Launching a Successful & Secure API
Effectively launching secure, RESTful APIs using the “neo-security stack”
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda
- The challenge in context
- Examples of innovative opportunities
- Neo-security stack
- OAuth basics
- Overview of other layers
- Using the stack
Disruptive Trends
- Cloud computing
- Social networks
- Mobile
- Big data
Progression to This Point
Web apps have evolved from CGI to the cloud to APIs:
- HTTP, HTML, CGI
- COM & CORBA
- SOAP & SOA
- Web 2.0 & REST
- The Cloud
- Web APIs
Example: Pearson
- Launched API to allow innovative uses of existing content
- Turned sunk costs into new revenue stream
- Started w/ one API and deployed others in time
- Built community, not just code
Example: Salesforce.com
- Providing Platform as a Service (PaaS)
- Almost 200,000 customer & partner apps
- Apps span industries and business functions
- Attract new customers w/ lower costs and increased performance
- 60% of all traffic is to API; only 40% to site
Example: AT&T
- The network is the platform
- Examples of their APIs
  - SMS, MMS, location, speech
  - TV, healthcare, notary, advertising
- Sponsor hackathons, events, blogs
- Business benefits
  - Revenue, business agility
  - Time to market, new customer value
  - Innovation, efficiency
“[The API program] is an architectural choice one makes for speed.”
— John Donovan, SEVP, AT&T
Example: Twilio
- Twilio lets you use web languages to build voice, VoIP & SMS applications via a web API
- Raised $70M series D in June
- Example that shows the potential
Example: Cloud Brokerage
Diagram: a Cloud Service Aggregation Platform sits between the back-end services and the user-facing portals.
- Back-end services: cloud services, MNO’s cloud services, legacy services
- Platform functions: support, tenant / user provisioning, web SSO, billing
- Front ends: cloud desktop, app store, user portal; admin portal
Identity is Central
Diagram: identity at the center of the four trends: social networks, cloud computing, mobile, big data.
The Neo-security Stack
- Federation: SAML / OpenID Connect
- Provisioning: SCIM
- Identity: JSON Identity Suite
- Authorization: OAuth
SAML
- SAML: proven technology for identity federation and Web SSO
- Profiles, bindings, protocols, assertions & metadata
- V. 2.1 in the works
Diagram: Service Provider (SP) and Identity Provider (IdP).
OpenID Connect
- New federation protocol that builds on OAuth 2
- Adds identity inputs/outputs to OAuth messages
- Related to prior OpenID versions in name only
- Compact messages for mobile scenarios
- RP / client can determine info about end user
- Tokens are JWTs
- UserInfo endpoint to get user data
Image caption: Grandpa SAML & junior
SCIM
- Defines RESTful API to manage users & groups
- Specifies core user & group schemas
- Supports bulk updates for ingest
- Binding for SAML and eventually OpenID Connect
OAuth
- OAuth 2 is the new protocol of protocols
  - Composed in useful ways
  - Like WS-Trust of old
- Addresses old requirements and solves new ones
  - Delegated access
  - No password sharing
  - Revocation of access
OAuth Actors
- Client
- Authorization Server (AS)
- Resource Server (RS) (i.e., API)
- Resource Owner (RO)
Diagram: the client gets a token from the AS on the user’s behalf, then uses the token at the RS.
Scopes
- Like permissions
- Scopes specify extent of tokens’ usefulness
- Listed on consent UI (if shown)
- Issued tokens may have narrower scope than requested
- No standardized scopes
Kinds of Tokens
- Access tokens: like a session; used to secure API calls
- Refresh tokens: like a password; used to get new access tokens
Passing Tokens
- By value: user attributes are in the token
- By reference: user attributes are referenced by an identifier
  (the slide illustrates both with the sample token 123XYZ)
Profiles of Tokens
- Bearer: bearer tokens are like cash
- Holder of Key: HoK tokens are like credit cards
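The Scopes slide and the by-reference and bearer-token slides above, as an added example that is not from the presentation: a constructed authorization server narrows the requested scope at issuance and hands out an opaque by-reference handle, and a resource server resolves that handle (the lookup a real RS would do against the AS), checks expiry and revocation, and enforces the scope an endpoint needs. The client ids, scope names and in-memory token store are made up, since OAuth standardizes no scopes.

```python
"""Added example (not from the slides): scopes and by-reference bearer tokens.

Constructed, offline stand-in for an OAuth authorization server (AS) and
resource server (RS). TOKEN_STORE plays the role of the AS-side lookup an
RS would reach over the network; client ids and scope names are made up.
"""
import secrets
import time

# Constructed client registration: the most each client may ever be granted.
CLIENT_ALLOWED_SCOPES = {
    "mobile-app": {"read:contacts", "write:contacts"},
    "reporting-job": {"read:contacts"},
}

# By-reference token store: opaque handle -> attributes held at the AS.
TOKEN_STORE = {}


def issue_token(client_id, requested_scope, subject, ttl=3600, now=None):
    """AS side: mint an opaque (by-reference) bearer token.

    The granted scope is the intersection of what the client asked for and
    what it is registered for, so the issued token may be narrower than
    requested, as the Scopes slide says. Returns (handle, granted_scope).
    """
    allowed = CLIENT_ALLOWED_SCOPES.get(client_id)
    if allowed is None:
        raise ValueError("unknown client")
    granted = set(requested_scope) & allowed
    if not granted:
        raise ValueError("none of the requested scopes are allowed")
    now = time.time() if now is None else now
    handle = secrets.token_urlsafe(24)  # the "123XYZ" of the slide
    TOKEN_STORE[handle] = {
        "active": True, "sub": subject, "client_id": client_id,
        "scope": granted, "exp": now + ttl,
    }
    return handle, granted


def lookup_token(handle, now=None):
    """AS side: resolve a handle to its attributes (what introspection does).

    Returns None for unknown, revoked or expired handles, so the RS never
    learns anything about a token it should not honour.
    """
    rec = TOKEN_STORE.get(handle)
    now = time.time() if now is None else now
    if rec is None or not rec["active"] or rec["exp"] <= now:
        return None
    return rec


def revoke_token(handle):
    """By-reference tokens can be revoked centrally: flip one flag at the AS."""
    rec = TOKEN_STORE.get(handle)
    if rec is not None:
        rec["active"] = False


def parse_bearer(authorization_header):
    """RS side: pull the token out of 'Authorization: Bearer <token>'."""
    if authorization_header is None:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def authorize_request(authorization_header, required_scope, now=None):
    """RS side: 401 without a usable token, 403 when scope is insufficient.

    Returns (status, subject). Only the scope actually granted counts, never
    what the client originally requested.
    """
    handle = parse_bearer(authorization_header)
    if handle is None:
        return 401, None
    rec = lookup_token(handle, now)
    if rec is None:
        return 401, None
    if required_scope not in rec["scope"]:
        return 403, rec["sub"]
    return 200, rec["sub"]
```

Because the RS accepts whoever presents the handle (cash, not a credit card), the expiry and revocation paths above are what limits the damage from a leaked token.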
Types of Tokens
- WS-Security
- SAML
- JWT
- Custom
- Home-grown
- Oracle Access Manager
- SiteMinder
- Etc.
JSON Identity Protocol Suite
- Suite of JSON-based identity protocols
  - Tokens (JWT), Encryption (JWE)
  - Keys (JWK), Signatures (JWS)
  - Algorithms (JWA)
- Bearer Token spec explains how to use w/ OAuth
- Being defined in IETF
JWT Tokens
- Pronounced like the English word “jot”
- Lightweight tokens passed in HTTP headers & query strings
- Akin to SAML tokens
  - Less expressive
  - Fewer security options
  - More compact
  - Encoded w/ JSON, not XML
OAuth Web Server Flow (diagram slide)
Usage of OAuth
- Not for authentication
- Not really for authorization
- For delegation
Stealing Bearer Tokens (image slide: the cash symbol from the bearer-token analogy)
OpenID Example
Sequence diagram with three participants: browser, RP / client, and OAuth AS / OpenID Provider.
1. RP / client requests login, providing the “openid” scope & user info scopes
2. Access code is returned (via the browser)
3. Get access token
4. Access token & ID token are returned
5. RP checks the audience restriction of the ID token
6. Get user info using the access token
7. User info is returned
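Step 5 of the sequence above (checking the audience restriction of the ID token) together with the JWT Tokens slide, as an added example that is not from the presentation: a stand-in OpenID Provider mints an ID token as an HS256 JWT and the RP validates it. It assumes a shared secret (a real OP would normally sign with an asymmetric key published as a JWK) and placeholder issuer, client id and nonce values.

```python
"""Added example (not from the slides): minting and validating an ID token.

Constructed, offline stand-in for the OpenID Provider (OP) and the RP.
HS256 with a shared secret keeps it dependency-free; the issuer URL,
client id and secret are made-up placeholders.
"""
import base64
import hashlib
import hmac
import json

OP_ISSUER = "https://op.example"            # placeholder issuer
SHARED_SECRET = b"constructed-demo-secret"  # placeholder key, demo only


def b64url_encode(data):
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def mint_id_token(subject, client_id, issued_at, nonce, lifetime=300):
    """OP side: JWS compact serialization header.payload.signature.

    'aud' is the RP's client id: that is the audience restriction the RP
    must check before trusting the token.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": OP_ISSUER, "sub": subject, "aud": client_id,
        "iat": issued_at, "exp": issued_at + lifetime, "nonce": nonce,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, expected_client_id, expected_nonce, now):
    """RP side. Returns (claims, None) on success or (None, reason) on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        actual_sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None, "malformed"
    # Pin the algorithm: the verifier decides how to verify, not the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected_sig = hmac.new(SHARED_SECRET, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, actual_sig):
        return None, "bad signature"
    # Only now is the payload trustworthy enough to parse and inspect.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != OP_ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in audiences:
        return None, "audience mismatch"   # token was minted for another RP
    if now >= claims.get("exp", 0):
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"      # ties the token to this login request
    return claims, None
```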
Authentication & Federation
- How you authenticate to AS is undefined
- Use SAML or OpenID Connect for SSO to AS
- Relay OAuth token in SAML messages
SCIM + OAuth
- Use OAuth to secure SCIM API calls
- Use SCIM to create accounts needed to access APIs secured using OAuth
SCIM + SAML/OIDC
- Carry SCIM attributes in SAML assertions (bindings for SCIM)
  - Enables JIT provisioning
  - Supplements SCIM API & schema
- Provisioning accounts using SCIM API to be updated before/after logon
User Managed Access
- Also extends OAuth 2
- Allows users to centrally control distribution of their identity data
- Used with Personal Data Stores (PDS) to create “identity data lockers”
Neo-security Stack for Brokerage
Diagram (labels recovered): Identity Hub, Telco, etc., connected via SAML/SCIM.
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
travisspencer.com
Reigniting the API Description Wars with TypeSpec and the Next Generation of...Reigniting the API Description Wars with TypeSpec and the Next Generation of...
Reigniting the API Description Wars with TypeSpec and the Next Generation of ...
 
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAnyEstablish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
 
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
 
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIsGoing Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
 
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
 
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerGenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
 
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
 
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
 

Recently uploaded

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 

Recently uploaded (20)

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Launching a Successful and Secure API

• 1. Launching a Successful & Secure API
  Effectively launching secure, RESTful APIs using the "neo-security stack"
  By Travis Spencer, CEO (@travisspencer, @2botech)
  Copyright © 2013 Twobo Technologies AB. All rights reserved

• 2. Agenda
  - The challenge in context
  - Examples of innovative opportunities
  - Neo-security stack
  - OAuth basics
  - Overview of other layers
  - Using the stack

• 4. Progression to This Point
  Web apps have evolved from CGI to the cloud to APIs:
  HTTP, HTML, CGI → COM & CORBA → SOAP & SOA → Web 2.0 & REST → The Cloud → Web APIs

• 5. Example: Pearson
  - Launched API to allow innovative uses of existing content
  - Turned sunk costs into new revenue stream
  - Started w/ one API and deployed others in time
  - Built community, not just code
  (Image credits: Copyright © 2013 Pearson plc; Copyright © 2008 Maja Dumat)

• 6. Example: Salesforce.com
  - Providing Platform as a Service (PaaS)
  - Almost 200,000 customer & partner apps
  - Apps span industries and business functions
  - Attract new customers w/ lower costs and increased performance
  - 60% of all traffic is to API; only 40% to site
  (Image credit: Copyright © 2000-2013 salesforce.com, Inc.)

• 7. Example: AT&T
  - The network is the platform
  - Examples of their APIs: SMS, MMS, location, speech; TV, healthcare, notary, advertising
  - Sponsor hackathons, events, blogs
  - Business benefits: revenue, business agility, time to market, new customer value, innovation, efficiency
  "[The API program] is an architectural choice one makes for speed." — John Donovan, SEVP, AT&T

• 8. Example: Twilio
  - Twilio lets you use web languages to build voice, VoIP & SMS applications via a web API
  - Raised $70M series D in June
  - Example that shows the potential

• 9. Example: Cloud Brokerage
  [Diagram labels: Cloud Services; MNO's Cloud Services; Legacy Services; Cloud Service Aggregation Platform; Platform Support: Tenant / User Provisioning, Web SSO, Billing; Cloud Desktop, App Store, User Portal; Admin Portal]

• 10. Identity is Central
  [Diagram: Identity at the centre of Social Networks, Cloud Computing, Mobile and Big Data]

• 11. The Neo-security Stack
  - Federation: SAML / OpenID Connect
  - Provisioning: SCIM
  - Identity: JSON Identity Suite
  - Authorization: OAuth

• 12. SAML
  - SAML: proven technology for identity federation and Web SSO
  - Profiles, bindings, protocols, assertions & metadata
  - V. 2.1 in the works
  [Diagram: Service Provider (SP) and Identity Provider (IdP)]

• 13. OpenID Connect
  - New federation protocol that builds on OAuth 2
  - Adds identity inputs/outputs to OAuth messages
  - Related to prior OpenID versions in name only
  - Compact messages for mobile scenarios
  - RP / client can determine info about end user
  - Tokens are JWTs
  - UserInfo endpoint to get user data
  [Image caption: "Grandpa SAML & junior"]

• 14. SCIM
  - Defines RESTful API to manage users & groups
  - Specifies core user & group schemas
  - Supports bulk updates for ingest
  - Binding for SAML and eventually OpenID Connect

• 15. OAuth
  - OAuth 2 is the new protocol of protocols
  - Composed in useful ways, like WS-Trust of old
  - Addresses old requirements and solves new ones: delegated access, no password sharing, revocation of access

• 16. OAuth Actors
  - Client
  - Authorization Server (AS)
  - Resource Server (RS) (i.e., API)
  - Resource Owner (RO)
  [Diagram: the Client gets a token from the AS and uses the token at the RS]

• 17. Scopes
  - Like permissions
  - Scopes specify extent of tokens' usefulness
  - Listed on consent UI (if shown)
  - Issued tokens may have narrower scope than requested
  - No standardized scopes

• 18. Kinds of Tokens
  - Access tokens: like a session; used to secure API calls
  - Refresh tokens: like a password; used to get new access tokens

• 19. Passing Tokens
  - By value: user attributes are in the token
  - By reference: user attributes are referenced by an identifier
  [Diagram: a token labelled 123XYZ shown for each case]

• 20. Profiles of Tokens
  - Bearer: bearer tokens are like cash
  - Holder of Key: HoK tokens are like credit cards

• 21. Types of Tokens
  - WS-Security
  - SAML
  - JWT
  - Custom: home-grown, Oracle Access Manager, SiteMinder, etc.

• 22. JSON Identity Protocol Suite
  - Suite of JSON-based identity protocols: Tokens (JWT), Encryption (JWE), Keys (JWK), Signatures (JWS), Algorithms (JWA)
  - Bearer Token spec explains how to use w/ OAuth
  - Being defined in IETF

• 23. JWT Tokens
  - Pronounced like the English word "jot"
  - Lightweight tokens passed in HTTP headers & query strings
  - Akin to SAML tokens: less expressive, fewer security options, more compact, encoded w/ JSON not XML

• 24. OAuth Web Server Flow
  [Diagram only]

• 25. Usage of OAuth
  - Not for authentication
  - Not really for authorization
  - For delegation

• 26. Stealing Bearer Tokens
  [Diagram only]

• 27. OpenID Example
  [Sequence diagram between Browser, RP / Client and OAuth AS / OpenID Provider; labelled steps: Request login, providing "openid" scope & user info scopes; Access code; Get access token; Access token & ID token; Check audience restriction of ID token; Get user info using access token; User info]

• 28. Authentication & Federation
  - How you authenticate to AS is undefined
  - Use SAML or OpenID Connect for SSO to AS
  - Relay OAuth token in SAML messages

• 29. SCIM + OAuth
  - Use OAuth to secure SCIM API calls
  - Use SCIM to create accounts needed to access APIs secured using OAuth

• 30. SCIM + SAML/OIDC
  - Carry SCIM attributes in SAML assertions (bindings for SCIM)
  - Enables JIT provisioning
  - Supplements SCIM API & schema
  - Provisioning accounts using SCIM API to be updated before/after logon

• 31. User Managed Access
  - Also extends OAuth 2
  - Allows users to centrally control distribution of their identity data
  - Used with Personal Data Stores (PDS) to create "identity data lockers"

• 32. Neo-security Stack for Brokerage
  [Diagram labels: SAML/SCIM, Identity Hub, Telco etc.; Copyright © 2013, Twobo Technologies AB]
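As an added example (not from the slides), here are the RP-side checks behind slide 27's "Check audience restriction of ID token" step, together with the API-side scope check that slide 17's "issued tokens may have narrower scope than requested" implies, in Python using only the standard library. Assumptions: the ID token is an HS256-signed JWT using a client secret shared by OP and RP, and the issuer, client ID and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (assumptions, not from the slides).
ISSUER = "https://op.example.com"             # the OAuth AS / OpenID Provider
CLIENT_ID = "example-rp"                      # the RP / client
SHARED_SECRET = b"constructed-client-secret"  # HS256 key shared by OP and RP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS as the OP would; used here only to build test tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, key, client_id, issuer, expected_nonce, now=None):
    """RP-side checks for the ID token returned alongside the access token:
    signature, issuer, audience restriction, expiry and nonce.
    Returns the claims, or raises ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected alg
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:  # audience restriction: token was issued to someone else
        raise ValueError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to this login request
        raise ValueError("nonce mismatch")
    return claims


def has_scope(granted_scope: str, required: str) -> bool:
    """RS-side check of a token's space-separated scope string: what the AS
    actually issued may be narrower than what the client asked for."""
    return required in granted_scope.split()
```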