OAuth 2.0 Reference Model for API Management

Sumedha Rubasinghe
Senior Architect, WSO2 API Manager Team
About WSO2

๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
What we Deliver

What we will cover...

● Main concepts in OAuth 2.0 model
● How WSO2 supports OAuth 2.0 based API Management?
● OAuth 2.0 based extensions in WSO2 API Management solution

Web (based) APIs

● https://www.facebook.com/sam.jason/photos
● http://api-public.netflix.com/catalog/titles/movies/60021896
● many more..

Pre OAuth Era ..

How do I know for sure?

Pre OAuth Era ..

Pre OAuth Era ..

No control over password storage.
Complete access to user account.
Applications can be compromised.
Changing password can break many apps.
Requires password reset to revoke.
OAuth 2.0 - in a nutshell..

“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service…”

- OAuth 2.0 Specification, http://tools.ietf.org/html/rfc6749

WSO2 API Manager

● Complete API Management Platform
  ○ API Publishing
  ○ API Store
  ○ Subscription Mgt
  ○ Token Management
  ○ Throttling
  ○ Statistics
  ○ Scalable Deployment
  ○ OAuth 2.0 based
● Apache v2 Licensed
● Built on top of proven WSO2 components
  ○ Enterprise Service Bus
  ○ Identity Server
  ○ Governance Registry
● http://docs.wso2.org/display/AM160/WSO2+API+Manager
OAuth 2.0 - Definitions

● Resource Owner
  ○ Entity (end user) capable of granting access to a resource
  ○ FB user (entity) -> https://www.facebook.com/search/me/friends (resource)
● Resource Server (https://www.facebook.com)
  ○ Server hosting protected resources
  ○ Capable of accepting and responding to resource requests
● Client (FB application)
  ○ Application making requests to access protected resources
● Authorization Server (can be same as Resource Server)
  ○ Server issuing access tokens to the client
OAuth 2.0 Protocol Flow

http://tools.ietf.org/html/rfc6749

Authorization Grants

Authorization Code
Web Server Apps

● End user visits auth page
  ○ response_type=code
● End user is redirected to your site with auth code
  ○ http://yoursite.com/?code=xxxxxx
● Web Server exchanges Auth Code for an Access Token
  ○ POST /token
    code=xxxxxx&grant_type=authorization_code

Authorization Code

Authorization Code

Access Token from Auth Code

http://docs.wso2.org/display/AM160/Token+API

Access Token Response

Implicit Grant
Browser based Apps

● Browser based apps
  ■ no server side code
  ■ browser makes API requests directly
● User visits a page
  ○ response_type=token
● User is redirected to your site with access token
  ○ http://yoursite.com/#token=xxxxxx
● Token is only available to browser (only in fragment)

Implicit Grant - Syntax
Browser based Apps

http://docs.wso2.org/display/AM160/Token+API
Password Grant
Trusted Applications

● Only by trusted clients
  ○ Apps & APIs - by same enterprise / First party Apps

http://docs.wso2.org/display/AM160/Token+API
Client Credentials
Applications

● Application level access
● Application has
  ○ client_id (consumer key)
  ○ client_secret (consumer secret)
● Server uses client_id & client_secret to obtain access token
  ○ POST /token
    grant_type=client_credentials&client_id=XXXX&client_secret=YYYY

Client Credentials

http://docs.wso2.org/display/AM160/Token+API
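The two token-endpoint exchanges on the slides above, the authorization code grant for web server apps and the client credentials grant for applications, as one small in-memory authorization server. This is an added example, not WSO2 API Manager's code; the client registrations, secrets, redirect URIs and lifetimes are constructed placeholders.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed client registrations (consumer key / consumer secret pairs);
# every value here is a placeholder, not a real credential.
CLIENTS = {
    "web-app-1": {"client_secret": "s3cret-web",
                  "redirect_uris": {"https://yoursite.example/callback"}},
    "batch-job-1": {"client_secret": "s3cret-batch", "redirect_uris": set()},
}
CODE_TTL = 60      # seconds an authorization code stays redeemable
TOKEN_TTL = 3600   # access token lifetime, reported as expires_in


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    user: str
    scope: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be tested
        self.codes = {}     # code -> AuthCode
        self.tokens = {}    # access token -> issued-token record

    def authorize(self, client_id, redirect_uri, user, scope, state):
        """Authorization endpoint, response_type=code: after the end user
        approves, redirect back to the *registered* redirect_uri with a
        short-lived, single-use code bound to this client and redirect_uri."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, redirect_uri, user, scope, self.now())
        # state is echoed back unchanged so the client can tie the callback
        # to the request it started (protects the callback against CSRF)
        return f"{redirect_uri}?code={code}&state={state}"

    def _authenticate_client(self, form):
        client = CLIENTS.get(form.get("client_id", ""))
        secret = form.get("client_secret", "")
        if client is None or not hmac.compare_digest(client["client_secret"], secret):
            raise ValueError("invalid_client")

    def _issue_token(self, client_id, user, scope):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "user": user, "scope": scope,
                              "expires_at": self.now() + TOKEN_TTL}
        return {"token_type": "bearer", "access_token": token,
                "expires_in": TOKEN_TTL, "scope": scope}

    def token(self, form):
        """POST /token for the two grants the slides show."""
        self._authenticate_client(form)
        grant = form.get("grant_type")
        if grant == "authorization_code":
            ac = self.codes.get(form.get("code", ""))
            if ac is None or ac.used or self.now() - ac.issued_at > CODE_TTL:
                raise ValueError("invalid_grant")
            # the code may only be redeemed by the client it was issued to,
            # presenting the same redirect_uri it was delivered to
            if ac.client_id != form["client_id"] or ac.redirect_uri != form.get("redirect_uri"):
                raise ValueError("invalid_grant")
            ac.used = True  # a replayed code is rejected from now on
            resp = self._issue_token(ac.client_id, ac.user, ac.scope)
            resp["refresh_token"] = secrets.token_urlsafe(32)
            return resp
        if grant == "client_credentials":
            # application-level access: no resource owner, so no refresh token
            return self._issue_token(form["client_id"], None, form.get("scope", ""))
        raise ValueError("unsupported_grant_type")


def parse_callback(url):
    """Client side: read code and state from the redirect URL's query string
    (with the implicit grant they would sit in the fragment instead)."""
    q = parse_qs(urlsplit(url).query)
    return q["code"][0], q["state"][0]


def token_or_error(server, form):
    """Convenience wrapper: the token response dict, or the OAuth error code."""
    try:
        return server.token(form)
    except ValueError as err:
        return str(err)
```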
  
Mobile Applications

● Use ‘implicit’ grant type
  ○ (similar to browser based apps)
● Mobile App directly does API calls
● No client (mobile app) secret
● Native App -> Browser based call

Mobile Apps
Facebook Login
https://developers.facebook.com/docs/facebook-login/

Grant Type Summary

● authorization_code
  ○ Web Server based applications
● implicit
  ○ Browser based applications, Mobile Apps
● password
  ○ username/password based access
● client_credentials
  ○ Applications (with no need of user level authorization)

Extensions to Grant Types

● SAML2 Bearer Tokens -> OAuth2

Accessing APIs

Query Parameter
Access token in HTTP Header
Access Token Lifecycle

● Active
● Revoked
● Expired
● In-Active

Refreshing an expired token

http://docs.wso2.org/display/AM160/Token+API
Bearer Tokens

● Security Considerations
  ○ Relies on transport level security (HTTPS)
  ○ No cryptographic verification
● Security Recommendations
  ○ Use HTTPS (always) & verify SSL Certificates
  ○ Protect Bearer tokens
  ○ Choose token lifetime wisely
  ○ Do not persist tokens unnecessarily

MAC Tokens

● Provides cryptographic verification of request

Limiting Access through ‘scope’

● ‘scope’ -> specifies what can be done with the access token
● Specified at the point of obtaining the access token
● space delimited, comma delimited string
● eg: Facebook Extended Permissions
  ○ https://developers.facebook.com/docs/reference/login/extended-permissions/

“scope” - Facebook Example

https://developers.facebook.com/docs/reference/login/extended-permissions/

“scope” - Facebook Example

“scope” - Facebook Example

“scope” - Token Request Syntax

https://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=APP_URL&scope=read_friendlists,read_mailbox
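The resource-server side of the Accessing APIs, Access Token Lifecycle, Bearer Tokens and scope slides in one check: pull the bearer token from the header or the query parameter, map it to Active / Revoked / Expired / In-Active, then enforce a per-resource scope. Added example, not WSO2 API Manager code; the token table, resource paths and required scopes are constructed.

```python
import time

# Lifecycle states from the slides; "inactive" covers tokens the server never
# issued or has already purged.
ACTIVE, REVOKED, EXPIRED, INACTIVE = "active", "revoked", "expired", "inactive"

# Constructed token store standing in for the key manager's token table.
# Tokens are opaque bearer strings; expiry times are placeholder Unix seconds.
TOKENS = {
    "tok-alice-ok":   {"user": "alice", "scope": "read_friendlists,read_mailbox",
                       "expires_at": 2_000_000_000, "revoked": False},
    "tok-bob-old":    {"user": "bob", "scope": "read_mailbox",
                       "expires_at": 1_000_000_000, "revoked": False},
    "tok-carol-gone": {"user": "carol", "scope": "read_mailbox",
                       "expires_at": 2_000_000_000, "revoked": True},
}

# Resource-level authorization: the scope each protected resource requires
# (scope names as on the Facebook slides; the mapping itself is constructed).
REQUIRED_SCOPE = {
    "/me/friends": "read_friendlists",
    "/me/inbox": "read_mailbox",
    "/me/photos": "user_photos",
}


def parse_scope(scope_str):
    """Scope strings arrive space- or comma-delimited; normalise to a set."""
    return {s for s in scope_str.replace(",", " ").split() if s}


def extract_bearer(headers, query):
    """Take the token from the Authorization header first. A token passed as a
    query parameter is accepted too but reported, since URLs end up in access
    logs, proxies and Referer headers."""
    auth = headers.get("Authorization", "")
    if auth[:7].lower() == "bearer ":
        return auth[7:].strip(), "header"
    if "access_token" in query:
        return query["access_token"], "query"
    return None, None


def token_state(record, now):
    if record is None:
        return INACTIVE
    if record["revoked"]:
        return REVOKED           # revocation wins even if not yet expired
    if now >= record["expires_at"]:
        return EXPIRED           # the client should refresh rather than retry
    return ACTIVE


def authorize_request(path, headers, query, now=None):
    """Gateway decision for one API call, returned as (HTTP status, reason).
    401 = no usable token (client must obtain or refresh one); 403 = the token
    is live but its scope does not cover this resource."""
    now = time.time() if now is None else now
    token, where = extract_bearer(headers, query)
    if token is None:
        return 401, "missing_token"
    state = token_state(TOKENS.get(token), now)
    if state != ACTIVE:
        return 401, "token_" + state
    needed = REQUIRED_SCOPE.get(path)
    if needed is None:
        return 404, "unknown_resource"
    if needed not in parse_scope(TOKENS[token]["scope"]):
        return 403, "insufficient_scope"
    return 200, ("ok" if where == "header" else "ok_token_in_query")
```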
  

Extensions based on OAuth Model

● API Invocation Statistics Collection
● Access Throttling

WSO2 API Manager

Subscription Management

Token Management

Resource Level Authorization

Tier based Throttling

Statistics

Business Model

Contact us !
WSO2
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
WSO2
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
WSO2
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
WSO2
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
WSO2
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2
 

More from WSO2 (20)

Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the CloudWSO2CON 2024 - Elevating the Integration Game to the Cloud
WSO2CON 2024 - Elevating the Integration Game to the Cloud
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 

Recently uploaded

Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 

Recently uploaded (20)

Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 

OAuth based reference architecture for API Management

• 1. OAuth 2.0 Reference Model for API Management
Sumedha Rubasinghe, Senior Architect, WSO2 API Manager Team

• 2. About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0
๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C
๏ Driven by innovation
๏ Launched the first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and the first open source Mobile solution in 4Q 2013

• 4. What we will cover...
● Main concepts in the OAuth 2.0 model
● How WSO2 supports OAuth 2.0 based API Management
● OAuth 2.0 based extensions in the WSO2 API Management solution

• 5. Web (based) APIs
● https://www.facebook.com/sam.jason/photos
● http://api-public.netflix.com/catalog/titles/movies/60021896
● many more..

• 6. Pre OAuth Era ..
How do I know for sure?

• 7. Pre OAuth Era ..

• 8. Pre OAuth Era ..
The application holds the user's own credentials, so:
● No control over password storage.
● Complete access to the user account.
● Applications can be compromised.
● Changing the password can break many apps.
● Requires a password reset to revoke access.

• 9. OAuth 2.0 - in a nutshell..
"The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service..."
- OAuth 2.0 Specification, http://tools.ietf.org/html/rfc6749

• 10. WSO2 API Manager
● Complete API Management platform
○ API Publishing
○ API Store
○ Subscription Mgt
○ Token Management
○ Throttling
○ Statistics
○ Scalable Deployment
○ OAuth 2.0 based
● Apache v2 licensed
● Built on top of proven WSO2 components
○ Enterprise Service Bus
○ Identity Server
○ Governance Registry
● http://docs.wso2.org/display/AM160/WSO2+API+Manager

• 11. OAuth 2.0 - Definitions
● Resource Owner
○ Entity (end user) capable of granting access to a resource
○ FB user (entity) -> https://www.facebook.com/search/me/friends (resource)
● Resource Server (https://www.facebook.com)
○ Server hosting protected resources
○ Capable of accepting and responding to resource requests
● Client (FB application)
○ Application making requests to access protected resources
● Authorization Server (can be the same as the Resource Server)
○ Server issuing access tokens to the client

• 12. OAuth 2.0 Protocol Flow
(Figure 1, "Abstract Protocol Flow", of http://tools.ietf.org/html/rfc6749)
• 14. Authorization Code (Web Server Apps)
● End user visits the auth page
○ response_type=code
● End user is redirected to your site with an auth code
○ http://yoursite.com/?code=xxxxxx
● Web server exchanges the auth code for an access token (authenticating with its client credentials and repeating the redirect_uri, RFC 6749 §4.1.3)
○ POST /token
  code=xxxxxx&grant_type=authorization_code
• 17. Access Token from Auth Code
http://docs.wso2.org/display/AM160/Token+API
• 19. Implicit Grant (Browser based Apps)
● Browser based apps
■ no server side code
■ browser makes API requests directly
● User visits a page
○ response_type=token
● User is redirected to your site with the access token in the URL fragment (parameter name access_token, RFC 6749 §4.2.2)
○ http://yoursite.com/#access_token=xxxxxx
● Token is only available to the browser (the fragment is never sent to the server)
• 20. Implicit Grant - Syntax (Browser based Apps)
http://docs.wso2.org/display/AM160/Token+API

• 21. Password Grant (Trusted Applications)
● Only for trusted clients, since the client sees the user's password
○ Apps & APIs by the same enterprise / first-party apps
http://docs.wso2.org/display/AM160/Token+API
• 22. Client Credentials (Applications)
● Application level access
● Application has
○ client_id (consumer key)
○ client_secret (consumer secret)
● Server uses client_id & client_secret to obtain an access token
○ POST /token
  grant_type=client_credentials&client_id=XXXX&client_secret=YYYY
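The two token-endpoint exchanges on slides 14 and 22, worked through as an added example. This is not WSO2 API Manager code: the client registry, the authorize endpoint URL, the client id and secret are all made up for the example. The server-side checks are the ones RFC 6749 §4.1 and §4.4 call for: client authentication, an exact redirect_uri match, short-lived single-use codes (with revocation of the token a replayed code already produced), and a `state` value the client verifies on the callback.

```python
"""In-memory OAuth 2.0 token endpoint for the authorization_code and
client_credentials grants (added example; not WSO2 API Manager code).
Client registry, endpoint URLs and secrets below are hypothetical."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client registry. A confidential client has a secret and
# exactly one registered redirect_uri.
CLIENTS = {
    "web-app-1": {"secret": "s3cr3t", "redirect_uri": "https://yoursite.example/cb"},
}
AUTH_CODE_TTL = 60      # seconds; RFC 6749 4.1.2 recommends a short code lifetime
ACCESS_TOKEN_TTL = 3600

_codes = {}    # code -> {client_id, redirect_uri, scope, issued, token}
_tokens = {}   # access token -> {client_id, scope, expires}


def authorize_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Client side, step 1: the link the end user visits (response_type=code)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"


def issue_code(client_id, redirect_uri, scope, state):
    """Authorization server, step 2: after the user consents, redirect back with
    a code. The redirect_uri must match the registration exactly, otherwise the
    code could be delivered to an attacker-controlled site."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "scope": scope, "issued": time.time(), "token": None}
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def parse_callback(url, expected_state):
    """Client side, step 3: pull the code off the redirect; refuse a wrong
    state (the CSRF check from RFC 6749 10.12)."""
    query = parse_qs(urlparse(url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no code in callback")
    return query["code"][0]


def _authenticate_client(client_id, client_secret):
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    return client


def _mint_token(client_id, scope, now):
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"client_id": client_id, "scope": scope,
                      "expires": now + ACCESS_TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL, "scope": scope}


def token_endpoint(form, now=None):
    """POST /token. `form` is the parsed x-www-form-urlencoded body.
    Returns the JSON body the server would send (RFC 6749 5.1 / 5.2)."""
    now = time.time() if now is None else now
    client_id = form.get("client_id", "")
    if _authenticate_client(client_id, form.get("client_secret", "")) is None:
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        # Application-level access: no resource owner involved (slide 22).
        return _mint_token(client_id, form.get("scope", ""), now)
    if grant == "authorization_code":
        rec = _codes.get(form.get("code", ""))
        if rec is None or rec["client_id"] != client_id \
                or rec["redirect_uri"] != form.get("redirect_uri") \
                or now - rec["issued"] > AUTH_CODE_TTL:
            return {"error": "invalid_grant"}
        if rec["token"] is not None:
            # Code replayed: RFC 6749 4.1.2 says revoke what it already produced.
            _tokens.pop(rec["token"], None)
            return {"error": "invalid_grant"}
        resp = _mint_token(client_id, rec["scope"], now)
        rec["token"] = resp["access_token"]   # marks the code as used
        return resp
    return {"error": "unsupported_grant_type"}


def token_is_valid(token, now=None):
    """What a resource server would ask: does this token exist and is it unexpired?"""
    now = time.time() if now is None else now
    rec = _tokens.get(token)
    return rec is not None and now < rec["expires"]
```

The client compares `state` on the callback before it touches the code; without that check an attacker can complete the flow in the victim's browser with a code bound to the attacker's account.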
• 24. Mobile Applications (Mobile Apps)
● Use the 'implicit' grant type
○ (similar to browser based apps)
● Mobile app directly does API calls
● No client (mobile app) secret, since anything embedded in the app can be extracted
● Native App -> browser based call
(Later guidance: RFC 8252, OAuth 2.0 for Native Apps, recommends the authorization code grant via the system browser instead of implicit.)
• 26. Grant Type Summary
● authorization_code
○ Web server based applications
● implicit
○ Browser based applications, mobile apps
● password
○ username/password based access
● client_credentials
○ Applications (with no need for user level authorization)

• 27. Extensions to Grant Types
● SAML2 Bearer Tokens -> OAuth2 (exchange a SAML 2.0 assertion for an access token; later standardized as RFC 7522)
• 28. Accessing APIs
● Query parameter (?access_token=...; RFC 6750 §2.3 discourages this, because the token ends up in server logs, browser history and Referer headers)
● Access token in the HTTP header (Authorization: Bearer <token>, RFC 6750 §2.1; the preferred method)
• 29. Access Token Lifecycle
● Active
● Revoked
● Expired
● In-Active

• 30. Refreshing an expired token
http://docs.wso2.org/display/AM160/Token+API
• 31. Bearer Tokens
● Security considerations
○ Relies on transport level security (HTTPS)
○ No cryptographic verification: whoever holds the token can use it
● Security recommendations
○ Use HTTPS (always) & verify SSL certificates
○ Protect bearer tokens
○ Choose token lifetime wisely
○ Do not persist tokens unnecessarily
• 32. MAC Tokens
● Provides cryptographic verification of the request: the client signs each request with a key tied to the token, so a captured token alone cannot be replayed (specified in an IETF draft, draft-ietf-oauth-v2-http-mac, that was never finalized)
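What "cryptographic verification of the request" means in practice, as an added example rather than code from the slides or from WSO2. It is a simplified scheme after the expired IETF MAC-token draft: the normalized request string and the header layout are this example's own, not the draft's exact format, and the token id and key are constructed values. The server recomputes the MAC from the request it actually received, checks a timestamp window, and rejects a nonce it has already accepted.

```python
"""Request signing with a MAC access token (added example; not WSO2 code).
Simplified after the expired IETF draft 'OAuth 2.0 Message Authentication
Code (MAC) Tokens': the normalized string and header layout are this
example's own, not the draft's exact format."""
import base64
import hashlib
import hmac
import re
import secrets
import time

# Hypothetical: token id -> MAC key, handed out by the token endpoint with the id.
MAC_KEYS = {"h480djs93hd8": b"adiFxxp4VgsDRnCS6ItQu3wDzXtcAy"}
CLOCK_SKEW = 300          # seconds of timestamp drift tolerated
_seen_nonces = set()      # (id, nonce) pairs already accepted; blocks replay

_ATTR = re.compile(r'(\w+)="([^"]*)"')


def _normalized(ts, nonce, method, uri, host, port):
    # Everything the server will recompute is bound into the MAC, otherwise a
    # captured signature could be reused for a different request.
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port)]) + "\n"


def _mac(key, text):
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha256).digest()).decode()


def sign_request(mac_id, key, method, uri, host, port, ts=None, nonce=None):
    """Client side: build the Authorization header for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = _mac(key, _normalized(ts, nonce, method, uri, host, port))
    return f'MAC id="{mac_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def verify_request(auth_header, method, uri, host, port, now=None):
    """Resource server side: (accepted?, reason). The MAC is recomputed from
    the request as received, so a tampered URI or method fails."""
    now = int(time.time()) if now is None else now
    if not auth_header.startswith("MAC "):
        return False, "not a MAC header"
    attrs = dict(_ATTR.findall(auth_header[4:]))
    try:
        mac_id, ts, nonce, mac = attrs["id"], int(attrs["ts"]), attrs["nonce"], attrs["mac"]
    except (KeyError, ValueError):
        return False, "malformed header"
    key = MAC_KEYS.get(mac_id)
    if key is None:
        return False, "unknown id"
    if abs(now - ts) > CLOCK_SKEW:
        return False, "timestamp outside window"
    expected = _mac(key, _normalized(ts, nonce, method, uri, host, port))
    if not hmac.compare_digest(expected, mac):
        return False, "bad mac"
    if (mac_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces.add((mac_id, nonce))
    return True, "ok"
```

The nonce set only has to cover the clock-skew window: anything older is rejected by the timestamp check first, so the server can expire entries after `CLOCK_SKEW` seconds rather than keeping them forever.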
• 33. Limiting Access through 'scope'
● 'scope' -> specifies what may be done with the access token
● Specified at the point of obtaining the access token
● Space-delimited string per RFC 6749 §3.3 (Facebook's API also accepts a comma-delimited list)
● eg: Facebook Extended Permissions
○ https://developers.facebook.com/docs/reference/login/extended-permissions/
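How an API gateway applies slides 28, 29, 30 and 33 on the resource side, as an added example that is not WSO2 API Manager code: the token is taken from the Authorization header only (a token in the query string is refused for the logging reasons given on slide 28), each token has one of the lifecycle states from slide 29, a refresh rotates the pair and revokes the old access token, and the API's required scope is checked before the request is forwarded. The in-memory store, client id and token values are constructed for the example.

```python
"""Gateway-side handling of bearer tokens (added example; not WSO2 API
Manager code): token extraction, the lifecycle states from slide 29, the
refresh exchange from slide 30 and the scope check from slide 33. The
in-memory store and the token values are constructed for the example."""
import secrets
import time
from urllib.parse import parse_qs, urlparse

ACCESS_TTL = 3600
REFRESH_TTL = 14 * 86400

_access = {}    # access token  -> {client_id, scope(set), expires, revoked}
_refresh = {}   # refresh token -> {client_id, scope(str), access, expires, revoked}


def issue(client_id, scope, now=None):
    """Stand-in for the token endpoint response: an access/refresh pair."""
    now = time.time() if now is None else now
    at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[at] = {"client_id": client_id, "scope": set(scope.split()),
                   "expires": now + ACCESS_TTL, "revoked": False}
    _refresh[rt] = {"client_id": client_id, "scope": scope, "access": at,
                    "expires": now + REFRESH_TTL, "revoked": False}
    return {"access_token": at, "refresh_token": rt, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "scope": scope}


def revoke(access_token):
    rec = _access.get(access_token)
    if rec is not None:
        rec["revoked"] = True


def token_state(access_token, now=None):
    """Lifecycle from slide 29: active, revoked, expired, or inactive (unknown)."""
    now = time.time() if now is None else now
    rec = _access.get(access_token)
    if rec is None:
        return "inactive"
    if rec["revoked"]:
        return "revoked"
    if now >= rec["expires"]:
        return "expired"
    return "active"


def extract_bearer(headers, url):
    """Take the token from the Authorization header only. RFC 6750 2.3 allows
    ?access_token=, but query strings end up in access logs, proxy logs,
    browser history and Referer headers, so this gateway refuses them."""
    if "access_token" in parse_qs(urlparse(url).query):
        return None, "token_in_query_string"
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None, "missing_bearer"
    return value.strip(), None


def authorize_request(headers, url, required_scope, now=None):
    """Gateway decision: (HTTP status, error code for WWW-Authenticate).
    200 means the request may be forwarded to the backend API."""
    now = time.time() if now is None else now
    token, _reason = extract_bearer(headers, url)
    if token is None:
        return 401, "invalid_request"
    if token_state(token, now) != "active":
        # expired, revoked and unknown tokens all look the same to the caller
        return 401, "invalid_token"
    if required_scope not in _access[token]["scope"]:
        return 403, "insufficient_scope"
    return 200, None


def refresh(refresh_token, client_id, now=None):
    """grant_type=refresh_token (slide 30): hand out a fresh pair and retire
    the old one, so a refresh token that has been used cannot be used again."""
    now = time.time() if now is None else now
    rec = _refresh.get(refresh_token)
    if rec is None or rec["revoked"] or rec["client_id"] != client_id \
            or now >= rec["expires"]:
        return {"error": "invalid_grant"}
    rec["revoked"] = True
    revoke(rec["access"])
    return issue(client_id, rec["scope"], now)
```

Returning the same `invalid_token` error for expired, revoked and unknown tokens keeps the gateway from confirming to a caller which tokens exist; the distinction stays in the store for operators and audit.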
• 34. "scope" - Facebook Example
https://developers.facebook.com/docs/reference/login/extended-permissions/

• 35. "scope" - Facebook Example

• 36. "scope" - Facebook Example

• 37. "scope" - Token Request Syntax
https://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=APP_URL&scope=read_friendlists,read_mailbox

• 38. Extensions based on OAuth Model
● API Invocation Statistics Collection
● Access Throttling