Authentication, Cloud-Native
Facebook Twitter LinkedIn

Authentication, Cloud-Native

Combined Session
Wednesday, May 11, 2022 15:30—16:30
Location: A05-06

Certificate Based Authentication in a Cloud Native Environment - a Migration Journey from Handcrafted XML Signing to OpenID Connect

During this best practice session we will present you with hands-on experience from one of our financial services industry customers.

The company used a handcrafted xml signature mechanism to authenticate their business partners when initiating machine-to-machine communication to exchange data between data centers. When the customer decided to migrate to REST APIs in a cloud native setup, the existing mechanism was no longer fit for purpose. Together, we designed a solution to keep the benefits of certificate based authentication while establishing an interaction model conforming to the OpenID Connect standard. We implemented the mechanism based on the open source software Keycloak, successfully passed an external penetration test and have to this point authenticated hundres of thousands of sessions. After our session, attendees will

Tobias Larscheid
Tobias Larscheid
L21s Larscheid Schmitz-Hermes PartG
Tobias is a seasoned IT-Architect working on secure cloud applications primarily in the insurance and financial services industry. During his 10-year career, Tobias has worked on numerous...

OAuth DPoP (Demonstration of Proof of Possession): How to Not Let Attackers Steal your OAuth Token

Most OAuth deployments today use bearer tokens – tokens that can be used by anyone in possession of a copy of them, with no way to distinguish between legitimate uses of them and those that stole them and used them for nefarious purposes. The solution to this is proof-of-possession tokens, where the legitimate client supplies cryptographic material to the issuer that is bound to the token, enabling it to cryptographically prove that the token belongs to it – something attackers cannot do because they don’t possess the proof-of-possession cryptographic material.

The OAuth DPoP (Demonstration of Proof of Possession) specification defines a simple-to-implement means of applying proof of possession to OAuth access tokens and refresh tokens. We will describe real attacks occurring every day against bearer tokens and how they are mitigated by DPoP, providing defense in depth and making real deployed systems substantially more secure with minimal implementation and complexity costs.

These attacks and mitigations are particularly relevant to high-value enterprise deployments, such as in the financial, manufacturing, critical infrastructure, and government sectors.

Dr. Michael B. Jones
Dr. Michael B. Jones
Michael B. Jones is a Standards Architect at Microsoft. He is an editor of the OpenID Connect specifications, several IETF OAuth specifications, including JSON Web Token (JWT), the IETF JOSE (JSON...


On-Demand Access
Re-live EIC 2022
Watch 200 sessions on-demand
Download all available presentations
Subscribe for updates
Please provide your email address