Challenges 2-6: Caesar and Vigenère Ciphers

11 February 2019 Cryptopals

The next few challenges cover implementing and then breaking the Caesar and Vigenère ciphers. These ciphers usually serve as the introduction to most cryptography books, as a history lesson of what we used to use and how easy they are to break. However, with cryptopals, we take this academic knowledge and turn it into practice.

Peter Paul Rubens - Julius Caesar
Peter Paul Rubens Julius Caesar. Photo taken by Ralf Roletschek
Read more

Ktor using OAuth 2.0 and IdentityServer4

01 February 2019 Kotlin

This article will show you how to configure a Kotlin Ktor application to get access tokens from IdentityServer4 using OAuth 2.0. These tokens can then be used to access an API on behalf of a user. We’ll be using JWTs as our access tokens. To find out how to authorize access to a Ktor API using JWTs, check out my past article “JSON Web Token Verification in Ktor using Kotlin and Java-JWT”.

Kotlin logo
Ktor logo
IdentityServer logo

Ktor OAuth Support

Currently, Ktor only supports OAuth which means our Ktor application can receive access tokens to talk to an API on behalf of the user, but it cannot find out who the user is. If we wanted to find out who the user is and to receive identity tokens, we would need OpenID Connect, which is currently unsupported...

Read more

Why Developers Do Care About OAuth and OpenID Connect

27 January 2019 OAuth

Recently, Okta released an article titled “Nobody Cares About OAuth or OpenID Connect” that authoritatively stated that “Developers don’t care about OAuth or OpenID Connect". I strongly disagree.

I recommend you give the article a read before reading my rebuttal below (although you might want to skip to “Why Nobody Cares About OAuth and OpenID Connect” and onwards).

Their key takeaways are:

  • The security community needs to keep developers safe
  • Developers using OAuth and OpenID Connect client libraries is similar to them rolling their own crypto
  • Client libraries should handle all of the authentication and authorization for developers, not just OAuth and OpenID Connect
Read more

ASP.NET Core using Proof Key for Code Exchange (PKCE)

22 January 2019 OpenID Connect Last Updated: 13 October 2019

Proof Key for Code Exchange (PKCE) was initially designed for native/mobile client applications when using OAuth; however, as a happy accident, it’s also handy for all other kinds of applications. Because of this, new specifications and BCP documents are starting to encourage the use of PKCE across the board.

PKCE allows us to ensure that the client application swapping an authorization code for tokens, is the same application that initially requested the authorization code. It protects us from bad actors from stealing authorization codes and using them.

In this article, we’re going to see how we can add PKCE support to an existing ASP.NET Core OpenID Connect client application (with some IdentityServer4 config thrown in for good measure).

Read more

Cheat Sheet: OAuth for Browser-Based Applications (e.g. a JavaScript SPA)

22 January 2019 OAuth

Confused how to properly authenticate access an API when using a browser-based application? Then use the below cheat sheet to choose the right approach for your needs.

The Scenario

I have an application running within the context of the browser (e.g. a React or Angular Single Page Application (SPA)) that wants to access an API on behalf of a user. This authenticated API call will be made directly from the user’s browser, and only our application should be able to call it on behalf of our authenticated user (i.e. we’re not vulnerable to Cross-Site Request Forgery (CSRF/XSRF).

Angular Logo
React Logo
Vue Logo
Aurelia Logo
Read more