API Management and Mobile APP enablement

 Francois Lascelles, Chief Architect, Layer 7 Technologies
 Tom Neinhaus, Consultant
Enterprise API Management Drivers

 [Diagram: Enterprise APIs at the centre, surrounded by the parties and channels that
 drive them: mobile workforce (BYOD), subscribers, developers, partners, mobile apps,
 web, SaaS, IaaS/PaaS. API categories shown: mobile APIs, integration APIs,
 public/private APIs.]
API Management Scope

 [Diagram: Developer -> Developer Portal; App -> API Gateway -> API. Portal and gateway
 sit on the API Management Infrastructure.]

 API Management Infrastructure covers:
  - Discovery, documentation
  - Developer onboarding
  - API delivery
  - Performance, scaling
  - Integration
  - Access control
  - SLA enforcement
  - Threat protection
  - Analytics
  - Monetization
API discovery and mobile APP registration



   Developer portal
    - Discover an API
    - Try the API
    - Register as a developer
    - Register an application
    - Get an API key
   Demo
API access control

    You got an API key, now what?
    - An app is sometimes identified at runtime by including its API key in
      a query parameter (that doesn't count as access control)
    - If you use an API key-style shared secret, how is it provisioned
      (confidential vs public client)?
    - Typically, the user of the mobile app is authenticated, not the app
      itself
    - Standard moving forward: OAuth 2.0
    - Multiple grant types possible
    - Opaque bearer tokens are the most common approach
Anatomy of an OAuth handshake (authorization code grant type)

 [Sequence diagram: Subscriber (resource owner), Mobile App (client), OAuth Authorization
 Server with an authorization endpoint and a token endpoint.]
    1. The client sends the subscriber to the authorization endpoint; the subscriber
       authenticates and gives consent; the redirect back to the client carries the
       authorization code (+autz code)
    2. The client calls the token endpoint and gets back the access token (+access token)
       This is a shared secret ...(but an ephemeral one)
OAuth handshake from mobile APP
 DIY
  - Send the user to the OAuth AS by redirecting via a browser (embedded or not)
  - Catch the redirection coming back (tricky part)
    - On iOS, you set a custom URL scheme for your project so that the second redirection
      flows through your app (myapp://something)
  - Call the token endpoint to exchange the code for an access token (depending on grant type)
  - Parse the response, extract the access token
 Libraries
  - Libraries for specific API providers, LROAuth2,
    https://github.com/nxtbgthng/OAuth2Client, ...
    1. Most libraries don't support redirect flows and expect the app to get the secret
       from the user (ropc grant type?)
    2. Some of these support an earlier draft. OAuth 2.0 has been a moving target
    3. Not enough control on scope
DIY - Initiate OAuth handshake sample (iOS)

 Redirect the end user to grant authorization on OAuth provider

// construct URL for sending user to authorization server
// [pluginAPIkeyhere] and [myapp://something] are placeholders for the app's client_id
// and its registered custom-scheme redirect URI; in a real request the redirect_uri
// value must be percent-encoded, and a state parameter bound to this app session
// should be included so the app can tie the redirect it catches to the request it made
NSURL *url = [NSURL URLWithString:@"https://apis.my.org/oauth2/authorization?client_id=[pluginAPIkeyhere]&response_type=code&redirect_uri=[myapp://something]"];
// open browser (Safari or an embedded web view)
[[UIApplication sharedApplication] openURL:url];
// ...
DIY - Complete OAuth handshake sample (iOS)

 Catch browser redirection back to the application
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
    // extract code value from url (myapp://something?code=...&state=...)
    NSString *code = nil;
    for (NSString *pair in [[url query] componentsSeparatedByString:@"&"]) {
        NSArray *kv = [pair componentsSeparatedByString:@"="];
        if ([kv count] == 2 && [[kv objectAtIndex:0] isEqualToString:@"code"]) {
            code = [kv objectAtIndex:1];
        }
    }
    if (code == nil) { return NO; }
    // exchange code for access token at the token endpoint
    // (the original slide posted to the authorization URL; the /oauth2/token path is assumed)
    NSMutableURLRequest *req = [[[NSMutableURLRequest alloc] init] autorelease];
    [req setURL:[NSURL URLWithString:@"https://apis.my.org/oauth2/token"]];
    [req setHTTPMethod:@"POST"];
    [req setValue:@"application/x-www-form-urlencoded" forHTTPHeaderField:@"Content-Type"];
    // a public client also sends its client_id and the redirect_uri it used in step 1
    NSString *postStr = [NSString stringWithFormat:@"grant_type=authorization_code&code=%@&client_id=[pluginAPIkeyhere]&redirect_uri=[myapp://something]", code];
    NSData *postEncoded = [postStr dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];
    [req setHTTPBody:postEncoded];
    NSURLConnection *c = [[NSURLConnection alloc] initWithRequest:req delegate:self];
    // parse json response, isolate access token, etc...
    return YES;
}
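The server side that the two iOS samples above talk to, as an added example that is not from the slides: an in-memory model of the authorization code handshake with the client's steps (build URL, catch redirect, check state, exchange code) and the authorization server's checks (registered redirect_uri, single-use and short-lived code, client and redirect_uri must match). The endpoint URL, client registration and lifetimes are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_S = 60      # the code is a short-lived, single-use secret
TOKEN_LIFETIME_S = 3600   # the access token is the longer-lived, but still ephemeral, one

# Hypothetical authorization endpoint, matching the host used on the slides.
AUTHZ_ENDPOINT = "https://apis.my.org/oauth2/authorization"


@dataclass
class AuthorizationServer:
    """In-memory model of the AS: an authorization endpoint and a token endpoint."""
    clients: dict                                 # client_id -> tuple of registered redirect URIs
    codes: dict = field(default_factory=dict)     # code -> (client_id, redirect_uri, user, expiry)
    tokens: dict = field(default_factory=dict)    # opaque access token -> (client_id, user, expiry)

    def authorize(self, query, user, consent, now=None):
        """Step 1: the resource owner has authenticated and given (or refused) consent.
        Returns the redirect URL that carries the code back into the app."""
        now = time.time() if now is None else now
        q = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
        client_id, redirect_uri, state = q.get("client_id"), q.get("redirect_uri"), q.get("state", "")
        # Only redirect to a URI registered for this client; otherwise the code could be
        # delivered to another app that registered the same custom URL scheme.
        if redirect_uri is None or redirect_uri not in self.clients.get(client_id, ()):
            raise ValueError("invalid_request: unregistered client or redirect_uri")
        if q.get("response_type") != "code":
            return redirect_uri + "?" + urlencode({"error": "unsupported_response_type", "state": state})
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, now + CODE_LIFETIME_S)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form, now=None):
        """Step 2: the token endpoint exchanges the code for an opaque bearer token."""
        now = time.time() if now is None else now
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self.codes.pop(form.get("code"), None)   # pop: a code is redeemable once
        if entry is None:
            raise ValueError("invalid_grant")
        client_id, redirect_uri, user, expiry = entry
        if now > expiry or form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, user, now + TOKEN_LIFETIME_S)
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME_S}


def mobile_app_handshake(auth_server, client_id, redirect_uri, user, consent=True, now=None):
    """The DIY client side from the slides: build the authorization URL, 'catch' the
    redirect back to the app's custom scheme, check state, then exchange the code."""
    state = secrets.token_urlsafe(16)   # ties the redirect we catch to the request we made
    auth_url = AUTHZ_ENDPOINT + "?" + urlencode(
        {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri, "state": state})
    # A browser would open auth_url; here the AS processes the query string directly.
    callback = auth_server.authorize(urlparse(auth_url).query, user=user, consent=consent, now=now)
    params = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if params.get("state") != state:
        raise ValueError("state mismatch: redirect not tied to our request")
    if "code" not in params:
        raise ValueError(params.get("error", "no code in redirect"))
    return auth_server.token({"grant_type": "authorization_code", "code": params["code"],
                              "client_id": client_id, "redirect_uri": redirect_uri}, now=now)


if __name__ == "__main__":
    srv = AuthorizationServer(clients={"app-123": ("myapp://oauth-callback",)})
    print(mobile_app_handshake(srv, "app-123", "myapp://oauth-callback", user="alice"))
```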
Alternative handshakes (grant types)
  Authorization code    (what we saw so far)
  Implicit
   - Like autz code, but simpler
   - No code, just an access token
  Resource owner password credentials
   - Client gets credentials from resource owner
     directly. No redirection
   - Mobile app controls user experience
   - Mobile app must be trusted
  Client credentials
   - Simple, two-way handshake
   - Not for the typical mobile app
  [Diagram: each grant type ends with the authorization server returning +access token]
Why exchange a secret with an OAuth authorization server in the first place?

 A: In order to consume an API

 [Diagram: the OAuth Provider is made up of an OAuth Authorization Server (the handshake)
 and an OAuth Resource Server (the API endpoint). The app consumes the REST API with the
 access token from the handshake; the resource server maps access token -> app, user and
 enforces access control policies.]
DIY - API consumption using access token

 Sample (iOS)

// Syntax is Authorization: Bearer [insert_token_here]
NSString *httpAutzHeaderValue = [NSString stringWithFormat:@"Bearer %@", token];

NSMutableURLRequest *req = [[[NSMutableURLRequest alloc] init] autorelease];
[req setValue:httpAutzHeaderValue forHTTPHeaderField:@"Authorization"];
[req setURL:[NSURL URLWithString:@"https://myapi/resource/foo"]];
NSURLConnection *conn = [[NSURLConnection alloc] initWithRequest:req delegate:self];
//... Read response, etc
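The receiving end of that Bearer header, as an added example that is not from the slides: the gateway / resource server decision that maps an opaque access token to (app, user) and enforces policy, while an api_key query parameter (the "not access control" case from the access control slide) only identifies the app and never grants access by itself. The token table, API keys, scopes and paths are constructed sample data.

```python
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample state held by the API gateway / resource server.
# Opaque access tokens issued by the AS: token -> app, user, granted scopes, expiry.
TOKENS = {
    "tok-Fa9kQ2": {"app": "expenses-ios", "user": "alice", "scope": {"expenses:read"}, "exp": 2_000_000_000},
    "tok-Old17x": {"app": "expenses-ios", "user": "bob", "scope": {"expenses:read"}, "exp": 1_000_000_000},
}
# API keys identify a registered app (analytics, quotas): api_key -> app.
API_KEYS = {"k-7f3a": "expenses-ios"}
# Policy: the scope each resource path requires.
REQUIRED_SCOPE = {"/resource/foo": "expenses:read", "/resource/foo/approve": "expenses:approve"}


def parse_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def authorize_request(url, headers, now=None):
    """Gateway decision for one API call.

    Returns (http_status, identity): identity is {'app', 'user'} on 200, else None.
    """
    now = time.time() if now is None else now
    parsed = urlparse(url)
    # An api_key in the query string only identifies the app; as the slides say, it is
    # not access control, so it never grants access on its own.
    api_key = parse_qs(parsed.query).get("api_key", [None])[0]
    if api_key is not None and api_key not in API_KEYS:
        return 401, None
    token = parse_bearer(headers)
    if token is None:
        return 401, None                 # answer with WWW-Authenticate: Bearer
    entry = TOKENS.get(token)
    if entry is None or now >= entry["exp"]:
        return 401, None                 # unknown, revoked or expired token
    if api_key is not None and API_KEYS[api_key] != entry["app"]:
        return 401, None                 # key and token name different apps
    needed = REQUIRED_SCOPE.get(parsed.path)
    if needed is None:
        return 404, None
    if needed not in entry["scope"]:
        return 403, None                 # authenticated, but the token lacks the scope
    # access token -> app, user: what downstream policy and analytics are keyed on
    return 200, {"app": entry["app"], "user": entry["user"]}


if __name__ == "__main__":
    print(authorize_request("https://myapi/resource/foo", {"Authorization": "Bearer tok-Fa9kQ2"}))
    print(authorize_request("https://myapi/resource/foo?api_key=k-7f3a", {}))
```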
App and device authentication challenge with mobile apps

 Access tokens are potentially associated with 3 levels of identity:
  - App
  - User
  - Device
 How can each identity be verified at handshake time?
  - User: authentication at AS
  - App, Device
    - Keystore for SSL mutual authentication?
    - Shared secret provisioned through private app store?
 Is it enough for app and device to be 'asserted' by the user?
Patterns for token provisioning to APPs
 Each app does its own
  - Each app does its own handshake and manages its own OAuth access token
  - This is facilitated through a library
  - Shared OAuth authorization server address through keychain group
 Shared token
  - Control center app does the handshake, shared token
  - Token shared using Keychain access group (iOS)
  - Disadvantage: no way to distinguish between apps at API provider side
 Native app redirection social-login style
  - Each app leverages a specialized app to facilitate the handshake instead of
    redirecting through mobile browser
  - Specialized app has private key provisioned to
Case study: iOS Keychain for Simplified Sign On




               Copyright 2012, Eli Lilly and Company
Mobile Control Center Concept

 Mobile 'control center' app as an extension to API Management infrastructure
  - PKI provisioning
  - Authorize/revoke devices, apps (built-in API)
  - Control permissions from any device for easy revocation by user
  - Enterprise Notifications
  - Enterprise App Store
 [Screenshot: L7 Control Center]

Enabling the Multi-Device Universe
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

API Management and Mobile App Enablement

  • 1. API Management and Mobile APP enablement
     Francois Lascelles, Chief Architect, Layer 7 Technologies
     Tom Neinhaus, Consultant
  • 2. Enterprise API Management Drivers
     (diagram: mobile workforce (BYOD), developers, subscribers, partners, web and mobile apps, SaaS and IaaS/PaaS all converging on the enterprise's APIs)
     - Mobile APIs
     - Integration APIs
     - Public/private APIs
  • 3. API Management Scope
     (diagram: developer -> developer portal; app -> API gateway -> API; both run on the API management infrastructure)
     - Discovery, documentation
     - Developer onboarding
     - API delivery
     - Performance, scaling
     - Integration
     - Access control
     - SLA enforcement
     - Threat protection
     - Analytics
     - Monetization
  • 4. API discovery and mobile APP registration
     Developer portal:
     - Discover an API
     - Try the API
     - Register as a developer
     - Register an application
     - Get an API key
     Demo
  • 5. API access control
     You got an API key, now what?
     - An app is sometimes identified at runtime by including its API key in a query parameter (that identifies the app, but it doesn't count as access control)
     - If you use an API-key-style shared secret, how is it provisioned (confidential vs. public client)?
     - Typically, the user of the mobile app is authenticated, not the app itself
     - Standard moving forward: OAuth 2.0
     - Multiple grant types possible
     - Opaque bearer tokens are the most common approach
  • 6. Anatomy of an OAuth handshake (authorization code grant type)
     (diagram: subscriber (resource owner), mobile app (client), OAuth authorization server with an authorization endpoint and a token endpoint)
     1. The app sends the subscriber to the authorization endpoint; the subscriber consents and the authorization server redirects back with an authorization code
     2. The app calls the token endpoint with the code and gets an access token
     The access token is a shared secret … (but an ephemeral one)
  • 7. OAuth handshake from mobile APP
     DIY
     - Send the user to the OAuth AS by redirecting through a browser (embedded or not)
     - Catch the redirection coming back (the tricky part)
     - On iOS, you set a custom URL scheme for your project so that the second redirection flows through your app (myapp://something)
     - Call the token endpoint to exchange the code for an access token (depending on grant type)
     - Parse the response, extract the access token
     Libraries
     - Libraries for specific API providers, LROAuth2, https://github.com/nxtbgthng/OAuth2Client, …
       1. Most libraries don't support redirect flows and expect the app to get the secret from the user (ropc grant type?)
       2. Some of these support an earlier draft. OAuth 2.0 has been a moving target
       3. Not enough control over scope
  • 8. DIY - Initiate OAuth handshake sample (iOS)
     Redirect the end user to grant authorization on the OAuth provider:

        // construct the URL for sending the user to the authorization server.
        // client_id is the API key obtained from the developer portal; redirect_uri
        // is the app's custom URL scheme (percent-encode it in a real request).
        // state is a random value the app keeps and compares on the way back, so a
        // redirect the app did not initiate is rejected (added here; the slide omits it)
        NSString *state = [[NSUUID UUID] UUIDString];
        NSString *urlStr = [NSString stringWithFormat:
            @"https://apis.my.org/oauth2/authorization?client_id=[plugin API key here]"
             "&response_type=code&redirect_uri=[myapp://something]&state=%@", state];
        NSURL *url = [NSURL URLWithString:urlStr];
        // open browser
        [[UIApplication sharedApplication] openURL:url];
        // ...
  • 9. DIY - Complete OAuth handshake sample (iOS)
     Catch the browser redirection back to the application:

        - (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
            // extract the code (and state) from the callback URL's query string
            NSMutableDictionary *params = [NSMutableDictionary dictionary];
            for (NSString *pair in [[url query] componentsSeparatedByString:@"&"]) {
                NSArray *kv = [pair componentsSeparatedByString:@"="];
                if ([kv count] == 2) [params setObject:[kv objectAtIndex:1] forKey:[kv objectAtIndex:0]];
            }
            NSString *code = [params objectForKey:@"code"];
            // compare [params objectForKey:@"state"] with the value sent in step 1 and
            // bail out on mismatch (not shown); a missing code means an error redirect
            if (code == nil) return NO;
            // exchange the code for an access token at the token endpoint (slide 6); the
            // original posted to the authorization endpoint. The token path is assumed.
            NSMutableURLRequest *req = [[[NSMutableURLRequest alloc] init] autorelease];
            [req setURL:[NSURL URLWithString:@"https://apis.my.org/oauth2/token"]];
            [req setHTTPMethod:@"POST"];
            [req setValue:@"application/x-www-form-urlencoded" forHTTPHeaderField:@"Content-Type"];
            // a public client has no client secret: it identifies itself by client_id and
            // must repeat the redirect_uri it used in step 1
            NSString *postStr = [NSString stringWithFormat:
                @"grant_type=authorization_code&code=%@&client_id=%@&redirect_uri=%@",
                code, @"[plugin API key here]", @"[myapp://something]"];
            NSData *postEncoded = [postStr dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];
            [req setHTTPBody:postEncoded];
            NSURLConnection *c = [[NSURLConnection alloc] initWithRequest:req delegate:self];
            // parse the JSON response in the delegate, isolate the access token, etc...
            return YES;
        }
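Added example (not from the deck, nor Layer 7 code): the handshake of slides 6 to 9 in Python, with the mobile app and both authorization-server endpoints simulated in one process so it runs offline. The token endpoint path, the redirect URI myapp://oauth/callback, the client_id l7-demo-app and the scope name are assumptions. It goes beyond the slides in two places a public client needs: a random state value checked when the redirect comes back, and PKCE (RFC 7636), since an app with no client secret otherwise cannot prove it is the one that started the handshake.

```python
# Added example: authorization code grant with both sides in one process.
# Not code from the Layer 7 deck; token endpoint path, redirect URI,
# client_id and scope name are assumptions made for the demo.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://apis.my.org/oauth2/authorization"  # host and path from the deck
REDIRECT_URI = "myapp://oauth/callback"                      # custom URL scheme, assumed
CLIENT_ID = "l7-demo-app"                                    # assumed portal registration


def s256(verifier):
    """PKCE S256 challenge (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Registered public clients, one-time authorization codes, opaque bearer tokens."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"redirect_uri": REDIRECT_URI}}
        self.codes = {}   # code -> what the pending handshake is bound to
        self.tokens = {}  # opaque token -> app, user, scope, expiry

    def authorize(self, query, user, consent):
        """Authorization endpoint: returns the redirect URL the browser is sent to."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client_id or redirect_uri mismatch")  # never redirect there
        params = {"state": query.get("state", "")}
        if query.get("response_type") != "code" or query.get("code_challenge_method") != "S256":
            params["error"] = "invalid_request"
        elif not consent:
            params["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(32)
            self.codes[code] = {"client_id": query["client_id"], "user": user,
                                "redirect_uri": query["redirect_uri"], "scope": query.get("scope", ""),
                                "code_challenge": query.get("code_challenge", ""),
                                "expires": time.time() + 60}
            params["code"] = code
        return query["redirect_uri"] + "?" + urlencode(params)

    def token(self, form):
        """Token endpoint: exchanges a one-time code for an opaque bearer token."""
        rec = self.codes.pop(form.get("code", ""), None)  # pop: a replayed code fails
        if (rec is None or rec["expires"] < time.time()
                or form.get("grant_type") != "authorization_code"
                or form.get("client_id") != rec["client_id"]
                or form.get("redirect_uri") != rec["redirect_uri"]
                # PKCE: only the app instance that started the handshake knows the verifier
                or not hmac.compare_digest(s256(form.get("code_verifier", "")), rec["code_challenge"])):
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": rec["client_id"], "user": rec["user"],
                            "scope": rec["scope"], "expires": time.time() + 3600}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"]}


class MobileApp:
    """Public client: no client secret, so state and PKCE bind the two legs together."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier of handshakes this app started

    def start(self, scope="profile"):
        """Step 1 (slide 8): the URL the app hands to the browser."""
        state = secrets.token_urlsafe(16)     # checked on the way back; rejects forged callbacks
        verifier = secrets.token_urlsafe(32)  # never leaves the device
        self.pending[state] = verifier
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
            "scope": scope, "state": state, "code_challenge": s256(verifier),
            "code_challenge_method": "S256"})

    def handle_open_url(self, url, authz):
        """Step 2 (slide 9): catch the myapp:// redirect and finish at the token endpoint."""
        parts = urlparse(url)
        if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
            raise ValueError("not our callback URL")
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise ValueError("state mismatch: callback for a handshake we did not start")
        if "error" in q:
            return {"error": q["error"]}
        # The real app POSTs this form to the token endpoint over TLS; here the AS is in-process.
        return authz.token({"grant_type": "authorization_code", "code": q["code"],
                            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                            "code_verifier": verifier})


def run_handshake(user="alice", consent=True):
    """Drive the whole flow; returns (authorization server, token response, callback URL)."""
    authz, app = AuthorizationServer(), MobileApp()
    query = {k: v[0] for k, v in parse_qs(urlparse(app.start()).query).items()}
    callback_url = authz.authorize(query, user, consent)  # the subscriber consents at the AS
    return authz, app.handle_open_url(callback_url, authz), callback_url


if __name__ == "__main__":
    authz, resp, _ = run_handshake()
    print(resp["token_type"], "token for", authz.tokens[resp["access_token"]]["user"])
```

run_handshake() drives the whole flow. The token endpoint consumes the code with pop(), so a second exchange of the same code returns invalid_grant, and a callback whose state the app never issued is rejected before any token request is made; declined consent comes back through the same redirect as an error, not a token.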
  • 10. Alternative handshakes (grant types)
     - Authorization code (what we saw so far)
     - Implicit
       - Like authorization code, but simpler
       - No code; the redirect carries the access token directly
     - Resource owner password credentials
       - The client gets the credentials from the resource owner and exchanges them for an access token directly; no redirection
       - The mobile app controls the user experience
       - The mobile app must be trusted
     - Client credentials
       - Simple, two-way handshake for an access token
       - Not for the typical mobile app
  • 11. Why exchange a secret with an OAuth authorization server in the first place?
     A: In order to consume an API
     (diagram: the OAuth provider is the OAuth authorization server plus the OAuth resource server; the app consumes the REST API endpoint on the resource server with the access token from the handshake; the resource server maps access token -> app, user and enforces access control policies)
  • 12. DIY - API consumption using access token
     Sample (iOS):

        // Syntax is: Authorization: Bearer [insert_token_here]
        // the bearer token is password-equivalent: send it only over TLS and only in this
        // header (never in the URL, which ends up in logs), and don't persist it in the clear
        NSString *httpAutzHeaderValue = [NSString stringWithFormat:@"Bearer %@", token];
        NSMutableURLRequest *req = [[[NSMutableURLRequest alloc] init] autorelease];
        [req setValue:httpAutzHeaderValue forHTTPHeaderField:@"Authorization"];
        [req setURL:[NSURL URLWithString:@"https://myapi/resource/foo"]];
        NSURLConnection *conn = [[NSURLConnection alloc] initWithRequest:req delegate:self];
        // ... read the response, etc.
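Added example (not code from the deck): the other side of slides 5, 11 and 12, i.e. what the API endpoint, or the gateway in front of it, does with the bearer token the iOS snippet sends. The token table, API keys, policy and sample requests are constructed for the demo; in the deck's architecture the gateway would ask the authorization server that issued the token instead of holding the table itself. It makes the slide 5 point concrete: a request carrying only an api_key is identified but gets 401, and the user is taken from the token, never from a query parameter the caller controls.

```python
# Added example: the resource-server side of slides 5, 11 and 12, i.e. what the
# API endpoint (or gateway in front of it) does with "Authorization: Bearer ...".
# Not code from the deck. Tokens, API keys, policy and requests are constructed.
from urllib.parse import parse_qs, urlparse

NOW = 1_700_000_000  # fixed clock so the constructed sample is deterministic

# Opaque tokens mean nothing on their own; their meaning is this table, which the
# issuing authorization server keeps (token -> app, user, scope, expiry).
TOKENS = {
    "tok-alice-mobile": {"client_id": "l7-demo-app", "user": "alice",
                         "scope": {"profile:read"}, "expires": NOW + 600},
    "tok-bob-stale":    {"client_id": "l7-demo-app", "user": "bob",
                         "scope": {"profile:read"}, "expires": NOW - 1},
}
# API key -> app. Identification only, not authorization (slide 5).
API_KEYS = {"pk_demo_123": "l7-demo-app", "pk_other_456": "other-app"}

# Access-control policy per resource: HTTP methods, scope required, and whether
# the token's subject may only touch their own record.
POLICY = {
    "/resource/profile": {"methods": {"GET"}, "scope": "profile:read", "owner_only": True},
}


def introspect(token):
    """Look the opaque token up; None for unknown, revoked or expired tokens."""
    rec = TOKENS.get(token)
    if rec is None or rec["expires"] <= NOW:
        return None
    return rec


def authorize_request(method, url, headers):
    """Gateway decision for one request. Returns (status, response headers, body)."""
    parts = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    app_from_key = API_KEYS.get(query.get("api_key", ""))  # tells us which app, nothing more

    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        # An API key alone identifies the app; it does not authorize anything.
        # A token in the query string (?access_token=) is refused too: it ends up in logs.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {
            "error": "missing bearer token", "identified_app": app_from_key}
    rec = introspect(credential.strip())
    if rec is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, {"error": "invalid_token"}
    if app_from_key and app_from_key != rec["client_id"]:
        # Slide 11, token -> app: a key from one app presented with another app's token is a lie.
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, {
            "error": "invalid_token", "reason": "api_key and token belong to different apps"}

    policy = POLICY.get(parts.path)
    if policy is None:
        return 404, {}, {"error": "not_found"}
    if method not in policy["methods"]:
        return 405, {"Allow": ", ".join(sorted(policy["methods"]))}, {"error": "method_not_allowed"}
    if policy["scope"] not in rec["scope"]:
        return 403, {"WWW-Authenticate": f'Bearer error="insufficient_scope", scope="{policy["scope"]}"'}, {
            "error": "insufficient_scope"}
    # Slide 11, token -> user: the owner comes from the token, never from a caller-supplied parameter.
    requested_user = query.get("user", rec["user"])
    if policy["owner_only"] and requested_user != rec["user"]:
        return 403, {}, {"error": "forbidden", "reason": "token subject may only read their own record"}
    return 200, {}, {"app": rec["client_id"], "user": rec["user"], "resource": parts.path}


# Constructed requests: what the iOS snippet on slide 12 would send, plus the failure cases.
SAMPLE_REQUESTS = [
    ("GET", "https://myapi/resource/profile?api_key=pk_demo_123", {}),
    ("GET", "https://myapi/resource/profile", {"Authorization": "Bearer tok-alice-mobile"}),
    ("GET", "https://myapi/resource/profile", {"Authorization": "Bearer tok-bob-stale"}),
    ("GET", "https://myapi/resource/profile?user=bob", {"Authorization": "Bearer tok-alice-mobile"}),
    ("DELETE", "https://myapi/resource/profile", {"Authorization": "Bearer tok-alice-mobile"}),
]


def run_samples():
    """Evaluate every constructed request; returns the list of status codes."""
    return [authorize_request(m, u, h)[0] for m, u, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, u, h), status in zip(SAMPLE_REQUESTS, run_samples()):
        print(status, m, u, h.get("Authorization", "(no Authorization header)"))
```

The five constructed requests come back 401, 200, 401, 403 and 405 in that order: key without token, a valid token, an expired token, a valid token trying to read another user's record, and a method the policy does not allow. The 401 responses carry a WWW-Authenticate challenge as RFC 6750 requires, and the body of the first one still names the app the key identified, which is exactly the distinction slide 5 draws.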
  • 13. App and device authentication challenge with mobile apps
     Access tokens are potentially associated with three levels of identity:
     - App
     - User
     - Device
     How can each identity be verified at handshake time?
     - User: authentication at the AS
     - App, device:
       - Keystore for SSL mutual authentication?
       - Shared secret provisioned through a private app store?
     Is it enough for app and device to be 'asserted' by the user?
  • 14. Patterns for token provisioning to APPs
     Each app does its own
     - Each app does its own handshake and manages its own OAuth access token
     - This is facilitated through a library
     - Shared OAuth authorization server address through a keychain group
     Shared token
     - A control center app does the handshake; the token is shared
     - Token shared using a Keychain access group (iOS)
     - Disadvantage: no way to distinguish between apps at the API provider side
     Native app redirection, social-login style
     - Each app leverages a specialized app to facilitate the handshake instead of redirecting through the mobile browser
     - Specialized app has private key provisioned to
  • 15. Case study: iOS Keychain for Simplified Sign On
     Copyright 2012, Eli Lilly and Company
  • 16. Mobile Control Center Concept
     Mobile 'control center' app as an extension to the API Management infrastructure (diagram: L7 Control Center)
     - PKI provisioning
     - Authorize/revoke devices, apps (built-in API)
     - Control permissions from any device for easy revocation by the user
     - Enterprise notifications
     - Enterprise App Store