Robert Broeckelmann: API Gateways and Multiple Consumer Types
Sometimes at client sites, I see a separation of APIs advertised on an API Gateway based upon consumer type. Sometimes, this is…
2 min read · May 24, 2024

Robert Broeckelmann: RFC 9068: A JWT-Based OAuth2 Access Token Format
For anyone who has been paying attention, this blog post has been a long time coming for multiple reasons. First, this is my first blog…
10 min read · May 24, 2024

Robert Broeckelmann: Making Authorization Decisions
This blog post continues our discussion of Authorization in the API space. It will explore common authorization patterns with API Gateways…
7 min read · Feb 6, 2021

Robert Broeckelmann: Kerberos and Windows Security: Delegation
In this next post in the Kerberos and Windows Security Series, we are going to explore a very useful, but abstract feature of the Kerberos…
11 min read · Feb 6, 2021

Robert Broeckelmann: HTTP POST vs GET: Is One More Secure For Use In REST APIs?
The use of HTTP POST vs HTTP GET for read-only (or query) operations in REST APIs recently came up in a conversation. For this particular…
16 min read · Feb 6, 2021

Robert Broeckelmann: OAuth2 Access Tokens vs API Keys — Using JWTs
There are several approaches to securing APIs. Every API Gateway vendor supports the same core set of API security mechanisms. API Keys…
8 min read · Jul 15, 2020

Robert Broeckelmann: Identity Protocols, Hosted Login UIs, and Custom Login UIs
There are many ways to implement user authentication in a modern application (mobile, desktop, tablet, web, etc). I have previously…
7 min read · Jul 13, 2020

Robert Broeckelmann: More Single Page Application (SPA) and OAuth2 Thoughts
This post continues where “SECURELY USING THE OIDC AUTHORIZATION CODE FLOW AND A PUBLIC CLIENT WITH SINGLE PAGE APPLICATIONS” left off on…
4 min read · Sep 1, 2019

Robert Broeckelmann: OAuth2 Access Tokens and Multiple Resources Series
This article is a place my other blog posts can point at when referencing this series.
1 min read · Aug 31, 2019