Author Archives: Hans Zandbelt

Configuration-Managed Web Access Policies

Traditional Web Access Management (WAM) is heavily centralized because of legacy implementation restrictions. Access policies are defined, created and maintained in a centralized way by the IT department that runs a so-called access policy server. The policies execute at runtime by having …

Token Binding for the Apache webserver (part 2)

Last year I blogged about some experiments with Token Binding support for the Apache webserver here. Token Binding essentially secures cookies by binding them to an HTTPS connection so they can't be used or replayed outside of that connection. Recently I went a …

OpenID Connect for Single Page Applications

OpenID Connect is an identity protocol that was designed not just for traditional Web SSO but also caters for modern use cases like native mobile applications and API access. Most of these use cases have a clearly defined and preferred pattern as …

OpenID Connect Relying Party Certification for mod_auth_openidc

Good news on the OpenID Connect front: after creating a software certification program for OpenID Connect Provider implementations (http://openid.net/certification/), the OpenID Foundation recently added a similar capability for testing and certifying Relying Party (RP) implementations. After putting in quite some …

Apache module for OpenID Connect/OAuth 2.0 release 2.0

Last Friday, September 9th 2016, I released a brand new version of mod_auth_openidc, the module that implements OpenID Connect RP and OAuth 2.0 RS functionality for the Apache webserver. So what's the big deal with it and why does it …

Token Binding for the Apache webserver

The vast majority of authenticated access from clients to servers on the Internet relies on tokens that are typically "bearer" tokens, so that anyone who obtains the token can use it to access the protected resources associated with it. This holds for …

Client Certificates and REST APIs

In high-security environments the use of public/private key infrastructures (PKI) is widespread for good reasons. A mechanism that is often found in more traditional client/server environments is to leverage X.509 client certificates to authenticate clients at the TLS level to the …