Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Scan Container Images for Vulnerabilities with Docker Scout
May 20th 2023 6:00am, by Jack Wallen
Container or VM? How to Choose the Right Option in 2023
May 17th 2023 8:42am, by Andrew Sullivan and Alex Handy
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
How to Optimize Queries for Time Series Data
Apr 27th 2023 12:00pm, by Robert Kimani
Calyptia Core 2.0 Tackles Fleet Management for Observability
Apr 26th 2023 6:49am, by Jelani Harper
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Boost DevOps Maturity with a Data Lakehouse
May 17th 2023 10:20am, by Guido Deinhammer
Vercel Offers Postgres, Redis Options for Frontend Developers
May 1st 2023 9:00am, by Loraine Lawson
Why We Need an Inter-Cloud Data Standard
Apr 27th 2023 8:19am, by Aaron Schneider
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
4 Anti-Patterns That Microsoft Recommends Web Devs Avoid
May 26th 2023 6:56am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Microsoft One-ups Google with Copilot Stack for Developers
May 24th 2023 11:45am, by
How to Start a Software Project: A Guide for Junior Devs
May 20th 2023 7:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Data Dignity: Developers Must Solve the AI Attribution Problem
May 27th 2023 4:00am, by
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by
Developer Guide: A New Way to Build on the Slack Platform
May 26th 2023 8:30am, by
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by
Dev News: Dart 3 Meets Wasm, Flutter 3.10, and Qwik ‘Streamable JavaScript’
May 13th 2023 9:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by
Alteryx Announces AiDIN for AI-Powered Features
May 26th 2023 8:06am, by
Proprietary AI Models Are Dead. Long Live Proprietary AI Models 
May 26th 2023 6:13am, by
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by
Alteryx Announces AiDIN for AI-Powered Features
May 26th 2023 8:06am, by
Proprietary AI Models Are Dead. Long Live Proprietary AI Models 
May 26th 2023 6:13am, by
AI Talk at KubeCon
May 24th 2023 1:36pm, by
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by
Better Security with ChatGPT: Using AI's Defensive Strengths
May 26th 2023 6:00am, by
Bitwarden Moves into Passwordless Security
May 25th 2023 7:11am, by
Detect and Mitigate Common Attack Techniques for Containers
May 24th 2023 10:55am, by
Lineaje Unveils SBOM360 Hub for Software Bills of Materials
May 24th 2023 8:46am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
Developer Platforms: Key Findings from a Forrester Snapshot
May 19th 2023 10:52am, by Aeris Stewart
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
IBM Cloud CTO: Pros Outweigh the Cons with Platform Engineering
May 5th 2023 6:00am, by Loraine Lawson
Infrastructure as Code or Cloud Platforms — You Decide!
May 2nd 2023 9:34am, by Venkat Thiruvengadam
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by Jeff Martens
AI Talk at KubeCon
May 24th 2023 1:36pm, by Alex Williams
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by Michael Tanenbaum
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by Ariel Russo
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Is Open Source the Original Product-Led Growth?
May 25th 2023 7:32am, by Kim McMahon
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by Taylor Armerding
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
Economists Show AI Bringing Positive Impact to Workplaces
May 21st 2023 6:00am, by David Cassel
Take a Platform Engineering Deep Dive at PlatformCon 2023
May 26th 2023 10:00am, by Carrie Tang
Developer Guide: A New Way to Build on the Slack Platform
May 26th 2023 8:30am, by Lauren Gil
Better Security with ChatGPT: Using AI's Defensive Strengths
May 26th 2023 6:00am, by Jeff Goldman
Is Open Source the Original Product-Led Growth?
May 25th 2023 7:32am, by Kim McMahon
How to Start a Software Project: A Guide for Junior Devs
May 20th 2023 7:00am, by David Eastman
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by Loraine Lawson
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Security / Storage

Okta Wants to Be an Identity Service for Developers

Sep 20th, 2017 2:00am by
Featued image for: Okta Wants to Be an Identity Service for Developers

If you’ve come across the Okta set of cloud identity services, you’ve probably thought about it as an IT tool. Administrators can use it to manage logins to multiple cloud services like Office 365 and Google Cloud and Salesforce through a single interface, complete with policy on password strength and who can get access.

But Okta is also making more of its authentication and user management available through APIs so developers too can build these services into their apps, much like they would with API-driven identity services like Twilio’s Authy, Auth0, and Microsoft’s Azure Active Directory B2C.

With data security so important (and data breaches caused by poorly managed credentials so ubiquitous), it’s time to stop building poorly encrypted user and password systems (or copy and pasting code from Stack Overflow that does nothing more than base64-encode the password). Get a password reset system wrong and millions of account details can be lost. Just as Twilio APIs for messaging and communications and Stripe or Braintree APIs for payment, identity management is becoming a commodity it’s better not to write yourself.

“The urgency of everyone having to build customer web applications and take their products and services online mean there’s a big push to deliver and there just aren’t enough developers to do it,” Okta’s vice president for the developer platform Alex Salazar told the New Stack. They go for the path of least resistance and that is not always the best, most secure, most maintainable option; we’re trying to change that by having a good developer experience.”

That’s not just about the technology in Okta’s service, he maintained, but also the APIs and documentation for them. “We see documentation as product; we can’t announce [something new] until there’s documentation. It’s the same with SDKs; if something isn’t in the SDK and framework, it doesn’t exist,” Salazar said.

More Factors, More Complications

Passwords and usernames aren’t enough for security and user management for your apps these days. Increasingly, users require multi-factor authentication, which, for an increasing range of devices can be quite complicated to deploy. Even developers who turn to open source software such as the OAuth specification and the OpenID Connect protocol to simplify secure connections face an uphill task, Salazar said.

“If you know anything about identity, you probably know about OAuth. The problem is that implementing standard OAuth is actually not the best path. Even if you’re using fully compliant libraries that are maintained by a major vendor, you’re still missing out on security best practices most developers don’t know about,” Salazar said.

OAuth uses tokens to make it harder to intercept and replay credentials, and those must be used correctly; like not using an identity token as a session token because it might contain personal information, or not using an embedded web view in a native app to authenticate users because then they have to re-authenticate every time they use the app, because that embedded flow runs in a sandbox that doesn’t know they’re already logged in.

Developers also need to know how to handle flows like an assurance about how users have authenticated, and token revocation, he pointed out. “If your app is using tokens and you’ve got a delinquent or malicious user, you want to turn them off. The OAuth spec doesn’t talk about that so now you have to build out your own custom scheme of token revocation,” Salazar suggested.

Often, developers don’t even know this is a problem until it rears its head in production and then many don’t really have standard patterns on how to remediate the issue.

To help with that, when a developer signs into Okta they can pick what kind of app they’re developing and get templates and quickstarts that show what steps are involved for secure registration, email verification and password reset (and there, workflows are being added).

“We try to put you on the right path to make the best choices without you having to do too much extra work,” Salazar told us. “We’re targeting the most popular backend and front-end languages.” Libraries for Node/Express, Java/Spring, and ASP.NET to support developers building applications that run on the server, as well as for Angular and React on the front end side, and for iOS and Android as well. For other technologies, Okta offers documentation on using the APIs.

Okta has also created an embeddable, customizable JavaScript sign-in widget using its APIs that you can use to get an end-to-end sign in code flow, including multifactor authentication, password expiry and self-service account recovery that supports social authentication providers.

 

Another big move is that Okta is no longer just for user management in first-party apps; it can be used for customers as well as internal users, and it will soon support developers writing third-party apps. So if, say, a solar roof installer that uses Okta for customer identity has so many users that other developers want to write an app for them to use, they’ll be able to use those Okta identities in their app. Okta is also integrating with a wide range of cloud email services and OpenID Connect providers.

Multifactor authentication is now included in all Okta subscriptions, with one-time passwords delivered by email or along with detecting common passwords and blacklisting of IP addresses known to be malicious. A service like Okta lets you offer multifactor authentication without having to have your own infrastructure, and the quick starts are designed to make it easy for developers to implement as well.

“The problem with multifactor authentication is that it’s complicated,” Salazar said. “It needs to be more convenient; if you don’t make it easy for people to implement, it’s not going to get used. It also needs to be a good experience. If it’s not a good experience no one turns it on, and you need users to adopt multifactor authentication. Too many developers grab something insecure and don’t make it easy for end users.”

The next step is “passwordless” authentication, which services like Yahoo and Google already offer. One Australian insurance company is already using Okta to do that; because customers don’t log in enough to remember a password, they just use their email address to login — triggering a test message with a one-time token. Okta is working on a workflow for developers to deliver that. “Over the next 13 months, we will deliver a solid passwordless experience to customers, and also make sure it’s secure,” Salazar told us.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
Detect and Mitigate Common Attack Techniques for Containers HashiCorp Vault Operator Manages Kubernetes Secrets Infrastructure as Code in Any Programming Language Better Security with ChatGPT: Using AI's Defensive Strengths 3 Frameworks for Role-Based Access Control
RELATED STORIES
Bitwarden Moves into Passwordless Security Layoffs and Access Control: How to Avoid Mass Misconfigurations Lineaje Unveils SBOM360 Hub for Software Bills of Materials Amazon Web Services Open Sources a KVM-Based Fuzzing Framework Scan Container Images for Vulnerabilities with Docker Scout
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.