OAuth2 and OIDC

I’ve written the occasional OAuth2 client application over the years but never really understood what was going on with client-ids, secrets, grants, scopes, and so forth. However, I’m currently involved in a project to migrate a large IT system to using OAuth2 and OpenID Connect, so it is clearly time to learn this stuff properly.

After some long research, I have written an architectural introduction to OAuth2 and OpenID Connect summarizing what I have learned - mainly for myself, but maybe you will find it helpful too. Warning: it is pretty long (17,000 words)!

Learning Kotlin

I’ve finally got around to learning Kotlin, a popular language best known for running on the JVM and competing with Java.

Not only is Kotlin a “better Java”, it is also the recommended language for writing programs for the Android platform. It can also be compiled to JavaScript, i.e. it can compete with things like TypeScript as a “type-safe language for browser-hosted code”. Interestingly, the Kotlin project is also working on “native” support, compiling directly to machine code for various targets (e.g. x86, ARM). Most interestingly of all, it is working on compiling to WebAssembly for high-performance cross-platform applications.

My personal notes on Kotlin are available, but they are probably not of interest to anyone but me.

What might be interesting is that I recently converted a demo Spring/JPA program from Java to Kotlin.

  • Java SLOC: 1368
  • Kotlin SLOC: 1075

Change: (1075 - 1368)/1368 = -0.214, i.e. about 21% fewer lines of code

That’s not world-changing, but definitely worth having.

In general, I found the Kotlin version of this app easier to read, and less likely to have bugs. Programming was also more fun. I’ll be using Kotlin where possible in the future.

A bunch of stuff - Docker Repos, VPNs, Feature Toggles and Thunderbird

Creating a Demo Database with Postgresql and Docker

A useful discovery I made recently: if you need a relational database for demo or testing purposes, there is a really convenient official PostgreSQL Docker image (postgres on Docker Hub). What is not immediately clear is that this image has a mechanism for running arbitrary SQL (and shell) scripts on first startup, which is great for creating the schema and any seed data.

It is therefore trivial to create an image that others (eg developers or sales) can quickly deploy, that contains not only a database server but also whatever initial schema you need.
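The mechanism in question is the directory /docker-entrypoint-initdb.d/ in the official image: every *.sql or *.sh file found there is executed, in alphabetical order, the first time the container starts with an empty data directory. The following script is an added example, not something from the original post or from the postgres image maintainers; the table, the image tag postgres:16, the directory name initdb and the throwaway password are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example: build a self-contained demo PostgreSQL image whose schema is
# created by the official image's init hook. Files copied into
# /docker-entrypoint-initdb.d/ run once, as the database superuser, against
# $POSTGRES_DB, and only when the data directory is empty (first start).
set -eu

# Write the schema script into the build context given as $1.
# The entrypoint runs it with psql -v ON_ERROR_STOP=1, so a typo fails the init.
write_schema() {
  mkdir -p "$1/initdb"
  cat > "$1/initdb/01-schema.sql" <<'SQL'
-- Constructed demo schema (not from the original post).
CREATE TABLE account (
    id       serial PRIMARY KEY,
    username text NOT NULL UNIQUE,          -- the constraint a demo app can trip over
    created  timestamptz NOT NULL DEFAULT now()
);
INSERT INTO account (username) VALUES ('alice'), ('bob');
SQL
}

# Write the Dockerfile: the only thing added on top of the official image is
# the init directory, so the image itself contains no data and no secrets.
write_dockerfile() {
  cat > "$1/Dockerfile" <<'DOCKER'
FROM postgres:16
# Scripts here execute in alphabetical order on first initialisation only.
COPY initdb/ /docker-entrypoint-initdb.d/
DOCKER
}

# Build and start the image. Needs a docker daemon, so it is not called below;
# run: demo_build_and_run ./demo-pg-context
demo_build_and_run() {
  docker build -t demo-postgres "$1"
  # POSTGRES_PASSWORD is mandatory. This value is for a throwaway demo only;
  # pass real credentials via secrets, never bake them into the image.
  docker run --rm -d --name demo-pg -p 5432:5432 \
    -e POSTGRES_PASSWORD=demo -e POSTGRES_DB=demo demo-postgres
}

CTX="${1:-./demo-pg-context}"
write_schema "$CTX"
write_dockerfile "$CTX"
```

Two caveats worth knowing before handing such an image to others: the init scripts run with superuser rights inside the container, so review anything you put there as you would a migration; and they run only against an empty data directory, so after changing the schema script you must start from a fresh volume (or `docker run --rm` as above) to see the change.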

Spring Transactions and Exceptions

Question: does the following Java/Spring-Data code actually throw a DuplicateAccount exception when a DB uniqueness constraint is violated?

public Account addAccount(..) throws DuplicateAccount {
  try {
    Account account = ...
  } catch (DataIntegrityViolationException e) {
    throw new DuplicateAccount();
  }
}

The answer is - it depends: on whether the INSERT is actually executed inside the try block, or is deferred until the transaction commits after the method has already returned.
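The following service class is an added example, not code from the original post; it spells out what the answer depends on. Assumed names: an entity Account with a UNIQUE username column, a Spring Data repository AccountRepository extending JpaRepository<Account, Long>, a checked exception DuplicateAccount with a (String, Throwable) constructor, and Hibernate as the JPA provider.

```java
// Added example, not code from the original post. Assumed names: entity Account
// (UNIQUE username column), AccountRepository extends JpaRepository<Account, Long>,
// checked exception DuplicateAccount(String, Throwable), Hibernate as JPA provider.
import org.springframework.dao.DataIntegrityViolationException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class AccountService {

    private final AccountRepository repo;

    public AccountService(AccountRepository repo) {
        this.repo = repo;
    }

    // Same shape as the snippet above. Whether the catch block ever runs depends
    // on when the INSERT is sent to the database:
    //  - no surrounding transaction: repo.save() runs in its own transaction
    //    (SimpleJpaRepository is @Transactional), commits inside the call, and the
    //    constraint violation is translated to DataIntegrityViolationException
    //    right here -> caught.
    //  - @Transactional and an IDENTITY-generated id: Hibernate must INSERT at
    //    once to obtain the id -> caught.
    //  - @Transactional and a sequence/table-generated id: persist() is only
    //    queued; the INSERT happens at flush, i.e. at commit inside the
    //    transaction proxy AFTER this method has returned -> the catch never runs
    //    and the caller sees DataIntegrityViolationException, not DuplicateAccount.
    @Transactional
    public Account addAccountMaybe(String username) throws DuplicateAccount {
        try {
            return repo.save(new Account(username));
        } catch (DataIntegrityViolationException e) {
            throw new DuplicateAccount(username, e);
        }
    }

    // Deterministic version: flush inside the try so the INSERT, and hence the
    // violation, happens where it can be caught. rollbackFor is required because
    // DuplicateAccount is a checked exception: by default Spring would try to
    // COMMIT on it, but Hibernate has already marked the transaction
    // rollback-only after the failed flush, so the caller would get a Spring
    // transaction exception (e.g. UnexpectedRollbackException) instead.
    @Transactional(rollbackFor = DuplicateAccount.class)
    public Account addAccount(String username) throws DuplicateAccount {
        try {
            return repo.saveAndFlush(new Account(username));
        } catch (DataIntegrityViolationException e) {
            throw new DuplicateAccount(username, e);
        }
    }
}
```

The practical rule: if you want to map a database constraint to a domain exception, make sure the statement is flushed inside the try block (saveAndFlush(), or an explicit EntityManager.flush()), and tell Spring to roll back on the domain exception. Relying on the catch firing without the flush is exactly the case where the code works in one test setup (IDENTITY ids, no outer transaction) and silently stops working in another.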

Email Validation - SPF, DKIM and DMARC

I run my own email server - and it is rather a complicated business. For those interested, I have recently documented my research on the topic of email validation using SPF, DKIM and DMARC - or in other words, how to block incoming spam and how to avoid having outgoing email be blocked by others.

Online Banking and Mobile Security

There has recently been a strong trend towards forcing the use of a modern mobile phone for authenticating to online banking.

I’ve been rather cautious about this, and currently use a dedicated “TAN generator” device which my bank reluctantly offers as an alternative. The principal problems I have with using an application on a phone as an authentication mechanism are:

  • a phone typically has many other apps installed on it, and
  • phone operating systems have security holes (e.g. Android and iPhone)

However, it appears that things are improving in this area, at least with the Android mobile OS: Android’s Trusted Execution Environment, the StrongBox Keymaster API, and phones with embedded security chips (e.g. Google’s Pixel 3) make rogue apps (even with root-level access) far less of a problem.

Update 2019-12-07: Android vulnerability used to drain bank accounts

Talend Software Suite

Talend is a company that produces a suite of software for performing ETL (extract/transform/load) and related data transformation and management operations.

I was recently involved in a project whose design included Talend components, and therefore spent some time learning about the product.

In the end, I didn’t like it very much. However if you need to deal with Talend, you might find my overview of Talend’s features and architecture and installation tips useful.