All news with #oauth 2.0 tag

Wed, November 12, 2025

AWS ALB Adds JWT Verification for Service-to-Service Auth

🔐 Amazon Web Services added JWT Verification to the Application Load Balancer (ALB), enabling ALB to validate token signatures, expirations, and claims in request headers. The capability supports OAuth 2.0 flows including Client Credentials, letting teams offload M2M/S2S token validation to the ALB without changing application code. The feature is available in all ALB-supported AWS Regions.

Mon, November 3, 2025

OAuth Device Code Phishing: Azure vs Google Compared

🔐 Matt Kiely of Huntress examines how the OAuth 2.0 device code flow enables phishing and highlights stark differences between Microsoft and Google. He walks through the device-code attack chain — generating a device code, social-engineering a user to enter it on a legitimate site, and polling the token endpoint to harvest access and refresh tokens. The analysis shows Azure’s implementation lets attackers control client_id and resource parameters to obtain powerful tokens, while Google’s implementation restricts device-code scopes and requires app controls that significantly limit abuse. Practical examples, cURL/Python snippets, and mitigation advice are included for defenders.

Wed, September 3, 2025

Amazon MQ Adds OAuth 2.0 Support for RabbitMQ Brokers

🔐 Amazon MQ now supports OAuth 2.0 authentication and authorization for RabbitMQ brokers, allowing client and user authentication via JWT-encoded access tokens in single-instance and Multi-AZ cluster deployments. You can enable OAuth 2.0 through the AWS Console, CloudFormation, CLI, or CDK, and the feature is available in all regions where Amazon MQ is offered. Compatibility with standard RabbitMQ OAuth 2.0 implementations helps ensure a smooth migration for existing deployments.
