Copyright ©2012 Ping Identity Corporation. All rights reserved.
OpenID Connect
(and speculations about potential applications, some of which will almost certainly not come to fruition)
Paul Madsen
@paulmadsen
The OAuth 2.0 stack (diagram, built up over three slides)
•  Base: JWT, JWS, JWE
•  Core: OAuth 2.0
•  Built on OAuth 2.0: TVE, Green Button, UMA, OpenID Connect
•  Speculative additions: Native SSO, MIM, IoT
To be clear (chart): Native SSO, MIM and IoT plotted against the axes Speculation and 1/Concreteness.
Connect's Key Identity Extensions
•  UserInfo endpoint
– OAuth protected endpoint that provides identity attributes about the user
– (Think of it as a distributed NSA server)
•  ID Tokens
– Provide information about the authentication status of the user
– (Think of it as a SAML assertion with friends)
The OAuth stack (diagram): JWT, JWS, JWE; OAuth 2.0; TVE, Green Button, UMA, OpenID Connect; Native SSO highlighted.
Native SSO
•  OAuth 2.0 enables native mobile applications to call their corresponding APIs
•  But OAuth 2 presumes each app will individually obtain access tokens (for subsequent use)
•  As the number of native apps grows for a typical user, the usability burden of individually mediating this token retrieval will grow
•  We need a model for 'Native SSO' as we have for web apps
•  Introducing an 'Authorization Agent' (AZA) can do so
AZA Pattern (diagram sequence over slides 11 to 20). Participants: Device (Browser, Native App1 and Native App2, each with its own Client, plus the AZA), AS, RS.
•  AZA Pattern
•  AZA Pattern – AZA Authn
•  AZA Pattern – first application
•  AZA Pattern – second application
Screenshot slide (portal)
• Native app
• SSO for mix of web & native apps
Standardization
•  A number of companies are working to define a standardized framework to address the AZA use case
•  Work will happen in the OpenID Foundation
•  We'll profile/extend Connect to add the necessary AZA pieces
•  For more information
– http://openid.net/wg/napps/
Framework Components (diagram: Device hosting the AZA and an APP; API; AS)
• OpenID Connect profile/extension
• AppInfo API
• Inter app messaging
• Custom URL scheme etc
• Token validation
• Token wrapper
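Added example (not the NAPPS working group's design and not Ping Identity code): a simplified Python model of the AZA pattern from the preceding slides. The AuthorizationServer, ResourceServer and AuthorizationAgent classes, the inter-app message shape and the AppInfo-style registry are assumptions made for illustration. What it shows is the security property the pattern is after: the user authenticates once, at the AZA, and each native app receives its own audience- and scope-bound token that it cannot use at another app's API or widen beyond what the app is registered for.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Token:
    kind: str        # "aza-grant" (held only by the AZA) or "access" (one per app)
    subject: str     # the user the token was issued for
    client_id: str   # the app it was issued to
    audience: str    # the RS (or "as" for the AZA grant) that may accept it
    scope: Set[str]


class AuthorizationServer:
    """Constructed AS: AppInfo-style app registry plus opaque token handles."""

    def __init__(self) -> None:
        self.registry: Dict[str, dict] = {}
        self.tokens: Dict[str, Token] = {}
        self.auth_prompts = 0   # how many times the user had to log in

    def register_app(self, client_id: str, audience: str, scope: List[str], is_aza: bool = False) -> None:
        self.registry[client_id] = {"aud": audience, "scope": set(scope), "aza": is_aza}

    def _issue(self, token: Token) -> str:
        handle = secrets.token_urlsafe(16)
        self.tokens[handle] = token
        return handle

    def authenticate_user(self, username: str, aza_client_id: str) -> str:
        """The only interactive step; only a registered AZA may hold the primary grant."""
        self.auth_prompts += 1
        if not self.registry.get(aza_client_id, {}).get("aza"):
            raise PermissionError("client is not a registered AZA")
        return self._issue(Token("aza-grant", username, aza_client_id, "as", {"aza"}))

    def exchange_for_app_token(self, aza_grant: str, app_client_id: str, scope: List[str]) -> str:
        """Token wrapper step: turn the AZA's grant into an access token bound to one app."""
        grant = self.tokens.get(aza_grant)
        if grant is None or grant.kind != "aza-grant":
            raise PermissionError("invalid AZA grant")
        app = self.registry.get(app_client_id)
        if app is None or app["aza"]:
            raise PermissionError("unknown app")
        requested = set(scope)
        if not requested <= app["scope"]:
            raise PermissionError("scope not permitted for this app")
        return self._issue(Token("access", grant.subject, app_client_id, app["aud"], requested))

    def introspect(self, handle: str) -> Optional[Token]:
        token = self.tokens.get(handle)
        return token if token is not None and token.kind == "access" else None


class ResourceServer:
    """Constructed RS: token validation checks audience and scope, not just validity."""

    def __init__(self, name: str, auth_server: AuthorizationServer) -> None:
        self.name, self.auth_server = name, auth_server

    def call(self, access_token: str, needed_scope: str) -> str:
        token = self.auth_server.introspect(access_token)
        if token is None:
            return "denied: unknown token"
        if token.audience != self.name:
            return "denied: wrong audience"
        if needed_scope not in token.scope:
            return "denied: insufficient scope"
        return f"{self.name}: data for {token.subject}"


class AuthorizationAgent:
    """Constructed AZA: logs the user in once, then brokers per-app tokens on request."""

    def __init__(self, client_id: str, auth_server: AuthorizationServer) -> None:
        self.client_id, self.auth_server = client_id, auth_server
        self.grant: Optional[str] = None
        self.app_tokens: Dict[Tuple[str, Tuple[str, ...]], str] = {}

    def login(self, username: str) -> None:
        self.grant = self.auth_server.authenticate_user(username, self.client_id)

    def handle_app_message(self, message: dict) -> str:
        """Inter-app message (a custom URL scheme on a real device); constructed shape:
        {"client_id": "...", "scope": [...]}. Apps never see the AZA's own grant."""
        if self.grant is None:
            raise PermissionError("AZA is not authenticated")
        key = (message["client_id"], tuple(sorted(message["scope"])))
        if key not in self.app_tokens:
            self.app_tokens[key] = self.auth_server.exchange_for_app_token(
                self.grant, message["client_id"], message["scope"])
        return self.app_tokens[key]


def run_demo() -> dict:
    """Two native apps obtain their own tokens after a single user login."""
    auth = AuthorizationServer()
    auth.register_app("aza", audience="as", scope=["aza"], is_aza=True)
    auth.register_app("app1", audience="rs1", scope=["calendar.read"])
    auth.register_app("app2", audience="rs2", scope=["mail.read"])
    rs1, rs2 = ResourceServer("rs1", auth), ResourceServer("rs2", auth)
    aza = AuthorizationAgent("aza", auth)
    aza.login("alice")
    t1 = aza.handle_app_message({"client_id": "app1", "scope": ["calendar.read"]})
    t2 = aza.handle_app_message({"client_id": "app2", "scope": ["mail.read"]})
    try:
        aza.handle_app_message({"client_id": "app1", "scope": ["mail.read"]})
        escalation_blocked = False
    except PermissionError:
        escalation_blocked = True
    return {"auth_prompts": auth.auth_prompts, "app1": rs1.call(t1, "calendar.read"),
            "app2": rs2.call(t2, "mail.read"), "cross_use": rs2.call(t1, "mail.read"),
            "escalation_blocked": escalation_blocked}
```

Run `run_demo()` to see the outcome: one login prompt, two working app tokens, App1's token refused at App2's API, and a request for a scope App1 is not registered for refused at the AS. The AZA's primary grant is the high-value secret in this model, which is why the slides list token validation and a token wrapper among the framework components.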
The OAuth stack (diagram): JWT, JWS, JWE; OAuth 2.0; TVE, Green Button, UMA, OpenID Connect; MIM? highlighted.
MIM
•  Mobile Information Management is seen (by some) as the logical end game for enterprises wishing to secure their employees' devices (BYOD or otherwise)
•  Whereas MDM applies enterprise policy to the whole DEVICE, and MAM applies policy to the business APPLICATIONS, MIM applies policy only to the business INFORMATION on the device
•  Everything else (Angry Birds, wedding photos, etc.) is left alone, and so MIM is seen as more compatible with BYOD
•  And yes, it feels like DRM …..
OpenID Connect for MIM?
•  Connect provides the id_token & UserInfo API – are they relevant to MIM?
•  MIM is really key management, i.e. ensuring that
–  Biz data is encrypted before delivery to mobile applications
–  Decryption keys are released to those apps only when appropriate
•  We can use a combination of Connect id_token & UserInfo to move those keys around
Whiteboarding ….. (diagram). Participants: AS, RS, PS, Device/App. Steps as labelled:
1) AT
2) request + AT
3) validate (AT)
4) status + k
5) Encrypt data with k
6) enc(data)
7) License? + AT
8) license(k)
9) Use k to decrypt data
AT == access token
k == symmetric key
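Added example (not from the slides): the nine-step whiteboard flow above as a runnable Python simulation. The direction of each step, the reading of PS as a license server, the record names and the toy HMAC-based cipher standing in for a real AEAD are all my assumptions. The property it demonstrates is the one the MIM slide makes: business data reaches the device only as enc(data), and k is released to the app only while its access token is still valid, so withdrawing the token makes the cached data unreadable without wiping the device.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(k: bytes) -> Tuple[bytes, bytes]:
    # Separate keystream and MAC keys derived from the slide's single symmetric key k.
    return (hmac.new(k, b"enc", hashlib.sha256).digest(), hmac.new(k, b"mac", hashlib.sha256).digest())


def toy_encrypt(k: bytes, data: bytes) -> bytes:
    # Toy authenticated encryption from the standard library (HMAC keystream, encrypt-then-MAC).
    # It stands in for a real AEAD such as AES-GCM so the example runs offline.
    k_enc, k_mac = _subkeys(k)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(k_enc, nonce, len(data))))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(k: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _subkeys(k)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


class AuthorizationServer:
    # AS: issues the AT (step 1) and answers validate(AT) with status + k (steps 3 and 4).
    def __init__(self) -> None:
        self.active: Dict[str, str] = {}   # AT -> user
        self.keys: Dict[str, bytes] = {}   # user -> symmetric key k

    def issue_access_token(self, user: str) -> str:
        self.keys.setdefault(user, secrets.token_bytes(32))
        at = secrets.token_urlsafe(16)
        self.active[at] = user
        return at

    def validate(self, at: str) -> Tuple[str, bytes]:
        user = self.active.get(at)
        return ("active", self.keys[user]) if user else ("inactive", b"")

    def revoke(self, at: str) -> None:
        self.active.pop(at, None)


class ResourceServer:
    # RS: hands out business data only as enc(data) (steps 2, 5 and 6).
    def __init__(self, auth: AuthorizationServer, records: Dict[str, bytes]) -> None:
        self.auth, self.records = auth, records

    def fetch(self, at: str, record: str) -> bytes:
        status, k = self.auth.validate(at)
        if status != "active":
            raise PermissionError("access token not active")
        return toy_encrypt(k, self.records[record])


class LicenseServer:
    # "PS" on the slide (role assumed): releases k only while the AT is still active (steps 7 and 8).
    def __init__(self, auth: AuthorizationServer) -> None:
        self.auth = auth

    def license(self, at: str) -> bytes:
        status, k = self.auth.validate(at)
        if status != "active":
            raise PermissionError("license refused: access token not active")
        return k


class MobileApp:
    # Device app: keeps enc(data) and needs a fresh license to read it (step 9).
    def __init__(self, rs: ResourceServer, ps: LicenseServer) -> None:
        self.rs, self.ps, self.blob = rs, ps, b""

    def download(self, at: str, record: str) -> None:
        self.blob = self.rs.fetch(at, record)

    def open(self, at: str) -> bytes:
        return toy_decrypt(self.ps.license(at), self.blob)


def run_demo() -> dict:
    auth = AuthorizationServer()
    rs = ResourceServer(auth, {"q3-forecast": b"constructed sample: Q3 revenue forecast"})
    app = MobileApp(rs, LicenseServer(auth))
    at = auth.issue_access_token("alice")      # 1) AT
    app.download(at, "q3-forecast")            # 2) to 6): request + AT ... enc(data) cached on device
    plaintext = app.open(at)                   # 7) to 9): license(k), then decrypt
    auth.revoke(at)                            # the enterprise withdraws the user's access
    try:
        app.open(at)
        after_revoke = "opened"
    except PermissionError:
        after_revoke = "license refused"
    return {"plaintext": plaintext, "after_revoke": after_revoke}
```

Calling `run_demo()` returns the decrypted record from the first open and "license refused" for the second, because the license server re-validates the access token on every open rather than trusting the copy of enc(data) already on the device.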
The OAuth stack (diagram): JWT, JWS, JWE; OAuth 2.0; TVE, Green Button, UMA, OpenID Connect; IoT?? highlighted.
Identity of Things?
•  Internet of Things proposes that every device (sensor, appliance, machine, etc.) will be connected
•  Every thing will have its own identity, but will often act on behalf of a given user
•  So how
–  Do we reconcile these multiple identities?
–  Do things authenticate to their data sharing endpoints?
–  Do we ensure that the user has the desired level of control over how their things share data?
OpenID Connect?
•  Connect could provide the identity layer for (some of) IoT
–  Things obtain access & id_tokens and use them on API calls
–  User controls issuance of those tokens, and so
•  Tokens can be mapped to user identity
•  User retains control of data sharing
•  Standards like CoAP and MQTT define messaging protocols better optimized for things, but so far have a relatively basic identity model (e.g. passwords over TLS)
•  Can we imagine a CoAP binding for Connect? One that defines how to
–  Carry tokens on CoAP calls
–  Proxy between CoAP & HTTP
Thanks (for putting up with my speculation)

More Related Content

What's hot

Criticality of identity
Criticality of identityCriticality of identity
Criticality of identityNordic APIs
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesTwobo Technologies
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsNordic APIs
 
Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherTwobo Technologies
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSApigee | Google Cloud
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure APITwobo Technologies
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On WSO2
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldNordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldTwobo Technologies
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Hitachi, Ltd. OSS Solution Center.
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Ioan Eugen Stan
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileHitachi, Ltd. OSS Solution Center.
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 

What's hot (20)

Criticality of identity
Criticality of identityCriticality of identity
Criticality of identity
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for Microservices
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashups
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security Stack
 
Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All Together
 
Incorporating OAuth
Incorporating OAuthIncorporating OAuth
Incorporating OAuth
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure API
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldNordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security ProfileAPIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 

Viewers also liked

Việt nam vs thái lan
Việt nam vs thái lanViệt nam vs thái lan
Việt nam vs thái lanĐặng Huy
 
NBTC: Getting Sales Incentive Compensation right
NBTC: Getting Sales Incentive Compensation rightNBTC: Getting Sales Incentive Compensation right
NBTC: Getting Sales Incentive Compensation rightSalubi Raymond
 
Question 4 evaluation
Question 4 evaluationQuestion 4 evaluation
Question 4 evaluationimogenchapman
 
Mission and Programs of the Wexner Heritage Foundation
Mission and Programs of the Wexner Heritage FoundationMission and Programs of the Wexner Heritage Foundation
Mission and Programs of the Wexner Heritage FoundationKathy Levinson
 
Build a Product From Vision To Destiny
Build a Product From Vision To Destiny Build a Product From Vision To Destiny
Build a Product From Vision To Destiny Oana Juncu
 
Change Your Voice in Paltalk
Change Your Voice in PaltalkChange Your Voice in Paltalk
Change Your Voice in Paltalkaudio4fun
 
аудит
аудитаудит
аудитokyykg
 
Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)Nordic APIs
 
The State of Open Data in Denmark (NordicAPIS April 2014)
The State of Open Data in Denmark (NordicAPIS April 2014)The State of Open Data in Denmark (NordicAPIS April 2014)
The State of Open Data in Denmark (NordicAPIS April 2014)Nordic APIs
 
Уюштуруучулук,өндүрүштүк план 5 кадам
Уюштуруучулук,өндүрүштүк план  5 кадамУюштуруучулук,өндүрүштүк план  5 кадам
Уюштуруучулук,өндүрүштүк план 5 кадамokyykg
 

Viewers also liked (15)

Midrise cropped cigarette cut(1)
Midrise cropped cigarette cut(1)Midrise cropped cigarette cut(1)
Midrise cropped cigarette cut(1)
 
Việt nam vs thái lan
Việt nam vs thái lanViệt nam vs thái lan
Việt nam vs thái lan
 
Dslr Mekatronik
Dslr MekatronikDslr Mekatronik
Dslr Mekatronik
 
NBTC: Getting Sales Incentive Compensation right
NBTC: Getting Sales Incentive Compensation rightNBTC: Getting Sales Incentive Compensation right
NBTC: Getting Sales Incentive Compensation right
 
Question 4 evaluation
Question 4 evaluationQuestion 4 evaluation
Question 4 evaluation
 
Mission and Programs of the Wexner Heritage Foundation
Mission and Programs of the Wexner Heritage FoundationMission and Programs of the Wexner Heritage Foundation
Mission and Programs of the Wexner Heritage Foundation
 
Build a Product From Vision To Destiny
Build a Product From Vision To Destiny Build a Product From Vision To Destiny
Build a Product From Vision To Destiny
 
Change Your Voice in Paltalk
Change Your Voice in PaltalkChange Your Voice in Paltalk
Change Your Voice in Paltalk
 
аудит
аудитаудит
аудит
 
Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)Business Impact (Nordic APIS April 2014)
Business Impact (Nordic APIS April 2014)
 
The State of Open Data in Denmark (NordicAPIS April 2014)
The State of Open Data in Denmark (NordicAPIS April 2014)The State of Open Data in Denmark (NordicAPIS April 2014)
The State of Open Data in Denmark (NordicAPIS April 2014)
 
Que Chinooo
Que ChinoooQue Chinooo
Que Chinooo
 
Уюштуруучулук,өндүрүштүк план 5 кадам
Уюштуруучулук,өндүрүштүк план  5 кадамУюштуруучулук,өндүрүштүк план  5 кадам
Уюштуруучулук,өндүрүштүк план 5 кадам
 
Laberinto Q igualdad
Laberinto Q igualdadLaberinto Q igualdad
Laberinto Q igualdad
 
Slide jne
Slide jneSlide jne
Slide jne
 

Similar to OpenID Connect Speculations and Applications

Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileNordic APIs
 
CIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCloudIDSummit
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCloudIDSummit
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Rogue Wave Software
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitBrian Campbell
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart BeatBalwinder Kaur
 
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Amazon Web Services
 
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...Ping Identity
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconferenceDavid Waite
 
FIDO, Federation and the Internet of Things
 FIDO, Federation and the Internet of Things FIDO, Federation and the Internet of Things
FIDO, Federation and the Internet of ThingsFIDO Alliance
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCloudIDSummit
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldPing Identity
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 

Similar to OpenID Connect Speculations and Applications (20)

Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and Mobile
 
CIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity Service
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
 
Webinar hiware
Webinar hiwareWebinar hiware
Webinar hiware
 
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
 
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
 
FIDO, Federation and the Internet of Things
 FIDO, Federation and the Internet of Things FIDO, Federation and the Internet of Things
FIDO, Federation and the Internet of Things
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open Standards
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Connecting The Real World With The Virtual World
Connecting The Real World With The Virtual WorldConnecting The Real World With The Virtual World
Connecting The Real World With The Virtual World
 
2012 ah vegas wlan security fundamentals
2012 ah vegas   wlan security fundamentals2012 ah vegas   wlan security fundamentals
2012 ah vegas wlan security fundamentals
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 

More from Nordic APIs

How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...Nordic APIs
 
The Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at ApitureThe Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at ApitureNordic APIs
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...Nordic APIs
 
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...Nordic APIs
 
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...Nordic APIs
 
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNLAPI Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNLNordic APIs
 
API Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, GraylogAPI Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, GraylogNordic APIs
 

OpenID Connect Speculations and Applications

• 1. Copyright ©2012 Ping Identity Corporation. All rights reserved. OpenID Connect (and speculations about potential applications, some of which will almost certainly not come to fruition). Paul Madsen, @paulmadsen
• 2. The OAuth 2.0 stack (diagram; labels: OAuth 2.0; JWT, JWS, JWE)
• 3. The OAuth 2.0 stack (diagram; labels: OAuth 2.0; TVE; Green Button; UMA; OpenID Connect; JWT, JWS, JWE)
• 4. The OAuth 2.0 stack (diagram; labels: OAuth 2.0; TVE; Green Button; UMA; OpenID Connect; Native SSO; MIM; IoT; JWT, JWS, JWE)
• 5. To be clear (chart; axes: Speculation against 1/Concreteness; points: Native SSO, MIM, IoT)
• 6. (image only)
• 7. (image only)
• 8. Connect's Key Identity Extensions
  •  UserInfo endpoint
    – OAuth-protected endpoint that provides identity attributes about the user
    – (Think of it as a distributed NSA server)
  •  ID Tokens
    – Provide information about the authentication status of the user
    – (Think of it as a SAML assertion with friends)
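Slide 8 describes the ID token as the Connect artifact that tells a relying party who authenticated and how. What makes that usable is the validation the relying party performs before trusting it. The following is an added Go example (my code, not from the deck or from Ping Identity) showing a minimal compact-JWS signer and the checks an RP applies: pinned algorithm, constant-time signature comparison, then issuer, audience (the RP's own client_id), expiry and the nonce bound to the authentication request. Assumptions, all mine: HS256 with a shared key is used instead of the asymmetric signature a real OP would normally apply, `aud` is treated in its single-string form, and the names `SignHS256`, `VerifyIDToken` and `IDTokenClaims` are invented for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims is the subset of ID token claims this example checks. OpenID Connect
// allows "aud" to be an array; this example handles the common single-string form.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce,omitempty"`
}

// JWS uses the unpadded base64url alphabet.
func b64Encode(b []byte) string           { return base64.RawURLEncoding.EncodeToString(b) }
func b64Decode(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// SignHS256 builds a compact JWS (HS256) carrying the claims. Production OPs normally
// sign with an asymmetric alg such as RS256; HS256 keeps this example self-contained.
func SignHS256(claims IDTokenClaims, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64Encode([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64Encode(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64Encode(mac.Sum(nil)), nil
}

// VerifyIDToken does what an RP must do before trusting an ID token: check the
// signature, then issuer, audience (its own client_id), expiry and the nonce it
// sent in the authentication request.
func VerifyIDToken(token string, key []byte, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	headerJSON, err := b64Decode(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	// Pin the algorithm the RP expects; never let the token's "alg" choose the verifier.
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64Decode(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return nil, errors.New("bad signature")
	}
	payload, err := b64Decode(parts[1])
	if err != nil {
		return nil, err
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer mismatch: %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("audience mismatch: %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case nonce != "" && c.Nonce != nonce:
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}
```

Usage: sign a token with `SignHS256` for audience `client-1`, then call `VerifyIDToken` with the same issuer and client id and the nonce from the request; presenting that same token to a verifier configured as `client-2`, with a different key, after `exp`, or with another nonce fails. The audience check is the one that stops an ID token minted for one client from being replayed to another, which is why it is checked even when the signature is good.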
• 9. The OAuth stack (diagram; labels: OAuth 2.0; TVE; Green Button; UMA; OpenID Connect; Native SSO; JWT, JWS, JWE)
• 10. Native SSO
  •  OAuth 2.0 enables native mobile applications to call their corresponding APIs
  •  But OAuth 2 presumes each app will individually obtain access tokens (for subsequent use)
  •  As the number of native apps grows for a typical user, the usability burden of individually mediating this token retrieval will grow
  •  We need a model for 'Native SSO' as we have for web apps
  •  Introducing an 'Authorization Agent' (AZA) can do so
• 11. AZA Pattern (diagram; labels: Device with Browser, Native App1, Native App2; App1 and App2, each with its own Client, AS and RS)
• 12. AZA Pattern (diagram; same labels as slide 11 plus an AZA on the Device)
• 13. AZA Pattern (diagram; same labels as slide 12 but with a single AS)
• 14. AZA Pattern – AZA Authn (diagram; labels as on slide 13)
• 15. AZA Pattern – first application (diagram; labels as on slide 13)
• 16. AZA Pattern – first application (diagram; labels as on slide 13)
• 17. AZA Pattern – first application (diagram; labels as on slide 13)
• 18. AZA Pattern – second application (diagram; labels as on slide 13)
• 19. AZA Pattern – second application (diagram; labels as on slide 13)
• 20. AZA Pattern – second application (diagram; labels as on slide 13)
• 21. (untitled)
  •  portal
  •  Native app
  •  SSO for mix of web & native apps
• 22. Standardization
  •  A number of companies are working to define a standardized framework to address the AZA use case
  •  Work will happen in the OpenID Foundation
  •  We'll profile/extend Connect to add the necessary AZA pieces
  •  For more information: http://openid.net/wg/napps/
• 23. Framework Components (diagram; labels: AZA, App, API, AS, Device)
  •  OpenID Connect profile/extension
  •  AppInfo API
  •  Inter-app messaging
  •  Custom URL scheme etc.
  •  Token validation
  •  Token wrapper
• 24. The OAuth stack (diagram; labels: OAuth 2.0; TVE; Green Button; UMA; OpenID Connect; MIM?; JWT, JWS, JWE)
• 25. MIM
  •  Mobile Information Management is seen (by some) as the logical end game for enterprises wishing to secure their employees' devices (BYOD or otherwise)
  •  Whereas MDM applies enterprise policy to the whole DEVICE, and MAM applies policy to the business APPLICATIONs, MIM applies policy only to the business INFORMATION on the device
  •  Everything else (Angry Birds, wedding photos, etc.) is left alone, so MIM is seen as more compatible with BYOD
  •  And yes, it feels like DRM…
• 26. OpenID Connect for MIM?
  •  Connect provides the id_token & UserInfo API; are they relevant to MIM?
  •  MIM is really key management, i.e. ensuring that
    – Business data is encrypted before delivery to mobile applications
    – Decryption keys are released to those apps only when appropriate
  •  We can use a combination of Connect id_token & UserInfo to move those keys around
• 27. Whiteboarding… (diagram; parties: AS, RS, PS, Device App; AT == access token, k == symmetric key)
  1) AT
  2) request + AT
  3) validate (AT)
  4) status + k
  5) Encrypt data with k
  6) enc(data)
  7) License? + AT
  8) license(k)
  9) Use k to decrypt data
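Slides 26 and 27 reduce MIM to key management: the resource server encrypts business data with a key k it obtains when it validates the access token, and the app only gets k through a separate license step. Below is an added Go example of that whiteboard flow (my code, not from the deck or from Ping Identity) with the AS, RS and the box labelled PS as separate functions, so that the data leaving the RS is opaque until the PS agrees to release k. Assumptions, all mine: the box the whiteboard labels PS is treated as a license server; the ATs are opaque random strings looked up at the AS rather than JWTs; k is an AES-256-GCM key generated per token; and the device-compliance check in `PSLicense` is an invented policy standing in for "only when appropriate". All function and type names (`AuthServer`, `RSFetch`, `PSLicense`, `AppDecrypt`) are invented for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// tokenRecord is what the AS keeps per access token (AT): subject, expiry and the key k.
type tokenRecord struct {
	subject string
	expires time.Time
	k       []byte // AES-256-GCM key protecting this user's business data
}

// AuthServer issues ATs (step 1) and answers validate(AT) with status + k (steps 3-4).
type AuthServer map[string]tokenRecord

// Issue mints an opaque AT and a fresh k for the subject.
func (as AuthServer) Issue(subject string, ttl time.Duration) (string, error) {
	buf := make([]byte, 48) // 16 bytes of token id followed by a 32-byte key
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	at := fmt.Sprintf("%x", buf[:16])
	as[at] = tokenRecord{subject: subject, expires: time.Now().Add(ttl), k: buf[16:]}
	return at, nil
}

// Validate returns the record (and so k) only for a known, unexpired AT.
func (as AuthServer) Validate(at string) (tokenRecord, error) {
	rec, ok := as[at]
	if !ok || time.Now().After(rec.expires) {
		return tokenRecord{}, errors.New("token inactive")
	}
	return rec, nil
}

// RSFetch is the resource server: request + AT (step 2), validate with the AS (3-4),
// encrypt the subject's data with k (5), return enc(data) (6). The RS never hands out k.
func RSFetch(as AuthServer, data map[string][]byte, at string) ([]byte, error) {
	rec, err := as.Validate(at)
	if err != nil {
		return nil, err
	}
	return seal(rec.k, data[rec.subject])
}

// PSLicense stands in for the box the whiteboard labels PS: "License? + AT" (step 7)
// answered with license(k) (step 8). The device-compliance map is an assumed policy,
// added to show k being withheld when its release is not appropriate.
func PSLicense(as AuthServer, compliant map[string]bool, at, deviceID string) ([]byte, error) {
	rec, err := as.Validate(at)
	if err != nil {
		return nil, err
	}
	if !compliant[deviceID] {
		return nil, errors.New("device not compliant: key withheld")
	}
	return rec.k, nil
}

func aead(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the ciphertext.
func seal(k, plain []byte) ([]byte, error) {
	gcm, err := aead(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// AppDecrypt is step 9 on the device: the app uses the licensed k to open enc(data).
func AppDecrypt(k, sealed []byte) ([]byte, error) {
	gcm, err := aead(k)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```

Usage follows the numbered steps on the slide: `as.Issue` gives the app its AT; `RSFetch(as, data, at)` returns the encrypted blob; `PSLicense(as, compliant, at, deviceID)` returns k only if the AT is still active at the AS and the device passes policy; `AppDecrypt(k, blob)` recovers the data. The design point is that the AS is the single place k is minted and the only party both the RS and the PS consult, so expiring or dropping the AT there stops both new ciphertext and new licenses, and an app on a non-compliant device is left holding a blob it cannot read.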
• 28. The OAuth stack (diagram; labels: OAuth 2.0; TVE; Green Button; UMA; OpenID Connect; IoT??; JWT, JWS, JWE)
• 29. Identity of Things?
  •  Internet of Things proposes that every device (sensor, appliance, machine etc.) will be connected
  •  Every thing will have its own identity, but will often act on behalf of a given user
  •  So how
    – Do we reconcile these multiple identities?
    – Do things authenticate to their data sharing endpoints?
    – Do we ensure that the user has the desired level of control over how their things share data?
• 30. OpenID Connect?
  •  Connect could provide an identity layer for (some of) IoT
    – Things obtain access & id_tokens and use them on API calls
    – User controls issuance of those tokens, and so
      •  Tokens can be mapped to user identity
      •  User retains control of data sharing
  •  Standards like CoAP and MQTT define messaging protocols more optimized for things but so far have a relatively basic identity model (e.g. passwords over TLS)
  •  Can we imagine a CoAP binding for Connect? One that defines how to
    – Carry tokens on CoAP calls
    – Proxy between CoAP & HTTP
• 31. Thanks (for putting up with my speculation)