So you want to use standards to secure your APIs?
Do you? really?
Bertrand CARLIER
bertrand.carlier@wavestone.com
@bertrandcarlier
confidentiel | © WAVESTONE | Cloud Identity Summit | Chicago 2017
Tier one clients
leaders in their industry
2,500 professionals
across 4 continents
Among the leading independent
consultancies in Europe,
n°1 in France
Paris | London | New York | Hong Kong | Singapore* | Dubai*
Brussels | Luxembourg | Geneva | Casablanca
Lyon | Marseille | Nantes
In a world where permanent evolution is key to success,
we enlighten and partner our clients in making their most critical business decisions
Win the digital race
with digital trust
PROVEN EXPERTISE
/ Digital Risk Strategy & Compliance
/ Safe Business Transformation
/ Security Design & Program Management
/ Identity, Fraud & Trust Services
/ Penetration Testing & Incident Response
/ Business Continuity & Resilience
/ Industrial Control Systems
ACTIONABLE INSIGHTS
/ Industry-specific risk mapping
/ AMT Master plan methodology
/ Startups & Innovation Radars
/ ICS-Attacks demonstrator
/ CERT-W & Bug Bounty
Digital trust is a key business enabler that will
put you ahead to win the digital transformation race
Wavestone Cybersecurity & Digital Trust
500+
Consultants & Experts
in Paris, London, New York
& Hong Kong
1,000+
Engagements per year
in 20+ countries
Our clients
Board, Business,
CDO, CIO, CISO, BCM
Obligatory XKCD
What I do 1/2
User companies (my clients)
Other vendors
My mom
People who use standards
but don’t really care
Me
You?
Fellow colleagues & competitors
People who (try to) understand
standards and build things
The “industry”
Research scientists
Vendors I like
People who make standards
What I do 2/2
/ Gather requirements
/ Benchmark market
/ Design target solutions
/ Deliver solutions
1. OAuth 101
Implicit and Client Credentials
YOU’VE GOT MAIL
[Diagram: a flight comparator website (client) obtains an access token from the authorization server and queries several Airline APIs (resource servers); mock results: Economy, Direct, Two stops, Business class, Boat; "You’ve been accepted!"]
Authorization code
ARE YOU AUTHORIZED?
[Diagram: airline website (client), authorization server, Airline API (resource server), resource owner; access token]
Proof Key for Code Exchange
PIXIES
[Diagram: airline website (client), authorization server, resource server, resource owner; access token; PKCE (RFC 7636)]
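The slide names PKCE (RFC 7636) without showing the mechanics, so here is both halves of the exchange as an added example that is not part of the deck. The client derives code_challenge = BASE64URL(SHA256(code_verifier)) and sends only the challenge with the authorization request; the authorization server stores the challenge beside the code and, at the token endpoint, recomputes it from the verifier the client presents. The AuthorizationServer class, the client id "airline-web" and demo_pkce are constructed for the illustration; the derivation itself follows the RFC.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy secret the app keeps for this one authorization request.
    32 random bytes encode to 43 characters, the minimum length the RFC allows."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the value sent on the authorization request.
    S256 = BASE64URL(SHA256(ASCII(code_verifier))); 'plain' exists only for clients that cannot hash."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


class AuthorizationServer:
    """Hypothetical in-memory authorization server, just enough to show the PKCE check:
    the challenge is stored with the issued code and verified at the token endpoint."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Return a token dict on success, None on any failure (the caller maps that to invalid_grant)."""
        entry = self._codes.pop(code, None)          # a code is single-use: a replay finds nothing
        if entry is None:
            return None
        stored_client, challenge, method = entry
        if stored_client != client_id:
            return None
        if not _VERIFIER_RE.fullmatch(code_verifier):
            return None
        expected = make_code_challenge(code_verifier, method)
        if not hmac.compare_digest(expected, challenge):  # constant-time, as for any secret comparison
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo_pkce():
    """Run the exchange three ways: genuine client, replayed code, and a code presented
    without the matching verifier (the interception case PKCE exists to defeat)."""
    asrv = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = asrv.authorize("airline-web", challenge)        # constructed client id
    genuine = asrv.token("airline-web", code, verifier)
    replay = asrv.token("airline-web", code, verifier)
    code2 = asrv.authorize("airline-web", challenge)
    intercepted = asrv.token("airline-web", code2, make_code_verifier())
    return (genuine is not None, replay is not None, intercepted is not None)


if __name__ == "__main__":
    print(demo_pkce())  # (True, False, False)
```

The server-side check is the part most often skipped: an authorization server that accepts a code_challenge on the front channel but does not require the matching code_verifier at the token endpoint gives the client nothing. The known test vector from RFC 7636 Appendix B can be used to confirm the S256 derivation.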
Refresh token
(RE)FRESH
[Diagram: airline website (client), authorization server, resource server, resource owner; access token, refresh token; PKCE (RFC 7636)]
OAuth2.0: it’s quite simple
[Chart: page counts 20, 17, 18, 76]
Who’s up for a 130-page RFC read?
And if you want security, feel free to read the 71 pages of « OAuth2 Threat Model and Security Considerations »
[Legend: client, authorization server, resource server, resource owner; access token, refresh token; Proof Key for Code Exchange]
2. OAuth Advanced
OAuth2.0: Real Life requirements
/ Adaptive authentication: application initiated (acr request) or Authorization Server mandated (adaptive authentication)
/ APIs federation
/ REST friendly
/ Scalable
/ Modern Web Single Sign-On
/ Beyond the enterprise perimeter
/ Browser and mobile friendly
OpenID Connect
FRENCH CONNECTION
[Diagram: town’s website (client), France Connect hub, tax department API, authorization server, resource server, resource owner; access token, refresh token, ID token; PKCE (RFC 7636)]
Authentication Context Reference (acr)
SMS, I KNOW…
[Diagram: client, bank authorization server, Bank API (resource server), OpenID Connect provider, resource owner; access token, refresh token, ID token; PKCE (RFC 7636)]
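The acr slide shows the client asking the OpenID Connect provider for a stronger authentication context; what the deck does not show is the client-side check that the ID token actually came back with it. Here is that validation as an added example, not code from the deck: signature, issuer, audience, expiry and nonce are checked first, then the acr claim is compared against the level that was requested, since a provider may issue a token even when it could not satisfy the request. The acr URNs, the ranking in ACR_RANK, the HS256 shared key and the mint_id_token stand-in provider are all constructed for the illustration; a real provider signs with an asymmetric key from its JWKS and the client pins that algorithm in the same way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed acr values, ranked by strength; a real deployment takes these from the provider's policy
ACR_RANK = {"urn:example:acr:password": 1, "urn:example:acr:sms": 2, "urn:example:acr:app": 3}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in OpenID provider. HS256 keeps the example self-contained and offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str, nonce: str,
                      required_acr: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Client side. Returns (ok, subject-or-reason). The acr check comes last but is the point."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":                  # pin the algorithm; never trust the one announced
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else (aud or [])):
        return False, "wrong audience"
    if int(claims.get("exp", 0)) <= now:
        return False, "expired"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    acr = claims.get("acr")
    if ACR_RANK.get(acr, 0) < ACR_RANK[required_acr]:
        return False, f"acr {acr!r} weaker than requested {required_acr!r}"
    return True, claims["sub"]


def demo_acr() -> Tuple[bool, bool, bool]:
    """Three constructed tokens: acr as requested, acr silently downgraded, signature from another key."""
    key = b"constructed-demo-secret"
    now = 1_700_000_100
    base = {"iss": "https://op.example", "aud": "bank-web", "sub": "alice",
            "nonce": "n-1", "iat": now - 100, "exp": now + 200}
    args = (key, "https://op.example", "bank-web", "n-1", "urn:example:acr:sms", now)
    strong = mint_id_token({**base, "acr": "urn:example:acr:sms"}, key)
    weak = mint_id_token({**base, "acr": "urn:example:acr:password"}, key)
    forged = mint_id_token({**base, "acr": "urn:example:acr:app"}, b"not-the-provider-key")
    return (validate_id_token(strong, *args)[0],
            validate_id_token(weak, *args)[0],
            validate_id_token(forged, *args)[0])


if __name__ == "__main__":
    print(demo_acr())  # (True, False, False)
```

The downgraded token in demo_acr is valid in every other respect, which is why a library that validates signature and expiry but leaves acr to the application is not enough on its own for the use case on the slide.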
JWT Bearer profile
ONE RING TOKEN TO RULE THEM ALL
[Diagram: bank website (client), Insurance’s authorization server, Insurance’s API, OpenID Connect provider, authorization server, resource server, resource owner; "Bank & Insurance discount", white label insurance; steps 1 and 2; access token, refresh token, ID token; PKCE (RFC 7636)]
OAuth2.0 for Native Applications
SSO ON THE GO
[Diagram: mobile phone running several apps (OAuth 2 for native apps), bank’s authorization server, OpenID Connect provider, resource server, resource owner; access token, refresh token, ID token; PKCE (RFC 7636)]
3. OAuth & Beyond
OAuth: Today’s challenges
/ Pair with devices
/ Protect from token hijacking
/ Share and consent
/ Transmit identity
These are the current use cases that we need to solve now, with only draft standards!
OAuth2 Device Flow
2 MINUTES TWICE A DAY
[Diagram: connected toothbrush, toothbrush’s app, toothbrush’s cloud services, authorization server, resource server, OpenID Connect provider, resource owner; steps 1 to 4; access token, refresh token, ID token; OAuth 2 for native apps; PKCE (RFC 7636)]
Token Binding
LATER AGGREGATOR
The “Personal Finance Manager” use case
[Diagram: multi-account aggregator (client), several Bank APIs (resource servers), authorization server, OpenID Connect provider, resource owner; access token, refresh token, ID token; Token Binding & Mutual TLS profiles; OAuth 2 for native apps; PKCE (RFC 7636)]
User Managed Access
RUN BABY RUN
[Diagram: me (resource owner) with personal health records and an authorization server; doctor and receptionist (requesting parties) using some medical software (client); OpenID Connect provider; access token, refresh token, ID token; Token Binding & Mutual TLS profiles; OAuth 2 for native apps; PKCE (RFC 7636)]
Token Exchange
WALL STREET
[Diagram: customer support (client) reaching the Customer API through microservices; Token Exchange; authorization server, resource server, OpenID Connect provider, resource owner, requesting party; access token, refresh token, ID token; Token Binding; OAuth 2 for native apps; PKCE (RFC 7636)]
Not to mention
/ Dynamic Client Registration & Management
/ OIDC/OAuth Discovery
/ Signed request
/ Mobile Connect
/ OIDC Session Management
/ Token revocation
/ …
The big picture
AT LAST
[Diagram: the full legend: client, authorization server, resource server, resource owner, requesting party, OpenID Connect provider; access token, refresh token, ID token; PKCE (RFC 7636); OAuth 2 for native apps; Token Binding; Token Exchange]
“Just saying #OAuth does not do the job”
ONE LAST WORD
/ OAuth is a very rich ecosystem
  - Choose the right specifications
  - Integrate them carefully within a well-designed architecture
  - Don’t end up with flawed API security or a false sense of security
wavestone.com
@wavestone_
riskinsight-wavestone.com
@Risk_Insight
securityinsider-solucom.fr
@SecuInsider
Bertrand CARLIER
Senior Manager
M +33 6 18 64 42 52
bertrand.carlier@wavestone.com
PARIS
LONDON
NEW YORK
HONG KONG
SINGAPORE *
DUBAI *
BRUSSELS
LUXEMBOURG
GENEVA
CASABLANCA
LYON
MARSEILLE
NANTES
* Strategic partners

More Related Content

Similar to CIS 2017 - So you want to use standards to secure your APIs?

Managing Compliance in Container Environments
Managing Compliance in Container EnvironmentsManaging Compliance in Container Environments
Managing Compliance in Container Environments
Twistlock
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
JacksonMorgan9
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
PolarSeven Pty Ltd
 
SECURED NEW E-MOBILITY PLATFORM
SECURED NEW E-MOBILITY PLATFORMSECURED NEW E-MOBILITY PLATFORM
SECURED NEW E-MOBILITY PLATFORM
iQHub
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
MOnCloud
 
Creating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCreating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your Customers
CA Technologies
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
Bertrand Carlier
 
apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...
apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...
apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...
apidays
 
What's new in Azure Active Directory and what's coming new ?
What's new in Azure Active Directory and what's coming new ?What's new in Azure Active Directory and what's coming new ?
What's new in Azure Active Directory and what's coming new ?
Vignesh Ganesan I Microsoft MVP
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Codit
 
Open Banking APIs on AWS
Open Banking APIs on AWSOpen Banking APIs on AWS
Open Banking APIs on AWS
Amazon Web Services
 
Identity as a Service
Identity as a ServiceIdentity as a Service
Identity as a Service
Prabath Siriwardena
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Ping Identity
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
CA API Management
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
CA API Management
 
Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much more
indragantiSaiHiranma
 
The Future is Now: What’s New in ForgeRock Access Management
The Future is Now: What’s New in ForgeRock Access Management The Future is Now: What’s New in ForgeRock Access Management
The Future is Now: What’s New in ForgeRock Access Management
ForgeRock
 
Enable and Secure Business Growth in the New Application Economy
 Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy
CA Technologies
 

Similar to CIS 2017 - So you want to use standards to secure your APIs? (20)

Managing Compliance in Container Environments
Managing Compliance in Container EnvironmentsManaging Compliance in Container Environments
Managing Compliance in Container Environments
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
SECURED NEW E-MOBILITY PLATFORM
SECURED NEW E-MOBILITY PLATFORMSECURED NEW E-MOBILITY PLATFORM
SECURED NEW E-MOBILITY PLATFORM
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
Creating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCreating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your Customers
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...
apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...
apidays LIVE JAKARTA - Take control of your microservices with App Mesh by Ak...
 
What's new in Azure Active Directory and what's coming new ?
What's new in Azure Active Directory and what's coming new ?What's new in Azure Active Directory and what's coming new ?
What's new in Azure Active Directory and what's coming new ?
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
 
Open Banking APIs on AWS
Open Banking APIs on AWSOpen Banking APIs on AWS
Open Banking APIs on AWS
 
Identity as a Service
Identity as a ServiceIdentity as a Service
Identity as a Service
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much more
 
The Future is Now: What’s New in ForgeRock Access Management
The Future is Now: What’s New in ForgeRock Access Management The Future is Now: What’s New in ForgeRock Access Management
The Future is Now: What’s New in ForgeRock Access Management
 
Enable and Secure Business Growth in the New Application Economy
 Enable and Secure Business Growth in the New Application Economy Enable and Secure Business Growth in the New Application Economy
Enable and Secure Business Growth in the New Application Economy
 

More from Bertrand Carlier

2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project
Bertrand Carlier
 
Identiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
Bertrand Carlier
 
OAuth2 stands overview
OAuth2 stands overviewOAuth2 stands overview
OAuth2 stands overview
Bertrand Carlier
 
Ping City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des ObjetsPing City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des Objets
Bertrand Carlier
 
GS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIsGS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIs
Bertrand Carlier
 
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'apiWavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Bertrand Carlier
 
DSP2 standards, sécurité, quels impacts wavestone
DSP2 standards, sécurité, quels impacts   wavestoneDSP2 standards, sécurité, quels impacts   wavestone
DSP2 standards, sécurité, quels impacts wavestone
Bertrand Carlier
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demo
Bertrand Carlier
 
Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2
Bertrand Carlier
 
Paris Identity Tech Talk IoT
Paris Identity Tech Talk IoTParis Identity Tech Talk IoT
Paris Identity Tech Talk IoT
Bertrand Carlier
 

More from Bertrand Carlier (10)

2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project
 
Identiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
 
OAuth2 stands overview
OAuth2 stands overviewOAuth2 stands overview
OAuth2 stands overview
 
Ping City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des ObjetsPing City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des Objets
 
GS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIsGS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIs
 
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'apiWavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
 
DSP2 standards, sécurité, quels impacts wavestone
DSP2 standards, sécurité, quels impacts   wavestoneDSP2 standards, sécurité, quels impacts   wavestone
DSP2 standards, sécurité, quels impacts wavestone
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demo
 
Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2
 
Paris Identity Tech Talk IoT
Paris Identity Tech Talk IoTParis Identity Tech Talk IoT
Paris Identity Tech Talk IoT
 

Recently uploaded

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 

Recently uploaded (20)

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 

CIS 2017 - So you want to use standards to secure your APIs?

  • 6. confidential | © WAVESTONE | Cloud Identity Summit | Chicago 2017. What I do 2/2: gather requirements / benchmark the market / design target solutions / deliver solutions.
  • 8. Implicit and Client Credentials. YOU'VE GOT MAIL. (Diagram: a flight comparator website, the client, calls several airline APIs, the resource servers, with an access token issued by the authorization server; fares shown: economy, direct, two stops, business class, boat; "You've been accepted!")
  • 9. Authorization code. ARE YOU AUTHORIZED? (Diagram: the resource owner, the airline website as client, the authorization server, the airline API as resource server; access token.)
  • 10. Proof Key for Code Exchange. PIXIES. (Diagram: same roles as slide 9; PKCE (RFC 7636) added to the code exchange between the airline website and the authorization server.)
  • 11. Refresh token. (RE)FRESH. (Diagram: same roles, PKCE (RFC 7636); refresh token added next to the access token.)
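Slides 9 to 11 only label the diagram, so here is an added Python example (not code from the deck or from Wavestone) of the checks an authorization server performs in those three flows: a single-use authorization code bound to the client and redirect URI, the S256 code_verifier/code_challenge comparison that makes an intercepted code useless, and refresh token rotation with revocation of the whole token family when a rotated token is replayed. The client id, redirect URI, user name and scope are constructed for the example, and the in-memory server is a simulation rather than a product.

```python
import base64
import hashlib
import secrets
import time


def b64url(data):
    """Base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: a fresh code_verifier (43 chars here) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    """Toy authorization server for the airline: in-memory codes and refresh tokens."""

    def __init__(self):
        self.codes = {}             # authorization code -> what it was issued for
        self.refresh_tokens = {}    # refresh token -> grant it belongs to
        self.revoked_families = set()

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, sub, scope):
        """Authorization endpoint, after the resource owner logged in and consented (simulated)."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' does not protect an intercepted code")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, challenge=code_challenge,
                                sub=sub, scope=scope, expires=time.time() + 60)
        return code

    def _issue(self, client_id, sub, scope, family):
        refresh = b64url(secrets.token_bytes(24))
        self.refresh_tokens[refresh] = dict(client_id=client_id, sub=sub, scope=scope, family=family, used=False)
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer",
                "expires_in": 300, "refresh_token": refresh, "scope": scope}

    def token(self, grant_type, client_id, **p):
        """Token endpoint. Error codes follow RFC 6749 section 5.2."""
        if grant_type == "authorization_code":
            rec = self.codes.pop(p.get("code"), None)      # a code is single use
            if rec is None or rec["expires"] < time.time():
                return {"error": "invalid_grant"}
            if rec["client_id"] != client_id or rec["redirect_uri"] != p.get("redirect_uri"):
                return {"error": "invalid_grant"}
            # PKCE: whoever presents the code must also know the verifier behind the challenge.
            got = b64url(hashlib.sha256(p.get("code_verifier", "").encode()).digest())
            if not secrets.compare_digest(got, rec["challenge"]):
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["sub"], rec["scope"], family=secrets.token_hex(8))
        if grant_type == "refresh_token":
            rec = self.refresh_tokens.get(p.get("refresh_token"))
            if rec is None or rec["client_id"] != client_id or rec["family"] in self.revoked_families:
                return {"error": "invalid_grant"}
            if rec["used"]:
                # A rotated refresh token came back: someone copied it. Kill the whole family
                # so the newer token held by the legitimate client dies with it.
                self.revoked_families.add(rec["family"])
                return {"error": "invalid_grant"}
            rec["used"] = True
            return self._issue(client_id, rec["sub"], rec["scope"], rec["family"])
        return {"error": "unsupported_grant_type"}


def demo():
    """Run the flows with constructed client, user and scope names; return each outcome."""
    srv = AuthorizationServer()
    client, cb = "airline-web", "https://airline.example/callback"   # assumed client registration
    out = {}
    # Legitimate flow: the client kept the verifier and sends it along with the code.
    verifier, challenge = make_pkce_pair()
    code = srv.authorize(client, cb, challenge, "S256", "alice", "flights:read")
    out["legit"] = srv.token("authorization_code", client, code=code, redirect_uri=cb, code_verifier=verifier)
    # Intercepted code (a rogue app catching the redirect): no verifier, so the exchange fails.
    _, challenge2 = make_pkce_pair()
    code2 = srv.authorize(client, cb, challenge2, "S256", "alice", "flights:read")
    out["intercepted"] = srv.token("authorization_code", client, code=code2, redirect_uri=cb, code_verifier="guess")
    # Refresh token rotation, then a replay of the old refresh token.
    old = out["legit"]["refresh_token"]
    out["refreshed"] = srv.token("refresh_token", client, refresh_token=old)
    out["replayed"] = srv.token("refresh_token", client, refresh_token=old)
    out["after_replay"] = srv.token("refresh_token", client, refresh_token=out["refreshed"]["refresh_token"])
    return out
```

Calling demo() yields a Bearer token for the legitimate exchange, invalid_grant for the intercepted code, a rotated refresh token on the first refresh, and invalid_grant both for the replayed token and for the newer token of the same family once the replay has been detected.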
  • 12. OAuth 2.0: it's quite simple. Who's up for 130 pages of RFC reading? (The page counts shown on the slide: 20, 17, 18 and 76.) And if you want security, feel free to read the 71-page "OAuth 2.0 Threat Model and Security Considerations" (RFC 6819) as well. (Diagram: the roles and tokens accumulated so far: resource owner, client, authorization server, resource server, access token, refresh token, Proof Key for Code Exchange.)
  • 14. OAuth 2.0: real-life requirements
    / Adaptive authentication
    / Application-initiated (acr request) or authorization-server-mandated (adaptive authentication)
    / API federation
    / REST friendly
    / Scalable
    / Modern web single sign-on
    / Beyond the enterprise perimeter
    / Browser and mobile friendly
  • 15. OpenID Connect. FRENCH CONNECTION. (Diagram: a town's website, the client, authenticates the resource owner through the France Connect hub, the OpenID Connect provider, and calls the tax department API, the resource server, with the access token; ID token added to the picture next to the refresh token and PKCE (RFC 7636).)
  • 16. Authentication Context Reference (acr). SMS, I KNOW… (Diagram: client, OpenID Connect provider, bank authorization server, bank API; the client requests an acr and the ID token reports the one that was actually performed.)
  • 17. JWT Bearer profile. ONE RING TOKEN TO RULE THEM ALL. (Diagram: bank website offering a bank & insurance discount on a white-label insurance product; steps 1 and 2 carry a JWT from the bank side to the insurance's authorization server, which issues an access token for the insurance's API.)
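Slides 15 to 17 share one mechanism: a signed JWT from a trusted issuer is checked for signature, issuer, audience and expiry, then used either as an ID token (slide 16, where the relying party must also check that the acr it asked for is the acr the provider reports) or as an authorization grant at a partner's token endpoint (slide 17, the JWT Bearer profile of RFC 7523). The Python below is an added example, not code from the deck or from Wavestone, covering both. It signs with HS256 and a shared secret so that it runs with the standard library only; real providers use asymmetric keys published through a JWKS. Issuer URLs, client ids, keys, acr values and the insurer's token endpoint are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims, key):
    """Compact JWS signed with HS256 (shared secret, standard-library only; see lead-in)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jwt_verify(token, key, issuer, audience, now):
    """Check signature, issuer, audience and expiry; raise ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("format")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # pin the algorithm, never honour alg=none
        raise ValueError("alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud")
    if now >= claims.get("exp", 0):
        raise ValueError("exp")
    return claims


def validate_id_token(token, key, issuer, client_id, nonce, required_acr, now):
    """Relying-party side of slide 16: the acr asked for must be the acr the provider reports."""
    claims = jwt_verify(token, key, issuer, client_id, now)
    if claims.get("nonce") != nonce:
        raise ValueError("nonce")
    if required_acr is not None and claims.get("acr") != required_acr:
        raise ValueError("acr")   # acr_values in the request is a hint; the token says what was done
    return claims


INSURANCE_TOKEN_ENDPOINT = "https://insurance.example/token"   # assumed; it is the assertion's audience


def jwt_bearer_grant(assertion, trusted_issuers, seen_jti, now):
    """Insurer's token endpoint for slide 17: a JWT from a trusted partner is the grant (RFC 7523)."""
    try:
        iss = json.loads(b64url_decode(assertion.split(".")[1])).get("iss")
        key = trusted_issuers[iss]                 # the unverified iss is used for key lookup only
        claims = jwt_verify(assertion, key, iss, INSURANCE_TOKEN_ENDPOINT, now)
    except (KeyError, ValueError, IndexError):
        return {"error": "invalid_grant"}
    if "sub" not in claims or "jti" not in claims or claims["jti"] in seen_jti:
        return {"error": "invalid_grant"}          # jti makes each assertion single use
    seen_jti.add(claims["jti"])
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "expires_in": 300, "scope": "discount:read", "sub": claims["sub"]}


def demo(now=1_500_000_000):
    """Constructed keys, issuers, client ids and times; returns the outcome of each check."""
    op_key, bank_key, rogue_key = b"op-secret", b"bank-insurer-secret", b"rogue-secret"
    base = {"iss": "https://op.example", "aud": "town-website", "sub": "alice",
            "exp": now + 300, "nonce": "n-1", "acr": "urn:bank:sms-otp"}

    def check(token, nonce="n-1", acr="urn:bank:sms-otp"):
        try:
            return validate_id_token(token, op_key, "https://op.example", "town-website", nonce, acr, now)["sub"]
        except ValueError as err:
            return str(err)

    h, _, s = jwt_sign(base, op_key).split(".")
    forged = h + "." + b64url(json.dumps({**base, "sub": "mallory"}).encode()) + "." + s   # payload swapped
    out = {"id_ok": check(jwt_sign(base, op_key)),
           "id_weak_acr": check(jwt_sign({**base, "acr": "urn:bank:password"}, op_key)),
           "id_nonce_replay": check(jwt_sign({**base, "nonce": "n-0"}, op_key)),
           "id_tampered": check(forged)}
    trusted, seen = {"https://bank.example": bank_key}, set()
    assertion = jwt_sign({"iss": "https://bank.example", "sub": "alice", "aud": INSURANCE_TOKEN_ENDPOINT,
                          "exp": now + 60, "jti": "j-1"}, bank_key)
    out["grant_ok"] = jwt_bearer_grant(assertion, trusted, seen, now).get("sub")
    out["grant_replay"] = jwt_bearer_grant(assertion, trusted, seen, now).get("error")
    rogue = jwt_sign({"iss": "https://rogue.example", "sub": "alice", "aud": INSURANCE_TOKEN_ENDPOINT,
                      "exp": now + 60, "jti": "j-2"}, rogue_key)
    out["grant_untrusted"] = jwt_bearer_grant(rogue, trusted, seen, now).get("error")
    return out
```

The acr check is the point of slide 16: a provider may answer an acr_values request with a weaker context than the one asked for, so the relying party has to compare the claim in the ID token against what it required, not just note that the login succeeded.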
  • 18. OAuth 2.0 for Native Applications. SSO ON THE GO. (Diagram: two apps on one mobile phone, the bank's authorization server acting as OpenID Connect provider; OAuth 2.0 for native apps added to the picture.)
  • 19. 3. OAuth & Beyond
  • 20. OAuth: today's challenges / Pair with devices / Protect from token hijacking / Share and consent / Transmit identity. These are the current use cases that we need to solve now, with only draft standards!
  • 21. OAuth 2.0 Device Flow. 2 MINUTES TWICE A DAY. (Diagram: a connected toothbrush, the toothbrush's cloud services and the toothbrush's app; steps 1 to 4 of the device flow.)
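The device flow was still a draft when this talk was given (it was later published as RFC 8628). As an added example, not code from the deck or from Wavestone, the Python below simulates the four steps: the toothbrush obtains a device_code and a short user_code, the owner types the user_code into the phone app and approves, the device polls the token endpoint and gets its token. It handles the answers a device must cope with: authorization_pending, slow_down when it polls too fast, access_denied, and expired_token when nobody acts in time. The client id, scope, verification URI and user names are constructed, and the clock is injected so the demo can fast-forward.

```python
import secrets

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # no vowels or look-alikes: easier to type on a phone


class DeviceAuthorizationServer:
    """Toy authorization server implementing the device flow (later RFC 8628)."""

    def __init__(self, clock, interval=5, lifetime=600):
        self.clock = clock          # injectable time source so the demo can fast-forward
        self.interval = interval
        self.lifetime = lifetime
        self.requests = {}          # device_code -> state

    def device_authorization(self, client_id, scope):
        """Step 1: the toothbrush (no browser, no keyboard) asks for a pairing code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.requests[device_code] = dict(client_id=client_id, scope=scope, user_code=user_code,
                                          status="pending", sub=None,
                                          expires=self.clock() + self.lifetime, last_poll=None)
        return {"device_code": device_code, "user_code": user_code[:4] + "-" + user_code[4:],
                "verification_uri": "https://toothbrush.example/device",   # assumed URL
                "expires_in": self.lifetime, "interval": self.interval}

    def decide(self, user_code, sub, approve):
        """Steps 2 and 3: the owner, logged in on the phone app, types the code and approves or denies."""
        wanted = user_code.replace("-", "").upper()
        for rec in self.requests.values():
            if rec["user_code"] == wanted and rec["status"] == "pending" and rec["expires"] > self.clock():
                rec["status"] = "approved" if approve else "denied"
                rec["sub"] = sub
                return True
        return False                # unknown, expired or already decided: tell the user, not the device

    def token(self, grant_type, device_code, client_id):
        """Step 4: the device polls the token endpoint until the owner has decided."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.requests.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires"]:
            del self.requests[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}     # the client must add 5 s to its interval and keep polling
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.requests[device_code]        # one answer per device_code, approved or not
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"], "sub": rec["sub"]}


def demo():
    """Drive the flow against a fake clock; return the token endpoint's answer at each step."""
    t = [1_500_000_000]
    srv = DeviceAuthorizationServer(clock=lambda: t[0])
    client = "toothbrush-firmware"                                   # assumed client_id
    req = srv.device_authorization(client, "brushing:write")         # assumed scope

    def poll(r=req):
        return srv.token(DEVICE_GRANT, r["device_code"], client)

    out = {"first_poll": poll(),             # owner has not acted yet
           "too_fast": poll()}               # polled again inside the interval
    t[0] += 5
    out["approved"] = srv.decide(req["user_code"], "alice", approve=True)
    out["after_approval"] = poll()
    out["reuse"] = poll()                    # the device_code is spent
    req2 = srv.device_authorization(client, "brushing:write")
    t[0] += 601
    out["expired"] = poll(req2)
    out["late_approval"] = srv.decide(req2["user_code"], "alice", approve=True)
    return out
```

Two details matter in practice: the user_code alphabet and the hyphen exist only to make the code easy to type on another device, so the server normalises what the user enters before comparing, and the device_code is deleted after its single answer so a device that keeps polling after success learns nothing more.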
  • 22. Token Binding. LATER AGGREGATOR. The "Personal Finance Manager" use case. (Diagram: a multi-account aggregator app calling several bank APIs; Token Binding & Mutual TLS profiles added to the picture.)
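Both profiles named on this slide answer the "protect from token hijacking" challenge of slide 20 by making a bearer token worthless to anyone who does not also hold the key it was bound to. The Python below is an added example, not code from the deck or from Wavestone, of the Mutual TLS variant (a draft in 2017, later RFC 8705): the authorization server records the SHA-256 thumbprint of the client certificate seen at the token endpoint in the token's cnf claim, and the bank API compares it against the certificate on the connection that presents the token. Certificates are constructed byte strings standing in for DER, tokens are opaque and introspected, and client ids and scopes are assumed.

```python
import base64
import hashlib
import hmac
import secrets


def x5t_s256(cert_der):
    """Thumbprint carried in the cnf claim: base64url(SHA-256(DER certificate))."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy bank authorization server; tokens are opaque and introspected (RFC 7662 style)."""

    def __init__(self):
        self.tokens = {}

    def issue(self, client_id, scope, client_cert_der):
        """Token endpoint reached over mutual TLS: bind the token to the certificate the client presented."""
        if client_cert_der is None:
            return {"error": "invalid_client"}     # no certificate, no bound token
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"active": True, "client_id": client_id, "scope": scope,
                              "cnf": {"x5t#S256": x5t_s256(client_cert_der)}}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 300}

    def introspect(self, token):
        return self.tokens.get(token, {"active": False})


class BankAPI:
    """Resource server: accepts a token only from the TLS client that holds the bound certificate."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def list_accounts(self, bearer_token, tls_client_cert_der):
        info = self.auth.introspect(bearer_token)
        if not info.get("active"):
            return 401, "invalid_token"
        bound = info.get("cnf", {}).get("x5t#S256")
        if bound is None:
            return 401, "token is not certificate-bound"
        if tls_client_cert_der is None:
            return 401, "no client certificate on this connection"
        if not hmac.compare_digest(bound, x5t_s256(tls_client_cert_der)):
            return 401, "certificate does not match cnf"       # a copied token replayed from elsewhere
        if "accounts:read" not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, "accounts of " + info["client_id"]


def demo():
    """Constructed stand-ins for DER certificates; returns the API's answer in each situation."""
    aggregator_cert = b"constructed DER bytes: aggregator client certificate"
    attacker_cert = b"constructed DER bytes: attacker client certificate"
    auth = AuthorizationServer()
    api = BankAPI(auth)
    grant = auth.issue("pfm-aggregator", "accounts:read", aggregator_cert)   # assumed client_id and scope
    token = grant["access_token"]
    return {
        "legit": api.list_accounts(token, aggregator_cert),
        "stolen_token": api.list_accounts(token, attacker_cert),
        "no_mtls": api.list_accounts(token, None),
        "unknown_token": api.list_accounts("garbage", aggregator_cert),
        "unbound_request": auth.issue("pfm-aggregator", "accounts:read", None),
    }
```

The aggregator's own connection succeeds; the same token presented from a connection authenticated with another certificate, or from a connection with no client certificate at all, is refused. In a real deployment the TLS terminator (load balancer or gateway) must pass the verified client certificate through to the API, or the check has nothing to compare against.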
  • 23. User Managed Access. RUN BABY RUN. (Diagram: me, the resource owner, with personal health records held at a resource server that my own authorization server protects; a doctor and a receptionist, the requesting parties, reaching them through some medical software.)
  • 24. Token Exchange. WALL STREET. (Diagram: customer support reaching a customer API through micro services; Token Exchange added to the picture.)
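Token exchange answers the "transmit identity" challenge of slide 20: a front service holding the customer's token trades it for a token a downstream micro service will accept, without forwarding the original. The Python below is an added example, not code from the deck or from Wavestone, of the exchange grant (a draft in 2017, later RFC 8693) with delegation semantics: the support portal presents the customer's token as subject_token and its own as actor_token, the authorization server issues a token for the customer API whose act claim names the portal, and the customer API checks audience, subject and scope. It refuses impersonation (no actor_token), scope escalation and audiences the actor is not entitled to. Tokens are opaque and introspected; client ids, audiences, scopes and the policy table are assumed.

```python
import secrets

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class TokenExchangeServer:
    """Toy authorization server implementing the token exchange grant (later RFC 8693)."""

    def __init__(self):
        self.store = {}                                         # opaque token -> claims introspection returns
        self.may_target = {"support-portal": {"customer-api"}}  # assumed policy: which actor may get tokens for which audience

    def mint(self, **claims):
        token = secrets.token_urlsafe(16)
        self.store[token] = dict(claims, active=True)
        return token

    def introspect(self, token):
        return self.store.get(token, {"active": False})

    def exchange(self, grant_type, subject_token, subject_token_type, audience, scope,
                 actor_token=None, actor_token_type=None):
        if grant_type != TOKEN_EXCHANGE:
            return {"error": "unsupported_grant_type"}
        if subject_token_type != ACCESS_TOKEN_TYPE or (actor_token and actor_token_type != ACCESS_TOKEN_TYPE):
            return {"error": "invalid_request"}
        subject = self.introspect(subject_token)
        if not subject.get("active"):
            return {"error": "invalid_grant"}
        if actor_token is None:
            # Without an actor the result would be impersonation: indistinguishable from the customer's own token.
            return {"error": "invalid_request", "error_description": "delegation only: actor_token required"}
        actor = self.introspect(actor_token)
        if not actor.get("active"):
            return {"error": "invalid_grant"}
        if audience not in self.may_target.get(actor["sub"], set()):
            return {"error": "invalid_target"}
        wanted = set(scope.split())
        if not wanted <= set(subject["scope"].split()):
            return {"error": "invalid_scope"}                   # scope can only be narrowed, never widened
        act = {"sub": actor["sub"]}
        if "act" in subject:
            act["act"] = subject["act"]                         # preserve the chain if the subject token was itself delegated
        granted = " ".join(sorted(wanted))
        new = self.mint(sub=subject["sub"], aud=audience, scope=granted, act=act, client_id=actor["sub"])
        return {"access_token": new, "issued_token_type": ACCESS_TOKEN_TYPE, "token_type": "Bearer",
                "expires_in": 300, "scope": granted}


class CustomerAPI:
    """Downstream micro service: checks audience, subject and scope, and records who acted."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def get_profile(self, token, customer_id):
        info = self.auth.introspect(token)
        if not info.get("active") or info.get("aud") != "customer-api":
            return 401, "token not meant for this API"
        if info["sub"] != customer_id:
            return 403, "token subject is not this customer"
        if "profile:read" not in info["scope"].split():
            return 403, "insufficient_scope"
        actor = info.get("act", {}).get("sub")
        return 200, f"profile of {customer_id}, read by {actor or 'the customer'}"


def demo():
    """Constructed tokens for a customer and the support portal; returns each exchange and API outcome."""
    srv = TokenExchangeServer()
    api = CustomerAPI(srv)
    customer = srv.mint(sub="alice", aud="support-portal", scope="profile:read profile:write")
    portal = srv.mint(sub="support-portal", aud="support-portal", scope="support")

    def swap(audience, scope, with_actor=True):
        extra = dict(actor_token=portal, actor_token_type=ACCESS_TOKEN_TYPE) if with_actor else {}
        return srv.exchange(TOKEN_EXCHANGE, customer, ACCESS_TOKEN_TYPE, audience, scope, **extra)

    ok = swap("customer-api", "profile:read")
    return {
        "exchanged_scope": ok.get("scope"),
        "act": srv.introspect(ok["access_token"])["act"],
        "api_with_original": api.get_profile(customer, "alice"),
        "api_with_exchanged": api.get_profile(ok["access_token"], "alice"),
        "api_wrong_customer": api.get_profile(ok["access_token"], "bob"),
        "escalate_scope": swap("customer-api", "profile:read admin"),
        "impersonation": swap("customer-api", "profile:read", with_actor=False),
        "wrong_target": swap("billing-api", "profile:read"),
    }
```

The customer's original token is refused by the customer API because its audience is the portal, which is the whole point: each hop gets a token cut for it, and the act claim keeps the audit trail of who acted for whom as the call crosses micro services.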
  • 25. Not to mention / Dynamic Client Registration & Management / OIDC/OAuth Discovery / Signed request / Mobile Connect / OIDC Session Management / Token revocation / … The big picture, AT LAST. (Diagram: everything accumulated over the talk: resource owner, client, authorization server, resource server, OpenID Connect provider, requesting party, access token, refresh token, ID token, PKCE (RFC 7636), OAuth 2.0 for native apps, Token Binding, Token Exchange.)
  • 26. "Just saying #OAuth does not do the job." ONE LAST WORD / OAuth is a very rich ecosystem: choose the right specifications, integrate them carefully within a well-designed architecture, and don't end up with flawed API security, or with a false sense of security.