Who’s Knocking? Identity for APIs, Web and Mobile

Presented by Hans Zandbelt from Ping Identity at Nordic APIs in Copenhagen, 21st of May 2013

  1. Copyright ©2012 Ping Identity Corporation. All rights reserved.
     Who's Knocking? Identity for APIs, Web and Mobile
     Hans Zandbelt - @hanszandbelt
     CTO Office - Ping Identity
  2. Overview
     • Cloud & APIs: The Trends – history, state-of-the-art, trends (1)
     • Identity and APIs – what, why, how (2)
     • OAuth 2.0 – Not for Authentication! (3)
     • Recommendations – API strategy (4)
  3. CLOUD & APIS: THE TRENDS (section divider)
  4. Cloud/Mobile Moves: 3 Dimensions of Change
     • Users – Workforce – Customers/consumers – Partners – Social
     • Devices – Mobile/fixed – Browser/app – BYOD/E-owned
     • Location – Services – Users
     (diagram: Users, Location(s), Devices)
  5. Consequences
     Traditional firewall and enterprise domain-based security cannot deal with Cloud Apps and Mobile devices and applications.
     IDENTITY IS THE NEW PERIMETER
     (diagram: FIREWALL)
  6. How it could/should be: Cloud 2.0 (web or mobile)
     (diagram: firewall, APP, APP, database, directory, SaaS, SaaS, SaaS, database)
  7. The API Economy Drivers
     • SaaS – API access to data/services vs. browser access – Cloud, Mobile/Big Data, BYOD – Salesforce.com >60%
     • APIs of PaaS offerings – Expose own cloud services
     • Clear trend for APIs towards REST
  8. IDENTITY & APIS (section divider)
  9. The Internet Scale Identity Concept
     • Identity Provider – Authoritative – Scale – Manageability
     • UNIFORM across Web SSO & API Access
     • Security AND Convenience
     • How to extend enterprise security policies to the cloud: a MUST have
     (diagram: verify)
  10. Web SSO and API Access Playfield
     (diagram: User Provisioning, Web SSO, API Access)
  11. API Access
     • HTTP
     • SOAP – WS-Security/WS-Trust
     • REST – ?
     • TOKEN – Obtain – Use – Validate
     • Passwords??
     (diagram: CLIENT, SERVICE, SOAP / REST, Token)
  12. Password anti-pattern
     • 3rd-party clients store user passwords
     • Teaches users to be indiscriminate with passwords
     • No multi-factor or federated authentication
     • No granularity
     • No differentiation
     • No revocation
  13. Drivers
     (diagram: Lack Of Standards, Password Anti-Pattern, Native Mobile Apps, REST, Cloud APIs)
  14. OAUTH 2.0 (section divider)
  15. OAuth 2.0
     • Secure API authorization – simple & standard – desktop, mobile, web
     • Auth & Authz for RESTful APIs
     • Delegated authorization – mitigates password anti-pattern
     • Issue tokens for granular access – without divulging your credentials
  16. OAuth 2.0 Terminology: Roles
     • Authorization Server (AS): a server capable of issuing tokens, obtaining authorization, and authenticating resource owners.
     • Resource Owner: an entity (usually an end-user/person) capable of granting access to a protected resource.
     • Client: an application(!) obtaining authorization and making protected resource requests (on behalf of the resource owner).
     • Resource Server (RS): the server hosting protected resources.
     (diagram: verify)
  17. Protocol Workflow
     A. Client sends Authorization Request
        "GET /as/authorization.oauth2?client_id=TunesPartner-OT&state=TunesPartner-OT&response_type=code&scope=onetime-a HTTP/1.1" 302 0
     B. Service Provider grants Authorization
        https://www.tunespartner.com:9031/Partner/callback.jsp?state=TunesPartner-OT&code=IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7
     C. Client requests Access Token
        POST https://idp.idtel.com:9031/as/token.oauth2
        ---PARAMETERS---
        client_id: TunesPartner-OT
        grant_type: authorization_code
        code: IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7
     D. Service Provider grants Access Token
        This resulted in the following JSON response containing our OAuth access_token:
        {"token_type":"Bearer","expires_in":300,"access_token":"ivBOdwGpGb3pY3gvPaK6D8W5Ldey"}
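The four steps of slide 17 played out in-process, as an added Python example that is not Ping Identity's or the presentation's code: a stub authorization server issues a one-time code and redeems it once for a bearer token, and the client only exchanges a code whose echoed state matches the one it sent. The client_id, redirect URI, scope and token shape come from the slide's trace; the trace reuses the client_id as its state value, whereas the example uses an unguessable per-request value, which is what the state parameter is for.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "TunesPartner-OT"                                            # from the slide
REDIRECT_URI = "https://www.tunespartner.com:9031/Partner/callback.jsp"  # from the slide


class AuthorizationServer:
    """Minimal AS: hands out one-time codes (step B) and redeems each exactly once (step D)."""

    def __init__(self):
        self._codes = {}                      # code -> client_id it was issued to

    def authorize(self, request_uri):
        """Steps A/B: the resource owner has approved; redirect back with code and echoed state."""
        q = parse_qs(urlparse(request_uri).query)
        if q.get("response_type") != ["code"]:
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(30)
        self._codes[code] = q["client_id"][0]
        return REDIRECT_URI + "?" + urlencode({"state": q["state"][0], "code": code})

    def token(self, form):
        """Steps C/D: swap the code for a bearer token, 300 s lifetime as in the slide's trace."""
        issued_to = self._codes.pop(form.get("code"), None)   # single use: a replayed code fails
        if form.get("grant_type") != "authorization_code" or issued_to != form.get("client_id"):
            return {"error": "invalid_grant"}
        return {"token_type": "Bearer", "expires_in": 300,
                "access_token": secrets.token_urlsafe(24)}


def run_client_flow(as_server, simulate_foreign_callback=False):
    """Client side of steps A-D. Returns the token response, or an error dict."""
    state = secrets.token_urlsafe(16)         # per-request, unguessable, kept in the user's session
    request_uri = "/as/authorization.oauth2?" + urlencode(
        {"client_id": CLIENT_ID, "state": state, "response_type": "code", "scope": "onetime-a"})
    callback = as_server.authorize(request_uri)
    cb = parse_qs(urlparse(callback).query)
    if simulate_foreign_callback:             # a callback this session never initiated
        cb["state"] = ["not-ours"]
    if cb.get("state") != [state]:            # reject codes not tied to our own request
        return {"error": "state_mismatch"}
    return as_server.token({"client_id": CLIENT_ID, "grant_type": "authorization_code",
                            "code": cb["code"][0]})


if __name__ == "__main__":
    print(run_client_flow(AuthorizationServer()))
```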
  18. OAuth 2.0 Benefits
     • Security & Usability – Bearer Tokens
     • Revocation
     • Granularity
     • Use Cases*
     • Passwords vs. OAuth === credit card vs. checks
     (diagram: Scopes)
  19. OAuth 2.0 is Not for Authentication !!
     • Bearer token is about delegated rights, not about the user authn
     • Bearer token has no audience restriction – can't check if it was really meant for you – not bound to the client
     • No guarantee that the user is present – no "authn statement" semantics
     • Redirect is not authenticated or integrity protected in any way – bearer = bearer and nothing more
     (diagram: client, user agent, rs + as; get a token, redirect, validate, user info)
  20. OpenID Connect
     • OAuth: general mechanism to authorize API access
     • OpenID Connect: profile for sharing profile information
     • Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
     • Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
     (diagram: Client (RP), User Agent, AS/OP, Resource Server, UserInfo)
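What slide 19 says a bearer token lacks (an audience, an authentication statement, integrity protection) is what slide 20's identity-based additions supply in the form of the OpenID Connect ID token. As an added Python example, not code from the presentation, here is a minimal issuer and a relying-party validator that performs the checks in that order; HS256 with a shared secret stands in for the OP's signing key, and the issuer URL, key and client ids are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example"                  # constructed OP issuer
OP_KEY = b"constructed-shared-secret"          # stands in for the OP's signing key


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(sub, aud, nonce, now=None):
    """OP side: a signed statement 'sub authenticated at iss, for client aud', valid 300 s."""
    now = int(now or time.time())
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "nonce": nonce, "iat": now, "exp": now + 300}
    signing_input = (_b64url(json.dumps({"alg": "HS256"}).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(OP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, client_id, expected_nonce, now=None):
    """RP side. Returns the claims, or raises ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    h, c, s = parts
    expected = hmac.new(OP_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")      # integrity the plain OAuth redirect never had
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64url(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not meant for this client")   # the audience check a bearer token lacks
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login request
        raise ValueError("nonce mismatch")
    return claims
```

Swapping in a token minted for another client, or replaying one past its lifetime, is rejected by the aud and exp checks rather than silently accepted as proof of login.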
  21. SSO for Mobile Apps: Authorization Agent (AZA)
     • Aggregate OAuth flows and logins
     • Bootstrap through Web SSO with OpenID Connect or SAML
     • OAuth-as-a-Service + SAML-as-a-Service
     (diagram: OAUTH, SSO)
  22. RECOMMENDATIONS (section divider)
  23. Something to think about: Cloud IAM strategy
     • Multi-use case, multi-device, multi-channel, multi-protocol… – Identity is the connector
     • Interoperability and standards
     • IAM is not just an internal technical issue: also a strategic business enabler
     • Architect for agility
  24. Identity for APIs strategy
     • Implement your API for: – externalized authentication and authorization – tokens instead of passwords – consumer identity AND enterprise identity
     • By leveraging identity we can: – address API access (server2server, mobile) in the same way as Web SSO – reuse existing security and identity policies – connect your existing identity store
     • Possibly implement this in a single system(!) – and be prepared for OAuth 2.0, OpenID Connect, SCIM, SAML, …
  25. COME AND SEE US!
     Hans Zandbelt
     Twitter: @hanszandbelt
     www.pingidentity.com
