Security and other notes
Jinlian(Sunny) Wang edited this page Apr 24, 2022
- 3-Legged OAuth flow step by step
- Authorization Code Flow (3-legged OAuth) with LinkedIn
- Client Credential Flow (2-legged OAuth) with LinkedIn
- oAuth 2.0 Grant Types
- OAuth 2.0 Single Sign On Authentication in Chrome Extension
- JSON Web Token Structure
- How to create a Json Web Token (JWT) using OpenSSL shell commands?
- Validate JSON Web Tokens
- node-jsonwebtoken library - git repo
- Navigating RS256 and JWKS
- Locate JSON Web Key Sets
- CapitalOne OIDC WellKnown Endpoints
- IETF: JSON Web Token (JWT)
- Using Auth0 as an Identity Provider for GraphQL APIs with AWS AppSync
- ID Token and Access Token: What's the Difference? It contains a valid ID token (a JWT) that can be pasted into a JWT debugger to experiment with.
- How to Explain Public-Key Cryptography and Digital Signatures to Anyone
- User Management Encounter: OIDC vs OAuth2
- How SAML Authentication Works
- SAML Authentication XML-Signature Verification
- Part 1 : Single Sign-On (SSO) between AWS SSO and SAML Application
- MASTERCLASS: SECURE YOUR WEBSITE WITH SSL ENCRYPTION
- SSL in Dot NET – Volume 1 – Hypothesis
- SSL Checker: knows your cert
- Certificate and Public Key Pinning
- Security with HTTPS and SSL
- TrustKit-Android Git Repo
- SSL Utils - Git Repo and related article - Trust specific certificate on JVM-based platforms.
- CRL - Certificate Revocation List - Wiki
- How certificate revocation (doesn’t) work in practice
- The Basics of Web Application Security
- Java Cryptography We can use AWS KMS to hold a master key that encrypts an AES key, which in turn encrypts other sensitive information, for example to generate an auth token on the server side before passing it to the client.
- Using the Android Keystore system to store and retrieve sensitive information Android M and above provides a native key store for sensitive information like auth tokens; we shall encrypt the token and then save it to SharedPreferences, see also Android: Is it a good idea to store Authentication Token in Shared Preferences?
- Security Code Warrior Contains secure coding practices.
- Defending Against CSRF Attacks, XSRF, or Sea-Surf It covers cross-site request forgery and how to defend against it, in particular how anti-CSRF tokens work.
- Build Secure Microservices in Your Spring REST API
- Simple Token Authentication for Java Apps
- OAuth2.0: Complete Guide
- What the Heck is OAuth?
- Simple Guide to SAML vs OIDC
- SAML Introduction: Okta
- Base64 encoding and decoding in Java 8
- Public Keys, Private Keys, and Certificates, Certificates Chain A great article that explains these concepts in plain English.
- The Most Common Java Keytool Keystore Commands
- Difference between trustStore vs keyStore in Java SSL
- Creating Java TrustStores and KeyStores from Environment Variables
- Brute Forcing HS256 is Possible: The Importance of Using Strong Keys in Signing JWTs A good article on what a JWT is and the different ways of signing/encrypting messages between parties.
Notes:
- Create an SSH keypair using the “ssh-keygen” command on a Unix box. This generates two files (private key and public key); the public key is the file ending with the “.pub” extension.
- Copy the public key to the target machine (the one you want to authenticate to) and append it to the $HOME/.ssh/authorized_keys file ($HOME refers to the home directory of the target user, generally under “/home/”)
- Set appropriate ownership and permissions (if not already set) for $HOME, $HOME/.ssh and the authorized_keys file on the target server, for example:

```sh
chown -R ec2-user:ec2-user /home/ec2-user/.ssh
chmod 700 /home/ec2-user/.ssh
chmod 600 /home/ec2-user/.ssh/authorized_keys
```
- Connect to the target server from the source machine using ssh, passing the private key with the “-i” option:

```sh
ssh -i <Path to private key file> <system account name>@<Target Server>
```
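As an added example (not part of the original notes), the following hypothetical helper `check_ssh_perms` audits the ownership and permission requirements from the steps above on the target account. It assumes a POSIX shell and a `stat` command (GNU or BSD); it is useful because sshd, with its default StrictModes setting, silently ignores authorized_keys when the home directory, `.ssh` or the file itself is group- or world-writable, which shows up on the client only as "Permission denied (publickey)".

```shell
#!/bin/sh
# Hypothetical helper, added example: verify the SSH key-setup steps on a
# target account. Usage: check_ssh_perms /home/ec2-user
# Returns 0 when everything matches, otherwise prints each problem and returns 1.

mode_of() {   # octal permission bits; GNU stat first, BSD/macOS stat as fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

owner_of() {  # owning user name; GNU stat first, BSD/macOS stat as fallback
  stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

group_or_world_writable() {  # $1 = octal mode string such as 755 or 2775
  perm=$1
  while [ ${#perm} -gt 3 ]; do perm=${perm#?}; done   # drop setuid/setgid/sticky digit
  while [ ${#perm} -lt 3 ]; do perm=0$perm; done
  grp=${perm%?}; grp=${grp#?}; oth=${perm#??}         # group and other digits
  case "$grp$oth" in *[2367]*) return 0 ;; esac       # write bit present
  return 1
}

check_ssh_perms() {
  home=$1; ssh_dir=$home/.ssh; auth=$ssh_dir/authorized_keys; rc=0
  [ -d "$home" ]    || { echo "missing home directory: $home"; return 1; }
  [ -d "$ssh_dir" ] || { echo "missing directory: $ssh_dir"; return 1; }
  [ -f "$auth" ]    || { echo "missing file: $auth"; return 1; }
  user=$(owner_of "$home")
  # sshd StrictModes: home must not be writable by group or others
  if group_or_world_writable "$(mode_of "$home")"; then
    echo "$home is group/world writable (mode $(mode_of "$home")); sshd will ignore the key"; rc=1
  fi
  [ "$(mode_of "$ssh_dir")" = 700 ] || { echo "$ssh_dir: expected mode 700, found $(mode_of "$ssh_dir")"; rc=1; }
  [ "$(mode_of "$auth")" = 600 ]    || { echo "$auth: expected mode 600, found $(mode_of "$auth")"; rc=1; }
  # .ssh and authorized_keys must belong to the account that logs in
  for p in "$ssh_dir" "$auth"; do
    [ "$(owner_of "$p")" = "$user" ] || { echo "$p: owned by $(owner_of "$p"), expected $user"; rc=1; }
  done
  return $rc
}
```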