OAuth for your API - The Big Picture

OAuth is taking off as a standard way for apps and websites to handle authentication. But OAuth is a fast-moving spec that can be hard to pin down. Why should you use OAuth, and what are the business and operational benefits? What's the story with all of the different versions, and which one should you choose? Watch this webinar with Apigee's CTO Gregory Brail and Sr. Architect Brian Pagano for 'big picture straight talk' on these OAuth questions and more.

OAuth: The Big Picture

8.11.11 @ 11:05 PST
VOIP or Dial-in (see chat)


Greg Brail @gbrail
Brian Pagano @brianpagano
API Workshop Webinar Series
   (videos & slides at http://blog.apigee.com/taglist/webinar)


Mapping out your API Strategy
Pragmatic REST: API Design Fu
10 Patterns in Successful API Programs
What to Measure: API Analytics
Is your API Naked? API Tech & Operations
Does your API need PCI? (Compliance)
Developers Hate Marketing: Driving API Adoption
OAuth: The Big Picture
“Boss, we need an API” (coming Sep 14)
Topics

A Brief Introduction to OAuth
Why OAuth is good for API consumers (really!)
Why OAuth is good for API providers
Implementation challenges for the provider
Recommendations
A Brief Introduction to OAuth

Motivations Behind OAuth

We all understand the idea of a service
    APIs, web sites that support mobile apps …

We all understand password-based security:
    Provide your credentials in a secure way to gain access
"The Transformative Power of AI and Open Challenges" by Dr. Manish Gupta, Google
 
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
ASTRAZENECA. Knowledge Graphs Powering a Fast-moving Global Life Sciences Org...
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
10 things that helped me advance my career - PHP UK Conference 2024
10 things that helped me advance my career - PHP UK Conference 202410 things that helped me advance my career - PHP UK Conference 2024
10 things that helped me advance my career - PHP UK Conference 2024
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book Review
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
 
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
AI MODELS USAGE IN FINTECH PRODUCTS: PM APPROACH & BEST PRACTICES by Kasthuri...
 
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
Cultivating Entrepreneurial Mindset in Product Management: Strategies for Suc...
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineering
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 

OAuth for your API - The Big Picture

  • 1. OAuth: The Big Picture. 8.11.11 @ 11:05 PST. VOIP or Dial-in (see chat). Greg Brail @gbrail, Brian Pagano @brianpagano
  • 2. @gbrail @brianpagano
  • 3. API Workshop Webinar Series (videos & slides at http://blog.apigee.com/taglist/webinar): Mapping out your API Strategy; Pragmatic REST: API Design Fu; 10 Patterns in Successful API Programs; What to Measure: API Analytics; Is your API Naked? API Tech & Operations; Does your API need PCI? (Compliance); Developers Hate Marketing: Driving API Adoption; OAuth: The Big Picture; “Boss, we need an API” (coming Sep 14)
  • 4. Topics: A Brief Introduction to OAuth; Why OAuth is good for API consumers (really!); Why OAuth is good for API providers; Implementation challenges for the provider; Recommendations
  • 5. A Brief Introduction to OAuth
  • 6. Motivations Behind OAuth. We all understand the idea of a service: APIs, web sites that support mobile apps … We all understand password-based security: provide your credentials in a secure way to gain access
  • 7. Motivations Behind OAuth. Services are used by applications: your web browser is merely one application. Services and passwords don’t mix well: How many applications have your password? Do you trust them all? Are you sure?
  • 8. What is OAuth? OAuth is another way to authenticate to a service.
  • 9. Imagine .... …you had a different password for every service. Already do? You are in a tiny minority. …you had a different password for every application. A compromised application can’t wreak as much havoc. …You can’t possibly remember it or write it down. Instead, it is stored by the application that needs it
  • 11. See Eran Hammer-Lahav’s writeup on the history of OAuth: http://hueniverse.com/oauth/guide/history/
  • 12. Terminology (simplified). CLIENT: App used to access service; sometimes called “consumer”. USER: Person using the service; sometimes called “resource owner”. SERVER: Where the service runs; sometimes called “service provider”
  • 13. Example OAuth Flow. 1. Bob visits bit.ly, which uses a service provided by Twitter. Bob already has logins for bit.ly and Twitter. 2. Behind the scenes, bit.ly uses its OAuth credentials to begin the authentication process for Bob. 3. bit.ly redirects Bob temporarily to twitter.com to log in. bit.ly never sees Bob’s Twitter password. 4. If and only if this is successful, bit.ly uses its own OAuth credentials to retrieve credentials for Bob. 5. bit.ly stores Bob’s new credentials along with Bob’s account. They allow him to use bit.ly, and only bit.ly, to access Twitter
  • 14. Let’s see that again [Diagram labels: BOB (USER); BIT.LY (CLIENT); TWITTER (SERVER); Bob’s bit.ly password; Bob’s OAuth credentials for Twitter; Bob’s Twitter password; API access]
  • 16. What if... bit.ly is hacked and the password database is leaked? Twitter revokes bit.ly’s OAuth credentials. All credentials stored by bit.ly are immediately rejected. Twitter users don’t have to change their passwords
  • 17. What if... Hackers phish Bob and get his Twitter password? He changes his Twitter password as soon as he knows. Bob doesn’t have to do anything at bit.ly because it never had the password
  • 18. Next Example: OAuth Flow for Mobile Apps. 1. Bob launches FooApp, which uses a service provided by Twitter. 2. Bob already has a Twitter username and password. 3. Behind the scenes, FooApp uses its OAuth credentials to begin the authentication process for Bob. 4. FooApp opens a browser window and directs Bob to Twitter to log in. FooApp never sees Bob’s Twitter password. 5. If and only if this is successful, FooApp uses its OAuth credentials to retrieve credentials for Bob. 6. FooApp stores these locally. They allow Bob to use FooApp, and only FooApp, to access Twitter
  • 19. Another Example OAuth Flow [Diagram labels: BOB (USER); FOOAPP (CLIENT); TWITTER (SERVER); Bob’s OAuth token for Twitter; Bob’s Twitter password; API access]
  • 20. What if... Bob loses his phone, and he didn’t set a phone password? He immediately logs in to Twitter. He revokes the credentials that Twitter gave FooApp on his phone. He doesn’t have to change his Twitter password because his phone never had it.
  • 21. For Web Apps that Expose APIs: OAuth means that web apps don’t have to share passwords
  • 22. For Web Apps that Expose APIs: The alternative to OAuth is an unacceptable security risk for modern web apps. The other alternative is some sort of universal single-sign-on mechanism.
  • 23. Recommendation: We believe that all web applications that expose APIs to other web applications must support OAuth.
  • 24. For APIs Designed for Mobile and Native Apps: OAuth eliminates the need to store a password on a mobile device. An OAuth token.. ..is harder to guess; ..is tied to a particular application and device; ..may be revoked without affecting other devices and apps
  • 25. For APIs Designed for Mobile and Native Apps: OAuth makes the authentication process future-proof. It’s under the control of the API team. SSL, multi-factor authentication, terms of service, you name it – there is a place to plug it in without touching the client
  • 26. Recommendation: We believe that all APIs that support mobile and native apps should support OAuth … ..and encourage or require it for mobile and native apps
  • 27. For Server-to-Server APIs: Having a separate set of authentication credentials for each application is a nice feature of OAuth… But for server-to-server use, the need to log in securely using a browser gets in the way. Simply assigning a unique password to each application is sufficient (or two-way SSL is another good but cumbersome approach)
  • 28. Recommendation: We believe that OAuth is not necessary for APIs that are only used by other servers… …but once those APIs are useful for other types of clients – and they usually are – then you are back in the OAuth game!
  • 29. But I Hate OAuth! (Picture by g-mikee)
  • 30. OAuth is more cumbersome for developers than plain passwords.
  • 31. But OAuth is a lot better for the end user. No password sharing between web apps. No passwords stored on mobile devices. Using OAuth is worth the effort.
  • 32. What version should I use?
  • 33. What Version of OAuth Should I Use? 1.0: Had a security flaw. No one should be using it now! 1.0a: Stable and well-understood. Uses a signature to exchange credentials between client and server. So…SSL is not necessary, but getting the signature right is tricky. 2.0: Actively under development in the IETF. Slowly but surely getting stable – core flows unlikely to change much. Supports a “bearer token,” which is easier to code but requires SSL. Optional specs to support signatures, SAML, etc. but specs not yet stable
  • 34. “Fl-OAuth Chart” for the API Team [Flowchart: Can your API require HTTPS? If so, use OAuth 2.0 with bearer tokens; otherwise, use OAuth 1.0a]
  • 35. How Should I Use OAuth 2.0? BEARER TOKEN: Just a big random number. Requires SSL. By far the simplest to implement – USE IT! MAC TOKEN: Like OAuth 1.0a, uses signature instead of SSL. Still changing - WAIT! SAML: Makes sense if the API team and developers really want SAML. But still changing - WAIT!
  • 36. How Should I Use OAuth 2.0? Different ways to get the token: “Authorization Code” – designed for use by web apps <- important! “Implicit Grant” – designed for JavaScript-rich web apps <- also important! “Resource Owner Password Credentials”, “Client Credentials”: Bypass many parts of the OAuth flow. Re-introduces password sharing. Basically ways to make “OAuth” work when you don’t really want OAuth
  • 37. What Version of OAuth 2.0 Should I Use? I’m not sure why this is even a question. You should use the latest one.
  • 39. What are Legs and How Many Does OAuth Have? 3-LEGGED: Since there is a user, a client, and a server in OAuth, some people call it “three-legged OAuth”. 2-LEGGED: Some APIs identify just the “client” and not the “user”. Often this is done using SSL. But an OAuth 1.0 signature may be used instead. Technically, “two-legged OAuth” is not OAuth at all
  • 40. Why is OAuth so Hard for Developers?
  • 41. Why is OAuth so Hard for Developers? The “authentication dance” is painful. Signatures are painful. They are now optional (and up to the discretion of the provider) in 2.0. There are a lot of libraries – use them. Getting the signature algorithm right is harder than it looks at first!
  • 42. Why is OAuth so Hard for Developers? Where do you store the credentials on the client? They must be available in clear text. Mobile devices can break them into pieces .. but in the end time and physical access will eventually wear down anything. At any rate storing the original password directly is worse!
  • 44. When OAuth is a Bad Idea. Anything that is not done on behalf of a human: Admin tools, server-to-server communication, … Anything that requires “commercial” levels of trust: If you require the capabilities of a PKI then OAuth is not that. One-time tokens: OAuth is a lot of machinery to make one API call
  • 45. Other Bad Ideas: “We have our own version of OAuth”
  • 46. Other Bad Ideas: “We invented something that’s kind of like OAuth”
  • 47. More Recommendations. DEVELOPERS: Use a library. Think about using a proxy. API TEAM: Use OAuth 2.0. Use Bearer Tokens. Use “Authorization code” and “implicit grant” only. Use the latest draft! Default to SSL. Think about using a product. At least use a library for signatures
  • 48. Next Time: Mapping out your API Strategy; Pragmatic REST: API Design Fu; 10 Patterns in Successful API Programs; What to Measure: API Analytics; Is your API Naked? API Tech & Operations; Does your API need PCI? (Compliance); Developers Hate Marketing: Driving API Adoption; OAuth: The Big Picture; “Boss, we need an API” (Sep 14)
  • 49. THANK YOU. Questions and ideas to: @gbrail @brianpagano
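The two "What if..." slides (16 and 20) and the token properties on slide 24 describe server-side revocation. The sketch below is an added example, not code from the webinar or from any Twitter or Apigee product: `TokenStore`, its methods and the scenario values are hypothetical names, and the store is kept in memory for illustration.

```python
import hashlib
import secrets


class TokenStore:
    """Server-side record of issued bearer tokens (hypothetical, in memory)."""

    def __init__(self):
        self._tokens = {}              # sha256(token) -> (client, user, device)
        self._revoked_clients = set()

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leak of this table does not leak tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client, user, device):
        token = secrets.token_urlsafe(32)   # "just a big random number"
        self._tokens[self._digest(token)] = (client, user, device)
        return token

    def validate(self, token):
        """Return (client, user, device) for a live token, else None."""
        record = self._tokens.get(self._digest(token))
        if record is None or record[0] in self._revoked_clients:
            return None
        return record

    def revoke_grant(self, user, client, device):
        """The user revokes one app on one device (slide 20)."""
        doomed = [h for h, rec in self._tokens.items()
                  if rec == (client, user, device)]
        for h in doomed:
            del self._tokens[h]
        return len(doomed)

    def revoke_client(self, client):
        """The provider revokes a breached client's credentials (slide 16)."""
        self._revoked_clients.add(client)


def breach_and_lost_phone_scenario():
    """Constructed walk-through of both slides; returns which tokens still work."""
    store = TokenStore()
    bob_bitly = store.issue("bit.ly", "bob", "web")
    alice_bitly = store.issue("bit.ly", "alice", "web")
    bob_phone = store.issue("FooApp", "bob", "phone")
    bob_tablet = store.issue("FooApp", "bob", "tablet")

    store.revoke_grant("bob", "FooApp", "phone")   # Bob loses his phone
    store.revoke_client("bit.ly")                  # bit.ly's database leaks

    live = lambda t: store.validate(t) is not None
    return {"bob_bitly": live(bob_bitly), "alice_bitly": live(alice_bitly),
            "bob_phone": live(bob_phone), "bob_tablet": live(bob_tablet)}
```

In both cases no Twitter password changes: only the tablet token survives, and it still resolves to FooApp and Bob.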
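Slides 33 and 41 say that getting the OAuth 1.0a signature right is harder than it looks. The sketch below is an added example, not code from the webinar: it builds the HMAC-SHA1 signature base string as specified in RFC 5849 and shows the normalization steps that commonly go wrong. The URL, keys and secrets are constructed sample values, and nonce and timestamp replay checks are out of scope.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample request: mixed-case scheme/host, default port, encoded query.
SAMPLE_URL = "HTTP://API.Example.com:80/statuses?q=a%20b"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "ck",
    "oauth_token": "tk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1313085900",
    "oauth_nonce": "n1",
}


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def base_string(method, url, params):
    """METHOD & encoded base URI & encoded, sorted parameter string."""
    parts = urlsplit(url)
    host = parts.hostname or ""                      # already lower-cased
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port and parts.port != default_port:    # default ports are dropped
        host = f"{host}:{parts.port}"
    base_uri = f"{parts.scheme}://{host}{parts.path or '/'}"
    # Query parameters are signed together with the oauth_* parameters.
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, params, client_secret, token_secret=""):
    """Base64 HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def verify(method, url, params, client_secret, token_secret=""):
    """Server side: recompute and compare in constant time."""
    expected = sign(method, url, params, client_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Client and server must produce byte-identical base strings, so any difference in case folding, port handling, parameter ordering or double encoding yields a rejected request.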