Kellton Tech Solutions, Inc. specializes in integrating API security using the OAuth2 framework and has a diverse portfolio of technology services, including digital transformation and enterprise solutions. The company has expanded significantly through acquisitions and partnerships, achieving a $100 million run rate and working with over 600 clients. They emphasize innovation and operational excellence, aiming to provide secure, scalable, and customer-centric solutions across various industries.

1. Kellton Tech Solutions, Inc.
Presented By:
Siva Subrahmanyam
Sr. Integration Consultant
API Security : Using OAuth2 Framework

2. Our Values:
• Incorporated
• New management takes over led by Niranjan Chintam and Krishna Chintam
• $ 10 MN
• Acquired and merged Tekriti Software Private Limited, a software services
company focusing on web/open source
• Acquired SKAN DbyDx Software Private Limited, a mobility solutions company
• $ 40 MN
• Acquired Supremesoft Global Inc., and eVantage Solutions Inc., US based IT
consulting companies
• Acquired Vivos Professional Services LLC, a USA based focusing on life-
sciences & healthcare space
• 21st in Deloitte Technology fast 50 India 2014
• Selected among the ’20 Most Promising Travel & Hospitality Solution
Providers’ and ‘Top 20 Enterprise Mobility Companies in India by CIO Review
• $ 100 MN Run Rate.
• Acquired ProSoft Technology Group Inc., a US based ERP, EAI Solutions
company.
• KLGAME was nominated in the finals of HYSEA Annual Summit and Awards
2015.
• Acquired Bokanyi Group, leading US based cloud and analytics service
provider.
Our Mission:
Our Vision:
Offering infinite possibilities with technology
To be “the trusted partner” of our clients
Innovation
Ownership
Trust
Speed
Meritocracy
Accountability
Customer Centricity
Milestones:
FY 1993
FY 2009
FY 2013
FY 2015
FY 2017
About Kellton Tech
Infinite Possibilities with Technology

3. Thought Leaders in Technology Adoption:
As an early entrant in IoT and SMAC, we provide innovative
transformation solutions to the clients leveraging cloud ERP solutions,
digital business platforms, and digital systems integration
Focused on Design Thinking:
We understand the importance of digital customer experience and
operational excellence and explore infinite possibilities with the
technology to deliver desired business outcomes.
Disciplined and Experienced Team:
We hire the best talent, leverage the best practices from design,
development and implementation of systems of record, differentiation,
engagement and insight.
We Are: We Do:
Digital Transformation BU
Digital Connected Enterprise BU
Enterprise Solutions (SAP) BU
Systems of Engagement
New apps built leveraging design thinking that
provide next competitive advantage now and in the
future.
Systems of Differentiation
Business Processes and Orchestration layers that
provide competitive advantage.
Systems of Record
Standardized functions and processes across the
organisation that provide predictability, consistency
and optimization.
KLGAMETM
Who we are

4. Millions:
Software we have developed is being used by millions of people worldwide.
600:
We have partnered with more than 600 innovative clients (39 Fortune 1000) in
Healthcare, Retail, Insurance, Media, Software and Technology industries.
2 Million:
We perform more than 2 Million hours of engineering work for our clients
every year.
1100+ People:
Headquartered in Princeton, NJ we have global delivery centers across US, UK, and
India
Our Numbers

5. Partial Customers by Industry
OthersFinancials
Services
Energy
Utilities
ManufacturingRetail

6. Digital Transformation and Enterprise Architecture Strategy – Advisory Services
API / SOA / ESB Core Application Integration – API/SOA Strategy, Governance and COE
BPM Solutions with Business Workflows, Rules, Analytics and Dashboards
Distributed In-Memory Data Solutions for High Throughput and Low Latency
Applications
Real-time and Streaming Analytics Solutions in IoT and Big Data Applications
SaaS Integration, Cloud Enablement and Hybrid Infrastructure Services
Infrastructure Modernization, Continuous Integration / Dev-Ops Services and AMS
Core Services Portfolio

7. Technology Partnerships

8. Core Technology Expertise
Anypoint
Platform

9. Industry Solutions and Domain Expertise
 Banking and Finance
 Treasury Services – Payment and Forex
Gateways
 SWIFT Integration
 Business Process modeling and Optimization in
o Loan Origination
o Account Opening
o Risk and Regulatory
 Transportation and Logistics
 Fleet Management and Real-time On-Board
Application services
 B2B and Vendor Managed Inventory Solutions
 Retail and Manufacturing
 ERP Integration
 Omni Channel Services Architecture
 PoS and eCommerce Integration
 Energy and Utilities
 Energy Trading and Power Scheduling
 RTO Integration and Market Participation
 Smart Grid Integration and enablement

10.  API - Introduction
• API, API Strategy, API Economy etc.
 API Security Fundamentals.
• HTTP Basic Authentication
• Digest access Authentication, etc.
• Token based Authentication
 OAuth2.0 Framework – Deep Dive
 OAuth1.0a versus Oauth2.0 – Differences.
 OAuth2.0 Framework - Pros and Cons.
 Software AG webMethods – OAuth2.0 Demo
 Q & A
 Upcoming Webinars
Today’s Agenda

11. API - Introduction

12. API Security
Versioning
Status Codes
JSON
Authentication
&
Authorization
Paginate
Rate Limiting
Caching
Documentation

13. API Security Fundamentals
HTTP Security Mechanisms:
Basic Authentication:
Client: basic-credentials = "Basic" SP basic-cookie basic-cookie = base64encode(username+":"+password)
Cons:
• Attacker can obtain user's plain text password
• The username and password are sent with every request
• The server must know user's password in plain text
• If intercepted, requests can be reproduced on the future
• Vulnerable to Man-in-the-middle Attacks.

14. API Security Fundamentals, Contd...
Digestive Authentication:
The client sends a hashed form of the password to the server. Although, the password cannot be captured over HTTP, it
may be possible to replay requests using the hashed password.
HA1=MD5(username:realm:password)
HA2=MD5(method:digestURI)
response=MD5(HA1:nonce:HA2)
Cons:
• Vulnerable to Man-In-The-Middle attacks in
some cases.
• Many of the security options are optional,
which makes it less secure.
• Difficult to design and implement.
• Limitations when working with certain
cryptic modules such as FIPS.

15. API Security Fundamentals, Contd...
Token Based Authentication:
What is a
• Token
• Bearer Token
• Holder-Of-Key Token (HOK)
Using a bearer token does not require a bearer to
prove possession of cryptographic key material
(proof-of-possession), whereas, HOK does.
Advantages:
• Extra security
• Stateless and scalable servers
• Pass authentication to other applications (Delegated Access)
• Fine-grained access control (Scopes)
• Expiry & Revoke Access

16. OAuth2.0 Framework – Deep Dive
OAuth Stands for Open Authorization (Token based
authorization scheme)
Facilitates Delegated Authorization.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either
on behalf of a resource owner by orchestrating an approval
interaction between the resource owner and the HTTP
service, or by allowing the third-party application to obtain
access on its own behalf.

17. OAuth2.0 Framework – Deep Dive, Contd…
OAuth Roles:
Resource Owner: An entity capable of granting access to a
protected resource. When the resource owner is a person, it
is referred to as an end-user.
Resource Server: The server hosting the protected
resources, capable of accepting and responding to protected
resource requests using access tokens.
Client: An application making protected resource requests on
behalf of the resource owner and with its authorization.
Authorization Server: The server issuing access tokens to
the client after successfully authenticating the resource
owner and obtaining authorization.

18. OAuth2.0 Framework – Deep Dive, Contd…
User / Resource Owner Browser / Client App Resource Server
Auth Server
1. User uses his app
2. Client Requests Authorization for User
2. Authorization request redirected to Resource Owner by Authorization Server
3. Resource Owner Grants Authorization by logging into Server & And Approving Authorization Request.
4. Authorization Server sends Authorization Code
5. Client passes Auth Code and Requests for Access token
6. Authorization Server sends Access Token & Refresh token
7. Client passes Access token and invokes Rest API
OAuth2.0Workflow
8. Protected Data / resource is sent by Resource Server API

19. OAuth2.0 Framework – Deep Dive, Contd…
User / Resource Owner Browser / Client App Resource Server
Auth Server
5. Client passes Expired Access token
6. Resource Server sends Invalid Token Error
7. Client passes Refresh token to Authorization Server
OAuth2.0Workflow
RefreshingAccessToken
8. Resource Server sends New Access Token & Optional Refresh token
9. Client passes Access token and invokes Rest API
10. Protected Data / resource is sent by Resource Server API

20. OAuth2.0 Grant Types
OAuth2.0 Framework provides different options by various Grant Types such as,
• Authorization code grant
o Used for Confidential Clients such as server based clients.
• Implicit Grant
o Used for Public Clients such as browser based clients.
• Resource owner credentials grant
o Used when Client has access to User’s credentials.
• Client credentials grant.
o Used when the registered client wants to obtain token for itself.
• Refresh token grant.
o Used to refresh expired access tokens, by passing refresh tokens.

21. OAuth1.0a versus OAuth2.0 Differences
S.No. OAuth1.0a OAuth2.0
1 Doesn’t need HTTPS Communication. Demands HTTPS Communication
2 Requires Digital Signatures to sign OAuth
request messages
Doesn’t need Digital Signatures and relies on
SSL/TLS.
3 Client app signs all OAuth requests to Auth
Server with its unique “consumer secret.”
Client application includes “client secret” with
every request.
2 More Secure because of the Digital
signatures for OAuth Communication as
well.
Relatively Less Secure than OAuth1.0a, as they
are centered around bearer tokens.
3 Less Flexible & More Complex to Design and
Develop.
Easier for 3rd Party Developers to Implement.
5 OAuth 1.0 only handled web browser based
implementations.
OAuth 2.0 considers non-web clients as well.

22. OAuth2.0 Framework - Pros and Cons
OAuth2.0 Advantages:
1. Various roles defined in this framework allows better separation of duties. Eg: Handling resource requests
and handling user authorization can be decoupled in OAuth 2.0.
2. Provided for greater flexibility and options by various Grant Types.
3. It lets users choose the actions the calling application can access. This serves as a limit to what third parties
can do with user information.
4. Concept of Refresh tokens was introduced.
5. Easy for 3rd party clients to develop and design.
6. Supports non-browser Implementations, and hence more widely used by all major companies.
OAuth2.0 Disadvantages:
1. Bearer tokens Centric., makes it relatively less secure than OAuth1.0
2. Not backward compatible with OAuth1.0

23. Demo
 Walk through of the
o OAuth2.0 Configuration in SoftwareAG webMethods Integration Server.
o OAuth2.0 Authorization work flow using Browser & SOAP UI Clients.
o OAuth2.0 Implementation – Server Client & Resource Server Code.
Kellton Tech Solutions Inc.
3 Independence Way, Princeton, NJ 08540

24. Demo
OAuth Support in Software AG webMethods:
Built-in Services:
1. pub.oauth:authorize  Initiates an authorization request from a client application to
the authorization server.
2. pub.oauth:getAccessToken  Requests an access token from the authorization server.
3. pub.oauth:refreshAccessToken  Requests a fresh token from the authorization server.
4. pub.client.oauth:executeRequest  To access protected resources on a resource server using an existing Open
Authentication (OAuth) access token
Kellton Tech Solutions Inc.
3 Independence Way, Princeton, NJ 08540

25. Kellton Tech Solutions Inc.
3 Independence Way, Princeton, NJ 08540

26. Upcoming Webinars
Kellton Tech Solutions Inc.
3 Independence Way, Princeton, NJ 08540
Date Topic Presenter
31st Jan 2017 Software AG Integration Cloud Ankit Malhotra