Securing the Perimeter

In general, when I think about OAuth, I immediately start to think about my past and current experience with books on the subject.

“Securing the Perimeter” was an interesting read; here is my opinion about it:

In the first chapter the book's authors explain how LDAP works and describe how to configure it in the Gluu server (one of the authors is the actual developer behind the Gluu server). For me LDAP wasn't so important, and in my opinion LDAP can be over-engineered and add unnecessary complexity to the authorization and authentication security layer.

This book definitely concentrates on the Gluu server as its one practical example of managing authorization in the security layer.

Speaking of OAuth, it looks like it's a feature in the Gluu server, but the authors don't recommend using the OAuth grant protocol and rather rely on the auth token flow.
I found the description of OAuth in this book very abstract; it doesn't include any really good example of how to implement it “right”, particularly if you are a JavaScript developer with an urgent need to write a JS client that accesses the Gluu identity management server (this is actually the whole reason why I read the book).

One thing is for sure: OAuth was designed for authorization, and for authentication purposes you need to use an additional layer (which only makes things even more complex).

I found this chart interesting, but still there is no really good example in this book of how to actually implement it.

Furthermore, the authors advise and strongly suggest using the authorization code flow for web and mobile applications, or the implicit flow for pure JavaScript clients.

In general terms OAuth2 is based on tokens: you as the user send a password and receive an auth token as the response from the server. With that you can do some things, but each time the token must be verified by the identity and access management server (the Gluu server, for example), and sure enough such tokens can be stolen, and there is no real protection (besides encrypting the end-to-end connection).

The book does not provide code examples of a really good OAuth2 implementation.
Setting up 2FA in the Gluu server was interesting, but I skipped that chapter. Why?

Because it wasn't my main interest; I was looking for particular OAuth2 solutions.
This book describes the man-in-the-middle attack, but I already knew that such a thing is possible, and protecting yourself from it depends not only on software solutions but rather on the general security policies of the given company.

Besides OAuth, this book describes OpenID, which is based on the OAuth security framework.
In the last chapter the authors go very deep into further identification security technologies, biometrics etc.

Final opinion about this book: the authors tried to cover many security topics, but in my opinion they failed at delivering good explanations of why, when and how to use OAuth2. Sure, in the book you will find a link to a GitHub repo with an OpenID example.
Still, this book makes a good introduction to the Gluu server, which can be used for exactly this purpose.
To whom would I recommend this book?
To a JavaScript developer? Well, not really.
To a software architect? Probably, but there you need to ask yourself what you are looking for.
To a chief information security officer? Well, at that point you actually should already know how all that security stuff works.
Anyone interested in OAuth2? Definitely not; there are better books. Stay tuned for more, because I will cover at least 2 or 3 OAuth2 books 😉