Tag: authentication

Categories
Podcasts Security What I’m Up To

Ziti TV: Explaining OpenZiti to the new guy (and that’s me!)

“Ziggy,” OpenZiti’s anthropomorphic ziti mascot, wearing headphones and playing accordion.
Want to know more about my new job? Here’s the story.

Last week was my first week at NetFoundry, where I’m the Senior Developer Advocate. It was fun, and it was also like drinking from a high-tech, encrypted firehose!

To mark the occasion, I sat down with NetFoundry’s Head of Developer Experience (and also developer; he does a lot!) Clint Dovholuk for my first episode on Ziti TV. We spent an hour diving into the “meat” of Zero Trust, networking architecture, and why your traditional VPN might be the “castle and moat” that finally (and unintentionally) lets the invaders in.

If you’re a developer who has always viewed networking  infrastructure as someone else’s problem (and as a recovering mobile developer, I’m certainly guilty on that charge), here’s the deep-dive breakdown of what I learned in my first week on the job.

Notes from the video

Zero Trust

The term “Zero Trust” is everywhere. You can’t throw a rock on the tech internet without hitting a marketing department claiming they’ve “solved” it, and Clint and I joked about the “eye-roll” factor of the term.

Clint said that Zero Trust might be better understood if you called it Explicit Trust. In the old “Castle and Moat” model, if you’re in the castle, you’re trusted. In the OpenZiti model, we assume the network is already compromised. You have zero privileges until they are explicitly granted based on:

  • Authentication: “Who are you?”

  • Authorization: “What are you allowed to do?”

A lot of resources will authenticate and authorize you through some kind of sign-in process. Clint describes OpenZiti as moving the process out by one layer into the network so you can’t even connect to an OpenZiti-protected resource without being authenticated and authorized first.

Or, to quote Clint:

With OpenZiti and Zero Trust, if you have a service that’s protected by OpenZiti, you first need to authenticate to the OpenZiti overlay network, and then you need to have an authorization that permits the operation you’re trying to perform.

OpenZiti also uses a Zero Privilege approach. Once again, to quote Clint:

The whole idea is that you have no privileges until you are granted privileges, and only then are you able to take whatever operation you want.

“Jay double-you tee” vs. “Jawt”

Apparently we’re on different sides of this debate. Clint prefers referring to JWTs as “Jay double-U tees,” while I prefer to call them “Jawts.”

OpenZiti and NetFoundry: How are they related?

OpenZiti is the network overlay project, and NetFoundry is the company behind OpenZiti.

The “Open” in OpenZiti comes from the fact that it’s an open source project. This is in keeping with the philosophy that a cybersecurity product should be open source because making source code publicly visible enables a community of developers, analysts, and other experts to audit, test, and improve it.

If you have the time, tech skills, and inclination, you can use OpenZiti and run your own overlay network at zero cost — if you don’t count the cost of said time and tech skills. It’s all up for grabs here.

However, if you’d rather spend your time and technical expertise elsewhere, especially once your needs get up to scale, such as on your main line of business, NetFoundry is here to provide you with a managed OpenZiti platform.

It’s easy to run one controller and two routers on your laptop. But when you’re an enterprise managing a fleet of routers, handling upgrades, and monitoring metrics, you’re suddenly in the “overlay business” instead of your actual business. NetFoundry is the “Easy Button” that manages OpenZiti for you [19:10].

The quickstart

Clint then gave a quick demonstration of the OpenZiti quickstart, which creates a fully functional OpenZiti network overlay on your system in a couple of seconds. This overlay has both a router and a controller, and each has a specific job.

Controller

The OpenZiti controller [24:36] serves as the brain of the overlay network. It’s the authority responsible for managing the state of the environment and ensuring that all connections are secure and verified before traffic ever flows.

Its responsibilities can be broken down into several key functions:

1. API surface and management

The controller surfaces several critical APIs that different components of the network interact with. These include:

  • Edge Client API: Used by SDKs and tunnelers to authenticate and discover services.

  • Management API: The interface used by administrators (often via the Ziti CLI) to configure the network, such as creating new identities or defining service policies.

  • Fabric and OIDC APIs: Used for internal mesh communication and identity provider integration.

2. The authority on explicit trust

The controller is the primary decision-maker for the two pillars of Zero Trust security:

  • Authentication: It verifies the identity of any user, device, or “workload” attempting to connect (answering “Who are you?”).

  • Authorization: It checks configured policies to determine exactly what that identity is allowed to access (answering “What are you allowed to do?”).

Unlike a traditional network where a firewall might be open by default, the controller ensures the network is dark by default. No connection is permitted until the controller has explicitly authorized it.

3. Bootstrapping trust, a.k.a. enrollment

The controller is the starting point for bringing new devices into the fold through a process called “Bootstrapping Trust”.

  • It issues One-Time Tokens (OTTs) (essentially signed JSON Web Tokens) that are delivered to users.

  • When a client initiates enrollment, the controller validates the token and facilitates a Certificate Signing Request (CSR) exchange.

  • The end result is a strong, cryptographically verifiable identity that the client uses for all future secure communications.

4. Orchestrating the mesh

While the controller does not actually handle the data traffic (that is the job of the routers), it provides the “map.” It coordinates with the edge routers to broker data channels, ensuring that when a client “dials” a service, the routers know how to steer that traffic to the correct destination.

Router

The OpenZiti router [26:09] is the workhorse of the network. While the controller acts as the brain and makes policy decisions, routers constitute the data plane: the actual infrastructure that moves bits from point A to point B.

According to Clint, the router’s job can be broken down into these core functions:

1. Forming the mesh overlay

The routers are responsible for creating the “mesh overlay network”. Unlike a traditional hub-and-spoke networking model, these routers connect to one another to form an interconnected fabric. Even if you start with just one router, you can deploy many others to extend this mesh.

2. Brokering data channels

The primary job of a router is to broker data channels. When an application wants to send data, the router facilitates the creation of a secure path. It effectively “steers” the traffic through the mesh to ensure it reaches the intended destination router and, ultimately, the target service.

3. Serving as the entry point for clients

Everything in OpenZiti is technically an SDK client, whether it’s a standalone app or a “tunneler.” These clients connect directly to the routers to form the necessary channels for communication. The router acts as the listener that accepts these connections once the controller has given the “okay.”

4. Shuttling the actual data

The router is where the heavy lifting happens. It is the component that actually sends your data from one side to the other. While the controller handles the logic of authentication and authorization, it never touches the application data itself. That task is handled entirely by the routers.

5. Enforcing the “dark network”

By acting as the only point of entry into the mesh, routers help enforce the “dark by default” philosophy. Unless a client has been explicitly authorized by the controller, a router will not broker a channel for it, effectively keeping the protected services invisible to the public internet, and by extension, unauthorized and malicious parties.

The coolest part for a developer? You can spin this all up on your local machine in about seven seconds with a simple ziti edge quickstart [23:00].

Why not just use a VPN?

One of my questions was the one every developer asks: “Why can’t I just use a VPN?”

Clint insists that an OpenZiti overlay actually is a VPN [34:05] in the broadest sense, in that it’s a virtual network that’s closed off to unauthorized parties. It just functions much differently than the “one big mush” of traditional VPNs, which are open by default, and once you’re in, you can see everything.

On the other hand, OpenZiti is dark by default [35:45]. If you have a server on the open internet, it usually has an open port (such as port 22 for SSH or 443 for HTTPS). With Ziti, you close those ports entirely. The service becomes “dark,” and the ports are invisible, and you can’t attack what you can’t even find.

The “magic dance” of bootstrapping trust

I’ll admit, when I first tried to set up a client and server, I got a little lost in the “magic dance” of certificates. Clint called this process bootstrapping trust [38:47].

It starts with a One-Time Token (OTT), which is a signed JWT, and the process goes like this:

  1. The admin creates an identity on the controller [41:09].

  2. The client uses the token to find the Controller’s URL [43:11].

  3. The handshake takes place, where the client verifies the controller’s certificate, and they exchange a CSR (Certificate Signing Request) [44:43].

  4. Strong identity: The result is a JSON file containing a key that must be protected like a secret.

AI Agents and the MCP Gateway

We also took a detour into Agentic AI. Clint has been using MCP (Model Context Protocol) Gateways to let Claude interact with the Ziti CLI.

The breakthrough here is efficiency and security. By using an MCP Gateway, you don’t have to give your raw credentials to the AI [57:02]. Plus, by using a targeted MCP server, you can strip a massive 100k data object down to a 10k summary, saving a fortune in tokens [59:12].

Real-world use: From blue bubbles to drones

I asked Clint who is actually using this in the wild. The “Adopters” list is growing, including projects like Blue Bubbles (the tool that brings iMessage features to Android) [50:33].

But the stakes get higher. We discussed Zero Trust Drones and secure communications on the battlefield [52:12]. When you’re in a high-stakes environment like Ukraine, having secure, “dark” comms is a necessity, not a luxury.

More coming soon!

This was the first of many Ziti TV livestreams featuring Clint and Yours Truly. The next one’s scheduled for Friday, April 30th at 11:00 a.m. U.S. Eastern / 8:00 a.m. U.S. Pacific / 1500 UTC, and you can view past livestreams in the Live section of the OpenZiti YouTube channel.

Watch the full replay here: Ziti TV: Explaining OpenZiti to the New Guy

Categories
Artificial Intelligence What I’m Up To

Could ChatGPT do my job?

It’s been just over five weeks since the launch of ChatGPT (it happened on November 30, 2022). Since then, from casual conversations over the holidays to New York Times think pieces, people have been asking if ChatGPT could do their jobs.

Auth0 logo
Want to know how I landed my job at Auth0? I wrote about it back in 2020.

In case you’re wondering, I’m a Senior Developer Advocate at Okta for the Auth0 product. If that sounds confusing, it’s because Okta acquired Auth0 in May 2021, and while we’re one company, that company has two products named “Okta” and “Auth0”. It’s my job to show mobile developers how they can use the Auth0 product to authenticate and authorize users.

In the video above, I “had a conversation” with ChatGPT where I asked it some basic questions about OAuth2, OIDC, and Auth0, and it answered them correctly. However, when it got to questions about writing iOS and Android apps that used Auth0 for login, it got some details wrong — and in programming, it’s the details that get you. Watch the video to find out what happened!

Categories
Mobile Programming Video What I’m Up To

How to add Auth0 authentication to a SwiftUI app

Joey deVilla in his home office, holding an “Einstein” rubber duck up to the camera.
C’mon, how many programming tutorial videos have a scene like this?

If you’re making an iOS app, the odds are pretty good that sooner or later, you’re going to have to integrate authentication — login and logout — into it. I show you how to do that with Auth0 in both a video

…as well as a matching two-part article series that walks you through the process:

Both the video and article present how the final app will look and work:

Tap to view at full size.

And then they’ll get you started with a starter project:

Joey deVilla appears in the corner of the screen showing the starter project of Auth0’s iOS/SwiftUI authentication video.
Tap to view at full size.

I’ll walk you through the processes of getting Auth0 set up to recognize your app and creating a user with which to log in:

Joey deVilla appears in the corner of the screen showing the Auth0 dashboard in Auth0’s iOS/SwiftUI authentication video.
Tap to view at full size.

And then, I’ll show you how to add login and logout to the project’s app:

Joey deVilla appears in the corner of the screen, while adding login and logout to the starter project of Auth0’s iOS/SwiftUI authentication video.
Tap to view at full size.

And along the way, I’ll provide a brief intro to ID tokens, JWTs, and JWT.io:

Joey deVilla appears in the corner of the screen showing the JWT.io site in Auth0’s iOS/SwiftUI authentication video.
Tap to view at full size.

Of course the video ends with an accordion number!

Joey deVilla plays accordion at the end of an Auth0 tutorial video.
Again, I ask: how many programming tutorial videos have a scene like this?

Once again, the here’s the video, How to Integrate Auth0 in a SwiftUI App, and here are the articles:

Whether you prefer to learn by watching video, reading, or a little bit of both, I hope you find these useful!

Categories
Meetups Security Tampa Bay What I’m Up To

I’m presenting “The Secret History of Login” at InfraGard Tampa Bay next Tuesday!

Are you free next Tuesday, October 18th from 9:00 a.m. to noon, for an event you can attend either in person or online? If so, perhaps you might want to catch my talk at the upcoming InfraGard Tampa Bay Members Alliance meeting. It’s titled The Secret History of Login!

Here’s the description:

If you’re reading this, the chances are very good that you’ve logged into a system or resumed a session where you logged in earlier. It’s a common enough occurrence that most of us don’t think about it unless we’re in a hurry or if we can’t remember our username/password combination.

Logging in is new enough that there are still many people alive who knew the world before usernames and passwords, yet old enough that it’s developed some problems that will take time and effort to solve. This talk will tell the strange story of how login grew from a last-minute hack to become part of our daily experience. Along the way, you’ll get an overview of some of the ways it’s been implemented, the popular software movement it inspired, how it inspired both a software movement and a whole new category of crime, and some best guesses about its future.

What is InfraGard Tampa Bay Members Alliance?

First of all, they’re affiliated with the FBI! As their About page states:

Our mission is to mitigate criminal and terrorist threats, risks and losses for the purpose of protecting our region’s critical infrastructure and the American people. Founded in 2004, the Tampa Bay chapter has established itself as a leader nationwide, setting the highest standards for programs, training and education. For the last decade, we have proudly contributed to the safety and security of Tampa Bay via an all-threats, all-hazards approach. At the national level, the InfraGard National Members Alliance was founded in 1996 and now comprises over 80 regional chapters, each linked to an FBI Field Office.

InfraGard’s success can be attributed to the unprecedented communication, collaboration and coordination it has forged at the epicenter of America’s most critical resources. Our membership is comprised of individuals that represent private businesses; local, state and federal law enforcement agencies; academic institutions; first responders and more.

All members are vetted by the FBI and pass comprehensive background checks prior to being accepted to InfraGard. The trust inherent in those who have successfully passed these checks is unmatched in any other public-private partnership in the country, making InfraGard a unique and highly successful solution to engaging the private sector in the protection of our nation’s critical infrastructure.

What’s happening at this meeting?

There’s a lot going on at this meeting — in fact, I’m not the only speaker at this one! Here’s the agenda:

TimeItem
9:00 a.m.Welcome and speaker/topic introductions by Ebony Vaz
9:05 a.m.Opening remarks by Michael Ritchie, President
9:15 a.m.Speaker 1: Kate Whitaker, Director of Cyber Outreach, Cyber Florida
10:00 a.m.Break
10:15 a.m.Speaker 2: Joey deVilla, Senior Developer Advocate, Okta — The Secret History of Login
11:00 a.m.Break
11:15 a.m.Speaker 3: Billy Sasser, Supervisory Protective Security Advisor (SPSA) CISA Region 4 — CISA’s Physical and Cyber Security Resources
12:00 p.m.Closing remarks by Michael Ritchie, President

You can attend in person or online!

They’re streaming this event, so you have the option of attending online if you can’t make it to the in-person event. Here are the registration details:

Categories
Uncategorized

Colin Bowern at the Metro Toronto .NET User Group: Authentication Alternatives for ASP.NET

This article also appears in Canadian Developer Connection.

Slide: Passwords are like pants (with picture of boxer shorts): You shouldn't leave them out where people can see them, you should change them regularly and you shouldn't loan them out to strangers!Click the photo to see it at full size.
(And yes, he’s using the word “pants” in the British English sense, as in “underpants”.)

On Thursday evening, I caught Colin Bowern’s presentation, Authentication Alternatives for ASP.NET at the monthly gathering of the Metro Toronto .NET User Group. Here’s the abstract:

Asking someone to create another username and password is presents risk. Most people use the same password across sites, or worse yet they write it down! The good news is there are smart people thinking about how to solve this problem and for web developers there are easy ways to take advantage of their hard work. In this session we will take a look at the credential management from a user perspective. We will dig into the efforts made in Active Directory, Windows Live ID, OpenID, OAuth, and Facebook Connect and how you can take advantage of them in your application.

He covered Windows Live ID, OpenID and OAuth. Not only did he show the theory, but he also presented some reasonably easy-to-follow code and showed it in action. Colin’s got a good presentation style; perhaps he picked up a thing or two at the speaker’s workshop we had a week ago as part of EnergizeIT!

Here’s the “Call to Action” slide from his presentation:

Colin Bowern's "Call to Action" slide

…which says:

    1. Stop requiring users to create more identities
    2. Leverage OpenID for authentication – see the DotNetOpenID project at Google Code
    3. Investigate OAuth for delegated resource access
    4. For apps targeting corporate scenarios, read up on the Geneva product set – see items on Channel 9 tagged “identity”

Afterwards, I joined Colin, Metro Toronto .NET User Group President Graham Marko and a few others for some post-presentation Guinness at the nearby pub The Spotted Dick and told them I’d catch them at the Toronto Code Camp in a couple of weeks.

Next Presentation: Yours Truly on ASP.NET MVC

Metro Toronto .Net user Group logo I was invited to present at the Metro Toronto .NET User Group meeting. Graham said I could present on any topic I wanted, so I asked if anyone had done one on ASP.NET MVC yet. No one had, so I figured I’d cover it. I’ve been looking into it casually for the past little bit and I’ll be diving into it over the next month, with my experience using another MVC web framework, Ruby on Rails, as my guide. I promise I’ll be informative and entertaining! You might want to come even if you’re not a .NET developer.

The next meeting will take place on Thursday, May 28th from 6:00 p.m. to 9:00 p.m. at the North Tower of the Manulife Financial Offices (200 Bloor Street East, on the north side, between Church and Jarvis). Yes, the meetings take place around dinner, but they provide some pizza and pop, and there’s always an opportunity for post-session nachos at the nearby pub.