Overview of OAuth and OpenID Connect
The Nuts and Bolts of API Security
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
§ All API Conferences
§ API Community
§ Active blogosphere
Organizers and founders
Agenda
§ The security challenge in context
§ OAuth 2 Fundamentals
§ Building OpenID Connect on OAuth
§ 2 example use cases
API Security == API Keys
§ Problem solved!
API Security != API Keys
§ Revocable, un-audienced, non-expiring bearer access tokens
§ Symmetric keys
§ Passwords!
API Security == OAuth
§ Problem solved for real this time?
Not that easy! Sorry.
Crucial Security Concerns
§ Enterprise Security
§ API Security
§ Mobile Security
Identity is Central
[Venn diagram by Gunnar Peterson: three overlapping circles, Mobile Security, API Security and Enterprise Security, with Identity at the center; other labels on the figure: MDM, MAM, AuthZ]
The Neo-security Stack
JSON Identity Suite
§ OpenID Connect: federation
§ SCIM: provisioning identities
§ OAuth 2: delegated access / authorization
§ U2F: authentication
OAuth
§ OAuth 2 is a protocol of protocols
  § Used as the base of other specifications
  § OpenID Connect, UMA, HEART, etc.
§ Addresses some important requirements
  § Delegated access
  § No password sharing
  § Revocation of access
OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
[Diagram: the RO delegates to the Client; the Client gets a token from the AS and uses the token at the RS]
Request, Authenticate & Consent (the authorization code flow)
[Each step below was an animated sequence diagram between the Resource Owner (RO), the Client, the Authorization Server (AS) and the Resource Server (RS)]
1. The Client Requests Access
2. The AS Requires the RO to Authenticate
3. The AS Issues the One-time Use Code
4. The Client Redeems the One-time Use Code
5. The AS Issues the Token
6. The Client Presents the Token to the RS
7. The RS Validates the Token
8. Access!
Scopes
§ Like permissions
§ Scopes specify the extent of a token's usefulness
§ Listed on the consent UI (if shown)
§ No standardized scopes
Kinds of Tokens
§ Access Tokens: like a session; used to secure API calls
§ Refresh Tokens: like a password; used to get new access tokens
Profiles of Tokens
§ Bearer: bearer tokens are like cash ($)
§ Holder of Key (HoK): HoK tokens are like credit cards
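The cash-versus-credit-card analogy becomes concrete when a token is captured in transit. The following is an added example, not from the slides: a resource server that accepts both profiles, a client that can prove possession of a key, and an attacker who holds the captured headers but not the key. The proof here is an HMAC over the request with a key known to client and RS, chosen only to keep the code short; real holder-of-key deployments bind the token to the client's TLS certificate (RFC 8705) or to a per-client signing key (DPoP). Token strings, the key and the API paths are made up.

```python
# Added example (not from the slides): why a stolen bearer token is "cash" and a
# holder-of-key token is a "credit card". The HoK proof here is an HMAC over the
# request, made with a key only the legitimate client holds; the key, token
# strings and API paths are made up. Real HoK deployments bind the token to the
# client's TLS certificate (RFC 8705) or a per-client signing key (DPoP) rather
# than a shared HMAC key, but the property demonstrated is the same.
import hashlib
import hmac

NOW = 1_700_000_000  # fixed clock so the walk-through is deterministic

# constructed AS state: the second token was issued bound to the client's key
TOKENS = {
    "bearer-token": {"sub": "alice", "exp": NOW + 600, "key": None},
    "hok-token": {"sub": "alice", "exp": NOW + 600, "key": b"client-key-material"},
}
SEEN_PROOFS = set()  # the RS remembers proofs it has accepted within the freshness window


def sign_request(key, method, path, token, ts):
    """Client side: prove possession of the key for this exact request."""
    msg = f"{method}\n{path}\n{token}\n{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_request(method, path, token, key=None, now=NOW):
    """Headers a legitimate client sends: plain bearer, or HoK when it has the key."""
    if key is None:
        return {"Authorization": f"Bearer {token}"}
    return {"Authorization": f"HoK {token}", "X-Proof-Timestamp": str(now),
            "X-Proof": sign_request(key, method, path, token, now)}


def resource_server(method, path, headers, now=NOW):
    """Accept both profiles; an HoK token needs a fresh, unused, valid proof for this request."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    record = TOKENS.get(token)
    if record is None or now >= record["exp"]:
        raise PermissionError("invalid_token")
    if record["key"] is None:
        if scheme != "Bearer":
            raise PermissionError("invalid_request")
        return f"{record['sub']} may {method} {path}"  # cash: whoever holds it spends it
    if scheme != "HoK":
        raise PermissionError("invalid_request")
    ts = int(headers.get("X-Proof-Timestamp", "0"))
    if abs(now - ts) > 30:                                  # narrow window bounds replay
        raise PermissionError("stale_proof")
    proof = headers.get("X-Proof", "")
    if not hmac.compare_digest(sign_request(record["key"], method, path, token, ts), proof):
        raise PermissionError("invalid_proof")              # card present, PIN unknown
    if proof in SEEN_PROOFS:
        raise PermissionError("replayed_proof")             # exact replay of a captured request
    SEEN_PROOFS.add(proof)
    return f"{record['sub']} may {method} {path}"


def attacker_replays(captured_headers, method, path, now=NOW):
    """An attacker who captured the headers (token included) but not the key."""
    return resource_server(method, path, captured_headers, now)
```

With the bearer token the attacker can turn a captured read into a delete; with the HoK token the same capture is useless for a different request and, because the RS remembers accepted proofs, also for an exact replay.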
Types of Tokens
§ WS-Security
§ SAML
§ Custom
§ Home-grown
§ Oracle Access Manager
§ SiteMinder
§ JWT
JWT Tokens
§ Pronounced like the English word "jot"
§ Lightweight tokens passed in HTTP headers & query strings (prefer the Authorization header; query strings end up in server logs and browser history)
§ Akin to SAML tokens
  § Less expressive
  § Fewer security options
  § More compact
  § Encoded w/ JSON, not XML
Passing Tokens
§ By value: the token itself carries the claims (e.g. "John Doe")
§ By reference: the token is an opaque handle (e.g. "123XYZ") that the recipient must resolve at the AS
Improper Usage of OAuth
§ Not for authentication
§ Not really for authorization
§ Not for federation
Proper Usage of OAuth
§ For delegated access
§ User-to-app delegation in particular
OpenID Connect
• Next generation federation protocol
  – Based on OAuth 2
  – Made for mobile
  – Not backward compatible (with OpenID 2.0)
• Client & API receive tokens
• User info endpoint provided for the client to get user data
OpenID Connect Example
[Sequence diagram between the Browser, the RP / Client and the OAuth AS / OpenID Provider]
1. The RP requests login, providing the "openid" scope & user info scopes
2. The OP returns an authorization code
3. The RP sends the code to get an access token
4. The OP returns the access token & ID token
5. The RP checks the audience restriction of the ID token
6. The RP gets user info using the access token
7. The OP returns the user info
ID Token is for Client
§ Access token is for the API; ID token is for the client
§ ID token provides the client with info about
  § Intended client recipient (aud)
  § Who the user is (sub)
  § How the user authenticated (amr / acr)
  § Issuer of the token (iss)
  § Expiration time (exp)
User Info Endpoint
§ OAuth-protected endpoint at the OpenID Provider that returns claims about the logged-in user
§ Authenticate using the bearer access token issued by the OpenID Provider
§ Output depends on requested and authorized scopes
§ Its sub claim must match the sub claim in the ID token
Applying All this to Micro-services
All Micro-services Accept JWTs
But translate!
Translate from by-ref to by-value in the gateway
[Diagram: the opaque by-reference token "123XYZ" arrives at the API Firewall / Reverse Proxy, which swaps it for a by-value JWT that the micro-services behind it accept]
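Two of the checks above depend on the same machinery: the client validating the ID token (issuer, audience, expiry, nonce) and then matching the user info endpoint's sub claim to it, and the gateway turning a by-reference access token into a by-value JWT that each micro-service can validate without calling home. The following is an added example, not code from the slides or from any Twobo/Curity product. It uses a minimal HS256 JWT with shared secrets to stay short; production OpenID Providers sign with asymmetric keys published via JWKS. The issuer URLs, client id, keys, the opaque token "123XYZ" and its introspection record are made up.

```python
# Added example (not from the slides): a minimal HS256 JWT used for two checks
# the deck calls for: (1) the RP validating an ID token (issuer, audience,
# expiry, nonce) and matching the userinfo "sub" to it; (2) an API gateway
# translating a by-reference access token into a by-value JWT that a
# micro-service validates on its own. Issuer URLs, client id, keys and the
# introspection record are made up; HS256 with shared secrets keeps the code
# short, production OPs sign with asymmetric keys published via JWKS.
import base64
import hashlib
import hmac
import json

NOW = 1_700_000_000  # fixed clock so the walk-through is deterministic


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Signature first, then the claims every recipient must check."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":  # pin alg; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this recipient")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


# --- (1) OpenID Connect: the ID token is for the client ----------------------
OP_ISSUER, CLIENT_ID = "https://op.example", "rp-web"
CLIENT_SECRET = b"rp-web-client-secret"  # HS256 key for ID tokens is the client secret (OIDC Core 10.1)


def op_issue_id_token(sub, nonce, now=NOW):
    return jwt_sign({"iss": OP_ISSUER, "sub": sub, "aud": CLIENT_ID, "exp": now + 300,
                     "iat": now, "nonce": nonce, "amr": ["pwd"]}, CLIENT_SECRET)


def rp_validate_id_token(id_token, expected_nonce, now=NOW):
    claims = jwt_verify(id_token, CLIENT_SECRET, OP_ISSUER, CLIENT_ID, now)
    if claims.get("nonce") != expected_nonce:  # ties the token to this login request
        raise ValueError("nonce mismatch")
    return claims


def rp_accept_userinfo(id_claims, userinfo):
    if userinfo.get("sub") != id_claims["sub"]:  # userinfo must describe the same subject
        raise ValueError("userinfo sub does not match ID token sub")
    return userinfo


# --- (2) Gateway: translate by-reference to by-value ------------------------
GATEWAY_KEY, INTERNAL_ISSUER, ORDERS_AUD = b"gateway-signing-key", "https://gateway.internal", "orders-api"
# constructed: what the AS's introspection endpoint says about the opaque token "123XYZ"
INTROSPECTION = {"123XYZ": {"active": True, "sub": "john.doe", "scope": "orders:read", "exp": NOW + 600}}


def gateway_translate(reference_token, now=NOW):
    info = INTROSPECTION.get(reference_token)
    if not info or not info["active"] or now >= info["exp"]:
        raise PermissionError("invalid_token")
    # by-value JWT for the internal hop: audience-restricted and never outliving the original
    return jwt_sign({"iss": INTERNAL_ISSUER, "aud": ORDERS_AUD, "sub": info["sub"],
                     "scope": info["scope"], "exp": min(info["exp"], now + 60), "iat": now}, GATEWAY_KEY)


def orders_service(jwt_token, now=NOW):
    claims = jwt_verify(jwt_token, GATEWAY_KEY, INTERNAL_ISSUER, ORDERS_AUD, now)
    if "orders:read" not in claims["scope"].split():
        raise PermissionError("insufficient_scope")
    return claims["sub"]
```

The same `jwt_verify` serves both halves, which is the point of the translation: once the gateway has done the one lookup at the AS, every service behind it checks signature, issuer, audience and expiry locally and rejects a token minted for a different audience or with a different key.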
Additional Resources
§ Blog posts
§ bit.ly/oauth-deep-dive
§ bit.ly/4-api-security-defenses
§ bit.ly/building-secure-api
§ bit.ly/right-api-armor
§ API keys http://bit.ly/2dI9Z7Q
§ Videos
§ bit.ly/oauth-in-depth
§ bit.ly/micro-services-security
§ bit.ly/building-secure-api-video
§ API security insights
  § http://nordicapis.com/api-insights/security/
For more information, visit curity.io
Summary
§ API security > API keys & OAuth
§ OAuth 2 fundamentals
§ Token types
§ Profiles
§ Passing tokens
§ Building OpenID Connect on OAuth
Thank you!
Secure your APIs using OAuth 2 and OpenID Connect

 
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAnyEstablish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
 
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
 
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIsGoing Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
 
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
 
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerGenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
 
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
 
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
 

Recently uploaded

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
QuickwayInfoSystems3
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
vrstrong314
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
Hornet Dynamics
 

Recently uploaded (20)

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
E-commerce Application Development Company.pdf
E-commerce Application Development Company.pdfE-commerce Application Development Company.pdf
E-commerce Application Development Company.pdf
 

Secure your APIs using OAuth 2 and OpenID Connect

  • 1. Overview of OAuth and OpenID Connect
    The Nuts and Bolts of API Security
    By Travis Spencer, CEO
    @travisspencer, @2botech
    Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
  • 2. Organizers and founders
    ✓ All API Conferences
    ✓ API Community
    ✓ Active blogosphere
  • 3. Agenda
    § The security challenge in context
    § OAuth 2 Fundamentals
    § Building OpenID Connect on OAuth
    § 2 example use cases
  • 4. API Security == API Keys
    § Problem solved!
  • 5. API Security != API Keys
    § Revocable, un-audienced, non-expiring, bearer access tokens
    § Symmetric keys
    § Passwords!
  • 6. API Security == OAuth
    § Problem solved for real this time?
    Not that easy! Sorry :(
  • 7. Crucial Security Concerns
    Enterprise Security, API Security, Mobile Security
  • 8. Identity is Central
    (Venn diagram by Gunnar Peterson: Mobile Security (MDM, MAM), API Security and Enterprise Security, with Identity and AuthZ in the overlap)
  • 9. The Neo-security Stack
    (stack diagram)
    § JSON Identity Suite: Identities
    § OpenID Connect: Federation
    § SCIM: Provisioning
    § OAuth 2: Delegated Access, Authorization
    § U2F: Authentication
  • 10. OAuth
    § OAuth 2 is a protocol of protocols
      § Used as the base of other specifications
      § OpenID Connect, UMA, HEART, etc.
    § Addresses some important requirements
      § Delegated access
      § No password sharing
      § Revocation of access
  • 11. OAuth Actors
    1. Resource Owner (RO)
    2. Client
    3. Authorization Server (AS)
    4. Resource Server (RS) (i.e., API)
    (diagram: the RO delegates to the Client; the Client gets a token from the AS and uses the token at the RS)
  • 12. Request, Authenticate & Consent
    (slides 13-20: sequence diagram between the Resource Owner (RO), the Client, the Authorization Server (AS) and the Resource Server (RS))
  • 13. The Client Requests Access
  • 14. The AS Requires the RO to Authenticate
  • 15. The AS Issues the One-time Use Code
  • 16. The Client Redeems the One-time Use Code
  • 17. The AS Issues the Token
  • 18. The Client Presents the Token to the RS
  • 19. The RS Validates the Token
  • 20. Access!
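The eight steps on slides 13-20 played out end to end, as an added example (my code, not the presenter's): an in-memory authorization server, client flow and resource server in Python. The client id app1, its secret, the redirect URI and the user alice are constructed values; the access token is a by-reference token, so the RS validates it with an introspection call to the AS, standing in for the AS arrow on slide 19.

```python
import secrets
import time

# Constructed client registration (hypothetical client id, secret and redirect URI).
CLIENTS = {"app1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}


class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # one-time codes -> grant details
        self.tokens = {}   # opaque (by-reference) access tokens -> grant details

    # Slides 13-15: the client requests access, the RO authenticates and consents,
    # and the AS issues a short-lived, one-time-use code bound to that client.
    def authorize(self, client_id, redirect_uri, scope, ro_authenticated, consented):
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not ro_authenticated:
            raise PermissionError("resource owner must authenticate first")
        granted = [s for s in scope if s in consented]   # consent UI may narrow the scopes
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": granted, "sub": "alice", "exp": time.time() + 60}
        return code

    # Slides 16-17: the client redeems the code with its own credentials and the AS
    # issues the access token. pop() makes the code unusable a second time.
    def token(self, code, client_id, client_secret, redirect_uri):
        grant = self.codes.pop(code, None)
        client = CLIENTS.get(client_id)
        if grant is None or client is None or client["secret"] != client_secret:
            raise PermissionError("invalid code or client credentials")
        if (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("code was not issued to this client and redirect_uri")
        if time.time() > grant["exp"]:
            raise PermissionError("code expired")
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"sub": grant["sub"], "scope": grant["scope"],
                               "client_id": client_id, "exp": time.time() + 300}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 300}

    # Slide 19: a by-reference token means nothing on its own; the RS asks the AS.
    def introspect(self, access_token):
        grant = self.tokens.get(access_token)
        if grant is None or time.time() > grant["exp"]:
            return {"active": False}
        return {"active": True, **grant}

    # Slide 10: revocation of access is a lookup-table deletion for by-reference tokens.
    def revoke(self, access_token):
        self.tokens.pop(access_token, None)


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    # Slides 18-20: the client presents the bearer token; the RS validates it and
    # checks that the granted scope covers the call before giving access.
    def get_profile(self, bearer_token):
        info = self.auth_server.introspect(bearer_token)
        if not info["active"]:
            return 401, "invalid_token"
        if "profile" not in info["scope"]:
            return 403, "insufficient_scope"
        return 200, f"profile of {info['sub']}"


def run_flow(auth_server, resource_server):
    """Drive the whole flow once; returns the code, the token and the RS response."""
    redirect_uri = CLIENTS["app1"]["redirect_uri"]
    code = auth_server.authorize("app1", redirect_uri, ["profile", "email"],
                                 ro_authenticated=True, consented=["profile"])
    tok = auth_server.token(code, "app1", "s3cret", redirect_uri)
    return code, tok["access_token"], resource_server.get_profile(tok["access_token"])
```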
  • 21. Scopes
    § Like permissions
    § Scopes specify extent of tokens' usefulness
    § Listed on consent UI (if shown)
    § No standardized scopes
  • 22. Kinds of Tokens
    § Access Tokens: like a session; used to secure API calls
    § Refresh Tokens: like a password; used to get new access tokens
  • 23. Profiles of Tokens
    § Bearer: bearer tokens are like cash ($)
    § Holder of Key (HoK): HoK tokens are like credit cards
  • 24. Types of Tokens
    § WS-Security
    § SAML
    § Custom
      § Home-grown
      § Oracle Access Manager
      § SiteMinder
    § JWT
  • 25. JWT Tokens
    § Pronounced like the English word "jot"
    § Lightweight tokens passed in HTTP headers & query strings
    § Akin to SAML tokens
      § Less expressive
      § Fewer security options
      § More compact
      § Encoded w/ JSON not XML
  • 26. Passing Tokens
    (diagram: by reference, the API receives an opaque handle such as "123XYZ"; by value, the token carries the data itself, such as "John Doe")
  • 27. Improper Usage of OAuth
    Not for authentication
    Not really for authorization
    Not for federation
  • 28. Proper Usage of OAuth
    For delegated access
    User to app delegation in particular
  • 29. OpenID Connect
    • Next generation federation protocol
      – Based on OAuth 2
      – Made for mobile
      – Not backward compatible
    • Client & API receive tokens
    • User info endpoint provided for client to get user data
  • 30. OpenID Connect Example
    (sequence diagram between the Browser, the RP / Client and the OAuth AS / OpenID Provider)
    1. Client requests login, providing the "openid" scope & user info scopes
    2. AS returns the access code
    3. Client sends the code to get an access token
    4. AS returns the access token & ID token
    5. Client checks the audience restriction of the ID token
    6. Client gets user info using the access token
    7. AS returns the user info
  • 31. ID Token is for Client
    § Access token is for API; ID token is for client
    § ID token provides client with info about
      § Intended client recipient
      § Username
      § Credential used to login
      § Issuer of token
      § Expiration time
  • 32. User Info Endpoint
    § Token issuance and user discovery endpoint
    § Authenticate using bearer access token issued by OpenID Provider
    § Output depends on requested and authorized scopes
    § sub claim must match sub claim in ID token
  • 33. Applying All this to Micro-services
  • 34. All Micro-services Accept JWTs
    § But translate!
    (diagram: the Resource Owner (RO) in front of the micro-services)
  • 35. Translate from by-ref to by-value in gateway
    (diagram: the RO's by-reference token "123XYZ" reaches the API Firewall / Reverse Proxy, which forwards a by-value token to the APIs)
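The ID token checks on slides 30-32 and the by-reference to by-value translation on slide 35, as one added example that is not part of the deck: HS256 JWTs built from the Python standard library alone. The shared key, the issuer URL, the client id rp-client, the lookup table behind the reference token 123XYZ and the orders-service audience are all constructed; a real deployment would use a JOSE library and usually asymmetric signing keys.

```python
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-shared-secret"   # hypothetical HS256 key shared by AS, gateway and APIs
ISSUER = "https://as.example"         # hypothetical OAuth AS / OpenID Provider
CLIENT_ID = "rp-client"               # hypothetical relying party (the ID token's audience)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(claims: dict, key: bytes = KEY) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def jwt_decode(token: str, audience: str, key: bytes = KEY, issuer: str = ISSUER) -> dict:
    """Check alg, signature, issuer, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience restriction failed")   # slide 30: check the ID token's aud
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def op_issue_id_token(sub: str, ttl: int = 300) -> str:
    """The OpenID Provider mints an ID token addressed to the client (slide 31)."""
    now = int(time.time())
    return jwt_encode({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + ttl})

def client_accepts_login(id_token: str, userinfo: dict) -> dict:
    """Slides 31-32: validate the ID token, then require the user info sub to match its sub."""
    claims = jwt_decode(id_token, audience=CLIENT_ID)
    if userinfo.get("sub") != claims["sub"]:
        raise ValueError("userinfo sub does not match ID token sub")
    return claims

# Slide 35: by-reference tokens stay at the edge. The gateway resolves the reference (a
# constructed table standing in for an AS introspection call) and forwards a by-value JWT.
BY_REF_TOKENS = {"123XYZ": {"sub": "john.doe", "scope": "orders:read"}}

def gateway_translate(by_ref: str, api_audience: str = "orders-service") -> str:
    grant = BY_REF_TOKENS.get(by_ref)
    if grant is None:
        raise ValueError("unknown reference token")
    now = int(time.time())
    return jwt_encode({"iss": ISSUER, "aud": api_audience, "iat": now, "exp": now + 300, **grant})

def microservice_handle(by_value: str) -> tuple:
    """A micro-service accepts only JWTs addressed to it; no call back to the AS is needed."""
    try:
        claims = jwt_decode(by_value, audience="orders-service")
    except ValueError as err:
        return 401, str(err)
    if "orders:read" not in claims.get("scope", "").split():
        return 403, "insufficient_scope"
    return 200, claims["sub"]
```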
  • 36. Additional Resources
    § Blog posts
      § bit.ly/oauth-deep-dive
      § bit.ly/4-api-security-defenses
      § bit.ly/building-secure-api
      § bit.ly/right-api-armor
      § API keys: http://bit.ly/2dI9Z7Q
    § Videos
      § bit.ly/oauth-in-depth
      § bit.ly/micro-services-security
      § bit.ly/building-secure-api-video
    § API security insights
      § http://nordicapis.com/api-insights/security/
  • 37. For more information, visit curity.io
  • 38. Summary
    § API security > API keys & OAuth
    § OAuth 2 fundamentals
      § Token types
      § Profiles
      § Passing tokens
    § Building OpenID Connect on OAuth
  • 39. Thank you!