SOLVING IDENTITY MANAGEMENT IN MODERN APPLICATIONS : demystifying oauth 2.0, openid connect, and... saml 2.0
معرفی کتاب «SOLVING IDENTITY MANAGEMENT IN MODERN APPLICATIONS : demystifying oauth 2.0, openid connect, and... saml 2.0» نوشتهٔ Lovecraft، Howard Phillips و Yvonne Wilson, Abhishek Hingnikar، منتشرشده توسط نشر Apress L. P. در سال 2022. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
Know how to design and use identity management to protect your application and the data it manages. At a time when security breaches result in increasingly onerous penalties, it is paramount that application developers and owners understand identity management and the value it provides when building applications. This book takes you from account provisioning to authentication to authorization, and covers troubleshooting and common problems to avoid. The authors include predictions about why this will be even more important in the future. Application best practices with coding samples are provided. Solving Identity and Access Management in Modern Applications gives you what you need to design identity and access management for your applications and to describe it to stakeholders with confidence. You will be able to explain account creation, session and access management, account termination, and more. This expanded edition has been revised to provide an overview of the new version of OAuth (2.1)--the primary changes in this version, including features that were removed from 2.1 that were in 2.0 and why they were removed. The discussion of the book's accompanying sample application has been revised to cover in more depth the approach for developing the application (also revised). A new section has been added on the OAuth 2.0 Device Authorization Grant (RFC 8628) specification, which is useful for devices with limited UI capability. Minor additions include the topics of identity proofing, the need to capture and organize consent information, the impact of tracking prevention technology on certain identity protocols, and the availability of additional options for authorization requests such as OAuth 2.0 Rich Authorization Requests and JWT-Secured Authorization Requests (RFC 9101). What You'll Learn ⁰́Ø Understand key identity management concepts ⁰́Ø Incorporate essential design principles ⁰́Ø Design authentication and access control for a modern application ⁰́Ø Know the identity management frameworks and protocols used today (OIDC/OAuth 2.0/2.1, SAML 2.0) ⁰́Ø Review historical failures and know how to avoid them Who This Book Is For Developers, enterprise or application architects, business application or product owners, and anyone involved in an application's identity management solution Table of Contents About the Authors About the Technical Reviewers Acknowledgments Introduction Chapter 1: The Hydra of Modern Identity Identity Challenges Who Are Your Users? And Will They Authenticate? Level of Authentication Strength Simplifying Access for Users Migrating Users from Legacy Applications Regulatory Requirements User Experience Constraints Objective Sample Application Design Questions Summary Key Points Notes Chapter 2: The Life of an Identity Terminology Events in the Life of an Identity Provisioning Authorization Authentication Access Policy Enforcement Sessions Single Sign-On (SSO) Stronger Authentication Logout Account Management and Recovery Deprovisioning Summary Key Points Chapter 3: Evolution of Identity Identity Management Approaches Per-Application Identity Silo Centralized User Repository Early SSO Servers Federated Identity and SAML 2 WS-Fed OpenID OAuth 2 OpenID Connect (OIDC) OAuth 2.1 Standard Protocols Summary Key Points Notes Chapter 4: Identity Provisioning Provisioning Options Self-Registration Progressive Profiling Invite-Only Registration Identity Migration Support Legacy Hashing Algorithm Bulk Identity Migration Gradual Migration of Users Administrative Account Creation Manual Account Creation Automated Account Creation Cross-Domain Account Creation Leverage Existing Identity Service Selecting an External Identity Service Self-Registered Identities Organization Identities Government Identities Industry Consortium Identities Identity Provider Selection Identity Proofing Choosing and Validating Identity Attributes Attribute Usage Validating Critical Attributes Consent Management Summary Key Points Notes Chapter 5: OAuth 2 and API Authorization API Authorization OAuth 2 Terminology Roles Confidential and Public Clients Client Profiles Tokens and Authorization Code How It Works Authorization Code Grant Authorization Code Grant Type + PKCE The Authorization Request Response Calling the Token Endpoint Client Credentials Grant The Authorization Request Implicit Grant (Removed in OAuth 2.1) Resource Owner Password Credentials Grant (Removed from OAuth 2.1) Device Authorization Grant The Authorization Request Authorization Response Polling the Authorization Server Calling an API Refresh Tokens Token Usage Guidance Access Tokens Refresh Tokens Confidentiality and Integrity Token Revocation Further Learning Advanced Use Cases Summary Key Points Notes Chapter 6: OpenID Connect Problem to Solve Terminology Roles Client Types Tokens and Authorization Code Endpoints ID Token How It Works OIDC Flows OIDC Authorization Code Flow Authentication Request Authentication Response Token Request OIDC Implicit Flow Authentication Request Authentication Response OIDC Hybrid Flow Authentication Request Authentication Response UserInfo Endpoint Further Learning Summary Key Points Notes Chapter 7: SAML 2 Problem to Solve Terminology How It Works SP-Initiated SSO Single Sign-On IdP-Initiated Flow Identity Federation Authentication Brokers Configuration Summary Key Points Notes Chapter 8: Authorization and Policy Enforcement Authorization vs. Policy Enforcement Levels of Authorization and Access Policy Enforcement Level 1 – Application or API Access Level 2 – Functional Access Level 3 – Data Access User vs. Application Authorization User Authorization User Profile Attributes Transactional User Attributes Delivery Enforcement Application Authorization Application Attributes Authorization Delivery Enforcement Authorization and Enforcement Extensions Summary Key Points Notes Chapter 9: Sessions Application Sessions Identity Provider Sessions Multiple Sessions Session Duration Session Renewal Token Renewal Reconstituted Sessions Summary Key Points Notes Chapter 10: Using Modern Identity to Build Applications Sample Application: Collaborative Text Editor Discovery Who Are Your Users: Employees or Consumers? How Will Users Authenticate? Can Your App Be Used Anonymously? Web-Based or Native App Format or Both? Does Your Application Call APIs? Does Your Application Store Sensitive Data? What Access Control Requirements Exist? How Long Should a User Session Last? Will Users Need Single Sign-On (If More Than One Application)? What Should Happen When a User Logs Out? Are There Any Compliance Requirements? Platform, Framework, and Identity Provider Design Buy vs. Build Industry Standard Protocols Architecture Implementation: Front End login() and handleCallback() getToken() and getProfile() A Detailed Note on Token Management in SPAs .logout() Closing Note Implementation: Back-End API .getUserId() .canPerform() Using OAuth 2 Scopes – for API Authorization Linking Accounts Anonymous Access Granting Access Based on Domains Other Applications Additional Note on Sessions Browsers, Trackers, and OAuth 2 Summary Key Points Notes Chapter 11: Single Sign-On What Is SSO? How SSO Works SSO Configuration SSO Session Duration Authentication Mechanisms Login Page Branding Multiple Identity Providers Summary Key Points Notes Chapter 12: Stronger Authentication The Problem with Passwords Stronger Forms of Authentication Multi-factor Authentication Step-Up Authentication Multi-factor Authentication and SSO Session Timeouts Requesting Authentication Mechanisms SAML 2 OIDC Step-Down Authentication Deployment Summary Key Points Notes Chapter 13: Logout Multiple Sessions Logout Triggers Logout Options Application Logout OAuth 2 OIDC SAML 2 Session Termination Logout and Multilevel Authentication Redirect After Logout Summary Key Points Notes Chapter 14: Account Management Identity Attributes User Profile Attributes Update Process Cached Identity Attributes Updated Identifiers Credential Reset Account Recovery Password Guidance Helpdesk Reset Notification Summary Key Points Notes Chapter 15: Deprovisioning Account Termination Best Practices Just Do It Provide a Soft Delete Technique Reserve Deprovisioned Identities Preserve Account Record Data Transfer Privacy Right to Erasure Certificate of Deletion Secure Delete Consider Reprovisioning Requirements Summary Key Points Notes Chapter 16: Troubleshooting Get Familiar with the Protocols Prepare Your Tools Test Environment Independent Browser Windows Capture HTTP Traces View HTTP Traces Make API Calls View API Calls View JWT and SAML 2 Tokens Check the Simple Things Gather Information How Many Users Impacted? Contributing Environmental Factors? Which Applications Impacted? Consistent or Intermittent Issue? Worked Previously? Where Does Failure Occur? Replicate the Problem Analyzing an HTTP/Network Trace Capture a Trace Check Sequence of Interaction Check Parameters in Requests Check HTTP Status Codes Check Security Token Contents Check for Security Token Validation Errors Collaborating with Others Summary Key Points Note Chapter 17: Exceptions Accounts Data Restore Account Decommission Orphaned Account Account Takeover Phone Lost, Damaged, or Stolen Identity Providers Account Recovery Requests Brute Force Attacks Breached Passwords System Outages Authentication System Outage Admin Access Provisioning Systems Cybersecurity Threats Compromised Personal Data Compromised Credentials Compromised Secrets Summary Key Points Notes Chapter 18: Less Common Requirements People Family Accounts Temporary Positions Status Transition No Email Address Identity Defederation Accounts Mergers and Acquisitions Account Linking Progressive Profiling Impersonation Delegation Environment Shared Workstations Identity Provider Discovery Multitenant Applications Summary Key Points Chapter 19: Failures Pay Attention to Process Beware of Phishy Emails Use Multi-factor Authentication Stay on Top of Patches Secure Your Cloud Storage Encrypt Sensitive Data Do Not Store Cleartext Passwords Provide Security Training to Developers Vet Your Partners Insider Threat Summary Key Points Notes Chapter 20: Compliance What Is Compliance? Government-Mandated Compliance Industry Compliance Elective Compliance Frameworks Why Compliance Data Protection Competitive Advantage Reduce Penalties Efficiency Compliance Landscape Security Compliance Privacy Compliance Assessment and Certification How to Proceed Summary Key Points Notes Chapter 21: Looking into the Crystal Ball Continued Security Challenges Ongoing Breaches Evolving Targets Increasing Complexity Diversifying Motives More Targets Homes and Businesses Cars Medical Implants and Monitoring Robots Erosion of Perimeter Protection Identity – Not Just for Humans Personal Agents Autonomous Vehicles IoT Devices Robots On the Horizon e-Identity Stronger Authentication Solutions for Smaller Devices Asynchronous Online Interaction Easier Adoption Lessons Learned Always Look Forward Usability Is Important Validation Is Critical Logout Takes Time Monitor Trends and Vulnerabilities Summary Key Points Notes Chapter 22: Conclusion Appendix A: Glossary Appendix B: Resources for Further Learning B.1. OAuth 2 – Related Specifications B.2. JWT B.3. OIDC B.4. SAML B.5. Multi-factor Authentication B.6. Background Information B.7. Privacy Appendix C: SAML 2 Authentication Request and Response C.1. SAML 2 Authentication Request C.2. SAML 2 Authentication Response C.2.1. Response C.2.1.1. Authentication Assertion (Beginning) C.2.1.2. Digital Signature for Authentication Assertion C.2.1.3. Subject C.2.1.4. Conditions C.2.1.5. Authentication Statement C.2.1.6. Attribute Statements C.3. Validation Appendix D: Public Key Cryptography Appendix E: Troubleshooting Tools E.1. Capture an HTTP Trace E.2. View a HAR File E.3. Capture a Network Trace E.4. View Security Tokens E.5. Test APIs Appendix F: Privacy Legislation F.1. European Union F.2. United States F.3. Other Countries F.4. Notes Appendix G: Security Compliance Frameworks G.1. General Security Frameworks G.1.1. Center for Internet Security – Top 20 Controls G.1.2. Cloud Security Alliance G.1.3. ISO 27000 G.1.4. PCI DSS G.2. US Frameworks G.2.1. CJIS Security Policyv – Criminal Justice Information Services Security Policy G.2.2. FFIEC Information Technology Examination Handbook and Cybersecurity Assessment Toolvi G.2.3. FISMA – Federal Information Security Management Actvii G.2.4. FedRAMP – Federal Risk and Authorization Management Programviii G.2.5. GLBA Safeguards Ruleix G.2.6. HIPAAx G.2.7. HITECH Actxi G.2.8. NISTxii G.3. SOC(Service Organization Control) G.3.1. SOC1 G.3.2. SOC2 G.4. Notes Index Know how to design and use identity management to protect your application and the data it manages. At a time when security breaches result in increasingly onerous penalties, it is paramount that application developers and owners understand identity management and the value it provides when building applications. This book takes you from account provisioning to authentication to authorization, and covers troubleshooting and common problems to avoid. The authors include predictions about why this will be even more important in the future. Application best practices with coding samples are provided. Solving Identity and Access Management in Modern Applications gives you what you need to design identity and access management for your applications and to describe it to stakeholders with confidence. You will be able to explain account creation, session and access management, account termination, and more. This expanded edition has been revised to provide an overview of the new version of OAuth (2.1)--the primary changes in this version, including features that were removed from 2.1 that were in 2.0 and why they were removed. The discussion of the book's accompanying sample application has been revised to cover in more depth the approach for developing the application (also revised). A new section has been added on the OAuth 2.0 Device Authorization Grant (RFC 8628) specification, which is useful for devices with limited UI capability. Minor additions include the topics of identity proofing, the need to capture and organize consent information, the impact of tracking prevention technology on certain identity protocols, and the availability of additional options for authorization requests such as OAuth 2.0 Rich Authorization Requests and JWT-Secured Authorization Requests (RFC 9101). What You'll Learn 0́Ø Understand key identity management concepts 0́Ø Incorporate essential design principles 0́Ø Design authentication and access control for a modern application 0́Ø Know the identity management frameworks and protocols used today (OIDC/OAuth 2.0/2.1, SAML 2.0) 0́Ø Review historical failures and know how to avoid them Who This Book Is For Developers, enterprise or application architects, business application or product owners, and anyone involved in an application's identity management solution
دانلود کتاب SOLVING IDENTITY MANAGEMENT IN MODERN APPLICATIONS : demystifying oauth 2.0, openid connect, and... saml 2.0