Lock That Sh*t Down!
Auth Security Patterns for Apps, APIs, and Infra
Brian Demers and Matt Raible
@briandemers / @mraible
April 13, 2022
Who are we?
Brian Demers
Open Source Developer and Java Champion
Fun facts: likes to snowboard; into 🐝
@bdemers
Matt Raible
Open Source Developer and Java Champion
Fun facts: likes to ski; into classic VWs ✌
@mraible
Today's Agenda
01 What is Auth? (AuthN vs AuthZ)
02 App Auth Security Patterns (Web, SPA, Mobile)
03 API Auth Security Patterns (Tokens, OAuth, Secrets)
04 Infra Auth Security Patterns (Linux, SSH, Docker, Kubernetes)
05 Action! (How to implement these patterns)
01 What is Auth?
Soooo ... why should you care?
A brief history of Auth
1960s: first password
1977: RSA
1994: SSL
2005: SAML 2.0
2012: OAuth 2.0 (RFC 6749)
2014: OpenID Connect (OIDC)
2015: PKCE (RFC 7636)
Developer Personas
App Developer: Frontend Developer, Mobile App Developer, Web Developer
API Developer: Java Developer, Backend Developer, probably likes tests
DevOps: System Administrator, Deployer, Operations, Monitoring
Security: Concerned Consultant, Paranoid Geek, security over performance
02 App Auth Security Patterns
Web vs SPA vs Mobile App
HTTP Basic Authentication
Form-based Authentication
CHALLENGE SOLUTION
SAML
"SAML is to OIDC as SOAP is to REST." -Joël Franusic (@jf)
JWT Authentication
Why JWTs Suck as Session Tokens -@rdegges on developer.okta.com, 2017
What do we do about JWT? -Security. Cryptography. Whatever. podcast, 2021
OpenID Connect (OIDC) for Auth
[Diagram: Identity Provider → 🔒 Verify]
Multi-Factor Authentication (MFA)
Passwordless
password → Password1 → Password1!
We like to think we know what we are talking about, at least Okta hasn't fired us yet…
App Auth Security Patterns (ratings)
SAML ⭐ ⭐
HTTP Basic ⭐
Embedded Auth ⭐
OpenID Connect ⭐ ⭐ ⭐ ⭐
MFA ⭐ ⭐ ⭐ ⭐ ⭐
Passwordless ⭐ ⭐ ⭐ ⭐ ⭐
JWT Auth ⭐ ⭐
App Auth Security Patterns: Tired vs Wired
Tired: Apps handling passwords → Wired: Let someone else worry about it
Tired: Stateless to scale → Wired: Sessions are tried and true
Tired: OAuth Implicit Flow → Wired: OAuth Auth Code with PKCE
Tired: Sensitive data in URL → Wired: Use headers or the body
03 API Auth Security Patterns
HTTP Basic
A JHipster config-server client that authenticates to the registry with HTTP Basic. The credentials are embedded in the URL, the transport is plain http, and the password is defined in the same file:

```yaml
spring:
  cloud:
    config:
      fail-fast: true
      retry:
        initial-interval: 1000
        max-interval: 2000
        max-attempts: 100
      # HTTP Basic credentials carried in the URL, over plain http
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config
      # name of the config server's property source (file.yml) that we want to use
      name: store
      profile: prod # profile(s) of the property source
      label: main # toggle to switch to a different version stored in git
jhipster:
  registry:
    password: admin # the Basic password, in cleartext, in a checked-in file
```
Tokens
$20
OAuth 2.0
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
OAuth 2.1 (https://oauth.net/2.1)
Authorization Code + PKCE
Client Credentials
Device Grant
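Authorization Code + PKCE is the "Wired" answer to the Implicit flow in the App patterns table and the first grant OAuth 2.1 keeps, so here is the exchange from both sides. This is an added example (not from the slides, not any real authorization server's API) using only the Python standard library: the client keeps `code_verifier` private and sends its S256 `code_challenge` on the authorize request; the server stores the challenge with the issued code and, at the token endpoint, checks that SHA-256 of the presented verifier matches. The `AuthorizationServer` class and its method names are this example's own.

```python
# Added example (not from the slides): PKCE (RFC 7636) with the S256 method,
# client side and authorization-server side, standard library only.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range.
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (constructed): only the PKCE-relevant state."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}   # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str) -> Optional[str]:
        """Authorize endpoint. Returns the code sent back to the client, or None."""
        # OAuth 2.1 drops the "plain" method; require S256 and a well-formed challenge.
        if method != "S256" or len(code_challenge) != 43:
            return None
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        """Token endpoint. Returns a token response, or None on any failure."""
        challenge = self._pending.pop(code, None)      # codes are single-use
        if challenge is None:
            return None
        if not (43 <= len(code_verifier) <= 128):
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None                                # verifier does not match
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer) -> Optional[dict]:
    """Client side: generate verifier, send challenge, redeem the code with the verifier."""
    verifier = make_code_verifier()                    # never leaves the client
    code = server.authorize(code_challenge_s256(verifier), "S256")
    return server.token(code, verifier) if code else None


if __name__ == "__main__":
    print(run_flow(AuthorizationServer()))
```

The property that matters: an attacker who intercepts the redirect gets the code but not the verifier, so `token()` returns None for them, and because the code is popped on first use the legitimate client's later attempt also fails loudly instead of silently succeeding twice. The first assertion below uses the test vector from RFC 7636 Appendix B.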
OAuth Client Credentials
API Gateway
[Diagram: a { Rest } Client calls /dogs, /cats and /fish through the API Gateway, which routes each path to a backing App]
Use API SDKs
Encrypt and Rotate Secrets
RBAC and ACLs
Groups: Admin, User, Help Desk
Privileges: Record : Read, Record : Create, Record : Update, Record : Delete
Users
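The slide names the pieces (groups, Record privileges, users) but not the decision logic that ties them together. The block below is an added example (not from the slides) of a deny-by-default authorizer: roles grant privileges, and a per-record ACL can grant more on one record. The groups and privileges are the slide's; the sample users, the policy tables, the `Record` type and `authorize()` are this example's own.

```python
# Added example (not from the slides): RBAC (group -> privileges) combined with
# per-record ACLs, deny by default for unknown users, groups and actions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ACTIONS = {"Read", "Create", "Update", "Delete"}

# Group -> privileges (RBAC). Help Desk can look but not touch.
GROUP_PRIVILEGES: Dict[str, Set[str]] = {
    "Admin":     {"Record:Read", "Record:Create", "Record:Update", "Record:Delete"},
    "User":      {"Record:Read", "Record:Create"},
    "Help Desk": {"Record:Read"},
}

# User -> groups (constructed sample directory)
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Admin"},
    "bob":   {"User"},
    "carol": {"Help Desk"},
}


@dataclass
class Record:
    id: int
    owner: str
    # ACL: extra actions granted on this one record, per user
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def privileges_for(user: str) -> Set[str]:
    """Union of the privileges of every group the user belongs to."""
    privs: Set[str] = set()
    for group in USER_GROUPS.get(user, set()):          # unknown user -> no groups
        privs |= GROUP_PRIVILEGES.get(group, set())     # unknown group -> nothing
    return privs


def authorize(user: str, action: str, record: Optional[Record] = None) -> bool:
    """True only when a rule explicitly allows; everything else is denied."""
    if action not in ACTIONS:
        return False                                     # unknown action: deny, don't guess
    if f"Record:{action}" in privileges_for(user):
        return True                                      # role grant
    if record is not None:
        if record.owner == user and action in {"Read", "Update"}:
            return True                                  # owners may read/update their own
        if action in record.acl.get(user, set()):
            return True                                  # explicit per-record grant
    return False
```

The split is deliberate: roles answer "what can this kind of user do anywhere", ACLs answer "what may this user do to this one thing", and neither a missing group nor a misspelled action can open anything up.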
API Auth Security Patterns (ratings)
OAuth 2.1 ⭐ ⭐ ⭐ ⭐ ⭐
HTTP Basic ⭐ ⭐
Tokens ⭐ ⭐ ⭐
API SDKs ⭐ ⭐ ⭐ ⭐
Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐
RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐
API Gateway ⭐ ⭐ ⭐ ⭐ ⭐
API Auth Security Patterns: Tired vs Wired
Tired: Build it yourself → Wired: Use existing libraries
Tired: Static API Tokens → Wired: Short lived access tokens
Tired: CORS wildcard → Wired: Restrict access with CORS
04 Infra Auth Security Patterns
CHALLENGE SOLUTION
Linux
"Software is Automation and Automation is less toil." -Mark Shuttleworth, Canonical CEO
(Tux image: Larry Ewing)
SSH with Keys
https://www.ssh.com/academy/ssh/protocol
Certificates
(image CC BY 3.0: EFF.org)
SSO for Servers
Active Directory
Pluggable Authentication Modules (PAM) for Linux
Okta's Advanced Server Access
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
Scan Docker Images
Know Your Cloud and Cluster Security
https://twitter.com/acloudguru/status/1344724013122260993
The 4C's of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/
Kubernetes Tips
Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape
https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes
Encrypt Kubernetes Secrets
A Kubernetes Secret is base64-encoded, not encrypted; anyone who can read the object (or etcd) can read the value:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-secret
  namespace: demo
type: Opaque
data:
  # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"; base64 is an encoding, not encryption
  registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4
```
Automation is Key
WSJ
Infra Auth Security Patterns (ratings)
Certificates ⭐ ⭐ ⭐ ⭐
Linux ⭐ ⭐ ⭐ ⭐ ⭐
SSH with Keys ⭐ ⭐ ⭐
Scan Docker Images ⭐ ⭐ ⭐ ⭐ ⭐
Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐
Automate Your Infra ⭐ ⭐ ⭐ ⭐ ⭐
SSO for Servers ⭐ ⭐ ⭐ ⭐ ⭐
Infra Auth Security Patterns: Tired vs Wired
Tired: FROM some-large-image:1.2.3 → Wired: Use minimal images
Tired: Secrets in Images → Wired: HashiCorp Vault
Tired: Shared Credentials → Wired: Limit Access
05 Action!
Action: How to codify these patterns?
Spring Security
Action: How to test for lack of patterns?
https://implicitdetector.io
Audit Server Access
Action: How to test for vulnerabilities?
What about ?
"The OWASP Top 10 really hasn't changed all that much in the last ten years." -Johnny Xmas (@J0hnnyXm4s)
developer.okta.com/blog
@oktadev
Thanks!
Brian Demers: @briandemers, @bdemers, brian.demers@okta.com
Matt Raible: @mraible, matt.raible@okta.com
https://speakerdeck.com/mraible
developer.okta.com

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022