Category Archives: Uncategorized

Deploy OpenID Connect and OAuth 2.0 with a Reverse Proxy Architecture

I haven’t had much time for blog posts lately but if you are interested in my take on modern identity and how to rollout OpenID Connect and OAuth 2.0 for all of your applications without modifying them, please see the … Continue reading

Posted in Uncategorized | Leave a comment

OAuth 2.0 and OpenID Connect libraries for C

Just about 5 years ago I started to develop an OpenID Connect plugin for the Apache web server.  Over the years it has become a pretty popular project and lots and lots of input from real world experience has come … Continue reading

Posted in Uncategorized | Leave a comment

Token Binding specs are RFC: deploy NOW with mod_token_binding

Update 10/18/2018: Google Chrome actually removed Token Binding support in version 70 so you’ll have to be on an older version to see this work in action, or use MS Edge, also see here. See here to learn how to … Continue reading

Posted in Uncategorized | Leave a comment

A Security Token Service client for the Apache webserver

I’ve recently been working on mod_sts a so-called Security Token Service client for the Apache web server. This module allows for exchanging arbitrary security tokens by calling into a remote Security Token Service (STS). It operates as a so-called “active” STS … Continue reading

Posted in Uncategorized | 1 Comment

Access Control using Reverse Proxy XACML PEPs

Following the previous post that I wrote a while ago about authenticating reverse proxies in front of resources you want to protect with OpenID Connect or OAuth 2.0, this post is about the next step: access control using those proxies. … Continue reading

Posted in Uncategorized | Leave a comment

OAuth 2.0 and OpenID Connect for existing APIs and Web Applications

TLDR; deploy a reverse proxy with OAuth 2.0 and OpenID Connect capabilities in front of your existing API and web applications to secure those assets with the modern security and access control standards without having to touch them. Organizations these … Continue reading

Posted in Uncategorized | Leave a comment

Configuration-Managed Web Access Policies

Traditional Web Access Management (WAM) is heavily centralized because of legacy implementation restrictions. Access policies are defined, created and maintained in a centralized way by the IT department that runs a so-called access policy server. The policies execute at runtime by having … Continue reading

Posted in Uncategorized | 1 Comment