SlideShare a Scribd company logo

Securing RESTful APIs using OAuth 2 and OpenID Connect

ā€¢Download as PPTX, PDFā€¢
ā€¢
Jonathan LeBlanc
Jonathan LeBlanc

Constructing a successful and simple API is the lifeblood of your developer community. As we construct our API we need a secure way to authenticate and track apps & requests; OAuth 2 provides us with a secure and open way of doing just this. In this talk, we will examine REST and OAuth 2 as standards for building secure API infrastructures, exploring architectural decisions in choosing REST standard variations and implementations of OAuth 2

1 of 34
Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
Why do we Need This?
Poor Password Choices ā€¢ 4.7% of users have the password password; ā€¢ 8.5% have the passwords password or 123456; ā€¢ 9.8% have the passwords password, 123456 or 12345678; ā€¢ 14% have a password from the top 10 passwords ā€¢ 40% have a password from the top 100 passwords ā€¢ 79% have a password from the top 500 passwords ā€¢ 91% have a password from the top 1000 passwords
ā€¦And of Whatā€™s Left 1. Petā€™s name 2. Significant dates (like a wedding anniversary) 3. Date of birth of close relation 4. Childā€™s name 5. Other family memberā€™s name 6. Place of birth 7. Favorite holiday 8. Something related to favorite football team 9. Current partnerā€™s name
Handing Over Account Passwords
Malicious Applications
Aspects of Revocation
App Revoked by User App Revoked by Service Provider
Path to the Standard
Username & Password to Auth
Rise of the Token
Two Widely Used Specifications
REST Request Components
How Requests are Made curl -v https://api.sandbox.paypal.com/v1/payments/payme nt -H "Content-Type:application/json" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
How Auth is Added in curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization: Bearer {accessToken}" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
Attack Vectors Man in the Middle Replay Attacks Cross-Site Request Forgery (CSRF)
Adding in the Auth
Reasons for Auth Rate Limiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
When You Need Access Security
User Login (authentication) User Involvement (authorization) Application Only (monitoring)
Practical Implementation
Redirect the User to Log In Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
Fetching the Access Token Fetch the Access Token Access Token Endpoint client_id grant_type client_secret code HTTP POST Access Token Endpoint
Fetching the Access Token curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFdā€¦" -d "grant_type=client_credentials"
Access Token Response { "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6Kā€¦", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
Using the Access Token Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
Using the Access Token curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkvā€¦" -d "{...}"
Maintaining SDK Consistency
Defining APIs with WADL / WSDL
<?xml version="1.0" encoding="UTF-8"?> <description xmlns="http://www.w3.org/ns/wsdl" ...> <types> ā€¦ </types> <interface name="Interface1"> ā€¦ </interface> <binding name="HttpBinding" interface="tns:Interface1ā€> <operation ref="tns:Get" whttp:method="GET"/> </binding> <binding name="SoapBinding" interface="tns:Interface1" ā€¦> <operation ref="tns:Get" /> </binding> <service name="Service1" interface="tns:Interface1"> <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/> <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/> </service> </description>
<?xml version="1.0"?> <application xmlns:xsi=ā€¦> <grammars> <include href="NewsSearchResponse.xsd"/> <include href="Error.xsd"/> </grammars> <resources base="http://api.search.yahoo.com/NewsSearchService/V1/"> <resource path="newsSearch"> <method name="GET" id="search"> <request> <param name="appid" type="xsd:string" required="true"/> <param name="query" type="xsd:string" required="true"/> </request> <response status="400"> <representation mediaType="application/xml" element="ya:Error"/> </response> </method> </resource> </resources> </application>
Genio (templates) https://github.com/paypal/genio Genio Parser (model builder) https://github.com/paypal/genio-parser Genio Samples https://github.com/paypal/genio-sample Building SDKs Automatically
Final Considerations REST and OAuth are specifications, not religions Donā€™t alienate your developers with security Open source is your friend
Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal

Recommended

A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
Shane Stanley
Ā 
Facebook data breach and OAuth2
Facebook data breach and OAuth2 Facebook data breach and OAuth2
Facebook data breach and OAuth2
Leonard Moustacchis
Ā 
Security 101
Security 101Security 101
Security 101
George V. Reilly
Ā 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
Ā 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
Ā 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
Ā 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
Ā 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
Ā 

Recommended

A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
Shane Stanley
Ā 
Facebook data breach and OAuth2
Facebook data breach and OAuth2 Facebook data breach and OAuth2
Facebook data breach and OAuth2
Leonard Moustacchis
Ā 
Security 101
Security 101Security 101
Security 101
George V. Reilly
Ā 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
Ā 
Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015Stateless authentication for microservices - GR8Conf 2015
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
Ā 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
Ā 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
Ā 
Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2Securing RESTful Payment APIs Using OAuth 2
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
Ā 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
Mohammed A. Imran
Ā 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
Ā 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
Ā 
Owasp eee 2015 csrf
Owasp eee 2015 csrfOwasp eee 2015 csrf
Owasp eee 2015 csrf
Aurelijus Stanislovaitis
Ā 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
Ā 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
Ā 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 example
Mattia Reggiani
Ā 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
Ā 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
Secure Code Warrior
Ā 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
Ā 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
Ā 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Sperasoft
Ā 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
Ā 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
Ā 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
Ā 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extensionNat Sakimura
Ā 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003
Syed Ali Raza
Ā 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
Ā 
How to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - IntroductionHow to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - Introduction
Javier CerviƱo
Ā 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
Ā 
The Upheaval of Open Commerce
The Upheaval of Open CommerceThe Upheaval of Open Commerce
The Upheaval of Open Commerce
Jonathan LeBlanc
Ā 
Patologia benigna de estomago
Patologia benigna de estomagoPatologia benigna de estomago
Patologia benigna de estomagoandrexcordoba
Ā 

More Related Content

What's hot

Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
Mohammed A. Imran
Ā 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
Ā 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
Ā 
Owasp eee 2015 csrf
Owasp eee 2015 csrfOwasp eee 2015 csrf
Owasp eee 2015 csrf
Aurelijus Stanislovaitis
Ā 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
Ā 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthfossmy
Ā 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 example
Mattia Reggiani
Ā 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
Ā 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
Secure Code Warrior
Ā 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
Ā 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
Ā 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Sperasoft
Ā 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
Ā 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
Ā 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Stormpath
Ā 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extensionNat Sakimura
Ā 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003
Syed Ali Raza
Ā 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
Ā 
How to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - IntroductionHow to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - Introduction
Javier CerviƱo
Ā 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
Ā 

What's hot (20)

Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
Ā 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Ā 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
Ā 
Owasp eee 2015 csrf
Owasp eee 2015 csrfOwasp eee 2015 csrf
Owasp eee 2015 csrf
Ā 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
Ā 
Mohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuthMohanraj - Securing Your Web Api With OAuth
Mohanraj - Securing Your Web Api With OAuth
Ā 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 example
Ā 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Ā 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
Ā 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Ā 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Ā 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Ā 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Ā 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Ā 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
Ā 
Transient client secret extension
Transient client secret extensionTransient client secret extension
Transient client secret extension
Ā 
O auth2.0 20141003
O auth2.0 20141003O auth2.0 20141003
O auth2.0 20141003
Ā 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Ā 
How to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - IntroductionHow to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - Introduction
Ā 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Ā 

Viewers also liked

The Upheaval of Open Commerce
The Upheaval of Open CommerceThe Upheaval of Open Commerce
The Upheaval of Open Commerce
Jonathan LeBlanc
Ā 
Patologia benigna de estomago
Patologia benigna de estomagoPatologia benigna de estomago
Patologia benigna de estomagoandrexcordoba
Ā 
Building on Social Application Platforms
Building on Social Application PlatformsBuilding on Social Application Platforms
Building on Social Application Platforms
Jonathan LeBlanc
Ā 
Facebook for the Floundering
Facebook for the FlounderingFacebook for the Floundering
Facebook for the FlounderingLesley Miller
Ā 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
Kamyar Mohager
Ā 
Salem State College's Employee Handbook
Salem State College's Employee HandbookSalem State College's Employee Handbook
Salem State College's Employee Handbook
Martha White
Ā 

Viewers also liked (6)

The Upheaval of Open Commerce
The Upheaval of Open CommerceThe Upheaval of Open Commerce
The Upheaval of Open Commerce
Ā 
Patologia benigna de estomago
Patologia benigna de estomagoPatologia benigna de estomago
Patologia benigna de estomago
Ā 
Building on Social Application Platforms
Building on Social Application PlatformsBuilding on Social Application Platforms
Building on Social Application Platforms
Ā 
Facebook for the Floundering
Facebook for the FlounderingFacebook for the Floundering
Facebook for the Floundering
Ā 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedIn
Ā 
Salem State College's Employee Handbook
Salem State College's Employee HandbookSalem State College's Employee Handbook
Salem State College's Employee Handbook
Ā 

Similar to Securing RESTful APIs using OAuth 2 and OpenID Connect

Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...
CA API Management
Ā 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Orest Ivasiv
Ā 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
guestd5dde6
Ā 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Matt Raible
Ā 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Matt Raible
Ā 
Access Management for Cloud and Mobile
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and Mobile
ForgeRock
Ā 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Dilip Mohapatra
Ā 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
Ā 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
Ā 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
Matt Raible
Ā 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
Kenji Otsuka
Ā 
CIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC ConnectCIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC Connect
CloudIDSummit
Ā 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
Ā 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
Ā 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
Stormpath
Ā 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
Ā 
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
Eric Shupps
Ā 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Channa Ly
Ā 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
CA API Management
Ā 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
JosƩ Haro Peralta
Ā 

Similar to Securing RESTful APIs using OAuth 2 and OpenID Connect (20)

Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...
Understanding Identity in the World of Web APIs ā€“ Ronnie Mitra, API Architec...
Ā 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Ā 
UserCentric Identity based Service Invocation
UserCentric Identity based Service InvocationUserCentric Identity based Service Invocation
UserCentric Identity based Service Invocation
Ā 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
Ā 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
Ā 
Access Management for Cloud and Mobile
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and Mobile
Ā 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Ā 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Ā 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Ā 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
Ā 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
Ā 
CIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC ConnectCIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC Connect
Ā 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Ā 
Web API Security
Web API SecurityWeb API Security
Web API Security
Ā 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
Ā 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
Ā 
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
SPS Houston - Who Are You and What Do You Want? Working With OAuth in SharePo...
Ā 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
Ā 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Ā 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
Ā 

More from Jonathan LeBlanc

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
Ā 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
Ā 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
Ā 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
Jonathan LeBlanc
Ā 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
Jonathan LeBlanc
Ā 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
Jonathan LeBlanc
Ā 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
Jonathan LeBlanc
Ā 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
Jonathan LeBlanc
Ā 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
Jonathan LeBlanc
Ā 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
Ā 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
Ā 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
Ā 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
Ā 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
Ā 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Jonathan LeBlanc
Ā 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
Jonathan LeBlanc
Ā 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
Jonathan LeBlanc
Ā 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
Ā 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Jonathan LeBlanc
Ā 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
Ā 

More from Jonathan LeBlanc (20)

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
Ā 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
Ā 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
Ā 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
Ā 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
Ā 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
Ā 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
Ā 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
Ā 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
Ā 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
Ā 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
Ā 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Ā 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from Scratch
Ā 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Ā 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Ā 
Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
Ā 
PHP Identity and Data Security
PHP Identity and Data SecurityPHP Identity and Data Security
PHP Identity and Data Security
Ā 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Ā 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Ā 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
Ā 

Recently uploaded

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
Ā 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
Ā 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
Ā 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
Ā 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
Ā 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
Ā 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
Ā 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
Ā 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
Ā 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
Ā 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
Ā 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
Ā 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
Ā 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
Ā 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
Ā 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
Ā 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
Ā 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
Ā 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
Ā 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
Ā 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Ā 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Ā 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ā 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Ā 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Ā 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
Ā 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Ā 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
Ā 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Ā 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Ā 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Ā 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Ā 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
Ā 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Ā 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Ā 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Ā 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Ā 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Ā 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ā 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Ā 

Securing RESTful APIs using OAuth 2 and OpenID Connect

  • 1. Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
  • 2. Why do we Need This?
  • 3. Poor Password Choices ā€¢ 4.7% of users have the password password; ā€¢ 8.5% have the passwords password or 123456; ā€¢ 9.8% have the passwords password, 123456 or 12345678; ā€¢ 14% have a password from the top 10 passwords ā€¢ 40% have a password from the top 100 passwords ā€¢ 79% have a password from the top 500 passwords ā€¢ 91% have a password from the top 1000 passwords
  • 4. ā€¦And of Whatā€™s Left 1. Petā€™s name 2. Significant dates (like a wedding anniversary) 3. Date of birth of close relation 4. Childā€™s name 5. Other family memberā€™s name 6. Place of birth 7. Favorite holiday 8. Something related to favorite football team 9. Current partnerā€™s name
  • 8. App Revoked by User App Revoked by Service Provider
  • 9. Path to the Standard
  • 11. Rise of the Token
  • 12. Two Widely Used Specifications
  • 14. How Requests are Made curl -v https://api.sandbox.paypal.com/v1/payments/payme nt -H "Content-Type:application/json" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
  • 15. How Auth is Added in curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization: Bearer {accessToken}" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
  • 16. Attack Vectors Man in the Middle Replay Attacks Cross-Site Request Forgery (CSRF)
  • 18. Reasons for Auth Rate Limiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
  • 19. When You Need Access Security
  • 22. Redirect the User to Log In Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
  • 23. Fetching the Access Token Fetch the Access Token Access Token Endpoint client_id grant_type client_secret code HTTP POST Access Token Endpoint
  • 24. Fetching the Access Token curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFdā€¦" -d "grant_type=client_credentials"
  • 25. Access Token Response { "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6Kā€¦", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
  • 26. Using the Access Token Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
  • 27. Using the Access Token curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkvā€¦" -d "{...}"
  • 29. Defining APIs with WADL / WSDL
  • 30. <?xml version="1.0" encoding="UTF-8"?> <description xmlns="http://www.w3.org/ns/wsdl" ...> <types> ā€¦ </types> <interface name="Interface1"> ā€¦ </interface> <binding name="HttpBinding" interface="tns:Interface1ā€> <operation ref="tns:Get" whttp:method="GET"/> </binding> <binding name="SoapBinding" interface="tns:Interface1" ā€¦> <operation ref="tns:Get" /> </binding> <service name="Service1" interface="tns:Interface1"> <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/> <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/> </service> </description>
  • 31. <?xml version="1.0"?> <application xmlns:xsi=ā€¦> <grammars> <include href="NewsSearchResponse.xsd"/> <include href="Error.xsd"/> </grammars> <resources base="http://api.search.yahoo.com/NewsSearchService/V1/"> <resource path="newsSearch"> <method name="GET" id="search"> <request> <param name="appid" type="xsd:string" required="true"/> <param name="query" type="xsd:string" required="true"/> </request> <response status="400"> <representation mediaType="application/xml" element="ya:Error"/> </response> </method> </resource> </resources> </application>
  • 32. Genio (templates) https://github.com/paypal/genio Genio Parser (model builder) https://github.com/paypal/genio-parser Genio Samples https://github.com/paypal/genio-sample Building SDKs Automatically
  • 33. Final Considerations REST and OAuth are specifications, not religions Donā€™t alienate your developers with security Open source is your friend
  • 34. Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal