SSL OAuth JWT OpenID Odata GraphQL gRPC GoogleWorkspace - sgml/signature GitHub Wiki

XML Security

Vendor	Non-OAuth Specifications Supported	Key Focus	Documentation Reference
SiteMinder	SAML 2.0, WS-Federation, Proprietary policy overlays	Legacy enterprise-grade SSO & policy enforcement	SiteMinder Implementation (Broadcom)
Ping Identity	SAML 2.0, WS-Federation (via PingFederate)	Cloud-ready federated SSO	PingFederate Documentation
WSO2	SAML 2.0, WS-Federation, WS-Security, WS-Policy	Open source, comprehensive identity management	WSO2 Identity Server Documentation
CyberSafe	Kerberos (MIT Kerberos-based, KDC integration, Active Directory support)	Enterprise authentication solutions based on Kerberos	CyberSafe Kerberos
Axiomatics	XACML, Policy-based Access Control	Fine-grained authorization and enterprise policy management using XACML	Axiomatics XACML Reference

Oauth Flows

OAuth Type	Spec Section / Grant Type	Expected Redirect Count	Maximum Redirects (Poor Implementation)
Two-legged OAuth	Client Credentials Grant (RFC 6749, Section 4.4)	0	0
Three-legged OAuth	Authorization Code Grant (RFC 6749, Section 4.1)	2*	∞ (if a redirect loop is not properly terminated)
Four-legged OAuth	Extended delegation flow (non-standard, legacy term)	3*	∞ (if chained redirects are abused)
Token Exchange (RFC 8693)	OAuth 2.0 Token Exchange (RFC 8693)	0	∞ (if misconfigured redirects lead to loops)

Objections

Lack of granularity

• https://motorcycleguy.blogspot.com/2012/10/a-four-legged-oauth-for-abbi.html
• https://motorcycleguy.blogspot.com/2012/10/thousand-of-providers-and-apps-for-abbi.html
• https://www.xmlgrrl.com/2009/03/23/to-protect-and-to-serve/

Authorization Code

"While the Authorization Code Grant Flow is designed to improve upon less secure methods by keeping tokens off the front channel, its reliance on multiple redirections and the client-supplied 'state' parameter introduces real implementation challenges. In practice, weak enforcement of redirect URI validation and the absence of PKCE in older implementations have allowed attackers to exploit this complexity."

— OAuth 2.0 Security Best Current Practice (IETF OAuth Working Group)
OAuth 2.0 Security Best Current Practice Draft

"The theoretical strengths of the Authorization Code Grant Flow come at the cost of increased complexity; if the redirection endpoints and state parameters are not rigorously validated, the flow becomes susceptible to redirect manipulation and CSRF attacks. This has led many in the security community to caution that proper implementation is not optional, but absolutely critical."

— OAuth.com Editorial, discussing common pitfalls in OAuth implementations
OAuth 2.0 Authorization Code Grant – OAuth.com

Client Credentials

"One of the primary challenges with the Client Credentials Grant flow is its singular reliance on the client's own credentials, making it highly vulnerable if these credentials are leaked. Without any end-user context, a leaked client secret can enable an attacker to impersonate the application indefinitely, leading to unauthorized access that may persist until the credentials are explicitly rotated."

— Microsoft Identity Platform
OAuth 2.0 Client Credentials Grant Flow

"The Client Credentials Grant flow, while ideal for machine-to-machine communication, suffers from a lack of fine-grained access control because it never involves an end-user. This absence of user consent means that once an application is authorized, it gains broad access rights, which can be problematic if permissions are not tightly enforced."

— OAuth.com Editorial
OAuth 2.0 Client Credentials Grant Overview

Oauth 1.0a/b

Provider	OAuth Version Supported	Reference URL
Etsy	OAuth 1.0 (implemented as OAuth 1.0a/1.0b)	Etsy Developer Documentation
Flickr	OAuth 1.0 (typically known as OAuth 1.0a, incorporating 1.0b fixes)	Flickr API Documentation
Twitter	OAuth 1.0a (which reflects the OAuth 1.0b revisions)	Twitter OAuth 1.0a Documentation
Tumblr	OAuth 1.0 (commonly referred to as OAuth 1.0a/1.0b)	Tumblr API Documentation
MySpace	OAuth 1.0 (historically supported via OAuth 1.0a/1.0b)	MySpace API Archive (historical reference)
Netflix	OAuth 1.0 (historically implemented as OAuth 1.0a, reflecting 1.0b fixes)	Netflix API Archives (historical reference)
OpenStreetMap	OAuth 1.0 (using OAuth 1.0a mechanisms, reflective of OAuth 1.0b improvements)	OpenStreetMap API Wiki

Notes:

• Two-legged OAuth (Client Credentials Grant) involves direct client-to-server communication without user redirection.
• Three-legged OAuth (Authorization Code Grant) employs a redirection cycle to obtain user consent, typically resulting in two redirects.
• Four-legged OAuth is a legacy or extended term implying one extra redirection beyond the standard three-legged flow.
• Token Exchange (RFC 8693) is designed for direct, server-to-server token exchanges without redirection. However, if a poor implementation erroneously introduces redirection loops, it could theoretically allow an infinite number of redirects.

The asterisks next to the expected redirect counts for three- and four-legged OAuth indicate that these values represent typical scenarios rather than strict limits set by the specification.

openssl

• https://www.ibm.com/docs/en/hpvs/1.2.x?topic=reference-openssl-configuration-examples
• https://www.feistyduck.com/library/openssl-cookbook/online/openssl-command-line/creating-certificate-signing-requests.html
• https://www.openssl.org/docs/man1.0.2/man5/config.html
• https://www.openssl.org/docs/man3.0/man7/openssl-env.html
• https://www.openssl.org/blog/blog/2024/05/28/QUIC-Webinar/

Chrome SSL Flags

chrome://flags/#allow-insecure-localhost

Chrome Secure Cookie Implementation

• https://bugs.chromium.org/p/chromium/issues/detail?id=843371

Architecture

• https://www.youtube.com/watch?v=3zEZ6d9PVZ8&t=30s
• https://stackoverflow.com/questions/49518174/oauth2-difference-between-callback-url-and-redirect-url
• https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
• https://apps.dtic.mil/sti/pdfs/ADA602429.pdf
• https://apps.dtic.mil/sti/tr/pdf/ADA519567.pdf
• https://lms.au.af.edu/doc/api/file.oauth.html

Auth Headers

• https://blogs.oracle.com/enterprisetechtips/adding-authentication-mechanisms-to-the-glassfish-servlet-container
• https://buildmedia.readthedocs.org/media/pdf/requests/latest/requests.pdf
• https://docs.servicestack.net/authentication-and-authorization
• https://portal.liferay.dev/docs/7-1/deploy/-/knowledge_base/d/authentication-verifiers
• https://requests.kennethreitz.org/en/master/user/authentication/
• https://learning.getpostman.com/docs/postman/sending-api-requests/authorization/
• https://swagger.io/docs/specification/authentication/
• https://www.elastic.co/guide/en/elasticsearch/reference/6.7/trb-security-kerberos.html
• https://www.ateam-oracle.com/identity-propagation-from-oag-to-rest-apis-protected-by-owsm
• https://hc.apache.org/httpcomponents-client-4.5.x/tutorial/html/authentication.html
• https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.0/html-single/server_administration_guide/index
• https://www.codeproject.com/Articles/1090252/Token-Based-Authentication-using-Postman-as-Client
• http://blog.intothesymmetry.com/2014/02/oauth-2-attacks-and-bug-bounties.html

Porting

• https://developer.ibm.com/open/projects/openapi-to-graphql/
• https://jaxenter.com/openapi-to-graphql-v1-0-159822.html
• https://openapi.tools/
• https://metacpan.org/pod/GraphQL::Plugin::Convert::OpenAPI
• https://loopback.io/getting-started-openapi-to-graphql.html

JWT Best Practices

• https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html
• https://developer.atlassian.com/cloud/jira/software/user-impersonation-for-connect-apps/
• https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
• https://github.com/nuxt-community/auth-module/issues/281
• https://developers.google.com/web/fundamentals/push-notifications/web-push-protocol
• https://github.com/parse-community/parse-server/issues/6849

Keycloak

• https://www.keycloak.org/docs-api/21.0.1/javadocs/constant-values.html
• https://www.baeldung.com/java-keycloak-search-users
• https://www.keycloak.org/operator/advanced-configuration

Polyglot

• http://wildermuth.com/2019/12/07/Should-We-Be-Thinking-of-APIs-in-a-more-Polyglot-Way

Request Flows

• https://developers.gigya.com/display/GD/OIDC+Relying+Party+Flow+Diagram+Template
• https://www.nccoe.nist.gov/publication/1800-3/VolB/
• https://www.nccoe.nist.gov/publication/1800-13/VolB/index.html
• https://www.nccoe.nist.gov/publication/1800-13/VolC/index.html
• https://infosec.mozilla.org/guidelines/iam/openid_connect
• https://infosec.mozilla.org/guidelines/iam/saml
• https://github.com/mozilla/mozilla-django-oidc
• https://flask-oidc.readthedocs.io/en/latest/
• https://pythonhosted.org/Flask-OpenID/
• https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.0/html/server_administration_guide/sso_protocols
• http://docs.identityserver.io/en/release/quickstarts/3_interactive_login.html
• https://wikis.forgerock.org/confluence/display/openam/OpenID+Connect+-+Curl+Commands
• https://stackoverflow.com/questions/5462950/openid-via-curl

Oauth 1.0A

• https://blog.twitter.com/developer/en_us/a/2011/improved-oauth-10a-experience
• https://oauth.net/core/1.0a/

OAuth 2.0

• https://developers.googleblog.com/2019/09/get-smart-about-preparing-your-app-for-OAuth-verfication.html
• https://support.google.com/cloud/answer/6158849
• https://developers.google.com/identity/protocols/oauth2
• https://developer.yahoo.com/oauth2/guide/flows_authcode/
• https://www.oauth.com/oauth2-servers/map-oauth-2-0-specs/
• https://speakerdeck.com/aaronpk/oauth-when-things-go-wrong
• https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
• https://api.slack.com/methods/oauth.token
• https://security.stackexchange.com/questions/127071/odd-history-of-oauth-2-device-flow
• https://security.stackexchange.com/questions/81285/oauth-confused-deputy-access-token-verification-state-parameter/81315
• https://github.com/IdentityModel/oidc-client-js/issues
• http://wiki.openid.net/w/page/12995200/OpenID%20Security%20Best%20Practices

Pairing

• https://docs.pingidentity.com/bundle/solution-guides/page/swp1564001124792.html
• https://help.salesforce.com/articleView?id=mobile_security_oauth.htm&type=5
• http://mobilecaddy.net/assets/MobileCaddy_Security_Overview_v2.2.pdf

Reverse Proxy

Traefik: https://www.codementor.io/@slavko/traefik-as-an-alternative-reverse-proxy-to-nginx-for-self-hosted-dockerized-applications-bm5tpcsmj

References

• https://www.hindawi.com/journals/misy/2018/6020461/
• https://docs.blackberry.com/content/dam/docs-blackberry-com/release-pdfs/en/blackberry-access/latest/BlackBerry-Access-Administration-Guide-2.11.pdf
• https://docs.iot.blackberry.com/guides/authentication/
• https://openid.bitbucket.io/draft-native-application-agent-core-01.html
• https://www.npmjs.com/package/client-oauth2
• https://api2cart.com/api-technology/choosing-oauth-type-api/
• https://benohead.com/oauth-2-0-openid-connect-explained/
• https://developer.okta.com/docs/api/resources/oidc
• https://api.stackexchange.com/docs/render-question
• https://javascriptplayground.com/node-and-google-oauth/
• https://ping.force.com/Support/Topic-Detail/OAuth-Playground
• https://oauth.net/2/grant-types/device-code/
• https://www.pingidentity.com/content/developer/en/resources/oauth-2-0-developers-guide.html
• https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/oauth_concepts.html
• https://dev.freeagent.com/docs/quick_start
• https://medium.com/@turhan.oz/oauth2-and-google-oauth-playground-550757f9355f
• https://www.npmjs.com/package/react-native-oauth
• https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
• https://www.uml-diagrams.org/google-sign-on-uml-activity-diagram-example.html
• https://www.joyofdata.de/blog/talking-to-twitters-rest-api-v1-1-with-r/
• https://developer.atlassian.com/server/jira/platform/oauth/
• https://docs.microsoft.com/en-us/windows/desktop/winhttp/authentication-using-script
• https://www.w3.org/wiki/WebID
• https://www.reddit.com/r/Steam/comments/8a7gsu/steam_openid_broken_for_many_websites_fix_inside/
• https://github.com/omniauth/omniauth/wiki/List-of-Strategies
• https://pythonhosted.org/Flask-OpenID/
• https://help.salesforce.com/articleView?id=remoteaccess_authenticate_overview.htm
• https://www.oreilly.com/library/view/identity-and-data/9781491937006/ch04.html
• https://tools.ietf.org/id/draft-ietf-oauth-security-topics-05.html
• https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13.html
• https://connect2id.com/learn/openid-connect
• https://connect2id.com/products/server/docs/guides/login-page
• https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
• https://ldapwiki.com/wiki/OAuth%202.0%20Vulnerabilities
• https://blog.acolyer.org/2016/11/07/a-comprehensive-formal-security-analysis-of-oauth-2-0/
• https://auth0.com/docs/api/authentication
• https://lightstep.com/blog/everything-i-wish-i-knew-about-enterprise-sso/
• https://medium.com/@robert.broeckelmann/identity-broker-an-sso-protocol-transition-fromopenid-connect-to-ws-federation-4af854cf113b
• https://github.com/awslabs/aws-mobile-appsync-sdk-js/issues/122
• https://tyk.io/docs/integrate/open-id-connect/
• https://docs.mulesoft.com/access-management/conf-openid-connect-task
• https://trac.tools.ietf.org/html/rfc7521
• https://openidconnect.herokuapp.com/
• http://openid-connect.herokuapp.com/
• https://www.openstreetmap.org/login#
• https://indieweb.org/NASCAR_problem
• https://developers.google.com/identity/protocols/OpenIDConnect
• https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code
• https://www.w3.org/TR/indieauth/
• https://www.mediawiki.org/wiki/OAuth/For_Developers
• https://github.com/jaredhanson/passport/wiki/Strategies
• https://auth0.com/docs/protocols/oidc
• https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
• https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html
• https://blogs.msdn.microsoft.com/mlserver/2017/08/21/encrypting-communication-between-web-node-and-compute-node-in-linux/
• https://blogs.technet.microsoft.com/pki/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually/
• https://developers.google.com/web/fundamentals/security/encrypt-in-transit/enable-https
• https://support.google.com/a/answer/6342198?hl=en
• https://www.gnu.org/software/libmicrohttpd/tutorial.pdf
• https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
• https://www.pluralsight.com/guides/using-https-with-ruby-on-rails
• https://gemfury.com/help/could-not-verify-ssl-certificate/
• https://confluence.atlassian.com/hc/creating-or-obtaining-an-ssl-key-and-certificate-608731891.html
• https://www.phusionpassenger.com/library/dev/nginx/dev_ssl.html
• https://blog.botreetechnologies.com/enable-ssl-in-developement-using-thin-2a4bd1af500d
• https://www.devmynd.com/blog/rails-local-development-https-using-self-signed-ssl-certificate/
• https://devcenter.heroku.com/articles/ssl-certificate-self
• https://medium.com/carwow-product-engineering/https-ssl-in-your-local-rails-4-1-development-environment-cc82a2009502
• http://www.passportjs.org/packages/
• https://news.ycombinator.com/item?id=14290114
• https://accounts.google.com/.well-known/openid-configuration
• https://ldapwiki.com/wiki/Openid-configuration
• https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1

Google WorkSpace Marketplace

• https://workspace.google.com/marketplace/app/email_to_text_%E2%80%94_send_sms_messages_from_g/135822310631
• https://workspace.google.com/marketplace/app/butils/436756636448

Google APIs

• https://www.diva-portal.org/smash/get/diva2:1773681/FULLTEXT02.pdf
• https://github.com/googleapis/google-api-python-client/blob/main/tests/test_mocks.py
• https://github.com/googleapis/google-api-python-client/blob/main/docs/oauth-installed.md
• https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.errors-module.html
• https://github.com/googleworkspace/python-samples/tree/main/sheets/snippets
• https://developers.google.com/sheets/api/samples/
• https://developers.google.com/sheets/api/reference/rest/v4/ValueInputOption
• https://googleapis.github.io/google-api-python-client/docs/dyn/sheets_v4.spreadsheets.html

Billing

• https://cloud.google.com/security/products/recaptcha

PowerBI

1. https://www.cloudfronts.com/salesforce-object-connecting-inside-powerbi/
2. http://blog.pragmaticworks.com/tales-from-sales-hurdles-with-salesforce-connectors-in-power-bi
3. http://community.powerbi.com/t5/Integrations-with-Files-and/Power-Bi-Integration-with-Custom-Salesforce-Objects-Not-Reports/m-p/289454#M13653
4. https://docs.microsoft.com/en-us/power-bi/service-connect-to-salesforce
5. https://powerbi.microsoft.com/en-us/blog/embedding-a-power-bi-report-into-salesforce/
6. http://angryanalyticsblog.azurewebsites.net/index.php/2016/05/16/api-strategies-with-power-bi/
7. https://chris.koester.io/index.php/2015/07/16/get-data-from-twitter-api-with-power-query/
8. http://www.excelandpowerbi.com/?p=86
9. https://jessedotnet.com/2016/06/24/power-bi-connect-to-your-secure-api/
10. https://blogs.msdn.microsoft.com/iwilliams/2016/08/31/partner-center-api-and-power-bi/
11. https://blog.kloud.com.au/2015/06/24/use-excel-powerquery-and-yahoo-finance-to-manage-your-portfolio/
12. https://whitepages.unlimitedviz.com/2017/01/analyzing-wordpress-site-power-bi-google-analytics/
13. https://www.kasperonbi.com/getting-data-into-power-query-with-the-twitter-search-api-how-to-hack-pq-to-use-oauth/
14. https://community.powerbi.com/t5/Desktop/Issue-with-getting-data-via-API-with-bearer-token/td-p/126232
15. https://github.com/Microsoft/DataConnectors/blob/master/samples/Github/README.md
16. https://docs.opendatasoft.com/api/explore/odata.html#converting-an-authorization-grant-to-a-bearer-token
17. https://www.thebiccountant.com/2017/09/24/custom-connector-import-google-sheets-oauth2-powerbi/
18. https://digitalborn.org/post-requests-excel-power-bi/
19. https://prathy.com/2017/09/calling-power-bi-api-using-power-bi-desktop-to-document-power-bi-service/
20. https://stackapps.com/apps/oauth/view/12623
21. https://planningcenter.github.io/api-docs/#personal-access-token
22. https://blog.crossjoin.co.uk/2017/10/15/exploring-the-new-ssrs-2017-api-in-power-bi/
23. https://stackoverflow.com/questions/33225590/
24. https://docs.microsoft.com/en-us/power-bi/desktop-connect-odata

Office 365

1. https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/extensions-rest-operations
2. https://support.office.com/en-us/article/access-odata-feeds-from-power-query-82bd48b9-6a2f-4f2a-83c9-6868ba1d30e2
3. https://www.microsoft.com/en-us/microsoft-365/blog/2015/05/08/11-updates-to-power-query/
4. https://support.office.com/en-us/article/import-data-from-external-data-sources-power-query-be4330b3-5356-486c-a168-b68e9e616f5a

Flows

• https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-using-the-implicit-flow-with-form-post
• https://www.irs.gov/pub/irs-pdf/p5718.pdf
• https://auth0.com/docs/customize/integrations/cms/wordpress-plugin/integrate-with-wordpress
• https://auth0.com/docs/secure/data-privacy-and-compliance/gdpr/gdpr-track-consent-with-custom-ui

OIDC

• https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis

• https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-implicit-flow

• https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-refresh-tokens

• https://www.smashingmagazine.com/2017/06/guide-switching-http-https/

• https://docs.cloudfoundry.org/api/uaa/version/74.4.0/index.html

• https://cloud.google.com/identity-platform/docs/managing-providers-programmatically

• https://developers.cloudflare.com/access/configuring-identity-providers/generic-oidc/

• https://conferences.oreilly.com/velocity/vl-eu/cdn.oreillystatic.com/en/assets/1/event/302/Operating%20a%20global%20cloud%20native%20platform%20Presentation.pdf

• https://wiki.egi.eu/wiki/AAI_guide_for_IdPs

• https://medium.com/@sagarag/reloading-saml-idp-discovery-693b6bff45f0

• https://ldapwiki.com/wiki/Openid-configuration

• https://www.gilesorr.com/blog/ocsp-hsts.html

• https://security.stackexchange.com/questions/182873/why-isnt-pkce-encouraged-for-single-page-apps

• https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/openid-connect-implementation/open-id-connect-implementation-details

• https://www.netiq.com/documentation/access-manager-44/admin/data/b1dj6b2f.html

• https://security.stackexchange.com/questions/146572/is-cors-ever-needed-during-any-aspect-of-oauth-openidconnect-authentication

• https://developer.okta.com/docs/api/resources/oidc

• https://www.gartner.com/reviews/market/access-management/compare/okta-vs-ping-identity

Browser Tooling

• https://samltool.io/
• https://jwt.io/
• https://developers.google.com/oauthplayground/
• https://auth0.com/docs/libraries

Comparisons

• https://stackoverflow.com/questions/50687332/odata-vs-graphql
• https://blog.logrocket.com/5-reasons-you-shouldnt-be-using-graphql-61c7846e7ed3/
• https://www.dyspatch.io/blog/building-a-scalable-graphql-server-with-lessons-from-odata/
• https://www.progress.com/blogs/rest-api-industry-debate-odata-vs-graphql-vs-ords
• https://www.jannikbuschke.de/blog/odata-getting-started/
• https://apifriends.com/api-management/api-is-dead/
• http://www.soa4u.co.uk/2019/02/a-brief-look-at-evolution-of-interface.html
• https://nordicapis.com/when-to-use-what-rest-graphql-webhooks-grpc/
• https://improbable.io/blog/grpc-web-moving-past-restjson-towards-type-safe-web-apis