Category Archives: Uncategorized

Replacing legacy enterprise SSO systems with modern standards

I would like to highlight a digital transformation that I have witnessed and contributed to for a few years now. This transformation is about the adoption of standards-based software to achieve Single Sign On (SSO) in enterprise environments, replacing …


Deploy OpenID Connect and OAuth 2.0 with a Reverse Proxy Architecture

I haven’t had much time for blog posts lately, but if you are interested in my take on modern identity and how to roll out OpenID Connect and OAuth 2.0 for all of your applications without modifying them, please see the …


OAuth 2.0 and OpenID Connect libraries for C

Just about 5 years ago I started to develop an OpenID Connect plugin for the Apache web server. Over the years it has become a pretty popular project and lots and lots of input from real world experience has come …


Token Binding specs are RFC: deploy NOW with mod_token_binding

Update 10/18/2018: Google Chrome actually removed Token Binding support in version 70, so you’ll have to be on an older version to see this work in action, or use MS Edge; also see here. See here to learn how to …


A Security Token Service client for the Apache webserver

I’ve recently been working on mod_sts, a so-called Security Token Service client for the Apache web server. This module allows for exchanging arbitrary security tokens by calling into a remote Security Token Service (STS). It operates as a so-called “active” STS …


Access Control using Reverse Proxy XACML PEPs

Following the previous post that I wrote a while ago about authenticating reverse proxies in front of resources you want to protect with OpenID Connect or OAuth 2.0, this post is about the next step: access control using those proxies. …


OAuth 2.0 and OpenID Connect for existing APIs and Web Applications

TL;DR: deploy a reverse proxy with OAuth 2.0 and OpenID Connect capabilities in front of your existing APIs and web applications to secure those assets with modern security and access control standards without having to touch them. Organizations these …
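The pattern the TL;DR describes, as an added example that is not taken from the original post: an Apache reverse proxy running mod_auth_openidc that handles the OpenID Connect login for an unmodified web application and validates OAuth 2.0 bearer tokens (via RFC 7662 introspection) for an unmodified API, then forwards the requests upstream with the verified claims as request headers. The hostnames, client IDs, secret placeholders and backend addresses are assumptions; the directive names are the module's real ones.

```apache
# Added example, not configuration from the original post or the project.
# Every hostname, client ID, secret value and backend address is an assumption.
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so

# OpenID Connect Relying Party settings: used for the browser-facing web app.
# Endpoints and keys are discovered from the provider's metadata document.
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID            apache-rp
# Placeholder: load the real secret from a secure store, never commit it.
OIDCClientSecret        change-me-client-secret
# Must be a path handled by this vhost that is NOT proxied to a backend.
OIDCRedirectURI         https://www.example.com/redirect_uri
# Encrypts the session cookie the module sets; long random value.
OIDCCryptoPassphrase    change-me-cookie-encryption-key
OIDCScope               "openid email profile"
OIDCRemoteUserClaim     email

# OAuth 2.0 Resource Server settings: used for the API.
# Bearer tokens are checked by calling the introspection endpoint with the
# resource server's own credentials (RFC 7662).
OIDCOAuthIntrospectionEndpoint https://idp.example.com/oauth2/introspect
OIDCOAuthClientID              apache-rs
OIDCOAuthClientSecret          change-me-introspection-secret
OIDCOAuthRemoteUserClaim       sub

# Hand verified claims to the backend as OIDC_CLAIM_<name> request headers.
# The module scrubs incoming headers carrying this prefix so a caller cannot
# inject them; the backend must still be reachable only through this proxy.
OIDCPassClaimsAs headers
OIDCClaimPrefix  OIDC_CLAIM_

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Certificate directives omitted.

    # Existing web application: browsers get a standard OIDC login redirect.
    <Location /app>
        AuthType  openid-connect
        Require   valid-user
        ProxyPass        http://app-backend.internal:8080/app
        ProxyPassReverse http://app-backend.internal:8080/app
    </Location>

    # Existing API: callers send "Authorization: Bearer <access_token>".
    # Only tokens the introspection endpoint reports as active get through.
    <Location /api>
        AuthType oauth20
        Require  valid-user
        ProxyPass        http://api-backend.internal:8081/api
        ProxyPassReverse http://api-backend.internal:8081/api
    </Location>
</VirtualHost>
```

Two points a practitioner should check before relying on this: the backends must listen only on an address the proxy can reach (loopback, a private network or mTLS), because anything that can bypass Apache can also forge the OIDC_CLAIM_ headers; and `Require valid-user` only proves a token is active, so per-route authorization (scopes, audience, groups) still has to be expressed with the module's claim-based `Require` rules or enforced by a separate policy layer.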


Configuration-Managed Web Access Policies

Traditional Web Access Management (WAM) is heavily centralized because of legacy implementation restrictions. Access policies are defined, created and maintained in a centralized way by the IT department that runs a so-called access policy server. The policies execute at runtime by having …


Token Binding for the Apache webserver (part 2)

Last year I blogged about some experiments with Token Binding support for the Apache webserver here. Token Binding essentially secures cookies by binding them to an HTTPS connection so they can’t be used or replayed outside of that connection. Recently I went a …


OpenID Connect for Single Page Applications

OpenID Connect is an identity protocol that was designed not just for traditional Web SSO but also caters for modern use cases like native mobile applications and API access. Most of these use cases have a clearly defined and preferred pattern as …
