Apigee | Google Cloud, profile picture
Uploaded byApigee | Google Cloud
2,340 views

OAuth: The API Gatekeeper

The document outlines a presentation agenda covering access control, OAuth history, OAuth flows, implementation steps, and potential issues that may arise. It details the lifecycle of authorization codes and access tokens, including database keying and JWT considerations. Additionally, it addresses common problems such as client secret compromises, access token vulnerabilities, and user revocation of authorization.

Embed presentation

Downloaded 49 times
The API Gatekeeper Dick Hardt Monday, November 4, 13
Agenda 2 Monday, November 4, 13
Agenda •Access Control Overview 2 Monday, November 4, 13
Agenda •Access Control Overview •OAuth History 2 Monday, November 4, 13
Agenda •Access Control Overview •OAuth History •OAuth Flows 2 Monday, November 4, 13
Agenda •Access Control Overview •OAuth History •OAuth Flows •Implementation Steps 2 Monday, November 4, 13
Agenda •Access Control Overview •OAuth History •OAuth Flows •Implementation Steps •What can go wrong? 2 Monday, November 4, 13
Agenda •Access Control Overview •OAuth History •OAuth Flows •Implementation Steps •What can go wrong? •Q & A 2 Monday, November 4, 13
Authorization Code 3 Monday, November 4, 13
Authorization Code •key into database 3 Monday, November 4, 13
Authorization Code •key into database –user, scope, app id, expiry (5 min) 3 Monday, November 4, 13
Authorization Code •key into database –user, scope, app id, expiry (5 min) •token (self contained) 3 Monday, November 4, 13
Authorization Code •key into database –user, scope, app id, expiry (5 min) •token (self contained) –user, scope, app id, expiry (5 min) 3 Monday, November 4, 13
Authorization Code •key into database –user, scope, app id, expiry (5 min) •token (self contained) –user, scope, app id, expiry (5 min) –JWT 3 Monday, November 4, 13
Access Token Lifecycle 4 Monday, November 4, 13
Access Token Lifecycle •key into database 4 Monday, November 4, 13
Access Token Lifecycle •key into database –user, scope, app id, expiry, status 4 Monday, November 4, 13
Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) 4 Monday, November 4, 13
Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) 4 Monday, November 4, 13
Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT 4 Monday, November 4, 13
Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT •Refresh token 4 Monday, November 4, 13
Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT •Refresh token –user, scope, app id, expiry / status 4 Monday, November 4, 13
Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT •Refresh token –user, scope, app id, expiry / status –JWT 4 Monday, November 4, 13
API Authorization Middleware implementation dependent Monday, November 4, 13
X-RateLimit-Limit: 500 X-RateLimit-Remaining: 432 Monday, November 4, 13
Developer Documentation / Sandbox Monday, November 4, 13
Developer Documentation / Sandbox Monday, November 4, 13
What can go wrong? 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret •Compromise of access tokens (server) 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret •Compromise of access token (client) 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret •Compromise of access token (client) –User revokes authorization 8 Monday, November 4, 13
What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret •Compromise of access token (client) –User revokes authorization •Resolution is self service 8 Monday, November 4, 13

More Related Content

PDF
Incident response, Hacker Techniques and Countermeasures
byJose L. Quiñones-Borrero
 
PDF
Cryto Party at CCU
byJose L. Quiñones-Borrero
 
PDF
HAcktive Directory - Microsoft Meetup July 2020
byYossi Sassi
 
PDF
Data Driven Security
byApigee | Google Cloud
 
PDF
API Security and OAuth for the Enterprise
byCA API Management
 
ODP
Securing your Web API with OAuth
byMohan Krishnan
 
PPTX
Twitter API & OAuth 101 TVUG October 2009
byAndrew Badera
 
PDF
OAuth 2.0 - Because API
byTheodor Tonum
 
Incident response, Hacker Techniques and Countermeasures
byJose L. Quiñones-Borrero
 
Cryto Party at CCU
byJose L. Quiñones-Borrero
 
HAcktive Directory - Microsoft Meetup July 2020
byYossi Sassi
 
Data Driven Security
byApigee | Google Cloud
 
API Security and OAuth for the Enterprise
byCA API Management
 
Securing your Web API with OAuth
byMohan Krishnan
 
Twitter API & OAuth 101 TVUG October 2009
byAndrew Badera
 
OAuth 2.0 - Because API
byTheodor Tonum
 

Viewers also liked

PPTX
API Management and OAuth for Web, Mobile and the Cloud: Scott Morrison's Pres...
byCA API Management
 
PDF
Implementing OAuth with PHP
byLorna Mitchell
 
PDF
Secure and Govern Integration between the Enterprise & the Cloud
byCA API Management
 
PDF
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
byCA API Management
 
PDF
A How-to Guide to OAuth & API Security
byCA API Management
 
PDF
OAuth for your API - The Big Picture
byApigee | Google Cloud
 
PPT
Open API Ecosystem Overview: December 2010
byJohn Musser
 
PPTX
Whitebase : Assault Carrier for Micro-Services
byJaewoo Ahn
 
PDF
OAuth - Open API Authentication
byleahculver
 
PDF
Oracle API Gateway
byRakesh Gujjarlapudi
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
PPTX
An Introduction to OAuth 2
byAaron Parecki
 
PPTX
Api gateway : To be or not to be
byJaewoo Ahn
 
PPTX
Secure Your REST API (The Right Way)
byStormpath
 
API Management and OAuth for Web, Mobile and the Cloud: Scott Morrison's Pres...
byCA API Management
 
Implementing OAuth with PHP
byLorna Mitchell
 
Secure and Govern Integration between the Enterprise & the Cloud
byCA API Management
 
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
byCA API Management
 
A How-to Guide to OAuth & API Security
byCA API Management
 
OAuth for your API - The Big Picture
byApigee | Google Cloud
 
Open API Ecosystem Overview: December 2010
byJohn Musser
 
Whitebase : Assault Carrier for Micro-Services
byJaewoo Ahn
 
OAuth - Open API Authentication
byleahculver
 
Oracle API Gateway
byRakesh Gujjarlapudi
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
An Introduction to OAuth 2
byAaron Parecki
 
Api gateway : To be or not to be
byJaewoo Ahn
 
Secure Your REST API (The Right Way)
byStormpath
 

Similar to OAuth: The API Gatekeeper

PPTX
API security
byEduards Salnikovs
 
PDF
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
PDF
OAuth in the Real World featuring Webshell
byCA API Management
 
PDF
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
PDF
IBM Index Conference - 10 steps to build token based API Security
bySenthilkumar Gopal
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PDF
Securing APIs with OAuth 2.0
byKai Hofstetter
 
PPTX
Api security
byteodorcotruta
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
PDF
Beyond API Authorization
byJared Hanson
 
PDF
Draft Ietf Oauth V2 12
byVishal Shah
 
PPTX
OAuth
byAdi Challa
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PPTX
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
PDF
Are You Properly Using JWTs?
by42Crunch
 
PPTX
Securing APIs using OAuth 2.0
byAdam Lewis
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PPTX
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 
API security
byEduards Salnikovs
 
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
OAuth in the Real World featuring Webshell
byCA API Management
 
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
IBM Index Conference - 10 steps to build token based API Security
bySenthilkumar Gopal
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
Securing RESTful API
byMuhammad Zbeedat
 
Securing APIs with OAuth 2.0
byKai Hofstetter
 
Api security
byteodorcotruta
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
Beyond API Authorization
byJared Hanson
 
Draft Ietf Oauth V2 12
byVishal Shah
 
OAuth
byAdi Challa
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
byNilanjan Roy
 
Are You Properly Using JWTs?
by42Crunch
 
Securing APIs using OAuth 2.0
byAdam Lewis
 
API Security Best Practices and Guidelines
byWSO2
 
Unit 3_detailed_automotiving_mobiles.pptx
byVijaySasanM21IT
 

More from Apigee | Google Cloud

PDF
How Secure Are Your APIs?
byApigee | Google Cloud
 
PDF
Magazine Luiza at a glance (1)
byApigee | Google Cloud
 
PPTX
Monetization: Unlock More Value from Your APIs
byApigee | Google Cloud
 
PDF
Apigee Demo: API Platform Overview
byApigee | Google Cloud
 
PDF
Ticketmaster at a glance
byApigee | Google Cloud
 
PDF
AccuWeather: Recasting API Experiences in a Developer-First World
byApigee | Google Cloud
 
PDF
Which Application Modernization Pattern Is Right For You?
byApigee | Google Cloud
 
PPTX
Apigee Product Roadmap Part 2
byApigee | Google Cloud
 
PPTX
The Four Transformative Forces of the API Management Market
byApigee | Google Cloud
 
PDF
Walgreens at a glance
byApigee | Google Cloud
 
PDF
Apigee Edge: Intro to Microgateway
byApigee | Google Cloud
 
PDF
Managing the Complexity of Microservices Deployments
byApigee | Google Cloud
 
PDF
Pitney Bowes at a glance
byApigee | Google Cloud
 
PPTX
Microservices Done Right: Key Ingredients for Microservices Success
byApigee | Google Cloud
 
PDF
Adapt or Die: Opening Keynote with Chet Kapoor
byApigee | Google Cloud
 
PDF
Adapt or Die: Keynote with Greg Brail
byApigee | Google Cloud
 
PDF
Adapt or Die: Keynote with Anant Jhingran
byApigee | Google Cloud
 
PDF
London Adapt or Die: Opening Keynot
byApigee | Google Cloud
 
PDF
London Adapt or Die: Lunch keynote
byApigee | Google Cloud
 
PDF
London Adapt or Die: Closing Keynote — Adapt Now!
byApigee | Google Cloud
 
How Secure Are Your APIs?
byApigee | Google Cloud
 
Magazine Luiza at a glance (1)
byApigee | Google Cloud
 
Monetization: Unlock More Value from Your APIs
byApigee | Google Cloud
 
Apigee Demo: API Platform Overview
byApigee | Google Cloud
 
Ticketmaster at a glance
byApigee | Google Cloud
 
AccuWeather: Recasting API Experiences in a Developer-First World
byApigee | Google Cloud
 
Which Application Modernization Pattern Is Right For You?
byApigee | Google Cloud
 
Apigee Product Roadmap Part 2
byApigee | Google Cloud
 
The Four Transformative Forces of the API Management Market
byApigee | Google Cloud
 
Walgreens at a glance
byApigee | Google Cloud
 
Apigee Edge: Intro to Microgateway
byApigee | Google Cloud
 
Managing the Complexity of Microservices Deployments
byApigee | Google Cloud
 
Pitney Bowes at a glance
byApigee | Google Cloud
 
Microservices Done Right: Key Ingredients for Microservices Success
byApigee | Google Cloud
 
Adapt or Die: Opening Keynote with Chet Kapoor
byApigee | Google Cloud
 
Adapt or Die: Keynote with Greg Brail
byApigee | Google Cloud
 
Adapt or Die: Keynote with Anant Jhingran
byApigee | Google Cloud
 
London Adapt or Die: Opening Keynot
byApigee | Google Cloud
 
London Adapt or Die: Lunch keynote
byApigee | Google Cloud
 
London Adapt or Die: Closing Keynote — Adapt Now!
byApigee | Google Cloud
 

Recently uploaded

PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
API-First Architecture in Financial Systems
bycyy111112
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 

OAuth: The API Gatekeeper