Nordic APIs - Building a Secure API
Overview of techniques and technologies needed to launch a secure API
Presentation Transcript

  • Building a Secure API
    Overview of techniques and technologies needed to launch a secure API
    By Travis Spencer, CEO (@travisspencer, @2botech)
    Copyright © 2013 Twobo Technologies AB. All rights reserved
  • Agenda
    - The security challenge in context
    - Neo-security stack
    - OAuth basics
    - Overview of other layers
  • Crucial Security Concerns
    - Enterprise Security
    - API Security
    - Mobile Security
  • Identity is Central
    [Venn diagram by Gunnar Peterson: Mobile Security (MDM, MAM), Enterprise Security and API Security (AuthZ), with Identity at their intersection]
  • Neo-security Stack
    - OpenID Connect, SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
    - OAuth 2 is the new meta-protocol defining how tokens are handled
    - These address old requirements, solve new problems & are composed in useful ways
    - Grandpa SAML & junior WS- again? Yep
  • OAuth Actors
    - Client
    - Authorization Server (AS)
    - Resource Server (RS) (i.e., API)
    - Resource Owner (RO)
    [Diagram: the Client gets a token from the AS, then uses the token at the RS]
  • OAuth Web Server Flow
    [Diagram]
  • What OAuth is and is not for
    - Not for authentication
    - Not really for authorization
    - For delegation
  • Authentication & Federation
    - How you authenticate to the AS is undefined
    - Use SAML or OpenID Connect for SSO to the AS
    - Relay the OAuth token in SAML messages
  • Push Tokens & Pull Data
    [Diagram: IdP & API Provider, SaaS App and Browser; the access token is carried in the federation message, then the SaaS App calls "Get Data" against the API]
  • Overview of OpenID Connect
    - Builds on OAuth for profile sharing
    - Uses the flows optimized for user-consent scenarios
    - Adds identity-based inputs/outputs to core OAuth messages
    - Tokens are JWTs
  • Overview of SCIM
    - Defines a RESTful API to manage users & groups
    - Specifies core user & group schemas
    - Supports bulk updates for ingest
    - Binding for SAML and eventually OpenID Connect
  • Overview of JSON Identity Suite
    - Suite of JSON-based identity protocols
      ▪ Tokens (JWT)
      ▪ Encryption (JWE)
      ▪ Keys (JWK)
      ▪ Signatures (JWS)
      ▪ Algorithms (JWA)
    - Bearer Token spec explains how to use them w/ OAuth
    - Being defined in the IETF
  • Overview of JWT
    - Pronounced like the English word "jot"
    - Lightweight tokens passed in HTTP headers & query strings
    - Akin to SAML tokens
      ▪ Less expressive
      ▪ Fewer security options
      ▪ More compact
      ▪ Encoded w/ JSON, not XML
  • SCIM + OAuth
    - Use OAuth to secure SCIM API calls
    - Use SCIM to create the accounts needed to access APIs secured using OAuth
  • SCIM + SAML/OIC
    - Carry SCIM attributes in SAML assertions (bindings for SCIM)
      ▪ Enables JIT provisioning
      ▪ Supplements SCIM API & schema
    - Provisioning accounts using the SCIM API to be updated before/after logon
  • Questions & Thanks
    @2botech, @travisspencer, www.2botech.com, travisspencer.com
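As an added example (not code from the slides or from Twobo), here is a minimal implementation of what the JSON Identity Suite and JWT slides describe: a compact JWS-signed JWT (assumed HS256 with a constructed shared key) is minted, verified with the algorithm pinned server-side, and extracted from the "Authorization: Bearer" header that the Bearer Token spec defines for use with OAuth.

```python
# Added example (not from the slides): mint and verify a compact JWS-signed JWT
# (HS256), then pull it out of an RFC 6750 "Authorization: Bearer" header.
# Standard library only; the key and claims are constructed for the demo.
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    # JWT/JWS uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims, key):
    # Compact serialization: base64url(header).base64url(payload).base64url(sig)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, key, audience, now):
    # Returns the claims dict on success, None on any failure (bad format,
    # unsupported alg, bad signature, wrong audience, expired at time `now`).
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token's "alg" choose
        # the verifier (rejects "none" and algorithm-confusion tokens).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("aud") != audience or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def token_from_authorization_header(value):
    # RFC 6750 bearer usage: "Authorization: Bearer <token>"
    scheme, _, token = value.strip().partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None
```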