
Identiverse 2018 - Day 1: A recap with a Graph DB lens

Published on 09 July 2018 in Conference


What is great about @Identiverse is that you keep digesting everything you learn (and re-learn) during 4 crazy days of first-class, deep, and detailed material on Digital Identity, Trust, and Privacy. This year was once again no exception. The schedule was packed with food for thought, and for the body too thanks to the traditional bootcamp.

Thanks to Brian Campbell aka @__b_c for all the photos! @Identiverse Bootcampers

The schedule was intense, and at some point choosing between the tracks was a dilemma. So find the recaps of other attendees, consolidate them, watch the YouTube channel for the session recordings, and next year contribute to the pot by attending. For my part, I used my notes and some analytics I ran on the #identiverse hashtag through a Graph DB. I will explain the how in a later post for those interested.

My day #1 started with a three-hour OAuth 2.0 Masterclass by @justin__richer‏. Impossible to miss. OAuth 2.0 should be at the heart of the Digital Identity strategy of any serious Micro-Services and DevOps effort, as it paves the road to other core topics of @Identiverse such as:

I take a small break to make some advertisement for the OpenID Foundation. For $25, you can join it, deep dive into today's protocols' RFCs by asking the Pros behind them, contribute to workgroups for corrections/precisions/details on current protocols' flows, and vote for tomorrow's protocols' specifications.

The OpenID Foundation (OIDF) promotes, protects and nurtures the OpenID community and technologies. The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. OIDF assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

My takeaways from this session are partial as I had to leave early to catch some other talks:

  • The client in OAuth is any piece of software that needs to access the resource... it is not necessarily running in the browser. It can be an application backend.
  • Sharing the session cookie of a client and replaying it in the backend is just bad
  • Sharing your 3rd party credentials so a client can scrape the 3rd party service in your name is ... even worse

This is the core of Financial-grade API or FAPI, PSD2, and the Open Banking movement in the UK

  • API keys don't identify the user a client acts on behalf of... for example: do you think Google will give a key to one client to access all the resources of Amazon?

This session was core to the next sessions of @justin__richer‏ on everything that is bad with OAuth and to the presentations on protecting the API by @bertrandcarlier‏ and @prabath.

And as someone noted:

did @justin__richer‏ really do a three full hours on OAuth 2 today at #identiverse? https://t.co/Tic5RZ8CCy

My next session was with @alexb_imagina, the leader in the Graph for Identity and especially Identity Relationship Management or IRM. He described how GraphQL aims to solve the API explosion. For that he described the basics of a Graph project:

  1. The Schema representing the objects to manipulate
  2. The Mutators representing what can change with the objects
  3. The Resolvers to fetch the corresponding data from the different backends to process the change requested

In this example, the Resolver will implement the Authorization logic based on the OAuth and the relationships between the clients, the resources, etc.


The best way to start with development around Graph technologies is by using grandstack.io.

More tweets:

So #RBAC explosion can be solved with #ABAC and #API explosion can be solved with #Graph representation… https://t.co/vsmndtkr8

After that, I joined Nat Sakimura aka @_nat_en, the chairman of the OpenID Foundation, for a deep dive into Financial-grade API or FAPI.

FAPI is now extending from the UK and Japan to Australia.

FAPI tries to solve problems with OAuth 2.0 flows: TLS can be terminated at the User Agent, where the token can then be changed, read, or disclosed, and a bearer token can be stolen and replayed from another client.

FAPI introduces sender-constrained tokens, which bind a token to the specific User Agent for which it was issued. There is also another scenario, Client Initiated Backchannel Authentication or CIBA, that covers use cases where authentication happens through another channel... I will need to dig deeper into that in a following post.

The idea is to reflect the payment options of the physical world in the Digital World with an Intent Flow:

  • I intend to do an action A
  • I get an ID for this intent
  • I do an authorization on this Intent ID
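Put together as an added illustration (not from Nat Sakimura's session or the FAPI specification itself), the Python sketch below models the intent flow together with a sender-constrained token: the token carries the intent ID and the thumbprint of the certificate the client presented (the cnf/x5t#S256 binding of RFC 8705 mutual-TLS), so a bearer token lifted at the UA and replayed by another client is rejected at the resource server. The function names, the HMAC-based token format and the sample certificate bytes are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

AS_KEY = b"constructed-authorization-server-key"  # constructed sample signing key
INTENTS = {}  # intent_id -> lodged intent (in-memory stand-in for the AS store)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 confirmation value: base64url(SHA-256(client certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())

def lodge_intent(client_id: str, action: dict) -> str:
    """'I intend to do action A' / 'I get an ID for this intent'."""
    intent_id = "urn:intent:" + secrets.token_hex(8)
    INTENTS[intent_id] = {"client_id": client_id, "action": action, "sub": None}
    return intent_id

def authorize_intent(intent_id: str, user: str) -> None:
    """'I do an authorization on this intent ID': the user consents to exactly this intent."""
    INTENTS[intent_id]["sub"] = user

def issue_token(intent_id: str, client_cert_der: bytes) -> str:
    """Token carries the intent and the thumbprint of the certificate the client presented."""
    intent = INTENTS.get(intent_id)
    if intent is None or intent["sub"] is None:
        raise PermissionError("intent unknown or not consented")
    claims = {"sub": intent["sub"], "client_id": intent["client_id"], "intent_id": intent_id,
              "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64url(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())

def resource_server_check(token: str, presented_cert_der: bytes, intent_id: str) -> bool:
    """Accept only a genuine token, presented over the bound certificate, for this intent.
    A bearer token stolen at the UA and replayed by another client fails the cnf check."""
    body, _, tag = token.partition(".")
    expected = b64url(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return (claims["cnf"]["x5t#S256"] == cert_thumbprint(presented_cert_der)
            and claims["intent_id"] == intent_id)
```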

Then I went to the sessions on API protection best practices by @bertrandcarlier‏ and @prabath. @bertrandcarlier‏'s slides can be found on his SlideShare.

The main issue is that in a monolith the sub-components do not care where the request came from and share a session store... this no longer holds in a microservices architecture... leading to a greater attack surface.

Overall, I learned the notion of micro-gateway / micro-PDP. This is a change from the usual architecture as the decision is always taken locally, avoiding latency. The stress is now on the replication of policies from a central point (PIP?). Then we must try to propagate the identity of all the tokens the request relied on across the component-to-component micro-exchanges.
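As an added example (not code from either speaker), the Python below sketches how a micro-PDP can decide locally from a token whose delegation chain records every hop: each service exchanges the token it received for one that nests the acting party, following the structure of the `act` claim in RFC 8693 Token Exchange, and the policy it evaluates is a replicated local dict rather than a call to a central server. Service names, scopes and the policy rules are constructed for the example.

```python
def exchange_token(incoming: dict, actor: str) -> dict:
    """Simulated STS token exchange: keep the original subject and scope,
    push the current actor onto the delegation chain (RFC 8693 'act' claim)."""
    out = {k: v for k, v in incoming.items() if k != "act"}
    out["act"] = {"sub": actor}
    if "act" in incoming:
        out["act"]["act"] = incoming["act"]  # earlier actors nest inside
    return out

def actor_chain(token: dict) -> list:
    """Flatten the nested act claim, most recent (direct caller) first."""
    chain, node = [], token.get("act")
    while node:
        chain.append(node["sub"])
        node = node.get("act")
    return chain

# Constructed policy, replicated to every micro-PDP from the central point.
LOCAL_POLICY = {
    "ledger": {"allowed_scopes": {"ledger:write"},
               "trusted_callers": {"payments"},
               "max_hops": 2},
}

def micro_pdp(service: str, token: dict) -> bool:
    """Local decision: user subject present, direct caller trusted,
    delegation chain not longer than allowed, required scope granted."""
    rule = LOCAL_POLICY.get(service)
    if rule is None or "sub" not in token:
        return False
    chain = actor_chain(token)
    if not chain or chain[0] not in rule["trusted_callers"]:
        return False
    if len(chain) > rule["max_hops"]:
        return False
    return bool(rule["allowed_scopes"] & set(token.get("scope", "").split()))
```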

API Protection takeaways thanks to @bertrandcarlier‏

To ensure that the identity of the components is correctly bootstrapped, @prabath presented the SPIFFE/SPIRE framework. I will need to dig deeper into that in a following post.

More tweets:

Interesting parallel between #microservices architecture and #IoT in terms of the identity challenges. @Identiverse https://t.co/RVj3AoPbNO

microservice increases the risks and the needs for secret rotation #identiverse @prabath

Ooh! Very clever use of message broking to update decentralized PDPs! #identiverse https://t.co/rc4Mlhlm8M

A quite comprehensive list of security challenges when it comes to micro-services by @prabath #identiverse https://t.co/kwmQjpdjXY

#Token exchange at the heart of your token strategy for #microservices architecture #identiverse @prabath https://t.co/viVe6LPmWj

While microservices brings agility and focus on what are building and allows devs to just worry about their process… https://t.co/Su55hzL3G3

APIs on APIs on apis #identiverse - https://t.co/8CL4i2iSbX https://t.co/8hsQaJPKra

A clever mix of by-value and by-reference tokens in this architecture by @prabath #identiverse https://t.co/Pjizypu70a

#identiverse presenter #wavestone says "Main difficulties remain: Define/maintain/centralize fine-grained Access policies" https://t.co/1U8bvmXo2

This more or less summarizes my first day at @Identiverse, while there were a lot more sessions going on. So I decided to harness the power of Twitter and to feed a Graph DB to learn what happened on the first day in the tracks I did not attend. So let's run:

MATCH ()-[*0..15]->(t:Tweet)-[*1..5]->(s) WHERE exists((t)-[:RELATES_TO]->(:Time {name:"Day #1"})) AND t.marketing IS NULL RETURN DISTINCT t

From the @IDmachines session:

@IDmachines walking through the GDPR Venn was very useful in understanding the shift from Privacy 1.0 to 2.0… https://t.co/a7ND2UlNr1

Identity Relationship Management for Privacy 2.0 with @IDmachines @smartopian @xmlgrrl #identiverse https://t.co/o9MUgPk3UA

Privacy 2.0 presentation by @smartopian #identiverse https://t.co/qSz8zFx8uj

Information security and privacy relationship #identiverse https://t.co/PDxBoAQeAn

From the @IDIMAndrew session:

NIST working model for system privacy risk #identiverse https://t.co/oFokujYA3N

“Levels of assurance are going away” -.@IDIMAndrew cuz by def LoA changes as each party changes. And what is fed but many point to point connections with diff parties, thus distinct LoAs #identiverse https://t.co/MfDS4q1JRM

From the @jonlehtinen session:

Should Whistleblowing become the response to corporate negligence? @jonlehtinen attempts to answer at #identiverse https://t.co/maHA3RVk3a

We have missed our SOX moment in CyberSecurity, per @jonlehtinen at #identiverse Enron begat Sarbanes-Oxley, why didn't Equifax result in similar regulator reactions for consumers? #identiverse > YES https://t.co/hgZ83nYDUm

Some miscellaneous tweets:

Canadian Identity Space acquires @id_eco_system through @KantaraNews #identiverse >> WoW @GuruAllan @KantaraColin https://t.co/4nkepxYDmQ

Basic set of rules for 0 #Trust #identiverse https://t.co/Mqm4LmQ0bw

What 7 Creepy Patents Reveal About Facebook - The New York Times https://t.co/Ld1wQ4zwNX #identiverse #privacy

Bravo @chicagoben CTO @obsidiansec speaking at #identiverse hashtag for reintroducing #dynamicaccess to user accounts to control #Identitycreep. Empower ServiceDesk teams to receive automated approval from LOB application managers with @IdentityMaestro https://t.co/F8rQZARPoA

Don't want to write your own OpenID client? Check out these web server plugins! @hanszandbelt #identiverse https://t.co/jG7WEMfPoB

And a reminder that @Identiverse is more international than ever:

The #identiverse has not started and I already met with 5 French guys! Not counting French speaking guys... Looking forward to a lot of insightful discussions in many languages (actually 2) https://t.co/pjHuxs9S8P

AUTHOR: JF Lombardo