Posts

OIDC JSON Web token signature verification - Demo by a maven web application

What is a JSON Web Token and when is it needed? It is a self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed, and it can be encrypted to also provide secrecy between the parties (Signed Tokens - Integrity; Encrypted Tokens - Hide). JWTs are needed for: Authentication - Once the user is logged in, each subsequent request will include the JWT, allowing the user to access the routes, services, and resources that are permitted with that token. Information Exchange - Using public/private key pairs, you can be sure the senders are who they say they are. Additionally, as the signature is calculated over the header and the payload, you can also verify that the content hasn't been tampered with. JWT Structure: In its compact form, a JSON Web Token consists of three parts separated by dots ( . ), which are: Header, Payload, Signature. Therefore, a JWT typically looks like the...
Recent posts

How OIDC runs on top of OAuth - Demo by a maven web application

As I said in the previous blog about OIDC, OIDC runs on top of OAuth in order to provide authentication and authorization. When it comes to a real scenario, we need to clearly understand the flows between the authorization server and the resource server. OAuth needs a token introspection endpoint in order to validate the token. But OIDC doesn't need this introspection endpoint, because the OIDC response token (JWT) contains the ID token, which carries the information the resource server needs to validate it. Running OIDC with the authorization grant type is a pretty safe way for web applications. Let's see how a real-world application uses OIDC on top of OAuth. Note: I have created a sample application to provide the graphical interface for this explanation. When you try to log in to an online web application account you may see other login options also available. For example, login with Google, login with Facebook, etc. Those ...

'OpenID Connect' Client App Creation on Auth0

If we are going to use OIDC (OpenID Connect), we need to know the definitions of OAuth and OIDC, because OAuth is for authorization and OIDC sits on top of OAuth to provide authentication. So, OIDC provides both authorization and authentication. What is OAuth? The OAuth 2.0 authorization framework enables third-party applications to obtain limited access to a web service. [To see more on OAuth at itwithcs.blogspot.com: Click here ] What is OpenID Connect? OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. It uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications. What are Identity Servers? Identity servers are the core part of any identity and access control i...

Cookie Protection for Avoiding Session Hijacking Attacks - Introduction

When we are developing a web application/web page, sessions and cookies are the most important factors for handling user operations as well as providing enough security to the application/page. Attackers use many ways to attack web-based applications, but most of the time they use session hijacking to hack the network, because session hijacking is very easy to do and the attacker doesn't need to put in much effort to hack the system [permission to the system is provided by the session]. So, a session/cookie implementation is not the only thing; a proper [secure/httponly] cookie/session implementation is needed. This blog is written to answer “how to create a cookie/session?”, “how to read a cookie?”, “what is session hijacking?” and “how to protect against session hijacking?” What is a cookie? A cookie is a file created by the web server [here Tomcat] to store some data specific to the website [here the login app] in order to track the usage of the website by the user. The specific data/anatomy of a cookie is as follows. N...

Registering Client App in Facebook - OAuth

Registering App with Facebook: To register an app with Facebook, follow the link and create a new app. https://developers.facebook.com/ Once we have created the app, you can see the app details in the dashboard, and the screen looks something like this. Here we can notice the App ID and App Secret for the created Facebook app. [Client ID & Client Secret] When registering a client app to configure with OAuth, we need to consider 5 main parts: client ID, client secret, redirection endpoint, authorization endpoint and token endpoint. The "key" (that is, the access token) is passed back via the redirection endpoint in step 4. Redirection endpoint: It is a very important property of the client application. It lets the service provider call back the application, pass control back to your application and even send you important information [tokens/error messages]. In the OAuth authorization process [1st step] users need to log in to the service provider’s au...

Introduction to OAuth

What is OAuth? OAuth is a protocol that allows distinct parties to share information and resources in a secure and reliable manner. OAuth needs to consider 2 concepts to provide information in a secure and reliable manner: authentication and authorization. Authentication -> Validating the person/system who needs the information. Authorization -> After authentication, what actions can be performed by the person/system. By maintaining these 2 concepts, OAuth provides federated identity and delegated identity. Federated identity -> A user can use his/her account on one application to log in to another application. [Example: If a user has a Facebook account, then he can log in to Instagram with the same login as Facebook] Delegated identity -> One service can access another service's resources. [Example: When creating a Facebook account with an e-mail address, it will suggest the contacts in that e-mail account to add as friends] Without OAuth With OAuth User ...

SSL in Information Security and configure SSL in Apache Tomcat 9

In information security, secure/protected communication is essential to keep the CIA triangle (confidentiality, integrity and availability). When it comes to secure communication, encryption and hashing are the main mechanisms. Hashing is a one-way conversion, which means we can’t recover the original information (e.g. passwords inside the database). Encryption is a 2-way conversion, which means data can be locked and retrieved again in its original form. Encryption can be done in 2 ways: symmetric encryption and asymmetric encryption. What is Symmetric Encryption? It is a simple encryption method. Here there is only ONE key for both encryption and decryption. This means that if a sender wants to send information, the sender and the receiver both need to know the same key. What is Asymmetric Encryption? It is a more advanced method for encryption and decryption. Here it manages TWO keys, a public key and the p...