Hello, everyone. Welcome to the Meetup, our identity and security Meetup. This is the June 2023 edition. So if you're online, if you're already here, please send me a hi in the chat and wait two more minutes, and then we'll get started. I see already 12 people waiting. I'll give one more minute. All right. Thanks, everyone. Thanks for joining. This is our monthly Meetup, June edition, 2023. I'll just go over some logistics and some housekeeping. This Meetup is sponsored by Okta. We are using their cloud platform, their streaming platform, to record this event. So we thank Okta for sponsoring this Meetup. If you don't know me, I'm Pradipa. I'm a developer advocate at Okta. You can best reach me on Twitter at Pradipa, and on LinkedIn you can reach me at Pradipa as well. So if you have any questions about anything like identity and security, feel free to reach out to me. We observe a code of conduct. So if you are subject to or witness any violations of the code of conduct, you can contact me through my email, or if you're already subscribed on Meetup, you can reach the organizer in your region. Please let us know. The next thing is, as always, we're running the Meetup every month, so we're always looking for speakers. If you have something you want to share, like a use case, a workshop or a personal project where you have solved something, and you think it's worth showcasing, feel free to reach out to me. It doesn't matter if it's a personal project or a professional problem you tried to solve. If you want to broadcast it to a larger audience and you feel it's worth mentioning, please reach out to me and I'll schedule your talk or workshop in the next Meetup. I also would like to introduce you to our Auth0 Ambassador program. This program enables developers to empower the developer community and make the internet safer.
If you are an active community builder, if you write a blog or community posts, and you think you are an eligible candidate, please go here and apply for the ambassador program. There are benefits. If you're an ambassador, I'm also wearing an ambassador t-shirt, so you get one. So if you feel you're eligible, please go ahead and apply. You can also reach out to me so I can help you with your application, and then I can reach out to the team and tell them you're a good candidate. The other thing I wanted to introduce is the newsletter. Please feel free to scan the QR code and subscribe to the newsletter. Any latest updates on the Auth0 product, anything on identity and security, and any events that are being conducted in the region, you'll get notified about. So scan the QR code and subscribe to this newsletter. The last and final housekeeping item is the live chat. So thanks for joining, thanks for leaving comments. If you have any questions then and there, whenever there's a talk, feel free to put them in the live chat. We will take the questions at the end of the talk, consolidate them and answer them. So yeah, put them in the live chat. And if you are joining from different places, feel free to drop your name and your location so that we know where you're joining from and what you want to take away from this session. Without further ado, I'm going to introduce our first talk, which is Increasing Authentication Resilience with Legacy Environments. I'm going to introduce you to our speaker, Melbrick. Hey Melbrick.

Cool, hello guys. Yeah, nice to meet you all. Thanks for hosting us, Okta. Cool, you can hear me well, right?

Yeah, I'm good. So yeah, introduce yourself.

Yeah, so my name is Melbrick. I work at Ascender. We are actually a loyalty SaaS.
We work with quite a lot of banks, airlines and e-commerce companies around the world. So I thought today we'd share a little bit about what we've learned working with some legacy applications and environments. Feel free to hit me up anytime on LinkedIn or Twitter even. Just search for my name. Cool, nice to meet you guys.

Thank you Melbrick, thanks for the introduction. So I'm going to disappear, the floor is all yours. Share the screen and let's get started.

Okay, cool. Just give us a second while we launch the presentation screen. There we go. Awesome. Okay, cool. So yeah, today I'm here to share a little bit about some of our experiences working with legacy environments, and a bit of the tension between increasing authentication resilience and a zero trust world today. So I think we'll do a bit of polling here and there today. Feel free to scan the QR code on the left or right. I've got a little ice breaker just for everyone to share a little bit about what they're working on. And then later on, for one or two other topics, we'd just like to learn a little bit more about how you feel when you're thinking about the topics of zero trust as well as legacy environments. Okay, so for the benefit of our international audience, I'm from Singapore. This is just a little bit of where we're based. It's a sweltering 30 to 35 degrees these days for us over here. And this is a quick look at the Ascender office. As you can see, we've got a pretty good view of the city skyline as well. Okay, so I think today we'll see how the timing goes, but our topics will be centered around some of our learnings and challenges with legacy environments, and some of the strategies that we take around data and authentication beyond perimeter defense.
So just to give you a little bit of context around what we are and what we do, because I think you will start to see where some of the challenges appear. Essentially, Ascender is a loyalty SaaS platform. If you have credit or debit cards that work with rewards and earning of points, we provide the end-to-end solution to the companies out there. And not just the point computation that you see over here, but also allowing their customers to earn and redeem points by booking, let's say, hotels, flights, purchasing gift cards and so on. Now from a technical standpoint, this is how we interface and interact. So I just went for a roughly simplistic view of how our applications interact with companies out there. You can imagine we provide an end-to-end white label loyalty solution, but this is integrated quite tightly with, let's say, our clients' purchase, banking and transaction systems. So every time you spend on a card, you need to be able to earn some points or redeem some points. So there is quite a lot of back and forth between the systems. Now the challenge is, of course, not all of these services are the latest and greatest. In fact, some of them can be fairly outdated. So today we just want to focus on some of the challenges as we integrate, and how we manage that process.

Yeah, so thanks for the feedback. I guess a lot of us over here are coding a lot these days. I love that comment on connecting magic and reality. I think if you're outside of the dev community, sometimes it really does appear like magic. So I really like that. Okay, so what about zero trust today? Let me pull up the next poll. I'm just curious, you can share a little bit about how we feel over here, what zero trust means to you and, in the environment you're in, what are some of the challenges that you identify with the most?
So as we're polling, generally speaking, zero trust, as you can see over here, is based on the five core pillars around users, data, devices, network traffic and applications, right? It's based on the core belief that trust in itself is a vulnerability. Therefore the idea is to never trust but always verify, right? And how do we reconcile this? For example, from a user and identity standpoint, we want to make sure that our employees are always using enterprise-managed identities. During our day-to-day work, when they work with, let's say, content in their internal tools, we want to make sure they only have access to the information that they're supposed to have access to, right? So for example, you want to make sure that you are able to enforce least privilege. Other things could include, for example, and this is a very challenging problem, you want to be able to authenticate on the fly. That is also a particular challenge, and in a lot of companies out there this is not something that is fully matured yet. So these are some of the basic challenges. Cool. That took a while, but we can see that the most popular zero trust challenge over here is, I guess, in a way, least privilege. This is a day-to-day challenge that we can definitely identify with. Similarly, next we have perimeter defense, monitoring of users, et cetera. Okay, so we'll keep the poll on for a while more and we'll continue. I think generally speaking, as you can see from the options and everyone's opinion, threats are manifold and the way threats are executed against systems is getting more and more sophisticated.
So for example, the traditional measures of being very dependent on perimeter defense are no longer sufficient to protect data and processes, right? So over here on this graph, attributed to a study by Bovix, just to secure the many interfaces of your infrastructure, the applications, the endpoints, devices, et cetera, there are many, many options for how to compromise, which is the vertical segment of the graph that you see over here. Again, that's multiplied, right? And an adversary only needs one way to compromise our systems. So now we want to take a quick look at the legacy challenge. For my final poll today, I just wanted to get a sense from everyone: what do you identify with when working with legacy environments? I'm sure a lot of us over here, be it day-to-day or maybe just with friends or when engaging different clients, everybody has their own challenges with legacy environments, right? So again, I'm keen to hear some of your thoughts. And while we wait for the results to come in, in the meantime, this is just a redacted representation of some of the common environments that we see out there as we work with our partners. So in the way you deploy and the way you organize your information, there are many options. Here I'm just listing a few different options. For example, you have on-premise deployments using OpenShift and TOS. Typically identity providers on top: Auth0 and Okta, of course, and you've got Ping Identity and ForgeRock. And of course in a banking context, usually there's plenty of services. Some of the most common include customer profile, transactions, reporting, deposits. And upstream, in terms of what our customers or most customers see, obviously those services are served using a mix of internal and external orchestration services, right?
So this usually, these days, includes the use of APIs as well as apps, but of course some of this content can be file-based as well. So this gives you roughly a sense of a stack. To the right over here, the slide is not really huge and I don't want to overload us with information, but for example some of the information sources could include institutional services or wealth management services and so on. But generally this covers more or less the space of the ecosystem that we're working with in a legacy environment. So I think the results are kind of in. So yes, definitely difficulty to upgrade is a huge challenge. Prioritization for sure as well. One thing from our experience, also from the people that we interact with, is that upgrading is definitely one of the biggest difficulties, not just because of priority, but sometimes you just work with some really old systems. For example, I know someone who works directly with COBOL-based systems. That would be something that is really, really difficult to upgrade. In fact, you probably have to re-platform the system itself. Okay, so thanks for tuning in guys. I'm going to switch over to the presentation fully from now on. We'll keep the voting open if you're interested to continue to check it out. We'll probably share the results at the end, or in a later Meetup. Okay, so I think this is one of the big things that is quite notable over the years. This is a survey from a while back in 2017 by Kofax on where banks see themselves from a digital maturity standpoint. What is most notable is obviously everybody has to work with legacy systems, but investments, as you can see, have always gone towards the front office. Back office and middle office are a bit more of a challenge, and from the same survey, very quickly, you can see where they prioritize digitization internally.
So at the top you can see, from left to right in the legend, the darkest is the highest priority. And you can see that the front, middle and back office all have areas that are of high priority. The key one is in sales, but right next to that is call processing already. And in today's session, the back office is one of the big areas that we work with. So as you can see, the front office is where there's great emphasis; the back office is a close second. Fast forward around five years: this is a late 2021-22 survey by Celent. As you can see, legacy systems transformation is still one of the priorities. It's still a key core. But five years on, how is it that this is still one of the key areas? I think the reality is that migrating is a monumental challenge. From the survey just now, we've also mentioned that upgrading is really very difficult. So pattern-wise, most banks are following a piecemeal effort towards modernization to try and be riskless. Banks are looking at modularizing and introducing more APIs to progressively upgrade their platforms. I'm not going to spend most of the talk talking about modernization; very soon we'll look at some of these challenges over here. So this is just a simple dependency diagram of one mortgage subsystem, attributed to Computer Weekly; obviously in a public space we can't really share this information, but this is not uncommon. This diagram looks really crazy, but it's not really a single system's diagram. This also documents the individual processing components and their interdependencies, including the people. The boxes that you see are applications, databases and services. The lines are calls to each other, representing for example reads and writes of data.
And the little icons represent the humans interacting. So what's the strategy for working with a behemoth? We want to start with the basic building block, which is the data. One of the core challenges that we face is obviously that data is the source of all your information, which means that your resilience starts here. So even if we cannot influence it, how do we support our clients to handle, for example, data privacy and data protection? One of the biggest challenges over here is actually the myriad of data sources as well as streams. So one big challenge is how do we build a consistent representation of user context before we even start to authenticate. Obviously when you have multiple sources, one of the key challenges again is that across multiple subsystems you have to work with inconsistent security practices across the board. So where do we start? Who has the latest information? What are some of the controls we can introduce? Let's say, just to introduce multi-factor authentication, something that we expect as default today, and these days we are talking about moving over to FIDO. Already this is a challenge, because we need to incorporate data points from multiple services. You need not just the user context; you need to know what are the ways you can contact them. Is it email, is it phone? Are you even, for example, open to working with open source data services from Google or Twilio? So let's assume the starting point is just a single password-based login. If I want to introduce MFA, it does require aggregation of disparate data points. This is one of the examples we have where you don't just work with a customer profile, but some of the information is not complete, because over the years you've got systems overlapping and passing data around each other while some have degraded.
For example, I want to work with the reporting system as well, and before I can do that I need to merge that information in some way before I can start to offer some form of MFA. So one of the challenges is there's no easy way to build consistency and hunt down that single source of truth across the entire customer context. Therefore rolling out additional protection such as MFA becomes complicated. Okay, but if you can get around that, if you can start to put that together, collecting phones, emails, the user profile, and in fact building for them the interface in which, even if you don't have the full set of information, you can say to the customer, "hey, this is what we've detected that you have, which is your latest identity, and if you can prove that", then we can start to build some really interesting capabilities, because now once I've aggregated this, I can start to introduce more factors of identity. One of the areas that we've been exploring, maybe not so much for consumer banking yet but at least for internal users, is can we find ways to incorporate the use of FIDO through passkeys for internal administration purposes; this is expected as a standard in zero trust. Once we can start to combine this data, we can start to introduce this with the support of our partners. One catch for us is that ultimately, as a service provider, we are still dependent on the core customer data downstream, so unlike pure-play passkey implementations, we obviously don't allow our end users to directly enrol using passkeys. This is only for passkeys that already exist within the bank's context.
Okay, can we add value back into the ecosystem? The answer is yes. Once we provide the identity plane for customers to interact and actually add their verification to the information that we have across these data sources, that unlocks us to actually solve that problem for our clients as well, because now you have a feedback loop that allows you to sync the user information back into our client systems. So this is, for example, one bonus way in which we can solve this problem. Okay, hope I'm not running out of time, but the second big aspect is around strong perimeter defense. Traditionally perimeter defense means we focus on firewalls, VPNs, packet filters, IDS. But what's after? This is actually one of the big questions that we have day to day, which is: okay, we have strong perimeter defense; now that we're integrating our services together to, for example, introduce continuous monitoring, can we revalidate the user's context and challenge them with, let's say, an MFA challenge if we detect that the session has suddenly changed location or IP, for example? So just now we saw a redacted representation of potential legacy architectures. In such a situation, which is the gray zone that you see over here, you don't have first-class support for controlling access across all services in most cases, especially if the subsystem is, let's say, a Unisys system from 20 years back. So the challenge is how do we create a trusted plane, or a trusted environment, from an untrusted segment of the ecosystem? Don't take that literally, but untrusted in the sense that, in a zero trust context, just perimeter defense is a slightly more untrusted segment. So actually the next best option is to then deploy a trusted proxy that starts to allow us to introduce some of the zero trust practices on operating information, i.e.
as you've probably seen from the poll just now, after micro-segmentation, can we establish a micro-perimeter? And after that you can start to introduce our own services around the data plane: access control using a policy plane, as well as a fraud engine, before we sit our customer-facing rewards APIs, applications and tools above. So a couple of things that we focus on. These are items that you guys are probably familiar with as security and data experts already, so very quickly. When it comes to data movement protection, a lot of the systems today are stored either on-prem or probably in some form of public or private cloud; surely the services or businesses have to move this information and share it with partners. So this is your typical SSL or TLS, or even, if possible, you can have a direct VPN connection, or peer your VPCs if that's possible. The next one definitely is classification and redaction. This is actually one of our main functions as a service provider as well: yes, you can funnel us the data from a micro-perimeter, but we only want to work with what is necessary. If it's not necessary, then let's redact it, or we'll work with you to help you redact it. It's ultimately based on the idea that all information is sensitive, and if we can separate it out for each and every service as much as possible and redact specific to that service, then that allows us to segment the potential damage control that we need to enact later on. Then there's role-based access; this one describes itself, we already know it. The last one that's pretty key for us is tokenization, not just tokenization in an authentication context but also in an information context as well, namely stuff like your PII and especially your credit card information. Is it really necessary to have the raw information? The answer is always never; you never ever need it, right? So that's where
tokenization comes in. So very quickly, our stack simplified. Again, I think maybe Emmanuel will take us through this later as well, but this is very familiar to all of us already, especially when it comes to zero trust, which is we can work with JWTs as a basis for supporting access control. You'll be surprised: in older systems, again, it's mostly session-based, if you even have that. So having a very basic basis of using a JWT, for example, to enforce access controls dynamically through the use of scopes, that is one of the fundamental constructs that we introduce. So with these techniques all together, quickly: just now we talked about using JWTs and applying access control, having continuous monitoring using a fraud engine, and then treating your data right before we even extract and load it down from our core services: we want to redact that information. Then we talked about encryption, masking and tokenization as well. All in all, you can see that this policy plane on top of the data processing layer allows us to enforce a form of DMZ at the application level between the legacy environment and our new suite of services. Okay, and what's really important in our toolkit is the ability to re-level the user and have dynamic access control over the customer's session as they go through our user journeys. So this is an example of how we enforce this in the context of a DMZ as well. You've got your upstream applications, APIs and tooling that are more public-facing over the internet, then our identity layer that sits internally in its own network, and this is where we establish, again quote unquote, a DMZ, where any calls made by the APIs, if they want to reach down to the underlying orchestration layers, need to go through our identity services. What do we focus on? We focus on who is the request originator, are you supposed to access it, what is the
information that they are after, and is the information requested already within the least privilege access level? Something that we find potentially challenging and not really thought about is also how long the upstream services should have access for. What are our mechanics for intercepting and reducing the time of access to the information downstream as well? So these are the three to four different areas that our identity services focus on. If you look at it conceptually as an ecosystem, we still acknowledge that in some sense this is still perimeter-level security, but in terms of working with the legacy environment it still gives us the benefits of continuous monitoring, as well as the re-leveling of access in a controlled environment. I want to show this because I thought Azure demonstrates this concept much better than I can. Over here in Azure AD they've got the concept of continuous access evaluation, which is again a core tenet of zero trust. You can see that as part of dynamic access control, any access to a service is always continuously validated through the use of policies, and you've got events. For example, if I think that maybe you're coming from an unexpected location, or you're trying to perform a sensitive action like maybe changing a password or removing an MFA identity, then I can force a re-validation of your identity before you can perform those critical actions. So I think in general they do a pretty good job of presenting this context simply. For us over here, the key thing is being able to assess these events and factors, which then allows us to modify the customer's access on an ongoing basis. For us day to day, the critical flows that we care about would obviously be stuff like purchases and redemptions that have a direct impact on the customer's balance. Here are some other critical change scenarios that we care a lot about day to day as well: anything that has got to do with the account, really,
removing it, disabling it, enabling MFA, removing those identities. We also detect if there's elevated user risk; if that happens, we treat this as a critical change scenario and force a re-validation as well. Other things include password changes as well as admin revocations. Okay, I'm almost out of time now, so in summary you've seen two of the main challenges that we deal with at Ascender day to day: one is working with the data and organizing it for customers in the first place; the second one is how do we work with them to architect and segment access across multiple services. Lastly, before I end, I just wanted to say we're hiring. We're hiring for our auth positions as well; feel free to check out our website, again this is to access our career site. We're hiring across other services as well. And that's all for me today. Thanks for having me guys, and thanks Okta for hosting this.

Thank you so much, that was an awesome talk. I really enjoyed it. You actually painted all the hassle of implementing authentication in legacy systems. It was great. If you have any questions, please let us know in the live chat, or we can take them up at the end of the next talk. All I see is general comments, no specific question per se. So yeah, I would like to ask one question, which is, whenever we think of legacy systems, I worked for a couple of banking and insurance applications before, so I thought I'll ask this question: what do you think, how long is the duration? That's the first thing that comes to your mind, right? When you say, let's say there's a banking legacy application and they want to upgrade it or something like that, how long does it take?

Wow, so I guess it depends. We have some partners that we have worked together with in excess of three years, and some of the upgrades and replatforming are still ongoing. Usually if it's something of a smaller scope, let's say a system-to-system connection where
they are upgrading, let's say, even the SSH client that they are using, then that would definitely be much quicker. In those cases we expect these sorts of upgrades to happen out of the box, but there are cases where, for example, they need to validate the source code and go through multiple security validations, so that can take up to six to nine months as well. I would say what's really key is the projects that really matter, which is the upgrades where, let's say, you're working on a really old system that is maybe COBOL-based, or your system in the first place does not have any integration to services like Okta or PingFederate that allows you to sit a user access control policy plane on top; then usually those are in general multi-year projects, because they need to re-platform and re-migrate all the information and rebuild a lot of the services on it. The faster ones usually already have some sort of enterprise service bus or an API layer linked to an API gateway that makes it easier and faster to perform this migration. So those would definitely be faster.

Because I know that it's not an easy task to achieve, because whenever we work in any legacy environment, even a normal change takes a lot of time: the change has to go through, making sure none of the other systems are breaking, making sure all the logistics are in place. So I was just curious; it should be a really hard task to work on the logistics.

Just to also be super transparent, we don't help them do those migrations themselves. They are the ones handling the upgrades, but we do work with them from an architecture context, just to make sure that your services and our services and any user information we're helping you treat or manage, when those migrations happen, happen seamlessly.

Thank you so much, thanks Mel, thanks for the talk. So we are at the end of the first talk, so I'm just going to introduce you to the next session, which is How to Use Auth0 and .NET 8 to Login from Any Device, Even
a Toaster. That looks so interesting. This topic is going to be presented by our awesome ambassador Emmanuel. I'm going to invite him over and let him introduce himself.

Yeah, thank you very much for having me, first of all. I'm Emmanuel, I'm Italian, living in Switzerland for six years now, and of course I'm an Auth0 ambassador, as Pradipa said before, for two years now, more or less, if I remember. I'm also a GitHub Star, because I share a lot of content around the internet, especially on my blog, especially about Auth0. I share a lot of stuff on my blog because I use Auth0 in production environments for my products as well; in two startups, a lot of startups, I use Auth0 as an identity provider. So this is why I share a lot of stuff, because I use the product every day. So this is why I'm here today. Also, this kind of session is not common to find, because everyone talks about how to connect from a web application or a mobile application, but no one thinks about a console application, or just an IoT device, which is more or less the same. So this is why, maybe six months ago, five months ago, I wrote two articles on my blog about the device flow connection, because it's very common. For instance, you maybe use this authentication flow every day from Visual Studio Code: if you want to connect GitHub to Visual Studio Code, they use the device flow, because you receive a code and you can put the code in a web application and then the application is authenticated. So it's very common, but no one talks about it. So this is why I'd like to talk about it.

Sounds interesting. So I'm just going to give the screen over to you, and I'm going to leave, and then the floor is all yours.

Good. Okay, so let's start to think about what we need to create the device flow. First of all, we need an Auth0 account and a registered application, and we will see how to register an application for this device flow, more specifically for this device
flow, and you can also enable offline access: if you don't want to enter your credentials every time, you can also enable the offline access. And of course you need C#, and, if you want, but it's not, let's say, a mandatory requirement, RestSharp, because you can also use the HTTP client from C#, it's up to you. And of course you need a connection to the internet, because we need to connect to the website.

Everyone knows what Auth0 is, but I just put these slides in my slide deck, how it works, what it is. What is a device flow application? A device flow application is a variant of the OAuth 2.0 protocol, and it's very easy to understand how it works, because one device requests a device authorization; on another browser, another device, you can get that link, insert the link, log in with your account, and then you come back to the device with the authenticated device code and user code. It's very easy to understand. I put the diagram here in the slide to understand how it works. So if you see the first point, the user starts the authorization, let's say path, called /oauth/device/code, and you receive a code and a verification URL. And then with this code and verification URL the user opens a browser by itself, inserts the user code from the console application, or a fridge, a toaster, a mower, whatever you want, and then the device receives back the authorization. Of course, if your authorization flow completes successfully, the device receives the authorization token and the access token. It's very easy, it's very similar to, let's say, the normal flow, but the part that changes is the part between when you receive the access code, the user code sorry, and you insert this user code in the browser. It's very similar.

And what you need to implement this device flow authentication with Auth0: first of all you need to register an application with Auth0, configure some settings, you can get the client ID, and with this client ID you request the code, and you can put the device
code, the user code and the verification URL to the user as well. And now this is the magic: you have to poll the Auth0 authorization server to check if you have the authorized client code to be authenticated on the client application. This is the trick, you need to poll by yourself every one second, but when you request a device code, a user code, you receive an expiry time, so you can easily calculate how much time the user has to receive the authenticated code. But we will see everything in the code later.

This is the code example. It's not complete, because we will see the code in a new application; in this case we use the same with the client. So first of all you need to call your domain, from your Auth0 domain, the device code URL, with a POST request of course, and in the request you have to add the client ID, your device scope, and the audience, okay? And then when you send this device code request, you receive in the response content the device code, the user code and the verification URL, and then you can display this information in the console application or whatever you want. And then you have to poll for this access token. In this case, in the code, let's say it's not complete, because you don't have the poll action, but just the code to receive the authorization token. If you use this code it doesn't work, because it's too fast, okay? So you don't have the time to insert everything inside. And then you can add, when you receive, let's say okay, you receive the authenticated client as well with the access token and stuff like that, okay?

So let's see what it means in terms of coding. So first of all we need to register a new application on the Auth0 platform. In the moment I have the screen, and I switch, sorry. And so from here you can register an application: create an application, Secure Meetup June, you can insert the name of the application, and you have to select Native. And as you can see here, also in the description they use
Electron, Apple TV apps, or smart devices without really a user interface, okay? And then here in the settings you can set a lot of stuff, but the most important thing to set up here is the Allowed Callback URLs, Allowed Web Origins; here I copy my link from here, okay? This is, let's say, the default settings for device flow, nothing. And then if you scroll down until the Advanced Settings, from here you have to go to the Grant Types, and then from here you can add the Device Code, because by default you don't have the Device Code in the grant types, so you have to add this checkbox here and then you can save your application. So from this point of view we are done.

And now we can start to open Visual Studio, or whatever you want, but I use Visual Studio, you can use everything you want. So in the project you can create a console application, Console App, okay, then in the desktop, it's perfect, you can use desktop, and we can use [inaudible], 7 or 8, it's the same, okay? I just click on 7, but you can also use 8, it's the same. Okay, now if I have the mouse control, okay, here you can delete everything and now we can start to put some code here. Okay, first of all insert some settings for your application. In this case I put all the settings here as, let's say, hardcoded, but of course you can create an app settings or whatever you want for your application. Then we need the tenant name, it's this one, okay, let's see if I am able to, your tenant dot us, okay, this is our tenant, and also the client ID, okay, we can get the client ID from the same screen, okay, and then we have our, let's say, settings to request our application. Okay, ah okay, I need only the, let's say, the tenant, okay. And then we can install the REST client here, RestSharp, okay, in the console application. So I just added the NuGet package to use RestSharp, not because it's mandatory, as I mentioned before, but it's easier if you want to send parameters or receive parameters to an HTTP endpoint, okay? So now we are more or less ready
because, as you can see here, we call, let's say, this endpoint, as I mentioned before in the slide, and it's a form request, okay? And then in the form request you can add the client ID, the scope, okay, as you can see it's just a normal scope, and let's say the parameters are okay. And then we send this request, but we are not done, because when you receive the response from this application, from this request, sorry, we receive... sorry, I have to import also Newtonsoft to parse the object, okay. And then as a response you receive a lot of information; we don't use all this information, but I want to show you what we receive back from the first request. So first of all we receive the device code, the user code, the verification URI, the interval and the expires value, okay? And with all this information we can create in this moment a message to the user, okay? So as you can see I am using the code from my machine and it suggests me to use this code, I think it's fine, you can use the code from Copilot as well, it's fine. And then we can insert, because it's very common to insert a line here. So in this case the console application, if you want, you can start to debug if it works. Let's see if it works. I think it's open in another screen, but I remove everything on this screen when it started, okay, now okay, and now as you can see we have our request. I hope it works, I don't know if it works, if I put everything in the right [inaudible] then it should be fine, because I take the information from our server. But oh sorry, the domain, maybe I put something wrong here, let me paste again the dev, maybe this is the error that I have, let's see if it works now, a little bit, let's see. Okay, I just put the wrong domain name, because we are in the dev environment, and with the dev environment we have the prefix on your tenant name, and this is why I made this error. And then here, as you can see, we have the device code, the user code, the verification URI, the interval value is 5, it means 5 seconds, and then
expires in 900 seconds. And then in our console application, oh sorry, I was too fast as well, in our console application, as you can see here, we can go there, click, I'll zoom a little bit, we can click in our console application on the link and we can open a browser. If I click here, as you can see, I receive this screen. Of course you can customize also this screen with your logo, with your information, and then you can click here with the code and continue, okay? So it's more or less everything that we need, but we are not ready yet, because we need to wait for the information about the authentication flow. And how can we do that? As I mentioned before, we need to wait, we need to poll the server, and in this case we can create a loop, but you can use whatever you want. Oh, I love this Copilot, because it wrote the code for us. I don't know if it's good or not, we try to... it's good, I think it's good, so we can use this one. Let's see if it works, I'm very curious about that. Okay, so it's more or less what I would like to do in this case. What we have here: we create a foreach, we miss an information here, okay no, and so in this loop we try to ask this endpoint if we have an answer, and this one okay, and then you try to post with the client ID information and the device code information, what we received before, okay? And we can ask if we have a response from them. If the answer is the status code 200, it means okay, we have the access token, and then we can use the access token, I don't know, to call your API or stuff like that. But if not, one second, in this case it's one second, until the interval is less than the expiry seconds or minutes, okay? And then we start the game with the loop. So in this case we don't have any other way to wait for the answer from the server, okay, we need to wait. Okay, so if we launch again the application, and maybe we can remove also the endpoint here, and as you can see, waiting 5 seconds, okay, and then you try again after 5 seconds as well, okay, and then we need to go
again to this screen. Here we can copy this, the device code, then we can confirm if we want to activate this, this, let's say, device, okay? And then of course after the code, because this is the first step that we want to do, because they want to be sure that it's you, and then they ask for authentication with one of your accounts for your application, okay? And if I click on continue: congratulations, your device is now connected. And if I come back here, of course now I don't have any other code below, but maybe I can put another breakpoint here. I think now it's faster, because I just authenticated from this browser. Let's see, okay, okay, they don't ask me anything more, because the browser is the same, of course it saves the information, and the access token is this, okay, so Text Visualizer, and if we go to another browser, jwt.io, okay, and we can put our token here. Okay, so as you can see we have all the information, we don't have too much information, but we have all the information about our token. I don't know why it's bugged, but maybe it's my fault. Okay, so we have all the information that we have in the token, let's say, activated, okay? And then of course with this access token you can call, after this stuff here, you can call your API, and then you can... this is one of my APIs that I created just for testing my application, it's public, so you can also use the API endpoint to test your application, and you can call the API with your token, okay? You have to set this API of course on Auth0 as well, but it's very easy, and then you can call your API as well, okay? So it's very easy.

But as you can see before, I said every time it asks for credentials, okay? So this is very important, because you don't want to ask with your... it's not easy to authenticate every time, I don't know, your IoT device or stuff like that. What you can do here: you can change just a few things in your application. So you can come back to the settings of the application, give me a moment to find the browser page, the right browser page, and
then from here, from Access, from the API, okay, let's see if I find the API panel, every time I don't remember, Applications, APIs, sorry, here, every time I try to find Applications, but easier, you can open just this one, and from the Access Settings you have to check these two checkboxes here, and in the request you have to add the audience as well. So if you want to add the browser here, after this one, this line of code, we ask also for your audience, and with your audience it means settings from here, from the Auth0 portal, let's see, the identifier is your audience, and then with all this information you can call your API in a very easy way. And of course the application doesn't request the authentication every time anymore, because we enabled the offline access and the refresh token, and of course it asks you to re-enter your credentials again after a while, for security reasons of course. But it's more or less everything that you need for a device flow. As you can see it's very easy to set up, but at the same time there are a lot of steps to perform to set up everything in a correct way. The benefits of course of this authentication type: you can enable the authentication flow from everywhere, and we didn't see it today, but you can also, let's say, customize your device code settings, how long they are, how short they are, and start from that. And I put in the slides all my references, what we used today in the session, and if you have questions, this is my account, you can find me more or less everywhere, especially on Instagram. And so if you have questions the chat is open, and also Pradipa, I don't know if, let's say, I think you don't have questions because it's your job, let's say.

You don't have any questions? Thanks, Manuel, for the talk. I remember that my first experiment with Auth0 was the device flow, because I was working for a streaming company and they wanted to use the login via TV, and then the device flow was my first attempt. So whenever you're explaining about the device flow and
the refreshing part, I was just going through all the stuff in my mind, like what I did, because it's easy to understand, but if you don't follow the exact steps it's more difficult to debug sometimes, because you don't have an interface or web application, you just have a console. So if you don't know how to put the steps in the right order, stuff like that, at the beginning it's a little bit strange. You painted it in a nice way, it's very easy, but I know it took, I think three weeks, I spent some time: sometimes the token expired, and then the internet connection goes out, the polling does not happen, the things that we have to figure out. And then you also mentioned we have to keep polling until the code expires, so there's no point in polling when the code is already expired.

Yeah, exactly, this is one of the pains, let's say, for the device flow, because you don't have too much time, at least the first... and by default the Auth0 device code, so it's very easy to insert, at the same time it's secure enough, it's not having only three characters or four characters.

Yeah, that's better. And also it's like not keeping the token very long-lived, because keeping the activation code with a short expiry is one of the ways that we can reduce the vulnerability, that even if it gets stolen, then it's better to ask for a new activation code. Yeah, thank you so much. I just have one question about the device flow, I just thought: so this access token, whatever we got, like whenever I saw the code, is it only one token, or do we refresh it, keep refreshing the token, or is it long...?

It's refreshing the token, but you can also set it up with no offline access, I don't remember exactly the name, but you can reuse the same token every time you call your API or stuff like that.

Oh okay, yeah, I was wondering, like if you have a long-lived access token then we need to do the refresh token, then it goes, the device talks to the authorization server, without... there is no hassle for the user. I have one question from Lucas, I
don't know whether I... I don't know, I think you can answer this question, you know this better: how is OAuth different from Auth0?

Let's say OAuth is a protocol to, let's say, authenticate, this is a very, let's say, broad description of OAuth, and Auth0 is an identity provider, and they, because I'm not working at Auth0, but they use OAuth for, let's say, it's one of the providers that they provide for authentication, for the authentication service. But Auth0 is a protocol and Auth0 is, sorry, OAuth is a protocol and Auth0 is a company that uses OAuth. It's very similar to the question, what is the difference between Git and GitHub? I receive this question a lot of times, what's the difference between Git and GitHub? Git is a kind of protocol to archive and explore, so it's code, and GitHub is a company that uses Git for users, kind of. Anyway, we are making a general talk, so thanks for staying.

Yeah, OpenAS has commented that you, Manuel, have an impressive GitHub repository.

Just, let's say, I created a fancy profile, but I see on my streak that I did more or less 1K commits in the last year, but it's not too much, it's more or less fine, but I use GitHub every day, so this is why. And just for info, if you create a good GitHub profile, especially the first page, it's also good if you want to find a job or something like that, because it's like a credit card in 2023, it's like a business card, because they see you taking care of your GitHub profile, they say okay, this is a good developer or not. It doesn't mean you are a good coder, but they don't know that, so it's fine.

I know people see the green checks and then how green it is, I know people who do the documentation and then keep it green, like it just looks at the commits, but GitHub is a gateway to your job. Well, I see your background, is it a screensaver? That's your office?

Oh no, that's our office, I happen to change positions.

It looks like AI created a background.

Correct, it looks good.

Suddenly I was realizing, oh, is it a screensaver?

Oh yeah,
we've got a pretty commanding view of the area. Anybody have any questions? Or I think we can wind up. Leave a comment if you like this. I think I have one question: any integration with dApp applications or projects done from your side?

No, but I know a guy from Italy, he created a startup and he centralized it with NFT collections after that, and I think they use Auth0, because I remember the login process, and they customized everything, but they use, let's say, Auth0. So I think it's possible of course to use it also for decentralized applications. Of course, I also saw some blog, I can post it in the comments or sometime later, about how we can integrate Auth0 with NFT applications.

All right, thanks everyone, thank you so much for staying, and I hope you enjoyed the talk. We'll come with the next edition, and then maybe we'll create a part two of the device flow, and then see, maybe see the real toaster, and then show... yeah, if you want to try it out with your toaster, you can always reach out to Emmanuel, and if you are working on any legacy applications and you are stuck, feel free to reach out to Melvin also. We'll leave a comment here on this YouTube, if you have any questions, and then we will address it. Thank you so much, thanks everyone, thank you.
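The device flow walked through in the talk, as an added example that is not part of the transcript and not the speaker's C#/RestSharp code or Auth0's own code. It is written in Python against a small simulated authorization server, so the part the talk only sketched, the polling loop, can be run offline and exercised on its failure modes: `authorization_pending`, `slow_down` when a client polls faster than the returned `interval` (the "every one second" mentioned in the talk), `access_denied`, the `expires_in` deadline the Q&A discussed (no point polling after the code expires), and a refresh token that is only issued when `offline_access` is in the scope. The tenant domain, client ID and audience are placeholders, and the `/activate` URI and the 8-character `XXXX-XXXX` user code are assumptions of the simulation, not facts taken from the page. Response shapes and error codes follow RFC 8628 rather than any one provider's HTTP status conventions, which is why the client branches on the `error` field instead of only on HTTP 200.

```python
"""Device authorization grant (RFC 8628) end to end, against a simulated
authorization server, so the polling loop can be exercised offline."""
import secrets
import string

TENANT = "example.us.auth0.com"        # assumed placeholder domain, not a real tenant
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"    # assumed placeholder client id
AUDIENCE = "https://api.example.com"   # assumed placeholder API identifier
DEFAULT_SCOPE = "openid profile offline_access"


class FakeAuthServer:
    """Stand-in for /oauth/device/code and /oauth/token; shapes per RFC 8628, not Auth0's code."""
    def __init__(self, now, interval=5, expires_in=900):
        self.now, self.interval, self.expires_in = now, interval, expires_in
        self.sessions, self.refresh_tokens = {}, set()

    def device_code(self, client_id, scope, audience):
        raw = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(8))
        device_code, user_code = secrets.token_urlsafe(24), f"{raw[:4]}-{raw[4:]}"  # assumed format
        self.sessions[device_code] = {"user_code": user_code, "scope": scope.split(),
                                      "status": "pending", "issued": self.now(), "last_poll": None}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": f"https://{TENANT}/activate", "expires_in": self.expires_in}

    def decide(self, user_code, status):
        """What the user does in the browser after typing the code: "approved" or "denied"."""
        for s in self.sessions.values():
            if s["user_code"] == user_code:
                s["status"] = status

    def token(self, client_id, device_code):
        """Poll endpoint. Clients must branch on `error`, not only on HTTP 200."""
        s = self.sessions.get(device_code)
        if s is None:
            return 400, {"error": "invalid_grant"}
        now = self.now()
        if now - s["issued"] > self.expires_in:
            return 400, {"error": "expired_token"}
        too_fast = s["last_poll"] is not None and now - s["last_poll"] < self.interval
        s["last_poll"] = now
        if too_fast:
            return 400, {"error": "slow_down"}
        if s["status"] != "approved":
            return 400, {"error": "access_denied" if s["status"] == "denied" else "authorization_pending"}
        body = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 86400}
        if "offline_access" in s["scope"]:   # refresh token only with offline_access and the grant enabled
            body["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh_tokens.add(body["refresh_token"])
        del self.sessions[device_code]       # a device code is single-use
        return 200, body

    def refresh(self, client_id, refresh_token):
        ok = refresh_token in self.refresh_tokens
        return (200, {"access_token": secrets.token_urlsafe(32)}) if ok else (400, {"error": "invalid_grant"})


def run_device_flow(server, now, sleep, show_prompt, scope=DEFAULT_SCOPE, poll_interval=None):
    """Client side: request a code, show it, poll until a terminal state (poll_interval overrides the server's)."""
    dc = server.device_code(CLIENT_ID, scope, AUDIENCE)
    show_prompt(dc["verification_uri"], dc["user_code"])
    interval = poll_interval or dc["interval"]
    deadline = now() + dc["expires_in"]     # no point polling once the code has expired
    while now() < deadline:
        sleep(interval)
        status, body = server.token(CLIENT_ID, dc["device_code"])
        if status == 200:
            return body
        err = body.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":              # RFC 8628 section 3.5: add 5 seconds and keep polling
            interval += 5
            continue
        raise PermissionError(err)          # expired_token, access_denied, invalid_grant
    raise TimeoutError("expired")


def run_scenario(user_action=None, act_after_polls=0, poll_interval=None, scope=DEFAULT_SCOPE):
    """Drive one flow with simulated time; the user acts ("approved"/"denied") after N sleeps."""
    t, polls, prompt = [0.0], [0], {}           # simulated clock, poll counter, what the user was shown
    server = FakeAuthServer(lambda: t[0])

    def sleep(seconds):                         # stands in for time.sleep
        t[0] += seconds
        polls[0] += 1
        if user_action and polls[0] == act_after_polls:
            server.decide(prompt["user_code"], user_action)

    try:
        tok = run_device_flow(server, lambda: t[0], sleep, lambda _u, code: prompt.update(user_code=code),
                              scope, poll_interval)
        refreshable = server.refresh(CLIENT_ID, tok.get("refresh_token"))[0] == 200
        return {"outcome": "token", "polls": polls[0], "elapsed": t[0], "refreshable": refreshable}
    except (PermissionError, TimeoutError) as e:
        return {"outcome": str(e), "polls": polls[0], "elapsed": t[0]}


if __name__ == "__main__":
    print(run_scenario("approved", 3), run_scenario("approved", 4, poll_interval=1), run_scenario(), sep="\n")
```

Swapping `FakeAuthServer` for real HTTP calls means POSTing `client_id`, `scope` and `audience` to `https://<tenant>/oauth/device/code`, then POSTing `grant_type=urn:ietf:params:oauth:grant-type:device_code`, `device_code` and `client_id` to `/oauth/token` in the loop; the control flow above stays the same, and the two things worth keeping from it are honouring `interval` (and backing off on `slow_down`) and stopping at `expires_in` instead of looping until a 200 arrives.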