Nordic APIs - Building a Secure API

Published on

Overview of techniques and technologies needed to launch a secure API

Published in: Technology

  1. Building a Secure API
     Overview of techniques and technologies needed to launch a secure API
     By Travis Spencer, CEO (@travisspencer, @2botech)
     Copyright © 2013 Twobo Technologies AB. All rights reserved
  2. Agenda
     • The security challenge in context
     • Neo-security stack
     • OAuth basics
     • Overview of other layers
  3. Crucial Security Concerns
     • Enterprise security
     • API security
     • Mobile security
  4. Identity is Central
     [Venn diagram by Gunnar Peterson: three overlapping circles, Mobile Security (MDM, MAM), Enterprise Security (AuthZ) and API Security, with Identity at the intersection of all three]
  5. Neo-security Stack
     • OpenID Connect, SCIM, SAML, OAuth and JWT are the new standards-based cloud security stack
     • OAuth 2 is the new meta-protocol defining how tokens are handled
     • These address old requirements, solve new problems and are composed in useful ways
     • Grandpa SAML and junior WS- again? Yep
  6. OAuth Actors
     • Client
     • Authorization Server (AS)
     • Resource Server (RS), i.e., the API
     • Resource Owner (RO)
     [Diagram: the client gets a token from the AS, then uses the token at the RS]
  7. OAuth Web Server Flow
     [Diagram only]
  8. What OAuth Is and Is Not For
     • Not for authentication
     • Not really for authorization
     • For delegation
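The actors and the web server (authorization code) flow of slides 6 to 8, as an added example that is not from the deck: a toy client, authorization server and resource server in one Python process, so the get-a-token / use-a-token exchange can be read end to end. The client id photo-printer, its secret, the redirect URI, the scope photos:read and the user alice are made up for the example, and a local introspect() call stands in for whatever token validation a real RS performs. The delegation point of slide 8 is visible in the code: the RS learns which user delegated which scope to which client, and nothing about how that user authenticated to the AS.

```python
"""Toy model of the OAuth 2.0 authorization code ("web server") flow.

Added example, not code from the deck: client, authorization server (AS)
and resource server (RS) live in one Python process so the exchange can be
read end to end. Client registration, scope names and the user are made up.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID, CLIENT_SECRET = "photo-printer", "s3cret"   # constructed registration
REDIRECT_URI = "https://printer.example/cb"            # constructed


def callback_params(url):
    """Flatten the query string of a redirect URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorize_url(state, scope="photos:read"):
    """Front-channel request the client sends the RO's browser to."""
    return "https://as.example/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})


class AuthorizationServer:
    """Issues codes to registered clients and exchanges them for tokens."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}    # code -> (client_id, redirect_uri, user, scope)
        self.tokens = {}   # access_token -> (user, scope, expiry)

    def authorize(self, authorize_url, user, approved):
        """The RO (authenticated to the AS by some means OAuth leaves open) approves or denies."""
        q = callback_params(authorize_url)
        if q.get("response_type") != "code" or q.get("client_id") not in self.clients:
            raise ValueError("invalid authorization request")
        _, registered_uri = self.clients[q["client_id"]]
        if q.get("redirect_uri") != registered_uri:   # exact match, never a prefix
            raise ValueError("redirect_uri mismatch")
        if not approved:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], registered_uri, user, q.get("scope", ""))
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel /token call: authenticate the client, swap the code for a token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)           # single use: a replayed code fails
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        _, _, user, scope = entry
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scope, time.time() + 3600)
        return {"access_token": access_token, "token_type": "Bearer", "scope": scope}

    def introspect(self, access_token):
        """Lets the RS learn who delegated what (stand-in for RFC 7662 introspection)."""
        entry = self.tokens.get(access_token)
        if entry is None or entry[2] < time.time():
            return None
        return {"user": entry[0], "scope": entry[1].split()}


class ResourceServer:
    """The API: trusts the AS for token validation and enforces scope itself."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}   # constructed data

    def get_photos(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.introspect(token) if scheme == "Bearer" else None
        if info is None:
            raise PermissionError("401 invalid_token")
        if "photos:read" not in info["scope"]:
            raise PermissionError("403 insufficient_scope")
        return self.photos.get(info["user"], [])


def run_flow(approved=True, scope="photos:read"):
    """Client side of the whole flow; returns the photos the client could read."""
    auth_server = AuthorizationServer()
    api = ResourceServer(auth_server)
    state = secrets.token_urlsafe(16)   # ties the callback to this browser session
    callback = auth_server.authorize(build_authorize_url(state, scope), user="alice", approved=approved)
    params = callback_params(callback)
    if params.get("state") != state:
        raise PermissionError("state mismatch: callback was not started by this session")
    if "error" in params:
        return []
    resp = auth_server.token(CLIENT_ID, CLIENT_SECRET, params["code"], REDIRECT_URI)
    return api.get_photos("Bearer " + resp["access_token"])


if __name__ == "__main__":
    print(run_flow())   # the client reads alice's photos on her behalf
```

The checks that matter in a real deployment are the ones marked in comments: the redirect_uri must match the registration exactly, the state value must be bound to the browser session that started the flow, codes are single use, and the client authenticates at the token endpoint; the RS never sees user credentials, only the delegated scope.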
  9. Authentication & Federation
     • How you authenticate to the AS is undefined by OAuth
     • Use SAML or OpenID Connect for SSO to the AS
     • Relay the OAuth token in SAML messages
  10. Push Tokens & Pull Data
     [Diagram: the browser signs in at the IdP & API provider; the federation message to the SaaS app carries an access token; the SaaS app then uses that token to get data from the API]
  11. Overview of OpenID Connect
     • Builds on OAuth for profile sharing
     • Uses the flows optimized for user-consent scenarios
     • Adds identity-based inputs/outputs to core OAuth messages
     • Tokens are JWTs
  12. Overview of SCIM
     • Defines a RESTful API to manage users & groups
     • Specifies core user & group schemas
     • Supports bulk updates for ingest
     • Binding for SAML and eventually OpenID Connect
  13. Overview of the JSON Identity Suite
     • Suite of JSON-based identity protocols: tokens (JWT), signatures (JWS), encryption (JWE), keys (JWK), algorithms (JWA)
     • The Bearer Token spec explains how to use them with OAuth
     • Being defined in the IETF
  14. Overview of JWT
     • Pronounced like the English word "jot"
     • Lightweight tokens passed in HTTP headers & query strings
     • Akin to SAML tokens, but: less expressive, fewer security options, more compact, encoded with JSON not XML
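A compact JWS-signed JWT (slides 13 and 14) with the claims of an OpenID Connect ID token (slide 11), minted and verified with the Python standard library and pulled out of a bearer Authorization header; added example, not code from the deck. The shared secret, issuer https://as.example, audience photo-printer, subject alice and the nonce are constructed. HS256 is used because it needs nothing beyond a shared secret, which also means every party that can verify can mint; when resource servers are not trusted with the signing key, an asymmetric JWS algorithm and a JWK-published public key are the right choice.

```python
"""Mint and verify a compact JWS-signed JWT (HS256) and extract it from a
bearer Authorization header. Added example, not code from the deck; standard
library only. Secret, issuer, audience, subject and nonce are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret-for-this-example"
ISSUER, AUDIENCE = "https://as.example", "photo-printer"


def b64url_encode(data):
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, secret=SECRET):
    """Return header.payload.signature, the JWS compact serialization."""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(segs)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, issuer, audience, secret=SECRET, now=None):
    """Return the claims if the signature and core claims check out, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose it ("none", or an
    # RS256 -> HS256 swap that turns a public key into the HMAC secret).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # only trusted after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def token_from_header(authorization):
    """Extract the credentials from 'Authorization: Bearer <token>' (RFC 6750 style)."""
    scheme, _, credentials = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        raise ValueError("not a bearer token")
    return credentials.strip()


def demo(now=1_700_000_000):
    """Mint a token shaped like an OpenID Connect ID token, then verify it."""
    claims = {"iss": ISSUER, "sub": "alice", "aud": AUDIENCE,
              "iat": now, "exp": now + 300, "nonce": "n-0S6_WzA2Mj"}   # constructed
    jwt = mint_jwt(claims)
    verified = verify_jwt(token_from_header("Bearer " + jwt), ISSUER, AUDIENCE, now=now)
    return jwt, verified


if __name__ == "__main__":
    print(demo()[0])
```

The "fewer security options" line of slide 14 is the reason the verifier is strict about the few it has: a fixed algorithm, a constant-time signature compare before any claim is read, and iss, aud and exp all checked rather than trusted.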
  15. SCIM + OAuth
     • Use OAuth to secure SCIM API calls
     • Use SCIM to create the accounts needed to access APIs secured with OAuth
  16. SCIM + SAML/OIC
     • Carry SCIM attributes in SAML assertions (bindings for SCIM): enables JIT provisioning and supplements the SCIM API & schema
     • Accounts provisioned using the SCIM API can be updated before/after logon
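How slides 12, 15 and 16 fit together, as an added example that is not code from the deck: an in-memory stand-in for a SCIM 2.0 /Users endpoint whose every call needs an OAuth bearer token with the right scope, a /Bulk handler for ingest, and a just-in-time path that maps attributes carried in a federation message onto a SCIM User at logon. The token values, the scope names scim:read and scim:write, the base URL and the federation attribute names (email, subject, givenName, surname) are assumptions for the example; the schema URNs are the SCIM 2.0 ones.

```python
"""SCIM-style user provisioning secured with OAuth bearer tokens, plus the
just-in-time path taken when a federation message carries the attributes.
Added example, not code from the deck: an in-memory store standing in for a
SCIM 2.0 /Users endpoint. Token values, scope names, base URL and the
federation attribute names are constructed for the example.
"""
import copy
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
BULK_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed: opaque access token -> scopes the AS granted to it.
TOKEN_SCOPES = {"tok-provisioner": {"scim:write"}, "tok-reader": {"scim:read"}}


class ScimError(Exception):
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


class ScimUserStore:
    def __init__(self, base_url="https://api.example/scim/v2"):
        self.base_url = base_url
        self.users = {}         # id -> resource
        self.by_username = {}   # lower-cased userName -> id (userName is unique)

    def _authorize(self, authorization, needed_scope):
        """OAuth guards the SCIM API: every call must carry a bearer token."""
        scheme, _, token = authorization.partition(" ")
        scopes = TOKEN_SCOPES.get(token) if scheme == "Bearer" else None
        if scopes is None:
            raise ScimError(401, "invalid_token")
        if needed_scope not in scopes:
            raise ScimError(403, "insufficient_scope")

    def create_user(self, authorization, resource):
        """POST /Users"""
        self._authorize(authorization, "scim:write")
        if USER_SCHEMA not in resource.get("schemas", []):
            raise ScimError(400, "invalidValue: missing User schema")
        username = resource.get("userName")
        if not username:
            raise ScimError(400, "invalidValue: userName is required")
        if username.lower() in self.by_username:
            raise ScimError(409, "uniqueness: userName already exists")
        user = copy.deepcopy(resource)
        user["id"] = str(uuid.uuid4())           # server-assigned, immutable
        user.setdefault("active", True)
        user["meta"] = {"resourceType": "User",
                        "location": f"{self.base_url}/Users/{user['id']}"}
        self.users[user["id"]] = user
        self.by_username[username.lower()] = user["id"]
        return user

    def bulk(self, authorization, request):
        """POST /Bulk: each operation is reported on its own; one failure does
        not abort the rest (initial ingest of many accounts)."""
        self._authorize(authorization, "scim:write")
        if BULK_SCHEMA not in request.get("schemas", []):
            raise ScimError(400, "not a BulkRequest")
        results = []
        for op in request.get("Operations", []):
            entry = {"method": op.get("method"), "bulkId": op.get("bulkId")}
            try:
                if op.get("method") != "POST" or op.get("path") != "/Users":
                    raise ScimError(400, "unsupported operation")
                created = self.create_user(authorization, op["data"])
                entry.update(status="201", location=created["meta"]["location"])
            except ScimError as e:
                entry.update(status=str(e.status), response={"detail": str(e)})
            results.append(entry)
        return {"schemas": [BULK_RESPONSE_SCHEMA], "Operations": results}

    def jit_provision(self, authorization, federation_attributes):
        """Map attributes from a SAML assertion or ID token onto a SCIM User and
        create it if absent. Returns (user, created). Attribute names are assumed."""
        username = federation_attributes["email"]
        existing_id = self.by_username.get(username.lower())
        if existing_id is not None:
            return self.users[existing_id], False
        resource = {
            "schemas": [USER_SCHEMA],
            "userName": username,
            "externalId": federation_attributes.get("subject"),
            "name": {"givenName": federation_attributes.get("givenName"),
                     "familyName": federation_attributes.get("surname")},
            "emails": [{"value": username, "primary": True}],
        }
        return self.create_user(authorization, resource), True


def handle(handler, *args):
    """Turn a handler call into (http_status, body) the way the HTTP layer would."""
    try:
        body = handler(*args)
    except ScimError as e:
        return e.status, {"schemas": [ERROR_SCHEMA], "status": str(e.status), "detail": str(e)}
    return (201 if handler.__name__ == "create_user" else 200), body
```

Two details carry the security point of slide 15: the provisioning scope is distinct from read scope, so a token issued to a reporting integration cannot create accounts, and the store keys userName case-insensitively so a second "ALICE@..." cannot shadow the first.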
  17. Questions & Thanks
     @2botech, @travisspencer
     www.2botech.com, travisspencer.com
