Protecting web APIs with OAuth 2.0

•

3 likes•1,228 views

Как да контролираме достъпа до web API и други защитени ресурси посредством OAuth 2.0, и как да идентифицираме потребители с OpenID Connect. Лекцията е предназначена за уеб архитекти и програмисти, както и за всички разработчици, които искат да научат повече за новите уеб протоколи за авторизация и автентикация.

Software

Protecting web APIs with
OAuth 2.0
Vladimir Dzhuvinov

HTTPS request with a bearer token
GET /client-reg HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
type token value

Successful HTTP response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{ … }

On missing token
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer

On invalid / expired token
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error=”invalid_token”

On token with insufficient
privileges
HTTP/1.1 403 Forbidden
WWW-Authenticate: Bearer error=”insufficient_scope”

To learn more about
bearer token usage
See RFC 6750
[ http://tools.ietf.org/html/rfc6750 ]

How does your web API
decode the access tokens?
Your W eb API

Typical authorisation attributes
associated with an access token
● Scope: e.g. read,
write, admin...
● Expiration time
● User ID
● Client ID
● Issuer

The 2 possible token encodings
● Self-contained:
– Require RSA signature
verification, < 1 ms
– Scale extremely well
● Identifier-based:
– Require web API
lookup, ~100+ ms
– Don't scale well, avoid

JSON Web Tokens (JWT)
eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiwiZW1haWwiLCJwcm
9maWxlIl0sImV4cCI6MTQxNDA2NTEzNCwic3ViIjoiYWxpY2UiLCJpc3MiOiJodHRw
OlwvXC9sb2NhbGhvc3Q6ODA4MFwvYzJpZCIsImlhdCI6MTQxNDA2NDUzNCwiY2l
kIjoiMDAwMTIzIn0.fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkw
mDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Ccpv7rKrcN60ai6G2hop
e7sCRvWTqYx2g8Mk7UOT061Feei7RMYFekO5pFPxSDiKyHCQjbkU
Syntax:
BASE64URL(header) +
“.” +
BASE64URL(JSON-claims) +
“.” +
BASE64URL(RSA-signature)

JSON Web Tokens (JWT)
Header
{ "alg": "RS256", "kid": "1" }
Claims
{ "sub": "alice",
"cid": "000123",
"iss": "https://connect2id.com",
"exp": 1414065134,
"iat": 1414064534,
"scp": [ "read", "write", "admin" ]
}
Signature (RSA)
fBZW6U9r7M53fwhoEtC9
Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Cc

To learn more about JWT
See draft-ietf-oauth-json-web-token-29
[ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ]

The ultimate Java library for JWT
http://connect2id.com/products/nimbus-jose-jwt
Thousands of deployments, tens of reviewers and
contributors
Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk,
CertiVox, Harvard Medical Schools, unnamed banks, etc.

Your authorisation server
Authenticates
users and clients,
issues tokens
OAuth 2.0
server
mobile app
web app
native app
Web API Web API Web API
Web APIs service requests, need only understand access tokens

The OAuth 2.0 grants
● Authorisation code – require browser for end-user
interaction
● Implicit – for browser (JS) based apps
● Password – for native apps
● Client credentials – for clients acting on their own
behalf
● Assertions:
– SAML 2.0 Bearer
– JWT Bearer

To learn more about OAuth 2.0
See RFC 6749
[ http://tools.ietf.org/html/rfc6749 ]

OpenID Connect
● Identity layer on top of the OAuth 2.0 framework
● The server issues an ID token in addition to the
access token:
– The ID token is a signed JWT with claims:
● Subject – the end-user ID
● Issuer – the authority
● Issue and expiration date
● Audience – the intended recipients
● Authentication strength and methods

$ID token claims { "sub" : "alice", "iss" : "https://connect2id.com", "iat" : 1414076589, "exp" : 1414077489, "aud" : [ "000123" ], "ip_address" : "10.20.30.40", "acr" : "1", "amr" : [ "ldap" ] }$

To learn more about
OpenID Connect
See
OpenID Connect 1.0 Core
OpenID Connect 1.0 Discovery
OpenID Connect 1.0 Dynamic Registration
OpenID Connect 1.0 Session Management
[ http://openid.net/connect/ ]

What's hot

CIS14: OAuth and OpenID Connect in Action

CloudIDSummit

JavaOne 2014 - Securing RESTful Resources with OAuth2

Rodrigo Cândido da Silva

Single-Page-Application & REST security

Igor Bossenko

This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)

OAuth 2.0

Uwe Friedrichsen

OpenID Connect - An Emperor or Just New Cloths?

Oliver Pfaff

Stateless Auth using OAuth2 & JWT

Gaurav Roy

Mit 2014 introduction to open id connect and o-auth 2

Justin Richer

Json web token api authorization

Giulio De Donato

An Introduction to OAuth2

Aaron Parecki

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

CloudIDSummit

JWT SSO Inbound Authenticator

MifrazMurthaja

2016 pycontw web api authentication

Micron Technology

As products and companies move towards IoT model, users and machines alike need to interact with various APIs. Securing these APIs in a connected world can be a challenge faced by many. Fortunately, there are open standards addressing even the most complex of use cases - OAuth, OpenID and OpenID Connect happen to be widely adopted and have a growing support across many API and Identity Providers. In this session I'll talk about these standards, and walk through common use cases/flows from an API Provider as well as consumer's side. We will explore how these standards come together to not only secure the APIs, but also manage identity.

Securing your APIs with OAuth, OpenID, and OpenID Connect

Manish Pandit

Spring security oauth2

axykim00

#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2

Profesia Srl, Lynx Group

SpringOne Platform 2016 Speaker: David Ferriera; Director, Cloud Technology, Forgerock Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

Websites and applications are implementing social single sign-on to allow users to login using trusted authentication providers such as Google, Facebook, and even Salesforce. Join us to learn how to configure the OpenID Connect authentication provider to allow users to authenticate at Google to access a Salesforce environment. We'll also look at how you can relieve yourself of the burden of password management by having your web app login users via Salesforce.

OpenID Connect and Single Sign-On for Beginners

Salesforce Developers

Save 10% off ANY FITC event with discount code 'slideshare' See our upcoming events at www.fitc.ca Yuri will discuss the challenges of authentication and authorization in the MEAN stack. Topics include architecture, best practices for determining client and server responsibilities, and the importance of sharing authorization context with the client logic in order to build an effective user experience. Angular and Node code samples will be used to illustrate. Presented live at FITC's Spotlight: MEAN Stack event held on March 28th, 2014 More info at FITC.ca

Authentication and Authorization Architecture in the MEAN Stack

FITC

CIS 2012 - Going Mobile with PingFederate and OAuth 2

scotttomilson

OAuth2 + API Security

Amila Paranawithana

What's hot (20)

CIS14: OAuth and OpenID Connect in Action

JavaOne 2014 - Securing RESTful Resources with OAuth2

Single-Page-Application & REST security

OAuth 2.0

OpenID Connect - An Emperor or Just New Cloths?

Stateless Auth using OAuth2 & JWT

Mit 2014 introduction to open id connect and o-auth 2

Json web token api authorization

An Introduction to OAuth2

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

JWT SSO Inbound Authenticator

2016 pycontw web api authentication

Securing your APIs with OAuth, OpenID, and OpenID Connect

Spring security oauth2

#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2

An Authentication and Authorization Architecture for a Microservices World

OpenID Connect and Single Sign-On for Beginners

Authentication and Authorization Architecture in the MEAN Stack

CIS 2012 - Going Mobile with PingFederate and OAuth 2

OAuth2 + API Security

Similar to Protecting web APIs with OAuth 2.0

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...

Vladimir Bychkov

Protecting your APIs with Doorkeeper and OAuth 2.0

Mads Toustrup-Lønne

OpenID Connect Explained

Vladimir Dzhuvinov

Oauth2 and OWSM OAuth2 support

Gaurav Sharma

OAuth2

SPARK MEDIA

https://www.hackmiami.com/hmc5-speakers-day-2 OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementi ng OAuth for your product/platform.We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely. When you use OAuth, there are three pieces - The Platform , the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on a OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower risk vulnerabilities can result in gaping holes in your OAuth implementation. You will leave this session with a deep understanding of how OAuth implementation should be secured both for a platform and in an application and things to test for during a security evaluation of OAuth implementations.

Oauth Nightmares Abstract OAuth Nightmares

Nino Ho

OAuth 2.0

Alex Bilbie

Accessing APIs using OAuth on the federated (WordPress) web

Felix Arntz

Microsoft Graph API Delegated Permissions

Stefan Weber

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect

Vinay Manglani

OAuth 2

ChrisWood262

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...

Good Dog Labs, Inc.

Web API 2 Token Based Authentication

jeremysbrown

.NET Core, ASP.NET Core Course, Session 19

aminmesbahi

Microservice security with spring security 5.1,Oauth 2.0 and open id connect

Nilanjan Roy

It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication. During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.

Demystifying OAuth 2.0

Karl McGuinness

2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core

Vladimir Bychkov

OAuth2 Introduction

Arpit Suthar

Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures. The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC). In this talk, you will get a concise introduction into OAuth 2.0 and OIDC. We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices currently evolved by the working group. So If you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time then this is the talk you should go for.

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"

Andreas Falk

(1) OAuth 2.0 Overview

anikristo

Similar to Protecting web APIs with OAuth 2.0 (20)

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...

Protecting your APIs with Doorkeeper and OAuth 2.0

OpenID Connect Explained

Oauth2 and OWSM OAuth2 support

OAuth2

Oauth Nightmares Abstract OAuth Nightmares

OAuth 2.0

Accessing APIs using OAuth on the federated (WordPress) web

Microsoft Graph API Delegated Permissions

Demystifying SAML 2.0,Oauth 2.0, OpenID Connect

OAuth 2

OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...

Web API 2 Token Based Authentication

.NET Core, ASP.NET Core Course, Session 19

Microservice security with spring security 5.1,Oauth 2.0 and open id connect

Demystifying OAuth 2.0

2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core

OAuth2 Introduction

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"

(1) OAuth 2.0 Overview

More from Vladimir Dzhuvinov

Полезна криптография за уеб и мобилни разработчици - това ще бъде една от темите на ТърновоКонф утре. Без да се задълбаваме в теория, ще разгледаме основните крипто инструменти - хеш, HMAC, подпис и (а)симетричен тайнопис и техни практични приложения като верификация на потребители, single-sign on, CSRF защита, автентикация към уеб интерфейси и прочие :)

Криптография за уеб и мобилни разработчици

Vladimir Dzhuvinov

New money

Vladimir Dzhuvinov

Mind patterns and anti-patterns

Vladimir Dzhuvinov

Cross-domain requests with CORS

Vladimir Dzhuvinov

JSON Web Tokens (JWT)

Vladimir Dzhuvinov

Plovdev 2013: How to be a better programmer, beyond programming

Vladimir Dzhuvinov

Binding components, events + data sources in HTML + JS

Vladimir Dzhuvinov

More from Vladimir Dzhuvinov (7)

Криптография за уеб и мобилни разработчици

New money

Mind patterns and anti-patterns

Cross-domain requests with CORS

JSON Web Tokens (JWT)

Plovdev 2013: How to be a better programmer, beyond programming

Binding components, events + data sources in HTML + JS

Recently uploaded

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal.

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...

masabamasaba

%in Soweto+277-882-255-28 abortion pills for sale in soweto

masabamasaba

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...

WSO2

8257 interfacing 2 in microprocessor for btech students

HimanshiGarg82

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

masabamasaba

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

masabamasaba

In the past six months, the AI landscape has undergone a massive transformation, ushering in a new era of productivity with the latest in Large Language Models (LLMs) and AI technology. This deep dive unlocks how to: Create CustomGPT Models: No coding needed to tailor AI for your unique projects. Integrate your own data, including PDFs and Excel sheets, making information handling a breeze. Plus, discover how to call your own actions/integrations for even more personalized utility. Navigate Advanced Prompting: Overcome AI's memory limits and utilize Retrieval-Augmented Generation for accessing your personalized data, streamlining how you interact with AI. Stay Ahead with AI Trends: Peek into the evolving world of LLMs, featuring newcomers like Google Gemini, Anthropic Claude, Open Sora, and Twitter Grok, and understand what their advancements mean for your productivity. Witness Real-Life Transformations: Through examples and prompt demonstrations, see firsthand how these AI strategies revolutionize routine tasks, from data analysis to content creation. Learn to leverage image output and input for advanced practical use cases, adding a new dimension to your productivity toolkit. No previous coding or AI experience is needed for this talk. Stay ahead in the fast-evolving world of work. Embrace the AI revolution and transform your workflow with advanced LLM techniques. Join us to ensure you're not left behind in the productivity race.

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

VictorSzoltysek

Model Call Girl Services in Delhi reach out to us at 🔝 9953056974 🔝✔️✔️ Our agency presents a selection of young, charming call girls available for bookings at Oyo Hotels. Experience high-class escort services at pocket-friendly rates, with our female escorts exuding both beauty and a delightful personality, ready to meet your desires. Whether it's Housewives, College girls, Russian girls, Muslim girls, or any other preference, we offer a diverse range of options to cater to your tastes. We provide both in-call and out-call services for your convenience. Our in-call location in Delhi ensures cleanliness, hygiene, and 100% safety, while our out-call services offer doorstep delivery for added ease. We value your time and money, hence we kindly request pic collectors, time-passers, and bargain hunters to refrain from contacting us. Our services feature various packages at competitive rates: One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Full night for more than 1 person: Contact us at 🔝 9953056974 🔝. for details Operating 24/7, we serve various locations in Delhi, including Green Park, Lajpat Nagar, Saket, and Hauz Khas near metro stations. For premium call girl services in Delhi 🔝 9953056974 🔝. Thank you for considering us!

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

9953056974 Low Rate Call Girls In Saket, Delhi NCR

In today's dynamic e-commerce landscape, the payment gateway emerges as a linchpin, ensuring smooth and secure transactions between buyers and sellers. In this discourse, we delve into the meticulous process of devising test cases tailored for scrutinizing payment gateways. Crafting precise test cases for payment gateways is a quintessential responsibility for testers operating within the service industry. This article meticulously explores pivotal scenarios integral to how to test payment gateways, coupled with essential guidelines for drafting effective test cases.

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

kalichargn70th171

The title is not connected to what is inside

shinachiaurasa2

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

Recently uploaded (20)

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...

%in Soweto+277-882-255-28 abortion pills for sale in soweto

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...

8257 interfacing 2 in microprocessor for btech students

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

The title is not connected to what is inside

Right Money Management App For Your Financial Goals

%in Midrand+277-882-255-28 abortion pills for sale in midrand

AI & Machine Learning Presentation Template

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

Protecting web APIs with OAuth 2.0

1. Protecting web APIs with OAuth 2.0 Vladimir Dzhuvinov

2. Bearer Token Your cool web API

3. HTTPS request with a bearer token GET /client-reg HTTP/1.1 Host: c2id.com Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6 type token value

4. Successful HTTP response HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { … }

5. On missing token HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer

6. On invalid / expired token HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer error=”invalid_token”

7. On token with insufficient privileges HTTP/1.1 403 Forbidden WWW-Authenticate: Bearer error=”insufficient_scope”

8. To learn more about bearer token usage See RFC 6750 [ http://tools.ietf.org/html/rfc6750 ]

9. How does your web API decode the access tokens? Your W eb API

10. Typical authorisation attributes associated with an access token ● Scope: e.g. read, write, admin... ● Expiration time ● User ID ● Client ID ● Issuer

11. The 2 possible token encodings ● Self-contained: – Require RSA signature verification, < 1 ms – Scale extremely well ● Identifier-based: – Require web API lookup, ~100+ ms – Don't scale well, avoid

12. JSON Web Tokens (JWT) eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiwiZW1haWwiLCJwcm 9maWxlIl0sImV4cCI6MTQxNDA2NTEzNCwic3ViIjoiYWxpY2UiLCJpc3MiOiJodHRw OlwvXC9sb2NhbGhvc3Q6ODA4MFwvYzJpZCIsImlhdCI6MTQxNDA2NDUzNCwiY2l kIjoiMDAwMTIzIn0.fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkw mDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Ccpv7rKrcN60ai6G2hop e7sCRvWTqYx2g8Mk7UOT061Feei7RMYFekO5pFPxSDiKyHCQjbkU Syntax: BASE64URL(header) + “.” + BASE64URL(JSON-claims) + “.” + BASE64URL(RSA-signature)

13. JSON Web Tokens (JWT) Header { "alg": "RS256", "kid": "1" } Claims { "sub": "alice", "cid": "000123", "iss": "https://connect2id.com", "exp": 1414065134, "iat": 1414064534, "scp": [ "read", "write", "admin" ] } Signature (RSA) fBZW6U9r7M53fwhoEtC9 Bxi8U1ytQvpy8pmHylvvvhEZimluNkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Cc

14. To learn more about JWT See draft-ietf-oauth-json-web-token-29 [ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ]

15. The ultimate Java library for JWT http://connect2id.com/products/nimbus-jose-jwt Thousands of deployments, tens of reviewers and contributors Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk, CertiVox, Harvard Medical Schools, unnamed banks, etc.

16. Who issues the access tokens?

17. Your authorisation server Authenticates users and clients, issues tokens OAuth 2.0 server mobile app web app native app Web API Web API Web API Web APIs service requests, need only understand access tokens

18. The OAuth 2.0 grants ● Authorisation code – require browser for end-user interaction ● Implicit – for browser (JS) based apps ● Password – for native apps ● Client credentials – for clients acting on their own behalf ● Assertions: – SAML 2.0 Bearer – JWT Bearer

19. To learn more about OAuth 2.0 See RFC 6749 [ http://tools.ietf.org/html/rfc6749 ]

20. OpenID Connect ● Identity layer on top of the OAuth 2.0 framework ● The server issues an ID token in addition to the access token: – The ID token is a signed JWT with claims: ● Subject – the end-user ID ● Issuer – the authority ● Issue and expiration date ● Audience – the intended recipients ● Authentication strength and methods

21. ID token claims { "sub" : "alice", "iss" : "https://connect2id.com", "iat" : 1414076589, "exp" : 1414077489, "aud" : [ "000123" ], "ip_address" : "10.20.30.40", "acr" : "1", "amr" : [ "ldap" ] }

22. To learn more about OpenID Connect See OpenID Connect 1.0 Core OpenID Connect 1.0 Discovery OpenID Connect 1.0 Dynamic Registration OpenID Connect 1.0 Session Management [ http://openid.net/connect/ ]

Protecting web APIs with OAuth 2.0

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Protecting web APIs with OAuth 2.0

Similar to Protecting web APIs with OAuth 2.0 (20)

More from Vladimir Dzhuvinov

More from Vladimir Dzhuvinov (7)

Recently uploaded

Recently uploaded (20)

Protecting web APIs with OAuth 2.0