP – Federal Risk and Authorization Management Program
G.2.5. GLBA Safeguards Rule
G.2.6. HIPAA
G.2.7. HITECH Act
G.2.8. NIST
G.3. SOC (Service Organization Control)
G.3.1. SOC1
G.3.2. SOC2
G.4. Notes
Index
