Episode 1: Authentication and Authorization

TIMESTAMPS
00:00 Welcome + Disclaimer
00:38 JWT fails
02:37 JWT security breach
05:20 JWT and authorization: token contents
10:57 Local/Session Storage vs Cookie
12:19 Reaching for the shotgun? End of the podcast?
12:58 Basic auth
14:21 Digest
15:03 SSO vs Same Sign On (distributed mega systems)
17:48 SSO, for real this time
18:22 OAuth3
19:57 SSO and corporations ("megacorp")
23:49 Kerberos, NTLM, the NT version of SAML?
28:43 Authorization schemes: RBAC, CBAC, ABAC, PBAC, ŠBAK
30:18 Nikola shares his research experience
36:18 The joy of 2FA on Slack
37:00 Should we hash on the client?
38:45 Minifying the req/res body, bandwidth? "security through obscurity"
41:50 Client-side nonce
45:02 Sign-off

References, in the order they were mentioned:

OAuth3
https://oauth.net/3/

OpenID
https://openid.net/connect/

WSO2 OpenID (on-premise/hybrid combination with AWS IAM as a custom OpenID provider)
https://wso2.com/identity-and-access-management/

Kerberos
https://web.mit.edu/kerberos/

NTLM
https://docs.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview

Role-Based Access Control (RBAC)
Claim-Based Access Control (CBAC)
Attribute-Based Access Control (ABAC)
Policy-Based Access Control (PBAC)
ŠBAK (what on earth is this, cut it from the description?)

WET (Write Everything Twice)

Client-Side Nonce
https://security.stackexchange.com/questions/3001/what-is-the-use-of-a-client-nonce