© 2014 CA. All rights reserved.
OAuth In The Real World
How today’s authorization experts get maximum value from OAuth
K. Scott Morrison, Senior Vice President and Distinguished Engineer
April 2014
Mehdi Medjaoul, Co-Founder & Executive Director of Webshell
Housekeeping
Layer 7: @layer7, layer7.com/blogs, layer7.com
Webshell.io: @Webshell_
Chat questions into the sidebar or use the hashtag #L7webinar
Today’s Talk
 Why OAuth is more than just another security token
 The basic OAuth architecture
 What’s your grant type?
 Token revocation and the implications for scaling
 Managing dangerous windows of opportunity
 Where should tokens reside?
 Scopes, privileges and consent
 OAuth facades over existing IAM systems
 OAuth integration with legacy HTML login pages
Basic OAuth 2.0
(Diagram) Four roles: Client, Authorization Server, Resource Server, Resource Owner. The client acquires tokens from the Authorization Server and uses the access token at the Resource Server.
A Fundamental Shift Is Occurring In Identity and Access Control
(Diagram) The Old Enterprise vs. The New Modern Enterprise. This is the secret to achieving scale and agile federation.
What’s Your Grant Type?
Asking the right questions will lead to the right answer.
Do you need to authenticate the end user?
No: Client Credentials Grant Type
Yes: continue with the next question
What’s Your Grant Type (cont.)?
Do you control the user’s credentials?
Yes: Password Grant Type
No: continue with the next question
What’s Your Grant Type (cont.)?
Can clients keep secrets?
Yes: Authorization Code Grant Type
No: Implicit Flow, response_type=token. These are usually JavaScript clients. Note that you can’t secure clients here!
What Kind Of Scale Are We Talking?
1000s of validated transactions per second
Millions of active sessions
Token Validation and the Question of Revocation
Tokens have a lifetime. But will you ever need to cut this short?
Will you ever need to revoke access tokens?
No: Easy street. Tokens can be signed and self-contained (incl. expiration time, scope, and other attributes).
Yes: Tough road. Tokens need a central validation service.
No Revocation – The Simple Case
Very simple distributed auth architecture
 Authorization Server (AS) keeps refresh tokens locally for issuance of new access tokens
 Resource Server (RS) validates access tokens according to trust model
 Need signed tokens
 Kind of like SAML
(Diagram) Mobile devices, clouds/webapps and informal API-driven integrations reach through the firewall into the enterprise network, which holds the Authorization Server (with its Key DB and Directory) and the Protected Resource Servers; the RS trusts the AS. Callout: refresh tokens only, low transaction rate (eg: 10 mins for each active session).
Revocation – The Much Harder Scenario
More complex distributed architecture
 Authorization Server (AS) keeps refresh and access tokens
 Resource Server (RS) validates access tokens live (various options for this)
 Scalable DB needed
 Security model for token storage
(Diagram) Mobile devices reach through the firewall into the enterprise network; the Authorization Server (Key DB, Directory, Admin) validates each access token for the Protected Resource Servers. This is where scale and reliability become important requirements.
Managing Dangerous Windows of Opportunity
(Timeline diagrams; t = 10 minutes time-to-live for the access token)
No revocation: a token hijacked during the session stays usable until its 10 min time-to-live expires.
With revocation: marks at 4 min, 5 min and 10 min show the token hijack, the revocation of the tokens and the validation cache time-out. Once the RS’s validation cache expires, the revoked token is no longer accepted, so the hijacked token does not survive until its 10 min time-to-live.
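To make the two slides above concrete, the following added example (not from the presentation) models a self-contained HMAC-signed token that a resource server verifies locally, an authorization server that keeps a revocation list, and a resource server that caches the AS verdict; the simulation reports the last second a token is still accepted in each model. Token format, key, class names and the 600 s / 240 s / 300 s timings are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, scope: str, issued_at: int, ttl: int) -> str:
    """Self-contained access token: claims (incl. expiry and scope) plus an HMAC-SHA256 tag.
    Simplified JWT-like layout for the example; a real AS would use a JWS/JWT library."""
    claims = {"sub": subject, "scope": scope, "iat": issued_at, "exp": issued_at + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_self_contained(key: bytes, token: str, now: int):
    """RS-local validation ('easy street'): signature and expiry only, no AS round trip.
    Returns the claims or None. Nothing here can honour a revocation."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64 or bad JSON
        return None
    if now >= claims["exp"]:
        return None
    return claims


class AuthorizationServer:
    """Central validation service ('tough road'): holds the key and the revocation list."""

    def __init__(self, key: bytes):
        self.key = key
        self.revoked = set()

    def revoke(self, token: str) -> None:
        self.revoked.add(token)

    def introspect(self, token: str, now: int):
        if token in self.revoked:
            return None
        return verify_self_contained(self.key, token, now)


class CachingResourceServer:
    """RS that asks the AS live but caches each verdict for cache_ttl seconds,
    trading revocation freshness for transaction rate (the 'validation cache time-out')."""

    def __init__(self, auth_server: AuthorizationServer, cache_ttl: int):
        self.auth_server = auth_server
        self.cache_ttl = cache_ttl
        self._cache = {}  # token -> (cache_expires_at, claims_or_None)

    def validate(self, token: str, now: int):
        entry = self._cache.get(token)
        if entry is None or now >= entry[0]:
            entry = (now + self.cache_ttl, self.auth_server.introspect(token, now))
            self._cache[token] = entry
        claims = entry[1]
        # Expiry is always enforced locally, even on a cache hit.
        if claims is None or now >= claims["exp"]:
            return None
        return claims


def last_accepted(token_ttl: int, revoke_at: int, cache_ttl: int):
    """Present one token every second for its whole lifetime and report the last second it
    is accepted (a) by a self-contained RS and (b) by a caching RS whose AS revokes the
    token at revoke_at. The window after revocation is bounded by cache_ttl, not token_ttl."""
    key = b"constructed-demo-key"
    auth_server = AuthorizationServer(key)
    caching_rs = CachingResourceServer(auth_server, cache_ttl)
    token = issue_token(key, "alice", "records:read", issued_at=0, ttl=token_ttl)
    last_plain = last_caching = None
    for now in range(token_ttl + 1):
        if now == revoke_at:
            auth_server.revoke(token)
        if verify_self_contained(key, token, now) is not None:
            last_plain = now
        if caching_rs.validate(token, now) is not None:
            last_caching = now
    return last_plain, last_caching


if __name__ == "__main__":
    # 10 min token, revoked after 4 min, RS caches AS verdicts for 5 min.
    print(last_accepted(token_ttl=600, revoke_at=240, cache_ttl=300))  # (599, 299)
```

With a 600 s token the self-contained RS keeps accepting until second 599, while the caching RS stops at the first cache refresh after the revocation (second 299 here); shortening cache_ttl shrinks that window at the cost of more AS traffic.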
Where Should The Tokens Reside?
Case 1: Just use a DB
(Diagram) The Authorization Server (Directory, Admin) and the Key DB sit inside the enterprise network behind Firewall 1; the Protected Resource Servers sit behind Firewall 2 and validate tokens against the Key DB.
DB inside secure zone
 Tokens do not reside in DMZ
 Remember: Bearer tokens are dangerous!
 RDBMS vs NoSQL
 Token maintenance issues
 Authorization Server (AS) manages access and refresh tokens using JDBC/ODBC or NoSQL
 Resource Server (RS) validates access tokens using JDBC/ODBC or NoSQL
Where Should The Tokens Reside (cont.)?
Case 2: API server fronting DB
(Diagram) As in Case 1, but the Key DB is reached only through an API server: the Authorization Server uses a CRUD API and the Protected Resource Servers a Validate API.
DB inside secure zone
 Tokens do not reside in DMZ
 Authorization Server (AS) accesses access and refresh tokens using simple CRUD APIs
 Resource Server (RS) validates access tokens using a validation API or OpenID Connect UserInfo
Scopes and Privileges
 Scopes are critical in OAuth
– But developers too often overlook their power
 Attach scope to an access token based on user privileges
– Same endpoint, but different capabilities
 The OpenID Connect UserInfo endpoint is like this
 We are seeing scope being differentiated based on how an access token was acquired
– Eg: If the access token derives from an immediate authentication event, it is of higher relative “value” than if it comes from a refresh
 Continuous authentication is an important trend in security
 Scope is the key to integrating risk-based evaluation, step-up authentication, idle time mgmt, privileged action mgmt, etc
From RFC 6749, section 3.3:
The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued.
Consent
 This remains very black and white
– It is the responsibility of the OAuth (and API) provider to seek consent expression and reflect this in the scopes granted to a session
– You still can’t choose what you agree to
 But watch this space
– This is the new frontier for OAuth and related technologies
(Mock consent dialog) “Do you agree to let application foo: Create / Retrieve / Update / Delete records on your behalf?” with No and Yes buttons.
What We Are Seeing Everywhere:
Proxy Model - OAuth Facades over Legacy IAM Infrastructure
Simple, drop-in virtual or hardware gateway
 Acts as both Authorization Server (AS) and Resource Server (RS)
 Advanced security on all APIs
(Diagram) Mobile devices, clouds/webapps and informal API-driven integrations talk to a SecureSpan Gateway acting as AS, which maps to the internal IAM system, and to a SecureSpan Gateway protecting the RS in front of the protected resources. The token can encapsulate the legacy sessionID, or the gateway can manage the mapping.
AS is mapping to internal security models/tokens:
➠ Simple username/passwd
➠ Kerberos
➠ X.509v3 certificates
➠ SAML, etc
What We Are Seeing Everywhere:
OAuth Integration With Existing Web Authentication
(Diagram) Mobile devices, clouds/webapps and informal API-driven integrations talk to a SecureSpan Gateway acting as AS, which redirects to the existing Web Auth Page (backed by the legacy Directory) and validates the returned session. Protected resources not shown for clarity.
Leverage existing auth pages:
➠ Redirect to web authentication server
➠ Authenticate user, redirect back to OAuth authorization server
➠ Validate returned “legacy” session
➠ Issue standard access and refresh tokens (or encapsulate)
This is interesting because it decouples authentication and consent.
Summary
 You can tell OAuth is mature because its boundaries are being pushed.
 But there is still considerable misunderstanding about how to use OAuth effectively.
 Scalability and reliability remain difficult.
 We highly recommend you use proven solutions rather than trying to cobble together a solution.
Mehdi Medjaoul: @medjawii, OAuth.io, APIscene.com
Are you getting the maximum from OAuth?
(Diagram) Identity provider, identity consumer (application), user.
(Diagram) OAuth provider, OAuth consumer (application), user. The business-value data is concentrated mainly on the provider and the consumer.
(Diagram) OAuth provider, OAuth consumer (application), user. OAuth makes it possible to concentrate the business-value data on the provider side.
The tale of 2 OAuth...
OAuth 1.0/1.0a
- Released in October 2007
- Revised in June 2009 (Revision A)
- Hard to implement with signatures; no expiration of tokens; no control over the level of access requested.
Some implementations have tried to get around these problems, which causes interoperability issues.
OAuth 2.0
- Non-backward-compatible alternative.
- Several drafts between January 2010 and October 2012, when it was published as RFC 6749
- Facebook and many others implemented it before it was final
- OAuth 2.0 is more flexible, with a wide range of non-interoperable implementations
- Less secure than OAuth 1.0, relying on SSL connections rather than signatures to protect the user’s access token
- Easier to implement when developing clients
The tale of too many OAuth...
10 OAuth implementations you can’t guess… that differ from RFC 6749
Facebook:
Refresh token:
grant_type: "refresh_token" => grant_type: "fb_exchange_token"
refresh_token: "{{refresh_token}}" => fb_exchange_token: "{{refresh_token}}"
Scope “notation”: friends_actions.music, friends_actions.video (the separator is “,” instead of “%20”)
Deezer:
client_id -> app_id=...
scope -> perms=email,read_friendlists...
state=... [undocumented]
response_type=code [useless]
“Facebook is the standard”
Google:
More parameter options for the authorization form:
access_type: whether or not a refresh_token is returned
approval_prompt: force the consent popup even if the user is already connected
login_hint: select an account or prefill the email address
include_granted_scopes: add more authorizations (“incremental authorization”)
Foursquare:
- Some OAuth libraries expect to pass the OAuth token as access_token instead of oauth_token, since this is the expectation created by Facebook, at odds with earlier versions of the OAuth spec. We may add support for both parameter names, depending on feedback, but for now know that this may come up.
- No scope.
Salesforce:
Added custom authorization parameters:
immediate: whether the user should be prompted for login and approval
display: template (web, mobile, popup)
login_hint: to prefill an email
prompt: prompt the user for reauthorization or reapproval
The authorization returns custom fields:
- “instance_url”: the API URL bound to a resource server; this is the only way to receive the domain
- a signature: can be used to verify that the identity URL was not modified (id & date signed with a private key)
- issued_at instead of expires_in: Salesforce prefers to give the issue time instead of the expiration duration
- id_token: to support OpenID
UX for creating an app: 4 not-so-easy-to-find mouse clicks between login and the app creation form
VK:
Added authorization parameter v: API version
The authorization returns the user id, which is needed to call the API relative to the authorized user (there is no /me/..., /self/... or the like).
Instead of
access_token: xxx
/user/me?access_token=xxx
you have
access_token: xxx
user_id: yyy
/user/yyy?access_token=xxx
23andMe:
Scope “notation”: profile:write profile:read
Tencent Weibo:
Authorization parameters: Chinese language only
oauth_version=2.a (useless parameter)
Extra: Chinese/English documentation for OAuth 1.0, but Chinese-only documentation for OAuth 2.0
This list is far from exhaustive.
API calls: Authorization
api.provider.com/path/action?access_token=TOKEN
api.provider.com/path/action?oauth_token=TOKEN
api.provider.com/path/action?token=TOKEN
Authorization HTTP header: Bearer TOKEN
Authorization HTTP Header: OAuth TOKEN
Scope
scope=email%20publish
scope=email,publish
scope=email;publish
scope=email:publish
scope=email|publish
scope=read_only or scope=read_write
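The two slides above (token placement and scope separators) are exactly what a resource server has to normalise before it can enforce anything. The following added example, not from the presentation, accepts the token in any of the listed conventions, splits the scope string with the provider's own separator, and checks that the granted scope covers what the endpoint requires; the endpoint policy, token table and api.example host are constructed for the demo.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameter names listed on the slide for carrying the token, in acceptance order.
TOKEN_QUERY_PARAMS = ("access_token", "oauth_token", "token")
# Authorization header schemes seen in the wild ("Bearer" per RFC 6750, "OAuth" at some providers).
TOKEN_HEADER_SCHEMES = ("bearer", "oauth")

# Constructed endpoint-to-scope policy for a hypothetical API.
ENDPOINT_SCOPES = {
    ("GET", "/records"): {"records:read"},
    ("POST", "/records"): {"records:write"},
}

# Constructed introspection data standing in for the AS (space-delimited scope, as in RFC 6749).
DEMO_TOKENS = {
    "tok-read": {"active": True, "scope": "records:read profile"},
    "tok-rw": {"active": True, "scope": "records:read records:write"},
    "tok-old": {"active": False, "scope": "records:read"},
}


def parse_scope(raw: str, separator: str = " ") -> frozenset:
    """Split a scope string with the provider's own separator: space per the RFC, but also
    ',', ';' or '|' in the wild. Whitespace around items is tolerated. Colons are kept,
    so 'profile:write' stays one scope unless the caller names ':' as the separator."""
    return frozenset(part.strip() for part in raw.split(separator) if part.strip())


def extract_token(headers: dict, url: str):
    """Locate the access token using any of the conventions on the slide.
    Returns (token, channel). The header wins over the query string, and the channel is
    reported so query-string tokens (which end up in logs and Referer headers) can be flagged."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() in TOKEN_HEADER_SCHEMES and value.strip():
        return value.strip(), "header"
    query = parse_qs(urlsplit(url).query)
    for name in TOKEN_QUERY_PARAMS:
        if query.get(name) and query[name][0]:
            return query[name][0], "query"
    return None, None


def authorize(method: str, url: str, headers: dict, lookup_token, separator: str = " ") -> dict:
    """Resource-server decision: a token is present, the AS says it is active, and the
    granted scope covers the endpoint's required scope. lookup_token(token) returns the
    AS introspection dict (here: a DEMO_TOKENS entry) or None."""
    token, channel = extract_token(headers, url)
    if token is None:
        return {"allowed": False, "reason": "no_token"}
    info = lookup_token(token)
    if not info or not info.get("active"):
        return {"allowed": False, "reason": "invalid_token"}
    granted = parse_scope(info.get("scope", ""), separator)
    required = ENDPOINT_SCOPES.get((method, urlsplit(url).path), set())
    missing = required - granted
    if missing:
        return {"allowed": False, "reason": "insufficient_scope", "missing": sorted(missing)}
    return {"allowed": True, "channel": channel, "scope": sorted(granted)}


if __name__ == "__main__":
    # A read-only token presented to a write endpoint is refused with the missing scope named.
    print(authorize("POST", "https://api.example/records",
                    {"Authorization": "Bearer tok-read"}, DEMO_TOKENS.get))
```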
The "state" param
● nonexistent (dailymotion, eventbrite...), so you have to put it in the callback
● undocumented (wordpress, deezer...)
● impossible (angelist.co): “fixed callback url”
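The state parameter is the client's CSRF defence for the redirect, which is why its absence matters. This added example (not from the presentation) issues single-use, session-bound, expiring state values, verifies them on the callback, and falls back to carrying the value in the callback URL for providers that drop the parameter; the StateGuard class, endpoint URLs and timings are constructed for the demo.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class StateGuard:
    """Issues single-use, session-bound, expiring 'state' values and checks them on return.
    In-memory store for the example; a real app keeps this in the server-side session."""

    def __init__(self, ttl: int = 600):
        self.ttl = ttl
        self._pending = {}  # state -> (session_id, expires_at)

    def begin(self, session_id: str, now: int) -> str:
        # Drop expired entries so abandoned flows do not accumulate.
        self._pending = {s: v for s, v in self._pending.items() if now < v[1]}
        state = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, now + self.ttl)
        return state

    def finish(self, session_id: str, state, now: int) -> bool:
        """True only if this exact state was issued to this session and is still fresh.
        pop() makes it single-use, so a replayed callback is rejected."""
        if not state:
            return False
        entry = self._pending.pop(state, None)
        if entry is None:
            return False
        owner, expires_at = entry
        return owner == session_id and now < expires_at


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, provider_supports_state: bool) -> str:
    """Authorization request. When the provider lacks 'state' (the slide's 'nonexistent' case)
    the value rides inside redirect_uri instead. That only works where the provider allows a
    query string on the callback; with a fixed callback URL ('impossible') there is no place for it."""
    params = {"response_type": "code", "client_id": client_id, "scope": scope}
    if provider_supports_state:
        params["redirect_uri"] = redirect_uri
        params["state"] = state
    else:
        joiner = "&" if "?" in redirect_uri else "?"
        params["redirect_uri"] = redirect_uri + joiner + urlencode({"state": state})
    return authorize_endpoint + "?" + urlencode(params)


def state_from_callback(callback_url: str):
    """Read the state back from the URL the provider redirected to (either convention)."""
    return parse_qs(urlsplit(callback_url).query).get("state", [None])[0]


def redirect_uri_from(authorize_url: str) -> str:
    """Helper for the example: the redirect_uri a provider would send the user back to."""
    return parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]


if __name__ == "__main__":
    guard = StateGuard()
    state = guard.begin("sess-1", now=0)
    url = build_authorize_url("https://provider.example/oauth/authorize", "cid",
                              "https://app.example/cb", "email", state, provider_supports_state=False)
    # The provider ignores state, but it comes back to us inside the callback URL.
    print(guard.finish("sess-1", state_from_callback(redirect_uri_from(url)), now=60))  # True
```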
What you should not tell yourself about OAuth
- “OAuth is not so hard to understand”
- “It will be easier to do it in this non-standard way”
- “Developers just have to read our documentation”
April fool: Introducing OAuth 3.0
- “0 token” paradigm
- No more secret key, everything public
The huge majority did not understand…
Even if you are right, 3rd party developers will be lost… because other providers already did it wrong before you.
“From a design perspective, documentation is a bug, not a feature”
It is the most important, but the last, place to find information.
Devil’s in the details.
OAuth.io: 100+ providers unified and simplified
To retrieve your token
- Register on oauth.io
- Click on the OAuth provider you want in the list
- Share your credentials
- Click on “try me”
That’s it, you have your token, 90 seconds after signup.
And for generating the popup?
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('facebook', function(err) {
  if (err) {
    // do something with error
  }
});
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('twitter', function(err) {
  if (err) {
    // do something with error
  }
});
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('salesforce', function(err) {
  if (err) {
    // do something with error
  }
});
OAuth.initialize("OAUTHIO_KEY");
OAuth.popup('yourcompany', function(err) {
  if (err) {
    // do something with error
  }
});
And for deeper API calls?
OAuth.popup('twitter', function(err, res) {
  if (err) {
    // do something with error, then stop: res is not usable on error
    return;
  }
  // res wraps the provider's API with the token already applied
  res.get('/1.1/account/verify_credentials.json')
    .done(function(data) {
      alert('Hello ' + data.name);
    });
});
No need to call your own server, sign your API request and send it back.
No more access token management: it’s now completely abstracted.
It feels lighter, right?
For web and mobile.
Open source: oauthd, for an on-premises implementation to consume your own OAuth: https://github.com/oauth-io/oauthd
Easy contribution process, with a small JSON to fill in on GitHub.
Questions?
Scott.Morrison@ca.com
@KScottMorrison
slideshare.net/CAinc
linkedin.com/KScottMorrison
ca.com
K. Scott Morrison
Distinguished Engineer
© Copyright CA 2013. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective
companies. No unauthorized use, copying or distribution permitted.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the
information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event
will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost
investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or
obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or
(ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or
functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this
presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major
product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support
on a when and if-available basis.
CA API Management
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
Adam Lewis
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
RightScale
 
Design Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionDesign Practices for a Secure Azure Solution
Design Practices for a Secure Azure Solution
Michele Leroux Bustamante
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Hitachi, Ltd. OSS Solution Center.
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricSpiffy
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security Stack
Twobo Technologies
 

Similar to OAuth in the Real World featuring Webshell (20)

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure API
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
Design Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionDesign Practices for a Secure Azure Solution
Design Practices for a Secure Azure Solution
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security Stack
 

More from CA API Management

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
CA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
CA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
CA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
CA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
CA API Management
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
CA API Management
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
CA API Management
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?
CA API Management
 
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureMapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
CA API Management
 
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
CA API Management
 
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
CA API Management
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
CA API Management
 

More from CA API Management (19)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?
 
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureMapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
 
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
 
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
 

Recently uploaded

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 

Recently uploaded (20)

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 

OAuth in the Real World featuring Webshell

  • 10. 10 © 2014 CA. All rights reserved. Token Validation and the Question of Revocation Will you ever need to revoke access tokens? No Yes Easy street Tough Road Tokens have a lifetime. But will you ever need to cut this short? Tokens can be signed and self- contained (incl. expiration time, scope, and other attributes). Tokens need a central validation service
  • 11. No Revocation – The Simple Case
    Very simple distributed auth architecture
     Authorization Server (AS) keeps refresh tokens locally for issuance of new access tokens
     Resource Server (RS) validates access tokens according to the trust model
     Need signed tokens
     Kind of like SAML
    Diagram: Enterprise Network behind a Firewall; informal, API-driven integrations from Mobile Devices, Clouds, Webapps, etc.; Authorization Server with Key DB and Directory; Protected Resource Servers trust the AS. Only refresh tokens come back to the AS, so the transaction rate is low (e.g. once every 10 mins for each active session).
  • 12. Revocation – The Much Harder Scenario
    More complex distributed architecture
     Authorization Server (AS) keeps refresh and access tokens
     Resource Server (RS) validates access tokens live (various options for this)
     Scalable DB needed
     Security model for token storage
    Diagram: Enterprise Network behind a Firewall; Mobile Devices; Authorization Server with Key DB, Directory and Admin; Protected Resource Servers validate against the AS. This is where scale and reliability become important requirements.
  • 13. Managing Dangerous Windows of Opportunity
    Timeline, t = 10 minutes time-to-live for the access token.
    No revocation: after a token hijack, the stolen token stays valid until it expires at 10 min.
    With revocation: token hijack at 4 min, tokens revoked at 5 min; the stolen token is still accepted until the validation cache times out, before the 10 min expiry.
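To make the two validation models on slides 10 to 13 concrete, here is an added Python example (mine, not code from the CA/Layer 7 deck). It assumes a constructed HMAC signing key shared by AS and RS, a 600 s token lifetime, and a per-resource-server validation cache, and it simulates how long a stolen token remains usable under each model.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by AS and RS (assumption; a managed key in real deployments).
SIGNING_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Case "No revocation" (slide 11): signed, self-contained token, no server-side state.
def issue_self_contained_token(subject, scope, ttl, now):
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_self_contained_token(token, now):
    """RS checks signature and expiry locally. Returns the claims, or None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
    except ValueError:  # malformed base64 in the signature part
        return None
    claims = json.loads(_unb64(body))
    return None if now >= claims["exp"] else claims


# Case "Revocation" (slides 12 and 13): opaque token, central validation, RS-side cache.
class AuthorizationServer:
    """Keeps every live access token so it can answer validation queries and revoke."""

    def __init__(self):
        self._tokens = {}

    def issue(self, subject, scope, ttl, now):
        token = secrets.token_urlsafe(32)  # opaque: the RS cannot interpret it alone
        self._tokens[token] = {"sub": subject, "scope": scope, "exp": now + ttl}
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def validate(self, token, now):
        claims = self._tokens.get(token)
        return None if claims is None or now >= claims["exp"] else claims


class ResourceServer:
    """Asks the AS, but reuses a positive answer for cache_ttl seconds."""

    def __init__(self, auth_server, cache_ttl):
        self._as, self._cache_ttl, self._cache = auth_server, cache_ttl, {}

    def accepts(self, token, now):
        entry = self._cache.get(token)  # (claims, cached_at)
        if entry and now - entry[1] < self._cache_ttl and now < entry[0]["exp"]:
            return entry[0]  # served from cache: a revocation at the AS is not seen yet
        claims = self._as.validate(token, now)
        if claims is None:
            self._cache.pop(token, None)
        else:
            self._cache[token] = (claims, now)
        return claims


# Slide 13 timelines: the last second at which a stolen token is still accepted.
def last_accepted_self_contained(ttl, hijack_at):
    token = issue_self_contained_token("alice", "read", ttl, now=0)
    last = -1
    for t in range(hijack_at, ttl + 1):
        if validate_self_contained_token(token, t) is not None:
            last = t
    return last


def last_accepted_central(ttl, hijack_at, revoke_at, cache_ttl):
    auth = AuthorizationServer()
    rs = ResourceServer(auth, cache_ttl)
    token = auth.issue("alice", "read", ttl, now=0)
    last = -1
    for t in range(ttl + 1):  # the token is presented every second, keeping the cache warm
        if revoke_at is not None and t == revoke_at:
            auth.revoke(token)
        if rs.accepts(token, t) is not None and t >= hijack_at:
            last = t
    return last


if __name__ == "__main__":
    print("self-contained, hijack at 240 s: usable until", last_accepted_self_contained(600, 240))
    print("central, revoke at 300 s, 90 s cache: usable until", last_accepted_central(600, 240, 300, 90))
    print("central, revoke at 300 s, no cache: usable until", last_accepted_central(600, 240, 300, 0))
```

With these numbers the self-contained token stays usable for its whole remaining lifetime (until t = 599 s), while under central validation a revocation at 300 s is only felt once the RS cache entry expires: the window left open after revocation is exactly the cache TTL, which is the knob slide 13 is about. Note also that a cache that does not check the cached expiry would keep accepting a token past its lifetime, which is why accepts() checks exp on cached entries too.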
  • 14. Where Should The Tokens Reside?
    Case 1: Just use a DB
    Diagram: Enterprise Network; Firewall 1; Authorization Server (Directory, Admin, Key DB) validates; Firewall 2; Protected Resource Servers; DB inside the secure zone.
     Tokens do not reside in the DMZ
     Remember: Bearer tokens are dangerous!
     RDBMS vs NoSQL
     Token maintenance issues
     Authorization Server (AS) manages access and refresh tokens using JDBC/ODBC or NoSQL
     Resource Server (RS) validates access tokens using JDBC/ODBC or NoSQL
  • 15. Where Should The Tokens Reside (cont.)?
    Case 2: API server fronting DB
    Diagram: Enterprise Network; Firewall 1; Authorization Server (Directory, Admin, Key DB); Firewall 2; Protected Resource Servers; an API server (Validate, Key, CRUD) in front of the DB inside the secure zone.
     Tokens do not reside in the DMZ
     Authorization Server (AS) accesses access and refresh tokens using simple CRUD APIs
     Resource Server (RS) validates access tokens using a validation API or OpenID Connect UserInfo
  • 16. Scopes and Privileges
     Scopes are critical in OAuth
      – But developers too often overlook their power
     Attach scope to an access token based on user privileges
      – Same endpoint, but different capabilities
     The OpenID Connect UserInfo endpoint is like this
     We are seeing scope being differentiated based on how an access token was acquired
      – Eg: if the access token derives from an immediate authentication event, it is of higher relative “value” than if it comes from a refresh
     Continuous authentication is an important trend in security
     Scope is the key to integrating risk-based evaluation, step-up authentication, idle time mgmt, privileged action mgmt, etc
    Quoted from RFC 6749 §3.3: “The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued.”
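An added Python example (mine, not the deck's) of the scope ideas on slide 16: the authorization server narrows the requested scope to the user's privileges, keeps a high-value scope only when the token stems from a recent immediate authentication rather than a refresh, and the resource server decides what the same endpoint may do from the scope it sees. The privilege table, the scope names and the 300 s freshness window are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed policy tables (assumptions for this example).
PRIVILEGE_SCOPES = {
    "user": {"profile:read"},
    "manager": {"profile:read", "reports:read"},
    "admin": {"profile:read", "reports:read", "users:write"},
}
# Scopes that must derive from an immediate authentication event, never from a refresh.
STEP_UP_SCOPES = {"users:write"}
FRESH_AUTH_MAX_AGE = 300  # seconds since the resource owner actually authenticated


@dataclass(frozen=True)
class AccessToken:
    subject: str
    scope: frozenset
    auth_time: int    # when the resource owner last authenticated
    exp: int
    via_refresh: bool


def parse_scope(scope_param: str) -> set:
    """RFC 6749 'scope' request parameter: a space-delimited list."""
    return {s for s in scope_param.split(" ") if s}


def format_scope(scope) -> str:
    """'scope' response parameter, so the client learns what it actually got."""
    return " ".join(sorted(scope))


def grant_scope(requested, privilege: str, via_refresh: bool, auth_age: int) -> frozenset:
    """Narrow the request to what this user may hold, then drop step-up scopes
    unless the token derives from a fresh, immediate authentication."""
    allowed = PRIVILEGE_SCOPES.get(privilege, set())
    granted = set(requested) & allowed
    if via_refresh or auth_age > FRESH_AUTH_MAX_AGE:
        granted -= STEP_UP_SCOPES
    return frozenset(granted)


def issue_token(subject, privilege, scope_param, now, auth_time, via_refresh=False, ttl=600):
    scope = grant_scope(parse_scope(scope_param), privilege, via_refresh, now - auth_time)
    return AccessToken(subject, scope, auth_time, now + ttl, via_refresh)


def refresh_token(token: AccessToken, privilege: str, now: int, ttl=600) -> AccessToken:
    """A refreshed token keeps the original auth_time and is marked as refresh-derived."""
    return issue_token(token.subject, privilege, format_scope(token.scope), now,
                       token.auth_time, via_refresh=True, ttl=ttl)


def authorize_call(token: AccessToken, required_scope: str, now: int):
    """Resource server side: same endpoint, capability decided by scope.
    Returns (HTTP status, error hint) using the RFC 6750 error names."""
    if now >= token.exp:
        return 401, "invalid_token"
    if required_scope in token.scope:
        return 200, "ok"
    if required_scope in STEP_UP_SCOPES:
        return 403, "insufficient_scope: step-up authentication required"
    return 403, "insufficient_scope"
```

The resource server never looks at the user's role; the role has already been folded into the scope at issuance, so a token obtained through a refresh simply lacks users:write and the endpoint answers with an insufficient_scope hint that tells the client to re-authenticate the user.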
  • 17. Consent
     This remains very black and white
      – It is the responsibility of the OAuth (and API) provider to seek consent expression and reflect this in the scopes granted to a session
      – You still can’t choose what you agree to
     But watch this space
      – This is the new frontier for OAuth and related technologies
    Mock consent dialog: “Do you agree to let application foo  Create  Retrieve  Update  Delete records on your behalf?” [No] [Yes]
  • 18. What We Are Seeing Everywhere: Proxy Model - OAuth Facades over legacy IAM Infrastructure
    Simple, drop-in virtual or hardware gateway
     Acts as both Authorization Server (AS) and Resource Server (RS)
     Advanced security on all APIs
    Diagram: Enterprise Network; informal, API-driven integrations from Mobile Devices, Clouds, Webapps, etc.; SecureSpan Gateway as AS in front of the IAM System; SecureSpan Gateway protecting the RS in front of the Protected Resources. The token can encapsulate the legacy sessionID, or the gateway can manage the mapping.
    The AS maps to internal security models/tokens:
      ➠ Simple username/passwd
      ➠ Kerberos
      ➠ X.509v3 certificates
      ➠ SAML, etc
  • 19. What We Are Seeing Everywhere: OAuth Integration With Existing Web Authentication
    Diagram: Enterprise Network; informal, API-driven integrations from Mobile Devices, Clouds, Webapps, etc. (Protected Resources not shown for clarity); SecureSpan Gateway as AS redirects to the Web Auth Page, which authenticates against the Legacy Directory; the gateway validates the returned session.
    Leverage existing auth pages:
      ➠ Redirect to web authentication server
      ➠ Authenticate user, redirect back to OAuth authorization server
      ➠ Validate returned “legacy” session
      ➠ Issue standard access and refresh tokens (or encapsulate)
    This is interesting because it decouples authentication and consent.
  • 20. Summary
     You can tell OAuth is mature because its boundaries are being pushed.
     But there is still considerable misunderstanding about how to use OAuth effectively.
     Scalability and reliability remain difficult.
     We highly recommend you use proven solutions rather than trying to cobble together a solution.
  • 22. Are you getting the maximum from OAuth? OAuth.io @medjawii
  • 28. The business value data is concentrated mainly on the provider and the consumer.
    Diagram: OAuth provider, OAuth consumer (Application), User.
  • 29. OAuth makes it possible to concentrate the business value data on the provider side.
  • 30. The tale of 2 OAuth...
  • 31. OAuth 1.0/1.0a
    - Released in October 2007
    - Revised in June 2009 (Revision A)
    - Hard to implement because of signatures, no expiration of tokens, no control over the level of access requested. Some implementations have tried to get around these problems, which causes interoperability issues.
  • 32. OAuth 2.0
    - Non-backward-compatible alternative.
    - Several drafts between January 2010 and October 2012, when it was published as RFC 6749
    - Facebook and many others implemented it before it was final
    - OAuth 2.0 is more flexible, hence a wide range of non-interoperable implementations
    - Less secure than OAuth 1.0, relying on SSL connections rather than signatures to protect the user’s access token
    - Easier to set up when developing clients
  • 33. The tale of 2 OAuth...
  • 34. The tale of too many OAuth...
  • 35. 10 OAuth implementations you can’t guess… that differ from RFC 6749
  • 36. Facebook: refresh token
      grant_type: "refresh_token" => grant_type: "fb_exchange_token"
      refresh_token: "{{refresh_token}}" => fb_exchange_token: "{{refresh_token}}"
    Scope “notation”: friends_actions.music, friends_actions.video (the separator is a “,” instead of “%20”)
  • 37. Deezer
      client_id -> app_id=...
      scope -> perms=email,read_friendlists...
      state=... [not documented]
      response_type=code [useless]
    “Facebook is the standard”
  • 38. Google: more parameter options for the authorization form
      access_type: choose whether a refresh_token is sent or not
      approval_prompt: force the popup even if we are already connected
      login_hint: select an account or prefill the email address
      include_granted_scopes: add more authorizations (“incremental authorization”)
  • 39. Foursquare
    - “Some OAuth libraries expect to pass the OAuth token as access_token instead of oauth_token, since this is the expectation created by Facebook, at odds with earlier versions of the OAuth spec. We may add support for both parameter names, depending on feedback, but for now know that this may come up.”
    - No scope.
  • 40. Salesforce
    Added custom authorization parameters:
      immediate: whether the user should be prompted for login and approval
      display: template (web, mobile, popup)
      login_hint: prefill an email
      prompt: prompt the user for reauthorization or reapproval
    The authorization returns custom fields:
      - “instance_url”: the API URL bound to a resource server; this is the only way to receive the domain
      - a signature: can be used to verify the identity URL was not modified (id & date signed with a private key)
      - issued_at instead of expires_in: Salesforce prefers to give the issue time instead of the expiration duration
      - id_token: to support OpenID
    UX for creating an app: 4 not-so-easy-to-find mouse clicks between login & the app creation form
  • 41. VK
    Added authorization parameter v: API version
    The authorization returns the user id, which is needed to call the API relative to the authorized user (there is no /me/..., /self/... or the like).
    Instead of:
      access_token: xxx
      /user/me?access_token=xxx
    you have:
      access_token: xxx
      user_id: yyy
      /user/yyy?access_token=xxx
  • 42. 23andMe
    Scope “notation”: profile:write profile:read
  • 43. Tencent Weibo
    Authorization parameters: Chinese language only
    oauth_version=2.a (useless parameter)
    Extra: Chinese/English documentation for OAuth 1.0 but Chinese-only documentation for OAuth 2.0
  • 44. And this was just a non-exhaustive list.
  • 47. The "state" param
    ● nonexistent (Dailymotion, Eventbrite...) so you have to put it in the callback
    ● undocumented (WordPress, Deezer...)
    ● impossible (angelist.co): “fixed callback url”
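The state parameter on slide 47 is the client's CSRF binding: it ties the callback to the browser session that started the flow, so an attacker cannot make a victim's browser complete a flow the attacker began. The following Python is an added example (not from the talk) of the usual handling plus the workaround the slide mentions for providers that have no state at all, carrying the nonce in the redirect_uri instead. The endpoint URL, client id and the session dict are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope,
                            session, provider_supports_state=True):
    """Start an authorization code flow; 'session' is the client's server-side
    session store (a dict here). A fresh nonce is kept there for the callback."""
    nonce = secrets.token_urlsafe(24)
    session["oauth_nonce"] = nonce
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": " ".join(scope),  # RFC 6749 scope notation: space-delimited
    }
    if provider_supports_state:
        params["redirect_uri"] = redirect_uri
        params["state"] = nonce
    else:
        # Provider ignores 'state' (the Dailymotion/Eventbrite case on the slide):
        # the only place left to carry the nonce is the callback URL itself. This
        # requires a provider that accepts a variable redirect_uri, so it cannot
        # work with a fixed callback URL.
        params["redirect_uri"] = redirect_uri + "?" + urlencode({"s": nonce})
    return authorize_endpoint + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Return the authorization code only if the callback carries the nonce this
    session issued; the nonce is consumed so a callback cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    received = (query.get("state") or query.get("s") or [None])[0]
    expected = session.pop("oauth_nonce", None)  # one-shot, whatever the outcome
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return None
    if "error" in query:
        return None  # e.g. access_denied: do not proceed to the token exchange
    return (query.get("code") or [None])[0]
```

Whichever channel carries the nonce, the check is the same: the value that comes back must equal the one stored in this user's session, and a mismatch or a missing value stops the flow before any code is exchanged for a token.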
  • 48. What you should not tell yourself about OAuth
    - “OAuth is not so hard to understand”
    - “It will be easier to do it in this non-standard way”
    - “Developers just have to read our documentation”
  • 49. April fool: Introducing OAuth 3.0
    - “0 token” paradigm
    - No more secret key, everything public
    The huge majority did not understand...
  • 50. What you should not tell yourself about OAuth
    - “OAuth is not so hard to understand”
    - “It will be easier to do it in this non-standard way”
    - “Developers just have to read our documentation”
  • 51. Even if you are right, 3rd-party developers will be lost… because other providers already did it wrong before you.
  • 52. What you should not tell yourself about OAuth
    - “OAuth is not so hard to understand”
    - “It will be easier to do it in this non-standard way”
    - “Developers just have to read our documentation”
  • 53. “From a design perspective, documentation is a bug, not a feature”
    It is the most important, but the last, place to find information.
  • 57. 100+ providers unified and simplified
  • 59. - Register on oauth.io
    - Click on the OAuth provider you want in the list
    - Share your credentials
    - Click on “try me“
    That’s it, you have your token, 90 seconds after signup.
  • 66. OAuth.io
      OAuth.popup('twitter', function(err, res) {
        if (err) {
          // do something with the error, then stop: res is undefined on failure
          return
        }
        res.get('/1.1/account/verify_credentials.json')
          .done(function(data) {
            alert('Hello ' + data.name)
          })
      })
  • 67. OAuth.io
      OAuth.popup('twitter', function(err, res) {
        if (err) {
          // do something with the error, then stop: res is undefined on failure
          return
        }
        res.get('/1.1/account/verify_credentials.json')
          .done(function(data) {
            alert('Hello ' + data.name)
          })
      })
    No need to call your own server to sign your API request and send it back.
    No more access token management; it’s now completely abstracted.
    It feels lighter, right?
  • 68. For web and mobile
  • 69. Open source: oauthd, for on-premises deployments to consume your own OAuth: https://github.com/oauth-io/oauthd
    Easy contribution process, with a small JSON file to fill in on GitHub.
  • 72. Notices. Copyright © 2014 CA. All rights reserved. © Copyright CA 2013. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.