Modern identity and access management (IAM) on the Web is complex, putting a great burden on developers who have to integrate with modern authentication or access control layers. Jim Manico demystifies the relationship between modern protocols and frameworks such as OIDC, SAML, and OAuth that make up the core of modern web IAM.
Jim begins by discussing the security mechanisms critical when building an authentication (AuthN) layer of a web application and reviews a series of historical authentication threats that will inform a discussion on authentication design patterns necessary to build low-risk, high-security web applications. Jim also covers session management threats and best practices and offers several technical demonstrations and group code review labs.
Jim then turns to a deep discussion of SAML and OIDC, common technologies used for identity federation (and more), to ask how SAML and OIDC integrate with standard web authentication mechanisms and how these standard workflows are changed when modern protocols are introduced. These integrations can get complex fast, which often leads to insecurity.
Jim concludes with an exploration of the growing importance of the OAuth framework. OAuth is a delegation framework: it lets a user grant a third-party application limited access to resources on the user's behalf without handing over the user's credentials. It increasingly appears on the radar of security professionals and developers, and it intersects with authentication and access control, yet on its own it is not an authentication protocol, a session-management mechanism, or an access-control system, and it should not be pressed into those roles. A further source of confusion is that OAuth 2.0 (RFC 6749) is specified as an authorization framework rather than a single, fully specified protocol: grant types, token formats, scope semantics, and much endpoint behavior are left to each provider, so implementations differ from one service to the next. What is delegation really, and where does OAuth fit in? Jim explains how to use OAuth securely, discusses the relationship between OAuth and OIDC, and outlines how OAuth integrates with SAML, traditional web authentication, web access control, single sign-on, and related technologies.
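The distinction above between delegation (OAuth) and authentication (OIDC) shows up concretely in what a relying party must check before it logs a user in. A bare OAuth access token tells the client only that the token may call some resource; an OIDC ID token is the provider's signed statement, addressed to this client (the aud claim) and bound to this login attempt (the nonce claim), that a user just authenticated. The following is an added example, not code from the talk or from Manicode: a stdlib-only Python validator that runs the mandatory relying-party checks from OpenID Connect Core section 3.1.3.7, then exercises it with constructed tokens, including one minted for a different client of the same provider (the substitution case that makes access tokens unsafe as login proof). The client ID, issuer URL, and signing key are hypothetical; HMAC stands in for the provider's RS256 key only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

CLIENT_ID = "my-web-app"                      # hypothetical relying party
ISSUER = "https://idp.example"                # hypothetical OpenID Provider
NOW = 1_700_000_000                           # fixed clock so the example is deterministic
# Stand-in for the provider's signing key. Real providers sign ID tokens with
# RS256/ES256 keys published at their JWKS endpoint; HMAC is used here only so
# the example runs on the standard library. Constructed, not a real secret.
PROVIDER_KEY = b"constructed-provider-signing-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """What the provider does: sign header.payload as a compact JWS."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, key, issuer, client_id, nonce, now):
    """Return (claims, "ok") on success, else (None, reason).

    Mandatory relying-party checks from OpenID Connect Core 3.1.3.7, ordered so
    cheap failures stop work early and nothing is trusted before the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:                      # covers base64 and JSON errors
        return None, "malformed token"
    # Pin the algorithm you configured; never let the token choose it
    # (alg=none, RS256-to-HS256 key confusion).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(p64))
    except ValueError:
        return None, "malformed token"
    if claims.get("iss") != issuer:
        return None, "issuer mismatch"
    # aud is what makes this an authentication statement addressed to *this*
    # client; a token minted for another client must not log anyone in here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return None, "audience mismatch"
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return None, "azp mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    # nonce binds the token to the authentication request this session started.
    if claims.get("nonce") != nonce:
        return None, "nonce mismatch"
    return claims, "ok"


def demo() -> dict:
    """Run the validator over constructed tokens; returns {case: outcome}."""
    base = {"iss": ISSUER, "sub": "user-42", "iat": NOW - 5, "exp": NOW + 300}
    good = mint_token({**base, "aud": CLIENT_ID, "nonce": "n-7f3a"}, PROVIDER_KEY)
    # Same provider, same user, but issued to a different client: the token
    # substitution attack that using an access token as a login proof invites.
    other_client = mint_token({**base, "aud": "other-app", "nonce": "n-7f3a"}, PROVIDER_KEY)
    # Correct audience but a nonce from an earlier login: a replayed token.
    replayed = mint_token({**base, "aud": CLIENT_ID, "nonce": "n-old"}, PROVIDER_KEY)
    # Payload edited after signing (sub -> admin) with the old signature kept.
    h64, _, s64 = good.split(".")
    forged = {**base, "aud": CLIENT_ID, "nonce": "n-7f3a", "sub": "admin"}
    tampered = ".".join([h64, _segment(forged), s64])
    cases = [("good", good), ("other_client", other_client),
             ("replayed", replayed), ("tampered", tampered)]
    return {name: validate_id_token(tok, PROVIDER_KEY, ISSUER, CLIENT_ID, "n-7f3a", NOW)[1]
            for name, tok in cases}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

Only the first token logs a user in; the other three fail on exactly the checks an OAuth-only integration tends to skip. In production, replace the HMAC stand-in with signature verification against the provider's JWKS, and keep the algorithm pinned to what you configured rather than reading it from the token.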
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and is an investor/advisor for Signal Sciences. He is a frequent speaker on secure software practices, a member of the JavaOne Rock Star speaker community, and a volunteer and former board member for the OWASP foundation. Jim is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill).
©2016, O'Reilly Media, Inc.