The API Gatekeeper
Dick Hardt

Monday, November 4, 13
Now that you have built your API, how do you let the right people have access to the right API at the right time? This talk covers the basics of API access management and then does a deep dive into modern authorization architectures.
Transcript of "OAuth: The API Gatekeeper"

  1. The API Gatekeeper, Dick Hardt, Monday, November 4, 13
  2. Agenda
     •Access Control Overview
     •OAuth History
     •OAuth Flows
     •Implementation Steps
     •What can go wrong?
     •Q & A
  3. Authorization Code
     •key into database
       –user, scope, app id, expiry (5 min)
     •token (self contained)
       –user, scope, app id, expiry (5 min)
       –JWT
  4. Access Token Lifecycle
     •key into database
       –user, scope, app id, expiry, status
     •token (self contained)
       –user, scope, app id, expiry (60 minutes)
       –JWT
     •Refresh token
       –user, scope, app id, expiry / status
       –JWT
  5. API Authorization Middleware
     implementation dependent
  6. X-RateLimit-Limit: 500
     X-RateLimit-Remaining: 432
  7. Developer Documentation / Sandbox
  8. What can go wrong?
     •Compromise of client secret
     •Compromise of access tokens (server)
       –Developer resets client secret
       –All access tokens are invalidated
       –Refresh tokens still work, but require new secret
     •Compromise of access token (client)
       –User revokes authorization
     •Resolution is self service
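Slides 3 and 4 list what a self-contained token carries (user, scope, app id, expiry, as a JWT) and the lifetimes the talk uses: a 5 minute authorization code and a 60 minute access token, plus a refresh token. The following is an added example and not code from the talk: it mints those three token kinds as HS256 JWTs using only Python's standard library and shows the checks the verifier has to make. The signing key, the claim names (use, sub, scope, client_id, jti), the 30 day refresh lifetime and the app and user names are assumptions; the slides give only the code and access token lifetimes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed HS256 signing key held by the authorization server (not from the talk).
SIGNING_KEY = b"authorization-server-hs256-key-for-the-example"

CODE_TTL = 5 * 60             # authorization code lifetime from slide 3 (5 min)
ACCESS_TTL = 60 * 60          # access token lifetime from slide 4 (60 minutes)
REFRESH_TTL = 30 * 24 * 3600  # assumed refresh token lifetime; the slides give none

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims):
    """header.payload.signature, HMAC-SHA256 over the first two base64url parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, expected_use, now=None):
    """Check algorithm, signature, purpose and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("use") != expected_use:
        raise ValueError("wrong token purpose")  # a refresh token must not pass as an access token
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("expired")
    return claims

def _mint(use, user, scope, app_id, ttl, now):
    # The four facts from the slides (user, scope, app id, expiry) plus a purpose tag and a unique id.
    return sign_jwt({"use": use, "sub": user, "scope": scope, "client_id": app_id,
                     "iat": int(now), "exp": int(now) + ttl, "jti": secrets.token_hex(8)})

def issue_authorization_code(user, scope, app_id, now):
    return _mint("code", user, scope, app_id, CODE_TTL, now)

# A self-contained code has no status column, so single use must be enforced separately.
_spent_codes = set()

def exchange_code(code, app_id, now):
    """Turn a code into an access token (60 min) and a refresh token; the code is single use."""
    claims = verify_jwt(code, "code", now)
    if claims["client_id"] != app_id:
        raise ValueError("code was issued to a different app")
    if claims["jti"] in _spent_codes:
        raise ValueError("code already used")
    _spent_codes.add(claims["jti"])
    access = _mint("access", claims["sub"], claims["scope"], app_id, ACCESS_TTL, now)
    refresh = _mint("refresh", claims["sub"], claims["scope"], app_id, REFRESH_TTL, now)
    return access, refresh

def refresh_access_token(refresh_token, app_id, now):
    claims = verify_jwt(refresh_token, "refresh", now)
    if claims["client_id"] != app_id:
        raise ValueError("refresh token belongs to a different app")
    return _mint("access", claims["sub"], claims["scope"], app_id, ACCESS_TTL, now)

def run_lifecycle(now=1_700_000_000):
    """Walk the flow once at a fixed clock and report which checks held."""
    def rejected(fn):
        try:
            fn()
            return False
        except ValueError:
            return True
    code = issue_authorization_code("alice", "read write", "app-1", now)
    access, refresh = exchange_code(code, "app-1", now + 10)
    claims = verify_jwt(access, "access", now + 10)
    head, _, sig = access.split(".")
    forged = f"{head}.{_b64url(json.dumps(dict(claims, scope='admin')).encode())}.{sig}"
    renewed = refresh_access_token(refresh, "app-1", now + 3600)
    return {
        "access_claims": claims,
        "renewed_claims": verify_jwt(renewed, "access", now + 3600),
        "code_replay_rejected": rejected(lambda: exchange_code(code, "app-1", now + 20)),
        "expired_code_rejected": rejected(lambda: exchange_code(
            issue_authorization_code("bob", "read", "app-1", now), "app-1", now + CODE_TTL)),
        "refresh_as_access_rejected": rejected(lambda: verify_jwt(refresh, "access", now + 10)),
        "expired_access_rejected": rejected(lambda: verify_jwt(access, "access", now + 10 + ACCESS_TTL)),
        "forged_scope_rejected": rejected(lambda: verify_jwt(forged, "access", now + 10)),
    }
```

Two points the slides leave implicit: a self-contained code is short lived but not automatically single use, so the `_spent_codes` set stands in for the status column a database-keyed code would have (in production it lives in shared storage, not a process-local set); and every token carries a purpose claim, otherwise a refresh token, which has the same user, scope and app id claims, would verify as an access token.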
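Slide 8 describes the recovery model: when a client secret or server-side access tokens are compromised, the developer resets the secret, every access token is invalidated, refresh tokens keep working but only with the new secret, and when a token leaks on the client side the user revokes the app's authorization. The example below is added here and is not the talk's own code. It models those outcomes with the "key into database" token design of slides 3 and 4 (the token is an opaque key; user, scope, app id, expiry and status live in the row) and wraps the lookup in the API authorization middleware of slides 5 and 6, which also emits the X-RateLimit headers. The in-memory tables, the one hour rate-limit window, the hashed secret storage and all function and app names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ACCESS_TTL = 60 * 60   # access token lifetime from slide 4
RATE_LIMIT = 500       # X-RateLimit-Limit value from slide 6; the one hour window is assumed

# Constructed in-memory tables standing in for the authorization server's database.
CLIENTS = {}          # app_id -> {"secret_hash": hex digest of the current secret}
ACCESS_TOKENS = {}    # opaque token -> {"user", "scope", "app_id", "expiry", "status"}
REFRESH_TOKENS = {}   # opaque token -> same shape; expiry None means the row is status only
_USAGE = {}           # (app_id, hour) -> requests served in that window

def _hash_secret(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

def register_client(app_id):
    """Create the app and hand its secret back once; only the hash is stored."""
    secret = secrets.token_urlsafe(32)
    CLIENTS[app_id] = {"secret_hash": _hash_secret(secret)}
    return secret

def _record(user, scope, app_id, expiry):
    return {"user": user, "scope": scope, "app_id": app_id, "expiry": expiry, "status": "active"}

def issue_tokens(user, scope, app_id, now):
    """Database flavour of slides 3-4: the token is a random key, every fact lives in the row."""
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    ACCESS_TOKENS[access] = _record(user, scope, app_id, now + ACCESS_TTL)
    REFRESH_TOKENS[refresh] = _record(user, scope, app_id, None)
    return access, refresh

def lookup_access(token, now):
    """Row for a live access token, else None (unknown, expired or revoked)."""
    rec = ACCESS_TOKENS.get(token)
    if rec is None or rec["status"] != "active" or now >= rec["expiry"]:
        return None
    return rec

def gatekeeper(token, now):
    """Slide 5's authorization middleware: authenticate the token, then meter the app (slide 6)."""
    rec = lookup_access(token, now)
    if rec is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    window = (rec["app_id"], int(now) // 3600)
    used = _USAGE.get(window, 0) + 1
    _USAGE[window] = used
    headers = {"X-RateLimit-Limit": str(RATE_LIMIT),
               "X-RateLimit-Remaining": str(max(RATE_LIMIT - used, 0))}
    return (200 if used <= RATE_LIMIT else 429), headers

def reset_client_secret(app_id):
    """Slide 8, server-side compromise: the developer resets the secret. Every access token
    for the app is invalidated; refresh tokens stay active but only work with the new secret."""
    new_secret = secrets.token_urlsafe(32)
    CLIENTS[app_id]["secret_hash"] = _hash_secret(new_secret)
    for rec in ACCESS_TOKENS.values():
        if rec["app_id"] == app_id:
            rec["status"] = "revoked"
    return new_secret

def refresh_access_token(refresh_token, app_id, client_secret, now):
    """Exchange a refresh token for a new access token; the client must present its current secret."""
    client = CLIENTS.get(app_id)
    if client is None or not hmac.compare_digest(client["secret_hash"], _hash_secret(client_secret)):
        return None  # wrong, or old, secret: this is what makes a leaked secret useless after reset
    rec = REFRESH_TOKENS.get(refresh_token)
    if rec is None or rec["status"] != "active" or rec["app_id"] != app_id:
        return None  # revoked by the user, or not this app's token
    access = secrets.token_urlsafe(24)
    ACCESS_TOKENS[access] = _record(rec["user"], rec["scope"], app_id, now + ACCESS_TTL)
    return access

def revoke_authorization(user, app_id):
    """Slide 8, client-side compromise: the user revokes the app, killing both token kinds."""
    revoked = 0
    for table in (ACCESS_TOKENS, REFRESH_TOKENS):
        for rec in table.values():
            if rec["user"] == user and rec["app_id"] == app_id and rec["status"] == "active":
                rec["status"] = "revoked"
                revoked += 1
    return revoked
```

With a database-keyed token, invalidation is a status flip on the row and takes effect on the very next request, which is what lets the slide promise that a secret reset kills all outstanding access tokens. A self-contained JWT cannot be recalled that way: the same reset would need a signing-key rotation or a denylist consulted on every request until the 60 minute expiry has passed, so the 60 minute figure on slide 4 is also the window a leaked self-contained token stays valid.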