By Leo Farrell and Adrian Rinaldi Sasmita on February 12, 2019

OpenBanking: The state hash claim

When implementing OpenBanking and following the foundation implementers draft, one of the requirements is to include several additional claim values. One of these is s_hash; the goal of this claim is to ensure that the id_token returned in the authorization code flow matches the request to /authorize triggered by the […]

By Leo Farrell on February 1, 2019

Federated Single Sign On: Access Policy

Authentication is a requirement when performing Federated Single Sign On. This is traditionally completed via forms-based authentication. However, there are several situations that require more than forms-based authentication. For example, some applications may have access to more sensitive data, or invoke more ‘risky’ APIs. […]

By Leo Farrell on December 2, 2018

Web Reverse Proxy: Rate Limiting

Rate limiting is the act of stopping a client from requesting web resources too often. The ISAM web reverse proxy now supports rate limiting on as of version 9.0.6.0. We identified rate limiting as something which is performed on one of two actors: a malicious actor who is trying […]

By Leo Farrell on November 15, 2018

OAuth: Custom token attributes

OAuth providers often provide extended functionality to clients, depending on individual requirements. This extended functionality often requires additional information to be stored with an OAuth grant. This article goes into how ISAM allows you to store additional information and metadata against an OAuth grant. The number of scenarios which can […]

By Leo Farrell on November 7, 2018

Open ID Connect: Sharing identity information with Applications

When developing modern web applications, information about the user is essential for providing a rich user experience. There are many ways in which this identity information is gathered, and applications may source user data in many different ways. They may simply request that the user supply user profile information on […]

By Leo Farrell on September 11, 2018

OAuth: API Gateways and ISAM

Today we’re going to explore the ways in which API gateways can integrate with ISAM, their different OAuth roles, and the interfaces for token validation and verification exposed by ISAM as an authorization server. ISAM has both an Authorization Server available in the form of API protection, as well as […]

By Leo Farrell on September 4, 2018

The history of support for OpenID Connect in ISAM

Security Access Manager added support for OpenID Connect as an identity provider and as a relying party in version 9.0. These capabilities were introduced as part of the federation offering, which was also added in version 9.0. This OpenID Connect solution was capable of satisfying the browser […]

By Leo Farrell on August 7, 2018

OAuth: SAML and JWT as a Grant Type

In an earlier article it was demonstrated how Security Access Manager supports RFC 7523, using a JWT as a method for OAuth clients to make requests to OAuth endpoints which require authentication, such as /token and /introspect. However, there is another portion of this RFC which goes into detail on […]

By Leo Farrell on July 24, 2018

OpenID Connect: Request parameters via JWT

The OpenID Connect specification has an optional section which goes into details of how a client can provide (via the browser) claims and OAuth parameters to /authorize in an alternative manner to query string or POST parameters. This is of note as it allows the client to provide a trusted set […]

By Leo Farrell on July 19, 2018

OAuth: JWT as an Access Token

The OAuth 2.0 specification does not go into great detail about token formats: “Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements”. On IBM Security Access Manager (ISAM), the access tokens issued are a short opaque string used as […]

By Leo Farrell on July 11, 2018

Introducing the LocalSTSClient

In IBM Security Access Manager 9.0, the Security Token Service (STS) from Tivoli Federated Identity Manager (TFIM) was made available. The STS is essential when needing to transform a security token from one type to another. As usage of the STS has grown, we have seen adoption of simple security tokens such as JWT. The […]

By Leo Farrell on July 3, 2018

OAuth: Device Flows

Introduction to Device Flows: As IoT devices become more prevalent, so does the importance of the way these devices interact with user information and the web. These devices often need to call APIs which require authentication, but cannot provide a suitable method of user interaction for traditional authentication mechanisms such as username/password. […]