Securing APIs with OAuth & the Neo-security Stack

Transcript

1. Securing APIs with OAuth & the Neo-security Stack Protecting APIs

   with the new stack of RESTful technologies! ! By Travis Spencer, CEO! @travisspencer of @2botech & @nordicapis Copyright © 2014 Twobo Technologies AB. All rights reserved

2. Agenda ▪ The security challenge in context! ▪ Neo-security stack!

   ▪ OAuth highlights Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

3. Disruptive Trends Cloud Computing Social Networks Mobile Big
 Data Copyright

   © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

4. Identity is central Social
 Networks Cloud
 Computing Mobile Big
 Data

   Identity Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

5. The Neo-security Stack JSON Identity Suite OpenID SCIM OAuth XACML

   Provisioning Identities Federation Delegated Access Authorization Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

6. OAuth ▪ OAuth 2 is the new protocol of protocols!

   ▪ Used as the base of other specifications! ▪ OpenID Connect, UMA, etc.! ▪ Addresses some important requirements! ▪ Delegated access! ▪ No password sharing! ▪ Revocation of access Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

7. OAuth Actors ▪ Client! ▪ Authorization Server (AS)! ▪ Resource

   Server (RS) (i.e., API)! ▪ Resource Owner (RO) Get a token User a token RS Client AS Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

8. Scopes ▪ Like permissions! ▪ Scopes specify extent of tokens’

   usefulness! ▪ Listed on consent UI (if shown)! ▪ Issued tokens may have narrower scope than requested! ▪ No standardized scopes Copyright © 2014 Twobo Technologies AB. All rights reserved

9. Access Tokens Refresh Tokens Kinds of Tokens Like a Session!

   ! ! Used to secure API calls Like a Password! ! ! Used to get new access tokens Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

10. By Value By Reference Passing Tokens 123XYZ 123XYZ ! !

    ! User attributes are in the token ! ! ! User attributes are referenced by an identifier Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

11. Bearer! ! ! ! ! ! ! Bearer tokens are

    like cash Holder of Key! ! ! ! ! ! ! HoK tokens are like credit cards Profiles of Tokens $ Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

12. Types of Tokens ▪ WS-Security! ▪ SAML! ▪ JWT! ▪

    Custom! ▪ Home-grown! ▪ Oracle Access Manager! ▪ SiteMinder! ▪ Etc. Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

13. Usage of OAuth Not for authentication Not really for authorization

    For delegated access Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

14. Requirements Demand More ▪ Today’s use cases require more than

    just delegation! ▪ Must answer:! ▪ Who are you?! ▪ What are you allowed to do?! ▪ OAuth is important but insufficient Identities APIs Entitlements Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

15. Authorization Delegated Access Identity Provisioning Federation OpenID Connect SCIM JSON

    Identity Suite OAuth XACML Need the Entire Stack Copyright © 2014 Twobo Technologies AB. All rights reserved @travisspencer / @2botech

16. Questions & Thanks @2botech! @travisspencer! www.twobo.com! travisspencer.com Copyright © 2014

    Twobo Technologies AB. All rights reserved ?
17. None