I’ve written the occasional OAuth2 client application over the years but never really understood what was going on with client-ids, secrets, grants, scopes, and so forth. However I’m currently involved in a project to migrate a large IT system to using OAuth2 and OpenID Connect, so it is clearly time to learn this stuff properly.

After some long research, I have written an architectural introduction to OAuth2 and OpenID Connect summarizing what I have learned - mainly for myself, but maybe you will find it helpful too. Warning: it is pretty long (17,000 words)!

I’ve finally got around to learning Kotlin, a popular language best known for running on the JVM and competing with Java.

Not only is Kotlin a “better Java”, it is also the recommended language for writing programs for the Android platform. It can also be compiled to Javascript, ie can compete with things like Typescript as a “type-safe language for browser-hosted code”. Interestingly, it is also working on “native” support for compiling to various machine-codes (eg x86, ARM). Most interestingly of all, it is working on compiling to WebAssembly for high-performance cross-platform applications.

My personal notes on Kotlin are available, but they are probably not of interest to anyone but me.

What might be interesting is that I recently converted a demo Spring/JPA program from Java to Kotlin.

• Java SLOC: 1368
• Kotlin SLOC: 1075

Change: (1075 - 1368)/1368 = 21% fewer lines of code

That’s not world-changing, but definitely worth having.

In general, I found the Kotlin version of this app easier to read, and less likely to have bugs. Programming was also more fun. I’ll be using Kotlin where possible in the future.

It’s been a busy week or two for me. Here are several new articles whose only common point is that I worked on these topics recently:

• Docker Repos, Minikube and Authentication
• VPN Routing on Linux (and how to fix Cisco OpenConnect DNS problems)
• Unleash - a cool tool to implement the Feature Toggle pattern
• Integrate Thunderbird with Outlook email/calendar/contacts

A useful discovery I made recently: if you need a relational database for demo or testing purposes, then Postgres publishes a really convenient official Docker image. What it not immediately clear is that this image has a mechanism for running arbitrary SQL scripts on startup - which is great for defining tables.

It is therefore trivial to create an image that others (eg developers or sales) can quickly deploy, that contains not only a database server but also whatever initial schema you need.

Question: does the following Java/Spring-Data code actually throw a DuplicateAccount exception when a DB uniqueness constraint is violated?

public Account addAccount(..) throws DuplicateAccount {
  try {
    Account account = ...
    accountDao.save(account);
  } catch(DataIntegrityViolationException e) {
    throw new DuplicateAccount();
  }
}

The answer is - it depends.

I run my own email-server - and it is rather a complicated business. For those interested, I have recently documented my research on the topic of email validation using SPF, DKIM and DMARC - or in other words, how to block incoming spam and how to avoid having outgoing email be blocked by others.

There has recently been a strong trend towards forcing the use of a modern mobile phone for authenticating to online banking.

I’ve been rather cautious about this, and currently use a dedicated “tan generator” device which my bank reluctantly offers as an alternative. The principal problem I have with using an application on a phone as an authentication mechanism is:

• a phone typically has many other apps installed on it, and
• phone operating systems have security holes (eg android and iphone)

However it appears that things are improving in this area, at least with the Android mobile OS: Android’s Trusted Execution Environment, Strongbox API, and phones with embedded security chips (eg Google’s Pixel3) make rogue apps (even with root-level access) far less of a problem.

Update 2019-12-07: Android vulnerability used to drain bank accounts

Talend is a company that produces a suite of software for performing ETL (extract/transform/load) and related data transformation and management operations.

I was recently involved in a project whose design included Talend components, and therefore spent some time learning about the product.

In the end, I didn’t like it very much. However if you need to deal with Talend, you might find my overview of Talend’s features and architecture and installation tips useful.