Find out how today’s authorization experts are getting maximum value from OAuth
OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.
Enable Secure Mobile & Web Access to Microsoft SharePoint (CA API Management)
Empower employees with external access to SharePoint and other intranet resources
Microsoft SharePoint authorizes user access based on a Microsoft domain session using Kerberos or similar technologies. An external user without a direct domain session cannot access SharePoint directly using common Single Sign-On (SSO) solutions deployed at the perimeter of the enterprise. Requiring VPN access to the enterprise for accessing SharePoint and other intranet resources is not practical and widens the attack surface of the enterprise.
Layer 7 delivers a simple solution for brokering access to Microsoft-based Web applications and APIs. By deploying Layer 7’s SecureSpan Gateway in the DMZ, the enterprise can enable and control access to Microsoft SharePoint without the need for VPN connections. The enterprise can leverage the same SecureSpan Gateway to control access to any Web applications and APIs that need to be consumed by mobile applications.
Simplify secure mobile app access to enterprise resources
When mobile apps access enterprise data and services, the risk of security being compromised is increased. Layer 7’s solution for mobile Single Sign-On simplifies the process through which apps require users to sign in to the enterprise in order to secure this access. The solution leverages the underlying security in a device’s operating system to effectively create a secure sign-on container for apps.
Layer 7 offers a complete end-to-end, standards-based and proven security solution for mobile SSO. This solution uses OAuth 2.0, OpenID Connect and JWT standards. Communication is secured through Layer 7’s SecureSpan Mobile Access Gateway and SSO libraries that abstract out all the complex OAuth and OpenID Connect protocol handshakes between mobile device and Gateway.
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G... (CA API Management)
APIs create incredible business opportunities. But how do you recognize the real value among all the hype? This session will take a frank look at the good and bad decisions that are being made by organisations seeking to harness the power of APIs.
Drones, Phones & Pwns: the Promise & Dangers of IoT APIs: Use APIs to Securely... (CA API Management)
The Internet of Things (IoT) promises to improve our productivity and day-to-day lives by connecting a vast range of devices – from cell phones, to cars, to domestic appliances and even to drones. APIs represent the key technology that will make it possible to integrate and leverage information from all these “things”.
There are obvious security and privacy concerns associated with using APIs to expose data and functionality from one device to many others. So, how can we make sure hackers cannot exploit the unprecedented connectivity created by IoT? This webinar will explore key IoT use cases and explain how to address the API security requirements for these use cases.
Adapting to Digital Change: Use APIs to Delight Customers & Win (CA API Management)
Learn about innovative approaches to differentiating, extending reach and establishing trust in financial service.
Web and mobile technologies have changed the way we bank, spend money and manage our finances. Using APIs to expose backend systems is central to how financial services organizations are using these digital channels to maximize customer engagement and extend reach into new markets.
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ... (CA API Management)
Identity on the Internet is changing. Social networking has kicked off a massive change in how we integrate identity across applications. This is much more than a simple redesign of security tokens and protocols; instead it is a radical redistribution of power and control over entitlements, shifting it away from the centralized control of a cabal of directory engineers and out to the users themselves.
There are compelling reasons for this shift: it enables scaling of identity administration, and it promotes rapid and agile integration of applications. These are goals shared by the enterprise, but this change has significant implications on infrastructure, people and process. Join us to learn how you can bring modern identity management into the enterprise.
With APIs gaining momentum as the building blocks of the Application Economy, an agile API platform architecture is key to aligning API-based 'Dev with DevOps'. A platform that can either quickly adapt to incorporate disruptive changes and new architecture patterns like microservices/containerization on the back end, or be extended to create seamless yet secure apps and connected mobile experiences (IoT) on the front end, is the foundation of a successful and complete DevOps strategy. It is also a competitive differentiator from a time-to-market standpoint.
5 Steps for End-to-End Mobile Security with Consumer Apps (CA API Management)
Overview
Delivering services to consumers via mobile apps is essential for differentiation and competitiveness in today’s business climate. But as more services are exposed, more risk is incurred – putting mobile app security at the top of the list for any security professional.
While strict BYOD policies, device-level security and application management solutions may fit enterprise requirements, the privacy and usability implications of these approaches are likely to negatively affect the consumer experience.
This webinar, presented by Tyson Whitten of CA Technologies and Leif Bildoy of CA Layer 7, will explain how enterprises can secure services exposed by mobile apps in a way that satisfies internal security requirements without impacting the user experience for external consumers.
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan... (CA API Management)
Today’s enterprise mobility solutions emphasize heavy-handed IT governance of devices and applications that impose a burden on developers and/or users. However, managing data and applications using high performance mobile-optimized infrastructure can enable secure, scalable apps while minimizing the effort required by developers and allowing them to focus on their strengths. Come learn how to facilitate the best of both worlds – multi-layer mobile security using modern standards and a fantastic user experience.
These slides are from our "Master Digital Channels with APIs" webinar on April 28, 2015.
The webinar provides practical guidance for any Chief Digital Officer or Chief Marketing Officer who is pushing for digital transformation within their business.
Learn more about APIs at ca.com/api
Every competitive business is now a digital business. In a world where differentiation and scale are being driven through apps and data, success is not a question of whether the businesses should go digital – it is a question of how the business should go digital.
In this webinar, Tyson Whitten – Director of API & Mobility Solutions at CA Technologies – will describe the key methods that successful organizations are using to create sustainable competitive advantage through digital transformation.
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente... (CA API Management)
APIs are everywhere: powering mobile apps, enabling cloud computing, connecting people through social networks and helping to create the Internet of Things. Organizations of every kind are evaluating how they can leverage APIs and replicate the success of companies like Amazon, Google and Salesforce.
Join this webinar to learn about the #API360 model for enterprise API success. This model covers the full spectrum of considerations for companies looking to succeed with APIs for the long haul. You will also hear more about the upcoming #API360 Summit that will take place in Dallas on February 26.
You Will Learn
• How leading Web companies have used APIs to boost revenues and market share
• How to create an enterprise API strategy that will yield real business results
• How to institutionalize best practices that will allow your APIs to evolve and grow
Deploy a system that will empower you to expose APIs in a secure, manageable way
Choosing the right API Management solution can make implementing a successful API strategy much easier and help to ensure your APIs are exposed in a secure, manageable way. Join this Layer 7 webinar to learn the key criteria for selecting an API Management solution and to get a solid understanding of the factors that will impact the success of your API strategy. Everyone who registers for the webinar will receive a complimentary copy of The Forrester Wave: API Management Platforms, Q1 2013.
In this presentation, Mike Amundsen, Francois Lascelles and Devon Winkworth of Layer 7 Technologies provide information on:
• The latest trends in the API economy and best practices and tips for securely exposing enterprise APIs
• Key issues around API Management, including access control, data security/privacy, developer management and API performance management
Lessons Learned From Four Years of API Management Implementation Success at Unum (CA Technologies)
Delivering secure, convenient access to financial protection benefits for over 80,000 employers, including a third of Fortune 500 companies, requires the careful choreography of more than 140 applications, services and mobile experiences. To address this rapid growth, Unum embarked early on an API gateway strategy that has resulted in faster adoption, better security and reduced risks. Join Tom Porterfield, Sr. Software Engineer at Unum, as he shares lessons learned from four years of implementation success with API management solutions from CA Technologies.
For more information, please visit http://cainc.to/Nv2VOe
Examining today's biggest API breaches to mitigate API security vulnerabilities
Data breaches have become the top news story. And APIs are quickly becoming the hacker's new favorite attack vector. They offer a direct path to critical information and business services that can be easily stolen or disrupted. And your private APIs can be exploited just as easily as a public API. So what measures can you take to strengthen your security position?
This webinar explores recent API data breaches, the top API security vulnerabilities that are most impactful to today's enterprise and the protective measures that need to be taken to mitigate API and business exposure.
You Will Learn
-Recent breaches in the news involving APIs
-Top attacks that compromise your business
-Mitigating steps to protect your business from attacks and unauthorized access
-API Management solutions that both enable and protect your business
Learn about API Security at http://www.ca.com/api
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level (CA Technologies)
The mobile application is becoming the primary interface between your enterprise and end users — but what will be used to secure this access? Come learn how to leverage data from mobile devices to help identify the legitimacy of a user attempting to login or perform a sensitive transaction.
For more information, please visit http://cainc.to/Nv2VOe
Moving beyond conventional single sign-on to seamless cross-device access with APIs
People are carrying more devices every day – with the average being 2.9 per person. Meanwhile, multitasking has gone into overdrive, as users quickly move from laptop to phone to tablet, expecting a seamless experience when accessing their favorite apps. And this expectation is not just limited to leisure and personal use – it extends to business applications.
Security has broken this seamless workflow and inhibited the mobile “stickiness” businesses are striving to achieve. This webinar with Scott Morrison and Leif Bildoy of CA Technologies will demonstrate how the right combination of identity functionality and secure APIs can help your organization to overcome these challenges and enable the multi-device universe.
You Will Learn
• What challenges must be overcome when supporting multiple mobile app types
• How SSO is evolving past mobile app access to device access
• Why the right implementation of identity and APIs will create consumer stickiness
• How the Internet of Things (IoT) is creating new business opportunities
APIs: State of the Union - Ross Garrett @ AppsWorld 2014 (CA API Management)
APIs are transitioning from an early adopter market to a mainstream technology used by enterprises to foster mobile innovation and developer channels. After a wave of consolidation in the market over the past year, this talk will take a snapshot of the API market among publishers, consumers and vendors, examine how the market has evolved and identify trends, opportunities and challenges for next several years.
IBM API Connect is a comprehensive API solution. It is an integrated creation, runtime, management, and security foundation for enterprise-grade APIs and microservices to power modern digital applications.
In this webinar:
• API Management concepts
• IBM API Connect overview and features
• Kellton Tech's API strategy with IBM API Connect
Technology: IBM API Connect 5.0
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh... (apidays)
apidays LIVE JAKARTA - Connecting the Digital Stack
Enterprise API management in agile integration
Raghuram Banda, Solution Architect at Entiros Integrations AB
Secure and Govern Integration between the Enterprise & the Cloud (CA API Management)
Secure, govern and mediate integrations between enterprise applications and Cloud services
Overview
For Best Buy, the public Cloud provides a strategic way to dynamically scale consumer and partner-facing Web and API assets. The Cloud lets Best Buy accommodate peaks in demand without overbuilding, while isolating sensitive data from the public.
Best Buy also needs a consistent way to control what information is shared with applications in the Cloud, while simultaneously insulating development teams from the vagaries of security, management and mediation challenges that arise when implementing a hybrid Cloud solution.
This webinar, presented by Best Buy, Amazon Web Services and Layer 7 Technologies, looks at a specific example, the Best Buy API Developer Portal, and shares best practices for security, governance and mediation of enterprise services with applications in the Cloud.
Ringers cut 5 knit for pinch point and knuckle impact protection (Project Sales Corp)
PSC Knit Impact Glove range from Mechanix, HexArmor, KONG, Ringers and Superior reduced the cost of ownership of impact protection gloves in 2014 and increased penetration in the oil and gas industry.
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ... (APIsecure_ Official)
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Why Assertion-based Access Token is preferred to a Handle-based one?
Yoshiyuki Tabata, Software Engineer at Hitachi
OAuth Nightmares - Nino Ho
https://www.hackmiami.com/hmc5-speakers-day-2
OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc. support it, and you are probably thinking of implementing OAuth for your product/platform. We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely. When you use OAuth, there are three pieces: the Platform, the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on an OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower-risk vulnerabilities, can result in gaping holes in your OAuth implementation. You will leave this session with a deep understanding of how an OAuth implementation should be secured, both for a platform and in an application, and of things to test for during a security evaluation of OAuth implementations.
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S... (CA Technologies)
CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure Web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder Secure Proxy Server). This presentation provides a comprehensive overview of the new features in CA Single Sign On.
For more information on CA Security solutions, please visit: http://bit.ly/10WHYDm
Enable OAuth 2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event) (Codit)
Find here the slides of the presentation on Sentinet, given by Massimo Crippa (Codit) on the BTUG Event of 13th of October 2015.
Sentinet has recently introduced the support for the OAuth and OpenID Connect protocols.
In this presentation you will see the supported authentication flows, how to secure a regular BizTalk SOAP and REST service with OAuth 2.0 and how to call an OAuth-protected API from BizTalk with no coding or any changes in the existing application.
What secure standards are there when working with a new API? And why should you care?
Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Trondheim, June 11 - 2013
John Bradley, Senior Technical Architect, Ping Identity
OAuth 2.0 is the future of API Security, allowing software clients to request and use access tokens to access necessary APIs rather than caching and replaying usernames and passwords on every API fetch. John Bradley will explain the OAuth 2.0 protocol from top to bottom. Response types, authorization codes, front-channel vs. back-channel architecture decisions, security considerations and best practices will all be discussed. If you want to really understand OAuth, this session will dig deep.
API Security in a Microservice ArchitectureMatt McLarty
This presentation was given at the O'Reilly Software Architecture Conference in New York on Feb. 28, 2018. It gives an overview of the new book, Securing Microservice APIs. Download available here: https://transform.ca.com/API-securing-microservice-apis-oreilly-ebook.html
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
Enterprises are deploying more applications to workers' phones and tablets. These applications currently all use separate authentications to establish user identity and authorization.
This session will look at how the Native Application profile of OpenID Connect creates a local token broker on the device to centralize authentication for multiple enterprise and SaaS applications on a device.
This can be used to increase security by enabling additional authentication factors and an enhanced view of device posture, as well as increasing usability by reducing the number of unnecessary authentications that interrupt the user's workflow every day.
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
Understanding how emerging standards like OAuth and OpenID Connect impact federation
Federation is a critical technology for reconciling user identity across Web applications. Now that users consume the same data through cloud and mobile, federation infrastructure must adapt to enable these new channels while maintaining security and providing a consistent user experience.
This webinar will examine the differences between identity federation across Web, cloud and mobile, look at API specific use cases and explore the impact of emerging federation standards.
You Will Learn
Best practices for federating identity across mobile and cloud
How emerging identity federation standards will impact your infrastructure
How to implement an identity-centric API security and management infrastructure
Presenters
Ehud Amiri
Director, Product Management, CA Technologies
Francois Lascelles
Chief Architect, Layer 7
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
By now you've bought into the idea of using APIs to integrate cloud, mobile devices and the enterprise. But are you building safe APIs? One insecure API can increase your organization's risk profile exponentially. Securing APIs is not like securing the web, a point lost on many developers coming from a web-centric background. Learn what good practices to put in place and the common security anti-patterns you must avoid to ensure your company's APIs are reliable, safe and secure. You will learn:
• The top ways hackers exploit APIs in the wild
• Common identity pitfalls and how to avoid them
• Why OAuth scopes are essential to master
• How to keep web developers from bringing bad habits with them
RESTful APIs,SOAP APIs, Proprietary APIs, protocols beyond APIs, OAuth for Authentication, Federated Authorization Servers across security domains, Token Translation between SAML and JWT, SSO across native applications, all running across Windows desktops and Android mobile computing platforms…and the glue to tie all that together? Are you kidding? A technical chat on a real-life case study of a small but dedicated band of engineers’ attempts to harmonize identity in a very un-harmonized world.
Securing Servers in Public and Hybrid CloudsRightScale
RightScale Webinar: Security and compliance remain major challenges to adoption of public cloud infrastructure hosting. Technical differences in public cloud environments render many established security models and controls inoperable. Understanding these differences and the options available to you are key to running a secure cloud environment.
Join Carson Sweet, co-founder and CEO of CloudPassage and Uri Budnik, Director, ISV Partner Program of RightScale for a free webinar where industry experts discuss why security and compliance are different in the cloud, outline a model for securing cloud-based hosting environments, and explain best practices for implementing a secure cloud infrastructure.
We will discuss:
- What's different about security in the cloud
- Shared responsibility
- Architectural challenges
- Key features to secure your cloud servers
- Secure deployment via RightScripts
Don't miss out on this opportunity to find out about all you need to secure your cloud servers!
When companies endeavor to move their applications and services to the cloud, they tend to worry more about security up front. Interestingly, platforms such as Azure provide an even more secure environment than most self-managed co-location facilities can hope to offer, not to mention the plethora of features on the platform that help you secure your solutions end to end. In this session Michele will review the mini-avalanche that comprises Azure security across features. Taking the architect's view of the platform (with demos) she’ll cover best practices for securing Azure solutions end to end and discuss the tangential benefits of moving to Azure and how it can help you with checking the boxes on those pesky security surveys.
Technologies that are being used together to secure RESTful APIs: SAML (and eventually OpenID Connect), OAuth, SCIM, and the JSON Identity Protocol Suite (esp. JWT).
Discussion of how these technologies can be combined to provide enterprise-grade security for APIs, putting this need into the broader context.
Similar to OAuth in the Real World featuring Webshell
Extend your legacy SOA/ESB infrastructure to Mobile & IoT
This webinar recording provides a use-case driven discussion around appropriate use of existing middleware infrastructure as well as its shortcomings. It dives deep into how APIs can not only complement an ESB or SOA infrastructure but also fill existing gaps.
Watch this webinar recording to learn about:
- Strengths and weaknesses of your existing ESB/SOA infrastructure
- Architecture strategy: extend and add value to legacy middleware with APIs
- Integration / API use cases in Retail, Manufacturing and Telecom
- The API360 approach to digital strategy
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
At some point, we all need to design and implement APIs for the Web. What makes Web APIs different than typical component APIs? How can you leverage the power of the Internet when creating your Web API? What characteristics do many "great" Web APIs share? Is there a consistent process you can use to make sure you design a Web API that best fits your needs both now and in the future?
In this session Mike Amundsen describes a clear methodology for designing Web APIs (based on the book "RESTful Web APIs" by Richardson and Amundsen) that allows you to map key aspects of your business into a usable, scalable, and flexible interface that will reach your goals while creating a compelling API for both server and client developers. Whether you are looking to implement a private, partner, or public API, these principles will help you focus on the right metrics and design goals to create a successful API.
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
Liberating the API Economy with Scale-Free Networks
The Web exhibits a feature found in many complex systems known as "Scale-Free" or "Power-Law" networks, sometimes called the "long tail". Most people think of the "long tail" as an economic and/or social property. However, it also represents physical and informational properties fundamental to the way the Web works. But the steady increase in major service outages indicates that many current Web APIs, services, and even client applications ignore this basic "law of the Web."
This talk explores the "Scale-Free" rule of complex systems and offers clear and simple advice to those planning to build and/or consume APIs for the Web. Such as what to avoid, what to plan for, what to build, and how to identify & steer clear of clients and services that fail to abide by the rules and, in the process, are making it harder for all of us to liberate the API Economy.
Securely Open data as APIs to internal groups and third parties to generate revenue
In today's application economy, organizations are leveraging APIs to create new revenue streams. To monetize its information, the enterprise needs a way to transform data into APIs, enforce SLAs and implement a standardized fulfillment process with flexible and integrated billing systems.
This webinar explores how enterprises can overcome these monetization challenges, using an API management solution that securely opens data to internal groups and third parties as APIs, in order to generate revenue.
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
The Information Age, 100 years on
The rise of the computer and the digital revolution is responsible for an explosion of devices, data, and connectedness. These are all enabling what is called the dawning of the Information Age. And software designers, developers, and architects all share an important responsibility for shaping and guiding the world’s progress through this axial age into the future.
However, more than 100 years ago, the work of organizing the world’s information into a single all-encompassing taxonomy had already begun. Partially influenced by the positivist doctrine of Auguste Comte, leading thinkers of the early 20th century such as the librarian Paul Otlet in Belgium, museum curator Patrick Geddes in Scotland, and educator Melvil Dewey in the US were each working to design universal classification systems that would encompass and coordinate the explosion of information appearing in libraries, museums, newspapers, magazines, and eventually even radio, movies, and television.
What did we learn in the last century? What have we forgotten? How does their work affect our current trajectory in transforming the work of software and systems design and development? What can we take from Dewey, Otlet, and Geddes with us into the next 100 years of the Information Age?
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
The VIP networking lunch will feature a presentation by Keith Junius, Solution Architect, from Veda on ‘Implementing an API Management Platform’. Attendees will hear about how Veda has modernized their B2B API platform by deploying SOA Gateways. Join Layer 7 at this lunch to learn about:
• Design considerations for API management platforms
• Technical and business challenges faced across the whole system lifecycle
• The soft skills required to achieve a successful outcome
• Lessons learned during and after the project
• Benefits realized by the new platform
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
Today, tech-savvy consumers are always connected, using their mobile devices to compare prices, read user-generated reviews and pay for products - and many leading e-tailers already connect their customers to this information. The any time, any place connectivity enabled by mobile devices empowers all retailers to offer the kinds of enhanced shopping experiences modern consumers are becoming accustomed to.
To truly satisfy the needs of these well-informed, mobile consumers, retail organizations will need ways to create unified shopping experiences across all channels – from brick-and-mortar stores to the Web to mobile. Increasingly, offering a compelling mobile experience will become the cornerstone upon which these omni-channel shopping experiences are built.
In this webinar, you will learn how APIs can:
• Help deliver a consistent retail experience across multiple channels
• Connect retailers with social data
• Extend legacy systems to mobile apps
• Enable organizations to make real-time use of contextual data and buying patterns
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
Cars are already full of sensors and producing gigabytes of data, but they are not connected yet. Connecting them can represent a tremendous opportunity for several industries (insurance companies, repairs, traffic optimization...) but it certainly comes with a lot of challenges. Security and privacy are the biggest challenges this market has to overcome, especially because they have been completely out of scope for this industry so far.
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management
As HTTP-based APIs become more common and more standardized, mindshare and momentum are shifting from a service-oriented model to the "client side" of the application space. It is the client application that users fall in love with, and it is the client application developer that holds the keys to this relationship.
Client developers pick APIs based not just on ease of use and helpful documentation. Often they are selecting APIs that make their applications "look good" and APIs that can be easily "mashed up" with other service offerings into new "applications", ones that don't rely on just one service API.
This talk reviews patterns in developer practices and trends in services and libraries, from the increase in the number of client-side libraries such as EmberJS, Angular, and Bootstrap to the appearance of new "API composition" platforms such as StrongLoop, that give us a picture of why it's important to identify and leverage the growing sentiment that "Clients Matter, Services Don't."
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management
Whether it be infotainment, companion or ecommerce apps, they all have one thing in common - APIs. APIs are enabling the development of new apps both inside and outside the vehicle. But the "always on" connectivity comes with increased risk to both the user and data.
Explore common app initiatives fueling the connected car industry
Understand the intersection of connected car apps, identities and agile API platforms
Learn how to apply the right security and UX balance that drives connected car app adoption
An opinionated investigation into the impact of the Internet of Things on APIs. What will remain and what will change? How will future API design, protocols and developer experience be impacted by the promises and limitations of IoT? If you are wondering whether IoT is hype or reality and how you will integrate with it from an API perspective, this talk is for you. This presentation will give you an (admittedly) opinionated overview of the current state of the art and possible future direction of APIs in IoT.
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureCA API Management
Mike Amundsen's "lightning talk" at the APIStrat Tech Un-Workshop at Gluecon 2014 Here's a link to the slide descriptions: http://g.mamund.com/gluecon2014-talk
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...CA API Management
If you build it will they come? Lots of advice exists around building APIs but precious little around how to align business and API. This talk briefly introduces lean business planning approaches and demonstrates the use of the Business Model Canvas to align Business Objective and API Program.
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...CA API Management
Competitive businesses have always strived for agility. From brick and mortar to software enabled enterprises. But while software provides competitive advantages it also has limitations. The question then becomes how to achieve that next level of agility. The answer is through APIs.
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...CA API Management
Devon Winkworth, Snr. Principal Consultant for Layer 7, presented on the essentials for BYOD & Mobile Enablement during The Mobile Asia Show in Singapore. He discusses BYOD and the app explosion and factors driving BYOD Adoption, along with approaches to address challenges with BYOD.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what testing in DevOps is. Finally we had a lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across more than 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
31. OAuth 1.0/1.0a
- Released in October 2007
- Revised in June 2009 (Revision A)
- Hard to implement (every request must be signed), no expiration of tokens, no way to control the level of access requested.
Some implementations have tried to get around these problems, which causes interoperability issues
OAuth.io@medjawii
32. OAuth 2.0
- Non-backward-compatible alternative.
- Several drafts between January 2010 and October 2012; published as RFC 6749 in October 2012
- Facebook and many others implemented it before it was final
- OAuth 2.0 is more flexible, which has produced a wide range of non-interoperable implementations
- Less secure than OAuth 1.0 in one respect: bearer tokens rely on SSL/TLS connections rather than signatures to protect the user's access token
- Easier to implement when developing clients
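To make the contrast on slides 31 and 32 concrete, here is an added example (not code from the deck or from OAuth.io) of what an OAuth 1.0a client and server have to do for every request: build the signature base string of RFC 5849 section 3.4.1, HMAC-SHA1 it with the consumer and token secrets, and on the server recompute the signature and reject replays by nonce and timestamp. OAuth 2.0 bearer tokens replace all of this with a TLS-protected `Authorization: Bearer` header, which is why 2.0 is easier to implement and why it depends entirely on the transport. The request and the key/secret strings below are the sample values from RFC 5849 used as test data; the `Verifier` class and its replay window are my own illustration, not a library API.

```python
"""OAuth 1.0a request signing and verification (RFC 5849 section 3.4, HMAC-SHA1).
Illustrative example, not a library's API; secrets below are test values only."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(value):
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6
    (only unreserved characters are left alone, so "/" and " " are encoded)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Normalize the request: scheme/host lower-cased, query and fragment
    stripped from the URL, every query + body + oauth_* parameter collected,
    sorted by encoded name then value, and the three parts joined with '&'."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((_enc(k), _enc(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer)&enc(token)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def oauth_params(consumer_key, token, nonce=None, timestamp=None):
    """Protocol parameters the client must add to every request."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }


def signed_request(method, url, body, consumer_key, consumer_secret,
                   token, token_secret, nonce=None, timestamp=None):
    """Client side: merge form body and oauth_* params, then attach the signature."""
    params = {**body, **oauth_params(consumer_key, token, nonce, timestamp)}
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


class Verifier:
    """Resource-server check: signature plus nonce/timestamp replay protection.
    (Hypothetical helper; a real server would keep the seen-set in shared storage.)"""

    def __init__(self, consumer_secret, token_secrets, window=300):
        self.consumer_secret = consumer_secret
        self.token_secrets = token_secrets   # oauth_token -> token secret
        self.window = window                 # accepted clock skew in seconds
        self.seen = set()                    # (consumer_key, nonce, timestamp)

    def accept(self, method, url, params, now):
        ts = int(params.get("oauth_timestamp", "0"))
        if abs(now - ts) > self.window:
            return False                     # stale or future-dated request
        key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"), ts)
        if key in self.seen:
            return False                     # replayed request
        token_secret = self.token_secrets.get(params.get("oauth_token"), "")
        if not verify(method, url, params, self.consumer_secret, token_secret):
            return False
        self.seen.add(key)
        return True
```

Running this on the RFC 5849 sample request (query `b5=%3D%253D&a3=a&c%40=&a2=r%20b`, body `c2=&a3=2 q`) reproduces the base string the RFC shows, which is the part libraries most often get wrong: the parameters are encoded once for sorting and again when joined, so the space in `r b` ends up as `%2520b`.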
36. Facebook:
Refresh token:
grant_type: "refresh_token" => grant_type: "fb_exchange_token"
refresh_token: "{{refresh_token}}" => fb_exchange_token: "{{refresh_token}}"
Scope "notation": friends_actions.music, friends_actions.video
Separator is a "," instead of "%20" (the space RFC 6749 specifies)
37. Deezer:
client_id -> app_id=...
scope -> perms=email,read_friendlists...
state=... [undocumented]
response_type=code [useless]
"Facebook is the standard"
38. Google:
More parameter options for the authorization form:
access_type: to choose whether a refresh_token is sent or not
approval_prompt: to force the consent popup even if we are already connected
login_hint: to select an account or prefill the email address
include_granted_scopes: to add more authorizations ("incremental authorization")
39. Foursquare:
- From Foursquare's own documentation: "Some OAuth libraries expect to pass the OAuth token as access_token instead of oauth_token, since this is the expectation created by Facebook, at odds with earlier versions of the OAuth spec. We may add support for both parameter names, depending on feedback, but for now know that this may come up."
- No scope.
40. Salesforce:
Added custom authorization parameters:
immediate: whether the user should be prompted for login and approval
display: template (web, mobile, popup)
login_hint: prefill the email address
prompt: prompt the user for reauthorization or reapproval
The token response returns custom fields:
- "instance_url": the API URL bound to the resource server; this is the only way to learn the domain to call
- "signature": lets you verify that the identity URL was not modified (id and issued_at signed with the app's consumer secret)
- "issued_at" instead of expires_in: Salesforce gives the issue time rather than the remaining lifetime
- "id_token": OpenID Connect support
UX for creating an app: 4 not-so-easy-to-find mouse clicks between login and the app creation form
41. VK:
Added authorization parameter v: API version
The token response returns the user id, which is needed to call the API for the authorized user (there is no /me/..., /self/... or similar)
Instead of
access_token: xxx
/user/me?access_token=xxx
you have
access_token: xxx
user_id: yyy
/user/yyy?access_token=xxx
43. Tencent Weibo:
Authorization parameters: Chinese only
oauth_version=2.a (useless parameter)
Extra: Chinese/English documentation for OAuth 1.0, but Chinese-only documentation for OAuth 2.0
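The deviations on slides 36 to 41 are the kind of thing a client library has to hide behind one interface. The following is an added example written for this page; it is not oauth.io or oauthd code. Only the parameter renames, the scope separators, the fb_exchange_token grant and the response fields (issued_at, instance_url, user_id) come from the slides; the endpoint URLs, the VK "v" value and the sample responses in the comments are assumptions.

```javascript
// Added example (not oauth.io or oauthd code): one client interface over the
// provider deviations listed on slides 36-41. Endpoint URLs and the VK "v" value
// are assumptions; the renames and response fields come from the deck.
const PROVIDERS = {
  google: {                                   // slide 38: extra options on the form
    authorizeUrl: 'https://accounts.google.com/o/oauth2/auth',            // assumed
    scopeSeparator: ' ',                      // RFC 6749 section 3.3: space-delimited
    allowedExtras: ['access_type', 'approval_prompt', 'login_hint', 'include_granted_scopes'],
  },
  facebook: {                                 // slide 36
    authorizeUrl: 'https://www.facebook.com/dialog/oauth',                // assumed
    scopeSeparator: ',',                      // "," instead of "%20"
    refreshGrant: 'fb_exchange_token',        // replaces grant_type=refresh_token
    refreshTokenParam: 'fb_exchange_token',   // replaces refresh_token=...
  },
  deezer: {                                   // slide 37
    authorizeUrl: 'https://connect.deezer.com/oauth/auth.php',            // assumed
    scopeSeparator: ',',
    rename: { client_id: 'app_id', scope: 'perms' },
  },
  vk: {                                       // slide 41
    authorizeUrl: 'https://oauth.vk.com/authorize',                       // assumed
    scopeSeparator: ',',                      // assumed
    fixed: { v: '5.131' },                    // "v" = API version; the value is assumed
  },
  salesforce: {                               // slide 40
    authorizeUrl: 'https://login.salesforce.com/services/oauth2/authorize', // assumed
    scopeSeparator: ' ',
    allowedExtras: ['immediate', 'display', 'login_hint', 'prompt'],
  },
};

// encodeURIComponent turns a space into %20 and a comma into %2C, so the scope
// list reaches the wire in exactly the form each provider expects.
function encodeQuery(params) {
  return Object.keys(params)
    .filter((k) => params[k] !== undefined && params[k] !== null)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(String(params[k]))}`)
    .join('&');
}

function buildAuthorizeUrl(name, { clientId, redirectUri, scopes, state, extra = {} }) {
  const p = PROVIDERS[name];
  if (!p) throw new Error(`unknown provider ${name}`);
  const standard = {
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(p.scopeSeparator),
    state,
  };
  const params = { ...p.fixed };
  for (const [k, v] of Object.entries(standard)) {
    params[(p.rename && p.rename[k]) || k] = v;   // e.g. scope -> perms at Deezer
  }
  // Only forward provider-specific options the table declares, so a Google-only
  // option never leaks into a Deezer or Facebook URL.
  for (const [k, v] of Object.entries(extra)) {
    if ((p.allowedExtras || []).includes(k)) params[k] = v;
  }
  return `${p.authorizeUrl}?${encodeQuery(params)}`;
}

// Body of the refresh (or, for Facebook, exchange) request to the token endpoint.
function buildRefreshRequest(name, { clientId, clientSecret, refreshToken }) {
  const p = PROVIDERS[name];
  if (!p) throw new Error(`unknown provider ${name}`);
  return {
    grant_type: p.refreshGrant || 'refresh_token',
    [p.refreshTokenParam || 'refresh_token']: refreshToken,
    client_id: clientId,
    client_secret: clientSecret,
  };
}

// Normalise a token response: Salesforce (slide 40) sends issued_at instead of
// expires_in and instance_url for the resource server; VK (slide 41) sends user_id,
// which every later API call needs because there is no /me endpoint.
function normalizeTokenResponse(name, body, now = Date.now()) {
  const out = { provider: name, accessToken: body.access_token, tokenType: body.token_type || 'bearer' };
  if (body.expires_in !== undefined) out.expiresAt = now + Number(body.expires_in) * 1000;
  else if (body.issued_at !== undefined) out.issuedAt = Number(body.issued_at);
  if (body.refresh_token) out.refreshToken = body.refresh_token;
  if (body.user_id !== undefined) out.userId = String(body.user_id);
  if (body.instance_url) out.apiBase = body.instance_url;
  return out;
}
```

The point of the allow-list in buildAuthorizeUrl is that "extra" options are untrusted input from the application: forwarding arbitrary keys would let an application override response_type or redirect_uri for a provider, which is exactly the class of mistake these slides show providers making on their side.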
47. The "state" param
● nonexistent (dailymotion, eventbrite...), so you have to carry it in the callback URL yourself
● undocumented (wordpress, deezer...)
● impossible (angelist.co): "fixed callback url", so it cannot even be carried in the callback
48. What you should not tell yourself about OAuth
- "OAuth is not so hard to understand"
- "It will be easier to do it in this non-standard way"
- "Developers just have to read our documentation"
49. April fool: Introducing OAuth 3.0
- "0 token" paradigm
- No more secret key, everything public
The vast majority did not understand it was a joke...
51. Even if you are right, 3rd-party developers will be lost, because other providers already did it wrong before you
53. "From a design perspective, documentation is a bug, not a feature"
It is the most important source of information, but the last place developers look for it
59. OAuth.io@medjawii
- Register on oauth.io
- Click on the OAuth provider you want in the list
- Share your credentials
- Click on "try me"
That's it, you have your token, 90 seconds after signup.
67. OAuth.io@medjawii
// oauth.io browser SDK, callback style as shown on the slide.
// OAuth.initialize() with your oauth.io public key must have run once before this.
OAuth.popup('twitter', function (err, res) {
  if (err) {
    // popup closed, user refused, or provider error: stop here
    console.error(err);
    return;
  }
  // res holds the token; the SDK attaches it to the request for you
  res.get('/1.1/account/verify_credentials.json')
    .done(function (data) {
      alert('Hello ' + data.name);
    })
    .fail(function (e) {
      console.error(e);
    });
});
No need to call your own server, sign your API request and send it back
No more access token management; it is now completely abstracted
It feels lighter, right?
69. Open source: oauthd, for an on-premises implementation to consume your own OAuth
https://github.com/oauth-io/oauthd
Easy contribution process: a small JSON file to fill in on GitHub