Neo-security Stack

2,405 views

Published on

Technologies that are being used together to secure RESTful APIs: SAML (and eventually OpenID Connect), OAuth, SCIM, and the JSON Identity Protocol Suite (esp. JWT).

Discussion how these technologies can be combined to provide enterprise grade security for APIs and put this need into the broader context.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,405
On SlideShare
0
From Embeds
0
Number of Embeds
516
Actions
Shares
0
Downloads
43
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Neo-security Stack

  1. 1. The “Neo-security Stack”Securing APIs using the new stack of RESTful technologiesBy Travis Spencer, CEO@travisspencer, @2botechCopyright © 2013 Twobo Technologies AB. All rights reserved
  2. 2. Agenda The security challenge in context Neo-security stack OAuth Basics Overview of other layersCopyright © 2013 Twobo Technologies AB. All rights reserved
  3. 3. Crucial Security ConcernsCopyright © 2013 Twobo Technologies AB. All rights reservedEnterpriseSecurityAPISecurityMobileSecurity
  4. 4. Identity is CentralCopyright © 2013 Twobo Technologies AB. All rights reservedMDM MAMAuthZMobileSecurityAPISecurityEnterpriseSecurityIdentityVenn diagram by Gunnar Peterson
  5. 5. SAML /OpenIDConnectSCIMJSONIdentitySuiteOAuthThe Neo-security StackCopyright © 2013 Twobo Technologies AB. All rights reservedFederation ProvisioningIdentity Authorization
  6. 6. SAML SAML: proventechnology foridentity federationand Web SSO Profiles, bindings,protocols, assertions& metadata V. 2.1 inthe worksCopyright © 2013 Twobo Technologies AB. All rights reservedServiceProvider (SP)Identity Provider (IdP)
  7. 7. OpenID Connect New federation protocol that builds on OAuth 2 Adds identity inputs/outputs to OAuth messages Related to prior OpenID versions in name only Compact messages for mobile scenerios RP / client can determine info about end user Tokens are JWTs UserInfo endpoint to get user dataCopyright © 2013 Twobo Technologies AB. All rights reservedGrandpa SAML& junior
  8. 8. Overview of SCIM Defines RESTful API to manage users & groups Specifies core user & group schemas Supports bulk updates for ingest Binding for SAML and eventually OpenID ConnectCopyright © 2013 Twobo Technologies AB. All rights reserved
  9. 9. OAuth OAuth 2 is the new protocol ofprotocols Composed in useful ways Like WS-Trust of old Addresses old requirements andsolves new ones Delegated access No password sharing Revocation of accessCopyright © 2013 Twobo Technologies AB. All rights reserved
  10. 10. OAuth Actors Client Authorization Server (AS) Resource Server (RS) (i.e., API) Resource Owner (RO)Copyright © 2013 Twobo Technologies AB. All rights reservedGetatokenUser a tokenRS ClientAS
  11. 11. Access Tokens Refresh TokensTypes of TokensCopyright © 2013 Twobo Technologies AB. All rights reservedLike a SessionUsed to secure API callsLike a PasswordUsed to get new accesstokens
  12. 12. By Value By ReferenceClasses of TokensCopyright © 2013 Twobo Technologies AB. All rights reserved123XYZ123XYZUser attributes are in thetokenUser attributes arereferenced by an identifier
  13. 13. Scopes Like permissions Scopes specify extent oftokens’ usefulness Listed on consent UI (if shown) Issued tokens may havenarrower scope than requested No standardized scopesCopyright © 2013 Twobo Technologies AB. All rights reserved
  14. 14. OAuth Web Server FlowCopyright © 2013 Twobo Technologies AB. All rights reserved
  15. 15. Usage of OAuthCopyright © 2013 Twobo Technologies AB. All rights reservedNot for authenticationNot really for authorizationFor delegation
  16. 16. JSON Identity Protocol Suite Suite of JSON-based identity protocols Tokens (JWT) ▪ Encryption (JWE) Keys (JWK) ▪ Signatures (JWS) Algorithms (JWA) Bearer Token spec explains how to use w/ OAuth Being defined in IETFCopyright © 2013 Twobo Technologies AB. All rights reserved
  17. 17. JWT Tokens Pronounced like the English word “jot” Lightweight tokens passed in HTTP headers &query strings Akin to SAML tokens Less expressive Less security options More compact Encoded w/ JSON not XMLCopyright © 2013 Twobo Technologies AB. All rights reserved
  18. 18. Authentication & Federation How you authenticate to AS is undefined Use SAML or OpenID Connect for SSO to AS Relay OAuth token in SAML messagesCopyright © 2013 Twobo Technologies AB. All rights reserved
  19. 19. Push Tokens & Pull DataCopyright © 2013 Twobo Technologies AB. All rights reservedIdP & API Provider SaaS AppBrowserAccess token infederation messageGet DataData
  20. 20. SCIM + OAuth Use OAuth to secure SCIM API calls Use SCIM to create accounts needed to accessAPIs secured using OAuthCopyright © 2013 Twobo Technologies AB. All rights reserved
  21. 21. SCIM + SAML/OIDC Carry SCIM attributes in SAML assertions(bindings for SCIM) Enables JIT provisioning Supplements SCIM API & schema Provisioning accounts using SCIM API to beupdated before/after logonCopyright © 2013 Twobo Technologies AB. All rights reserved
  22. 22. User Managed Access Also extends OAuth 2 Allows users to centrally controldistribution of their identity data Used with Personal DataStores (PDS) to create “identitydata lockers”Copyright © 2013 Twobo Technologies AB. All rights reserved
  23. 23. Questions & Thanks@2botech@travisspencerwww.2botech.comtravisspencer.comCopyright © 2013 Twobo Technologies AB. All rights reserved

×