Solving Identity Management In Modern Applications Demystifying OAuth 2.0, OpenID Connect and SAML
Once again I am on an interesting journey https://bit.ly/3s6NMaR (my Gluu server experience), this time to implement a security layer for my Angular application “Job Manager 2020 Angular Version”.
Why mention it here?
Well, my plan was to understand how exactly a security layer works in an SPA application.
My first impression of the book: it provides in-depth descriptions of OAuth 2.0 and the other security protocols.
Here you can see a really good example of how the OAuth 2.0 flow works:
Are there any concrete details about how exactly to implement such a security protocol?
No, this book does not present any real example that you could use as a template for your app, and I am very disappointed by that. Sure, I now know more about the advantages and disadvantages of OAuth 2.0, but this book really misses the point.
Probably the authors of this book would argue that OAuth 2.0 has no template, that every app is special, and maybe they are right. Security is always a “tough” topic, because you need to know what your identity details are, where they will be stored (in my case on the Gluu Server) and how you store the identity keys. Then you should know in which environment your app will run, what kind of outside forces are potential attackers, and how to respond in the case of an active attack on your service!
This book gives you a kind of security mindset, but I am still not really convinced; I need proofs of concept. One particular topic that was mentioned is external security service providers: that you shouldn’t trust them, because you can’t verify how secure those security providers actually are, and with GDPR (which is mentioned in this book too) there is more complexity than you think.
Can I recommend this book? As an introduction to OAuth 2.0 I am not sure; I think not.
Software architects, security consultants or security specialists who don’t need the details, but rather just want an idea of which direction OAuth 2.0 is going, will be happy with it.
Summary: an SPA with OAuth 2.0 is a huge, huge and complex domain. I am quite puzzled how most companies handle this challenging technology: you have the tokens which authorize users to do things, and those security tokens can be stolen (even with SSL on) and used to impersonate a user.
I never imagined that there was so much complexity involved in features like login: is the user authenticated, and if so, what is this user allowed to do; what if the user does not log out; how much time should pass before the user’s security token is invalidated. Reading this book did give me a good intro to the whole domain of OAuth 2.0, but it didn’t answer the question of how exactly it can be implemented. I will definitely read more books on this topic to get a better idea and find the answer to how to do OAuth 2.0 right.
If you are in the same situation with your project, then you know that other developers struggle too, and it’s reasonable to state that implementing a security layer will take more time than you actually expected.
Stay tuned for even more interesting OAuth 2.0 book reviews 😉
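One of the questions above (how long before a token is no longer usable, and what the SPA should do about it) can be shown in a few lines. The following is an added example, not code from the book or from my Job Manager app. It assumes the access token is a JWT carrying the standard `exp` (and optionally `nbf`) claims; the function names (`sessionState`, `parseJwtPayload`, `makeDemoToken`) and the 30-second clock-skew leeway are my own choices. Note what this check is and is not: it lets the SPA stop sending an expired token and send the user back to login, but it does not verify the signature, so it is a UX decision only. The resource server and the authorization server (in my case Gluu) remain the ones that actually validate the token.

```javascript
// Added example (not from the book or the post): how an SPA client decides
// whether its access token is still usable. Assumption: the token is a JWT
// with an `exp` claim. No signature check is done here; that is the server's job.

function base64UrlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload of a JWT without trusting it (no signature verification).
function parseJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide the SPA's session state from the token and the current time (seconds).
// leewaySeconds tolerates small clock skew between browser and authorization server.
function sessionState(token, nowSeconds, leewaySeconds = 30) {
  if (!token) return { authenticated: false, reason: 'no token' };
  let payload;
  try {
    payload = parseJwtPayload(token);
  } catch (e) {
    return { authenticated: false, reason: 'malformed token' };
  }
  if (typeof payload.exp !== 'number') {
    return { authenticated: false, reason: 'no exp claim' };
  }
  if (typeof payload.nbf === 'number' && nowSeconds + leewaySeconds < payload.nbf) {
    return { authenticated: false, reason: 'token not yet valid' };
  }
  const remaining = payload.exp - nowSeconds;
  if (remaining + leewaySeconds <= 0) {
    return { authenticated: false, reason: 'token expired' };
  }
  // shouldRefresh tells the app to obtain a new token before the old one lapses.
  return { authenticated: true, secondsRemaining: remaining, shouldRefresh: remaining < 60 };
}

// Constructed demo token: real header/payload encoding, placeholder signature.
function makeDemoToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${body}.signature-placeholder`;
}

// Stand-alone usage: a token that is valid for another ten minutes.
const now = Math.floor(Date.now() / 1000);
const demoToken = makeDemoToken({ sub: 'user-123', iat: now, exp: now + 600 });
console.log(sessionState(demoToken, now));
```

In an Angular app this check would sit in an HTTP interceptor or route guard: when `authenticated` is false the app clears the stored token and redirects to the login flow, and when `shouldRefresh` is true it starts the refresh before the next API call fails with a 401.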