Everything You Ever Wanted to Know About OAuth and OIDC

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hi i'm aaron pirecki a developer advocate at octa i'm here to talk to you today about everything you ever wanted to know about oauth and openld connect so we've got a lot of stuff to cover today so let's just jump right in this is the spec and it turns out specs are actually not good at bing tutorials specs are more like a reference guide and there's a lot of terminology used in them that's often defined in other specs and one of the worst parts about oauth is that it's not actually just one spec so it can often feel like trying to wind your way through a maze trying to understand how all these pieces fit together so we're not going to talk about the specs themselves it'd be very boring i promise and so we're going to do is we're going to focus on a couple of high-level questions about why oauth exists what problems it solves and we'll cover some specific mechanisms about how oauth works so we're going to start by asking a series of questions and then diving into the answers to each question starting with why do we even need oauth in the first place so to answer this question i want to take you back in time to a time before oauth was widespread in common we used to see this kind of screen all the time an application would launch and it would ask you to enter your google password or your email password it would then take that password go over to the service and then download data from the service as if it were you we look at this now we're like we would never do that we know better than that now but it was very common at the time and people were happily giving their password to these apps because they wanted what the app was promising in a lot of cases that was to find their friend or they were just trying to upload a file somewhere or use a third-party twitter client so people were doing this people were giving their passwords away which means as developers and security experts we need to find a way to let applications accomplish the goal they're trying to accomplish which is in this case to access data in google contacts but also make sure that the application can't access other parts of the user's account like their email so this is really the problem statement that owa set out to solve which was how do we let apps access data without sharing passwords with those apps so in the old days we used to do things like this where we would have the user type in their password into the app the app would take that password and go to the service and request data obviously that's not a good solution which we clearly understand now what we would like to do is find some solution which lets the user type in their password into only the place the password came from the actual service that has the password turn that into something else that can be given to the app where the app can then go request data so oauth started off primarily as a way for third-party apps to get access to data so you'd have yelp accessing data from google contacts or last fm pulling data from spotify buffer posting to twitter it started out primarily for this third party case of one company's app wants to get data from another company's api and in that case it's clear why sharing passwords with those apps is a bad idea what's a little bit less obvious is why sharing passwords with your own first party apps is still a bad idea and in that case oauth actually solves this in a couple of really elegant ways if you imagine you have a mobile app that you are building talking to your own api and you put up a password dialog when the user first signs in they enter their password into that app and then it can maybe exchange it for some sort of session token or whatever you want to call it this is still actually problematic for a couple of reasons one you are still exposing the username password to the application in this case now i know there isn't necessarily the same trust issue that you get with third party apps but even for your own first party apps or trusted clients if you want to call it that that does still increase the attack surface of your system as a whole the more places that you have password dialogs the more places attackers can try to steal passwords from one of the much more subtle problems though is that it's training users it's okay to enter the password in dialogues that look drastically different from each other if they go enter their password on your website one day and then in your mobile app the next day how do they know that the next time something asks them for that password is actually valid i think one of the worst offenders of this is actually apple how many times a day do you see your phone ask you for your icloud password it always looks different too it's not always in the same dialogue but even more one of the more practical disadvantages of asking for passwords in apps is that it's difficult or sometimes impossible to add support for multi-factor or passwordless authentication things like web webauthn are there to create a second factor that is not possible to be phished whereas it is easy to have a user give an sms two-factor auth to a phishing attack if you imagine trying to extend your native apps password dialog to support web authent or any form of second factor you're going to have to start doing a lot of work within that app itself now let's compare this to using a proper redirect based oauth flow in the case of google for example gmail doesn't actually ask you to enter your google password when you go log into gmail gmail doesn't put up a password dialogue and asks for your google password even though it is their own app instead gmail says go over there go log into the oauth server accounts.google.com put your password in there sign in there do any sort of second factor off over on that website and then eventually you get redirected back to gmail and now you're logged in there's a couple of really cool advantages of this one it just removes all of the complexity and all the logic of dealing with second factor password resets all of that is no longer the business of the application that logic is all focused on your authorization server and if you're using for example octa as your authorization server it's entirely octave's problem to deal with and you don't have to worry about it when you're building apps another really important aspect is if you want to add a new second factor auth mechanism to the list of supported options if every app we're building second factor auth natively you have to go around to every app developer team and get them to slot that into the development schedule whereas when it's all at your oauth server you do it in that one place you turn on the feature there and all of your apps benefit can you imagine if google had to go around to every google app team and ask them to add support for the brand new web authent api that just launched it would never get done so by consolidating that at your oauth server you have one place to turn on these switches to change all these policies and all of your apps benefit okay that's a high level of why oauth is important but a very common next question is what's the difference between oauth and openid connect we often hear those used interchangeably or together so what exactly is the difference here well in order to describe this difference i want to use a real world analogy to kind of illustrate the differences here when you go to a hotel and check in you show the person at the hotel front desk your id and credit card they give you back a key card you take that key card and you go up to the room and then you swipe the key on the door and the door opens up and lets you in now this believe it or not is actually analogous to an oauth exchange the person at the front desk is the authorization server handing out these key cards which are in oauth would be the access token and then the door is the resource or the api that is trying to be accessed with that access token now in order for this system to work the door doesn't actually need to know anything about you the user or any user identity at all all it needs to know is does this key card have access right now so that key card represents delegated access to data and of course that key card might let you into other rooms in the hotel other apis it might let you access the gym or the pool but maybe not the executive lounge because that wasn't part of your access and of course when your hotel say is over the key card gets revoked and it no longer works on those doors so there's actually nowhere in oauth that talks about user identity because it's not necessary for access to data so just think about oauth as the way that applications can access data whereas open id connect talks about users open id connect is what you'll use to learn about the user their name their id their email address things like that so oauth is about accessing apis openid connect is about identifying users now the way these two work are actually very similar because openid connect is actually built on top of the oauth framework but the main thing openid connect adds is this concept of an id token so now we've got access tokens and we've got id tokens there are two different tokens and they do totally different things and importantly we say that they have different audiences that just means that the audience is the one that is meant to read or understand the token so the audience of an access token is the resource server or the api whereas the audience of an id token is the client application so client applications are never going to try to read or understand access tokens that's not their business their business is understanding id tokens and similarly you should never end up sending an id token to a resource server because that's not the intended audience of that token okay we're about ready to get into some of how oauth and open connect actually work what's the difference between public and confidential clients this is a term you'll find in oauth that talks about different security properties of different kind of applications confidential clients mean applications that are essentially running on a server basically means that it has the ability to keep a secret the application can be configured with credentials like a client secret or a certificate and it can hold on to that and keep it secret whereas public clients can't do that for example a javascript app there is no way to put in an api key or any form of credential into a javascript app and have it remain secret as soon as a user downloads that app runs it in their browser they could just view source and poke around and see anything you put into it so why is this important well when you go register an application to start a flow you'll get back a client id and possibly also a client secret the client id is a public identifier for the app the client secret is actually the application's password it is meant to authenticate that app at the oauth server so as you go create an app in octa you'll see that octa actually asks you what kind of app you're building and then based on what you choose it will then issue a client id and maybe a client secret if you if you choose native apps or single page apps you won't get a client secret because it knows there would be no way for you to keep that safe okay so what exactly is the job of the oauth client well we're going to learn a few more terms here these are the roles defined in oauth and these are importantly roles not necessarily actual pieces of software as in one piece of software may play multiple roles and depending on how your system is architected they might look totally different depending on exactly how things are laid out for example you might have a situation where github is playing the role of both an oauth server and an api github is one piece of software deployed by one company and it's playing two roles in oauth and then the application might be a third-party app like travis ci which is which is going to be accessing data from that resource server now it doesn't matter that one piece of software is playing two roles we still talk about the two roles that it plays independently similarly you might be building an iphone app that is then going to be running on the user's device not accessed over a web browser that iphone apps can talk to your own api but then octa might be the oauth server in the middle so again it looks totally different but we still always talk about the same roles that these pieces of software play so the oauth client or the application is the one that's going to be getting the access token and then making api requests that's the main job of the client it's to get an access token and then use that access token to make api requests to get or modify data the way we'll use the access token is by putting it in an http header and making that request so we know that the oauth client wants to get an access token how exactly can it do that well that's where we use one of the oauth flows that are defined so there are a few different kinds of flows in oauth depending on what kind of application it is and where the application is running the authorization code flow is the most common where it's the most used in the most different kinds of environments everything from web apps to native apps to single page apps you could even use it on the command line in some cases then there's the device flow when the application's running on a device that doesn't have a browser so that's things like your apple tv or smart devices or iot things like that the client credentials grant is used when there is no user involved in the flow when the app's not trying to access a user's data it's just trying to act on behalf of itself you will also see references to the implicit flow and password flow and those are not recommended anymore and we will talk about exactly why so i want to start by talking about how the front channel is like sending a letter in the mail well what exactly is the front channel the front channel is the idea of moving data between two pieces of software by sending that data through the browser's address bar that's in contrast to the back channel which is making an http request of course over https you can think of the back channel as a secure mechanism for communication whereas the front channel is actually sort of handing it off to the browser to deliver there's a whole bunch of benefits to using the back channel so many that we often take it for granted because that's the sort of default way we send data in web systems for example by using the back channel the application knows it's talking to the right server because we have https and certificate validation that connection is then encrypted which means we know that the data can't be modified in transit and the response that comes back can be trusted because it's again part of the same connection i like to think of the back channel as hand delivering a message where you can walk up to somebody give them a thing you can see who they are you can see that they took the message you can see that nobody came in and stole it it's generally considered a secure transaction sending data via the browser's address bar is like putting the message in an envelope sending it in the mail and just kind of hoping that it gets there and there's a problem on both sides of this transaction when you send something in the mail you don't actually know whether it got there it probably did but you can't prove it and there's no guarantee you might get a tracking number but that's also not any proof that's just a claim by the delivery company that it was delivered so just remember that when you're sending anything in the front channel you don't actually know if it got there you don't know if it was stolen or copied along the way and there's a similar problem on the receiving end when you receive something in the mail you can't actually tell where it came from sure there's a return address but that's again something that can be easily faked you have no guarantee of where it came from so you can't actually trust if the thing you're receiving is legitimate okay so if there's any problems with the front channel why do we use it at all well it turns out that it actually is a very critical part of the flow which is it's how we make sure the user was involved in the flow and gave their consent and actually logged in it's also how we of course can add two-factor auth into the mix and another important aspect is it means that the receiver doesn't actually need a publicly writable ip address as in it can work on a phone or in a single page app that doesn't have a remote endpoint that can be pushed into so now that we understand the front channel let's look at the implicit flow and see exactly what the problem with this flow is so across the top we have our roles and the goal is for this application to get an access token so they can make api requests so it starts off by the user saying hey i'm trying to use this app and they click the login button the app says great don't give me your password instead go over to the oauth server that's where the user will enter their password they might get prompted for permission and then the os server says great i'm ready to send the access token back to the app well it doesn't have a way to push the access token directly into the app instead it sends it via the front channel through the user's browser so what this means is the implicit flow sends the access token in the front channel and again it's like sending it in the mail the oauth server packaged it up handed it to the browser for the browser to deliver to the app which means the oauth server doesn't actually know if it was received or if it was stolen and the application doesn't actually know if it's from the oauth server because it's actually getting it from the browser so ideally we could do better than this we should really not be sending access tokens around in the front channel ideally we would be delivering access tokens only in the back channel so that there's a lot better security so why did the implicit flow exist it turns out it's actually for legacy reasons at this point back before cross-origin resource sharing was possible in browsers because if your token endpoints on a different domain then your application is running in order to use the back channel you have to make a cross-domain post request so let's look at a better solution to the implicit flow and that is the authorization code flow specifically the authorization code flow with pixi so what exactly is pixi well pixi is an extension to the authorization code flow that adds a couple of really important security properties to it and it is now the recommended flow for all kinds of applications so let's again walk through our sequence diagram this time showing how pixy works so again the user starts the flow by saying hey i'm trying to use the app and i click log in the app says okay hang on i'm going to generate a new secret right now and i'm going to hash that secret now a hash is a one-way operation so for example if i told you to pick 10 random numbers and add them together and tell me the sum i would not be able to reverse engineer that and tell you the 10 numbers you chose so in practice we use a much better hashing algorithm but that's the general idea so what the app is going to send in the front channel is actually now the request it makes for the user's data including that hashed value this is of course a front channel request meaning the app doesn't actually know if it's going to make it to the oauth server and the app can't tell if it's been stolen either but it's okay it's just a hash you can't reverse engineer it the os server again gets the user to log in approve the request and now the oauth server is ready to issue the access token but instead of sending the access token back what it's going to do instead is generate a temporary code and it's going to send that back in the front channel that temporary code is short-lived and valid for only one use that's what it sends in the mail so instead of sending back the token it now creates a temporary credential which it can send in the front channel where it doesn't really matter if it's stolen and the reason it doesn't matter if it's stolen is because that temporary authorization code actually can't be used unless you prove that you control that hash that you created in the first request so the application can now make a back channel request with that temporary code as well as the plain text secret to generate at the beginning the oauth server can say okay well i remember when i generated that code i saw this hash so let me calculate the hash of this seeker coming in this request and that's how it can link up the front channel request with the back channel request and then it can send the access token back in the response in the secure back channel so that's the high level of how the authorization code flow with pixy works we don't have time to go into the details but you can go to oauth.com playground and see a step-by-step walkthrough of every step of the flow so the app now has an access token but as we saw that flow involved launching a browser getting the user to log in and having the access token be delivered in the back channel which means if you're doing this on a mobile phone the user experience cost of that flow is actually quite high because if that access token expires then the user would have to start the flow over again and in mobile the user would at the very least see a pop-up dialogue in the app so ideally we'd like to have a better user experience where the user feels like they have logged in once and then they're always logged in but we don't want our access tokens to last forever because that would also be dangerous and that's where we can use refresh tokens so what exactly is a refresh token well it's basically a special type of token and its only job is to get new access tokens so using refresh tokens the idea is that when the application gets the first access token it will also get back a refresh token then when the access token expires it can take the refresh token go back to the oauth server and say hey i would like a new access token please that request will look something like this where it's a post request in the back channel of course with the refresh token and then the response will be a new access token and a new refresh token so the way you can use this especially in a mobile app let's walk through a sample flow so the user launches the app they click sign in and the app will launch a regular oauth flow so the user will sign in get redirected back to the application and the application will then get the access token and refresh token at this point the app can actually store that refresh token in the secure storage apis available on the phone user will use the app for an hour put put it away come back the next week the app knows the access token is expired so it puts up the sign in prompt this time when the user clicks it the app can say oh hang on i know that i have a refresh token i just can't access it yet so it'll prompt the user for face id unlocking that secure storage api then it can make that back channel request for the access token and get back new access tokens and new refresh tokens and the user doesn't see a password prompt or even a browser it looks like passwordless login but this is actually accomplished using refresh tokens all right the next question we're going to talk about is where is the best place for a single page app to store tokens i get this question a lot because it's not entirely obvious so single page apps have a few apis available to them to store data there is local storage session storage and cookies they all have slightly different properties but they all work fundamentally the same javascript code can write data to them and then read that data local storage is more or less permanent session storage is designed to be only active when the current window is open and then cookies are kind of the old way of doing it that are just awkward but all of these apis have the same problem which is that they are vulnerable to cross-site scripting attacks in other words if your javascript can read that access token out of that storage so can an attacker if they have cross-site scripting access so i'm not saying never store them in local storage but i am saying if you do store tokens in local storage you run the risk of an attacker who has a cross-site scripting vulnerability being able to read that those tokens as well so there's a couple alternatives to get around this limitation of having your storage be accessible via a cross-site scripting attack all of these alternatives do have trade-offs and other downsides too though one of the options is to actually use a service worker as your oauth client the reason being that service workers are a special api that are kind of isolated from your main javascript app so your main javascript code on the page actually can't access the storage available to the service worker it can send messages to the service worker it can tell it to do things but it can't read in that storage so if you make your service worker an oauth client the service worker can be the one that gets the access tokens delivered in the back channel and then when you want to make an api request your browser code tells the service worker to go make the api request and returns the data the nice thing about this is it means that if your javascript code that you're writing in the browser can't access that token then neither can an attacker it doesn't mean that you've solved all cross-site scripting vulnerabilities entirely but what it does do is it does mean that a cross-site scripting vulnerability only means that the attacker can tell your service worker to do things it can't actually get the access token itself there's another option totally different architecture here which is basically to use a back end for your front end and we do see this pattern very often because it turns out a lot of people are using front-end single-page app frameworks only as the ui layer on top of a web server based application so if you have a web server that is running code on a server that's where you can do the oauth flow from what that looks like is the single page app will kick off the flow by doing a redirect but the app server is the one in the back end that is actually doing the token request meaning the token is delivered in the back channel to the app server and in that model the access token never makes it to the single page app so when the app is ready to go and make an api request it actually tells the app server to make the api request for it and then returns the data so again you haven't solved all cross-site scripting but what you've done is it means that an attacker who finds a cross-site scripting vulnerability can only tell your app server to go make api requests it can't actually get the access token so of course all these three patterns have different trade-offs and different security properties so you do want to evaluate those to see which one makes the most sense for your architecture but that should give you some general ideas of things to look for all right that's enough about oauth i mentioned that oauth doesn't talk about users because again as we've seen everything that we've done so far has resulted in the application getting an access token or a refresh token which does not talk about users access tokens don't necessarily talk about users and there may not be any user information in them so how does the client learn who logged in that's where openid connect comes into play again oauth is always about getting an access token to access data whereas openid connect is about learning about the user so the main thing opendconnect adds is this concept of an id token and the id token might look like an access token if your access tokens are json web tokens but they are not the same thing so how do you get one well all it takes is you take an existing oauth request and you add in the scope open id you can also add in the scope profile or email if you want the user's name or email address if you start the open connect flow like this with the authorization code flow and pixie adding in the scope open id eventually you get back the authorization code and you exchange that for the access token but this time you'll also get back an id token so where is the user data well it's actually inside that id token the id token is a special encoding of json data representing the user's information it's a json web token which means it's a three-part token you've got a header a payload and a signature the header and the payload are base64 encoded json data so if you basically four decode those you'll see that it's actually just a bunch of short property names key value pairs of the user's information it's going to be things like your user id or their name or their email address and if you get this over the back channel you can basically just forget it's adjacent web token and just base64 decode the token this is my favorite way to do it because it means i don't need to bring in a json web token library i can just basically for decode the id token okay now we're going to move on to the api side of things again only apis are going to validate access tokens so your client applications if you've just done an oauth flow your client application is never going to look at the access token it's just going to use it but you're going to send that access token to an api and now we're focusing on the api side so if you are an api what is the best way to validate access tokens if your access tokens are json web tokens or some sort of structured token format you have two options to validate them the fast way or the strong way the fast way is local validation the idea is that because that token is signed you can actually check the signature using just math and determine whether it's valid because it's signed the contents can't be tampered with and it'll have expiration dates telling you if it's current or not the strong way which is also slower is the idea of actually going and asking the oauth server going over the network asking the oauth server hey is this token still valid and the os server will tell you yes or no in order to demonstrate why i call this the fast way or the strong way i want to give you an example of what happens let's say for example your tokens last eight hours and you have two different ways of validating tokens at time zero when the token is brand new your api gets a request with a token and it does local validation which is very fast and it says yes it's valid if it does remote introspection the slow but strong way it will also say the oil server will say yes it's valid great an hour goes by same thing two hours goes by and now something changes whether that's the user revoking the app or the user having one of their roles removed or these are being deleted or the app being deleted something about the system changes but because it's a json web token the token itself can't change to reflect that which means an hour later when the client brings back that access token in the api request it still looks valid because the token can't reflect the change in the system but if you were to do remote introspection the oauth server can keep track of that and can tell you that the token is no longer valid the answer to whether the token is valid is then different for the rest of the lifetime of the token until finally the token expires and then the they agree again so what does this mean for you well you don't want to always do local validation because you might always be getting the wrong answer and you also don't want to do always remote introspection because then it would just slow down your api so in practice you probably want to take a hybrid approach to get the best of both worlds and one way to do that is by using an api gateway so let's put an api gateway out in front of our apis and that's going to be handling all the traffic from the internet it's gonna be handling attackers real tokens revoke tokens just junk requests and the gateway is gonna do only the fast local validation it can then very quickly reject all the junk and just throw it out only letting through valid tokens but also those revoked tokens because there's no about revoked tokens it's going to pass those to the back end apis the backend apis will then say okay i know that i'm behind the gateway so i know that this request at least was valid when the token was issued so is that good enough or should i double check and in some cases it's good enough for example low security or low risk apis maybe don't need another check like an api that's just going to return the user's points balance that's not terribly sensitive information it also doesn't change very often so it's probably fine to skip the additional check and just return data speeding up that call however an api is going to go and charge a user's credit card or move money around definitely does not want to run with revoke tokens so that particular method will go and do the slower token introspection to go ask the oauth server if the token is valid where it can then reject that request so what you've done here is you've basically made it so that the part of the system handling the most traffic can very quickly reject and validate things but the parts that are more sensitive that require additional security can do the slower introspection and that way you've kind of balanced things out and you get the best of both worlds another aspect closely related to this is how long access tokens and refresh tokens should last i'm not going to tell you the answer because it turns out there's actually many different answers but i do want to give you some tools to think about this for yourself the main consideration here is that the longer access tokens last the longer that window in which local validation might be giving you the wrong answer so the shorter the access token lifetime the higher the security because you've reduced the window in which it might be giving you the wrong answer but shorter access tokens means more network traffic and potentially a worse user experience refresh tokens can help balance out the short access token lifetime but refresh tokens are adding a new variable here of do you trust the application to hold onto refresh tokens how much risk you want to take there so it turns out that it's actually a lot of complicated things to balance and the good news is you don't have to make only one decision for example you might decide that you're admin users who have more privileges in the system who are higher risk you might want to go higher on the security spectrum for them so you give them shorter access token lifetimes and refresh tokens that are capped at one day and basically forces the user to be at the computer once a day and the application can't keep using refresh tokens without the user being there that would be very annoying for your consumer users who don't want to have to log into the app every day like if you had to log into your amazon account every day you would stop browsing it because it would just be frustrating so for your consumer users you might want longer access tokens to reduce network traffic because they're also higher volume and you actually might want refresh tokens that last forever that way you can give them the best user experience of having them log in once and feel like they've logged in forever but even though they're consumer users they can still do higher risk things like making a purchase so you actually then may want to dial up the security for particular operations so you can make a scope on your server that is required in order to use the checkout operation and if that scope is requested change the token lifetime to something a lot shorter and these are all things you can do with an octa by changing these policies around token lifetimes you can say depending on the application depending on the flow depending on the user group so using all these different criteria you can actually change your token lifetimes to match your security requirements one of my favorite parts about this is actually the one at the bottom that says refresh tokens are unlimited only if used every seven days so if an application is actually active every week then the user never has to log in again but as soon as the user puts their phone away for a week and stops using the app when they come back a month later they will have to log in and that's a nice way to balance out again the risk of unlimited refresh tokens without having to bother the user to actually log in every week last we're going to answer the question how you can learn more i've got a whole bunch of great resources for you and i'm going to leave you with all of these links first oauth.com playground if you want to see a step-by-step walkthrough of a bunch of the oauth flows this will simulate all the flows by letting you see step by step how they work oath.net is the community website of oauth that's where you'll find a lot of good links out to blog posts videos sample code sample libraries a lot of good information there about all the different aspects of oauth myself and our team we write a lot of blog posts on the octa developer blog and you'll find things like tutorials for different languages and frameworks also just general oauth concepts general security concepts it's also a great resource you can find a bunch of our videos on our youtube channel we make a lot of videos again some of them are tutorials some of them are happy hours or we just do live q a there's a lot of great resources there so please subscribe to us on youtube the octan developer account is another great resource for you it will give you your own little playground where you can try stuff out try these policies try changing things around see how it works mess it up make mistakes whatever it doesn't matter because it will only affect you in your own little development environment if you're interested in learning more about oauth and also trying out some hands-on exercises i actually have an entire video course available so go check out this link this course goes way more into depth on everything we talked about in the session and more and there's a whole bunch of hands-on exercises for you to do to actually try out some oauth flows on your own i also have a book about oauth at oauth2simplify.com you can find print version as well as epub or pdf versions there it's also available online at oauth.com for free as a website so again go check that out a lot of great information there and i will end there thank you all so much for coming to the session i'll be here answering questions so make sure to stick around or find me on youtube on the octa developer channel and come ask questions during our next live q a thanks so much

Info

Channel: OktaDev

Views: 28,752

Rating: undefined out of 5

Keywords: API security, IAM, Okta, Oktane, Oktane21, SaaS, Zero Trust, access management, authentication, cloud identity, customer identity, cybersecurity, developer, digital identity, identity, identity and access management, identity management, remote event, security, technology, virtual conference, virtual event, workforce identity

Id: 8aCyojTIW6U

Channel Id: undefined

Length: 33min 21sec (2001 seconds)

Published: Fri Apr 09 2021