
Securing APIs with OAuth & the Neo-security Stack

Protecting APIs with the new stack of RESTful technologies!

Travis Spencer: CEO @ Twobo Technologies
Session: Security and Testing
API Strategy & Practice Conference, Amsterdam 2014


Transcript

  1. Securing APIs with OAuth & the Neo-security Stack
     Protecting APIs with the new stack of RESTful technologies
     By Travis Spencer, CEO, @travisspencer of @2botech & @nordicapis
     Copyright © 2014 Twobo Technologies AB. All rights reserved
  2. Agenda
     ▪ The security challenge in context
     ▪ Neo-security stack
     ▪ OAuth highlights
     @travisspencer / @2botech
  3. Disruptive Trends: Cloud Computing, Social Networks, Mobile, Big Data
  4. Identity is central: Social Networks, Cloud Computing, Mobile and Big Data all revolve around Identity
  5. The Neo-security Stack
     ▪ JSON Identity Suite: Identities
     ▪ OpenID: Federation
     ▪ SCIM: Provisioning
     ▪ OAuth: Delegated Access
     ▪ XACML: Authorization
  6. OAuth
     ▪ OAuth 2 is the new protocol of protocols
     ▪ Used as the base of other specifications
       ▪ OpenID Connect, UMA, etc.
     ▪ Addresses some important requirements
       ▪ Delegated access
       ▪ No password sharing
       ▪ Revocation of access
  7. OAuth Actors
     ▪ Client
     ▪ Authorization Server (AS)
     ▪ Resource Server (RS) (i.e., the API)
     ▪ Resource Owner (RO)
     Diagram: the Client gets a token from the AS, then uses the token at the RS
  8. Scopes
     ▪ Like permissions
     ▪ Scopes specify the extent of a token's usefulness
     ▪ Listed on the consent UI (if shown)
     ▪ Issued tokens may have narrower scope than requested
     ▪ No standardized scopes
  9. Kinds of Tokens
     ▪ Access Tokens: like a session; used to secure API calls
     ▪ Refresh Tokens: like a password; used to get new access tokens
  10. Passing Tokens
     ▪ By Value: user attributes are in the token
     ▪ By Reference: user attributes are referenced by an identifier (e.g., 123XYZ)
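The following is an added example, not code from the deck or from Twobo: a toy OAuth 2 resource server that accepts an access token passed by value (a compact HS256 JWT whose claims travel in the token) or by reference (an opaque identifier resolved through a simulated introspection lookup), and then enforces scopes, including the AS-side narrowing of requested scope from slide 8. The shared key, the claim names, the in-memory token store and the heuristic that a token with two dots is a JWT are all constructed for illustration.

```python
"""Toy OAuth 2 resource server: by-value (JWT) and by-reference (opaque) tokens.
Added example with constructed keys and store; not the speaker's code."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

# Constructed: a symmetric key shared by the authorization server (AS) and
# resource server (RS) so the RS can verify by-value tokens locally.
AS_JWT_KEY = b"shared-secret-between-AS-and-RS"

# Constructed: the AS-side record behind by-reference tokens. A real AS would
# expose this through an introspection endpoint rather than a dict.
TOKEN_STORE: dict[str, dict] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def grant_scope(requested: str, permitted: set[str]) -> str:
    """AS side: the issued scope is what the client asked for, narrowed to
    what policy or the resource owner actually allows (slide 8)."""
    return " ".join(s for s in requested.split() if s in permitted)


def issue_by_value(claims: dict) -> str:
    """AS side: mint a by-value token (HS256 JWT). The RS needs no lookup."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def issue_by_reference(claims: dict) -> str:
    """AS side: mint an opaque by-reference token; attributes stay at the AS."""
    ref = secrets.token_urlsafe(16)  # no '.' characters, so never mistaken for a JWT
    TOKEN_STORE[ref] = claims
    return ref


def revoke(ref: str) -> None:
    """AS side: revoking a by-reference token is a simple delete; every
    later introspection fails immediately."""
    TOKEN_STORE.pop(ref, None)


def validate_by_value(token: str, now: int) -> dict | None:
    """RS side: verify signature and expiry locally, with no call to the AS."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: the token must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(AS_JWT_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def introspect(ref: str, now: int) -> dict | None:
    """RS side: resolve a by-reference token at the AS (simulated lookup)."""
    claims = TOKEN_STORE.get(ref)
    if claims is None or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(authorization: str | None, required_scope: str, now: int) -> tuple[int, dict | None]:
    """RS entry point for one API call. Returns (HTTP status, claims)."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, None
    token = authorization[len("Bearer "):].strip()
    # Constructed heuristic: compact JWTs carry two dots, our opaque refs none.
    claims = validate_by_value(token, now) if token.count(".") == 2 else introspect(token, now)
    if claims is None:
        return 401, None
    if required_scope not in set(claims.get("scope", "").split()):
        return 403, claims  # valid token, insufficient scope
    return 200, claims
```

The trade-off the slide points at shows up directly in the code: `validate_by_value` never talks to the AS, so it scales but cannot see a revocation until the token expires, while `introspect` costs a lookup per call but `revoke` takes effect immediately.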
  11. Profiles of Tokens
     ▪ Bearer: bearer tokens are like cash
     ▪ Holder of Key: HoK tokens are like credit cards
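An added example, not from the deck, of what the cash versus credit card analogy means at the resource server. A bearer token is honoured for whoever presents it, so a stolen token is as good as the original. A holder-of-key token is bound to a client key, and each request must carry a fresh proof that the caller holds that key, so the token string alone is useless to a thief. The binding scheme here (an HMAC over method, path, token and timestamp, carried in hypothetical `X-Proof` headers under a hypothetical `HoK` authorization scheme) is constructed purely for illustration; real deployments use a standardized proof-of-possession mechanism.

```python
"""Bearer vs holder-of-key tokens at a toy resource server.
Added example with a constructed proof scheme and header names."""
import hashlib
import hmac
import secrets

# Constructed in-memory record of issued tokens: token -> scope and bound key.
TOKEN_DB: dict = {}


def issue_bearer(scope: str) -> str:
    """AS side: a bearer token has no key bound to it (cash)."""
    token = secrets.token_urlsafe(16)
    TOKEN_DB[token] = {"scope": scope, "key": None}
    return token


def issue_hok(scope: str) -> tuple:
    """AS side: a HoK token is bound to a client key the RS can check (card)."""
    token = secrets.token_urlsafe(16)
    client_key = secrets.token_bytes(32)  # in practice an asymmetric key pair
    TOKEN_DB[token] = {"scope": scope, "key": client_key}
    return token, client_key


def _proof(key: bytes, method: str, path: str, token: str, ts: int) -> str:
    # Constructed binding: MAC over what the request is for and when it was made.
    msg = f"{method}\n{path}\n{token}\n{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_request(method: str, path: str, token: str, key: bytes = None, ts: int = 0) -> dict:
    """Client side: headers for one API call. HoK clients add a proof."""
    if key is None:
        return {"Authorization": f"Bearer {token}"}
    return {
        "Authorization": f"HoK {token}",           # hypothetical scheme name
        "X-Proof-Timestamp": str(ts),              # hypothetical header
        "X-Proof": _proof(key, method, path, token, ts),  # hypothetical header
    }


def rs_verify(headers: dict, method: str, path: str, now: int, max_skew: int = 60) -> int:
    """RS side: returns an HTTP status for the presented credentials."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    record = TOKEN_DB.get(token)
    if record is None:
        return 401
    if record["key"] is None:
        # Bearer: possession of the string is the entire check.
        return 200 if scheme == "Bearer" else 401
    # HoK: a bound token may only be used with a fresh proof from the key.
    if scheme != "HoK":
        return 401
    try:
        ts = int(headers.get("X-Proof-Timestamp", ""))
    except ValueError:
        return 401
    if abs(now - ts) > max_skew:
        return 401  # stale proof: limits replay of a captured request
    expected = _proof(record["key"], method, path, token, ts)
    if not hmac.compare_digest(expected, headers.get("X-Proof", "")):
        return 401  # wrong key, or proof made for a different request
    return 200
```

Run the two paths side by side: a copied bearer token replayed from another host is accepted, while the same attack against a HoK token fails without the key, and even a captured HoK request cannot be redirected to another path or replayed after the timestamp window closes.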
  12. Types of Tokens
     ▪ WS-Security
     ▪ SAML
     ▪ JWT
     ▪ Custom
       ▪ Home-grown
       ▪ Oracle Access Manager
       ▪ SiteMinder
       ▪ Etc.
  13. Usage of OAuth
     ▪ Not for authentication
     ▪ Not really for authorization
     ▪ For delegated access
  14. Requirements Demand More
     ▪ Today's use cases require more than just delegation
     ▪ Must answer:
       ▪ Who are you?
       ▪ What are you allowed to do?
     ▪ OAuth is important but insufficient
     Diagram: Identities, APIs, Entitlements
  15. Need the Entire Stack
     ▪ OpenID Connect: Federation
     ▪ SCIM: Provisioning
     ▪ JSON Identity Suite: Identity
     ▪ OAuth: Delegated Access
     ▪ XACML: Authorization