Author Archives: Hans Zandbelt

OAuth 2.0 and OpenID Connect for existing APIs and Web Applications

TL;DR: deploy a reverse proxy with OAuth 2.0 and OpenID Connect capabilities in front of your existing API and web applications to secure those assets with modern security and access control standards without having to touch them. Organizations these …

Configuration-Managed Web Access Policies

Traditional Web Access Management (WAM) is heavily centralized because of legacy implementation restrictions. Access policies are defined, created and maintained in a centralized way by the IT department that runs a so-called access policy server. The policies execute at runtime by having …

Token Binding for the Apache webserver (part 2)

Last year I blogged about some experiments with Token Binding support for the Apache webserver here. Token Binding essentially secures cookies by binding them to an HTTPS connection so they can’t be used or replayed outside of that connection. Recently I went a …

OpenID Connect for Single Page Applications

OpenID Connect is an identity protocol that was designed not just for traditional Web SSO but also caters for modern use cases like native mobile applications and API access. Most of these use cases have a clearly defined and preferred pattern as …

OpenID Connect Relying Party Certification for mod_auth_openidc

Good news on the OpenID Connect front: after creating a software certification program for OpenID Connect Provider implementations (http://openid.net/certification/), the OpenID Foundation recently added a similar capability for testing and certifying Relying Party (RP) implementations. After putting in quite some …

Apache module for OpenID Connect/OAuth 2.0 release 2.0

Last Friday, September 9th 2016, I released a brand new version of mod_auth_openidc, the module that implements OpenID Connect RP and OAuth 2.0 RS functionality for the Apache webserver. So what’s the big deal with it and why does it …

Token Binding for the Apache webserver

The vast majority of authenticated access from clients to servers on the Internet relies on tokens that are typically “bearer” tokens, so that anyone who obtains the token can use it to access the protected resources associated with it. This holds for …
