Ballerina Security

References

This section has a collection of important resources which were created/referred for the design and implementation of the current Ballerina Security architecture and its related components. All the resources are open source and publicly available.

Specifications

• Specification: Ballerina Auth Library
• Specification: Ballerina JWT Library
• Specification: Ballerina OAuth2 Library

IETF RFCs

• RFC 8693 - OAuth 2.0 Token Exchange
• RFC 7662 - OAuth 2.0 Token Introspection
• RFC 7519 - JSON Web Token (JWT)
• RFC 7518 - JSON Web Algorithms (JWA)
• RFC 7517 - JSON Web Key (JWK)
• RFC 7516 - JSON Web Encryption (JWE)
• RFC 7515 - JSON Web Signature (JWS)
• RFC 6749 - The OAuth 2.0 Authorization Framework
• RFC 7617 - The 'Basic' HTTP Authentication Scheme

Blogs

• 2022 Feb - Securing Microservices with OAuth2
• 2021 Oct - Securing Microservices with JWT
• 2021 Aug - Microservices Security with Ballerina
• 2021 Aug - HTTP Security in Ballerina

Research & Design

• 2021 Sep - [Design] Ballerina GraphQL Authentication and Authorization
• 2021 Apr - [Review] Ballerina Security APIs of StdLib Protocol Connector Module
• 2021 Feb - [Re-Design] Ballerina SecureSocket API
• 2020 Nov - [Design] Ballerina Authentication & Authorization Framework
• 2020 Oct - [Research] Comparison on Ballerina Security Features/APIs with Programming Languages

GitHub Pull Requests

• 2021 Aug - Add JWT bearer grant support for OAuth2
• 2021 Aug - Add HMAC signature support for JWT
• 2021 Jun - Implement declarative auth design for WebSocket upgrade service
• 2021 May - Implement declarative auth design for GraphQL service
• 2021 Mar - Redesign HTTP listener/client SecureSocket API
• 2021 Mar - Add cert file and mTLS support for JDK11 client of OAuth2 module
• 2021 Mar - Add cert file and mTLS support for JDK11 client of JWT module
• 2021 Feb - Extend private key/public cert support for JWT signature generation/validation
• 2021 Feb - Add support to decode private/public keys from key/cert files
• 2021 Jan - Implement Declarative Auth Design
• 2021 Jan - Implement Imperative Auth Design
• 2021 Jan - Read custom fields of OAuth2 introspection response
• 2021 Jan - Send optional parameters to introspection endpoint
• 2021 Jan - Send custom parameters to introspection endpoint
• 2020 Apr - Implement JWT signature validation with JWKs
• 2020 Apr - Add API to generate public key from JWKs parameters
• 2019 Aug - Remove redundant APIs and replace usages of Encoding module
• 2019 Jun - Refactor outbound authentication with custom providers and handlers
• 2019 Jun - Implement OAuth2 Inbound Authentication
• 2019 Jun - Refactor Modules for Inbound Authentication
• 2019 May - Introduce Configuration Pattern for Authn Handlers and Scopes
• 2019 May - Improve HTTP secure client for OAuth2 grant types
• 2019 May - Refactor inbound authentication with custom provider and handlers

YouTube Videos

• 2021 Mar - How Netflix Scales Its API with GraphQL Federation at QCon Plus 2021
• 2020 Aug - How to Auth: Secure a GraphQL API with Confidence at Apollo GraphQL Summit
• 2020 Apr - What's New With OAuth and OIDC? at OktaDev
• 2018 Feb - OAuth 2.0 and OpenID Connect at OktaDev
• 2017 Nov - Handling Authentication and Authorization in GraphQL at GraphQL Summit 2017

Books

• Advanced API Security: OAuth 2.0 and Beyond - 2nd Edition by Prabath Siriwardena
• Microservices Security in Action by Prabath Siriwardena and Nuwan Dias

Guides

• Ballerina HTTP Listener Auth
• Ballerina HTTP Client Auth
• How to obtain Google OAuth2.0 Credentials
• How to obtain Twilio Credentials
• How to Start OpenLDAP Server with User Data
• Cryptography

Policies

• Ballerina Security Policy
• Scope of the Ballerina Security Domain

[Internal]

• Security Vulnerability Management Process
• Open Issues/Tasks