
Originally published at http://everything1know.wordpress.com on September 25, 2019.

What’s up, folks?

WSO2 Identity Server team is quite busy these days writing REST APIs for all of its functions and old SOAP APIs. Accordingly, I myself got to write a REST API for an old SOAP service we had, and today I’m going to tell you what I learned in that effort.

This article will cover the most common concepts of REST APIs and writing an API definition using Swagger. Then you can convert that definition into code using a language you prefer.

Please note that you need a basic understanding of the HTTP protocol and APIs. …



Originally published at http://everything1know.wordpress.com on September 10, 2019.

Hi all,

Here I am with another article that can get you a little bit higher on your IAM ladder. In my previous articles, I talked about what OAuth is, its grant types and what OpenID Connect is. Today I intend to give you hands-on experience with a real-life OAuth and OIDC implementation that is used by more than 100 companies around the world, and it’s the WSO2 Identity Server’s OAuth/OIDC implementation.

Let’s see a 10,000-foot view of what we’re going to do first. The following is the user story.

  1. Imagine we represent a company with several hundred employees and the user base is secured with the WSO2 Identity Server. …



Originally published at http://everything1know.wordpress.com on August 1, 2019.

What’s up, folks?

Today I’m going to talk about the eventing framework of the WSO2 Identity Server. There are numerous operations you can do with the WSO2 Identity Server, such as user operations, and the eventing framework is designed to trigger events when each of those operations is executed.

We can write handlers that subscribe to these events and carry out whatever the use case requires.

This is just one example, and we can do a lot using the WSO2 Identity Server eventing framework. …



Hello everyone!

This post was originally published at http://everything1know.wordpress.com on July 2, 2019.

In my previous posts, I talked about the basic OAuth concept (IAM for dummies: How does OAuth work) and OAuth grant types (IAM for dummies: OAuth 2 Grant Types). Today, I’m going to give you an understanding of OpenID Connect.

What is OIDC?



Originally published at http://everything1know.wordpress.com on June 1, 2019.

I talked about the concept of OAuth in my previous post. Today I’m going to dive a bit deeper and talk about the implementation details provided by the OAuth 2.0 specification. The first specification of OAuth was OAuth 1.0, and after a few years of use people identified some problems with it and created OAuth 2.0, the improved version.



What’s up, guys?

Today I’m going to talk about OAuth. I’ve been delivering OAuth presentations for a while now and I can’t believe it didn’t cross my mind to write something up on it. So here goes nothing!

OAuth is THE industry-standard protocol for authorization. It is used by a majority of software service providers, including WSO2 Identity Server, which is known for its fully functional OAuth features as an Identity Provider. OK, cool. Why should I care? Well, let me give you a practical real-life example of OAuth before going into details.

Have you heard about SoundCloud? If not, great! Let’s go and see what it is.



Introduction

When you use WSO2 Identity Server with OAuth functionalities, issued access tokens are likely to accumulate in the database as they expire, become inactive or are revoked. To address this issue, the server ships with token clean-up methods that let you keep your deployment free from growing token tables, and from the degraded performance on token flows that comes with that data growth.

There are two main methods we can use for token cleanup:

  1. Token cleanup feature: when a new token request or a revocation request comes in, the matching old tokens are removed from the database.
  2. Token cleanup stored procedure: instead of using the feature, you can manually set up a stored procedure to clean the tokens. …

1234 is not a secure password!

World Password Day was just two days ago (the first Thursday of May, which was the 2nd this year) and I saw a lot of articles and events all around the world. Personally, to me, passwords are nothing but problems. Why? Well, you have to think of a lot of things before choosing a password. The first and obvious question would be, is it secure enough? And once you crack that one, will that secure password be easily remembered? These are not simple problems, and we have to face them for each and every digital account we have.


Hi folks,

Today I’m going to talk about the Artifact Binding specification of SAML 2.0. Before we begin, I’ll give you a brief understanding of SAML.

SAML 2.0 stands for Security Assertion Markup Language version 2.0. It is an XML-based protocol recognized as an OASIS standard, and it’s widely used in the software industry for enabling cross-domain single sign-on (SSO). SAML 2.0 uses security tokens containing assertions to pass information about an end user between an identity provider and a service provider. This article written by Sagara Gunathunga has more on SAML if you wish to read.

SAML 2.0 Bindings.

There are several bindings, or methods, introduced with the SAML specification, such as HTTP Redirect Binding, HTTP POST Binding, and HTTP Artifact Binding. What’s special about Artifact Binding is that it uses a special token to transport sensitive information between two parties. In order to understand the importance of this, we must have an idea about the other bindings of the SAML spec. …

Vihanga Liyanage
