The authentication or login process is similar to the registration process. Using the JavaScript libraries, the authenticator passes identifying information to the relying party. The relying party returns a challenge, which should be validated by the user, processed by the authenticator, and finally validated by the relying party. User verification is checked from the options, but a majority of the options have been reduced as no credentials are generated or saved on either end.
\nSetting up WebAuthn for your Application
\nWhen setting up WebAuthn as an authentication method for your application, two considerations are to use the standard as a primary registration and authentication method or as a second-factor authentication method.
\nAs a primary authentication method, the authenticator identification and credentials are stored by the server at the same time the user account is created.
\nTo begin, use the Web Authentication API to initiate the flow:
\nLet publicKeyCredentialCreationOptions = {\n user: {\n id: “1234”,\n name: "example@example.com",\n displayName: "example",\n },\n authenticatorSelection: {\n authenticatorAttachment: "platform",\n },\n attestation: "direct"\n};\n\nconst credential = await navigator.credentials.create({\n publicKey: publicKeyCredentialCreationOptions\n});For this section, the creation options are generated by the client. In other scenarios, including this blog's example, the options are generated from the relying party by retrieving them via an API call.
\nAfter the browser triggers this code, the authenticator will be prompted for validation. Since the authenticatorAttachment is set to 'platform', it would use the device's authenticator, like Windows Hello or an Android fingerprint scan.
\nThe data returned from the creation of the credentials will have a structure like this:
\nPublicKeyCredential {\n id: 'ADSUllKQmbqdGtpu4sjseh4cg2TxSvrbcHDTBsv4NSSX9...',\n rawId: ArrayBuffer(59),\n response: AuthenticatorAttestationResponse {\n clientDataJSON: ArrayBuffer(121),\n attestationObject: ArrayBuffer(306),\n },\n type: 'public-key'\n}This object should be passed to the relying party to complete the registration. The relying party verifies that the credentials passed in are correct and stores the identifier and credentials in the data store. In addition to storing the credentials object, any other registration variables should be passed in this step to register on your data store.
\nTo use this flow as part of a second-factor authentication process, the user account should be created before initiating this process with an already existing authentication method, like a password system. After the user account is created, running this flow should update the current user in the data store with the credential data. This will allow the second-factor authentication credentials to be configured and triggered after a password login.
\nMost programming languages have a library built that supports WebAuthn for a relying party server. For example, Duo has created them for Python and Go. Using one of these libraries during the development of the relying party server will simplify the process. These resources also provide demos on how to implement their libraries to handle the credential data generated by the JavaScript Web Authentication APIs.
Conclusion
\nAlthough the usage of WebAuthn is not widespread at the moment, the potential to authenticate a user passwordless or with the extra security of an authenticator allows it to be a strong contender in the future over regular password authentication flows. Hopefully, this blog helps you get started on your authentication apps with WebAuthn.
\n","frontmatter":{"date":"December 09, 2020","updated_date":null,"description":"Web authentication, or WebAuthn in short. A go-to guide for developers to learn more about WebAuthn API, and how to set it up in their services..","title":"WebAuthn: A Guide To Authenticate Your Application","tags":["WebAuthn","FIDO","Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/07ab3c5a163821d532aedbc23c7a48be/ee604/webauthn-logo.png","srcSet":"/static/07ab3c5a163821d532aedbc23c7a48be/69585/webauthn-logo.png 200w,\n/static/07ab3c5a163821d532aedbc23c7a48be/497c6/webauthn-logo.png 400w,\n/static/07ab3c5a163821d532aedbc23c7a48be/ee604/webauthn-logo.png 800w,\n/static/07ab3c5a163821d532aedbc23c7a48be/f3583/webauthn-logo.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Chris Yee","github":null,"avatar":null}}}},{"node":{"excerpt":"Introduction You need to stay on guard and ensure that your company's data is safe. Confining data security best practices to the…","fields":{"slug":"/identity/data-security-best-practices/"},"html":"Introduction
\nYou need to stay on guard and ensure that your company's data is safe. Confining data security best practices to the organization's size never helped in the past, nor will it work in the future.
\nYou should be everywhere, from the server to the endpoint, across the web, at the office, and your consumer's system—blocking every loophole that's possibly out there.
\nWhy? Because the risk is real—and growing. It is no secret that though cybercriminals often target large businesses, smaller organizations are also attractive to them. The logic is simple. Small businesses usually follow a common \"not much to steal\" mindset by using fewer controls and easy-to-breach data protection strategies.
\nHackers accumulate consumer information with the clear intent of financially abusing organizations and consumers at large. In fact, according to Verizon's breach report, 71 percent of breaches are usually financially motivated.
\nClearly, what cybercriminals gain is what consumers lose, and those losses add up.
\nWhat is Data Security?
\nData security refers to the protective measures taken to safeguard digital information from unauthorized access, corruption, or theft throughout its lifecycle. It encompasses various technologies, processes, and practices designed to ensure the confidentiality, integrity, and availability of data. In the digital age, where information is a valuable asset, data security has become paramount for organizations to protect sensitive information from cyber threats.
\nData security involves implementing controls and procedures to prevent unauthorized access, modification, or destruction of data. This includes encryption to encode data into an unreadable format, access controls to restrict who can view or modify data, and authentication mechanisms to verify the identity of users accessing the data.
\nThe Importance of Data Security for Enterprises
\nIn today's interconnected and data-driven world, enterprises rely heavily on digital data for their operations, decision-making, and competitive advantage. This reliance on data also brings significant risks, as cyber threats continue to evolve and become more sophisticated.
\nEnterprises often store vast amounts of sensitive data, including customer information, financial records, intellectual property, and strategic plans. Data breaches can lead to severe consequences such as financial loss, reputational damage, legal repercussions, and loss of customer trust.
\nWhere Does Your Data Go and Who Uses It
\nIt is impossible to protect something that you do not know exists. Therefore, you need to recognize your data and its sensitivity with a high degree of accuracy.
\nYou should know exactly how your data is used, who is using it, and where it is shared. Dig out data from everywhere, including the multiple devices and cloud services, and categorize those according to their sensitivity and accessibility.
\nNext, build data security best practices, programs, and protocols around it.
\nCommon Database Security Threats
\n- \n
- SQL Injection: Malicious code is inserted into web inputs, exploiting vulnerabilities to access and manipulate databases. \n
- Data Breaches: Unauthorized access to sensitive data, often due to weak passwords or software vulnerabilities, leads to theft and misuse. \n
- Unauthorized Access: Weak access controls or misconfigurations allow unauthorized users to view, modify, or delete data. \n
- Malware: Viruses and ransomware infect databases, causing data corruption, theft, or encryption for ransom. \n
- Insider Threats: Employees with access misuse privileges, intentionally or not, compromising data security. \n
9 Data Security Best Practices to Prevent Breaches in 2024
\nSo, how do you avoid becoming a victim of cyberattacks? Here's our data security best practices checklist for 2024.
\n1. Identify sensitive data and classify it.
\nYou need to know precisely what types of data you have in order to protect them effectively. For starters, let your security team scan your data repositories and prepare reports on the findings. Later, they can organize the data into categories based on their value to your organization.
\nThe classification can be updated as data is created, changed, processed, or transmitted. It would help if you also came up with policies to prevent users from falsifying the degree of classification. Only privileged users should, for instance, be allowed to upgrade or downgrade the data classification.
\n2. Data usage policy is a must-have.
\nOf course, data classification on its own is not adequate; you need to develop a policy that defines the types of access, the classification-based criteria for data access, who has access to data, what constitutes proper data use, and so on. Restrict user access to certain areas and deactivate when they finish the job.
\nDon't forget that there should be strong repercussions for all policy breaches.
\n3. Monitor access to sensitive data.
\nYou need to offer the right access control to the right user. Limit access to information based on the concept of least privilege—that means only those privileges necessary for performing the intended purpose should be offered. This will ensure that the right user is using data. Here's are a few necessary permissions that you can define:
\n- \n
- Full control: The user can take total ownership of the data. This includes storing, accessing, modifying, deleting data, assigning permissions, and more. \n
- Modify: The user can access, modify, and delete data. \n
- Access: The user can access but cannot modify or delete data. \n
- Access and modify: The user can access and modify data but cannot delete it. \n
4. Safeguard data physically.
\nPhysical security is often overlooked when discussing data security best practices. You can start by locking down your workstations when not in use so that no devices are physically removed from your location. This will safeguard your hard drives or other sensitive components where you store data.
\nAnother useful data security practice is to set up a BIOS password to prevent cybercriminals from booting into your operating systems. Devices like USB flash drives, Bluetooth devices, smartphones, tablets, and laptops, also require attention.
\n5. Use endpoint security systems to protect your data.
\nYour network's endpoints are constantly under threat. Therefore, it is important that you set up a robust endpoint security infrastructure to negate the chances of possible data breaches. You can start by implementing the following measures:
\n- \n
- Antivirus software: Make sure to install antivirus software on all servers and workstations. Conduct regular scans to maintain the health status of your system and fish infections such as ransomware, if any. \n
- Antispyware: Spyware is a kind of malicious computer software that usually gets installed without the user's knowledge. Its purpose is typically to find details about user behavior and collect personal information. Anti-spyware and anti-adware tools can help you remove or block those. Install them. \n
- Pop-up blockers: Pop-ups are unwanted programs that run on your system for no apparent reason other than jeopardizing the system's well-being. Install pop-up blockers to keep safe. \n
- Firewalls: Firewalls provide a barrier between your data and cybercriminals, which is why it is one of the highly recommended data security best practices by most experts. You can also install internal firewalls to provide additional protection. \n
6. Document your cybersecurity policies.
\nWord of mouth and intuitional knowledge isn't the right choice when it comes to cybersecurity. Document your cybersecurity best practices, policies, and protocols carefully, so it's easier to provide online training, checklists, and information-specific knowledge transfer to your employees and stakeholders.
\n7. Implement a risk-based approach to security.
\nPay attention to minute details like what risks your company may face and how they may affect employee and consumer data. This is where proper risk assessment comes into play. Here are a few things risk assessment allows you to take up:
\n- \n
- Identify what and where your assets are. \n
- Identify the state of cybersecurity you are in. \n
- Manage your security strategy accurately. \n
A risk-based approach allows you to comply with regulations and protect your organization from potential leaks and breaches.
\n8. Train your employees.
\nEducate all employees on your organization's cybersecurity best practices and policies. Conduct regular training to keep them updated on new protocols and changes that the world is adhering to. Show them examples of real-life security breaches and ask for feedback regarding your current security system.
\n9. Use multi-factor authentication.
\nMulti-factor authentication (MFA) is considered one of the most advanced and proven forms of data protection strategies. MFA works by adding an extra layer of security before authenticating an account. This means even if the hacker has your password, they will still need to produce a second or third factor of authentication, such as a security token, fingerprint, voice recognition, or confirmation on your mobile phone.
\nConclusion
\nData security best practices aren't just confined to the list of precautionary steps above. There's more to it, including conducting regular backups for all data, encryption in transit and at rest, enforcing safe password practices, and the likes.
\nBut then, you need to understand that cybersecurity is not about eliminating all threats—that's not achievable. It also is something that you should not ignore. By taking the right security measure, you can at least mitigate risks to a large extent.
\nFAQs
\n1. What are the five practices to ensure security for enterprise networks?
\nUse strong passwords, implement firewalls, update software regularly, monitor network traffic, and conduct regular security audits.
\n2. What is the best practice for data security?
\nThe best practice is a combination of encryption, access control, regular backups, and employee training.
\n3. How to secure data in an enterprise?
\nSecure data by encrypting sensitive information, using access controls, implementing multi-factor authentication, and maintaining physical security of devices.
\n4. What is the security of data used in an enterprise?
\nData security in an enterprise involves protecting sensitive information through various measures such as encryption, access controls, and monitoring.
\n\n","frontmatter":{"date":"December 09, 2020","updated_date":null,"description":"Confining data security best practices to the organization's size never helped in the past, nor will it work in the future. What cybercriminals gain is what consumers lose, and those losses add up.","title":"9 Data Security Best Practices For your Business","tags":["data security","cybersecurity","cx"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.3986013986013985,"src":"/static/c00584cc6ade1c166e9cdb0b9a7ab61f/9a31d/9-data-security-best-practices-for-2021.jpg","srcSet":"/static/c00584cc6ade1c166e9cdb0b9a7ab61f/f836f/9-data-security-best-practices-for-2021.jpg 200w,\n/static/c00584cc6ade1c166e9cdb0b9a7ab61f/2244e/9-data-security-best-practices-for-2021.jpg 400w,\n/static/c00584cc6ade1c166e9cdb0b9a7ab61f/9a31d/9-data-security-best-practices-for-2021.jpg 767w","sizes":"(max-width: 767px) 100vw, 767px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}},{"node":{"excerpt":"Today, smartphones have become a mini replica of a fully functional computer. A smartphone has wifi connectivity, web browsing capabilities…","fields":{"slug":"/identity/how-to-stop-phone-hacking/"},"html":"Today, smartphones have become a mini replica of a fully functional computer. A smartphone has wifi connectivity, web browsing capabilities and the ability to run applications that provide a wide range of functions. That's great news for consumers who have active online lifestyles.
\nBut there's bad news too—smartphones have become a data treasure for hackers. It's a target that's hard for them to ignore. For example, hackers use smartphones as “entry points” to attack banks or other organizations for data. They send malicious messages from the victim’s phone - making the user accountable for the theft.
\nHackers do not even have to steal the victim's phone to download malware. They just have to plant viruses on websites designed to infect the smartphones and wait for the user to simply click a link on their phone. Such hidden mobile applications accounted for half of consumer mobile threats in 2019.
\n6 Signs That Confirm Your Smartphone Has Already Been Hacked
\nIf your smartphone is displaying one or more of the following unusual behavior, there is a possibility that your device has already been hacked.
\n1. Noticeable decrease in battery life
\nIf your phone has been compromised by malware, the battery will drain faster than usual. This is because the malware uses the phone's resources to transmit sensitive information back to the hackers' server. So, if the phone usage habits have remained the same, but a noticeable and constant decrease in battery life is seen, then hacking may be the reason.
\n2. Sluggish performance
\nMalware and other hacking tools work in the background while using the smartphone's resources and battery power. This reduces performance significantly. Unexpected freezing of apps or crashes, phone restarting, or device heating up are also the signs that you need to keep an eye out for.
\n3. High data usage
\nUnusually high data usage by a smartphone can be a sign of hacking. Malicious software might be using data in the background to record activities and send information to the hacker.
\n4. Outgoing calls or texts you didn’t send
\nStrange behavior like outgoing calls or texts, which have not been sent by the smartphone user, can be hackers tapping into the phone. These calls or texts could be premium-rate numbers that malware is forcing your smartphone to contact. The earnings would be directed to the hacker’s account.
\n5. Mystery pop-ups
\nConstant pop-up alerts could indicate that the smartphone has been infected with adware, a form of malware. Hackers use adware to force users into viewing web pages that drive revenue through clicks. While all pop-ups are not necessarily malware attacks, some may also be phishing for identity attempts to attract users to give away sensitive information.
\n6. Unusual activity on any accounts linked to the device
\nIf the phone has been hacked, hackers would be able to access social media, email, or apps, putting you at risk for identity fraud. Activities such as resetting passwords, emails being sent or read without the users' knowledge, or new account sign-ups are all signals which indicate that the phone is in the wrong hands.
\nWhat to Do if Your Phone Is Hacked
\nIf you witness any of the above signs on your smartphone, there is a high possibility that your phone has been hacked. You need to take the appropriate steps to eliminate the malware that has attacked your phone. Some of the steps which you can follow are:
\n- \n
- Download a mobile security app from a trusted site, which not only scans for malware but offers additional features like a call blocker, firewall, VPN and a feature to request Pin Based Authentication for accessing sensitive apps like online banking. \n
- Change passwords as soon as possible. \n
- Remove suspicious apps. \n
- Inform friends and contacts that you have been hacked. This warning would help your contacts ignore suspicious messages sent by the malware to their phones. \n
- Carry out an in-depth maintenance check from your smartphone store. \n
- If everything fails, a factory reset will help to sort the problems. \n
8 Ways To Stop Someone From Hacking Your Phone Again
\nMany smartphone users believe that their mobile service providers should deploy cyber-protection. However, it is also the responsibility of the users to protect themselves from hackers. There are many different ways a hacker can get into your phone and steal personal and critical information.
\nHere are a few safety tips to ensure that you do not become a victim of phone hacking:
\n1. Keep up to date – and don’t dig in holes yourself.
\nPhones work on the same principle as a computer operating system. Whenever software updates for phone operating systems are available, users need to get their phones updated directly from the manufacturer's website. Hackers exploit vulnerabilities in out-of-date operating systems. Therefore, downloading the latest patches would be of great help in keeping your phone safe.
\n2. Be careful of what you install.
\nInstallation of any smartphone app requires users to grant permissions, including reading files, access the camera, or listening to the microphone. There are legitimate uses for these capabilities, but they're potentially open to misuse. Users need to be careful before approving such requests. Always download apps from a trusted source.
\n3. Review what’s already on your phone.
\nUsers need to keep track of the apps already downloaded on their smartphones. It may have been safe when installed the first time, but subsequent updates could have infected the smartphone. Always keep track of what permissions have been given to the apps while accessing the operating system of the smartphone. Various security apps would have helped provide an overview of the permissions, but users need to download such apps from trusted sites.
\n4. Make it hard for intruders to get in.
\nUsers should ensure that they keep their phone locked when not in use and also set a strong passcode. Smartphones are basically like computers, and hence, need antivirus and malware protection. Install a good antivirus package onto your smartphones to make it difficult for hackers to get in. Use lock patterns, facial recognition or voice recognition to add an extra level of access security for your smartphone.
\n5. Be prepared to track and lock your phone.
\nServices like ‘find my device’ are provided by smartphone manufacturers to help users locate their stolen phone on a map and remotely erase their data. All users need to do is set their phone to automatically erase itself after a certain number of incorrect access attempts. It is also possible to make a phone ring even if it is kept on silent. It is helpful in tracking down phone that was just stolen.
\n\n6. Don’t leave online services unlocked.
\nAuto-login is a convenient feature that automatically logs in without entering the password as they are already saved in the browser. It is a huge security risk because hackers simply need to open the browser to access all the online accounts. Instead of using auto-login features, users should use a password manager app that requires them to re-enter a master password regularly.
\n7. Beware of open wifi.
\nUsing an open wireless network allows anyone in the vicinity to snoop on what you are doing online. At times, hackers open their own free wireless \"hotspots\" to attract users to access their wifi. Once connected, they can easily hack into phones.
\nSo, whenever you are not sure about the security of the wireless network, use your phone’s mobile internet connection. It will be a much safer and secure option. Users can also opt for VPN tools which route the traffic through a private encrypted channel. Turning on two-factor authentication for online accounts will also help protect your privacy on public wifi. Users should turn off bluetooth and personal hotspot functions when not required.
\n8. Lock individual apps.
\nLocking your phone is important but as a secondary security measure, lock individual apps too. This capability can be implemented by using apps from a trusted source as they are not an inbuilt feature of the operating system.
\nConclusion
\nSmartphones have become an essential part of our daily lives. Once you know about how your phone can be hacked, you can take various safety precautions to protect it from data theft. Furthermore, it will also keep your data secure from opportunist thieves or state-sponsored spies!
\n\n","frontmatter":{"date":"December 09, 2020","updated_date":null,"description":"Hacking your smartphone may feel like someone has stolen your home. Go through this checklist to protect your phone from being hacked.","title":"How To Make Sure Your Phone Isn’t Hacked","tags":["data security","cybersecurity","authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/a1b502e626c8edfb38f83cf0ff4c4903/33aa5/stop-phone-hacking.jpg","srcSet":"/static/a1b502e626c8edfb38f83cf0ff4c4903/f836f/stop-phone-hacking.jpg 200w,\n/static/a1b502e626c8edfb38f83cf0ff4c4903/2244e/stop-phone-hacking.jpg 400w,\n/static/a1b502e626c8edfb38f83cf0ff4c4903/33aa5/stop-phone-hacking.jpg 768w","sizes":"(max-width: 768px) 100vw, 768px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}},{"node":{"excerpt":"Let's walk through how to build and push Docker images programmatically using Go. To do this, we need to talk to the Docker daemon via the…","fields":{"slug":"/engineering/build-push-docker-images-golang/"},"html":"Let's walk through how to build and push Docker images programmatically using Go. To do this, we need to talk to the Docker daemon via the Docker Engine API. This is similar to how the Docker CLI works, but instead of entering commands through a CLI, we'll be writing code with Docker's Go SDK.
\nAt the time of writing, the official Docker Go SDK docs provide great examples of running basic Docker commands with Go. However, it's missing examples on building and pushing Docker images, so we'll go over those in this blog.
\nBefore we begin, this blog assumes you have a working knowledge of Docker and Go. We'll go over the following:
\n- \n
- Building an image from local source code \n
- Pushing an image to a remote registry \n
Environment Setup
\nFirst, we need to set up the environment. Create a project and include the app we want to containerize:
\nmkdir docker-go-tutorial && cd docker-go-tutorial && mkdir node-helloWe'll add a simple Node.js app:
\n// node-hello/app.js\nconsole.log("Hello From LoginRadius");with the Dockerfile:
\n// node-hello/Dockerfile\nFROM node:12\nWORKDIR /src\nCOPY . .\nCMD [ "node", "app.js" ]Next, install the Go SDK. These are the Docker related imports we will be using:
\n"github.com/docker/docker/api/types"\n"github.com/docker/docker/client"\n"github.com/docker/docker/pkg/archive"Build Docker Image
\nOne way to build a Docker image from our local files is to compress those files into a tar archive first.
\nWe use the archive package provided by Docker:
\n"github.com/docker/docker/pkg/archive"tar, err := archive.TarWithOptions("node-hello/", &archive.TarOptions{})\nif err != nil {\n return err\n}Now, we can call the ImageBuild function using the Go SDK:
\n- \n
- \n
Note that the image tag includes our Docker registry user ID, so we can push this image to our registry later.
\n
\nopts := types.ImageBuildOptions{\nDockerfile: "Dockerfile",\nTags: []string{dockerRegistryUserID + "/node-hello"},\nRemove: true,\n}\nres, err := dockerClient.ImageBuild(ctx, tar, opts)\nif err != nil {\nreturn err\n}\n
To print the response, we use a scanner to go through line by line:
\nscanner := bufio.NewScanner(res.Body)\nfor scanner.Scan() {\n lastLine = scanner.Text()\n fmt.Println(scanner.Text())\n}This prints the following:
\n{"stream":"Step 1/4 : FROM node:12"}\n{"stream":"\\n"}\n{"stream":" ---\\u003e e4f1e16b3633\\n"}\n{"stream":"Step 2/4 : WORKDIR /src"}\n{"stream":"\\n"}\n{"stream":" ---\\u003e Using cache\\n"}\n{"stream":" ---\\u003e b298b8519669\\n"}\n{"stream":"Step 3/4 : COPY . ."}\n{"stream":"\\n"}\n{"stream":" ---\\u003e Using cache\\n"}\n{"stream":" ---\\u003e 1ff6a87e79d9\\n"}\n{"stream":"Step 4/4 : CMD [ \\"node\\", \\"app.js\\" ]"}\n{"stream":"\\n"}\n{"stream":" ---\\u003e Using cache\\n"}\n{"stream":" ---\\u003e 6ca44f72b68d\\n"}\n{"aux":{"ID":"sha256:238a923459uf28h80103eb089804a2ff2c1f68f8c"}}\n{"stream":"Successfully built 6ca44f72b68d\\n"}\n{"stream":"Successfully tagged lrblake/node-hello:latest\\n"}The last step would be checking the response for errors, so if something went wrong during the build, we could handle it.
\nerrLine := &ErrorLine{}\njson.Unmarshal([]byte(lastLine), errLine)\nif errLine.Error != "" {\n return errors.New(errLine.Error)\n}For example, the following error can occur during build:
\n{"errorDetail":{"message":"COPY failed: stat /var/lib/docker/tmp/docker-builder887191115/z: no such file or directory"},"error":"COPY failed: stat /var/lib/docker/tmp/docker-builder887191115/z: no such file or directory"}All together, the file looks like this:
\npackage main\n\nimport (\n\t"bufio"\n\t"context"\n\t"encoding/json"\n\t"errors"\n\t"fmt"\n\t"io"\n\t"time"\n\n\t"github.com/docker/docker/api/types"\n\t"github.com/docker/docker/client"\n\t"github.com/docker/docker/pkg/archive"\n)\n\nvar dockerRegistryUserID = ""\n\ntype ErrorLine struct {\n\tError string `json:"error"`\n\tErrorDetail ErrorDetail `json:"errorDetail"`\n}\n\ntype ErrorDetail struct {\n\tMessage string `json:"message"`\n}\n\nfunc main() {\n\tcli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())\n\tif err != nil {\n\t\tfmt.Println(err.Error())\n\t\treturn\n\t}\n\n\terr = imageBuild(cli)\n\tif err != nil {\n\t\tfmt.Println(err.Error())\n\t\treturn\n\t}\n}\n\nfunc imageBuild(dockerClient *client.Client) error {\n\tctx, cancel := context.WithTimeout(context.Background(), time.Second*120)\n\tdefer cancel()\n\n\ttar, err := archive.TarWithOptions("node-hello/", &archive.TarOptions{})\n\tif err != nil {\n\t\treturn err\n\t}\n\n\topts := types.ImageBuildOptions{\n\t\tDockerfile: "Dockerfile",\n\t\tTags: []string{dockerRegistryUserID + "/node-hello"},\n\t\tRemove: true,\n\t}\n\tres, err := dockerClient.ImageBuild(ctx, tar, opts)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdefer res.Body.Close()\n\n\terr = print(res.Body)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc print(rd io.Reader) error {\n\tvar lastLine string\n\n\tscanner := bufio.NewScanner(rd)\n\tfor scanner.Scan() {\n\t\tlastLine = scanner.Text()\n\t\tfmt.Println(scanner.Text())\n\t}\n\n\terrLine := &ErrorLine{}\n\tjson.Unmarshal([]byte(lastLine), errLine)\n\tif errLine.Error != "" {\n\t\treturn errors.New(errLine.Error)\n\t}\n\n\tif err := scanner.Err(); err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}The equivalent Docker CLI command would be:
\ndocker build -t <dockerRegistryUserID>/node-hello .Push Docker Image
\nWe'll push the Docker image we created to Docker Hub. But, we need to authenticate with Docker Hub by providing credentials encoded in base64.
\n- \n
- In practice, don't hardcode your credentials in your source code. \n
- \n
If you don't want to use your Docker Hub password, you can set up an access token and provide that in the Password field instead.
\n
\nvar authConfig = types.AuthConfig{\nUsername: "Your Docker Hub Username",\nPassword: "Your Docker Hub Password or Access Token",\nServerAddress: "https://index.docker.io/v1/",\n}\nauthConfigBytes, _ := json.Marshal(authConfig)\nauthConfigEncoded := base64.URLEncoding.EncodeToString(authConfigBytes)\n
Now, call the ImagePush function in the Go SDK, along with your encoded credentials:
\nopts := types.ImagePushOptions{RegistryAuth: authConfigEncoded}\nrd, err := dockerClient.ImagePush(ctx, dockerRegistryUserID + "/node-hello", opts)Together, this looks like:
\nfunc imagePush(dockerClient *client.Client) error {\n\tctx, cancel := context.WithTimeout(context.Background(), time.Second*120)\n\tdefer cancel()\n\n\tauthConfigBytes, _ := json.Marshal(authConfig)\n\tauthConfigEncoded := base64.URLEncoding.EncodeToString(authConfigBytes)\n\n\ttag := dockerRegistryUserID + "/node-hello"\n\topts := types.ImagePushOptions{RegistryAuth: authConfigEncoded}\n\trd, err := dockerClient.ImagePush(ctx, tag, opts)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdefer rd.Close()\n\n\terr = print(rd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}The equivalent Docker CLI command (after docker login) would be:
\ndocker push <dockerRegistryUserID>/node-helloWhat is Istio?
\nIstio is an Open Source service mesh (developed in partnership between teams from Google, IBM, and Lyft), providing a dedicated infrastructure layer for creating service-to-service communication that is safe, fast, and reliable. Having such a fanatical communication layer can provide various advantages, like providing observability into communications, providing secure connections, or automating retries and backoff for failed requests.
\nA service mesh also often has more complex operational requirements, like A/B testing, canary rollouts, rate limiting, access control, and end-to-end authentication.
\nIstio does this by adding a sidecar proxy which intercepts all network communication between microservices, then configures and manages Istio using its control plane functionality, which incorporates:
\n- \n
- Granular control over the service-to-service communication and its routing with the additional functionality of retries, fault injection, circuit breakers. \n
- Providing secure mTLS without any changes in the application code. \n
- Cluster to cluster communication using ingress and egress gateways. \n
Istio Architecture
\nAn Istio service mesh is logically split into a data plane and a control plane.
\nThe data plane is composed of Envoy proxy deployed as sidecars. Envoy itself is an L7 proxy and communication bus designed for modern microservices-based architecture. These proxies intercept and control all network communication between microservices. They also collect and report telemetry on all mesh traffic.
\nThe control plane manages and configures the proxies to route traffic.
\n![\"Istio](\"https://istio.io/latest/docs/ops/deployment/architecture/arch.svg\")
Istio Core Components
\nPilot
\nIstio Pilot manages and configures all the Envoy proxy instances deployed. It takes the rules for traffic behavior provided by the control plane and converts them into configurations applied by Envoy.
\nCitadel
\nResponsible for controlling the authentication and identity management between services. Allow developers to build a zero-trust network based on service identity.
\nMixer
\nResponsible for enforcing access control and usage policies across the service mesh and collects telemetry data from the Envoy proxy and other services.
\nIstio Features
\nTraffic Management
\nIt is the basic feature of Istio, which facilitates the routing between services. Istio simplifies the configuration of service-level properties like circuit breakers, timeouts, and retries.\nAll traffic that your mesh services send and receive (data plane traffic) is proxied through Envoy, making it easy to direct and control traffic around your mesh without making any changes to your services.
\nFor discovering all the services in the ecosystem, Istio connects to the Service discovery System and populates its service registry. The Envoy sidecar proxy then uses this registry to route traffic to the correct service.
\nHere are a few resources you can add for your deployment apart from the basic service discovery and load balancing:
\nVirtual Services
\nVirtual services play a key role in making Istio's traffic management flexible and powerful. They do this by strongly decoupling where clients send their requests from the destination workloads that actually implement them.
\nSo, instead of sending requests directly to a service data plane, you send traffic through this virtual service. Using virtual service, you can route requests to different versions of the same service or different hostnames based on particular endpoints. This helps us to do various other things like A/B testing or doing canary rollouts.
A typical example:
\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n name: bookinfo\nspec:\n hosts:\n - bookinfo.com\n http:\n - match:\n - uri:\n prefix: /reviews\n route:\n - destination:\n host: reviews <-- Resolves to reviews.<namespace>.svc.cluster.local\n - match:\n - uri:\n prefix: /ratings\n route:\n - destination:\n host: ratingsDestination Rule
\nWe use destination rules to configure what happens to traffic for that destination. Destination rules are applied after virtual service routing rules are evaluated, so they apply to the traffic's real destination.
\nUsing destination rules, we specify the subsets of the service using labels, which are then used by the virtual service to route requests to a particular subset. In addition to that, we can also customize traffic policy, load balancing policy, connection pool settings, mTLS, etc.
apiVersion: networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n name: my-destination-rule\nspec:\n host: my-svc\n trafficPolicy:\n loadBalancer:\n simple: RANDOM\n subsets:\n #### This will work only if we have defined version label in the deployment\n - name: v1\n labels:\n version: v1\n - name: v2\n labels:\n version: v2\n trafficPolicy:\n loadBalancer:\n simple: ROUND_ROBIN\n - name: v3\n labels:\n version: v3Here we have defined destination rule for service my-svc and defined subsets and traffic policy global and per subset.
\nGateway
\nIt is used to manage inbound and outbound traffic for your mesh, letting you specify which traffic you want to enter or leave the mesh. Gateway configurations are applied to standalone Envoy proxies running at the edge of the mesh, rather than sidecar Envoy proxies running alongside your service workloads. Using this, we can expose our services to the internet.
\nA typical example would be:
\napiVersion: networking.istio.io/v1alpha3\nkind: Gateway\nmetadata:\n name: my-svc-gateway\n namespace: test\nspec:\n selector:\n istio: ingressgateway\n servers:\n - port:\n number: 80\n name: http\n protocol: HTTP\n hosts:\n - my-svc.example.comistio: ingressgateway is the gateway which is enabled by default after installation. We can create our custom gateway. Here, the hosts my-svc.example.com will resolve to the load balancer provided by the Istio by default. To use this gateway, one has to add config in the virtual service like for example:
\napiVersion: networking.istio.io/v1alpha3\nkind: VirtualService\nmetadata:\n name: my-svc\nspec:\n hosts:\n - my-svc\n - my-svc.example.com <-- The host should match\n gateways: <--- gateway config\n - my-svc-gateway\n http:\n - route:\n - destination:\n host: my-svc.test.svc.cluster.local\n port:\n number: 80 Network Resilience
\nThis feature provides network configuration dynamically at runtime, which includes retries, fault injection, circuit breakers, and timeouts.
\nService Entries
\nThis object is used to add an external service as part of the service mesh, including a service running in a VM or other K8s cluster in case of multi-cluster installation.
\nA typical example would be connecting a service to a database cluster that is not part of the mesh.
\napiVersion: networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n name: elasticsearch\n namespace: test\nspec:\n hosts:\n - elasticsearch.elasticsearch.svc.cluster.local\n location: MESH_INTERNAL\n ports:\n - name: https\n number: 9200\n protocol: TCP\n resolution: DNSThe Service Entry should be in the same namespace as that of the calling service. This is helpful, especially in the case where the service is not exposed to a public endpoint and can be accessed using internal service DNS like the above example.
\nSecurity
\nIstio provides security features that will help us to establish a zero-trust network. Istio enables security by default and provides various authentication and authorization policy to regulate security.
\nFor example:
\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n name: dsl-es\n namespace: pdp-test\nspec:\n selector:\n matchLabels:\n app: dsl-es\n mtls:\n mode: STRICTHere we define a peer authentication object for a service labeled my-svc, which tells that any service that needs to talk to my-svc will communicate using mtls. The service will accept only TLS connection. By default, Istio enables PERMISSIVE mode, which accepts both plaintext and encrypted communication.
\nWe can define peer authentication on the mesh, namespace, and pod level.
\nThat is all for the introduction to Istio. In the next part, we will look at installing Istio and configuring services to use Istio.
\n","frontmatter":{"date":"December 07, 2020","updated_date":null,"description":"This post will give a high-level introduction to Istio and its related concepts and terminologies.","title":"Istio Service Mesh: A Beginners Guide","tags":["Istio","Service Mesh"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/452f4d9f7cb358e3d6224ed3aba3d5d6/ee604/Istio.png","srcSet":"/static/452f4d9f7cb358e3d6224ed3aba3d5d6/69585/Istio.png 200w,\n/static/452f4d9f7cb358e3d6224ed3aba3d5d6/497c6/Istio.png 400w,\n/static/452f4d9f7cb358e3d6224ed3aba3d5d6/ee604/Istio.png 800w,\n/static/452f4d9f7cb358e3d6224ed3aba3d5d6/db955/Istio.png 900w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Piyush Kumar","github":"kpiyush17","avatar":null}}}}]},"markdownRemark":{"excerpt":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards…","fields":{"slug":"/identity/developer-first-identity-provider-loginradius/"},"html":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards and refining approaches to building secure, seamless experiences.
\nWe’re here to support developers on that journey. We know how important simplicity, efficiency, and well-structured documentation are when working with identity and access management solutions. That’s why we’ve redesigned the LoginRadius website—to be faster, more intuitive, and developer-first in every way.
\nThe goal? Having them spend less time searching and more time building.
\nWhat’s New and Improved on the LoginRadius Website?
\nLoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve spent the last few months redesigning our interface— making navigation more intuitive and reassuring that essential resources are easily accessible.
\nHere’s a closer look at what’s new and why it’s important:
\nA Developer-Friendly Dark Theme
\n![\"This](\"/f46881583c7518a93bb24e94c32320de/a-developer-friendly-dark-theme.webp\")
Developers spend long hours working in dark-themed IDEs and terminals, so we’ve designed the LoginRadius experience to be developer-friendly and align with that preference.
\nThe new dark mode reduces eye strain, enhances readability, and provides a seamless transition between a coding environment and our platform. Our new design features a clean, modern aesthetic with a consistent color scheme and Barlow typography, ensuring better readability. High-quality graphics and icons are thoughtfully placed to enhance the content without adding visual clutter.
\nSo, whether you’re navigating our API docs or configuring authentication into your system, our improved interface will make those extended development hours more comfortable and efficient.
\nClear Categorization for LoginRadius Capabilities
\n![\"This](\"/e5358b82be414940f3fb146013845933/capabilities.webp\")
We’ve restructured our website to provide a straightforward breakdown of our customer identity and access management platform capabilities, helping you quickly find what you need:
\n- \n
- Authentication: Easily understand how to choose the right login method, from traditional passwords and OTPs to social login, federated SSO, and passkeys with few lines of code. \n
- Security: Implement no-code security features like bot detection, IP throttling, breached password alerts, DDoS protection, and adaptive MFA to safeguard user accounts. \n
- User Experience: Leverage AI builder, hosted pages, and drag-and-drop workflows to create smooth, branded sign-up and login experiences. \n
- High Performance & Scalability: Confidently scale with sub-100ms API response times, 100% uptime, 240K+ RPS, and 28+ global data center regions. \n
- Multi-Brand Management: Efficiently manage multiple identity apps, choosing isolated or shared data stores based on your brand’s unique needs. \n
This structured layout ensures you can quickly understand each capability and how it integrates into your identity ecosystem.
\nDeveloper-First Navigation
\n![\"This](\"/a8c155c2b6faf3d5f4b4de4e2b14d763/developers-menu.webp\")
We’ve been analyzing developer workflows to identify how you access key resources. That’s why we redesigned our navigation with one goal in mind: to reduce clicks and make essential resources readily available.
\nThe new LoginRadius structure puts APIs, SDKs, and integration guides right at the menu bar under the Developers dropdown so you can get started faster. Our Products, Solutions, and Customer Services are also clearly categorized, helping development teams quickly find the right tools and make informed decisions.
\nQuick Understanding of Integration Benefits
\n![\"This](\"/b2f9a964a2da0ea83e2f8596b833bba7/we-support-your-tech-stack.webp\")
Developers now have a clear view of the tech stack available with LoginRadius, designed to support diverse business needs.
\nOur platform offers pre-built SDKs for Node.js, Python, Java, and more, making CIAM integration seamless across popular programming languages and frameworks.
\nOver to You Now!
\nCheck out our revamped LoginRadius website and see how the improved experience makes it easier to build, scale, and secure your applications.
\nDo not forget to explore the improved navigation and API documentation, and get started with our free trial today. We’re excited to see what you’ll build with LoginRadius!
\n","frontmatter":{"date":"February 21, 2025","updated_date":null,"description":"LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve redesigned our website interface, making navigation more intuitive and reassuring that essential resources are easily accessible.","title":"Revamped & Ready: Introducing the New Developer-First LoginRadius Website","tags":["Developer tools","API","Identity Management","User Authentication"],"pinned":true,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7857142857142858,"src":"/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp","srcSet":"/static/80b4e4fbe176a10a327d273504607f32/61e93/hero-section.webp 200w,\n/static/80b4e4fbe176a10a327d273504607f32/1f5c5/hero-section.webp 400w,\n/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp 800w,\n/static/80b4e4fbe176a10a327d273504607f32/99238/hero-section.webp 1200w,\n/static/80b4e4fbe176a10a327d273504607f32/7c22d/hero-section.webp 1600w,\n/static/80b4e4fbe176a10a327d273504607f32/1258b/hero-section.webp 2732w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}},"pageContext":{"limit":6,"skip":636,"currentPage":107,"type":"///","numPages":161,"pinned":"ee8a4479-3471-53b1-bf62-d0d8dc3faaeb"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}