# OAuth Replay Attack Mitigation

When working with developers on authentication and authorization, I find that the `nonce` and `state` parameters are two of the more difficult parts of the OAuth 2.0 and OpenID Connect specifications to understand. It’s clear from the specs that these parameters are for security, but what specific attacks do these parameters help to prevent? Well, these two parameters work in tandem to thwart replay attacks and cross-site request forgery (CSRF). …

# OpenGL and CUDA Applications in Docker

Trying to run an OpenGL application in a Docker container? Want to containerize a program that uses CUDA or Tensorflow and has a graphical aspect to it? Well thanks to the NVIDIA Container Toolkit and the GL Vendor-Neutral Dispatch Library (glvnd), this is now possible. OpenGL code can be compiled and run directly in a container, taking full advantage of an NVIDIA GPU. And by connecting to the host’s X server, the display can be seen on the host machine.

This is a brief get-you-up-and-running article, and I assume familiarity with Docker and Linux. (Oh, and if you’re using Windows…

# Implementing an Optimal Rubik’s Cube Solver using Korf’s Algorithm

## And a Quick Solver Using Thistlethwaite’s Algorithm

The Rubik’s Cube is a fascinating, timeless puzzle with quintillions of possible states. As a cube-geek turned AI-enthusiast, and armed with a handful of human-centric algorithms for solving the cube, I decided to try my hands at programming a Rubik’s Cube solver. Perhaps a bit naively, I didn’t outright realize that solving a cube optimally or proving that any cube is solvable in 20 or fewer moves would involve a decent understanding of mathematics, combinatorics, optimization, and group theory. Fun stuff. So I waded through a bunch of papers, brushed off some old math and AI books, and went to…

# Mirroring Drawings: Symmetry with Affine Transformations

In graphical applications flipping is common and useful. A flip transform can be used to show a mirror image, like a character in a 3D scene peering into a pond or a reflection on the fender of a chopper. Flips can also be used to change between orthonormal coordinate systems. For example, OpenGL uses a right-handed coordinate system whereas DirectX uses a left-, and a flip transform can convert between the two. Likewise, a JavaScript canvas has a y-axis that grows downward, causing programmers to turn their heads upside-down or contort their hands to figure out the right-hand rule. (Thumb…

# Rotating and Orbiting with Affine Transformations

In this article I’ll go over some algorithms for rotating and orbiting objects in a scene using affine transformations. I’ll provide some JavaScript code that shows the algorithms in action, rotating and orbiting squares in a 2D canvas. These algorithms of course translate to 3D space, but I’ve used a canvas for simplicity and because the demos can be viewed in a browser. Note that when rendering in a 2D canvas, the origin is at the top-left corner of the canvas, with the x-axis growing to the right, the y-axis growing down, and the z-axis growing into the screen. …

# Zooming at the Mouse Coordinates with Affine Transformations

Providing zoom functionality in a graphical application is as simple as applying a scale matrix. If, however, the scale operation should occur at a specific point — about the user’s mouse location or about the center of the scene, for example — then some linear algebra and a handful of affine transformations can get the job done. In this article I’ll go over an algorithm for zooming at a point with some graphics for visual aid. There’s also some example JavaScript code that shows how to zoom using a 2D scene rendered in a canvas. …

In my last article I went over some reasons for keeping access tokens out of the browser and presented a few attack vectors. In this article I’ll go over an approach for secure token storage with single-page applications. The storage solution needs to fulfill the following goals:

1. An API server that’s sessionless. Authorization should be handled by adding a bearer token to an Authorization header. By avoiding sessions, the API server can be consumed by first- and third-party applications across origins (CORS support).
2. A single-page application that can communicate with the API server but does not store access tokens in…

We developers often have access tokens and other sensitive information flowing through our applications. Access tokens are needed so that we can consume APIs on behalf of our users, and the tokens have to be stored somewhere. With single-page applications, it’s tempting to store access tokens directly in the browser. Doing so is convenient because it makes it easy to intercept API hits and add the token to an Authorization header. But here’s the problem: major identity providers explicitly warn against keeping access tokens in the browser, as does OWASP, and the authors of the OAuth 2.0

# Sequentially Indexing Permutations: A Linear Algorithm for Computing Lexicographic Rank

Recently I wrote an optimal solver for the Rubik’s Cube that can solve any scrambled cube in 20 moves or fewer. Check it out if you’re interested. Anyway, solving the puzzle programmatically involves creating pattern databases that hold hundreds of millions of values, namely the number of twists required to solve subsets of the cube, like the number of twists necessary to solve the eight corners. Because such large datasets can easily exhaust system resources, the values in the databases are stored sequentially in plain arrays. …

# What a Cluster: Deployment using Kubernetes and Helm

Here at Benningfield Group, the systems that we develop have slowly migrated from monoliths to microsystems in the past decade or so. Our typical systems are composed of many small, constituent pieces. An application may be made of a public website, an API server or two, a handful of databases, lions and tigers and bears, oh my! Each of these pieces is baked into a Docker image and then moved through development, QA, UAT, and finally to production. That’s great because each service is immutable: if an image passes QA, the identical image is deployed to UAT; if it passes…

## Ben Botto
