What even is an OIDC CLI? oidc --issuer=https://issuer.example.com \ --port=5432 \ --client_id=some-client-id \ --client_secret=some-client-secret \ --profile \ --email \ --roles # Browser launches https://issuer.example.com, using the authorization_endpoint returned by https://issuer.example.com/.well-known/openid-configuration # User logs in, approves scopes `openid`, `profile`, and `email`, and a code is returned to the CLI listening at http://localhost:5432

This is the second article in the series. For the first article, visit here. Multiple Okta SAML Identity Providers What’s the best way to register multiple Okta instances in a Spring Boot application as potential sources of identity and authorization? spring: security: saml2: relyingparty: registration: okta1: identityprovider: metadata-uri: https://dev-#######.okta.com/app/XXXXXXXXXXXXXXXXXXXX/sso/saml/metadata …

PHAAS? What acronyms you get when everything is as a service Can’t I hash my own passwords? Companies have a vested interest in ensuring passwords in their care are handled securely. A centralized PHAAS could help by ensuring that passwords are encoded and verified according to company standards and best practices. Centralizing password hashing also removes…

Use Case: I want to prevent creation of a resource that does not meet standard. Possible Solution: Validating Webhook How do you make this? Register a validating webhook with a resource definition that looks like the below example (see the K8s 1.19 API reference). …

If you have a Spring Boot app, chances are you want to allow users to easily login to that app. Here I’ll show you how to use Okta as a SAML Identity Provider to allow your users in Okta to login to your app and preserve their identity. Create a Dev Account on Okta To start…

During the past few months I’ve been fortunate to spend a good deal of time with my family. I’ve noticed a few patterns with the kids — patterns I’ve also seen while leading agile software teams and doing technical consulting for seven companies. Here’s a few scenarios that I found…

In part 1 [1] I discussed a strategy that we call “online validation” of tokens, by calling the UAA’s /introspect [2] endpoint and passing in a token for validation. Here I’d like to discuss an alternative strategy known as “offline validation” of tokens. …

Let’s say you’re an application developer, crafting an application that will be secured by the UAA OAuth 2.0 server. You expose an HTTP endpoint that requires consumers to have an OAuth scope called app-x-read-only. An HTTP client has called your endpoint, and handed you a token! …

It’s important that your Cloud Foundry Oauth2 Clients are able to continually interact with the UAA, for example to verify the validity of opaque tokens. But if the client secret needs to be rotated, it’s hard to get the timing just right. …