Authlete is a silver sponsor of European Identity and Cloud Conference 2023 (EIC 2023), from 9th to 12th May 2023.
We will have a booth and sessions at the hybrid conference (on-site and virtual). DPG Media, one of our customers, will also give a presentation introducing their experience in building and managing a large scale CIAM infrastructure using Authlete. Please stop by our booth and join the following sessions.
You often think service providers should build identity and API security infrastructure by themselves to have full control and flexibility so that it can fit into their business and technology stack. But it tends to be time consuming and costly due to lack of expertise to do so. Buying a heavy-weight solution is another considerable option, but it reluctantly leads dependency on the particular vendor of the solution, which may have redundant features and may not accommodate to customize in a cost-effective and timely manner. In this session, we will discuss a third option to “buy and build” that can combine the best of both worlds and give you control by building from scratch, as well as minimize the time and resource by leveraging “Identity Components as a Service.”
As an international media company we’ve been dealing with rapid digital transformation for a bunch of years now. One of the corner stones of our strategy is identity & access management for millions of users and customers. Over the last 6 years we’ve gone through many iterations of our Identity platform; from a fully managed SaaS platform to our own custom built solution. In this talk we’ll share our journey with you and highlight some of the challenges we’ve faced, how we’ve dealt with them and why we believe our homegrown platform has been the right choice for the company.
OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has been historically difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last five years working to improve the state of the art and will present the latest developments in the field.
There are challenges when trying to achieve high security and interoperability with OAuth 2: Many potential threats need to be addressed, some not part of the original OAuth threat model. To seamless authorizations, optionality must be minimized OAuth itself and also in any extensions used.
Six years ago, the IETF OAuth working group started work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.
We will introduce these specifications and help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and high security through the use of techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS. We highlight the benefits for implementers and the role of conformance testing tools.
There’s a lot of foundational work happening in the space of Selective Disclosure (SD) right now. Selective Disclosure enables you to have a token with many claims (say, an ISO Mobile Drivers’ License (mDL)), and only release the claims necessary to the interaction – for instance, your birthdate but not your home address. Selective Disclosure enables Minimal Disclosure. This is sometimes realized using Zero Knowledge Proofs (ZKPs) but that’s not always necessary.
In decentralized identity ecosystems, users hold their own credentials to share them with others when needed. One key requirement for these credentials is selective disclosure: instead of sharing the entire credential, users should be able to share only the minimal amount of information necessary for a given use case. This is where SD-JWT comes in. SD-JWT (Selective Disclosure JWT) is a new format for enabling selective disclosure in JWTs. It is based on the JOSE family of standards for signing and encryption, making it easy to understand and implement. Developed by the IETF OAuth Working Group, SD-JWT is not limited to verifiable credentials, but can be used universally to provide selective disclosure for any JWT.
Due to its simplicity, SD-JWT has quickly gained traction, with several implementations already available and ongoing adoption as an important building block in both commercial and public projects. In this talk, we will introduce the concepts behind SD-JWT and provide a detailed overview of its capabilities and benefits. We will also discuss the current state of SD-JWT adoption and future directions for its development.
See the EIC 2023 Website for details and registration of the conference.