The document discusses the integration of third-party providers for APIs using OAuth 2.0, focusing on issues of identity issuance, verification, and trust between organizations. It outlines different types of identities (1st party and 3rd party) and the mechanisms for accessing APIs, including the issuance and verification of tokens. The conclusion emphasizes the need for a clear trust model and standardized identity management practices.

1. Third Party Provider
Integration for APIs
Leverage OAuth 2.0 for TPP access
Copyright Curity AB 2018

2. The problem with Identity
• Who issues identities
• Can we trust them
• Can we verify that they issued it
Copyright Curity AB 2017 2

3. Entity Definition
Copyright Curity AB 2017 3
Organization Partner Organization Non-Partner Organization

4. Use-case: API Access
Copyright Curity AB 2017 4
Organization
Partner Organization
Non-Partner OrganizationAPIs &
Services

5. How to allow access?
• How to verify caller
• How to verify on who’s behalf the call is made
Copyright Curity AB 2018 5

6. Who defines the identity?
Copyright Curity AB 2017 6
1st party Identity
Issued by Organization
3rd party Identity
Issued by Partner Organization
3rd party Identity
Issued by Non-Partner Organization

7. • Bank has direct relationship
• Identity is verified by Bank
1st Party Identity – issued by Organization
Copyright Curity AB 2017 7
1st party Customer

8. • Organization has direct
relationship with 3rd party
• Trust
• Legal contract
• Users are known ?
• Identity is verified by 3rd party
3rd Party Identity– issued by Partner
Copyright Curity AB 2017 8
3rd party Customer

9. • Bank has no relationship with
3rd party
• User is known ?
• Identity is verified by 3rd party
• No legal contract
• Trust?
3rd Party Identity– issued by Non-Partner
Copyright Curity AB 2017 9
3rd party Customer

10. 1st party identity access
Copyright Curity AB 2017 10
Organization
APIs &
Services
1. Call API
Partner or Non-Partner Organization

11. 1st party identity access
Copyright Curity AB 2017 11
Organization
APIs &
Services
2. Access Denied: Authenticate
Partner or Non-Partner Organization

12. 1st party identity access
Copyright Curity AB 2017 12
Organization
APIs &
Services
3. Request Token (start in browser)
Partner or Non-Partner Organization

13. 1st party identity access
Copyright Curity AB 2017 13
Organization
APIs &
Services
4. User Authenticates
Partner or Non-Partner Organization

14. 1st party identity access
Copyright Curity AB 2017 14
Organization
APIs &
Services
5. Token is issued
Partner or Non-Partner Organization

15. 1st party identity access
Copyright Curity AB 2017 15
Organization
APIs &
Services
6. Call API Partner or Non-Partner Organization

16. 1st party identity access
Copyright Curity AB 2017 16
Organization
APIs &
Services
7. Access is granted Partner or Non-Partner Organization

17. The Token
• Contains information about:
• Calling organization
• The user that authenticated
• APIs the caller may use (via scopes or claims)
Copyright Curity AB 2018 17

18. The API
• Verifies token
• Verifies the issuer of the token (your org)
• Extracts user identity
• Agnostic to how the token was obtained
• API + Token = Contract
Copyright Curity AB 2018 18

19. 3rd party identity – issued by Partner
Copyright Curity AB 2017 19
Organization
APIs &
Services
Partner Organization
1. Call API

20. 3rd party identity – issued by Partner
Copyright Curity AB 2017 20
Organization
APIs &
Services
Partner Organization
2. Access Denied - authenticate

21. 3rd party identity – issued by Partner
Copyright Curity AB 2017 21
Organization
APIs &
Services
Partner Organization
3. Request Token

22. 3rd party identity – issued by Partner
Copyright Curity AB 2017 22
Organization
APIs &
Services
Partner Organization
4. User Authenticates

23. 3rd party identity – issued by Partner
Copyright Curity AB 2017 23
Organization
APIs &
Services
Partner Organization
5. Partner token issued

24. 3rd party identity – issued by Partner
Copyright Curity AB 2017 24
Organization
APIs &
Services
Partner Organization
6. Request API token

25. 3rd party identity – issued by Partner
Copyright Curity AB 2017 25
Organization
APIs &
Services
Partner Organization
7. Token issued

26. 3rd party identity – issued by Partner
Copyright Curity AB 2017 26
Organization
APIs &
Services
Partner Organization8. Call API

27. • The organization verifies the
token
• Legal contract binds token
contents
• Authentication requirements
• Other requirements
• API never sees “foreign”
tokens
Token exchange
Copyright Curity AB 2017 27

28. Organizational trust
Copyright Curity AB 2017 28
Deep access can be given, due to trust

29. What about Non-partners
• No explicit legal contract
• Law?
• Agreed upon convention
• Level of trust?
Copyright Curity AB 2018 29

30. What can we use?
• PKI – the global trust framework
• Used on the WEB
• Tokens are signed by who they
say they are
• Still – can we trust them?
• At least we can audit
Copyright Curity AB 2018 30

31. Signed tokens
• JSON Web Tokens
• Signed with a private key
• Verified with public key
• Contains data
Copyright Curity AB 2018 31

32. {
"sub": "janedoe",
"name" : "Jane Doe",
"email" : "jane@doe.com",
"phone_number" "+46 (0) 12345678",
"aud": "https://mymail.com",
"iss": "https://fs.example.com",
"nbf": 1409213888783,
"jti": "622a9973-fc4d-4797-be31-7c2116f549df",
"exp": 1409213890583,
"iat": 1409213888783
}
{
"iss": "https://fs.example.com",
"x5t": "5F0A1359B4BB9FBB104155908DEC1FDCB5AC8865",
"typ": "JWT",
"alg": "RS256”
}
Certificate
orQOOKvXN3jbEpBSl0RHAyaQNxcx9DFgtMsJJgMxm9Az6QJMKKy6m0WvP1UzXZA
_nsK16g9etg2yEW9IXbQU0RbSQktUtObRB9SxHtW_AcCk693XDAz15Y4aP9DeD62n
ROzd1MS4FZTmY3Cgzo1-3-
sqW6_4Rgzs94aLO3aLP_zoVtJycCUKtJQhGhPTyjXXYWMsp0E4uTtL8Rif7cWu4olme
_XNFlAs73pOrfzsQYc1GD2dB70l1M8SDaJZFURr9jAAaavX7Xqs_FPXY1PZLXLbc3ARX
FmRf_-Z4B6uLCGI2shzl12ni54Yun6dflL9rQwaxXYuNZZodUWchID2cA
Signature
JSON Web Tokens

33. 3rd party identity – issued by Non-Partner
Copyright Curity AB 2017 33
Organization
APIs &
Services
Non-Partner Organization

34. 3rd party identity – issued by Non-Partner
Copyright Curity AB 2017 34
Organization
APIs &
Services
Non-Partner Organization
2. Verify Signature

35. 3rd party identity – issued by Non-Partner
Copyright Curity AB 2017 35
Organization
APIs &
Services
Non-Partner Organization
3. Issue Token

36. 3rd party identity – issued by Non-Partner
Copyright Curity AB 2017 36
Organization
APIs &
Services
Non-Partner Organization
4. Call API

37. The issue with Trust
• Anyone can buy certificates
• All it says is: I’m holding this key
• For audit that’s good
• For identity verification – probably not enough
• White-list organizations?
• New trust authority for banking?
Copyright Curity AB 2017 37

38. Conclusion
• Trust is complex
• Use an open standard like OAuth 2.0
• Each organization should have a single point of trust
• Control where access is granted
• Avoid spaghetti of trust
• Your Identity management needs to be a toolbox of standards
Copyright Curity AB 2018 38

39. Visit curity.io or e-mail us for more information
Copyright Curity AB 2017