SlideShare a Scribd company logo

Does REST Change the Game for IAM?

Oliver Pfaff
Oliver Pfaff

My 2012 Groundhog Day - needed much bandwidth over the past weeks to discuss the same topic with various folks: how do identity and access management and RESTful Web services relate? This slide deck aims at taking this question from its root.

Technology
1 of 25
Does REST Change the Game For IAM? Oliver Pfaff February 29, 2012
Contents ▶ Questions ▶ Fundamentals ▶ Observations ▶ Answers – Employing IAM – Delivering IAM ▶ Conclusions ▶ References February 2012 - All rights reserved 2
Questions ▶ IAM for REST: – How to provide IAM functionality for RESTful Web services? ▶ REST for IAM: – How to use RESTful Web services to deliver IAM functionality? February 2012 - All rights reserved 3
Fundamentals Characterizing RESTful Web Services ▶ Message layout: Response: – JSON, XML (or else)-in-HTTP for JSON, XML requests and responses or arbitrary ▶ Clients: data – Content-unaware clients (Web browsers) Request: – Content-aware clients (e.g. apps JSON, XML utilizing WADLs/WSDLs or client- or arbitrary side classes based on e.g. JAX-RS) data ▶ Aiming at following callers: – Humans (represented by their user agents) HTTP – Applications (facilitating machine- body to-machine interactions) POST: create GET: read ▶ Service descriptions/contracts: HTTP PUT: update header – WADL, WSDL 2.0 DELETE: delete – XSD February 2012 - All rights reserved 4
Fundamentals Vs. SOAP-Based Web Services ▶ Message layout: XML, – XML-in-SOAP-in-HTTP for requests arbitrary and responses data via ▶ Clients: attach- ments – Content-aware clients (e.g. Web service clients utilizing WSDLs or client-side classes based on e.g. SOAP JAX-WS) body ▶ Aiming at following callers: SOAP – Applications (facilitating machine- header to-machine interactions) ▶ Service descriptions/contracts: HTTP – WSDL body – XSD POST: request-response HTTP GET: soap-response header February 2012 - All rights reserved 5
Fundamentals Vs. Traditional Web Applications ▶ Message layout: Response: – URL query or HTML form HTML, arbitrary parameters-in-HTTP (for requests) data via – HTML-in-HTTP (for responses) MIME type ▶ Clients: Request: – Content-unaware clients (Web empty or browsers) keyword/ ▶ Aiming at following callers: value pairs as URL query – Humans (represented by their user or HTML form agents) parameters ▶ Service descriptions/contracts: – None HTTP body POST: user input HTTP GET: read header February 2012 - All rights reserved 6
Fundamentals Relevance of RESTful Web Services ▶ For those starting from traditional Web applications, RESTful Web services provide a more natural evolution path than SOAP-based Web services: – Conceptually RESTful Web services present a superset of traditional Web applications: RESTful Web services can serve off-the-shelf Web browsers – SOAP-based Web services and traditional Web applications are rather disjoint: SOAP-based Web services can not serve off-the-shelf Web browsers ▶ Constrained clients (apps upon smart phones) tend to prefer RESTful Web services (with JSON) over traditional Web applications (HTML). For bandwidth reasons, XML (hence SOAP) is avoided by such clients. – The popularity of smart phones pushes application providers towards JSON as preferred form-factor for exchanged data. – REST provides the architectural style for that. ▶ The so-called API economy rather depends on REST than SOAP style: composite applications/mashups rather build upon RESTful Web services than SOAP-based Web services. For instance, www.programmableweb.com currently lists: – 3557 APIs for the REST style – 966 APIs for the SOAP style February 2012 - All rights reserved 7
Observations Content Data vs. Protocol Stack ▶ RESTful Web services are a bit of a chameleon: – With respect to their support of structured data aiming at consumption by content-aware clients, RESTful Web services compare to SOAP-based Web services rather than traditional Web applications – With respect to the employed protocol stack, RESTful Web services compare to traditional Web applications rather than SOAP-based Web services ▶ Hence, IAM and security mechanisms designed for the – HTTP layer provide candidates for usage with RESTful Web services e.g. • HTTP authentication • SSL/TLS – SOAP layer are unavailable for RESTful Web services e.g. • WS-Trust (as key IAM enabler for SOAP-based Web services) • WS-Security (as key security enabler for SOAP-based Web services) February 2012 - All rights reserved 8
Observations Referring to Resource Instances ▶ When RESTful Web services are used to implement CRUD functionality, they need to refer to instances of resource objects (e.g. John Doe’s contact list). ▶ This can be done by means contained in HTTP requests (headers and/or bodies). Details are specific to the actual implementations including following options: – Instances of resource objects are referred to by path parts in HTTP request URLs (GET, PUT, DELETE) – the best practice approach – Instances of resource objects are referred to by query parts in HTTP request URLs (GET) resp. body parts in HTTP requests (PUT, DELETE) ▶ Note: POST serves the (initial) creation of an instance of a resource object. Identifiers for (new) instances of resource objects are implicitly assigned. February 2012 - All rights reserved 9
Answers – Employing IAM IAM Fingerprint of RESTful Web Services ▶ The section “employing IAM” identifies the IAM fingerprint of RESTful Web services ▶ Following topics are considered: – Initial authentication: refers to the authentication of REST requestors resp. requests through credentials (e.g. passwords, shared secret keys for one- time-password authentication, public key certificates) sustained by the REST responder or within its domain – Federated authentication: refers to the authentication of REST requestors resp. requests through credentials not sustained by the REST responder or within its domain – Single-sign-on: refers to the ability to subsequently authenticate at multiple systems or applications and access them after a single initial or federated authentication – Authorization: refers to the determination whether requestors may access particular resources according specific actions and its enforcement February 2012 - All rights reserved 10
Answers – Employing IAM Initial Authentication – Standards-Based ▶ To establish initial authentication, REST responders need to challenge requestors to present credentials. The mechanisms catalog comprises means: – Beneath the HTTP layer: SSL/TLS client authentication (RFC 2818) – On HTTP header level: HTTP-defined authentication means (RFC 2616) • Classical: Basic and Digest (RFC 2617), Negotiate (RFC 4559) • Emerging: MAC (draft-ietf-oauth-v2-http-mac-01.txt), Bearer (draft-ietf- oauth-v2-bearer-17.txt) – On HTTP payload level: • Traditional Web applications use HTML forms for user authentication with static or one-time-passwords (and other means). This is achieved through dedicated login Web applications to which users are redirected. o RESTful Web services may use such means when responding to requests from Web browsers (aiming at user authentication) o When serving content-aware clients (aiming at system authentication) means requiring interactions with users are no option • When aiming at system authentication with schemes not natively supported on HTTP header level or underneath the HTTP layer, RESTful Web services need to consider dedicated non-interactive login applications (cf. below). February 2012 - All rights reserved 11
Answers – Employing IAM Initial Authentication – Proprietary ▶ The current practice for authenticating non-user requestors of RESTful Web services is to establish ID/API key-tuples through a registration process. – This is equivalent to username/password-tuples which are established for users accessing traditional Web applications ▶ By default, the API keys are shared secrets. They are employed with HTTP Basic or proprietary authentication schemes (in case there is a need to protect [a subset] of the message contents through cryptographic checksums) – HTTP Digest authentication also allows to protect some message contents through cryptographic checksums but is not used in practice ▶ Proprietary schemes to authenticate REST API calls present an anti-pattern: – It can be commonly found (quote: “Everyone feels the need to write a custom authentication protocol”, cf. broadcast.oreilly.com/2009/12/principles-for- standardized-rest-authentication.html) – The MAC access authentication scheme for HTTP provides means to avoid this anti-pattern in future: • This scheme is currently being developed in the IETF (oauth working group) • It evolves from OAuth but is not tightly bound to the native OAuth use case of delegating authorization and can be used on a broader base. February 2012 - All rights reserved 12
Answers – Employing IAM Federated Authentication ▶ SAML provides the plain vanilla approach to identity federation for traditional Web applications: – Defines an XML vocabulary (SAML assertion and protocol syntaxes) to cover a variety of federated identity management use cases including cross domain SSO, attribute querying, and SLO. – Defines 3-party exchanges (actors: user agent, SP, IdP) and 2-party exchanges (actors: SP, IdP) based on HTTP – Provides a means to remote initial authentication to an external IdP that is entity-centric (does not bind or authenticate contents of exchanged messages) ▶ SAML messages pass transparently through user agents and thus may be considered to federate user and system authentication for RESTful Web services provided: – IdPs support means of initial authentication available to non-Web browser REST clients (esp. non-interactive means of authentication) – IdPs and SPs employ redirections means supported by non-Web browser REST clients (e.g. SAML Redirect rather than POST bindings) – Single-sign-on constraints (cf. below) are not expected to be met in an orthodox fashion (SAML’s requirement that bearer assertions are not replayed and REST’s requirement that services are stateless do conflict) February 2012 - All rights reserved 13
Answers – Employing IAM Single-Sign-On ▶ The REST architecture style assumes services to be stateless: RESTful Web services shall not store client-specific contexts between requests ▶ Hence (orthodox) RESTful Web services will abstain from the current practices of traditional Web applications: sustain local state about authenticated users and identify this state in exchanges with Web browsers by means such as: – HTTP cookie headers (cf. RFC 2965) – URL query parameters – HTML form contents ▶ This does constrain RESTful Web services in providing single-sign-on experiences for user authentication (not so much an issue for system authentication): – Encourages Kerberos style: rather than identifiers referring to state sustained elsewhere, self-contained objects representing an authenticated system entity should be transferred. – This comes with challenges on side of IT-security (data origin authentication, proof-of-possession for those self-contained objects as well as their binding to message contents) and non-functional characteristics (per message overhead). February 2012 - All rights reserved 14
Answers – Employing IAM Authorization ▶ Authorization is a local matter of RESTful Web service providers. It does not add further dependencies between consumers and producers of REST services (unless specific use cases such as user consent [e.g. OAuth] are to be addressed). ▶ With PEPs (e.g. servlet-filters) that recognize request contents on the HTTP header level only, access control can be achieved on following granularity: – For RESTful Web services identifying resource instances in the URL path • Create operation: requested resource class o For example, the Group resource class in SCIM (www.simplecloud.info/specs/draft-scim-core-schema-00.html) identified by http(s)://hostname:port/Groups allowing to decide e.g. may John Doe create a group (endpoint and type of operation) • Read/update/delete operations: requested resource instance o For example, the Group resource instance with id=01234-56789 in SCIM identified as http(s)://hostname:port/Groups/01234-56789 allowing to decide e.g. may John Doe delete this instance of group (endpoint, type of operation, and instance of resource object) ▶ If further details of actual requests shall be considered in authorization decision making, PEPs for RESTful Web services need to understand HTTP request bodies. Such PEPs may reside in the actual business application or the REST stack. February 2012 - All rights reserved 15
Answers – Delivering IAM RESTful IAM Services ▶ The section “delivering IAM” considers the realization of IAM functionality through RESTful Web services ▶ Following use cases are considered: – User provisioning: IAM services concerned with creating, maintaining, and terminating user objects – Login applications: IAM services concerned with performing initial authentication through an application dedicated to this purpose – Identity federation: IAM services using federated authentication to split identity management tasks according the roles of IdPs and SPs as the producers and consumers of authenticated information about system entities – Claims-based identity management: IAM services supporting the consumption of identity data according a clean dependency injection model (consumers of identity data such as business applications shall be decoupled from means of storing and managing the identity data) – Authorization management: IAM services supporting the tasks of authorization policy management and authorization decision making February 2012 - All rights reserved 16
Answers – Delivering IAM User Provisioning ▶ User provisioning is concerned with creating, reading, updating, and deleting user objects (comprising identifiers, attributes, credentials…) in persisted storage ▶ RESTful Web services are capable of providing CRUD functionality for arbitrary business objects through a variety of input formats (e.g. URL query or HTML form parameters, JSON, XML) and output formats (e.g. HTML, JSON, XML) via HTTP ▶ This includes user objects (represented as e.g. entries in an LDAP server) and makes RESTful Web services a straight-forward candidate for addressing the user provisioning use case ▶ SCIM (www.simplecloud.info) provides a specification addressing the user provisioning according the REST style February 2012 - All rights reserved 17
Answers – Delivering IAM Login Applications ▶ Traditional Web applications use dedicated login applications to – Brand and customize login screens for initial authentication (esp. initial authentication with usernames/static passwords) – Support authentication schemes not natively supported on HTTP or SSL/TLS level (e.g. one-time-passwords such as RFCs 2289/4226/6238) ▶ Such dedicated login Web applications may be provided as RESTful Web services: – Does not result in new functionality for the initial authentication of users (conducted via Web browsers) – Provides a solution-specific way of performing initial authentication of systems as clients of RESTful Web services for schemes not natively supported on HTTP or SSL/TLS level – Imposes constraints on REST-friendliness of single-sign-on esp. transfer of authentication context to another application as a consumer. February 2012 - All rights reserved 18
Answers – Delivering IAM Identity Federation ▶ The well-known identity federation techniques address traditional Web applications and SOAP-based Web services: – Traditional Web applications: SAML, OpenID – SOAP-based Web services: WS-Trust, WS-Federation ▶ There is not yet a standardization effort that would shape IdP and SP components as well as their protocol interactions according the REST style (here: as RESTful IdP and SP services that address use cases in federated identity management such as cross-domain SSO, SLO and attribute exchange) ▶ Some initiatives look at a subset of this problem: the expression of assertions/ statements about an authenticated system entity in non-XML formats esp. JSON: JWT (JSON Web Token, draft-jones-json-web-token-07.txt, cf. tools.ietf.org/html/draft-jones-json-web-token-07). – The goal to address the identity federation use case and retain its main concepts while avoiding the per-message overhead of XML encodings. – For a survey of specifications defining and using JWT cf. www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_30.pdf February 2012 - All rights reserved 19
Answers – Delivering IAM Claims-Based Identity Management for REST ▶ In claims-based identity management, the consumers of identity data: – Deliberately ask for identifying information (e.g. UID) and attributes or contexts (e.g. group memberships, role assignments) they depend on. Corresponding information is expected to travel in-band with request objects – Do not lookup supplementary information about requestors from sources in their backend ▶ This concept goes well with SOAP-based Web services. WS-Trust STSs are key components in delivering claims-based identity management: – WS-Trust RST messages allow to request a variety of identity-related information (identifiers, attributes, contexts such as group assignments and role membership, authentication state) – WS-Trust STS components allow to encapsulate the supply and management of such information – The integration of WS-Trust exchanges with WS-stacks reliefs the actual implementations of the Web service providers and consumers from handling details ▶ A corresponding machinery does not exist for RESTful Web services. Their current potentials towards claims-based identity management are limited. February 2012 - All rights reserved 20
Answers – Delivering IAM Authorization Management ▶ OAuth 2.0 introduces a system component called authorization server: – This component encapsulates the authorization management for OAuth – It has following interactions with resource owners (end users represented by Web browsers as user agents), OAuth intermediaries (composite applications), and OAuth resource servers: • Resource owners: user authentication, delegation of access rights • OAuth intermediaries: system authentication, acquisition of tokens resp. token credentials • OAuth resource servers: system authentication, validation of access tokens or supply of keying information to facilitate validation by resource servers (subject to type of access token – MAC vs. Bearer) ▶ OAuth authorization servers are candidates for an implementation according the REST style: – This component needs to serve accesses from Web browsers in parallel to accesses from other clients (OAuth intermediaries and resource servers) – It emerges from a REST-aware environment February 2012 - All rights reserved 21
Conclusions IAM for REST ▶ Delivering IAM to enable RESTful Web services needs to differentiate according the caller types: – Web browsers: to a large extent IAM for RESTful Web services resembles that for classical Web applications with some REST style-imposed constraints on achieving SSO – Other content-aware clients: new requirements dominate as • Additional media types (e.g. JSON, XML) in HTTP requests need to be handled beyond the classical URL query and HTML form parameters • For unattended clients (e.g. composite applications) it is difficult to impossible to use techniques that depend on user attention or interaction ▶ RESTful Web services have a completely different IAM fingerprint than SOAP- based Web services. This is due to the absence of the SOAP-based IAM and security mechanisms. ▶ Their IAM fingerprint is closer to that of classical Web applications. But the advent of new caller types and media types requires new mechanisms to address topics such as API authentication and authorization. – OAuth is an example for a new IAM mechanism that addresses IAM for RESTful Web services (according a specific use case) February 2012 - All rights reserved 22
Conclusions REST for IAM ▶ Supplying IAM services via REST (e.g. user data, authentication, authorization or policy services) is pretty straight-forward since it is simple to RESTify an already existing functionality or create it from scratch. ▶ Challenges are on the side of: – How to establish clients for RESTful IAM services and make it convenient for (other) services or their consumers to integrate it? – How to establish security for RESTful IAM services? ▶ Current state of using RESTful Web services for delivering IAM functionality: – Things already underway: • RESTful user provisioning (SCIM) – Not (yet) underway (on the level of standardization initiatives): • RESTful claims-based identity management • RESTful authorization management February 2012 - All rights reserved 23
References ▶ Fielding, R.: Architectural Styles and the Design of Network-based Software Architectures. PhD Thesis. University of California, Irvine. 2000 ▶ Hadley, M.; Sandoz, P. (eds): JAX-RS: Java API for RESTful Web Services. JSR- 311, Java Community Process. 2008 ▶ N.N.: Jersey. JAX-RS reference implementation ▶ Pautasso, C.; Zimmermann, O.; Leymann, F.: RESTful Web Services vs. “Big” Web Services: Making the Right Architectural Decision. Proc. of the 17th International World Wide Web Conference, Bejing. 2008 ▶ Pautasso, C.: REST-Inspired SOA Design Patterns (and Anti-Patterns). 2nd International SOA Symposium, Rotterdam. 2009 February 2012 - All rights reserved 24
Author ▶ Oliver Pfaff oliver.frank.pfaff@gmail.com February 2012 - All rights reserved 25

Recommended

Ch21
Ch21Ch21
Ch21Welly Dian Astika
 
The Semantic Web
The Semantic WebThe Semantic Web
The Semantic WebAnil Mishra
 
Improving Your Web Services Thorough Semantic Web Techniques
Improving Your Web Services Thorough Semantic Web TechniquesImproving Your Web Services Thorough Semantic Web Techniques
Improving Your Web Services Thorough Semantic Web TechniquesGihan Wikramanayake
 
VNSISPL_DBMS_Concepts_ch8
VNSISPL_DBMS_Concepts_ch8VNSISPL_DBMS_Concepts_ch8
VNSISPL_DBMS_Concepts_ch8sriprasoon
 
Data Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsData Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsRaymond Feng
 
Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...
Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...
Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...ecosio GmbH
 
Web Services - Introduction
Web Services - IntroductionWeb Services - Introduction
Web Services - IntroductionMartin Necasky
 
Overview of web services
Overview of web servicesOverview of web services
Overview of web servicesPeople Strategists
 

Recommended

Ch21
Ch21Ch21
Ch21Welly Dian Astika
 
The Semantic Web
The Semantic WebThe Semantic Web
The Semantic WebAnil Mishra
 
Improving Your Web Services Thorough Semantic Web Techniques
Improving Your Web Services Thorough Semantic Web TechniquesImproving Your Web Services Thorough Semantic Web Techniques
Improving Your Web Services Thorough Semantic Web TechniquesGihan Wikramanayake
 
VNSISPL_DBMS_Concepts_ch8
VNSISPL_DBMS_Concepts_ch8VNSISPL_DBMS_Concepts_ch8
VNSISPL_DBMS_Concepts_ch8sriprasoon
 
Data Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsData Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsRaymond Feng
 
Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...
Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...
Introduction to Service Oriented Architectures, SOAP/WSDL Web Services and RE...ecosio GmbH
 
Web Services - Introduction
Web Services - IntroductionWeb Services - Introduction
Web Services - IntroductionMartin Necasky
 
Overview of web services
Overview of web servicesOverview of web services
Overview of web servicesPeople Strategists
 
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...Lucas Jellema
 
6 10-presentation
6 10-presentation6 10-presentation
6 10-presentationRemi Arnaud
 
A Deep Dive into RESTful API Design Part 1
A Deep Dive into RESTful API Design Part 1A Deep Dive into RESTful API Design Part 1
A Deep Dive into RESTful API Design Part 1VivekKrishna34
 
Web2 0 Incredibles
Web2 0 IncrediblesWeb2 0 Incredibles
Web2 0 Incrediblesanjeshdubey
 
Bt0083, server side programming theory
Bt0083, server side programming theoryBt0083, server side programming theory
Bt0083, server side programming theorysmumbahelp
 
session and cookies.ppt
session and cookies.pptsession and cookies.ppt
session and cookies.pptJayaprasanna4
 
Scalable Architectures - Microsoft Finland DevDays 2014
Scalable Architectures - Microsoft Finland DevDays 2014Scalable Architectures - Microsoft Finland DevDays 2014
Scalable Architectures - Microsoft Finland DevDays 2014Kallex
 
Pinterest like site using REST and Bottle
Pinterest like site using REST and Bottle Pinterest like site using REST and Bottle
Pinterest like site using REST and Bottle Gaurav Bhardwaj
 
Canarie Federated Non Web Signon
Canarie Federated Non Web SignonCanarie Federated Non Web Signon
Canarie Federated Non Web SignonChris Phillips
 
Ead pertemuan-7
Ead pertemuan-7Ead pertemuan-7
Ead pertemuan-7Yudha Arif Budiman
 
The Story of How an Oracle Classic Stronghold successfully embraced SOA
The Story of How an Oracle Classic Stronghold successfully embraced SOAThe Story of How an Oracle Classic Stronghold successfully embraced SOA
The Story of How an Oracle Classic Stronghold successfully embraced SOALucas Jellema
 
Analyzing OAuth
Analyzing OAuthAnalyzing OAuth
Analyzing OAuthOliver Pfaff
 
IBM Innovate 2013: Making Rational HATS a Strategic Investment
IBM Innovate 2013: Making Rational HATS a Strategic InvestmentIBM Innovate 2013: Making Rational HATS a Strategic Investment
IBM Innovate 2013: Making Rational HATS a Strategic InvestmentStrongback Consulting
 
Modern Database Development Oow2008 Lucas Jellema
Modern Database Development Oow2008 Lucas JellemaModern Database Development Oow2008 Lucas Jellema
Modern Database Development Oow2008 Lucas JellemaLucas Jellema
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
Unit 02: Web Technologies (2/2)
Unit 02: Web Technologies (2/2)Unit 02: Web Technologies (2/2)
Unit 02: Web Technologies (2/2)DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
Subscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsSubscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsdbpublications
 
Rest introduction
Rest introductionRest introduction
Rest introductionWilliam Martinez Pomares
 
WS-* with WCF
WS-* with WCFWS-* with WCF
WS-* with WCFppcanodehuelva
 
James Turner (Caplin) - Enterprise HTML5 Patterns
James Turner (Caplin) - Enterprise HTML5 PatternsJames Turner (Caplin) - Enterprise HTML5 Patterns
James Turner (Caplin) - Enterprise HTML5 Patternsakqaanoraks
 
Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT SecurityOliver Pfaff
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services SecurityOliver Pfaff
 

More Related Content

Similar to Does REST Change the Game for IAM?

The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...Lucas Jellema
 
6 10-presentation
6 10-presentation6 10-presentation
6 10-presentationRemi Arnaud
 
A Deep Dive into RESTful API Design Part 1
A Deep Dive into RESTful API Design Part 1A Deep Dive into RESTful API Design Part 1
A Deep Dive into RESTful API Design Part 1VivekKrishna34
 
Web2 0 Incredibles
Web2 0 IncrediblesWeb2 0 Incredibles
Web2 0 Incrediblesanjeshdubey
 
Bt0083, server side programming theory
Bt0083, server side programming theoryBt0083, server side programming theory
Bt0083, server side programming theorysmumbahelp
 
session and cookies.ppt
session and cookies.pptsession and cookies.ppt
session and cookies.pptJayaprasanna4
 
Scalable Architectures - Microsoft Finland DevDays 2014
Scalable Architectures - Microsoft Finland DevDays 2014Scalable Architectures - Microsoft Finland DevDays 2014
Scalable Architectures - Microsoft Finland DevDays 2014Kallex
 
Pinterest like site using REST and Bottle
Pinterest like site using REST and Bottle Pinterest like site using REST and Bottle
Pinterest like site using REST and Bottle Gaurav Bhardwaj
 
Canarie Federated Non Web Signon
Canarie Federated Non Web SignonCanarie Federated Non Web Signon
Canarie Federated Non Web SignonChris Phillips
 
The Story of How an Oracle Classic Stronghold successfully embraced SOA
The Story of How an Oracle Classic Stronghold successfully embraced SOAThe Story of How an Oracle Classic Stronghold successfully embraced SOA
The Story of How an Oracle Classic Stronghold successfully embraced SOALucas Jellema
 
IBM Innovate 2013: Making Rational HATS a Strategic Investment
IBM Innovate 2013: Making Rational HATS a Strategic InvestmentIBM Innovate 2013: Making Rational HATS a Strategic Investment
IBM Innovate 2013: Making Rational HATS a Strategic InvestmentStrongback Consulting
 
Modern Database Development Oow2008 Lucas Jellema
Modern Database Development Oow2008 Lucas JellemaModern Database Development Oow2008 Lucas Jellema
Modern Database Development Oow2008 Lucas JellemaLucas Jellema
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
Subscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsSubscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsdbpublications
 
James Turner (Caplin) - Enterprise HTML5 Patterns
James Turner (Caplin) - Enterprise HTML5 PatternsJames Turner (Caplin) - Enterprise HTML5 Patterns
James Turner (Caplin) - Enterprise HTML5 Patternsakqaanoraks
 

Similar to Does REST Change the Game for IAM? (20)

The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
 
6 10-presentation
6 10-presentation6 10-presentation
6 10-presentation
 
A Deep Dive into RESTful API Design Part 1
A Deep Dive into RESTful API Design Part 1A Deep Dive into RESTful API Design Part 1
A Deep Dive into RESTful API Design Part 1
 
Web2 0 Incredibles
Web2 0 IncrediblesWeb2 0 Incredibles
Web2 0 Incredibles
 
Bt0083, server side programming theory
Bt0083, server side programming theoryBt0083, server side programming theory
Bt0083, server side programming theory
 
session and cookies.ppt
session and cookies.pptsession and cookies.ppt
session and cookies.ppt
 
Scalable Architectures - Microsoft Finland DevDays 2014
Scalable Architectures - Microsoft Finland DevDays 2014Scalable Architectures - Microsoft Finland DevDays 2014
Scalable Architectures - Microsoft Finland DevDays 2014
 
Pinterest like site using REST and Bottle
Pinterest like site using REST and Bottle Pinterest like site using REST and Bottle
Pinterest like site using REST and Bottle
 
Canarie Federated Non Web Signon
Canarie Federated Non Web SignonCanarie Federated Non Web Signon
Canarie Federated Non Web Signon
 
Ead pertemuan-7
Ead pertemuan-7Ead pertemuan-7
Ead pertemuan-7
 
The Story of How an Oracle Classic Stronghold successfully embraced SOA
The Story of How an Oracle Classic Stronghold successfully embraced SOAThe Story of How an Oracle Classic Stronghold successfully embraced SOA
The Story of How an Oracle Classic Stronghold successfully embraced SOA
 
Analyzing OAuth
Analyzing OAuthAnalyzing OAuth
Analyzing OAuth
 
IBM Innovate 2013: Making Rational HATS a Strategic Investment
IBM Innovate 2013: Making Rational HATS a Strategic InvestmentIBM Innovate 2013: Making Rational HATS a Strategic Investment
IBM Innovate 2013: Making Rational HATS a Strategic Investment
 
Modern Database Development Oow2008 Lucas Jellema
Modern Database Development Oow2008 Lucas JellemaModern Database Development Oow2008 Lucas Jellema
Modern Database Development Oow2008 Lucas Jellema
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
 
Unit 02: Web Technologies (2/2)
Unit 02: Web Technologies (2/2)Unit 02: Web Technologies (2/2)
Unit 02: Web Technologies (2/2)
 
Subscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsSubscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robots
 
Rest introduction
Rest introductionRest introduction
Rest introduction
 
WS-* with WCF
WS-* with WCFWS-* with WCF
WS-* with WCF
 
James Turner (Caplin) - Enterprise HTML5 Patterns
James Turner (Caplin) - Enterprise HTML5 PatternsJames Turner (Caplin) - Enterprise HTML5 Patterns
James Turner (Caplin) - Enterprise HTML5 Patterns
 

More from Oliver Pfaff

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT SecurityOliver Pfaff
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services SecurityOliver Pfaff
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Oliver Pfaff
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary LifeOliver Pfaff
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityOliver Pfaff
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessOliver Pfaff
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceOliver Pfaff
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresOliver Pfaff
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationOliver Pfaff
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPOliver Pfaff
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Oliver Pfaff
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareOliver Pfaff
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?Oliver Pfaff
 

More from Oliver Pfaff (17)

Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'Deciphering 'Claims-based Identity'
Deciphering 'Claims-based Identity'
 
IT-Security@Contemporary Life
IT-Security@Contemporary LifeIT-Security@Contemporary Life
IT-Security@Contemporary Life
 
OAuth Base Camp
OAuth Base CampOAuth Base Camp
OAuth Base Camp
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
Trust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-SecurityTrust in E- and M-Business - Advances Through IT-Security
Trust in E- and M-Business - Advances Through IT-Security
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusiness
 
Early Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpaceEarly Adopting Java WSIT-Experiences with Windows CardSpace
Early Adopting Java WSIT-Experiences with Windows CardSpace
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
State-of-the-Art in Web Services Federation
State-of-the-Art in Web Services FederationState-of-the-Art in Web Services Federation
State-of-the-Art in Web Services Federation
 
Unified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAPUnified Security Architectures for Web and WAP
Unified Security Architectures for Web and WAP
 
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
Real-Time-Communications Security-How to Deploy Presence and Instant Messagin...
 
Identity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health CareIdentity 2.0, Web services and SOA in Health Care
Identity 2.0, Web services and SOA in Health Care
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Does REST Change the Game for IAM?

  • 1. Does REST Change the Game For IAM? Oliver Pfaff February 29, 2012
  • 2. Contents ▶ Questions ▶ Fundamentals ▶ Observations ▶ Answers – Employing IAM – Delivering IAM ▶ Conclusions ▶ References February 2012 - All rights reserved 2
  • 3. Questions ▶ IAM for REST: – How to provide IAM functionality for RESTful Web services? ▶ REST for IAM: – How to use RESTful Web services to deliver IAM functionality? February 2012 - All rights reserved 3
  • 4. Fundamentals Characterizing RESTful Web Services ▶ Message layout: Response: – JSON, XML (or else)-in-HTTP for JSON, XML requests and responses or arbitrary ▶ Clients: data – Content-unaware clients (Web browsers) Request: – Content-aware clients (e.g. apps JSON, XML utilizing WADLs/WSDLs or client- or arbitrary side classes based on e.g. JAX-RS) data ▶ Aiming at following callers: – Humans (represented by their user agents) HTTP – Applications (facilitating machine- body to-machine interactions) POST: create GET: read ▶ Service descriptions/contracts: HTTP PUT: update header – WADL, WSDL 2.0 DELETE: delete – XSD February 2012 - All rights reserved 4
  • 5. Fundamentals Vs. SOAP-Based Web Services ▶ Message layout: XML, – XML-in-SOAP-in-HTTP for requests arbitrary and responses data via ▶ Clients: attach- ments – Content-aware clients (e.g. Web service clients utilizing WSDLs or client-side classes based on e.g. SOAP JAX-WS) body ▶ Aiming at following callers: SOAP – Applications (facilitating machine- header to-machine interactions) ▶ Service descriptions/contracts: HTTP – WSDL body – XSD POST: request-response HTTP GET: soap-response header February 2012 - All rights reserved 5
  • 6. Fundamentals Vs. Traditional Web Applications ▶ Message layout: Response: – URL query or HTML form HTML, arbitrary parameters-in-HTTP (for requests) data via – HTML-in-HTTP (for responses) MIME type ▶ Clients: Request: – Content-unaware clients (Web empty or browsers) keyword/ ▶ Aiming at following callers: value pairs as URL query – Humans (represented by their user or HTML form agents) parameters ▶ Service descriptions/contracts: – None HTTP body POST: user input HTTP GET: read header February 2012 - All rights reserved 6
  • 7. Fundamentals Relevance of RESTful Web Services ▶ For those starting from traditional Web applications, RESTful Web services provide a more natural evolution path than SOAP-based Web services: – Conceptually RESTful Web services present a superset of traditional Web applications: RESTful Web services can serve off-the-shelf Web browsers – SOAP-based Web services and traditional Web applications are rather disjoint: SOAP-based Web services can not serve off-the-shelf Web browsers ▶ Constrained clients (apps upon smart phones) tend to prefer RESTful Web services (with JSON) over traditional Web applications (HTML). For bandwidth reasons, XML (hence SOAP) is avoided by such clients. – The popularity of smart phones pushes application providers towards JSON as preferred form-factor for exchanged data. – REST provides the architectural style for that. ▶ The so-called API economy rather depends on REST than SOAP style: composite applications/mashups rather build upon RESTful Web services than SOAP-based Web services. For instance, www.programmableweb.com currently lists: – 3557 APIs for the REST style – 966 APIs for the SOAP style February 2012 - All rights reserved 7
  • 8. Observations Content Data vs. Protocol Stack ▶ RESTful Web services are a bit of a chameleon: – With respect to their support of structured data aiming at consumption by content-aware clients, RESTful Web services compare to SOAP-based Web services rather than traditional Web applications – With respect to the employed protocol stack, RESTful Web services compare to traditional Web applications rather than SOAP-based Web services ▶ Hence, IAM and security mechanisms designed for the – HTTP layer provide candidates for usage with RESTful Web services e.g. • HTTP authentication • SSL/TLS – SOAP layer are unavailable for RESTful Web services e.g. • WS-Trust (as key IAM enabler for SOAP-based Web services) • WS-Security (as key security enabler for SOAP-based Web services) February 2012 - All rights reserved 8
  • 9. Observations Referring to Resource Instances ▶ When RESTful Web services are used to implement CRUD functionality, they need to refer to instances of resource objects (e.g. John Doe’s contact list). ▶ This can be done by means contained in HTTP requests (headers and/or bodies). Details are specific to the actual implementations including following options: – Instances of resource objects are referred to by path parts in HTTP request URLs (GET, PUT, DELETE) – the best practice approach – Instances of resource objects are referred to by query parts in HTTP request URLs (GET) resp. body parts in HTTP requests (PUT, DELETE) ▶ Note: POST serves the (initial) creation of an instance of a resource object. Identifiers for (new) instances of resource objects are implicitly assigned. February 2012 - All rights reserved 9
  • 10. Answers – Employing IAM IAM Fingerprint of RESTful Web Services ▶ The section “employing IAM” identifies the IAM fingerprint of RESTful Web services ▶ Following topics are considered: – Initial authentication: refers to the authentication of REST requestors resp. requests through credentials (e.g. passwords, shared secret keys for one- time-password authentication, public key certificates) sustained by the REST responder or within its domain – Federated authentication: refers to the authentication of REST requestors resp. requests through credentials not sustained by the REST responder or within its domain – Single-sign-on: refers to the ability to subsequently authenticate at multiple systems or applications and access them after a single initial or federated authentication – Authorization: refers to the determination whether requestors may access particular resources according specific actions and its enforcement February 2012 - All rights reserved 10
  • 11. Answers – Employing IAM Initial Authentication – Standards-Based ▶ To establish initial authentication, REST responders need to challenge requestors to present credentials. The mechanisms catalog comprises means: – Beneath the HTTP layer: SSL/TLS client authentication (RFC 2818) – On HTTP header level: HTTP-defined authentication means (RFC 2616) • Classical: Basic and Digest (RFC 2617), Negotiate (RFC 4559) • Emerging: MAC (draft-ietf-oauth-v2-http-mac-01.txt), Bearer (draft-ietf- oauth-v2-bearer-17.txt) – On HTTP payload level: • Traditional Web applications use HTML forms for user authentication with static or one-time-passwords (and other means). This is achieved through dedicated login Web applications to which users are redirected. o RESTful Web services may use such means when responding to requests from Web browsers (aiming at user authentication) o When serving content-aware clients (aiming at system authentication) means requiring interactions with users are no option • When aiming at system authentication with schemes not natively supported on HTTP header level or underneath the HTTP layer, RESTful Web services need to consider dedicated non-interactive login applications (cf. below). February 2012 - All rights reserved 11
  • 12. Answers – Employing IAM Initial Authentication – Proprietary ▶ The current practice for authenticating non-user requestors of RESTful Web services is to establish ID/API key-tuples through a registration process. – This is equivalent to username/password-tuples which are established for users accessing traditional Web applications ▶ By default, the API keys are shared secrets. They are employed with HTTP Basic or proprietary authentication schemes (in case there is a need to protect [a subset] of the message contents through cryptographic checksums) – HTTP Digest authentication also allows to protect some message contents through cryptographic checksums but is not used in practice ▶ Proprietary schemes to authenticate REST API calls present an anti-pattern: – It can be commonly found (quote: “Everyone feels the need to write a custom authentication protocol”, cf. broadcast.oreilly.com/2009/12/principles-for- standardized-rest-authentication.html) – The MAC access authentication scheme for HTTP provides means to avoid this anti-pattern in future: • This scheme is currently being developed in the IETF (oauth working group) • It evolves from OAuth but is not tightly bound to the native OAuth use case of delegating authorization and can be used on a broader base. February 2012 - All rights reserved 12
  • 13. Answers – Employing IAM Federated Authentication ▶ SAML provides the plain vanilla approach to identity federation for traditional Web applications: – Defines an XML vocabulary (SAML assertion and protocol syntaxes) to cover a variety of federated identity management use cases including cross domain SSO, attribute querying, and SLO. – Defines 3-party exchanges (actors: user agent, SP, IdP) and 2-party exchanges (actors: SP, IdP) based on HTTP – Provides a means to remote initial authentication to an external IdP that is entity-centric (does not bind or authenticate contents of exchanged messages) ▶ SAML messages pass transparently through user agents and thus may be considered to federate user and system authentication for RESTful Web services provided: – IdPs support means of initial authentication available to non-Web browser REST clients (esp. non-interactive means of authentication) – IdPs and SPs employ redirections means supported by non-Web browser REST clients (e.g. SAML Redirect rather than POST bindings) – Single-sign-on constraints (cf. below) are not expected to be met in an orthodox fashion (SAML’s requirement that bearer assertions are not replayed and REST’s requirement that services are stateless do conflict) February 2012 - All rights reserved 13
  • 14. Answers – Employing IAM Single-Sign-On ▶ The REST architecture style assumes services to be stateless: RESTful Web services shall not store client-specific contexts between requests ▶ Hence (orthodox) RESTful Web services will abstain from the current practices of traditional Web applications: sustain local state about authenticated users and identify this state in exchanges with Web browsers by means such as: – HTTP cookie headers (cf. RFC 2965) – URL query parameters – HTML form contents ▶ This does constrain RESTful Web services in providing single-sign-on experiences for user authentication (not so much an issue for system authentication): – Encourages Kerberos style: rather than identifiers referring to state sustained elsewhere, self-contained objects representing an authenticated system entity should be transferred. – This comes with challenges on side of IT-security (data origin authentication, proof-of-possession for those self-contained objects as well as their binding to message contents) and non-functional characteristics (per message overhead). February 2012 - All rights reserved 14
  • 15. Answers – Employing IAM Authorization ▶ Authorization is a local matter of RESTful Web service providers. It does not add further dependencies between consumers and producers of REST services (unless specific use cases such as user consent [e.g. OAuth] are to be addressed). ▶ With PEPs (e.g. servlet-filters) that recognize request contents on the HTTP header level only, access control can be achieved on following granularity: – For RESTful Web services identifying resource instances in the URL path • Create operation: requested resource class o For example, the Group resource class in SCIM (www.simplecloud.info/specs/draft-scim-core-schema-00.html) identified by http(s)://hostname:port/Groups allowing to decide e.g. may John Doe create a group (endpoint and type of operation) • Read/update/delete operations: requested resource instance o For example, the Group resource instance with id=01234-56789 in SCIM identified as http(s)://hostname:port/Groups/01234-56789 allowing to decide e.g. may John Doe delete this instance of group (endpoint, type of operation, and instance of resource object) ▶ If further details of actual requests shall be considered in authorization decision making, PEPs for RESTful Web services need to understand HTTP request bodies. Such PEPs may reside in the actual business application or the REST stack. February 2012 - All rights reserved 15
  • 16. Answers – Delivering IAM RESTful IAM Services ▶ The section “delivering IAM” considers the realization of IAM functionality through RESTful Web services ▶ Following use cases are considered: – User provisioning: IAM services concerned with creating, maintaining, and terminating user objects – Login applications: IAM services concerned with performing initial authentication through an application dedicated to this purpose – Identity federation: IAM services using federated authentication to split identity management tasks according the roles of IdPs and SPs as the producers and consumers of authenticated information about system entities – Claims-based identity management: IAM services supporting the consumption of identity data according a clean dependency injection model (consumers of identity data such as business applications shall be decoupled from means of storing and managing the identity data) – Authorization management: IAM services supporting the tasks of authorization policy management and authorization decision making February 2012 - All rights reserved 16
  • 17. Answers – Delivering IAM User Provisioning ▶ User provisioning is concerned with creating, reading, updating, and deleting user objects (comprising identifiers, attributes, credentials…) in persisted storage ▶ RESTful Web services are capable of providing CRUD functionality for arbitrary business objects through a variety of input formats (e.g. URL query or HTML form parameters, JSON, XML) and output formats (e.g. HTML, JSON, XML) via HTTP ▶ This includes user objects (represented as e.g. entries in an LDAP server) and makes RESTful Web services a straight-forward candidate for addressing the user provisioning use case ▶ SCIM (www.simplecloud.info) provides a specification addressing the user provisioning according the REST style February 2012 - All rights reserved 17
  • 18. Answers – Delivering IAM Login Applications ▶ Traditional Web applications use dedicated login applications to – Brand and customize login screens for initial authentication (esp. initial authentication with usernames/static passwords) – Support authentication schemes not natively supported on HTTP or SSL/TLS level (e.g. one-time-passwords such as RFCs 2289/4226/6238) ▶ Such dedicated login Web applications may be provided as RESTful Web services: – Does not result in new functionality for the initial authentication of users (conducted via Web browsers) – Provides a solution-specific way of performing initial authentication of systems as clients of RESTful Web services for schemes not natively supported on HTTP or SSL/TLS level – Imposes constraints on REST-friendliness of single-sign-on esp. transfer of authentication context to another application as a consumer. February 2012 - All rights reserved 18
  • 19. Answers – Delivering IAM Identity Federation ▶ The well-known identity federation techniques address traditional Web applications and SOAP-based Web services: – Traditional Web applications: SAML, OpenID – SOAP-based Web services: WS-Trust, WS-Federation ▶ There is not yet a standardization effort that would shape IdP and SP components as well as their protocol interactions according the REST style (here: as RESTful IdP and SP services that address use cases in federated identity management such as cross-domain SSO, SLO and attribute exchange) ▶ Some initiatives look at a subset of this problem: the expression of assertions/ statements about an authenticated system entity in non-XML formats esp. JSON: JWT (JSON Web Token, draft-jones-json-web-token-07.txt, cf. tools.ietf.org/html/draft-jones-json-web-token-07). – The goal to address the identity federation use case and retain its main concepts while avoiding the per-message overhead of XML encodings. – For a survey of specifications defining and using JWT cf. www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_30.pdf February 2012 - All rights reserved 19
  • 20. Answers – Delivering IAM Claims-Based Identity Management for REST ▶ In claims-based identity management, the consumers of identity data: – Deliberately ask for identifying information (e.g. UID) and attributes or contexts (e.g. group memberships, role assignments) they depend on. Corresponding information is expected to travel in-band with request objects – Do not lookup supplementary information about requestors from sources in their backend ▶ This concept goes well with SOAP-based Web services. WS-Trust STSs are key components in delivering claims-based identity management: – WS-Trust RST messages allow to request a variety of identity-related information (identifiers, attributes, contexts such as group assignments and role membership, authentication state) – WS-Trust STS components allow to encapsulate the supply and management of such information – The integration of WS-Trust exchanges with WS-stacks reliefs the actual implementations of the Web service providers and consumers from handling details ▶ A corresponding machinery does not exist for RESTful Web services. Their current potentials towards claims-based identity management are limited. February 2012 - All rights reserved 20
  • 21. Answers – Delivering IAM Authorization Management ▶ OAuth 2.0 introduces a system component called authorization server: – This component encapsulates the authorization management for OAuth – It has following interactions with resource owners (end users represented by Web browsers as user agents), OAuth intermediaries (composite applications), and OAuth resource servers: • Resource owners: user authentication, delegation of access rights • OAuth intermediaries: system authentication, acquisition of tokens resp. token credentials • OAuth resource servers: system authentication, validation of access tokens or supply of keying information to facilitate validation by resource servers (subject to type of access token – MAC vs. Bearer) ▶ OAuth authorization servers are candidates for an implementation according the REST style: – This component needs to serve accesses from Web browsers in parallel to accesses from other clients (OAuth intermediaries and resource servers) – It emerges from a REST-aware environment February 2012 - All rights reserved 21
  • 22. Conclusions IAM for REST ▶ Delivering IAM to enable RESTful Web services needs to differentiate according the caller types: – Web browsers: to a large extent IAM for RESTful Web services resembles that for classical Web applications with some REST style-imposed constraints on achieving SSO – Other content-aware clients: new requirements dominate as • Additional media types (e.g. JSON, XML) in HTTP requests need to be handled beyond the classical URL query and HTML form parameters • For unattended clients (e.g. composite applications) it is difficult to impossible to use techniques that depend on user attention or interaction ▶ RESTful Web services have a completely different IAM fingerprint than SOAP- based Web services. This is due to the absence of the SOAP-based IAM and security mechanisms. ▶ Their IAM fingerprint is closer to that of classical Web applications. But the advent of new caller types and media types requires new mechanisms to address topics such as API authentication and authorization. – OAuth is an example for a new IAM mechanism that addresses IAM for RESTful Web services (according a specific use case) February 2012 - All rights reserved 22
  • 23. Conclusions REST for IAM ▶ Supplying IAM services via REST (e.g. user data, authentication, authorization or policy services) is pretty straight-forward since it is simple to RESTify an already existing functionality or create it from scratch. ▶ Challenges are on the side of: – How to establish clients for RESTful IAM services and make it convenient for (other) services or their consumers to integrate it? – How to establish security for RESTful IAM services? ▶ Current state of using RESTful Web services for delivering IAM functionality: – Things already underway: • RESTful user provisioning (SCIM) – Not (yet) underway (on the level of standardization initiatives): • RESTful claims-based identity management • RESTful authorization management February 2012 - All rights reserved 23
  • 24. References ▶ Fielding, R.: Architectural Styles and the Design of Network-based Software Architectures. PhD Thesis. University of California, Irvine. 2000 ▶ Hadley, M.; Sandoz, P. (eds): JAX-RS: Java API for RESTful Web Services. JSR- 311, Java Community Process. 2008 ▶ N.N.: Jersey. JAX-RS reference implementation ▶ Pautasso, C.; Zimmermann, O.; Leymann, F.: RESTful Web Services vs. “Big” Web Services: Making the Right Architectural Decision. Proc. of the 17th International World Wide Web Conference, Bejing. 2008 ▶ Pautasso, C.: REST-Inspired SOA Design Patterns (and Anti-Patterns). 2nd International SOA Symposium, Rotterdam. 2009 February 2012 - All rights reserved 24
  • 25. Author ▶ Oliver Pfaff oliver.frank.pfaff@gmail.com February 2012 - All rights reserved 25