SSL OAuth JWT OpenID Odata GraphQL gRPC GoogleWorkspace - sgml/signature GitHub Wiki

openssl

• https://www.ibm.com/docs/en/hpvs/1.2.x?topic=reference-openssl-configuration-examples
• https://www.feistyduck.com/library/openssl-cookbook/online/openssl-command-line/creating-certificate-signing-requests.html
• https://www.openssl.org/docs/man1.0.2/man5/config.html
• https://www.openssl.org/docs/man3.0/man7/openssl-env.html
• https://www.openssl.org/blog/blog/2024/05/28/QUIC-Webinar/

Chrome SSL Flags

chrome://flags/#allow-insecure-localhost

Chrome Secure Cookie Implementation

• https://bugs.chromium.org/p/chromium/issues/detail?id=843371

Architecture

• https://www.youtube.com/watch?v=3zEZ6d9PVZ8&t=30s
• https://stackoverflow.com/questions/49518174/oauth2-difference-between-callback-url-and-redirect-url
• https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
• https://apps.dtic.mil/sti/pdfs/ADA602429.pdf
• https://apps.dtic.mil/sti/tr/pdf/ADA519567.pdf
• https://lms.au.af.edu/doc/api/file.oauth.html

Auth Headers

• https://blogs.oracle.com/enterprisetechtips/adding-authentication-mechanisms-to-the-glassfish-servlet-container
• https://buildmedia.readthedocs.org/media/pdf/requests/latest/requests.pdf
• https://docs.servicestack.net/authentication-and-authorization
• https://portal.liferay.dev/docs/7-1/deploy/-/knowledge_base/d/authentication-verifiers
• https://requests.kennethreitz.org/en/master/user/authentication/
• https://learning.getpostman.com/docs/postman/sending-api-requests/authorization/
• https://swagger.io/docs/specification/authentication/
• https://www.elastic.co/guide/en/elasticsearch/reference/6.7/trb-security-kerberos.html
• https://www.ateam-oracle.com/identity-propagation-from-oag-to-rest-apis-protected-by-owsm
• https://hc.apache.org/httpcomponents-client-4.5.x/tutorial/html/authentication.html
• https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.0/html-single/server_administration_guide/index
• https://www.codeproject.com/Articles/1090252/Token-Based-Authentication-using-Postman-as-Client
• http://blog.intothesymmetry.com/2014/02/oauth-2-attacks-and-bug-bounties.html

Porting

• https://developer.ibm.com/open/projects/openapi-to-graphql/
• https://jaxenter.com/openapi-to-graphql-v1-0-159822.html
• https://openapi.tools/
• https://metacpan.org/pod/GraphQL::Plugin::Convert::OpenAPI
• https://loopback.io/getting-started-openapi-to-graphql.html

JWT Best Practices

• https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html
• https://developer.atlassian.com/cloud/jira/software/user-impersonation-for-connect-apps/
• https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
• https://github.com/nuxt-community/auth-module/issues/281
• https://developers.google.com/web/fundamentals/push-notifications/web-push-protocol
• https://github.com/parse-community/parse-server/issues/6849

Keycloak

• https://www.keycloak.org/docs-api/21.0.1/javadocs/constant-values.html
• https://www.baeldung.com/java-keycloak-search-users
• https://www.keycloak.org/operator/advanced-configuration

Polyglot

• http://wildermuth.com/2019/12/07/Should-We-Be-Thinking-of-APIs-in-a-more-Polyglot-Way

Request Flows

• https://developers.gigya.com/display/GD/OIDC+Relying+Party+Flow+Diagram+Template
• https://www.nccoe.nist.gov/publication/1800-3/VolB/
• https://www.nccoe.nist.gov/publication/1800-13/VolB/index.html
• https://www.nccoe.nist.gov/publication/1800-13/VolC/index.html
• https://infosec.mozilla.org/guidelines/iam/openid_connect
• https://infosec.mozilla.org/guidelines/iam/saml
• https://github.com/mozilla/mozilla-django-oidc
• https://flask-oidc.readthedocs.io/en/latest/
• https://pythonhosted.org/Flask-OpenID/
• https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.0/html/server_administration_guide/sso_protocols
• http://docs.identityserver.io/en/release/quickstarts/3_interactive_login.html
• https://wikis.forgerock.org/confluence/display/openam/OpenID+Connect+-+Curl+Commands
• https://stackoverflow.com/questions/5462950/openid-via-curl

Oauth 1.0A

• https://blog.twitter.com/developer/en_us/a/2011/improved-oauth-10a-experience
• https://oauth.net/core/1.0a/

OAuth 2.0

• https://developers.googleblog.com/2019/09/get-smart-about-preparing-your-app-for-OAuth-verfication.html
• https://support.google.com/cloud/answer/6158849
• https://developers.google.com/identity/protocols/oauth2
• https://developer.yahoo.com/oauth2/guide/flows_authcode/
• https://www.oauth.com/oauth2-servers/map-oauth-2-0-specs/
• https://speakerdeck.com/aaronpk/oauth-when-things-go-wrong
• https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
• https://api.slack.com/methods/oauth.token
• https://security.stackexchange.com/questions/127071/odd-history-of-oauth-2-device-flow
• https://security.stackexchange.com/questions/81285/oauth-confused-deputy-access-token-verification-state-parameter/81315
• https://github.com/IdentityModel/oidc-client-js/issues
• http://wiki.openid.net/w/page/12995200/OpenID%20Security%20Best%20Practices

Pairing

• https://docs.pingidentity.com/bundle/solution-guides/page/swp1564001124792.html
• https://help.salesforce.com/articleView?id=mobile_security_oauth.htm&type=5
• http://mobilecaddy.net/assets/MobileCaddy_Security_Overview_v2.2.pdf

Reverse Proxy

Traefik: https://www.codementor.io/@slavko/traefik-as-an-alternative-reverse-proxy-to-nginx-for-self-hosted-dockerized-applications-bm5tpcsmj

References

• https://www.hindawi.com/journals/misy/2018/6020461/
• https://docs.blackberry.com/content/dam/docs-blackberry-com/release-pdfs/en/blackberry-access/latest/BlackBerry-Access-Administration-Guide-2.11.pdf
• https://docs.iot.blackberry.com/guides/authentication/
• https://openid.bitbucket.io/draft-native-application-agent-core-01.html
• https://www.npmjs.com/package/client-oauth2
• https://api2cart.com/api-technology/choosing-oauth-type-api/
• https://benohead.com/oauth-2-0-openid-connect-explained/
• https://developer.okta.com/docs/api/resources/oidc
• https://api.stackexchange.com/docs/render-question
• https://javascriptplayground.com/node-and-google-oauth/
• https://ping.force.com/Support/Topic-Detail/OAuth-Playground
• https://oauth.net/2/grant-types/device-code/
• https://www.pingidentity.com/content/developer/en/resources/oauth-2-0-developers-guide.html
• https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/oauth_concepts.html
• https://dev.freeagent.com/docs/quick_start
• https://medium.com/@turhan.oz/oauth2-and-google-oauth-playground-550757f9355f
• https://www.npmjs.com/package/react-native-oauth
• https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
• https://www.uml-diagrams.org/google-sign-on-uml-activity-diagram-example.html
• https://www.joyofdata.de/blog/talking-to-twitters-rest-api-v1-1-with-r/
• https://developer.atlassian.com/server/jira/platform/oauth/
• https://docs.microsoft.com/en-us/windows/desktop/winhttp/authentication-using-script
• https://www.w3.org/wiki/WebID
• https://www.reddit.com/r/Steam/comments/8a7gsu/steam_openid_broken_for_many_websites_fix_inside/
• https://github.com/omniauth/omniauth/wiki/List-of-Strategies
• https://pythonhosted.org/Flask-OpenID/
• https://help.salesforce.com/articleView?id=remoteaccess_authenticate_overview.htm
• https://www.oreilly.com/library/view/identity-and-data/9781491937006/ch04.html
• https://tools.ietf.org/id/draft-ietf-oauth-security-topics-05.html
• https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13.html
• https://connect2id.com/learn/openid-connect
• https://connect2id.com/products/server/docs/guides/login-page
• https://www.oauth.com/oauth2-servers/authorization/the-authorization-response/
• https://ldapwiki.com/wiki/OAuth%202.0%20Vulnerabilities
• https://blog.acolyer.org/2016/11/07/a-comprehensive-formal-security-analysis-of-oauth-2-0/
• https://auth0.com/docs/api/authentication
• https://lightstep.com/blog/everything-i-wish-i-knew-about-enterprise-sso/
• https://medium.com/@robert.broeckelmann/identity-broker-an-sso-protocol-transition-fromopenid-connect-to-ws-federation-4af854cf113b
• https://github.com/awslabs/aws-mobile-appsync-sdk-js/issues/122
• https://tyk.io/docs/integrate/open-id-connect/
• https://docs.mulesoft.com/access-management/conf-openid-connect-task
• https://trac.tools.ietf.org/html/rfc7521
• https://openidconnect.herokuapp.com/
• http://openid-connect.herokuapp.com/
• https://www.openstreetmap.org/login#
• https://indieweb.org/NASCAR_problem
• https://developers.google.com/identity/protocols/OpenIDConnect
• https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code
• https://www.w3.org/TR/indieauth/
• https://www.mediawiki.org/wiki/OAuth/For_Developers
• https://github.com/jaredhanson/passport/wiki/Strategies
• https://auth0.com/docs/protocols/oidc
• https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
• https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance.html
• https://blogs.msdn.microsoft.com/mlserver/2017/08/21/encrypting-communication-between-web-node-and-compute-node-in-linux/
• https://blogs.technet.microsoft.com/pki/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually/
• https://developers.google.com/web/fundamentals/security/encrypt-in-transit/enable-https
• https://support.google.com/a/answer/6342198?hl=en
• https://www.gnu.org/software/libmicrohttpd/tutorial.pdf
• https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
• https://www.pluralsight.com/guides/using-https-with-ruby-on-rails
• https://gemfury.com/help/could-not-verify-ssl-certificate/
• https://confluence.atlassian.com/hc/creating-or-obtaining-an-ssl-key-and-certificate-608731891.html
• https://www.phusionpassenger.com/library/dev/nginx/dev_ssl.html
• https://blog.botreetechnologies.com/enable-ssl-in-developement-using-thin-2a4bd1af500d
• https://www.devmynd.com/blog/rails-local-development-https-using-self-signed-ssl-certificate/
• https://devcenter.heroku.com/articles/ssl-certificate-self
• https://medium.com/carwow-product-engineering/https-ssl-in-your-local-rails-4-1-development-environment-cc82a2009502
• http://www.passportjs.org/packages/
• https://news.ycombinator.com/item?id=14290114
• https://accounts.google.com/.well-known/openid-configuration
• https://ldapwiki.com/wiki/Openid-configuration
• https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1

Google WorkSpace Marketplace

• https://workspace.google.com/marketplace/app/email_to_text_%E2%80%94_send_sms_messages_from_g/135822310631
• https://workspace.google.com/marketplace/app/butils/436756636448

Google APIs

• https://www.diva-portal.org/smash/get/diva2:1773681/FULLTEXT02.pdf
• https://github.com/googleapis/google-api-python-client/blob/main/tests/test_mocks.py
• https://github.com/googleapis/google-api-python-client/blob/main/docs/oauth-installed.md
• https://googleapis.github.io/google-api-python-client/docs/epy/googleapiclient.errors-module.html
• https://github.com/googleworkspace/python-samples/tree/main/sheets/snippets
• https://developers.google.com/sheets/api/samples/
• https://developers.google.com/sheets/api/reference/rest/v4/ValueInputOption
• https://googleapis.github.io/google-api-python-client/docs/dyn/sheets_v4.spreadsheets.html

Billing

• https://cloud.google.com/security/products/recaptcha

PowerBI

1. https://www.cloudfronts.com/salesforce-object-connecting-inside-powerbi/
2. http://blog.pragmaticworks.com/tales-from-sales-hurdles-with-salesforce-connectors-in-power-bi
3. http://community.powerbi.com/t5/Integrations-with-Files-and/Power-Bi-Integration-with-Custom-Salesforce-Objects-Not-Reports/m-p/289454#M13653
4. https://docs.microsoft.com/en-us/power-bi/service-connect-to-salesforce
5. https://powerbi.microsoft.com/en-us/blog/embedding-a-power-bi-report-into-salesforce/
6. http://angryanalyticsblog.azurewebsites.net/index.php/2016/05/16/api-strategies-with-power-bi/
7. https://chris.koester.io/index.php/2015/07/16/get-data-from-twitter-api-with-power-query/
8. http://www.excelandpowerbi.com/?p=86
9. https://jessedotnet.com/2016/06/24/power-bi-connect-to-your-secure-api/
10. https://blogs.msdn.microsoft.com/iwilliams/2016/08/31/partner-center-api-and-power-bi/
11. https://blog.kloud.com.au/2015/06/24/use-excel-powerquery-and-yahoo-finance-to-manage-your-portfolio/
12. https://whitepages.unlimitedviz.com/2017/01/analyzing-wordpress-site-power-bi-google-analytics/
13. https://www.kasperonbi.com/getting-data-into-power-query-with-the-twitter-search-api-how-to-hack-pq-to-use-oauth/
14. https://community.powerbi.com/t5/Desktop/Issue-with-getting-data-via-API-with-bearer-token/td-p/126232
15. https://github.com/Microsoft/DataConnectors/blob/master/samples/Github/README.md
16. https://docs.opendatasoft.com/api/explore/odata.html#converting-an-authorization-grant-to-a-bearer-token
17. https://www.thebiccountant.com/2017/09/24/custom-connector-import-google-sheets-oauth2-powerbi/
18. https://digitalborn.org/post-requests-excel-power-bi/
19. https://prathy.com/2017/09/calling-power-bi-api-using-power-bi-desktop-to-document-power-bi-service/
20. https://stackapps.com/apps/oauth/view/12623
21. https://planningcenter.github.io/api-docs/#personal-access-token
22. https://blog.crossjoin.co.uk/2017/10/15/exploring-the-new-ssrs-2017-api-in-power-bi/
23. https://stackoverflow.com/questions/33225590/
24. https://docs.microsoft.com/en-us/power-bi/desktop-connect-odata

Office 365

1. https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/extensions-rest-operations
2. https://support.office.com/en-us/article/access-odata-feeds-from-power-query-82bd48b9-6a2f-4f2a-83c9-6868ba1d30e2
3. https://www.microsoft.com/en-us/microsoft-365/blog/2015/05/08/11-updates-to-power-query/
4. https://support.office.com/en-us/article/import-data-from-external-data-sources-power-query-be4330b3-5356-486c-a168-b68e9e616f5a

Flows

• https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-using-the-implicit-flow-with-form-post
• https://www.irs.gov/pub/irs-pdf/p5718.pdf
• https://auth0.com/docs/customize/integrations/cms/wordpress-plugin/integrate-with-wordpress
• https://auth0.com/docs/secure/data-privacy-and-compliance/gdpr/gdpr-track-consent-with-custom-ui

OIDC

• https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis

• https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-implicit-flow

• https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-refresh-tokens

• https://www.smashingmagazine.com/2017/06/guide-switching-http-https/

• https://docs.cloudfoundry.org/api/uaa/version/74.4.0/index.html

• https://cloud.google.com/identity-platform/docs/managing-providers-programmatically

• https://developers.cloudflare.com/access/configuring-identity-providers/generic-oidc/

• https://conferences.oreilly.com/velocity/vl-eu/cdn.oreillystatic.com/en/assets/1/event/302/Operating%20a%20global%20cloud%20native%20platform%20Presentation.pdf

• https://wiki.egi.eu/wiki/AAI_guide_for_IdPs

• https://medium.com/@sagarag/reloading-saml-idp-discovery-693b6bff45f0

• https://ldapwiki.com/wiki/Openid-configuration

• https://www.gilesorr.com/blog/ocsp-hsts.html

• https://security.stackexchange.com/questions/182873/why-isnt-pkce-encouraged-for-single-page-apps

• https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/openid-connect-implementation/open-id-connect-implementation-details

• https://www.netiq.com/documentation/access-manager-44/admin/data/b1dj6b2f.html

• https://security.stackexchange.com/questions/146572/is-cors-ever-needed-during-any-aspect-of-oauth-openidconnect-authentication

• https://developer.okta.com/docs/api/resources/oidc

• https://www.gartner.com/reviews/market/access-management/compare/okta-vs-ping-identity

Browser Tooling

• https://samltool.io/
• https://jwt.io/
• https://developers.google.com/oauthplayground/
• https://auth0.com/docs/libraries

Comparisons

• https://stackoverflow.com/questions/50687332/odata-vs-graphql
• https://blog.logrocket.com/5-reasons-you-shouldnt-be-using-graphql-61c7846e7ed3/
• https://www.dyspatch.io/blog/building-a-scalable-graphql-server-with-lessons-from-odata/
• https://www.progress.com/blogs/rest-api-industry-debate-odata-vs-graphql-vs-ords
• https://www.jannikbuschke.de/blog/odata-getting-started/
• https://apifriends.com/api-management/api-is-dead/
• http://www.soa4u.co.uk/2019/02/a-brief-look-at-evolution-of-interface.html
• https://nordicapis.com/when-to-use-what-rest-graphql-webhooks-grpc/
• https://improbable.io/blog/grpc-web-moving-past-restjson-towards-type-safe-web-apis