Michae Blakeney, profile picture
Uploaded byMichae Blakeney
PPTX, PDF112 views

Securing APIs with oAuth2

The document discusses OAuth 2.0, an authorization framework that enables third-party applications to obtain limited access to HTTP services. It outlines various components including resource owner, resource server, client, and authorization server, as well as different authorization flows like client credentials and authorization code grants. Use cases for API access include server-to-server communication and mobile application sales for agents.

Embed presentation

Download to read offline
Securing APIs with oAuth2
Securing APIs with oAuth2 Use Case 2 – Mobile App Use Case 1 – Server to Server What is oAuth2?
PROPRIETARY AND CONFIDENTIAL What is oAuth2? "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." - RFC 6749 3
PROPRIETARY AND CONFIDENTIAL An entity capable of granting access to a protected resource. What is oAuth2? 4 Resource Owner The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. Resource Server An application making protected resource requests on behalf of the resource owner and with its authorization. Client The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. Authorization Server
PROPRIETARY AND CONFIDENTIAL What is oAuth2? • Authorization Code • Implicit • Resource Owner Password Credentials • Client Credentials 5 Authorization Flows
PROPRIETARY AND CONFIDENTIAL Three Hour Boat Tour Travel Insurance, LLC est. 1965
PROPRIETARY AND CONFIDENTIAL Franchise servers need to have API access to the data so that the offices can report on their sales data. Business would like to deploy a mobile app for agents to use to make sales while trolling the docks. Use Cases 7 Server to Server Mobile Sales App
PROPRIETARY AND CONFIDENTIAL Use Case 1 – Server to Server 8
PROPRIETARY AND CONFIDENTIAL Worker App Demo 9
PROPRIETARY AND CONFIDENTIAL Use Case 1 – Server to Server • Client Credentials Flow, RFC 6749 section 4.4 • Bearer tokens, RFC 6750 • Json Web Tokens, RFC 7519 • HS256 and RS256 signatures, RFC 7518 • Using .well_known, RFC 5785, and OpenID Connect Discovery 1.0 • Json Web Key, draft-ietf-jose-json-web-key-41
PROPRIETARY AND CONFIDENTIAL Use Case 2 – Mobile Application 11
PROPRIETARY AND CONFIDENTIAL Web App Demo 12
PROPRIETARY AND CONFIDENTIAL Use Case 2 – Mobile App • Authorization Code Grant Flow, RFC 6749 section 4.1 • Access Token Scope, RFC 6749 section 3.3 • Scopes should be actions on resources • Scopes define the permissions delegated to a client on behalf of the user • Refresh Tokens, OpenId Connect Core 1.0 section 11 Offline Access • For additional security consider PKCE , RFC 7636

More Related Content

PDF
UMA for ACE
byHannes Tschofenig
 
ODP
Security components in mule esb
byhimajareddys
 
PPTX
Adding layers of security to an API in real-time
byRogue Wave Software
 
ODP
Security in mulesoft
byakshay yeluru
 
PPTX
Best Practices for API Security
byMuleSoft
 
PDF
Gravitee.io
byKnoldus Inc.
 
PPTX
FI-WARE Access Control GE (Part 3) – IdM OAuth Setup & Interfaces
bycdanger
 
PDF
CIS14: PingAccess in Action
byCloudIDSummit
 
UMA for ACE
byHannes Tschofenig
 
Security components in mule esb
byhimajareddys
 
Adding layers of security to an API in real-time
byRogue Wave Software
 
Security in mulesoft
byakshay yeluru
 
Best Practices for API Security
byMuleSoft
 
Gravitee.io
byKnoldus Inc.
 
FI-WARE Access Control GE (Part 3) – IdM OAuth Setup & Interfaces
bycdanger
 
CIS14: PingAccess in Action
byCloudIDSummit
 

What's hot

PPTX
Protecting APIs from Mobile Threats- Beyond Oauth
byApigee | Google Cloud
 
PDF
API Security In Cloud Native Era
byWSO2
 
PDF
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
PPTX
Authentication and single sign on (sso)
byKumaresh Chandra Baruri
 
PDF
Learn with WSO2 - API Security
byWSO2
 
PPTX
OAuth2 Introduction
byArpit Suthar
 
PDF
Secure your api from basics to beyond
byAlexandre Faria
 
PDF
Secure your api - from basics to beyond
byAlexandre Faria
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PPTX
Cryptzone: The Software-Defined Perimeter
byCryptzone
 
PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
PDF
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
PDF
CIS14: User-Managed Access
byCloudIDSummit
 
PDF
CIS14: PingAccess 101
byCloudIDSummit
 
PPTX
Extended Security with WSO2 API Management Platform
byWSO2
 
PPTX
Managing Identities in the World of APIs
byApigee | Google Cloud
 
PDF
IETF meeting - SIP OAuth use cases
byVictor Pascual Ávila
 
PPTX
API Security: Securing Digital Channels and Mobile Apps Against Hacks
byAkana
 
PPTX
OAuth
byTom Elrod
 
PPTX
API Security and Management Best Practices
byCA API Management
 
Protecting APIs from Mobile Threats- Beyond Oauth
byApigee | Google Cloud
 
API Security In Cloud Native Era
byWSO2
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
Authentication and single sign on (sso)
byKumaresh Chandra Baruri
 
Learn with WSO2 - API Security
byWSO2
 
OAuth2 Introduction
byArpit Suthar
 
Secure your api from basics to beyond
byAlexandre Faria
 
Secure your api - from basics to beyond
byAlexandre Faria
 
Securing RESTful API
byMuhammad Zbeedat
 
Cryptzone: The Software-Defined Perimeter
byCryptzone
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
CIS14: User-Managed Access
byCloudIDSummit
 
CIS14: PingAccess 101
byCloudIDSummit
 
Extended Security with WSO2 API Management Platform
byWSO2
 
Managing Identities in the World of APIs
byApigee | Google Cloud
 
IETF meeting - SIP OAuth use cases
byVictor Pascual Ávila
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
byAkana
 
OAuth
byTom Elrod
 
API Security and Management Best Practices
byCA API Management
 

Similar to Securing APIs with oAuth2

PDF
When and Why Would I use Oauth2?
byDave Syer
 
PPTX
Enterprise Access Control Patterns for Rest and Web APIs
byCA API Management
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
PDF
OAuth2
bySPARK MEDIA
 
PPTX
Microservices security - jpmc tech fest 2018
byMOnCloud
 
PDF
Draft Ietf Oauth V2 12
byVishal Shah
 
PPT
O auth 2
byNisha Baswal
 
KEY
OAuth 2.0
byAlex Bilbie
 
PPTX
O auth
byAshok Kumar N
 
PDF
Stateless authentication for microservices
byAlvaro Sanchez-Mariscal
 
PPTX
API Management and Mobile App Enablement
byCA API Management
 
PDF
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPTX
OAuth2 para desarrolladores
byLuis Ruiz Pavón
 
PPTX
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 
PDF
Full stack security
byDPC Consulting Ltd
 
PDF
OAuth: Trust Issues
byLorna Mitchell
 
PPTX
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 
When and Why Would I use Oauth2?
byDave Syer
 
Enterprise Access Control Patterns for Rest and Web APIs
byCA API Management
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
byBrian Campbell
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
OAuth2
bySPARK MEDIA
 
Microservices security - jpmc tech fest 2018
byMOnCloud
 
Draft Ietf Oauth V2 12
byVishal Shah
 
O auth 2
byNisha Baswal
 
OAuth 2.0
byAlex Bilbie
 
O auth
byAshok Kumar N
 
Stateless authentication for microservices
byAlvaro Sanchez-Mariscal
 
API Management and Mobile App Enablement
byCA API Management
 
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
OAuth2 para desarrolladores
byLuis Ruiz Pavón
 
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
byCA API Management
 
Full stack security
byDPC Consulting Ltd
 
OAuth: Trust Issues
byLorna Mitchell
 
Oauth2 and OWSM OAuth2 support
byGaurav Sharma
 

Recently uploaded

PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 

Securing APIs with oAuth2

  • 1.
  • 2.
    Securing APIs with oAuth2 UseCase 2 – Mobile App Use Case 1 – Server to Server What is oAuth2?
  • 3.
    PROPRIETARY AND CONFIDENTIAL Whatis oAuth2? "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." - RFC 6749 3
  • 4.
    PROPRIETARY AND CONFIDENTIAL Anentity capable of granting access to a protected resource. What is oAuth2? 4 Resource Owner The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. Resource Server An application making protected resource requests on behalf of the resource owner and with its authorization. Client The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. Authorization Server
  • 5.
    PROPRIETARY AND CONFIDENTIAL Whatis oAuth2? • Authorization Code • Implicit • Resource Owner Password Credentials • Client Credentials 5 Authorization Flows
  • 6.
    PROPRIETARY AND CONFIDENTIAL ThreeHour Boat Tour Travel Insurance, LLC est. 1965
  • 7.
    PROPRIETARY AND CONFIDENTIAL Franchiseservers need to have API access to the data so that the offices can report on their sales data. Business would like to deploy a mobile app for agents to use to make sales while trolling the docks. Use Cases 7 Server to Server Mobile Sales App
  • 8.
    PROPRIETARY AND CONFIDENTIAL UseCase 1 – Server to Server 8
  • 9.
  • 10.
    PROPRIETARY AND CONFIDENTIAL UseCase 1 – Server to Server • Client Credentials Flow, RFC 6749 section 4.4 • Bearer tokens, RFC 6750 • Json Web Tokens, RFC 7519 • HS256 and RS256 signatures, RFC 7518 • Using .well_known, RFC 5785, and OpenID Connect Discovery 1.0 • Json Web Key, draft-ietf-jose-json-web-key-41
  • 11.
    PROPRIETARY AND CONFIDENTIAL UseCase 2 – Mobile Application 11
  • 12.
  • 13.
    PROPRIETARY AND CONFIDENTIAL UseCase 2 – Mobile App • Authorization Code Grant Flow, RFC 6749 section 4.1 • Access Token Scope, RFC 6749 section 3.3 • Scopes should be actions on resources • Scopes define the permissions delegated to a client on behalf of the user • Refresh Tokens, OpenId Connect Core 1.0 section 11 Offline Access • For additional security consider PKCE , RFC 7636

Editor's Notes

  • #5 Resource Owner:  When the resource owner is a person, it is referred to as an end-user. Client: The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
  • #9 POST {Token Endpoint} HTTP/1.1 Host: {Authorization Server} Authorization: Basic {Client Credentials} Content-Type: application/x-www-form-urlecodedgrant_type=client_credentials // - Required &scope={Scopes}
  • #12 GET {Authorization Endpoint} ?response_type=code // - Required &client_id={Client ID} // - Required &redirect_uri={Redirect URI} // - Conditionally required &scope={Scopes} // - Optional &state={Arbitrary String} // - Recommended &code_challenge={Challenge} // - Optional &code_challenge_method={Method} // - Optional HTTP/1.1 HOST: {Authorization Server} POST {Token Endpoint} HTTP/1.1 Host: {Authorization Server} Content-Type: application/x-www-form-urlencodedgrant_type=authorization_code // - Required &code={Authorization Code} // - Required &redirect_uri={Redirect URI} // - Required if the authorization // request included 'redirect_uri'. &code_verifier={Verifier} // - Required if the authorization // request included // 'code_challenge'.