Hackathon: Authenticating header-based apps
2024-4-12 05:40:24 Author: securityboulevard.com

One of the most exciting things about working at a startup is influencing how the company grows over time. Strata’s CEO loves it when people tell him something is impossible, and that “challenge, accepted” mentality has clearly filtered through. So, when our Engineering, Product, and Design (EPD) team suggested a hackathon, everyone was on board.

Like the rest of the team, my hunger for new ways to solve big problems is insatiable. 

As soon as I learned about it, I was excited to participate. That excitement had been building over the past two years while I worked on the Orchestrator team, building out the core technology behind our identity fabric.

I really wanted to use the hackathon as an opportunity to create an approachable project that would showcase key features and functionalities of the identity fabric that our team has spent the last few years defining and refining.

Solving the unsolvable 

Our customers often come to us with huge identity and access management challenges that no other vendor has been able to solve. These challenges can be gnarly, but because our EPD team has the experience, creativity, and background to see how to solve big, bad IAM problems, even the worst ones are usually “just another day at the office.”

However, we’ve often seen problems that require extra creative thinking because the functionality was not inherently part of the product — yet! 

Step 1: Defining the problem

The core problem our enterprise customers face can be summarized in three parts:  

  1. Our users must authenticate to our systems using single sign-on (SSO) backed by modern protocols and technologies like SAML, OIDC, and MFA.
  2. However, our internal ecosystem contains fleets of bespoke applications that do not know or understand those protocols.
  3. We need to expediently bridge this gap without breaking the bank.

Taking that problem into account, we defined a project that would:  

  1. Showcase and solve this use case using a single orchestrator.
  2. Ensure the project can be described, demoed, and showcased in 3 minutes or less.
  3. Keep the interaction short but engaging for the end user.

The legacy app we chose to emulate used header-based authentication: the app itself performs no login, but trusts identity headers (such as a username header) set by a gateway in front of it, which is exactly why an authenticating proxy can bridge it to SSO. The practice of header-based authentication was established many years ago, and due to all the realities of running and maintaining technical systems, many of these applications remain in place today at organizations. They’re old but not likely to go away any time soon.

Let’s go! Putting our hackathon ideas into action

With all of the above context in mind, my hackathon partner and I ensured the work we were taking on was appropriately sized, and in less than a day of work, we were able to use a single instance of Maverics in five unique ways: 

  1. Host a localhost website (facsimile of legacy header-based app)
  2. Act as a SAML identity provider (SAML IDP)
  3. Act as a proxy gateway to access the localhost site from the internet
  4. Restrict certain pages to authenticated users
  5. Provide a modified user experience (UX) based on that authentication
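As an added illustration, not Maverics code and not code from the post, here is the gateway logic that the header-based app (described above) and steps 3 to 5 imply: a proxy in front of the legacy app that redirects unauthenticated requests to login, strips any identity headers the client sent itself, and injects the authenticated identity for the legacy app to trust. The header names, protected paths, login URL and session shape are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Headers the legacy app trusts. Any copy arriving from the client must be
# dropped before proxying, or a user could claim someone else's identity.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups")

# Assumed protected areas of the site (not taken from the post).
PROTECTED_PREFIXES = ("/arcade/", "/wallet/")
LOGIN_URL = "/login"  # assumed: where the SAML IdP flow starts


@dataclass
class Session:
    """Identity established by the gateway after SSO login."""
    user: str
    groups: List[str] = field(default_factory=list)


def strip_identity_headers(inbound: Dict[str, str]) -> Dict[str, str]:
    """Remove client-supplied identity headers, matching case-insensitively."""
    banned = {h.lower() for h in IDENTITY_HEADERS}
    return {k: v for k, v in inbound.items() if k.lower() not in banned}


def gateway(path: str, inbound: Dict[str, str],
            session: Optional[Session]) -> Tuple[str, object]:
    """Decide what to do with a request.

    Returns ("redirect", location) for unauthenticated access to a protected
    page, or ("proxy", upstream_headers) with the headers the legacy app sees.
    """
    if path.startswith(PROTECTED_PREFIXES) and session is None:
        return ("redirect", f"{LOGIN_URL}?next={path}")
    upstream = strip_identity_headers(inbound)
    if session is not None:
        # Only the gateway may assert identity to the legacy app.
        upstream["X-Remote-User"] = session.user
        upstream["X-Remote-Groups"] = ",".join(session.groups)
    return ("proxy", upstream)


def legacy_app(headers: Dict[str, str]) -> str:
    """The header-based app: it trusts X-Remote-User and adapts the UX."""
    user = headers.get("X-Remote-User")
    if not user:
        return "Welcome, guest. Insert coin to play."
    return f"Welcome back, {user}. Your arcade session is ready."
```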

The project: Orchestration of ephemeral tomfoolery

ephemeral: something that lasts for a very short time
tomfoolery: playful or foolish behavior
arcade: an amusement center having coin-operated games

Project concept

Goal: To create a fun atmosphere that draws attention and encourages engagement. 

The site will serve “coin” operated games/novelties/experiences. Overall, we desire to build a fun and engaging client that highlights the harmony, customizability, and innovativeness of Strata’s available technologies.

Project results

At the end of the hackathon, we had built an interactive site with a simple game:

  1. In this project, we solely used the orchestrator to serve content, authenticate, and authorize sites/areas on https://ephemeral.fun.
  2. Users log in with a custom user ID and start with a set amount of coins upon initial login.
  3. From there, they can spend them on short game sessions/sites within the site or trade them with other active players.
  4. Technically, the coin-operated game could be anything: it is a redirect into a separate, time-limited session that eventually sends you back to your previous location and session.
  5. We make use of service extensions to serve and protect content in innovative ways.

A hackathon in retrospective

During the last two years working at Strata, I have learned a lot about identity and access management (IAM) practices used by the modern enterprise. Along that journey, we have solved some very interesting and challenging problems previously considered unsolvable. This experience has helped me stay curious at all times, which often leads to the most creative solutions. 

The hackathon project was a hands-on way to do just that. It was fun to use our identity fabric in such a multifaceted and innovative way. Also, this marked the first time I had personally gotten a public website online, accessible via HTTPS. It was rewarding to see the telemetry data being generated live during the demo as people were using it. Creating something myself using the orchestrator technology we always provide for others was a great perspective and overall fulfilling project. 

*** This is a Security Bloggers Network syndicated blog from Strata.io authored by Heidi King. Read the original post at: https://www.strata.io/uncategorized/hackathon-authenticating-header-based-apps/


Source: https://securityboulevard.com/2024/04/hackathon-authenticating-header-based-apps/