Bigger, Better Business With OAuth
Download as PPTX, PDF3 likes2,416 views
The document discusses the evolution of business intermediaries, emphasizing the role of apps as new facilitators connecting buyers and sellers in a rapidly growing market. It introduces OAuth as a security protocol essential for establishing trust in open platforms, allowing for controlled access to user data without compromising security. The imperative is for businesses to standardize OAuth to foster developer innovation and ensure secure transaction mechanisms in the API era.
![[Ecosystem Competition]
Kishore S. Swaminathan, Chief Scientist, Accenture](https://image.slidesharecdn.com/biggerbolderbusinesswithoauth-111118164217-phpapp02/85/Bigger-Better-Business-With-OAuth-30-320.jpg)
Bigger, Better Business With OAuth
- 1. Bigger, Better Business with OAuth 11.11.17 @ 11:05 PST VOIP or Dial-in (see chat) groups.google.com/group/api-craft Sam Ramji @sramji Brian Mulloy @landlessness
- 2. Your hosts
- 3. @landlessness @sramji
- 5. youtube.com/apigee 5
- 7. Every market in history has had intermediaries
- 8. Business Intermediaries Customers
- 9. These intermediaries connect buyers and sellers by knowing what both want and creating convenient ways to transact
- 10. Apps are the new intermediaries.
- 11. Business Apps Customers
- 12. They occupy many niches already and continue to multiply
- 13. App Store Growth 2008-2011 600 12 500 10 Apps Available Thousands Total App Downloads 400 8 Billions 300 6 200 4 100 2 0 0 Data from Wikipedia
- 14. As do devices.
- 16. Companies cannot build for all these niches as each one requires distinct expertise in design and development, and there are too many niches.
- 17. As Marc Andreessen observed recently
- 18. “ In short, software is eating the world. We are in the middle of a dramatic and broad technological and economic shift in which software companies are poised to take over large swathes of the economy. Marc Andreessen
- 19. Evans, Hagiu, and Schmalensee explored this deeply in 2006
- 21. And Annabelle Gawer has formalized the solution
- 23. The platform business model.
- 25. As we’ve learned from digital natives like
- 27. open platforms grow the fastest.
- 29. In the API era of competition, speed is crucial because critical mass leads rapidly to market dominance.
- 30. [Ecosystem Competition] Kishore S. Swaminathan, Chief Scientist, Accenture
- 31. Open platforms mean that apps can be built by developers quickly without formal commitment to joint research, joint development, and joint marketing.
- 32. Open platforms decouple partners from the platform provider’s business cycles.
- 33. This reduces the cost of innovation, enabling many more experiments to be made more quickly, increasing the chance of a major improvement to the platform business, its customers, and its intermediaries.
- 34. This is low-friction innovation.
- 36. This takes us to the stakes required for a digital business in the API era.
- 37. For an intermediary to connect a buyer and seller, there must be trust.
- 38. The intermediary must be trustworthy, and the transaction must be trustworthy.
- 39. In modern businesses, buyers (users) have accounts with sellers (providers) which are filled with data as well as transaction privileges.
- 40. For the system to function well, buyers must be able to fire their intermediary without breaking their relationship with the seller.
- 41. With apps as the intermediary, new dynamics exist on top of the historical foundation.
- 42. Apps are new. They are often short-lived. Their business model depends on building a high volume of users. They must have some way to attain their first transaction and be proven or else improved.
- 43. And this way must align with the loose coupling philosophy at the heart of an open platform otherwise we’ve just secured our way back into old-fashioned closed businesses and killed our platform opportunity.
- 44. “ 20th Century IT was about raising barriers to entry for competitors. 21st Century IT is about lowering barriers to participation. James Governor Redmonk
- 45. So how do you build a trustworthy system in an open world?
- 46. It takes an open security architecture.
- 49. It’s a free and open protocol built on licenses from the Open Web Foundation and it’s the right choice for securing open platforms.
- 50. The Valet Key Metaphor
- 51. Eran Hammer-Lahav compares the OAuth model to a valet key. This is an apt metaphor.
- 55. A Valet Key for Open Platforms
- 56. The heart of OAuth is an authorization token with limited rights which the user can revoke at any time should they become suspicious or dissatisfied with the app they’re using to access your business.
- 57. When the token is first granted the business shows the user what rights the app is asking for
- 59. and this negotiation is invisible to the app.
- 60. A perfect design for bootstrapping trust.
- 62. An app should have just enough permission to do the things the user wants it to.
- 64. OAuth allows for granular access to the user’s account. The current alternative is all or none Give the app your username and password – which gives the app access to everything about you.
- 65. In OAuth, permissions can be gracefully upgraded as well. If the user tries to do something in an app and they haven’t authorized the corresponding permission, the business can give the users the option to add that permission, using the bootstrapping sequence used to grant the token in the first place.
- 67. App developers are not security experts.
- 68. A developer’s job is to make software that does what it is supposed to do. A security expert’s job is to make sure software never does what it is not supposed to do.
- 69. App developers DO NOT WANT the responsibility of holding a user’s secret information. Usernames and passwords, Credit card and banking information, Lifetime history of everyone you’ve emailed These are heavy secrets and require heavy security.
- 70. The right place for these is within your own business, secured by your own experts and your own infrastructure investments.
- 71. Decoupling partners from these challenges keeps security consistent with the open platform potential for low-friction innovation.
- 73. The most popular intermediaries are connecting buyers with several complementary sellers at the same time
- 76. That increases their value to the buyer but also multiplies the difficulty and risk of security
- 77. If one app holds secrets for many businesses that app becomes the highest-risk part of the system.
- 78. As more businesses follow the platform imperative and add APIs
- 79. there is an imperative for the healthy growth of the market through the new intermediaries.
- 80. The imperative is to make it easy for developers to build great apps that can delight users and grow businesses.
- 81. The imperative is for businesses to standardize on OAuth.
- 82. “We have our own version of OAuth”
- 83. “We invented something that’s kind of like OAuth”
- 84. The imperative is to make it easy for developers to build great apps that can delight users and grow businesses.
- 85. The imperative is for businesses to standardize on OAuth.
- 86. No developers were harmed in the production of this presentation.
- 87. A BRIEF HISTORY OF OAUTH
- 88. 3 B.O. 89
- 89. App 90
- 90. U CANT HAS PLZ? MAH PASWORDZ! App App Developer User 91
- 91. App App Limited Developer User 92
- 92. 93
- 93. 94
- 94. 95
- 95. PLZ? NO MOAR 4 U! App API Developer Team 96
- 96. App App App World of API Internal App API User Store Developer APIs Team Systems 97
- 97. Big Company Big Big Big Customer Partner Company App App API User Developer Team 98
- 98. 4 A.O. 99
- 99. Big Company API Team Big Big Customer Partner App App User Developer 100
- 100. b a 101
- 101. b security a capability 102
- 102. Questions? 103
- 103. THANK YOU Questions and ideas to: @sramji @landlessness groups.google.com/group/api-craft youtube.com/apigee
Editor's Notes
- #2: Creative Commons Attribution-Share Alike 3.0 United States License
- #21: Invisible Engines
- #54: For most people, their car is their first or second most valuable possession, valued in tens of thousands of dollars. They are convenient places to leave our other valuables like computers and clothing. Yet we are sometimes required to give them to young, low-paid workers whom we’ve never met before.
- #55: http://www.istockphoto.com/stock-photo-15802228-young-man-in-hoodie-smiling.php?st=6167408How can we trust them?
- #56: In this situation we can give them a valet key – an authorization token with limited rights that can operate the vehicle but not grant access to the trunk, glovebox - or the rest of our keychain.