
[WSO2Con Asia 2018] Identity APIs is the New Black


This slide deck explores how Identity APIs have evolved over time to cater to consumer and enterprise requirements, and real-world scenarios where tough identity challenges have been successfully tackled by using them.

Published in: Technology

  1. Identity APIs is the New Black. Ishara Karunarathna, Technical Lead, WSO2
  2. Story of Kermit Corporation: the HR Application, Payroll Application and License Application each keep their own user store (LDAP, AD, RDB), so the same person is known as John, John Li and JohnL.
  3. IAM Challenges in Kermit Corp
     ● Same physical user digitally represented in different silos with different credentials
     ● No single sign-on across silos
     ● Higher probability of identity mismanagement
     ● Identity integrations across department/enterprise borders are difficult or impossible
  4. Story of Kermit Corporation: Dave
  5. Siloed IAM - Centralized but Proprietary: one Identity Provider serves the Payroll, HR and License Applications of Kermit Corp and the CRM Application of FinOrg, but every integration uses a Kermit-proprietary protocol.
  6. Centralized IAM - Standard APIs: the same applications integrate with the Identity Provider over SAML SSO / SCIM, OpenID Connect / SCIM, WS-Fed / SCIM and OpenID Connect / SCIM.
  7. Dave is Not Happy Yet!
  8. Customer (is the king!) IAM
     ● Social login and BYOI
     ● Seamless experience across devices (Omnichannel)
     ● Privacy
       ○ Consent management
       ○ Ownership of user information
     ● Party-to-party delegation
  9. CIAM at a Glance: the Identity Provider at Kermit Corp connects a Self Care Portal, a cloud Retail Application (OIDC) and a Customer CRM (SCIM), using OpenID Connect / SCIM / Consent Receipt.
  10. Business Success, Seamless Experience, Customer Satisfaction, Identity Integrations, Identity APIs
  11. Dave is Happy !!
  12. Next Big Challenge -> Identity of Things
     ● Dynamic device registration
     ● Device to device authentication
     ● Delegation of device access
  13. Modern Identity APIs
  14. User Provisioning with SCIM: a Self Care Portal provisions users inbound to the Identity Provider over SCIM, and the Identity Provider provisions them outbound over SCIM to the Identity Providers of Foo Org, Bar Org and Zee Org.
  15. SCIM 2.0 Payloads
     User Creation:
       curl --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","password":"kimwso2","emails":[{"primary":true,"value":"","type":"home"},{"value":"kim_j@wso2.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
     Group Creation:
       curl --user admin:admin --data '{"displayName":"manager"}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups
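The curl payload above leaves "schemas" empty and the primary e-mail without a value; RFC 7643 requires the "schemas" attribute on every SCIM resource, and a strict server will reject the request. The following is an added example (not code from the slides or from WSO2) that builds a SCIM 2.0 User and Group resource the way the curl commands do, and checks the payload before it is sent. The e-mail address kim_j@example.com and the group member ids are constructed sample values.

```python
"""Build and check SCIM 2.0 User and Group payloads (RFC 7643 core schema).

Added example. The endpoint https://localhost:9443/scim2/Users from the slide is
where such a payload would be POSTed; this module only builds and validates it.
"""
import json
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_scim_user(user_name, given_name, family_name, emails, password=None):
    """Return a SCIM 2.0 User resource as a dict.

    `emails` is a list of (address, type, primary) tuples.
    """
    payload = {
        "schemas": [USER_SCHEMA],          # required by RFC 7643 section 3
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [
            {"value": addr, "type": kind, "primary": primary}
            for addr, kind, primary in emails
        ],
    }
    if password is not None:
        payload["password"] = password     # write-only attribute, never returned by the server
    return payload


def build_scim_group(display_name, member_ids=()):
    """Return a SCIM 2.0 Group resource; members reference user ids."""
    return {
        "schemas": [GROUP_SCHEMA],
        "displayName": display_name,
        "members": [{"value": mid} for mid in member_ids],
    }


def validate_scim_user(payload):
    """Return a list of problems; an empty list means the payload is well-formed."""
    problems = []
    if USER_SCHEMA not in payload.get("schemas", []):
        problems.append("schemas must include the core User schema URN")
    if not payload.get("userName"):
        problems.append("userName is required")
    emails = payload.get("emails", [])
    for e in emails:
        if not _EMAIL_RE.match(e.get("value", "")):
            problems.append(f"email value {e.get('value')!r} is not a valid address")
    if sum(1 for e in emails if e.get("primary")) > 1:
        problems.append("at most one email may be marked primary")
    return problems


def to_json(payload):
    """Compact JSON body suitable for --data."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample input mirroring the slide's user
    user = build_scim_user("kim", "kim", "jackson",
                           [("kim_j@example.com", "home", True),
                            ("kim_j@wso2.com", "work", False)],
                           password="kimwso2")
    print(validate_scim_user(user))
    print(to_json(user))
    # The slide's payload as sent: empty schemas and an empty primary email
    slide_payload = {"schemas": [], "userName": "kim",
                     "emails": [{"primary": True, "value": ""}]}
    print(validate_scim_user(slide_payload))
```

Send the output of to_json() as the --data body of the curl command on the slide; the check catches the two problems in the slide's payload before the server does.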
  16. Delegated Authorization with OAuth 2.0
     ● Authorization Code Grant: suitable for web applications
     ● SAML Bearer Grant: suitable for apps already using SAML SSO for authentication
     ● JWT Grant: suitable for apps already using a JWT mechanism for authentication
     ● Client Credentials Grant: suitable to retrieve data not specific to end users (e.g. weather/stocks) and for machine-to-machine communications
  17. Authz Code Grant Flow between the Resource Owner, the Application (OAuth Client), the OAuth Authorization Server and the OAuth Resource Server (steps 1-8): the application 302-redirects the resource owner to the authorization server; the resource owner authenticates and gives consent; the authorization server returns an Authz Code; the application sends an Access Token Request with the code and receives an Access Token; the application presents the Access Token in a Resource Request; the resource server introspects the Access Token with the authorization server. Prerequisite: client application registered with the Authz Server manually or via Dynamic Client Registration.
  18. Authentication with OIDC
     ● OpenID Connect was created on top of OAuth 2.0 to provide an identity layer
     ● Introduces a new scope named "openid"
     ● Introduces a new token named ID Token, containing user claims
     ● Introduces a new endpoint named "userinfo", to fetch additional user claims
  19. OIDC Flow (steps 1-9): the same authorization code flow, but the authorization request carries scope=openid, the token response returns an ID Token alongside the Access Token, and the application can send a User Info Request with the Access Token before the Resource Request; the resource server introspects the Access Token as before.
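Slides 17 and 19 describe the authorization code grant and the OIDC additions as sequence diagrams. The following added example (written for this page, not WSO2 code) runs all three parties in one process so the exchange can be read end to end: the client binds a state value to its request, the authorization server issues a single-use code tied to the client and redirect URI, the token endpoint authenticates the client, and when the scope includes openid it also issues an HS256-signed ID Token that the client verifies; the resource server's introspection call is the last step. The issuer, client id, secret, redirect URI and signing key are constructed for the demo, and the HMAC-signed JWT stands in for the RS256 tokens a real server would issue.

```python
"""Simulated OAuth 2.0 authorization code grant with the OIDC identity layer.

Added example: authorization server, client and resource-server introspection
all run in-process, with no network. All names and keys are constructed.
"""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    ISSUER = "https://as.example"           # constructed issuer

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.clients = {}                   # client_id -> (secret, redirect_uri)
        self.codes = {}                     # code -> (client_id, sub, scope, redirect_uri)
        self.tokens = {}                    # access token -> (sub, scope, exp)

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = (secret, redirect_uri)   # the slide's prerequisite

    def authorize(self, client_id, redirect_uri, scope, state, authenticated_sub):
        """Steps 2-4: after authenticate + consent, bind a single-use code to the request."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, authenticated_sub, scope, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5-6: authenticate the client, consume the code, issue tokens."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code can be exchanged once
        if entry is None or entry[0] != client_id or entry[3] != redirect_uri:
            raise ValueError("invalid code")
        _, sub, scope, _ = entry
        access, exp = secrets.token_urlsafe(24), int(time.time()) + 3600
        self.tokens[access] = (sub, scope, exp)
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": 3600}
        if "openid" in scope.split():        # OIDC: the openid scope adds an ID Token
            resp["id_token"] = self._id_token(sub, client_id, exp)
        return resp

    def _id_token(self, sub, aud, exp):
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64(json.dumps({"iss": self.ISSUER, "sub": sub, "aud": aud, "exp": exp}).encode())
        sig = hmac.new(self.key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64(sig)}"

    def introspect(self, access_token):
        """Step 8: what the resource server asks the authorization server."""
        entry = self.tokens.get(access_token)
        if entry is None or entry[2] < time.time():
            return {"active": False}
        return {"active": True, "sub": entry[0], "scope": entry[1]}


class Client:
    def __init__(self, client_id, secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.pending_state = None

    def authorization_request(self, scope):
        """Step 1-2: the 302 target; state ties the later callback to this request."""
        self.pending_state = secrets.token_urlsafe(16)
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state})

    def handle_callback(self, url, auth_server):
        q = parse_qs(urlparse(url).query)
        if q.get("state", [None])[0] != self.pending_state:
            raise ValueError("state mismatch")
        return auth_server.token(self.client_id, self.secret, q["code"][0], self.redirect_uri)


def verify_id_token(id_token, key, expected_aud, issuer):
    """Client-side ID Token check: signature, then iss/aud/exp claims."""
    header, claims, sig = id_token.split(".")
    expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    body = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    if body["aud"] != expected_aud or body["iss"] != issuer or body["exp"] < time.time():
        raise ValueError("claims rejected")
    return body


def run_flow(scope="openid profile"):
    """Drive the whole exchange; returns (token response, introspection, ID Token claims, replay accepted?)."""
    key = b"demo-signing-key"               # constructed
    as_ = AuthorizationServer(key)
    as_.register_client("hr-app", "s3cret", "https://hr.example/cb")
    client = Client("hr-app", "s3cret", "https://hr.example/cb")
    authz_url = client.authorization_request(scope)
    state = parse_qs(urlparse(authz_url).query)["state"][0]   # the browser carries state across
    callback = as_.authorize("hr-app", "https://hr.example/cb", scope, state, "john")
    tokens = client.handle_callback(callback, as_)
    intro = as_.introspect(tokens["access_token"])
    idt = verify_id_token(tokens["id_token"], key, "hr-app", as_.ISSUER) if "id_token" in tokens else None
    try:                                     # a second exchange of the same code must fail
        as_.token("hr-app", "s3cret", parse_qs(urlparse(callback).query)["code"][0], "https://hr.example/cb")
        replayed = True
    except ValueError:
        replayed = False
    return tokens, intro, idt, replayed


if __name__ == "__main__":
    print(run_flow())
```

Running run_flow() with the default scope returns an active introspection for "john", ID Token claims with aud "hr-app", and False for the replay attempt; with scope="read" there is no ID Token, which is the difference between slides 17 and 19.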
  20. Party-to-party Delegation with UMA 2.0
     ● Developed on top of OAuth 2.0
     ● Introduces an entity named "Requesting Party", and two access tokens named "Protection API Token" (PAT) and "Requesting Party Token" (RPT)
     ● Lots of use cases in CIAM and IoT:
       ○ E.g. a patient granting their doctor and insurer access to their health records
       ○ E.g. a homeowner granting rotate access of the CCTV camera to the housemaid
  21. UMA 2.0 in Action: the Resource Owner authorizes the OAuth Resource Server to register resources (result: PAT) and defines policies at the OAuth Authorization Server; the resource server registers resources through the Protection API; the Application (OAuth Client), acting for the Requesting Party, requests authorization through the Authorization API (result: RPT) and then accesses the protected resource; the resource server validates the RPT through the Introspection API.
  22. Fine-grained Authorization with XACML
     ● Standard for attribute based access control
     ● Decouples authorization logic from the application code by introducing XML based policies
     ● Consists of 4 key components:
       ○ Policy Administration Point
       ○ Policy Decision Point
       ○ Policy Information Point
       ○ Policy Enforcement Point
  23. XACML in Action: the Entitlement Administrator CRUDs policies through the Policy Administration Point into the Policy Store; when the End-user performs an operation on the HR Application, its Policy Enforcement Point sends a XACML Request to the Policy Decision Point in the Identity Provider, which evaluates the stored policies and pulls any attributes missing from the request from the Policy Information Point.
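To make the four XACML components of slides 22 and 23 concrete, here is an added example (not WSO2's entitlement engine and not XACML XML) that models them in a few dozen lines: the PEP builds a request from subject, resource and action attributes, the PDP evaluates policies with a deny-overrides combining rule, and a PIP supplies attributes the PEP did not send (here department and clearance, looked up in a constructed directory). The users "john" and "dave", the "salary-records" resource and the policy itself are constructed for the demo.

```python
"""Attribute-based access control in the XACML component model.

Added example. PEP -> PDP -> PIP mirrors the slide; policies are Python
objects standing in for XACML XML, and the combining algorithm is deny-overrides.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Dict], bool]    # evaluated over the resolved attributes


@dataclass
class Policy:
    target: Dict[str, object]            # attribute -> value the request must match
    rules: List[Rule]


class PolicyInformationPoint:
    """Resolves attributes the PEP did not send, from a constructed directory."""
    DIRECTORY = {
        "john": {"department": "hr", "clearance": 2},
        "dave": {"department": "finance", "clearance": 1},
    }

    def resolve(self, attrs):
        merged = dict(attrs)
        for key, value in self.DIRECTORY.get(attrs.get("subject.id"), {}).items():
            merged.setdefault("subject." + key, value)
        return merged


class PolicyDecisionPoint:
    def __init__(self, policies, pip):
        self.policies, self.pip = policies, pip

    def evaluate(self, request):
        """Return Permit, Deny or NotApplicable for a request dict."""
        attrs = self.pip.resolve(request)
        effects = []
        for policy in self.policies:
            if all(attrs.get(k) == v for k, v in policy.target.items()):   # target match
                effects.extend(r.effect for r in policy.rules if r.condition(attrs))
        if "Deny" in effects:            # deny-overrides: any Deny wins
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PolicyEnforcementPoint:
    """Sits in the application; only a Permit lets the operation proceed."""
    def __init__(self, pdp):
        self.pdp = pdp

    def authorize(self, subject_id, resource, action):
        request = {"subject.id": subject_id, "resource.id": resource, "action.id": action}
        return self.pdp.evaluate(request) == "Permit"


def build_pep():
    """Wire the components with one constructed policy for the salary records."""
    policies = [
        Policy(target={"resource.id": "salary-records"}, rules=[
            Rule("Permit", lambda a: a.get("subject.department") == "hr"
                 and a.get("action.id") == "read"),
            Rule("Deny", lambda a: a.get("subject.clearance", 0) < 2),
        ]),
    ]
    return PolicyEnforcementPoint(PolicyDecisionPoint(policies, PolicyInformationPoint()))


if __name__ == "__main__":
    pep = build_pep()
    for who, action in [("john", "read"), ("dave", "read"), ("john", "write")]:
        print(who, action, pep.authorize(who, "salary-records", action))
```

The deny rule only fires on the resolved clearance attribute, which the PEP never sends; that is the PIP's job, and it is why "dave" is denied even though the application passed nothing but his user id. An unknown subject resolves to no attributes and falls through to Deny as well.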
  24. Open Policy Agent (OPA): the Service sends a Query to OPA over the Enforcement API and receives a Decision; Management pushes Policy and Data updates over the Management API.
  25. User Consent Management: the End-user changes consent in the Self Care Portal, which calls the Consent Mgt API of the Identity Provider, backed by consent storages.
  26. User Data Exposure: the End-user exports PII from the Self Care Portal through the PII Exposure API of the Identity Provider, backed by PII storages; the exported data covers claims, security questions and consent receipts.
  27. THANK YOU