Michael Bissell
  • Videos: 58
  • Views: 141 642
CloudFront Prerequisite -- Get a Secure Certificate
Part 3 in the Bullet Proof Website series... well, part 2.9... A big reason we use AWS CloudFront in front of our S3 bucket is to have security, so before we go and configure the CloudFront distribution we need to set up a free certificate from Amazon. There are a couple of hidden roadblocks that I lead you through in this quick video.
Views: 13

Videos

Building a Website on S3 -- setting up the bucket
29 views, a month ago
To set up a purely serverless website that is pretty much bulletproof, you start with a simple S3 bucket configured as a website. This tutorial walks you through how to set up S3 as a website; you'll need some HTML and an AWS policy, which you can find on my website at www.michaelbissell.com/3edc6b16-475b-466a-ab2a-4b8a60b65bca/Tutorial:-Setting-up-S3-as-a-web-host Post your questions or comments...
Building a Bullet Proof Website -- Introduction
460 views, a month ago
I finally rewrote my website at www.michaelbissell.com using what I'm calling my Bulletproof architecture. There's no server-side code, and there's no database. There's nothing to patch or update. Just post content and it's out there. Most personal and small business websites are running on huge stacks of code and data systems (with more code) that you don't even know are there. It doesn't matte...
What is Really in Full Stack Development
128 views, a year ago
What does it really mean when we hear "Full Stack Developer"? Building a modern internet application that can scale, be secure, and change over time means you have a LOT of moving pieces. Let's dive in and take a look at all the skills and resources that really go into a full stack application.
OpenAPI to Webform
195 views, 2 years ago
The OpenAPI contract describes your API, and if you add formats to your schemas, that is, describe what kind of data you're going to accept in each field of your API, you can automatically generate a web form. This 2 minute video gives a quick look at where to look for formats in your OpenAPI contract to inform your UI development. See my more detailed article at michaelbissell.com/a4f5784...
Filtering API Responses
2.1K views, 2 years ago
Working with an API is all about getting the right data back, which means filtering the response. Unfortunately there aren't a lot of standards for what you get to filter on and how you filter it... so here's my quick review of what I feel are the basics (size, page, order and field filters).
Decoding a JWT
9K views, 2 years ago
JWTs are the modern security tokens used by APIs to enforce security, but did you know you can often take a look at what's in that JWT and even use that data in your UX frontend? This 2 minute video shows you how to break apart a JWT, decode the Header and Body, and what you can expect to see in there. If you'd like to use my very simple JWT decoder, take a peek at the live demo at uxapi.i...
A Very Simple API Call
3.5K views, 2 years ago
If you've never worked with APIs they can seem a bit complicated and confusing. In this 2 minute tutorial I walk you through the basics of a very simple GET call in a RESTful API. Be sure to pop over to uxapi.io/howto/make-an-API-call.html where you can play with the live console I mention in this video. There are basically three things you need to read data from an API. Method: The "method" whi...
Client Credentials Grant Flow is REALLY BAD
4.4K views, 2 years ago
The simplest way to get an access_token in a RESTful API is to use the client_credentials grant... it's also the least secure, and really shouldn't be used in modern apps...
Authorization Code Grant Flow Overview
16K views, 2 years ago
We use APIs rather than raw databases so we can control who gets to see what data when and where. The OAuth Authorization Code Grant allows us to combine the security allowed for an App with the security rules allowed for a User. This video gives a quick look at how a person, app, API and Identity service all interact together in that flow. You can try a live walkthrough with some quick JavaScr...
App Development 101: Separating your Concerns
235 views, 2 years ago
This is a kind of rough overview of a really basic issue: while we like to talk about "full stack development", the reality is that the front end tools and the back end tools are very different. This "napkin sketch" is a 4 minute look at the moving pieces in your app stack and how to separate them into different pieces.
Turning a CSV file into a Secure RESTful API in 4 minutes
2K views, 2 years ago
In this 4 minute video I upload a CSV file, add some data security rules, and deploy the API, all in about 4 minutes, on my API-as-a-Service/SaaS product that makes it easy to build and deploy data APIs. If you're interested in using the platform please contact me or visit uxapi.io to learn more.
API First (and always)
249 views, 4 years ago
#apifirst is a great hashtag, but API First doesn't mean you think about it first and move on. API design thinking needs to be part of the service, the contract, the security, the network, the... well, everything.
The Importance of an API
200 views, 4 years ago
Okay, let's step away from the tech for a minute... A consistent, industry-standard, enterprise API is just what you need to be in business.
Slow Response Times
583 views, 4 years ago
People like to complain that the API is slow, but where exactly does it slow down? How do we identify bottlenecks? Here's a super high-level peek at data flow and the need for OpenTracing context.
Uptime and Nines
242 views, 4 years ago
What is an SLA?
717 views, 4 years ago
Services Vs APIs
3.9K views, 4 years ago
Ecosystem of Breaches -- #7 People and Social Engineering
58 views, 4 years ago
Ecosystem of Breaches -- #6 Devices and Hardware
37 views, 4 years ago
Ecosystem of Breaches -- #5 User Interfaces
35 views, 4 years ago
Ecosystem of Breaches -- #4 Networking
43 views, 4 years ago
Ecosystem of Breaches -- #3 Services
43 views, 4 years ago
Ecosystem of Breaches -- #2 Databases
62 views, 4 years ago
Ecosystem of Breaches -- #1 Intro
101 views, 4 years ago
WFH Data War
44 views, 4 years ago
Why Do People Get Stuck Setting Up Wordpress
28 views, 4 years ago
Remote Workforce During Social Distancing
26 views, 4 years ago
Siri Being Disturbingly Helpful
38 views, 5 years ago
Distraction 2 -- Reading Interruptus
36 views, 5 years ago

Comments

  • @ron_berlinski, a month ago

    Looks great. Looking forward to it

    • @bissellator, a month ago

      Dragging my feet a little on the next video because of the holiday season, but it's on its way soon!

  • @disaabrgr, a month ago

    great video

  • @whenthecamerasareoff_, a month ago

    Watching your video on my YT feed after a long time, hope you are doing good. And yes, an effective CDN strategy would really help along with other modern SRE tactics :)

  • @JuanGGZ, 2 months ago

    Thanks for this, easiest and most practical way to remember how to do a call when you didn't for years! 🙏

  • @Just_Clair, 3 months ago

    It's so cool! I've been trying to use the jwt-decode npm package, and it's been giving me errors, unable to even recognise its own .decode() function. Can you recommend a way out?

  • @dennesmagayanes127, 4 months ago

    My issue with this now is that for our automation scripts, which obviously use service accounts, they will not work because it's not an actual user/person that has access to a UI/browser. How to go about this? It seems like it defeats our automation purpose if, for everything we have to execute, we first have to get the Auth Code via browser.

    • @roy_c, 2 months ago

      You should use client credentials Flow

  • @rajeshm6703, 6 months ago

    Very clear. Thanks.

  • @rahulkanna1047, 9 months ago

    link not working

  • @ederjimenez8, 9 months ago

    can I decode a JWT token with MS Power Automate?

    • @bissellator, 5 months ago

      So far as I know, not directly because Power Automate doesn't support base64 decoding. You can split the JWT into the three components, but you would need to do an HTTP callout to a service that can base64 decode it for you at that point. If you have any local compute you could, in theory, run a node app that could take the string and return the JSON, but at that point you might as well write a full jwt decoder...

  • @ygorcosta6893, a year ago

    It depends a lot on the system's requirements. For instance, if you need to make this query on the front end, you leave the client ID and secret on the backend. After receiving the token, you can then use it securely on the front end. However, it's essential to restrict the token's lifespan; otherwise, it won't be effective.

  • @saikrishnapuli6591, a year ago

    Can you confirm, is the token call happening at the backend or the frontend via browser?

  • @ScrotoTBaggins, a year ago

    A little simplistic to just say client credentials bad.

    • @bissellator, a year ago

      They're simply insecure.

    • @longb1913, a year ago

      @bissellator what to use instead then?

    • @rhysevancampbell, 4 months ago

      @bissellator I kind of agree with the comment. Bad for what? What is the better approach? And in what situation?

  • @zoltanhorvath2952, a year ago

    very helpful ❤ thank you for your effort! helped me a lot

  • @cloudsatish, a year ago

    Fantastic explanation, Michael! Absolutely right in this age.

  • @LudwigTayona-d6c, a year ago

    these videos are awesome! big potential to blow up on youtube shorts

  • @sterkcode, a year ago

    Thanks Mr Michael

  • @MortenHolje, a year ago

    Hi Michael, thanks for the great videos about grant flows. I think you should have specified that the auth service grants tokens which you use to consume resources from an API. It's a lot better than using API keys. Still learning, so please correct me if I'm wrong here (anyone, not just Michael).

  • @benpracht2655, a year ago

    What should be done instead? How would you handle an automated request from another backend service?

    • @Renanfg, 11 months ago

      So this flow is good for backend to backend since there's no exposure.

  • @faruzzy, a year ago

    Thank you

  • @KawsarAli-s2r, a year ago

    tuuutft

  • @svenmeier651, a year ago

    Your beard is truly majestic. Perfectly fits the calming voice.

  • @ericb8142, a year ago

    Thank you Sir!

  • @libahenson, a year ago

    I had to watch three ads (one that was four minutes long) to view this 2 minute short that gave me barely any useful information about SLAs. To save you the hassle, the gist is "SLAs are necessary commitments to build trust with the customer".

    • @bissellator, a year ago

      I get nothing from RUclips -- I'm surprised they ran so many ads. Which reminds me that I have a video I think I'm going to make called "Yes, tech really is getting worse" in part because monetization gets in the way of actually providing a service...

  • @ffsaurio, a year ago

    Thanks for this video!

  • @autumnchills2317, a year ago

    I am still fairly new to OAuth so I'm still wrapping my head around the concept of oauth clients. In your diagram, would the App be considered the oauth client or would it be the API server? I'm confused because the App would be the one consuming the token and making requests to access protected resources for the user, but the API server here is the one exchanging the auth code for tokens.

    • @norunners_, a year ago

      Yes, the client is sometimes called the app. For example, a user (resource owner) can authorize a third party app (client) to access their data via an API server (resource server). The authorization service powers the flow by knowing the relationships (scopes) between clients and resource owners.

  • @gowsalyanatraj786, a year ago

    thanks for the video

  • @sathiyanarayananagaraj4438, a year ago

    Excellent explanation

  • @iambhanu7, a year ago

    I am confused. What is the API here? Is it part of the Identity/Authorization setup? Or is it the server counterpart of the App?

    • @norunners_, a year ago

      The API is the resource server. No, it uses the authorization services to verify access tokens against scopes protecting their endpoints/resources. No, the app (client) is an untrusted party that the user (resource owner) can grant access to their data via API (resource server).

  • @kaustubh1871, a year ago

    Hi, great explanation. It was really clear and on point! It would be great if you could make a similar one for implicit grant and resource owner credentials grant. Thank you.

  • @whenthecamerasareoff_, 2 years ago

    Hi Michael, this is great. Though I believe, looking at fast UI building requirements nowadays, it's beneficial for creating skeletons, as creating a complex hierarchical JSON schema would also require effort. It's easier to imagine/draw UI widgets on a 2D plane than to write a tree. But this would certainly set the track to begin with a nice skeleton though. 👏

    • @bissellator, 2 years ago

      On my side project I have a tool that builds an OpenAPI contract and then deploys it to an API gateway. In order to let people then explore the data in their brand-new API, I use the model I describe in this video -- it's spiffy because I really don't have any idea what data people are creating, but they can *immediately* start interacting with it. So it makes a great admin/inspection tool, but I agree that if you're building a website or app, you're going to want to put more control on how you present the data than simply relying on the details of the contract.

  • @lacvietanh, 2 years ago

    thank you so much!!!!!!

  • @alexsandromartins, 2 years ago

    VERY GOOD!

  • @aa-el8yr, 2 years ago

    So happy you are uploading new videos again! Love your content, it really helps in my work.

  • @dmytro_glory_ukraine, 2 years ago

    About the purpose of an IdP: as I understand it, in a minimal schema it should only verify the entity's identity (authentication), and authorization can be on the service provider side. But in the video the IdP does both authentication and authorization, which looks strange: imagine that we have 10 applications and they have different roles; in such a case the IdP needs to manage all of that. Then, more: what if I decide to add a new role to one of my applications? Please comment, thanks in advance!

    • @bissellator, 2 years ago

      Actually the IDP does not do authorization. I know the video makes it look like it does, but what happens is the Gateway or the application itself asks the IDP for the information that it needs to make that assertion. You can't do authorization without authentication, and authentication provides the information, the actual details required for authorization.

  • @phemystevens63, 2 years ago

    Got it!! Thanks

  • @vishwanthkandibanda4711, 2 years ago

    short and simple

  • @igobivo, 2 years ago

    05:33 "and every single time that web application makes a call to that API, the API will verify that key against the IDP, against the keystore, and see if it's still valid and it should get scopes back with that"... the whole point of a token is that you don't have to communicate with a 3rd party each time an API call is made.

    • @bissellator, 2 years ago

      In OIDC you can validate the JWT locally, but in traditional OAuth the bearer token is just a key that needs to be verified by the API gateway.

  • @eltonli8458, 2 years ago

    This is concise and easy to understand! Thank you!

  • @DallasCowboyFan95, 2 years ago

    Gold mine here.

  • @abhishekpandey2272, 2 years ago

    Thanks a lot, very well explained.

  • @satwindersetia4367, 2 years ago

    With basics cleared by you, I can explore more...

  • @MBSH-ol4vy, 3 years ago

    ok

  • @AliTwaij, 3 years ago

    Nice, thank you.

  • @tholfikarmohammed887, 3 years ago

    I am speechless, that was a masterpiece. Thank you very much, I'm definitely gonna watch it again and again.

  • @tholfikarmohammed887, 3 years ago

    That was very well explained, thank you.

  • @dangvinh8694, 3 years ago

    Very good and funny videos bring a great sense of entertainment!

  • @tandaumesh2282, 3 years ago

    java code for SSO setup

  • @JohnSmith-wz7he, 3 years ago

    Nice clear intro. Thanks for putting this together. Do you have a playlist on each of these?

  • @tenminutetokyo2643, 3 years ago

    Too much overload of crapped up Hollyweird entertainment 24/7/365 flooding the country.

  • @udaypatil8458, 3 years ago

    Best! Best!! Best!!! Explanation!!!! Thanks a lot for this!!!