Launching a Successful and Secure API


What secure standards are there when working with a new API? And why should you care?

Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Trondheim, June 11 - 2013

Published in: Technology


Transcript

  • 1. Launching a Successful & Secure API
    - Effectively launching secure, RESTful APIs using the "neo-security stack"
    - By Travis Spencer, CEO (@travisspencer, @2botech)
    - Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 2. Agenda
    - The challenge in context
    - Examples of innovative opportunities
    - Neo-security stack
    - OAuth basics
    - Overview of other layers
    - Using the stack
  • 3. Disruptive Trends
    - Cloud computing
    - Social networks
    - Mobile
    - Big data
  • 4. Progression to This Point
    - Web apps have evolved from CGI to the cloud to APIs
    - (Timeline: HTTP, HTML, CGI → COM & CORBA → SOAP & SOA → Web 2.0 & REST → The Cloud → Web APIs)
  • 5. Example: Pearson
    - Launched API to allow innovative uses of existing content
    - Turned sunk costs into new revenue stream
    - Started w/ one API and deployed others in time
    - Built community, not just code
    - (Image credits: Copyright © 2013 Pearson plc; "sawdust / sågspån", Copyright © 2008 Maja Dumat)
  • 6. Example: Salesforce.com
    - Providing Platform as a Service (PaaS)
    - Almost 200,000 customer & partner apps
    - Apps span industries and business functions
    - Attract new customers w/ lower costs and increased performance
    - 60% of all traffic is to API; only 40% to site
    - (Image credit: Copyright © 2000-2013 salesforce.com, Inc.)
  • 7. Example: AT&T
    - The network is the platform
    - Examples of their APIs: SMS, MMS, location, speech; TV, healthcare, notary, advertising
    - Sponsor hackathons, events, blogs
    - Business benefits: revenue, business agility, time to market, new customer value, innovation, efficiency
    - "[The API program] is an architectural choice one makes for speed." — John Donovan, SEVP, AT&T
  • 8. Example: Twilio
    - Twilio lets you use web languages to build voice, VoIP & SMS applications via a web API
    - Raised $70M series D in June
    - Example that shows the potential
  • 9. Example: Cloud Brokerage
    - (Diagram: Cloud Services, MNO's Cloud Services and Legacy Services feed a Cloud Service Aggregation Platform providing Support, Tenant / User Provisioning, Web SSO and Billing; exposed through a Cloud Desktop, App Store, User Portal and Admin Portal)
  • 10. Identity is Central
    - (Diagram: Social Networks, Cloud Computing, Mobile and Big Data all revolve around Identity)
  • 11. The Neo-security Stack
    - (Diagram of the four layers:)
    - Federation: SAML / OpenID Connect
    - Provisioning: SCIM
    - Identity: JSON Identity Suite
    - Authorization: OAuth
  • 12. SAML
    - SAML: proven technology for identity federation and Web SSO
    - Profiles, bindings, protocols, assertions & metadata
    - V. 2.1 in the works
    - (Diagram: Service Provider (SP) and Identity Provider (IdP))
  • 13. OpenID Connect
    - New federation protocol that builds on OAuth 2
    - Adds identity inputs/outputs to OAuth messages
    - Related to prior OpenID versions in name only
    - Compact messages for mobile scenarios
    - RP / client can determine info about end user
    - Tokens are JWTs
    - UserInfo endpoint to get user data
    - (Image: "Grandpa SAML & junior")
  • 14. SCIM
    - Defines RESTful API to manage users & groups
    - Specifies core user & group schemas
    - Supports bulk updates for ingest
    - Binding for SAML and eventually OpenID Connect
  • 15. OAuth
    - OAuth 2 is the new protocol of protocols
    - Composed in useful ways, like WS-Trust of old
    - Addresses old requirements and solves new ones: delegated access, no password sharing, revocation of access
  • 16. OAuth Actors
    - Client
    - Authorization Server (AS)
    - Resource Server (RS) (i.e., API)
    - Resource Owner (RO)
    - (Diagram: the Client gets a token from the AS, then uses the token at the RS)
  • 17. Scopes
    - Like permissions
    - Scopes specify extent of tokens' usefulness
    - Listed on consent UI (if shown)
    - Issued tokens may have narrower scope than requested
    - No standardized scopes
  • 18. Kinds of Tokens
    - Access tokens: like a session; used to secure API calls
    - Refresh tokens: like a password; used to get new access tokens
  • 19. Passing Tokens
    - By value: user attributes are in the token
    - By reference: user attributes are referenced by an identifier (e.g. "123XYZ")
  • 20. Profiles of Tokens
    - Bearer: bearer tokens are like cash
    - Holder of Key: HoK tokens are like credit cards
  • 21. Types of Tokens
    - WS-Security
    - SAML
    - JWT
    - Custom: home-grown, Oracle Access Manager, SiteMinder, etc.
  • 22. JSON Identity Protocol Suite
    - Suite of JSON-based identity protocols: Tokens (JWT), Encryption (JWE), Keys (JWK), Signatures (JWS), Algorithms (JWA)
    - Bearer Token spec explains how to use w/ OAuth
    - Being defined in IETF
  • 23. JWT Tokens
    - Pronounced like the English word "jot"
    - Lightweight tokens passed in HTTP headers & query strings
    - Akin to SAML tokens: less expressive, fewer security options, more compact, encoded w/ JSON not XML
  • 24. OAuth Web Server Flow
    - (Diagram only)
  • 25. Usage of OAuth
    - Not for authentication
    - Not really for authorization
    - For delegation
  • 26. Stealing Bearer Tokens
    - (Diagram only: bearer tokens as cash)
  • 27. OpenID Example
    - (Sequence diagram between Browser, RP / Client and OAuth AS / OpenID Provider:)
    - Request login, providing "openid" scope & user info scopes
    - Access code
    - Get access token
    - Access token & ID token
    - Check audience restriction of ID token
    - Get user info using access token
    - User info
  • 28. Authentication & Federation
    - How you authenticate to AS is undefined
    - Use SAML or OpenID Connect for SSO to AS
    - Relay OAuth token in SAML messages
  • 29. SCIM + OAuth
    - Use OAuth to secure SCIM API calls
    - Use SCIM to create accounts needed to access APIs secured using OAuth
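Securing SCIM API calls with OAuth (slide 29) using a by-reference access token (slide 19) and scope checks (slide 17), as an added example that is not part of the original deck. The token store stands in for the AS's introspection lookup, and the scope names and SCIM 2.0 User schema URN are assumptions, not something the deck specifies.

```python
import json
from typing import Optional, Tuple

# Constructed token store standing in for the AS's introspection endpoint:
# the RS holds only an opaque reference and looks the attributes up by it.
TOKEN_STORE = {
    "XYZ123": {"active": True, "sub": "alice", "scope": "scim:read scim:write", "exp": 2000},
    "ABC456": {"active": True, "sub": "bob", "scope": "scim:read", "exp": 2000},
    "OLD789": {"active": True, "sub": "carol", "scope": "scim:read scim:write", "exp": 500},
}

# Scope required per SCIM operation (assumed names; OAuth standardizes no scopes).
REQUIRED_SCOPE = {"GET": "scim:read", "POST": "scim:write", "PUT": "scim:write",
                  "PATCH": "scim:write", "DELETE": "scim:write"}


def introspect(reference: str, now: int) -> Optional[dict]:
    """Resolve a by-reference token; None if unknown, revoked or expired."""
    rec = TOKEN_STORE.get(reference)
    if rec is None or not rec["active"] or now >= rec["exp"]:
        return None
    return rec


def authorize_scim_call(authorization: Optional[str], method: str, now: int) -> Tuple[int, str]:
    """Return (HTTP status, reason or subject) for a SCIM request carrying a bearer token."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "missing bearer token"
    rec = introspect(authorization[len("Bearer "):].strip(), now)
    if rec is None:
        return 401, "invalid or expired token"
    needed = REQUIRED_SCOPE.get(method.upper())
    if needed is None:
        return 405, "unsupported method"
    if needed not in rec["scope"].split():  # narrower scope than the call needs
        return 403, f"scope {needed} required"
    return 200, rec["sub"]


def scim_user(user_name: str, display_name: str) -> str:
    """Minimal SCIM core User resource body (schema URN assumed from SCIM 2.0)."""
    return json.dumps({
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name,
        "displayName": display_name,
    })
```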
  • 30. SCIM + SAML/OIDC
    - Carry SCIM attributes in SAML assertions (bindings for SCIM)
    - Enables JIT provisioning
    - Supplements SCIM API & schema
    - Provisioning accounts using SCIM API to be updated before/after logon
  • 31. User Managed Access
    - Also extends OAuth 2
    - Allows users to centrally control distribution of their identity data
    - Used with Personal Data Stores (PDS) to create "identity data lockers"
  • 32. Neo-security Stack for Brokerage
    - (Diagram: SAML/SCIM, Identity Hub, Telco, etc.)
  • 33. Questions & Thanks
    - @2botech, @travisspencer
    - www.2botech.com, travisspencer.com