Nordic APIs - Building a Secure API

The document discusses the JSON-based Identity Protocol Suite, which defines standards for JSON Web Tokens (JWTs), JSON Web Encryption (JWE), JSON Web Keys (JWK), and JSON Web Signatures (JWS). JWTs are compact tokens passed in HTTP that contain claims and can be signed or encrypted. JWE defines how to encrypt JWTs using symmetric or asymmetric encryption. JWK defines public key representations in JSON. JWS defines how to digitally sign JWTs using symmetric or asymmetric signatures. These standards are defined by the IETF and provide a common way to securely transmit identity and authorization data.

Transforming organizations into platforms

Synergies of Cloud Identity: Putting it All Together

Designing an API

The document discusses API design choices and trends. It covers the history of APIs from early CGI and COM/CORBA standards to modern RESTful approaches. It also discusses targeting the right audience for an API and whether to focus on aggregation by combining multiple APIs or allowing mashups. The document advocates for RESTful design using hypermedia and HTTP verbs at higher levels of the Richardson maturity model. It notes that as an API grows more advanced, aggregation of other APIs becomes necessary but also very challenging.

OAuth and OpenID Connect for Microservices

The document discusses using OAuth and OpenID Connect to secure microservices. It describes how OAuth allows for scalable delegation of access across services. OpenID Connect builds on OAuth to also return identity information to clients in a JSON Web Token (JWT), allowing for single sign-on. The document recommends using OAuth/OIDC to authenticate users centrally and issuing JWTs to microservices, translating tokens through an API gateway for service-to-service communication.

The document discusses how to integrate OAuth into mobile apps for security purposes. It provides an overview of OAuth basics, including the actors (client, authorization server, resource server, resource owner), common flows, and use of JSON Web Tokens. It also discusses related standards like SCIM, SAML, and OpenID Connect, with OAuth serving as the meta-protocol for handling tokens across these different approaches. The goal is to explain how OAuth addresses old security requirements and solves new problems in a standardized way for modern app development.

Authorization The Missing Piece of the Puzzle

XACML (eXtensible Access Control Markup Language) is an OASIS standard for defining and interpreting access control policies across multiple security domains. It provides a policy language and request/response protocol for making authorization decisions based on attributes. XACML policies can be defined in terms of attributes for subjects, resources, actions, and the environment, allowing for fine-grained and context-aware access control (ABAC). The XACML architecture separates policy enforcement from decision making and includes policy administration, information, and retrieval points.

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

This is a session given by Jacob Ideskog at Nordic APIs 2016 Platform Summit on October 25th, in Stockholm Sweden. Description: In this talk Jacob Ideskog (Identity Expert at Twobo Technologies) address the growing need to secure the emerging devices accessible over the Internet. The Internet of Things has many interpretations, but the common denominator is that there will be a vast number of connected devices, and nobody (almost) want’s those hacked.

Secure your APIs using OAuth 2 and OpenID Connect

Session held by Travis Spencer at PayEx and Nordic APIs event "Secure, flexible and modern APIs for Payments" event in Oslo, May 10th. Description: When opening up secure APIs, OAuth 2 and OpenID Connect are the primary standards being used today. Implementing and using these standards can be challenging. In this session, Travis Spencer, CEO of Twobo Technologies, will provide an in-depth overview of these standards and explain how they can be integrated into financial services apps. The overview will include information on: The actors involved in OAuth and OpenID Connect The flows used in the standards What grant types are, which are defined, and the message exchanges of each What scopes are and examples of their use Different classes of tokens and how they are used Overview of the OpenID Foundation’s work in the Financial API WG Attendees will leave with: An overview of OAuth 2 and OpenID Connect Knowledge of the basics necessary to using these standards Resources and information sources where more information can be found

Launching a Successful and Secure API

1400 ping madsen-nordicapis-connect-01

This document discusses potential applications and extensions of OpenID Connect and the OAuth 2.0 protocol. It speculates about how OpenID Connect could be used for native single sign-on, mobile information management to encrypt sensitive data on devices, and providing identity capabilities for internet of things devices to authenticate to APIs on behalf of users. The document also outlines proposals for standardizing an authorization agent concept to enable single sign-on across native apps and considers how OpenID Connect could define profiles for new domains like CoAP to support internet-connected devices.

Open APIs - Risks and Rewards (Øredev 2013)

Introducing Open APIs and the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack and how Twitters API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev 7 november 2013 in Malmö Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Integrated social solutions, the power and pitfalls of mashups

OpenID Connect Explained

Vladimir Dzhuvinov

OpenID Connect 101 @ OpenID TechNight vol.11

Security Cas And Open Id

ConSanFrancisco123

The document discusses security and identity for web applications. It introduces Ruby CAS and OpenID as solutions for centralized authentication. CAS is described as a private, Java-based central authentication service, while OpenID is a public standard for decentralized authentication using vendors. Ruby gems like ruby-openid and rubycas-client allow integrating OpenID and CAS into Rails applications. Other authentication options like LDAP and NTLM are also mentioned briefly.

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

1. The document discusses OAuth 2.0 and OpenID Connect for API access control and authorization. It provides a brief history of OAuth and describes the core specification and response types. 2. The core specification defines two response types - code and token. The code response type uses authorization codes to obtain access tokens in a two-step process, while the token response type returns access tokens directly. 3. The document also covers token types, notably the bearer token which transmits no signature or secret and is commonly used for API access. It notes that some providers may not follow the latest OAuth draft specifications strictly.

Windows azure media services overview

Guada Casuso

This document outlines various media partners that work with a company to either build technology into their platform or build additional solutions on top of the platform. It lists categories of partners including those for ingestion, encoding, content protection, origin, CDN, ISVs, broadcasters, and clients/devices. It also distinguishes between partners that offer do-it-yourself options versus third party solutions.

AT&T 2012 DevLab Speech API Deep Dive

Michael Owens

The document discusses the AT&T Speech API, which provides speech recognition services. It describes how the API works, including submitting audio files for transcription and receiving a JSON response. It also provides instructions for developers to get started, including signing up for an API key and examples of making authentication requests and posting audio files. Code samples are shown for capturing audio, making POST requests to submit it for transcription, and receiving the transcription response.

Troubleshooting Novell Access Manager 3.1

Novell

In this session Novell technical support engineers will cover best practices guidelines for functionality and performance to proactively avoid problems in Novell Access Manager. They will discuss architecture issues and cover the flow of operation of key Access Manager components. Finally, they will describe key troubleshooting tips and tools to enable you to proactively avoid common issues, and solve them more quickly should they occur. Speaker: Neil Cashell Technical Support Engineer

OAuth & OpenID Connect Deep Dive

Hitachi, Ltd. OSS Solution Center.

Why Assertion-based Access Token is preferred to Handle-based one?

This document discusses the differences between assertion-based access tokens and handle-based access tokens in OAuth 2.0. Assertion-based tokens are parsable tokens like JWTs that contain user and client information, while handle-based tokens are opaque references. Assertion-based tokens have advantages for performance and scalability but require cryptographic protection, while handle-based tokens require validation through the authorization server. The document then examines scenarios where handle-based tokens could cause problems, such as with multiple authorization servers, and outlines secure validation steps for assertion-based tokens.

PKI in today's landscape (Mauritius - Siddick)

Siddick Elaheebocus

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

The document discusses stateless authentication using OAuth 2.0 and JSON Web Tokens (JWT). It begins with an introduction to OAuth 2.0, including its roles, common grant types like authorization code and implicit grants. It then discusses how JWT can be used to achieve statelessness by encoding claims in the token that are signed and can be verified without storing state on the authorization server. The document provides examples of what a JWT looks like and considerations for using JWT in applications.

Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...

Edureka!

Secure Your REST API (The Right Way)

Stormpath

Microservice Websites (microXchg 2017)

Gustaf Nilsson Kotte

This document discusses developing websites with multiple teams using a microservice approach. It proposes having each service have its own frontend to enable continuous delivery, decentralized governance, and good mobile performance. Integration is done through transclusion, where one service can include static resources like HTML fragments from another service. Server-side transclusion of resources is preferred for performance. Services should not rely on global client-side dependencies.

What's hot

Incorporating OAuth: How to integrate OAuth into your mobile app

Authorization The Missing Piece of the Puzzle

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

Secure your APIs using OAuth 2 and OpenID Connect

Launching a Successful and Secure API

1400 ping madsen-nordicapis-connect-01

Open APIs - Risks and Rewards (Øredev 2013)

Integrated social solutions, the power and pitfalls of mashups

OpenID Connect Explained

Vladimir Dzhuvinov

OpenID Connect 101 @ OpenID TechNight vol.11

Security Cas And Open Id

ConSanFrancisco123

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

Windows azure media services overview

Guada Casuso

AT&T 2012 DevLab Speech API Deep Dive

Michael Owens

Troubleshooting Novell Access Manager 3.1

Novell

OAuth & OpenID Connect Deep Dive

Hitachi, Ltd. OSS Solution Center.

Why Assertion-based Access Token is preferred to Handle-based one?

PKI in today's landscape (Mauritius - Siddick)

Siddick Elaheebocus

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...

Edureka!

What's hot (20)

Incorporating OAuth: How to integrate OAuth into your mobile app

Authorization The Missing Piece of the Puzzle

OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)

Secure your APIs using OAuth 2 and OpenID Connect

Launching a Successful and Secure API

1400 ping madsen-nordicapis-connect-01

Open APIs - Risks and Rewards (Øredev 2013)

Integrated social solutions, the power and pitfalls of mashups

OpenID Connect Explained

OpenID Connect 101 @ OpenID TechNight vol.11

Security Cas And Open Id

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

Windows azure media services overview

AT&T 2012 DevLab Speech API Deep Dive

Troubleshooting Novell Access Manager 3.1

OAuth & OpenID Connect Deep Dive

Why Assertion-based Access Token is preferred to Handle-based one?

PKI in today's landscape (Mauritius - Siddick)

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Azure Virtual Network Tutorial | Azure Virtual Machine Tutorial | Azure Train...

Viewers also liked

Secure Your REST API (The Right Way)

Stormpath

Microservice Websites (microXchg 2017)

Gustaf Nilsson Kotte

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

The document discusses best practices for securing APIs and identifies three key areas: parameterization, identity, and cryptography. It notes that APIs have a larger attack surface than traditional web apps due to more direct parameterization. It recommends rigorous input and output validation, schema validation, and constraining HTTP methods and URIs. For identity, it advises using real security tokens like OAuth instead of API keys alone. It also stresses the importance of proper cryptography, like using SSL everywhere and following best practices for key management and PKI. The overall message is that APIs require different security practices than traditional web apps.

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

The document discusses authentication and authorization architectures for microservices. It describes using OpenAM for centralized authentication and authorization across microservices. Tokens like access tokens, refresh tokens and ID tokens are used to authenticate service-to-service calls in a stateless manner. The document outlines approaches for different tiers of microservices and integrating OpenAM with Cloud Foundry.

Calling an OAuth 1.0a API from an OAuth 2.0 API

Travis Spencer

The document describes how an OAuth 2.0 protected service can call an OAuth 1.0a protected Twitter API. It involves the service obtaining an access token from Twitter by redirecting the user through Twitter's OAuth 1.0a authorization process. The service then uses the access token to call the Twitter API on behalf of the user. When a third-party OAuth 2.0 client calls the service, it provides an access token issued by the service's OAuth 2.0 authorization server to access the user's Twitter data through the intermediate service.

Design Beautiful REST + JSON APIs

Stormpath

Les Hazlewood, Stormpath co-founder and CTO and the Apache Shiro PMC Chair demonstrates how to design a beautiful REST + JSON API. Includes the principles of RESTful design, how REST differs from XML, tips for increasing adoption of your API, and security concerns. Presentation video: https://www.youtube.com/watch?v=5WXYw4J4QOU More info: http://www.stormpath.com/blog/designing-rest-json-apis Further reading: http://www.stormpath.com/blog Sign up for Stormpath: https://api.stormpath.com/register Stormpath is a user management and authentication service for developers. By offloading user management and authentication to Stormpath, developers can bring applications to market faster, reduce development costs, and protect their users. Easy and secure, the flexible cloud service can manage millions of users with a scalable pricing model.

Twobo LDAP Attribute Store for ADFS

The document discusses the limitations of using non-Windows LDAP servers with ADFS and introduces the Twobo LDAP Attribute Store as an alternative. It allows ADFS to authenticate to and retrieve attributes from LDAP directories without Windows authentication by supporting simple and anonymous binding. The Twobo store is open source but also commercially supported. The document provides instructions for configuring and using the Twobo store within ADFS rules and policies.

Who’s Knocking? Identity for APIs, Web and Mobile

This document discusses identity management for APIs, web, and mobile applications. It begins with an overview of trends in cloud computing and APIs. It then discusses how traditional network security is inadequate for these new architectures and that identity has become the new perimeter. The document outlines recommendations for an API identity strategy, including implementing OAuth 2.0 for authorization instead of passwords and leveraging an identity provider to apply enterprise security policies to cloud applications and APIs. It recommends architects design for interoperability across multiple devices, users, locations, and protocols.

Stateless authentication for microservices

Alvaro Sanchez-Mariscal

This talk is about how to secure your frontend+backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your frontend application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend. Video available at https://skillsmatter.com/skillscasts/6058-stateless-authentication-for-microservices

Public and private APIs: differences and challenges

Restlet

Magento database diagram

Tuyến Trần

Tjänsteplattform i mtg - 2014 02-05

Advania

I den här presentationen diskuteras begreppet tjänsteplattform, e-tjänsteplattform, "kommunal tjänsteplattform" och vad den plattformen egentligen behöver innehålla för att svara upp mot en hållbar e-utveckling. Med hållbar avses här att göra rätt från början, att inte måla in sig i ett hörn, att inte hamna i en återvändsgränd - bara för att man inte hade hela bilden klart för sig när man startade. Och det går att börja smått, ändå. Med enkla e-tjänster.

2. Day 2 - Identify and SSO

Huy Pham

This document provides an overview of identity management options in Office 365 and describes the Synchronized Identity Model (DirSync), Federated Identity Model (SSO), and key considerations for each. It compares the models based on organization size and capabilities like single sign-on and management of credentials. The Synchronized Identity Model uses Azure Active Directory Connect to synchronize on-premises directories with Azure AD. The Federated Identity Model implements Security Assertion Markup Language for single sign-on using federation servers like Active Directory Federation Services.

SäKerhet I MolnenPredrag Mitrovic

Samtrafiken - Lessons learned from Trafiklab

Criticality of identity

State of APIs: Now & Next

Andreas Krohn

Sveriges radio nordic apis 21 mars 2013

Sveriges Radio's API grew organically from the needs of external developers to access RSS feeds of podcasts. It was initially created to support an iPhone app but later an Android app. An official launch was held in 2010 and word spread within the organization. Work began in 2012 to create a more useful and standardized API while loosening the connection to internal apps. The current API version 2 is used by multiple external developers and Sveriges Radio apps are being migrated to it. While there are no immediate plans for version 3, the future includes evaluating real needs and continued education within the organization on the benefits of an open API.

Java Aktuell Bernd Zuther Canary Releases mit der Very Awesome Microservices ...

Bernd Zuther

Bau dein eigenes extreme feedback device

Bernd Zuther

Unit Testing, Extreme Programming, Refactoring, Continuous Integration, das Agile Manifest – all das waren Meilensteine auf dem Weg zur modernen Softwareentwicklung. Doch wie behält man immer alle Aktivitäten auf dem Schirm – etwa, wenn man wissen möchte, ob der Build Server einem kurz vor dem nächsten Release einen Strich durch die Rechnung macht? Gut ist es deshalb, wenn man ein sogenanntes Extreme Feedback Device besitzt, dass uns den Status des Build Server direkt visualisiert. In diesem Vortrag wird es darum gehen, wie man ein Extreme Feedback Device selber bauen kann. Dabei werden die folgenden Themen besprochen, wie reengineert man einen USB Treiber und was muss man tun, um einen Microcontroller, wie z.B. einen Arduino, dazu benutzen ein solches Gerät selber zu bauen.

Viewers also liked (20)

Secure Your REST API (The Right Way)

Microservice Websites (microXchg 2017)

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

An Authentication and Authorization Architecture for a Microservices World

Calling an OAuth 1.0a API from an OAuth 2.0 API

Design Beautiful REST + JSON APIs

Twobo LDAP Attribute Store for ADFS

Who’s Knocking? Identity for APIs, Web and Mobile

Stateless authentication for microservices

Public and private APIs: differences and challenges

Magento database diagram

Tjänsteplattform i mtg - 2014 02-05

2. Day 2 - Identify and SSO

SäKerhet I Molnen

Samtrafiken - Lessons learned from Trafiklab

Criticality of identity

State of APIs: Now & Next

Sveriges radio nordic apis 21 mars 2013

Java Aktuell Bernd Zuther Canary Releases mit der Very Awesome Microservices ...

Bau dein eigenes extreme feedback device

Similar to Nordic APIs - Building a Secure API

OAuth in the Real World featuring Webshell

Find out how today’s authorization experts are getting maximum value from OAuth OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.

OAuth 101 & Secure APIs 2012 Cloud Identity Summit

Brian Campbell

Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...

CIS13: Mobile Single Sign-On: Extending SSO Out to the Client

CloudIDSummit

This document discusses extending single sign-on (SSO) capabilities to mobile clients. It proposes using OAuth and OpenID Connect to implement cross-application SSO on mobile devices while distinguishing between the device, user, and individual apps. A key challenge is the isolation of apps and data on mobile operating systems, which this solution aims to address through a native SDK and centralized management of tokens. The overall architecture features device registration, requesting access tokens via JSON Web Tokens to enable SSO, and administration of tokens.

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Akana

The document discusses API security and outlines the SOA Software API platform. It describes the evolution of digital channels from client-server/web applications to web services to APIs. It then covers various aspects of API security like authentication, authorization, OAuth, message security, threat protection, content filtering, rate limiting. Finally, it provides an overview of the capabilities of the SOA Software API platform for securing APIs across the lifecycle.

Platform Security that will Last for Decades (Travis Spencer)

The document discusses building a secure platform for the future. It predicts that identity will be the number one impediment to security with the rise of more devices. The document proposes building upon open standards like OAuth, OpenID Connect, and SCIM to create a future-proof security architecture with an identity management system and API management system. This architecture would be ready to support changes like new communication protocols for internet and IoT, ensuring security lasts for decades to come.

Over the Air 2011 Security Workshop

Ericsson Labs

CIS 2015- Beyond Federation Protocols- Praerit Garg

CloudIDSummit

The document discusses the evolution of federated identity protocols over the past 10+ years. While OAuth 2.0 is now widely adopted for federating web identities, the document argues that federation protocols alone are not sufficient. It suggests that applications also need ways to: 1) scope trust with federated identity providers, 2) provision access for federated identities, and 3) enable collaboration across federated identities. The document calls on the audience to build on existing work and find standards-based solutions to make these capabilities easier.

Leveraging open banking specifications for rigorous API security – What’s in...

Rogue Wave Software

Presented at APIdays Paris. API security is the principal concern when it comes to establishing a trusted API ecosystem. Rightly so, because opening up business systems through APIs by definition expands the attack surface that can be exploited. Although many threat vectors and vulnerabilities are well known, we have to remain on the lookout for new threats continuously. On the positive side, open standards that help defend against security threats are constantly being created and refined. What is even more helpful are the specifications that aggregate relevant standards into a comprehensive API security profile. Excellent examples of these are the current specifications that support open banking initiatives like UK Open Banking and PSD2. Could these specifications not have a wider applicability? In other words, would we be able to benefit from the security guidelines captured in these specifications in other verticals like logistics, retail, energy, healthcare and government, too? In this talk, we will compare security guidelines covered in the specifications and see to what extent they may benefit the wider enterprise API developer community.

API Security: Securing Digital Channels and Mobile Apps Against Hacks

Akana

More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the surface area for potential attack by hackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security or mobile application security.

5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...

This document discusses why APIs must be part of a mobile strategy and provides 5 reasons: 1) Firewalls make accessing APIs difficult due to changing clients and back-end systems, 2) Authentication, authorization, and single sign-on are important for mobile access but challenging, 3) Local app single sign-on is desirable without the negatives of a VPN, 4) Mobile OS isolation silos data and prevents sharing credentials, 5) Users need a way to logout if their device is lost or stolen. It then describes a solution of a native single sign-on SDK for mobile developers to address these problems using OAuth, OpenID Connect, and managing users, apps, and devices securely.

Bridging the Enterprise and the Cloud from Layer 7

Identity and Client Management using OpenID Connect and SAML

pqrs1234

Mulesoft

Melissa Narvaez

MuleSoft is a leading provider of integration solutions. It has over 100,000 developers using its platform and is used by 3,200+ companies including 35% of Fortune 500 companies. MuleSoft provides an open source integration platform (Mule) that is lightweight, scalable, and cloud-ready. It allows for rapid innovation by connecting applications and data sources across clouds and on-premises systems.

Identity 2.0 and User-Centric Identity

Oliver Pfaff

Spellpoint - Securing Access for Microservices

Ubisecure

Soa And Web Services Security

ConSanFrancisco123

The document discusses top security issues related to web services. It summarizes the background and credentials of the speaker on web services security. The speaker discusses four main issues: 1) Not spending enough on application security 2) Knowing applicable security standards 3) Using message-level security as defined in standards like WS-Security 4) Using XML encryption to encrypt parts of messages. The speaker advocates balancing security spending based on where organizations allocate IT budgets. Standards like WS-Security, SAML and XML encryption are presented as ways to address threats like spoofing and information disclosure for web services.

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...

APIsecure_ Official

Web Architecture - Mechanism and Threats

Sumedt Jitpukdebodin

This document discusses web architecture, mechanisms, and threats. It describes the basic components of web architecture including HTML, HTTP, URIs, cookies, and the three-tier architecture. It also outlines some common web attacks like injection, XSS, and CSRF. Finally, it discusses security controls at the application layer through input validation, authentication, and sessions management and at the network layer using firewalls, IDS, WAF, and centralized logging.

API Security and OAuth for the Enterprise