Launching a Successful and Secure API

What secure standards are there when working with a new API? And why should you care?

Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Trondheim, June 11 - 2013


Launching a Successful and Secure API

  1. Launching a Successful & Secure API
     Effectively launching secure, RESTful APIs using the “neo-security stack”
     By Travis Spencer, CEO
     @travisspencer, @2botech
     Copyright © 2013 Twobo Technologies AB. All rights reserved
  2. Agenda
     • The challenge in context
     • Examples of innovative opportunities
     • Neo-security stack
     • OAuth basics
     • Overview of other layers
     • Using the stack
  3. Disruptive Trends
     • Cloud computing
     • Social networks
     • Mobile
     • Big data
  4. Progression to This Point
     Web apps have evolved from CGI to the cloud to APIs: HTTP, HTML, CGI → COM & CORBA → SOAP & SOA → Web 2.0 & REST → The cloud → Web APIs
  5. Example: Pearson
     • Launched API to allow innovative uses of existing content
     • Turned sunk costs into new revenue stream
     • Started w/ one API and deployed others in time
     • Built community, not just code
     (Image credits: Copyright © 2013 Pearson plc; Copyright © 2008 Maja Dumat, “sawdust / sågspån”)
  6. Example: Salesforce.com
     • Providing Platform as a Service (PaaS)
     • Almost 200,000 customer & partner apps
     • Apps span industries and business functions
     • Attract new customers w/ lower costs and increased performance
     • 60% of all traffic is to API; only 40% to site
     (Image credit: Copyright © 2000-2013 salesforce.com, Inc.)
  7. Example: AT&T
     • The network is the platform
     • Examples of their APIs: SMS, MMS, location, speech; TV, healthcare, notary, advertising
     • Sponsor hackathons, events, blogs
     • Business benefits: revenue, business agility, time to market, new customer value, innovation, efficiency
     “[The API program] is an architectural choice one makes for speed.” — John Donovan, SEVP, AT&T
  8. Example: Twilio
     • Twilio lets you use web languages to build voice, VoIP & SMS applications via a web API
     • Raised $70M series D in June
     • Example that shows the potential
  9. Example: Cloud Brokerage
     Diagram: Cloud Services, MNO’s Cloud Services and Legacy Services feed a Cloud Service Aggregation Platform (Support, Tenant / User Provisioning, Web SSO, Billing), exposed through a Cloud Desktop, App Store, User Portal and an Admin Portal
  10. Identity is Central
     Diagram: Identity at the center of Social Networks, Cloud Computing, Mobile and Big Data
  11. The Neo-security Stack
     • SAML / OpenID Connect: federation
     • SCIM: provisioning
     • JSON Identity Suite: identity
     • OAuth: authorization
  12. SAML
     • SAML: proven technology for identity federation and Web SSO
     • Profiles, bindings, protocols, assertions & metadata
     • V. 2.1 in the works
     Diagram: Service Provider (SP) and Identity Provider (IdP)
  13. OpenID Connect
     • New federation protocol that builds on OAuth 2
     • Adds identity inputs/outputs to OAuth messages
     • Related to prior OpenID versions in name only
     • Compact messages for mobile scenarios
     • RP / client can determine info about end user
     • Tokens are JWTs
     • UserInfo endpoint to get user data
     (Image caption: “Grandpa SAML & junior”)
  14. SCIM
     • Defines RESTful API to manage users & groups
     • Specifies core user & group schemas
     • Supports bulk updates for ingest
     • Binding for SAML and eventually OpenID Connect
  15. OAuth
     • OAuth 2 is the new protocol of protocols: composed in useful ways, like WS-Trust of old
     • Addresses old requirements and solves new ones: delegated access, no password sharing, revocation of access
  16. OAuth Actors
     • Client
     • Authorization Server (AS)
     • Resource Server (RS) (i.e., API)
     • Resource Owner (RO)
     Diagram: the client gets a token from the AS, then uses the token at the RS
  17. Scopes
     • Like permissions
     • Scopes specify extent of tokens’ usefulness
     • Listed on consent UI (if shown)
     • Issued tokens may have narrower scope than requested
     • No standardized scopes
  18. Kinds of Tokens
     • Access tokens: like a session; used to secure API calls
     • Refresh tokens: like a password; used to get new access tokens
  19. Passing Tokens
     • By value: user attributes are in the token
     • By reference: user attributes are referenced by an identifier (e.g., “123XYZ”)
  20. Profiles of Tokens
     • Bearer: bearer tokens are like cash
     • Holder of Key: HoK tokens are like credit cards
  21. Types of Tokens
     • WS-Security
     • SAML
     • JWT
     • Custom: home-grown, Oracle Access Manager, SiteMinder, etc.
  22. JSON Identity Protocol Suite
     • Suite of JSON-based identity protocols: Tokens (JWT), Encryption (JWE), Keys (JWK), Signatures (JWS), Algorithms (JWA)
     • Bearer Token spec explains how to use w/ OAuth
     • Being defined in IETF
  23. JWT Tokens
     • Pronounced like the English word “jot”
     • Lightweight tokens passed in HTTP headers & query strings
     • Akin to SAML tokens: less expressive, fewer security options, more compact, encoded w/ JSON not XML
  24. OAuth Web Server Flow
     (Diagram only)
  25. Usage of OAuth
     • Not for authentication
     • Not really for authorization
     • For delegation
  26. Stealing Bearer Tokens
     (Diagram only)
  27. OpenID Example
     Sequence between Browser, RP / Client and OAuth AS / OpenID Provider:
     • Request login, providing “openid” scope & user info scopes
     • Access code
     • Get access token
     • Access token & ID token
     • Check audience restriction of ID token
     • Get user info using access token
     • User info
  28. Authentication & Federation
     • How you authenticate to AS is undefined
     • Use SAML or OpenID Connect for SSO to AS
     • Relay OAuth token in SAML messages
  29. SCIM + OAuth
     • Use OAuth to secure SCIM API calls
     • Use SCIM to create accounts needed to access APIs secured using OAuth
  30. SCIM + SAML/OIDC
     • Carry SCIM attributes in SAML assertions (bindings for SCIM)
     • Enables JIT provisioning
     • Supplements SCIM API & schema
     • Provisioning accounts using SCIM API to be updated before/after logon
  31. User Managed Access
     • Also extends OAuth 2
     • Allows users to centrally control distribution of their identity data
     • Used with Personal Data Stores (PDS) to create “identity data lockers”
  32. Neo-security Stack for Brokerage
     Diagram: Identity Hub connecting Telco, etc. via SAML/SCIM
  33. Questions & Thanks
     @2botech, @travisspencer
     www.2botech.com, travisspencer.com
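Slides 15 through 19 describe the OAuth actors, scopes that may be narrowed at consent time, by-reference access tokens and revocation. The following is an added example, not code from the talk or from Twobo Technologies: a toy authorization server that issues opaque by-reference tokens and a resource server that resolves each token against the AS and enforces per-operation scope. The client id, scope names, paths and the `issue_token`/`resolve`/`revoke` interface are constructed for this illustration and do not correspond to any real product.

```python
"""Toy OAuth 2 authorization server and resource server, stdlib only.

Added illustration of scopes and by-reference tokens; client ids, scopes,
paths and the AS/RS interfaces are constructed for this example, not taken
from the slides or any real product.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class TokenRecord:
    """What the AS knows about an issued token; the client only holds the opaque reference."""
    subject: str
    client_id: str
    scope: Set[str]
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, registered_scopes: Dict[str, Set[str]]):
        self._registered = registered_scopes          # client_id -> scopes it may ever ask for
        self._tokens: Dict[str, TokenRecord] = {}     # reference -> record (the "by reference" store)

    def issue_token(self, client_id: str, subject: str, requested: Iterable[str],
                    consented: Iterable[str], now: float, lifetime: float = 600) -> Tuple[str, Set[str]]:
        # Granted scope may be narrower than requested (slide 17): the intersection of what
        # the client asked for, what the client is registered for, and what the RO consented to.
        granted = set(requested) & self._registered.get(client_id, set()) & set(consented)
        if not granted:
            raise PermissionError("invalid_scope")
        reference = secrets.token_urlsafe(32)   # random id; carries no attributes itself
        self._tokens[reference] = TokenRecord(subject, client_id, granted, now + lifetime)
        return reference, granted

    def resolve(self, reference: str, now: float) -> Optional[TokenRecord]:
        """RS-facing lookup. Unknown, revoked or expired references resolve to nothing."""
        rec = self._tokens.get(reference)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec

    def revoke(self, reference: str) -> None:
        rec = self._tokens.get(reference)
        if rec is not None:
            rec.revoked = True


class ResourceServer:
    """The API. Maps each operation to the scope a token must carry."""
    REQUIRED_SCOPE = {"GET /contacts": "contacts:read", "POST /contacts": "contacts:write"}

    def __init__(self, authz: AuthorizationServer):
        self._authz = authz

    def handle(self, method: str, path: str, authorization: Optional[str], now: float) -> Tuple[int, str]:
        if not authorization or not authorization.startswith("Bearer "):
            return 401, 'WWW-Authenticate: Bearer realm="contacts"'
        rec = self._authz.resolve(authorization[len("Bearer "):], now)
        if rec is None:
            return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
        needed = self.REQUIRED_SCOPE.get(f"{method} {path}")
        if needed is None:
            return 404, "no such resource"
        if needed not in rec.scope:
            return 403, f'WWW-Authenticate: Bearer error="insufficient_scope", scope="{needed}"'
        return 200, f"contacts of {rec.subject}"


def run_scenario(now: float = 1_700_000_000) -> Dict[str, object]:
    """Constructed walk-through: consent narrows scope, RS enforces it, revocation takes effect at once."""
    authz = AuthorizationServer({"addressbook-app": {"contacts:read", "contacts:write"}})
    api = ResourceServer(authz)
    # Client asks for read+write; the RO consents to read only on the consent UI.
    token, granted = authz.issue_token("addressbook-app", "alice",
                                       requested={"contacts:read", "contacts:write"},
                                       consented={"contacts:read"}, now=now)
    bearer = "Bearer " + token
    results: Dict[str, object] = {"granted": sorted(granted)}
    results["read"] = api.handle("GET", "/contacts", bearer, now)[0]
    results["write"] = api.handle("POST", "/contacts", bearer, now)[0]
    results["no_token"] = api.handle("GET", "/contacts", None, now)[0]
    results["unknown_token"] = api.handle("GET", "/contacts", "Bearer " + secrets.token_urlsafe(32), now)[0]
    results["expired"] = api.handle("GET", "/contacts", bearer, now + 601)[0]
    # Revocation (slide 15): because the RS resolves the reference on each call, the
    # effect is immediate, which a self-contained by-value token cannot offer before expiry.
    authz.revoke(token)
    results["after_revoke"] = api.handle("GET", "/contacts", bearer, now)[0]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:14s} {value}")
```

The trade-off the deck's "by value / by reference" slide points at shows up directly: the reference design needs a lookup per API call but gives the AS a single place to narrow, expire and revoke access, while a by-value token would save the round trip at the cost of living until its `exp`.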

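Slides 22 and 23 introduce JWS/JWT and slide 27 ends the OpenID Connect flow with "check audience restriction of ID token". The following is an added example, not code from the talk or from Twobo Technologies: a stdlib-only HS256 JWT issuer and the RP-side validation an ID token must pass (pinned algorithm, signature, issuer, audience, expiry). The issuer URL, RP client id and shared MAC key are constructed for this illustration; a production RP would normally verify an asymmetric signature with the provider's published JWK rather than a shared secret.

```python
"""Minimal HS256 JWT (compact JWS) issuer and RP-side validator, stdlib only.

Added illustration; the issuer, audience and key below are constructed for
this example and are not from the slides.
"""
import base64
import hashlib
import hmac
import json

# Constructed values: the OpenID Provider's issuer URL, the RP's client_id
# (which the ID token's "aud" must name) and a shared MAC key.
ISSUER = "https://op.example.test/"
RP_CLIENT_ID = "rp-client-id-constructed"
SHARED_SECRET = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without "=" padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issuer side: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(ValueError):
    """Raised for any token the RP must not accept."""


def validate_id_token(token: str, secret: bytes, expected_issuer: str,
                      expected_audience: str, now: float) -> dict:
    """RP side. Order matters: authenticate the token (signature) before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RP expects; the token itself must not choose it
    # (this rejects "none" and any alg the RP did not agree on with the OP).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise TokenError("unexpected issuer")
    # Audience restriction (slide 27): "aud" is a string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise TokenError("audience restriction failed")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("token expired")
    return claims


def outcome(token: str, now: float) -> str:
    """Return "accepted:<sub>" or the reason the RP rejected the token."""
    try:
        return "accepted:" + validate_id_token(token, SHARED_SECRET, ISSUER, RP_CLIENT_ID, now)["sub"]
    except TokenError as err:
        return "rejected:" + str(err)


def demo_outcomes(now: float = 1_700_000_300) -> dict:
    """Constructed tokens: one good, one for another RP, one expired, one modified, one 'alg: none'."""
    good = {"iss": ISSUER, "sub": "alice", "aud": RP_CLIENT_ID, "iat": now - 300, "exp": now + 300}
    token = sign_jwt(good, SHARED_SECRET)
    other_rp = sign_jwt({**good, "aud": "some-other-rp"}, SHARED_SECRET)
    expired = sign_jwt({**good, "exp": now - 1}, SHARED_SECRET)
    # Payload changed without the key: the original signature no longer matches.
    header, _, sig = token.split(".")
    tampered = header + "." + _json_segment({**good, "sub": "mallory"}) + "." + sig
    alg_none = _json_segment({"alg": "none"}) + "." + _json_segment(good) + "."
    return {name: outcome(t, now) for name, t in
            [("good", token), ("other_rp", other_rp), ("expired", expired),
             ("tampered", tampered), ("alg_none", alg_none)]}


if __name__ == "__main__":
    for name, result in demo_outcomes().items():
        print(f"{name:10s} {result}")
```

The audience check is what stops an ID token minted for one RP from being replayed to another RP that trusts the same provider; the pinned `alg` and the signature check before any claim is read are what make the remaining checks meaningful.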