Tuesday Jan 15, 2013

A Look at OAuth2 - A Follow-Up to the Reader's Comments

Originally posted on Phil Hunt's blog IndependentID

On my last blog post on Oracle IDM, Marc asks some very good questions that deserve a longer response:


Here's where I get confused about OAuth2. I keep hearing you don't need crypto (which is often where developers get so tripped up on other federation protocols) but how do you securely have a self contained token without crypto? You mention signing a token, but isn't that crypto? If you are relying solely on transport security does that mean all connections need to be HTTPS mutual authentication to be viable?


Let me break this up into a couple of paraphrased pieces:

1. If you do not use crypto, how do you securely have a self-contained token (aka bearer token)?

In OAuth1, the algorithm, usage and signing instructions were narrowly defined (probably limiting the life of the spec). OAuth1 assumed all communication would be insecure and therefore the access token itself needed to be secure. This required each client developer to implement the specification's MAC token in order to access services.

In contrast, in OAuth2 the assumptions are reversed. Communication is secure, so tokens do not need to be self-securing (as MAC tokens were in OAuth1). OAuth2 opens the door to using simple bearer tokens (RFC 6750) to access services. OAuth2 assumes that because the issuing process is secured by TLS, the mere possession of a valid token is sufficient to authenticate, or rather to maintain the session relationship with the client.

With that said, there are still many scenarios where stronger ongoing authentication of the client is important to improve security. For a larger discussion on this, check out the current OAuth2 WG Security draft which discusses these issues.

2. Does this mean all connections must be HTTPS mutual authentication to be viable?

TLS mutual authentication is useful, but is not required. OAuth2 allows the client application to be authenticated through other means such as a client secret, a JWT, or a SAML assertion. One of the problems with TLS mutual authentication is that when TLS terminates before the server (e.g. in a load balancer), the server may not be able to access the client's authentication with the load balancer.

Let me first qualify that not all communication needs to be secured in all cases. Let's look at the two main endpoints that are being communicated with. The Authorization Server (aka Token Server), does require that at least server-authenticated TLS be enabled for all communication. In the case of a Resource Server, server-authenticated TLS is not required but SHOULD be used when using tokens without crypto (aka bearer tokens).
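The two token models discussed above, as an added example that is not code from Phil Hunt's post or from any Oracle product: a token endpoint that authenticates the client with an HTTP Basic client id/secret (one of the non-mTLS options mentioned), issues an opaque bearer token, and a resource server that accepts it on possession alone; beside it, an OAuth1-style MAC token where the client signs the request itself so the check does not depend on transport security. The client id, secret and MAC key are constructed demo values (assumptions, not from the post).

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo credentials (assumed, not from the post); a real deployment
# loads these from a secret store and never hard-codes them.
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-client-secret"
MAC_KEY = b"constructed-shared-mac-key"

# Authorization server state: opaque token -> expiry (seconds since epoch).
_issued_tokens = {}
# Resource server state for the MAC variant: nonces already accepted.
_seen_nonces = set()


def basic_auth_header(client_id, client_secret):
    """Build the HTTP Basic header a client sends to the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate_client(authorization_header):
    """Client authentication at the token endpoint using a client id/secret
    pair; the TLS channel protects the secret in transit."""
    if not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:]).decode("utf-8")
        cid, csecret = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(cid.encode(), CLIENT_ID.encode()) and \
        hmac.compare_digest(csecret.encode(), CLIENT_SECRET.encode())


def issue_bearer_token(authorization_header, ttl=3600, now=None):
    """Token endpoint: after authenticating the client, mint an opaque bearer
    token. The token carries no signature; TLS on this exchange is what keeps
    it from being observed in transit. Returns None if the client fails auth."""
    if not authenticate_client(authorization_header):
        return None
    token = secrets.token_urlsafe(32)  # random, unguessable, meaningless on its own
    _issued_tokens[token] = (now if now is not None else time.time()) + ttl
    return token


def check_bearer_request(headers, now=None):
    """Resource server check per RFC 6750: possession of a valid, unexpired
    token is sufficient. Returns an HTTP status code."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    expiry = _issued_tokens.get(auth[7:])
    if expiry is None or (now if now is not None else time.time()) >= expiry:
        return 401
    return 200


def mac_sign(method, path, body, timestamp, nonce):
    """OAuth1-style self-securing token: an HMAC over the request itself, so a
    value captured on an insecure link cannot be reused for a different request."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = f"{timestamp}\n{nonce}\n{method}\n{path}\n{body_hash}".encode()
    return hmac.new(MAC_KEY, msg, hashlib.sha256).hexdigest()


def check_mac_request(method, path, body, timestamp, nonce, mac, now=None, max_skew=300):
    """Resource server check for the MAC variant: reject stale timestamps and
    reused nonces, then recompute the signature. Returns an HTTP status code."""
    current = now if now is not None else time.time()
    if abs(current - timestamp) > max_skew:
        return 401
    if nonce in _seen_nonces:
        return 401
    expected = mac_sign(method, path, body, timestamp, nonce)
    if not hmac.compare_digest(expected, mac):
        return 401
    _seen_nonces.add(nonce)
    return 200


if __name__ == "__main__":
    tok = issue_bearer_token(basic_auth_header(CLIENT_ID, CLIENT_SECRET), now=1000)
    print("bearer, valid:", check_bearer_request({"Authorization": "Bearer " + tok}, now=1500))
    print("bearer, altered:", check_bearer_request({"Authorization": "Bearer " + tok + "x"}, now=1500))
    body = b'{"amount":10}'
    sig = mac_sign("POST", "/api/transfer", body, 1000, "nonce-1")
    print("mac, valid:", check_mac_request("POST", "/api/transfer", body, 1000, "nonce-1", sig, now=1000))
    print("mac, body changed:", check_mac_request("POST", "/api/transfer", b'{"amount":99}', 1000, "nonce-2", sig, now=1000))
```

The bearer path does no cryptography on the token at all: the resource server only looks the string up and checks expiry, which is exactly why the post insists on TLS for the issuing exchange and recommends it for the resource server. The MAC path binds the credential to method, path, body, timestamp and nonce, so a modified body or a replayed request fails even without TLS, at the cost of every client implementing the signing routine.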

Thanks for the questions. Please keep them coming!

Monday Oct 17, 2011

Rapid ROI with Oracle Enterprise Single Sign-On Suite

We live in interesting economic times. The housing market has been in a slump for several years now. If you are going to invest in a property today purely for rental purposes, then most likely you will look at how quickly you can break even. I recently read somewhere that the historical price to rent ratio for most housing markets in the continental states is around 15. The price to rent ratio is the price paid for a property divided by the annual rent on the property. So in other words, it takes about 15 years on a historical average basis to break even on an investment in rental property. That’s a long time I would say, don’t you agree?

However, our Oracle Identity Management solutions are designed to offer extremely quick Return on Investment (ROI) to our customers. Let’s take the example of Oracle Enterprise Single Sign-On (ESSO) Suite Plus. Oracle ESSO overcomes the huge burden of productivity losses and helpdesk costs incurred from forgotten passwords. In addition to that, we offer one more compelling reason for our customers to invest in Oracle ESSO. That is its rapid ROI.

Let’s take the example of an organization with about 7000 users where strong password policies are enforced. In many organizations, users are required to change their application passwords frequently (about once a quarter is not uncommon). An average helpdesk call associated with a password reset can cost $40. If such an organization deploys Oracle ESSO, they can eliminate their password headaches and overcome productivity losses that forgotten passwords can inflict. In addition to all that, Oracle ESSO delivers an ROI of 140% within the first 12 months of deployment. In other words, the organization can recover their investment and save additionally within the first year. And within the first five years, Oracle ESSO can save nearly $5 million in costs. Now that’s a very compelling investment.

You can find the Oracle Enterprise Single Sign-On ROI calculator here.

You can download a copy of the Enterprise Single Sign-On Buyer’s Guide here.

Join us on our live webcast Oct 19th to find out how Oracle ESSO Suite Plus can deliver quick wins for your organization. Register here for this webcast.

Thursday Sep 15, 2011

Security Inside Out Newsletter - September Edition

This month’s edition of the Oracle Security Inside Out newsletter is now available.

In this edition we look at some of the OpenWorld sessions that you just don't want to miss. We also discuss Oracle Unified Directory 11g, and reveal the latest in identity management webcasts, videos, events and more.

If you don’t have a subscription to this bi-monthly security information update, you can sign up here.

For a full listing of all the Identity Management sessions at this year's OpenWorld, check out the FocusOn document.

Friday Aug 12, 2011

Layering Enterprise Security with Access Management

As a security professional, one of the surveys I look forward to every year is the Data Breach Investigations Report published by Verizon. In the 2011 edition of the report, there were several glaring statistics. Verizon reports that 76% of all breaches compromised back end servers, 92% of attacks were not highly difficult and an alarming 96% of all security breaches were preventable through simple or intermediate controls. At Oracle, we could not agree more.

Across the enterprise security landscape there are several factors which are increasing risk for organizations. Traditional security has relied on defending the perimeter. But the proliferation of sophisticated attacks, internally and externally, demands sophisticated defense mechanisms that factor risk into the security equation. Secondly, the modern workforce is increasingly dynamic and mobile. When employees, partners, contractors, customers, suppliers, etc. all need access to critical applications, access to sensitive information should be restricted to authorized users. Finally, recent IT trends like cloud computing and mobility have resulted in a proliferation of applications that employees need access to. Applications come in many different flavors (packaged, homegrown, SaaS, mobile apps, etc.) and when each app has its own notion of the user, how they connect and what they are authorized to do, this increases the cost and complexity of integrating security for applications.

At Oracle, our Access Management solutions offer holistic security to help organizations safeguard against security threats, reduce risk, ensure compliance and security for applications, web services and data. In our upcoming webcast on Aug 23 sponsored by IOUG, Eric Leach from Oracle will discuss the latest innovations in Oracle Access Management solutions and how they can help you address your enterprise security and compliance goals.

Register here for the Aug 23 Webcast.
