Protecting your Applications and APIs with Nordic e-IDs
Erik Wahlström, Technology Strategist
9/19/2013
Slide 3: Today's topics
- eIDs are in the news.
- What is an eID?
- What are the Nordic eIDs?
- Three ways to use your eIDs to protect apps and APIs.

Slide 4: What is an eID?
- Digital passport to authenticate and sign.
- Issued or trusted by governments.
- Legally binding.

Slides 5-9 (the Nordic eID types, one illustration each):
- Smartcards or eIDs on file.
- Software based OTPs.
- Tupas.
- API based.

Slide 10: What's up next?
- New platform for Swedish BankID.
- SAML based identity federations like eID2.
- New projects in Norway and Finland.

Slide 11: How to protect an API using eID?
- Web based APIs.
- Protocol handlers.
- Use browsers and OAuth2.
- A token can be anything.
- Alternatives to call an API:
  - Swedish Mobile BankID.
  - OAuth2 to authenticate using any other type of eID.
  - Bind two devices together to use smartcards on smartphones.

Slide 12: Alternative one – Swedish Mobile BankID
Slides 13-17 (app-switch illustration): the app hands off to the BankID app with
bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz
and BankID returns control to the app at
nexus://state=xyz

Slide 18: Swedish Mobile BankID – Deep dive

Slides 19-29 (sequence diagram, built up step by step, with the labels Personal number, Authentication, Collect, Token and Question): the app switch above is shown in the diagram, with the launch URL bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz on slide 23 and the return URL nexus://state=xyz on slide 27.
Slide 30: Alternative two – Other eIDs

Slide 31: Use your browser to authenticate using any eID
- OAuth2 industry standard to protect APIs.
- Define a way to get an authorization to use an API.
- A token or two is good.
- Use the token to access the API.
- Use OAuth2 and a browser dance to authenticate.
- Enables any method and eIDaaS.

Slides 32-35 (browser flow illustration): the app opens the authorization request
https://example.com/oauth2?response_type=code&client_id=nexus&redirect_uri=nexus%3A%2F%2Fauthorization&scope=api&state=xyz
and the browser redirects back into the app with
nexus://authorization?code=oauth2grant&state=xyz

Slide 36: Other eIDs – Deep dive

Slides 37-39 (sequence diagram, built up step by step, with the labels Token and Question).
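Both protocol-handler flows above (the bankid:// app switch that returns to nexus://state=..., and the OAuth2 browser dance that returns to nexus://authorization?code=...&state=...) depend on the same thing: the app must bind the state it sent to a pending session and accept each callback only once. This added Python example is not from the deck or from Nexus; it builds both outgoing URLs in the form the slides show and validates the incoming nexus:// callbacks. The PendingFlows class, the STATE_TTL value and the random state (in place of the slides' placeholder xyz) are assumptions.

```python
import secrets
import time
from urllib.parse import quote, urlencode, urlparse, parse_qs

APP_SCHEME = "nexus"                           # the app's custom scheme (nexus://, from the deck)
AUTHZ_ENDPOINT = "https://example.com/oauth2"  # authorization endpoint shown on slide 33
STATE_TTL = 300                                # assumed lifetime (seconds) of a pending flow


class PendingFlows:
    """Outstanding app-switch flows keyed by a random, single-use state value."""
    def __init__(self):
        self._pending = {}  # state -> (flow kind, creation time)

    def _new_state(self, kind):
        state = secrets.token_urlsafe(16)  # unguessable, unlike the slides' placeholder 'xyz'
        self._pending[state] = (kind, time.time())
        return state

    # Alternative one: hand off to Mobile BankID with an encoded return URL.
    def bankid_launch_url(self):
        state = self._new_state("bankid")
        return f"bankid://redirect={quote(f'{APP_SCHEME}://state={state}', safe='')}", state

    # Alternative two: OAuth2 authorization request with a custom-scheme redirect_uri.
    def oauth2_authorize_url(self, client_id="nexus", scope="api"):
        state = self._new_state("oauth2")
        params = {"response_type": "code", "client_id": client_id,
                  "redirect_uri": f"{APP_SCHEME}://authorization", "scope": scope, "state": state}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state

    # Validate an incoming nexus:// URL; returns (flow kind, code) or raises ValueError.
    def handle_callback(self, url):
        parsed = urlparse(url)
        if parsed.scheme != APP_SCHEME:
            raise ValueError("unexpected scheme")
        if parsed.netloc == "authorization":        # nexus://authorization?code=...&state=...
            q = parse_qs(parsed.query)
            kind, state = "oauth2", q.get("state", [None])[0]
            code = q.get("code", [None])[0]
        elif parsed.netloc.startswith("state="):    # nexus://state=...
            kind, state, code = "bankid", parsed.netloc[len("state="):], None
        else:
            raise ValueError("unknown callback")
        entry = self._pending.pop(state, None)      # single use: replaying the URL fails
        if entry is None or entry[0] != kind or time.time() - entry[1] > STATE_TTL:
            raise ValueError("state unknown, reused, expired or bound to another flow")
        if kind == "oauth2" and not code:
            raise ValueError("missing authorization code")
        return kind, code
```

The state check protects the callback against cross-site request forgery and against mixing up the two flows; it does not stop another app on the device from registering the same custom scheme, so the returned code should be exchanged for tokens immediately and never reused.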
Slide 40: Alternative three – eID on other device

Slide 41: Use an eID on another device
- Put the rather sad user to work.
- Connect two devices.
- Refresh tokens make it usable.

Slides 42-44: illustrations (no text).

Slide 45: Final words

Slide 46: Final words
- BYOD and consumerization.
- eIDaaS and OAuth2 for best coverage.
- Refresh tokens are not always OK.
- WebCrypto is cool.

Slide 47: Thanks!
- @erik_wahlstrom
- erik.wahlstrom@nexusgroup.com