Robert Broeckelmann: Application Front-Ends Must Not Make Authorization Decisions
First, let’s get the usual introductions out of the way. For an in-depth discussion of what Authorization is, check out this post. For a…
4d ago

Robert Broeckelmann: API Gateways and Multiple Consumer Types
Sometimes at client sites, I see a separation of APIs advertised on an API Gateway based upon consumer type. Sometimes, this is…
May 24

Robert Broeckelmann: RFC 9068: A JWT-Based OAuth2 Access Token Format
For anyone who has been paying attention, this blog post has been a long time coming for multiple reasons. First, this is my first blog…
May 24

Robert Broeckelmann: Making Authorization Decisions
This blog post continues our discussion of Authorization in the API space. It will explore common authorization patterns with API Gateways…
Feb 6, 2021

Robert Broeckelmann: Kerberos and Windows Security: Delegation
In this next post in the Kerberos and Windows Security Series, we are going to explore a very useful, but abstract feature of the Kerberos…
Feb 6, 2021

Robert Broeckelmann: HTTP POST vs GET: Is One More Secure For Use In REST APIs?
The use of HTTP POST vs HTTP GET for read-only (or query) operations in REST APIs recently came up in a conversation. For this particular…
Feb 6, 2021

Robert Broeckelmann: OAuth2 Access Tokens vs API Keys — Using JWTs
There are several approaches to securing APIs. Every API Gateway vendor supports the same core set of API security mechanisms. API Keys…
Jul 15, 2020

Robert Broeckelmann: Identity Protocols, Hosted Login UIs, and Custom Login UIs
There are many ways to implement user authentication in a modern application (mobile, desktop, tablet, web, etc). I have previously…
Jul 13, 2020

Robert Broeckelmann: More Single Page Application (SPA) and OAuth2 Thoughts
This post continues where “SECURELY USING THE OIDC AUTHORIZATION CODE FLOW AND A PUBLIC CLIENT WITH SINGLE PAGE APPLICATIONS” left off on…
Sep 1, 2019