Big step forward in security for Azure DevOps! Skip the service principal and make it a just-in-time connection using OIDC!
Public preview of Workload identity federation for Azure Pipelines - Azure DevOps Blog https://devblogs.microsoft.com/devops/public-preview-of-workload-identity-federation-for-azure-pipelines/
Great news for Azure Pipelines https://devblogs.microsoft.com/devops/public-preview-of-workload-identity-federation-for-azure-pipelines/
It should not be very different to configure from what I did for provisioning an Azure Ready GitHub Repository https://www.techwatching.dev/posts/azure-ready-github-repository
#oidc #cicd #azuredevops #azure
@deadsuperhero @dansup I could be mistaken, but it really seems like #OAuth2 and #OIDC are very similar... insomuch that when creating a single SSO plugin for one, I also created one for the latter.
Lastly the apps of the #HomeLab
* #HomeAssistant (which is doing quite a bit, worthy of its own topic)
* Nextcloud (did some custom stuff with the deploy)
* Matrix/Element
* Guacamole
* Tandoor (recipe app)
* Jellyfin/Emby + supporting apps
* Adguard-DNS (because the pi-hole container is a mess)
* Unifi Controller
* Cluster Monitoring via Grafana/Prometheus
* Keycloak for #OIDC for the above apps with #passkey support
* Esphome dashboard
Adding cameras soon via frigate
#homelab #homeassistant #oidc #Passkey
With @wildflyas 29, it's now possible to secure the WildFly Management Console with #OIDC using the #Elytron OIDC Client subsystem. Want to learn more? Check out this blog post:
https://wildfly-security.github.io/wildfly-elytron/blog/securing-management-console-oidc/
KEYCLOAK "2+1" starter package:
https://www.linkedin.com/feed/update/urn:li:share:7088129182034993152/
#keycloak #authentifzierung #oidc
In this post, you will learn how to add authentication to your Java Spring Boot using OAuth2 with Authgear as the Identity Provider (IdP).
https://www.authgear.com/post/authentication-for-spring-boot-app-with-authgear-and-oauth2
#authentication #java #springboot #oauth2 #openid #oidc
So, there are formal security considerations on how to implement "OAuth 2.0 for Browser-Based Apps" using Service Workers.
But if you actually decide to go down this rabbit hole, you definitely would want to functionally test your solution THOROUGHLY for ALL browsers.
#OAuth #OIDC #SSO #AppSec #webdevelopment
(4/4)
[Blog Post] Unauthenticated #XSS to ATO using #SSO Gadget Chain
Just blogged about a vulnerability chain I recently discovered in a private bug bounty program:
https://security.lauritz-holtmann.de/post/csti-xss-sso-gadget-chain/
TL;DR: If you encounter an SSO implementation, make sure to test the /callback endpoint for XSS within the OAuth/OIDC "error_description" parameter.
Always try to escalate "non-exploitable" XSS-vulns (Self-XSS, only possible when user has no active session, …) using SSO gadgets.
#xss #sso #bugbounty #vuejs #oidc #oauth
Suddenly having issues authenticating your GitHub Workflows to AWS using OIDC? This might be why...
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
In Agile n00b world: we need azure devops to develop the AAD #OIDC sso connection
https://docs.rs/axum-util/0.1.0/axum_util/oidc/struct.OidcConfig.html
I found this in `axum-util` and now I'm wondering how hard it is to use this to secure endpoints with a set of expected claims from a token. Are there maybe any examples using axum-util? So far I found https://crates.io/crates/jwt-authorizer which looks good, but I'm not sure if it is the right thing.
#rust #oidc
Resharing from Nov 2022: I put together a basic proof of concept for using existing #Mastodon installations as SSO for #Matrix, using #Synapse. Here's what the authentication and authorization flow for that looks like!
While Mastodon doesn't support #OpenIDConnect, #OIDC is just #OpenID on top of #OAuth2.0. If your app allows configuring all URLs for your IdP you can use nearly any OAuth2.0 provider.
Avatars currently aren't supported via this (I added one) but can be!
#mastodon #matrix #synapse #openidconnect #oidc #OpenID #oauth2
#TIL that you don't need an #auth library like #Laravel's fortify. Just host an AuthN provider and implement #oidc or #ldap.
If you ship a desktop app, you don't need #AuthN because the user is authenticated through their login into their computer.
If you ship to a business, they will have an LDAP or OIDC server or will host one when needed.
If you ship an app with online account, you can just host #Keycloak or #Authentic or pay #auth0.
More below:
#TIL #auth #laravel #oidc #ldap #authn #keycloak #authentic #auth0
next up, tailscale login.
Use Google, Microsoft, GitHub, Apple, Okta, OneLogin, custom #OIDC
new: passkeys, tied to device or keychain, based on #WebAuthN in browser
use "second factor" as primary factor.
demo ensues. "Sign in with passkey". Demo 1 fails. Demo 2 succeeds. Demo 3 uses hardware security key, works the first time.
"If you have enough demos, one of them has to work."
Replace passwords!
#oidc #webauthn #tailscaleup #Tailscale
Dead SaaS providers:
Please stop making SSO part of your enterprise plans! We're a small group and would love to get started with your free or low cost options but not being able to use our auth system is a _problem_. Security is not an optional extra!
New #Video on my YouTube channel: #KEYCLOAK Update #Email Feature | Niko Köbler (@dasniko)
https://www.youtube.com/watch?v=KmwgQiL6kMc
#video #keycloak #email #oidc #authentication
"From GitHub to Account Takeover: Misconfigured Actions Place GCP & AWS Accounts at Risk"
https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/
#github #oidc #cloud #security