In today’s API economy, APIs are an integral part of every organization. APIs play a key role in enabling organizations to connect seamlessly with customers, partners, and employees. With the growth of API usage and the number of APIs, organizations increasingly rely on API management solutions to manage API usage. Given today’s threat landscape, API security is a key consideration and a major component of an API management solution. In this webinar, you will learn how API management solutions can leverage identity and access management (IAM) capabilities of WSO2 Identity Server to enhance the security of managed APIs. DURING THE WEBINAR, WE WILL COVER: Importance of API security Introduction to WSO2 Identity Server OAuth 2.0 API security capabilities of WSO2 Identity Server Demo of integrating WSO2 Identity Server with WSO2 API Manager Watch the OD webinar: https://wso2.com/library/webinars/securing-apis-with-wso2-identity-server/

1. Securing APIs With WSO2 Identity Server
Thursday, November 05, 2020

2. Hello!
Janak Amarasena
Isura Karunaratne
Senior Software Engineer
isura@wso2.com
janak@wso2.com
Technical Lead

3. About ‘API Security and Beyond’ Webinar Series
3

4. 4
Addresses full API lifecycle
management operations. Open,
extensible, customizable.
200K+ APIs for 20K+ Orgs
Hybrid integration platform for
quick, iterative integration of any
application, data, or system.
6 Trillion Transactions/yr
Federates and manages identities
across both cloud service and
enterprise environments.
250M+ identities managed
WSO2 API MANAGER WSO2 IDENTITY SERVERWSO2 ENTERPRISE INTEGRATOR
WSO2 Integration Platform

5. 5
WSO2 Identity Server is a strong performer
among the 13 CIAM providers that matter
most according to Forrester Research, Inc..
● Highest scores possible in customer
authentication, self service, business
integration, reporting and dashboarding, and
privacy & consent management in the
Product Offering category
● Highest scores for commercial model in
strategy and authentication plans
WSO2 Identity Server has been recognized as a strong performer

6. API Economy

7. 100% of revenue comes
through API calls
Source
https://www.information-age.com/organisations-advantage-api-economy-123485729/
APIs and API Economy
7

8. Akamai Survey Report 2019
“Our survey of API traffic surprised us by revealing that 83% of the
hits we see there are API driven. ”
“For security practitioners, this is vitally important.”
Source -
(https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-retail-attacks-and-api-traffic-report-2
019.pdf)
APIs and API Economy
8

9. Importance of API security

10. APIs will become the
#1 Attack vector by 2022
10

11. ● Facebook Security breach
⦾ 50 million affected users
● Google plus security breach
⦾ Over 50 million affected users
● An average Application or API has 26.7 vulnerabilities.
● 81% of confirmed data breaches have used stolen valid credentials.
Importance of API security
11
Source -
(https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html, https://www.wired.com/story/google-plus-bug-52-million-users-data-exposed,
https://techbeacon.com/app-dev-testing/post-equifax-why-api-security-should-be-priority)

12. Failure of API security can affect on
● Operation level disruptions
● Negative publicity
● Legal problems
● Repeat attacks
Importance of API security
12

13. Role of API Key Manager

14. Role of API Key Manager
14

15. Introduction to WSO2 Identity Server

16. 16
Key Capabilities
● Identity federation and SSO
● Identity bridging
● MFA and adaptive authentication
● Managing access to APIs
● Fine-grained access control
● Consent management
● Accounts management
● Progressive profiling
● RESTful APIs for integration
● Regulatory compliance
● Identity analytics
WSO2 Identity Server Capabilities

17. 17
Key Capabilities
● Extended Access Delegation Capabilities
● Strong and Adaptive Authentication
● Cross Protocol Single Sign-On / Sign-Out
● Enforce authorization
● End-User Identity Management
● Privacy management
Why IAM is important in API Management

18. API Security capabilities of WSO2
Identity Server

19. Leveraging OAuth 2.0 capabilities
● Generating access tokens with various grant types and flows
⦿ Authorization Code grant
⦿ Client Credentials grant
⦿ Implicit grant | Discouraged in OAuth 2.0 Security BCP document
⦿ Password grant | Deprecated in OAuth 2.0 Security BCP document
⦿ JWT Bearer grant
⦿ SAML2 Bearer grant
⦿ OIDC hybrid flow
⦿ Several other grant types and flows
⦿ Extension points to easily deploy custom grants and flows
● Support for security best practices
⦿ PKCE flow for authorization code grant
⦿ Refresh token rotation
⦿ Encryption/Hashing of client secret
19

20. Leveraging OAuth 2.0 capabilities contd.
● Token introspection
⦿ Checking the validity of the token received to the API Gateway
● Revoking tokens
⦿ Supports token revocation via standard API
⦿ Auto token revocation when a user state changes (locked, deleted, credential
change, etc)
⦿ Auto token revocation when a application state changes (disabled, deleted, etc.)
⦿ Extension points to add token revocation based on events
⦿ Firing events when token revocation happens
20

21. Easy integration of capabilities
● Fully API enabled
⦿ Support for standard APIs
● Service discovery via standard APIs
⦿ Webfinger
⦿ Discovery
⦿ JWKS
● DCR and DCRM API support for client application registration and
management via APIs
21

22. Scope validation
● Scope is a mechanism in OAuth 2.0 to limit the application's access to a user's
protected resources
● Able to define scope validators to validate the scopes being assigned to a
access token
● OOTB scope validators
⦿ Roles based
⦿ XACML based
● Extension point to easily deploy a custom scope validator
● REST API to manage scopes
22

23. Fine-grained access control
● Includes a fully fledged XACML engine
● API enabled. Invoke XACML policy checks via APIs.
● Integration support with a Open Policy Agent(OPA) engine for policy evaluation
at user authentication for token generation
23

24. Event notifications and extensibility
● Eventing framework that fires events
⦿ Several examples;
⦾ Alerts on user such claim updates
⦾ Alerts on user getting locked
● Extension points to easily deploy event listeners to listen on required events
and relay information to the API Manager
⦾ Ex: Clear gateway token related cache when a token revocation happens
● Extension points to add custom components and extend product capabilities
according to business needs
⦿ Several examples;
⦾ Adding a custom token type
⦾ Adding custom token validation at introspection
⦾ Introducing a new grant type
24

25. Demo

26. Setup
26

27. Scenario 01 - Secured API calls
Generate an access token with user John using the Authorization Code grant to
make a secured API call
● Generate a token
● Invoke introspection endpoint
● Invoke the [GET] /menu API
27

28. Scenario 02 - Implicit token revocation
Update user Johns’ credentials and try to invoke a API with the previously generated
token
● Invoke introspection endpoint
● Update user Johns’ credentials
● Invoke the [GET] /menu API
● Invoke introspection endpoint
28

29. Scenario 03 - Role based scope validation
Obtain a token with the “add” scope to call the [POST]/order API
● Check role required for the scope “add”
● Try to generate a token with user John
● Generate a token with user Jane
● Invoke the [POST] /order API
29

30. Scenario 04 - Explicit token revocation
Call the OAuth token revocation endpoint and revoke an access token
● Invoke introspection endpoint
● Invoke token revocation endpoint
● Invoke the [POST] /order API
● Invoke introspection endpoint
30

31. Scenario 05 - Fine-grained access control with XACML
Invoke the XACML policy decision point for a [POST]/order API call
● XACML configuration
● Generate an access token with client credentials grant
● Invoke XACML PDP
31

32. Let’s Recap
32
● API Economy
● Importance of API security
● Role of API Key Manager
● Introduction to WSO2 Identity Server
● API Security capabilities of WSO2 Identity Server
● Demo

33. Question Time!
33

34. Next in the Series
34

35. wso2.com
Thanks!