Nordic APIs - Building a Secure API

6,342 views

Published on

Overview of techniques and technologies needed to launch a secure API

Published in: Technology

  1. Building a Secure API. Overview of techniques and technologies needed to launch a secure API. By Travis Spencer, CEO. @travisspencer, @2botech. Copyright © 2013 Twobo Technologies AB. All rights reserved.
  2. Agenda
     • The security challenge in context
     • Neo-security stack
     • OAuth basics
     • Overview of other layers
  3. Crucial Security Concerns: Enterprise Security, API Security and Mobile Security, drawn as three overlapping circles
  4. Identity is Central: the same three circles (Mobile Security, Enterprise Security, API Security), annotated with MDM, MAM and AuthZ, with Identity at the center. Venn diagram by Gunnar Peterson
  5. Neo-security Stack
     • OpenID Connect, SCIM, SAML, OAuth and JWT are the new standards-based cloud security stack
     • OAuth 2 is the new meta-protocol defining how tokens are handled
     • These address old requirements, solve new problems and are composed in useful ways
     • Grandpa SAML and junior WS- again? Yep
  6. OAuth Actors
     • Client
     • Authorization Server (AS)
     • Resource Server (RS), i.e. the API
     • Resource Owner (RO)
     • The client gets a token from the AS and uses the token at the RS
  7. OAuth Web Server Flow (sequence diagram)
  8. What OAuth is and is not for
     • Not for authentication
     • Not really for authorization
     • For delegation
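The web server flow of slide 7 and the delegation point of slide 8, worked through as a runnable simulation. This is an added example, not code from the deck or from Twobo: all four OAuth actors live in one process, browser redirects and back-channel calls are modelled as function calls, and the client id "photo-app", its secret, the redirect URI, the scope "photos:read" and the resource owner "alice" are constructed for illustration.

```python
"""Simulated OAuth 2.0 authorization code ("web server") flow: AS, client, RS and RO
in one process, with redirects and back-channel calls modelled as function calls.
Client id, secret, redirect URI, scope and the user "alice" are constructed."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Issues codes for clients the RO approved and swaps them for opaque tokens."""

    def __init__(self):
        self.clients = {"photo-app": ("photo-app-secret", "https://photo.example/cb")}  # id -> (secret, redirect_uri)
        self.codes = {}   # code -> (client_id, redirect_uri, owner, scope, expiry)
        self.tokens = {}  # token -> (client_id, owner, scope, expiry)

    def authorize(self, request_url, owner, approved):
        """Authorization endpoint. `owner` is the already-authenticated RO; how
        they logged in (SAML, OIDC, password) is outside OAuth. Returns the redirect."""
        q = query_params(request_url)
        reg = self.clients.get(q.get("client_id"))
        if reg is None or reg[1] != q.get("redirect_uri"):
            raise ValueError("unknown client or redirect_uri mismatch")
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if not approved:
            return reg[1] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], reg[1], owner, q["scope"], time.time() + 60)
        return reg[1] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form, client_id, client_secret):
        """Token endpoint: authenticate the client, check the code was issued to it
        for this redirect_uri, issue a short-lived token. Codes are single use."""
        reg = self.clients.get(client_id)
        if reg is None or not secrets.compare_digest(reg[0], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(form.get("code"), None)
        if form.get("grant_type") != "authorization_code" or entry is None:
            raise PermissionError("invalid_grant")
        code_client, code_uri, owner, scope, expiry = entry
        if code_client != client_id or code_uri != form.get("redirect_uri") or expiry < time.time():
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (client_id, owner, scope, time.time() + 3600)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def introspect(self, token):
        entry = self.tokens.get(token)
        if entry is None or entry[3] < time.time():
            return {"active": False}  # the RS's question: is it live, for whom, what scope?
        return {"active": True, "sub": entry[1], "scope": entry[2]}


class Client:
    """The web application acting on the resource owner's behalf."""

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server, self.client_id = auth_server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending = set()  # `state` values we issued; ties a callback to a session we started

    def start(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://as.example/authorize?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, redirect_url):
        q = query_params(redirect_url)
        if q.get("state") not in self.pending:
            raise PermissionError("state mismatch: callback not tied to a request we made")
        self.pending.remove(q["state"])
        if "error" in q:
            raise PermissionError(q["error"])
        form = {"grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri}
        return self.auth_server.token(form, self.client_id, self.client_secret)


def get_photos(auth_server, authorization_header):
    """The API (RS): accept a bearer token, check it with the AS, enforce scope."""
    scheme, _, token = authorization_header.partition(" ")
    info = auth_server.introspect(token) if scheme == "Bearer" else {"active": False}
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    if "photos:read" not in info["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"owner": info["sub"], "photos": ["beach.jpg", "cat.jpg"]}


def run_flow(scope="photos:read", approved=True):
    """One complete delegation: alice lets photo-app act on her photos."""
    auth = AuthorizationServer()
    client = Client(auth, "photo-app", "photo-app-secret", "https://photo.example/cb")
    redirect = auth.authorize(client.start(scope), owner="alice", approved=approved)
    token = client.callback(redirect)
    return get_photos(auth, "Bearer " + token["access_token"])
```

`run_flow()` returns `(200, {...})` with alice as the owner. The points slide 8 makes fall out of the code: the AS never tells the client who the user is (the client only ever holds an opaque token), and the RS learns only that alice delegated a scope, which is why the `state` check, the single-use code, the redirect_uri match and the client secret are all needed to keep that delegation from being replayed or redirected.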
  9. Authentication & Federation
     • How you authenticate to the AS is left undefined
     • Use SAML or OpenID Connect for SSO to the AS
     • Relay the OAuth token in SAML messages
  10. Push Tokens & Pull Data (diagram): the IdP & API Provider sends the access token in the federation message, via the browser, to the SaaS App; the SaaS App then uses it to get data from the API
  11. Overview of OpenID Connect
     • Builds on OAuth for profile sharing
     • Uses the flows optimized for user-consent scenarios
     • Adds identity-based inputs/outputs to core OAuth messages
     • Tokens are JWTs
  12. Overview of SCIM
     • Defines a RESTful API to manage users and groups
     • Specifies core user and group schemas
     • Supports bulk updates for ingest
     • Binding for SAML and eventually OpenID Connect
  13. Overview of JSON Identity Suite
     • Suite of JSON-based identity protocols: Tokens (JWT), Signatures (JWS), Encryption (JWE), Keys (JWK), Algorithms (JWA)
     • Bearer Token spec explains how to use them with OAuth
     • Being defined in the IETF
  14. Overview of JWT
     • Pronounced like the English word "jot"
     • Lightweight tokens passed in HTTP headers and query strings
     • Akin to SAML tokens: less expressive, fewer security options, more compact, encoded with JSON rather than XML
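Slides 13 and 14 describe JWT as a compact, JSON-encoded token that is signed with JWS and carried as an OAuth bearer token. The following is an added example (not from the deck) that mints and verifies such a token using only the Python standard library. The issuer, audience, subject and shared key are constructed; HS256 is used so the example is self-contained, whereas an AS in practice would normally sign with an asymmetric JWS algorithm so the API needs only the AS's public key (a JWK).

```python
"""Mint and verify a JWT (JWS compact serialisation, HS256) with only the standard
library. Issuer, audience, subject and the shared key are constructed; HS256 is
used for self-containment, an AS would normally use an asymmetric JWS algorithm."""
import base64
import hashlib
import hmac
import json
import time

ALG = "HS256"  # the API pins the algorithm it accepts instead of trusting the header


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input, key):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_jwt(claims, key):
    """Produce base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": ALG, "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign_hs256(signing_input, key))


def verify_jwt(token, key, issuer, audience, now=None):
    """Return the claims if the signature and the iss/aud/exp claims check out.
    Every failure raises ValueError; the API treats all of them as 401."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON, bad UTF-8
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != ALG:  # rejects "none" and any algorithm swap
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign_hs256(f"{h}.{p}", key), signature):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims


def authorize_request(headers, key, issuer, audience, now=None):
    """Pull the bearer token from the Authorization header and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise ValueError("missing bearer token")
    return verify_jwt(token.strip(), key, issuer, audience, now)
```

The minted token is three base64url segments of a few hundred bytes, which is what makes it fit in an `Authorization: Bearer` header where a SAML assertion would not. The verifier checks the signature before it reads any claim, and it checks `iss`, `aud` and `exp` because a validly signed token for a different API or a stale one is not evidence of anything for this API.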
  15. SCIM + OAuth
     • Use OAuth to secure SCIM API calls
     • Use SCIM to create the accounts needed to access APIs secured using OAuth
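Slide 12 describes SCIM as a RESTful API over core user and group schemas, and slide 15 says the calls to it should be secured with OAuth. The following added example (not code from the deck) puts both together: a toy `/Users` endpoint that first checks an OAuth bearer token and its scope, then validates and stores a User resource. It uses the SCIM 2.0 schema URNs (RFC 7643/7644), which postdate the deck; HTTP is modelled as `(status, body)` tuples, and the token table standing in for the AS, the scope names `scim:read` / `scim:write` and the user records are constructed for illustration.

```python
"""Toy SCIM 2.0 /Users endpoint protected by OAuth bearer tokens. HTTP is modelled
as (status, body) tuples; the token table standing in for the AS, the scope
names and the user records are constructed for this example."""
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:api:messages:2.0:Error"

# Constructed stand-in for asking the AS about a token: token -> granted scopes
TOKENS = {
    "tok-provisioner": {"scim:read", "scim:write"},
    "tok-auditor": {"scim:read"},
}


def scim_error(status, detail, scim_type=None):
    """SCIM error responses are themselves schema-tagged JSON."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUsers:
    def __init__(self, tokens, base_url="https://api.example/scim/v2"):
        self.tokens, self.base_url, self.users = tokens, base_url, {}

    def _authorize(self, headers, needed):
        """OAuth first: 401 without a live bearer token, 403 without the scope."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        scopes = self.tokens.get(token) if scheme == "Bearer" else None
        if scopes is None:
            return scim_error(401, "missing or invalid bearer token")
        if needed not in scopes:
            return scim_error(403, f"token lacks scope {needed}")
        return None

    def post_user(self, headers, body):
        """POST /Users: create a User resource from a core-schema payload."""
        denied = self._authorize(headers, "scim:write")
        if denied:
            return denied
        if USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "missing core User schema", "invalidValue")
        user_name = body.get("userName")
        if not user_name:
            return scim_error(400, "userName is required", "invalidValue")
        if any(u["userName"].lower() == user_name.lower() for u in self.users.values()):
            return scim_error(409, "userName already taken", "uniqueness")
        user_id = str(uuid.uuid4())
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        user = {
            "schemas": [USER_SCHEMA], "id": user_id, "userName": user_name,
            "name": body.get("name", {}), "emails": body.get("emails", []),
            "active": body.get("active", True),
            "meta": {"resourceType": "User", "created": now, "lastModified": now,
                     "location": f"{self.base_url}/Users/{user_id}"},
        }
        self.users[user_id] = user
        return 201, user

    def get_user(self, headers, user_id):
        """GET /Users/{id}: read access needs only scim:read."""
        denied = self._authorize(headers, "scim:read")
        if denied:
            return denied
        user = self.users.get(user_id)
        return (200, user) if user else scim_error(404, f"User {user_id} not found")
```

The ordering matters: the token and scope are checked before the body is parsed, so an unauthenticated caller learns nothing about which userNames exist, and a read-only token cannot create accounts even though it can read them.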
  16. SCIM + SAML/OIC
     • Carry SCIM attributes in SAML assertions (bindings for SCIM): enables JIT provisioning and supplements the SCIM API and schema
     • Provision accounts using the SCIM API, to be updated before/after logon
  17. Questions & Thanks: @2botech, @travisspencer, www.2botech.com, travisspencer.com
