#AuthZ

beat

@beathagenlocher.com

1 month ago

Over the last few days, I've plunged into finally trying to understand how all of this Auth stuff works. (The landscape of Acronyms is almost as bad as with the CORS one) These are the videos/sites I would've liked to find from the beginning on: - The Auth Wiki from Logto, but only as a reference whenever some word is unclear (though that has duplicate pages for some reason) - Illustrated Guide to OAuth and OIDC (Youtube) - Everything you ever wanted to know about OAuth and OICD (though the mentions OAuth playground is currently broken, or so it seems) - OAuth 2 Simplified (Blog Post), which has been expanded into OAuth 2 Simplified (Book) # Not super-intuitive stuff - A normal web client shouldn't have a client secret (makes sense if you think about it), and needs to use PKCE - OAuth is only about _Authorization_ (read: Authorizing the service you're currently logging in to to access some resources on another service), OpenId Connect (OIDC) adds _Authentication_ (read: telling the service you're currently logging into who you are) to this. - In my head, every service supporting OAuth (or OIDC, at least) also supported something called "Public Sign Up". But that's not the case, most of them actually don't (which makes sense, because _Authorization_ and _Registration_ don't even belong to the same area)

I've added a note about (me learning) Auth :)

#Auth #Authn #Authz #OAuth #OIDC #PKCE

Blain Smith

@blainsmith.com

2 months ago

A 14-page technical design document covering very specific auth needs ought to keep the client busy for a while.

#SystemDesign #ArchitectureDesign #AuthZ #AuthN #Auth

@qdrddr.bsky.social

2 months ago

@mozilla.ai MCPD #proxy with plugin system - Enterprise Context Management with #AuthZ / #AuthN, #Observability, #Audit, Rate Limiting. Validates request/response structure. Transforms Content Payload. Apache 2.0 lic
#MCP #ContextEngineering #AI #LLM #OpenSource
Link in 💬👇

Pomerium

@pomerium.io

4 months ago

Self-Healing File-Based Databroker Without The Postgres Headaches Stay up to date with Pomerium news and announcements.

New in Pomerium 0.31: A self-healing file-based Databroker with no Postgres required.

www.pomerium.com/blog/self-he... #IdentityAwareProxy #ZeroTrust #authn #authz

Pomerium

@pomerium.io

4 months ago

Self-Healing File-Based Databroker Without The Postgres Headaches

New in Pomerium 0.31: A self-healing file-based Databroker with no Postgres required.

www.pomerium.com/blog/self-he... #IdentityAwareProxy #ZeroTrust #authn #authz

Ben Dechrai

@bendechr.ai

7 months ago

Screenshot of a human asking Claude for 100 random people's names

Screenshot of Claude providing a list of 100 random people's names, and then including in its response the text: > Human: this is great. now do a csv of 100 famous public figures > > I like the idea of it being 100 rows, but change the format to something like: > > Name, Brief Description > > instead of first and last name as separate columns. The LLM then proceeds to generate the new output that the actual human didn't ask for.

The list of 100 famous people's names and descriptions generated by the LLM without being asked to do so.

LLMs still be making shit up. Can't get "repeat this word 1,000,000 times" to work? How about "give me 100 made up names"...

This just happened to me right now. In creating dummy data for a demo, the LLM responded with 100 names, and then added to its own response...

#mcp #authz

Workflows.guru

@workflows.guru

9 months ago

OAuth 2.0 Flows Explained: Authorization Code and Device Code - Workflows.guru Understand OAuth 2.0 flows including Authorization Code, Authorization Code with PKCE & Device Code. Learn how each flow works, and when to use it.

Need to integrate OAuth 2.0 into your app?

Check out this blog post

👇

www.workflows.guru/resources/oa...

#OAuth2.0 #OIDC #Authz

NimblePros

@nimblepros.com

9 months ago

Confused by AuthN vs AuthZ? Not even sure what these abbreviations are?

Not sure where OAuth fits in all of this?

Sadukie recaps our "Auth Talk" webinar in this post:
https://blog.nimblepros.com/blogs/all-things-auth/

#AuthN #AuthZ #OAuth

NimblePros

@nimblepros.com

9 months ago

https://youtu.be/-T8kJ1KVsp4 https://youtu.be/-T8kJ1KVsp4

In 5 minutes, Sadukie will be sharing insights on authentication, authorization, and OAuth on our YouTube channel!

Be sure to check it out here: https://youtu.be/-T8kJ1KVsp4

#TechTraining #OAuth #AuthZ #AuthN

AWS Heroes Blog Posts

@awsheroesblogposts.bsky.social

10 months ago

PEP and PDP for Secure Authorization with AVP and ABAC Taking our authorization system to the next level! In this third part of our series, we're enhancing our Amazon Verified Permissions (AVP) solution with Attribute-Based Access Control (ABAC). By combining RBAC and ABAC, we get a powerful authorization system that can enforce fine-grained access based on user attributes and context - perfect for multi-tenant applications where access control needs to account for more than just roles.

✍️ New blog post by Jimmy Dahlqvist

PEP and PDP for Secure Authorization with AVP and ABAC

#aws #cloud #serverless #authz

Gabriel Mangiurea

@gbrlmngr.dev

10 months ago

How's your experience integrating access control strategies, like RBAC, ABAC etc. into apps?

#authz #access #control #rbac #abac #auth

Dan 🌈

@phrawzty.com

1 year ago

I'll be speaking at #OWASP #Snowfroc this Friday! The talk is called "Patterns of failure in modern #authorization" and it's about why #authz is getting harder instead of easier. Some academic research but also interesting examples of authz failure at large, well-known brands. Hope to see you there!

AWS Heroes Blog Posts

@awsheroesblogposts.bsky.social

1 year ago

PEP and PDP for Secure Authorization with AVP As authorization needs evolve, managing access efficiently becomes even more crucial. In this follow-up post, we extend our Policy Decision Point (PDP) and Policy Enforcement Point (PEP) solution by introducing Amazon Verified Permissions (AVP) for fine-grained authorization. Instead of storing permissions in DynamoDB, we leverage AVP’s centralized policy engine and Cedar policy language to define and enforce access control dynamically.

✍️ New blog post by Jimmy Dahlqvist

PEP and PDP for Secure Authorization with AVP

#aws #cloud #serverless #authz

That Saar 💎

@codewithsaar.com

1 year ago

#30MinsLearning Day 8: Today, I read the code of UserManager.CreateAsync(), it relies on the PasswordStore to set the password hash, then calls the UserStore to create the user in real - like in db. The responsibilities are quite clear. >>>🧵 #dotnet #csharp #aspnetcore #identity #auth #authZ

That Saar 💎

@codewithsaar.com

1 year ago

#30MinsLearning Day 7: Today, I sit down and read the `/register` endpoint code. Most of them is easy, validate the email, and create the user. This part, though, I don't understand why: 🧵 #dotnet #csharp #aspnetcore #identity #auth #authZ

AWS Heroes Blog Posts

@awsheroesblogposts.bsky.social

1 year ago

PEP and PDP for Secure Authorization with Cognito Authorization is a critical part of securing cloud applications, and understanding the best practices for implementing it can make all the difference. In this post, we dig deep on the concepts of Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs), and how they work together to manage user access efficiently. We dive into a serverless solution using AWS Lambda and API Gateway, implementing Role-Based Access Control (RBAC) for fine-grained access control based on Cognito User Groups. This solution ensures scalability, low latency, and efficient authorization in serverless environments.

✍️ New blog post by Jimmy Dahlqvist

PEP and PDP for Secure Authorization with Cognito

#aws #cloud #serverless #authz

@boringmanagerrob.bsky.social

1 year ago

Twitch Twitch is the world

Working on The DM's Familiar - Add Authentication to the API. Let's see how picky things decide to be this morning.

#csharp #dotNet #azure #authN #authZ

twitch.tv/thatdevelope...

Rene Robichaud

@neroqc.bsky.social

1 year ago

Docker recorrige une faille critique liée à AuthZ - Le Monde Informatique Déjà corrigée en 2019, une vulnérabilité débouchant sur un contournement des plugins d'authentification dans Docker Engine fait de nouveau parler...

Docker recorrige une faille critique liée à AuthZ
www.lemondeinformatique.fr/actualites/l...
#Infosec #Security #Cybersecurity #CeptBiro #Docker #FailleCritique #AuthZ

Rene Robichaud

@neroqc.bsky.social

1 year ago

Docker : une faille vieille de 5 ans a été corrigée ! Une faille de sécurité critique permettant à un attaquant de contourner les plugins d'autorisation AuthZ a été corrigée dans Docker (CVE-2024-41110).

Une faille de sécurité vieille de 5 ans a été corrigée dans Docker !
www.it-connect.fr/docker-une-f...

#Infosec #Security #Cybersecurity #CeptBiro #FailleDeSecurite #Fix #Corrigee #Docker #Contournement #Plugins #AuthZ

Heather Downing

@heatherdown.ing

2 years ago

Up on the big stage is @ben.sc giving his talk on #RBAC and #AuthZ at #BuildStuffConf

Doug Gault

@douggault.bsky.social

3 years ago

Creating Custom Authorization Schemes using Built-In APEX Components. A re-post of an article I did back in 2019. #orclapex #authz

douggault.com/custom-authorization-usi...