Launching a Successful & Secure API
Effectively launching secure, RESTful APIs using the “neo-security stack”
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda
• The challenge in context
• Examples of innovative opportunities
• Neo-security stack
• OAuth Basics
• Overview of other layers
• Using the stack
Disruptive Trends
(Diagram: Cloud Computing, Social Networks, Mobile, Big Data)
Progression to This Point
Web apps have evolved from CGI to the cloud to APIs.
(Timeline: HTTP, HTML, CGI → COM & CORBA → SOAP & SOA → Web 2.0 & REST → The Cloud → Web APIs)
Example: Pearson
• Launched API to allow innovative uses of existing content
• Turned sunk costs into new revenue stream
• Started w/ one API and deployed others in time
• Built community not just code
(Photo: sawdust / sågspån, © 2008 Maja Dumat; © 2013 Pearson plc)
Example: Salesforce.com
• Providing Platform as a Service (PaaS)
• Almost 200,000 customer & partner apps
• Apps span industries and business functions
• Attract new customers w/ lower costs and increased performance
• 60% of all traffic is to API; only 40% to site
(Logo © 2000-2013 salesforce.com, Inc.)
Example: AT&T
• The network is the platform
• Examples of their APIs
  • SMS, MMS, location, speech
  • TV, healthcare, notary, advertising
• Sponsor hackathons, events, blogs
• Business benefits
  • Revenue ▪ Business agility
  • Time to market ▪ New customer value
  • Innovation ▪ Efficiency
“[The API program] is an architectural choice one makes for speed.” — John Donovan, SEVP, AT&T
Example: Twilio
• Twilio lets you use web languages to build voice, VoIP & SMS applications via a web API
• Raised $70M series D in June
• Example that shows the potential
Example: Cloud Brokerage
(Diagram: a Cloud Service Aggregation Platform sits between Cloud Services, MNO’s Cloud Services and Legacy Services; platform functions: Support, Tenant / User Provisioning, Web SSO, Billing, Cloud Desktop / App Store / User Portal, Admin Portal)
Identity is Central
(Diagram: Identity at the center of Social Networks, Cloud Computing, Mobile and Big Data)
The Neo-security Stack
(Diagram: four layers and their roles: SAML / OpenID Connect for federation, SCIM for provisioning, JSON Identity Suite for identity, OAuth for authorization)
SAML
• SAML: proven technology for identity federation and Web SSO
• Profiles, bindings, protocols, assertions & metadata
• V. 2.1 in the works
(Diagram: Service Provider (SP) and Identity Provider (IdP))
OpenID Connect
• New federation protocol that builds on OAuth 2
• Adds identity inputs/outputs to OAuth messages
• Related to prior OpenID versions in name only
• Compact messages for mobile scenarios
• RP / client can determine info about end user
• Tokens are JWTs
• UserInfo endpoint to get user data
(Image caption: Grandpa SAML & junior)
• Defines RESTful API to manage users & groups
• Specifies core user & group schemas
• Supports bulk updates for ingest
• Binding for SAML and eventually OpenID Connect
OAuth
• OAuth 2 is the new protocol of protocols
  • Composed in useful ways
  • Like WS-Trust of old
• Addresses old requirements and solves new ones
  • Delegated access
  • No password sharing
  • Revocation of access
OAuth Actors
• Client
• Authorization Server (AS)
• Resource Server (RS) (i.e., API)
• Resource Owner (RO)
(Diagram: the Client gets a token from the AS, then uses the token at the RS)
Scopes
• Like permissions
• Scopes specify extent of tokens’ usefulness
• Listed on consent UI (if shown)
• Issued tokens may have narrower scope than requested
• No standardized scopes
Kinds of Tokens
• Access Tokens: like a session; used to secure API calls
• Refresh Tokens: like a password; used to get new access tokens
Passing Tokens
• By Value: user attributes are in the token
• By Reference: user attributes are referenced by an identifier (e.g., 123XYZ)
Profiles of Tokens
• Bearer: bearer tokens are like cash
• Holder of Key: HoK tokens are like credit cards
Types of Tokens
• WS-Security
• SAML
• JWT
• Custom
  • Home-grown
  • Oracle Access Manager
  • SiteMinder
  • Etc.
JSON Identity Protocol Suite
• Suite of JSON-based identity protocols
  • Tokens (JWT) ▪ Encryption (JWE)
  • Keys (JWK) ▪ Signatures (JWS)
  • Algorithms (JWA)
• Bearer Token spec explains how to use w/ OAuth
• Being defined in IETF
JWT Tokens
• Pronounced like the English word “jot”
• Lightweight tokens passed in HTTP headers & query strings
• Akin to SAML tokens
  • Less expressive
  • Fewer security options
  • More compact
  • Encoded w/ JSON not XML
OAuth Web Server Flow
Usage of OAuth
• Not for authentication
• Not really for authorization
• For delegation
Stealing Bearer Tokens
OpenID Example
(Sequence diagram between Browser, RP / Client and OAuth AS / OpenID Provider:)
1. RP / Client requests login, providing “openid” scope & user info scopes
2. Access code is returned via the Browser
3. RP / Client calls the AS to get an access token
4. AS returns access token & ID token
5. RP / Client checks audience restriction of ID token
6. RP / Client gets user info using the access token
7. User info is returned
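The “check audience restriction of ID token” step in this flow, together with the scope rules from the Scopes slide, as an added Python example that is not part of the deck: an RP/RS verifies a JWT's signature, issuer, audience, expiry and required scope before trusting it. It assumes HS256 with a constructed shared secret (`DEMO_SECRET`); `mint_jwt`, `validate_jwt` and `rejection_reason` are hypothetical helper names, and every issuer/audience value is constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by the AS and the RS (assumption; not a real key).
DEMO_SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT (JWS compact serialization), as the AS / OpenID Provider would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_jwt(token, issuer, audience, required_scope, secret=DEMO_SECRET, now=None):
    """Return the claims if acceptable to this RP/RS, else raise ValueError (signature first)."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # ValueError on a malformed token
    # Pin the expected algorithm; never let the token's own header choose it.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    # The audience restriction: a token minted for another RP/RS must be rejected.
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience restriction failed")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    # Scope check: the token may carry narrower scope than the client requested.
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims

def rejection_reason(token, issuer, audience, required_scope, now=None):
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_jwt(token, issuer, audience, required_scope, now=now)
        return None
    except ValueError as e:
        return str(e)
```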
Authentication & Federation
• How you authenticate to AS is undefined
• Use SAML or OpenID Connect for SSO to AS
• Relay OAuth token in SAML messages
SCIM + OAuth
• Use OAuth to secure SCIM API calls
• Use SCIM to create accounts needed to access APIs secured using OAuth
SCIM + SAML/OIDC
• Carry SCIM attributes in SAML assertions (bindings for SCIM)
  • Enables JIT provisioning
  • Supplements SCIM API & schema
• Provisioning accounts using SCIM API to be updated before/after logon
User Managed Access
• Also extends OAuth 2
• Allows users to centrally control distribution of their identity data
• Used with Personal Data Stores (PDS) to create “identity data lockers”
Neo-security Stack for Brokerage
(Diagram: an Identity Hub linked to Telco etc. via SAML/SCIM)
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
travisspencer.com