SlideShare a Scribd company logo

Api security with o auth2

Download as PPTX, PDF
Anthony Chow, profile picture
Anthony Chow

This document discusses API security topics like OAuth2, OpenID Connect, and JSON Web Tokens. It defines OAuth2 as an authorization framework that allows clients to access user accounts and defines common OAuth2 flows and actors. OpenID Connect builds upon OAuth2 to provide authentication. JSON Web Tokens are used to securely transmit information in OAuth2 and OpenID Connect flows. Links to documentation and resources for implementing these standards are also provided.

Technology
1 of 17
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Anthony Chow Twitter: @vCloudernBeer
Different kinds of APIs  https://ffeathers.wordpress.com/2014/02/16/api-types/
REST API Security Best Practice  OWASP - Open Web Application Security Project  https://www.owasp.org/index.php/REST_Security_ Cheat_Sheet  https://dzone.com/articles/top-5-rest-api-security- guidelines
What is OAuth2?
OAuth2  “Open Authentication” (??)  Authorization delegation  An authorization framework  Defined by RFC 6749 and 6750  OAuth 1 is defined by RFC 5849  OAuth 1 and OAuth 2 are not compatible
Oauth2 Actors  Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/
OAuth2 Flows (grants)  image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2
OAuth2 Authorization Grants  Different ways of getting a token  Authorization code,  Implicit grant,  Resource owner password credentials and  Client credentials  Which OAuth 2.0 flow should I use?
OAuth2 Tokens  Access Token  Refresh Token
OAuth2 simplified view  Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png
OpenID Connect (OIDC)  Image source: https://developer.okta.com/standards/OIDC/index
OpenID Connect vs OAuth2  Image source: https://www.slideshare.net/vladimirdzhuvinov/openid-connectexplained
JSON Web Token (JWT)  Image source: www.youtube.com
OAuth2 + OIDC + JWT  Image source: http://kasunpanorama.blogspot.com/2015/11/microservices-in-practice.html
Resources for API Security  Auth0: https://auth0.com/  Mulesoft: https://www.mulesoft.com/  Ory: https://www.ory.am/index.html  Stormpath (now Okta): https://www.okta.com/  Nordic APIs: https://nordicapis.com/  Amazon Cognito: https://aws.amazon.com/cognito/
Resources for JSON Web Token  https://auth0.com/learn/json-web-tokens/  https://jwt.io/introduction/  https://scotch.io/tutorials/the-anatomy-of-a-json- web-token  https://auth0.com/e-books/jwt-handbook
Resource for OAuth2  RFC 6749 - https://tools.ietf.org/html/rfc6749  RFC 6750 - https://tools.ietf.org/html/rfc6750  https://auth0.com/docs/protocols/oauth2  https://developers.google.com/oauthplayground/

More Related Content

PPTX
Id fiware upm-dit
Joaquín Salvachúa
 
ODP
Synapse india reviews on security for the share point developer
saritasingh19866
 
PPTX
Web tools ppt
Tamara Pia Agavi
 
PPT
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
 
PDF
persentation
vinaykumarmahla
 
PPTX
OAuth Linking-Social Networks
G Jayendra Kartheek
 
PPT
Mule security - authorization using spring security
D.Rajesh Kumar
 
PDF
T04505103106
IJERA Editor
 
Id fiware upm-dit
Joaquín Salvachúa
 
Synapse india reviews on security for the share point developer
saritasingh19866
 
Web tools ppt
Tamara Pia Agavi
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
 
persentation
vinaykumarmahla
 
OAuth Linking-Social Networks
G Jayendra Kartheek
 
Mule security - authorization using spring security
D.Rajesh Kumar
 
T04505103106
IJERA Editor
 

What's hot (10)

PDF
RESTful Day 5
Akhil Mittal
 
PDF
Vulnerability Funalitics with vulners.com
Kirill Ermakov
 
PPTX
Introduction to OAuth2
Sean Whitesell
 
PDF
Vulners: Google for hackers
Kirill Ermakov
 
PPTX
SSO with sfdc
Ming Yuan
 
PDF
Top 10 Web App Security Risks
Sperasoft
 
PDF
Spring4 security oauth2
Sang Shin
 
PPTX
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
DevDay Da Nang
 
PDF
Seminar2015Bilic_Nicole
Nicole Bili?
 
PPTX
Securing the Web @DevDay Da Nang 2018
Sumanth Damarla
 
RESTful Day 5
Akhil Mittal
 
Vulnerability Funalitics with vulners.com
Kirill Ermakov
 
Introduction to OAuth2
Sean Whitesell
 
Vulners: Google for hackers
Kirill Ermakov
 
SSO with sfdc
Ming Yuan
 
Top 10 Web App Security Risks
Sperasoft
 
Spring4 security oauth2
Sang Shin
 
[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...
DevDay Da Nang
 
Seminar2015Bilic_Nicole
Nicole Bili?
 
Securing the Web @DevDay Da Nang 2018
Sumanth Damarla
 
Ad

Similar to Api security with o auth2 (20)

PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PDF
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
PDF
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PPTX
Securing APIs using OAuth 2.0
Adam Lewis
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
PPTX
Single-Page-Application & REST security
Igor Bossenko
 
PDF
Protecting your APIs with OAuth 2.0
Ubisecure
 
PPT
Oauth2.0
Yasmine Gaber
 
PDF
O auth2.0 guide
Dilip Mohapatra
 
PDF
Facebook data breach and OAuth2
Leonard Moustacchis
 
PDF
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
ijtsrd
 
PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
PDF
OAuth 2.0 and Library
Kenji Otsuka
 
PPTX
Web API 2 Token Based Authentication
jeremysbrown
 
PDF
When and Why Would I use Oauth2?
Dave Syer
 
PDF
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
PPTX
OAuth2 Introduction
Arpit Suthar
 
PPT
Oauth
Aakanksha Bhardwaj
 
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Securing APIs using OAuth 2.0
Adam Lewis
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Single-Page-Application & REST security
Igor Bossenko
 
Protecting your APIs with OAuth 2.0
Ubisecure
 
Oauth2.0
Yasmine Gaber
 
O auth2.0 guide
Dilip Mohapatra
 
Facebook data breach and OAuth2
Leonard Moustacchis
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
ijtsrd
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
OAuth 2.0 and Library
Kenji Otsuka
 
Web API 2 Token Based Authentication
jeremysbrown
 
When and Why Would I use Oauth2?
Dave Syer
 
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
OAuth2 Introduction
Arpit Suthar
 
Oauth
Aakanksha Bhardwaj
 
Ad

More from Anthony Chow (14)

PPTX
Build your own Blockchain with the right tool for your application
Anthony Chow
 
PPT
Container security
Anthony Chow
 
PPT
MQTT security
Anthony Chow
 
PPTX
Understanding gRPC Authentication Methods
Anthony Chow
 
PPTX
Container security
Anthony Chow
 
PPT
Container security
Anthony Chow
 
PPTX
V brownbag sept-14-2016
Anthony Chow
 
PPTX
Understanding the container landscape and it associated projects
Anthony Chow
 
PPTX
Getting over the barrier and start contributing to OpenStack
Anthony Chow
 
PPT
Introduction to go
Anthony Chow
 
PPTX
Micro segmentation – a perfect fit for microservices
Anthony Chow
 
PPTX
An overview of OpenStack for the VMware community
Anthony Chow
 
PPTX
VXLAN in the contemporary data center
Anthony Chow
 
PPT
What a Beginner Should Know About OpenStack
Anthony Chow
 
Build your own Blockchain with the right tool for your application
Anthony Chow
 
Container security
Anthony Chow
 
MQTT security
Anthony Chow
 
Understanding gRPC Authentication Methods
Anthony Chow
 
Container security
Anthony Chow
 
Container security
Anthony Chow
 
V brownbag sept-14-2016
Anthony Chow
 
Understanding the container landscape and it associated projects
Anthony Chow
 
Getting over the barrier and start contributing to OpenStack
Anthony Chow
 
Introduction to go
Anthony Chow
 
Micro segmentation – a perfect fit for microservices
Anthony Chow
 
An overview of OpenStack for the VMware community
Anthony Chow
 
VXLAN in the contemporary data center
Anthony Chow
 
What a Beginner Should Know About OpenStack
Anthony Chow
 

Recently uploaded (20)

PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Teaching material agriculture food technology
LiaRayya
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Cloud computing and distributed systems.
kkkkkhan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Approach and Philosophy of On baking technology
30anthuong17
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 

Api security with o auth2

  • 2. Different kinds of APIs  https://ffeathers.wordpress.com/2014/02/16/api-types/
  • 3. REST API Security Best Practice  OWASP - Open Web Application Security Project  https://www.owasp.org/index.php/REST_Security_ Cheat_Sheet  https://dzone.com/articles/top-5-rest-api-security- guidelines
  • 5. OAuth2  “Open Authentication” (??)  Authorization delegation  An authorization framework  Defined by RFC 6749 and 6750  OAuth 1 is defined by RFC 5849  OAuth 1 and OAuth 2 are not compatible
  • 6. Oauth2 Actors  Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/
  • 7. OAuth2 Flows (grants)  image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2
  • 8. OAuth2 Authorization Grants  Different ways of getting a token  Authorization code,  Implicit grant,  Resource owner password credentials and  Client credentials  Which OAuth 2.0 flow should I use?
  • 9. OAuth2 Tokens  Access Token  Refresh Token
  • 10. OAuth2 simplified view  Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png
  • 11. OpenID Connect (OIDC)  Image source: https://developer.okta.com/standards/OIDC/index
  • 12. OpenID Connect vs OAuth2  Image source: https://www.slideshare.net/vladimirdzhuvinov/openid-connectexplained
  • 13. JSON Web Token (JWT)  Image source: www.youtube.com
  • 14. OAuth2 + OIDC + JWT  Image source: http://kasunpanorama.blogspot.com/2015/11/microservices-in-practice.html
  • 15. Resources for API Security  Auth0: https://auth0.com/  Mulesoft: https://www.mulesoft.com/  Ory: https://www.ory.am/index.html  Stormpath (now Okta): https://www.okta.com/  Nordic APIs: https://nordicapis.com/  Amazon Cognito: https://aws.amazon.com/cognito/
  • 16. Resources for JSON Web Token  https://auth0.com/learn/json-web-tokens/  https://jwt.io/introduction/  https://scotch.io/tutorials/the-anatomy-of-a-json- web-token  https://auth0.com/e-books/jwt-handbook
  • 17. Resource for OAuth2  RFC 6749 - https://tools.ietf.org/html/rfc6749  RFC 6750 - https://tools.ietf.org/html/rfc6750  https://auth0.com/docs/protocols/oauth2  https://developers.google.com/oauthplayground/