Chrome release schedule link
https://chromestatus.com/roadmap
Credential stealing mechanisms
https://attack.mitre.org/versions/v10/tactics/TA0006/
1) Get the process ID of the suspect process:
   # ps -eaf | grep -i suspect_process
   This gives the process ID.
2) Capture the call stack (from the live process, or from its core file):
   # pstack core.<proc_id>
   # pstack proc_id > pstack_core.out
   pstack gives the call stack of the process.
3) Capture the memory map:
   # pmap proc_id > pmap_core.out
   pmap lists, for each mapping:
   Address: start address of the map
   Kbytes: size of the map in kilobytes
   RSS: resident set size in kilobytes
   Dirty: dirty pages (both shared and private) in kilobytes
   Mode: permissions on the map: read, write, execute, shared, private (copy on write)
   Mapping: '[ anon ]' for allocated memory, or '[ stack ]' for the program stack
   Offset: offset into the file
   Device: device name (major:minor)
4) Capture the process flags:
   # pflags proc_id > pflags_core.out
   pflags prints the process flags.
5) Capture the loaded libraries:
   # pldd proc_id > pldd_core.out
   pldd lists the libraries loaded by the process.
Basic OpenID Connect flow with major endpoints

OIDC endpoint | Description | Output | General endpoint (subject to customization) |
---|---|---|---|
Issuer endpoint / base URL | The parent URL, which forms the base URL from which the other endpoints are reached | NA | http://hostname/default |
Authorization endpoint | Used for authentication of the resource owner | Authorization code | /authorize |
Token endpoint | Used for retrieving the access token | Access token | /token |
User info endpoint | Used for retrieving claims about the user | User identity information | /userinfo |
Introspection endpoint | Returns the current status of the access token, refresh token or ID token passed to it | true/false | /introspect |
Revocation endpoint | Acts as the termination point for an access token / refresh token | 200 OK, no tokens returned | /revoke |
Logout endpoint | Logs out the underlying session on the server | Redirects to the configured sign-in or output page | /logout |
Discovery endpoint | Lists the supported endpoints, supported signing algorithms and locale information | Provider metadata | /.well-known/openid-configuration |
Sample request and response for each endpoint:

Authorize endpoint

Request:

    https://server.provider.com/authorize?response_type=code
      &client_id=222334
      &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
      &scope=openid%20profile
      &state=statedata

Response (the client must check that the returned state equals the one it sent):

    HTTP/1.1 302 Found
    Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=statedata

Token endpoint

Request (redirect_uri must exactly match the one used in the authorize request):

    POST /token HTTP/1.1
    Host: server.provider.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
      &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

Response:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store
    Pragma: no-cache

    {
      "access_token": "SlAV32hkKG",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
      "id_token": "eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso"
    }

UserInfo endpoint

Request:

    GET /userinfo HTTP/1.1
    Host: server.provider.com
    Authorization: Bearer SlAV32hkKG

Response (custom claims, selected by the requested scopes):

    {
      "sub": "222222",
      "name": "test User",
      "given_name": "test",
      "preferred_username": "zelensky",
      "email": "testUser@provider.com"
    }
OpenID Connect supports AMR values for continuous authentication flows

The following questions are answered in this blog:
What is the AMR value in OpenID Connect?
Which values are supported?

AMR stands for Authentication Methods References.
amr is a claim in the JWT claims set.
It is registered in the IANA "JSON Web Token Claims" registry:
https://www.iana.org/assignments/jwt/jwt.xhtml#claims
As per https://openid.net/specs/openid-connect-core-1_0.html, amr is an optional claim.

Example of an amr entry in the JWT claims:
    "amr": ["PWD", "OTP"]
    "amr": ["POP"]
The amr value is an array of case-sensitive strings.

AMR values and description

These are the AMR values used with OAuth/OIDC.
AMR | Description |
---|---|
PWD | Password-based authentication |
OTP | One-time password, could be an SMS OTP |
wia | Windows integrated authentication, includes Kerberos or NTLM |
retina | Biometric authentication based on the retina |
pop | Proof of possession; parent category for software and hardware keys |
swk | Software key, such as a certificate |
hwk | Hardware key, such as a swipe card |
sms | Confirmation using SMS |
tel | Confirmation by telephone call |
face | Facial biometric authentication |
fpt | Fingerprint biometric authentication |
geo | Geolocation information used for authentication |
kba | Knowledge-based authentication |
PIN | Pattern or PIN number type of authentication |
rba | Risk-based authentication |
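Added example, not code from the blog: a standard-library Python check that a relying party could run on an ID token before trusting its amr claim, verifying alg, signature, issuer, audience and expiry first and only then asking whether the amr array contains an accepted method. The shared secret, issuer, client_id and the MFA_METHODS set are assumptions for the demo; note that the values registered for amr in RFC 8176 are lowercase (pwd, otp, pop, ...), and since the claim is case-sensitive the check deliberately treats "PWD" and "pwd" as different strings.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the provider's signing key.
DEMO_SECRET = b"demo-shared-secret"
# Methods accepted as a second factor (demo assumption; RFC 8176 lowercase names).
MFA_METHODS = {"otp", "pop", "hwk", "swk", "sms", "tel", "face", "fpt", "retina"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT; demo helper that plays the provider's role."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, issuer: str, client_id: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check alg, signature, iss, aud and exp before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse 'none' and alg confusion
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def amr_satisfies(claims: dict, required: set = MFA_METHODS) -> bool:
    """True if amr is an array of strings sharing at least one value with required.
    Matching is exact: 'PWD' is not the registered value 'pwd'."""
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        return False
    return bool(set(amr) & required)
```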
The following are some guidelines that keep the authentication process secure.

For user authentication

Once the user logs in, the session needs to be managed.

For session management

Prefer host-based cookies over domain-based cookies.