©2016 Apigee Corp. All Rights Reserved.
Today’s presenters
Dino Chiesa, Apigee, dchiesa@apigee.com
Vinit Mehta, Apigee, vmehta@apigee.com
Slideshare: slideshare.com/apigee
Apigee Community: https://community.apigee.com
YouTube: youtube.com/apigee
What do these companies have in common?
All are supporting OpenID Connect and JWT.
Authentication and authorization are hard.
Many systems do them poorly. (Do YOU provide 2FA?)
JWT and OpenID Connect help solve that problem.
You need to get JWT, now.
JWT, JWE, JWS
JWS, JWE, JWT are all part of JOSE:
“JSON Object Signing and Encryption”
JWT Enables Federated Identity
©2015 Apigee. All Rights Reserved.
[Diagram: an Internal Client Application logs in to the Authentication Server (aka Identity Provider, IdP), which checks the User store and creates a signed JWT. The client then sends the JWT together with its data to the API Proxy, and the JWT and data travel on to Internal Systems. The API Proxy and each internal system validate the JWT with the IdP’s Public Key.]
JWT Integrates with external Identity Providers
[Diagram, steps 1 to 7: a user logs in at the Partner Application’s Authentication Server (aka Identity Provider, IdP), which checks its User store and returns a signed JWT. The application sends the JWT with its data to the API Proxy, which validates the JWT using the partner IdP’s Public Key before passing JWT and data on to Internal or Partner Systems.]
JSON Web Token, Signature, Encryption
• JWS – Signature (IETF RFC 7515, https://tools.ietf.org/html/rfc7515)
  – JSON representation of signed or HMAC’ed content
  – The payload that is signed need not be JSON!
  – The resulting JWS can be verified by receivers
• JWE – Encryption (IETF RFC 7516, https://tools.ietf.org/html/rfc7516)
  – JSON representation of encrypted content
  – The payload that is encrypted need not be JSON
  – The resulting JWE can be decrypted by receivers
• JWT – Token (IETF RFC 7519, https://tools.ietf.org/html/rfc7519)
  – A signed, or optionally encrypted, set of claims
  – Registered claims: issuer, subject, audience, issue time, not-before time, expiration
  – Used as a BEARER token: whoever presents it is accepted, so carry it only over TLS
  – “Self-validating”: a receiver holding the issuer’s key verifies it locally, without calling back to the issuer
  – Receiving parties can make decisions based on the claims and on the signing party, or the encrypting party
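The token format described on this slide, as an added worked example that is not code from the deck or from the Apigee callout repository: an issuer mints a compact JWS carrying the registered claims, and a receiver verifies the signature and then checks iss, aud, exp and nbf. It uses HS256 with a shared secret because Python’s standard library provides HMAC but not RSA; with RS256, as in the federation diagrams above, the receiver would hold only the IdP’s public key and the signing key would never leave the IdP. The issuer URL, audience name, secret and fixed clock are all constructed for the example. The demo at the bottom shows what “self-validating” buys you: a tampered payload, a token signed under another key, a token for another audience, an “alg”: “none” header and a token past its five-minute exp are all rejected locally.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    # JOSE base64url: URL-safe alphabet with the padding stripped (RFC 7515, section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: compact JWS of the claim set, signed with HMAC-SHA256 (HS256)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


class InvalidToken(Exception):
    """Raised for any token the receiver must not act on."""


def verify_jwt(token, key, issuer, audience, now=None):
    """Receiver side: check the signature, then the registered claims; return the claims.

    The expected algorithm is pinned by the receiver rather than read from the
    header, so a token whose header says "none" or some other alg is rejected.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    # constant-time compare: a plain == would leak timing information about the MAC
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("signature does not verify")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer not trusted")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not issued for this audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("token expired (or carries no exp)")
    if now < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    return claims


def outcome(token, key, issuer="https://idp.example", audience="orders-api", now=None):
    """Convenience wrapper: 'ok:<sub>' on success, otherwise 'rejected:<reason>'."""
    try:
        return "ok:" + verify_jwt(token, key, issuer, audience, now)["sub"]
    except InvalidToken as e:
        return "rejected:" + str(e)


# Constructed demo material: a throwaway secret and a fixed clock, not real keys.
DEMO_KEY = b"constructed-demo-secret-not-for-production"
ISSUED_AT = 1_700_000_000
DEMO_CLAIMS = {"iss": "https://idp.example", "sub": "alice", "aud": "orders-api",
               "iat": ISSUED_AT, "nbf": ISSUED_AT, "exp": ISSUED_AT + 300}  # 5-minute lifetime


def demo():
    token = mint_jwt(DEMO_CLAIMS, DEMO_KEY)
    h, p, s = token.split(".")
    tampered = h + "." + _segment(dict(DEMO_CLAIMS, sub="admin")) + "." + s  # old signature, new claims
    unsigned = _segment({"alg": "none", "typ": "JWT"}) + "." + p + "."        # empty signature segment
    return {
        "fresh": outcome(token, DEMO_KEY, now=ISSUED_AT + 10),
        "after_expiry": outcome(token, DEMO_KEY, now=ISSUED_AT + 301),
        "other_audience": outcome(token, DEMO_KEY, audience="billing-api", now=ISSUED_AT + 10),
        "other_issuer_key": outcome(token, b"some-other-key", now=ISSUED_AT + 10),
        "tampered_payload": outcome(tampered, DEMO_KEY, now=ISSUED_AT + 10),
        "alg_none": outcome(unsigned, DEMO_KEY, now=ISSUED_AT + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-18s %s" % (name, result))
```

Running the script prints one line per case. Two design points matter for a gateway: the receiver pins the algorithm instead of honouring whatever the header claims, and the exp check is the only thing that ends a token’s validity, which is why later slides insist on short lifetimes.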
Demo: Azure AD JWT and JWT.io
Apigee Edge includes standard policies for many security tasks:
OAuth 1.0a generation and verification,
OAuth 2 generation and verification,
SAML generation and verification…
Apigee Edge does not yet include standard policies for JWT, JWE, JWS
But … Code + Configure !
What are Java Callouts?
• Embed your Java code as a policy in Apigee Edge
• Implement one interface with one method that takes two parameters
• The callout can read its policy configuration
• It can read and write context variables
• …and it can be attached anywhere in the Edge policy flow
• One of the ways to extend Edge with custom code. Also JavaScript, Python, nodejs.
• RTFM: http://apigee.com/docs/api-services/reference/java-callout-policy
Java Callout for JWT Parse/Verification
https://github.com/apigee/iloveapis2015-jwt-jwe-jws
• Re-usable now in any of your Proxies
• Configure it with XML as any other policy
• Make decisions based on embedded claims
• Can read JWT generated by third parties, such as Google or Windows Azure
Java Callout for JWT Generation
• Re-usable now in any of your Proxies
• Configure it with XML as any other policy
• Generate JWT for use by others
• Can be used by backends or other systems called by clients
• Can be consumed by Edge itself
JWT Code walkthrough & Demo
Some comments
• This JWT policy handles signed, not encrypted, JWT
• RS256 and HS256 are supported
• We have a different policy that produces encrypted JWT (JWE) with an RSA key pair (RS256 names the JWS signing algorithm; JWE key management uses the RSA1_5 or RSA-OAEP identifiers from RFC 7518)
• A JWT cannot be “revoked”: receivers validate it locally without asking the issuer, so it stays valid until its exp. Limit your lifetimes.
• Exercise for the reader: ES256, other algorithms
When to use JWT vs OAuth 2.0 tokens?
• Trick question! OAuth 2.0 does not prescribe a token format; a JWT can be an OAuth 2.0 access token
• Better phrased as: when to use JWT vs opaque OAuth 2.0 tokens?
• Federation
• When you want the client to know everything that is being claimed
• JWT implies minimal impact to client and server apps
• JWT do not work well with revocation: an issued token is accepted until its exp, unless every receiver also consults a revocation list
Java Callout for JWE Generation
https://github.com/apigee/iloveapis2015-jwt-jwe-jws
• Re-usable now in any of your Proxies
• Configure it with XML as any other policy
• Generate JWE for use by others
• Configurable key strength and key derivation
• Can be used by backends or other systems called by clients
• Can be consumed by Edge itself
Java Callout for JWE Decryption
When to use JWS and JWE?
• Trick question! Don’t ever use them!
• No, seriously.
• JWS and JWE imply some change to client apps
• More limited scope of usage than JWT
• There are already ways to sign and encrypt arbitrary data
• My opinion: JWE and JWS are mostly interesting in support of JWT
What did we learn?
[Diagram: Users, Apps, APIs]
• YOU NEED to handle JWT
• You can use JWT, JWS, JWE in Apigee Edge today via custom policies
• No coding needed: the callouts are prebuilt, you configure them in XML
• These policies complement the existing built-in policies in Apigee Edge
https://github.com/apigee/iloveapis2015-jwt-jwe-jws
Questions?
Thank you

 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS

  • 1. ©2016 Apigee Corp. All Rights Reserved.
  • 4. What do these companies have in common?
  • 5. All are supporting OpenID Connect and JWT.
  • 6. Authentication and Authorization is hard. Many systems do it poorly. (Do YOU provide 2FA?) JWT and OpenID Connect will help solve that problem. You need to get JWT, now.
  • 8. JWS, JWE, JWT are all part of JOSE: “JSON Object Signing and Encryption”
  • 9. JWT Enables Federated Identity. ©2015 Apigee. All Rights Reserved. [Diagram: Internal Client Application, Authentication Server (aka Identity Provider, IdP), API Proxy, User store, Internal Systems; labels: Login, Create JWT (Signed), JWT, Data, Public Key, Validate.]
  • 10. JWT Integrates with external Identity Providers. [Diagram, steps 1 to 7: Partner Application’s Authentication Server (aka Identity Provider, IdP), API Proxy, User store, Internal or Partner Systems; labels: Login, JWT (Signed), JWT, Data, Public Key, Validate.]
  • 11. JSON Web Token, Signature, Encryption
    – JWS – Signature. IETF RFC 7515, https://tools.ietf.org/html/rfc7515. JSON representation of Signed or HMAC’ed Content. Payload that is signed need not be JSON! The resulting JWS can be verified by receivers.
    – JWE – Encryption. IETF RFC 7516, https://tools.ietf.org/html/rfc7516. JSON representation of Encrypted content. Payload that is encrypted need not be JSON. Resulting JWE can be decrypted by receivers.
    – JWT – Token. IETF RFC 7519, https://tools.ietf.org/html/rfc7519. Signed, or optionally, Encrypted, set of claims: Issuer, Subject, audience, issue time, not-before time, expiration. Used as a BEARER token. “Self-validating”: receiving parties can make decisions based on the claims and signing party, or encrypting party.
  • 13. Demo: Azure AD JWT and JWT.io
  • 14. Apigee Edge includes standard policies for many security tasks: OAuth 1.0a generation and verification, OAuth 2 generation and verification, SAML generation and verification…
  • 15. Apigee Edge does not yet include standard policies for JWT, JWE, JWS.
  • 16. But … Code + Configure!
  • 17. What are Java Callouts?
    – Embed your Java code as a policy in Apigee Edge
    – One interface, one method, 2 parameters
    – Can read policy configuration
    – Can read and write context variables
    – …anchor anywhere in Edge policy flow
    – One of the ways to extend Edge with custom code. Also JavaScript, Python, nodejs.
    – RTFM: http://apigee.com/docs/api-services/reference/java-callout-policy
  • 18. Java Callout for JWT Parse/Verification (https://github.com/apigee/iloveapis2015-jwt-jwe-jws)
    – Re-usable now in any of your Proxies
    – Configure it with XML as any other policy
    – Make decisions based on embedded claims
    – Can read JWT generated by third parties, such as Google or Windows Azure
  • 19. Java Callout for JWT Generation
    – Re-usable now in any of your Proxies
    – Configure it with XML as any other policy
    – Generate JWT for use by others
    – Can be used by backends or other systems called by clients
    – Can be consumed by Edge itself
  • 21. Some comments
    – This JWT policy handles Signed, not Encrypted JWT
    – RS256 and HS256 are supported
    – We have a different policy that produces Encrypted JWT (JWE) using RS256
    – JWT cannot be “revoked” – so limit your lifetimes
    – Exercise for the reader: ES256, other algorithms
  • 22. When to use JWT vs OAuth 2.0 tokens?
  • 23. When to use JWT vs OAuth 2.0 tokens?
    – Trick Question! JWT are OAuth 2.0 tokens
    – Better phrased as: When to use JWT vs Opaque OAuth 2.0 tokens?
    – Federation
    – When you want the client to know everything that is being claimed
    – JWT implies minimal impact to client and server apps
    – JWT do not work well with revocation
  • 24. Java Callout for JWE Generation (https://github.com/apigee/iloveapis2015-jwt-jwe-jws)
    – Re-usable now in any of your Proxies
    – Configure it with XML as any other policy
    – Generate JWE for use by others
    – Configurable key strength and key derivation
    – Can be used by backends or other systems called by clients
    – Can be consumed by Edge itself
  • 25. Java Callout for JWE Decryption
  • 26. When to use JWS and JWE?
    – Trick Question! Don’t ever use them!
    – No, seriously.
    – JWS and JWE imply some change to client apps
    – More limited scope of usage than JWT
    – There are already ways to sign and encrypt arbitrary data
    – My opinion: JWE and JWS are mostly interesting in support of JWT
  • 27. What did we learn? (APIs, Apps, Users)
    – YOU NEED to handle JWT
    – You can use JWT, JWS, JWE in Apigee Edge today via custom policies
    – No coding needed!
    – These policies complement the existing built-in policies in Apigee Edge
    – https://github.com/apigee/iloveapis2015-jwt-jwe-jws
  • 28. Questions?

Editor's Notes

  1. With that, it is time for introductions. This is Aashima Gupta; I lead the healthcare vertical for Apigee with a focus on API and Analytics. In this role, I work closely with marquee clients including payers, providers and pharmas, helping them with digital health strategy acceleration and also in identifying transformative opportunities (FHIR being one of them). Prior to joining the firm, I was leading the Digital Health Incubations at Kaiser and drove innovation around a multitude of digital channels, including the launch of the Lifestyle integration platform and the first public API for Kaiser.
  2. Vinit will talk to this slide. Move blocks around to fit. Which big vendors are supporting this? Facebook, Azure, Salesforce… (Verify)
  4. JWK – JSON Web Key – RFC 7517; JWA – JSON Web Algorithms – RFC 7518