SlideShare a Scribd company logo

Secure your APIs using OAuth 2 and OpenID Connect

Nordic APIs, profile picture
Nordic APIs

The document provides an overview of OAuth 2.0 and OpenID Connect, highlighting their significance in API security by clarifying misconceptions around API keys and focusing on delegated access, identity management, and token types. It outlines the OAuth 2.0 protocol, its actors, and the token issuance process, while also discussing the importance of using JWTs and the proper applications of OAuth. Additionally, it explores how these technologies can be implemented in microservices architectures and offers resources for further information.

Software
Related topics:
Nordic APIsAPI Security Insights
1 of 40
Downloaded 84 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Overview of OAuth and OpenID Connect The Nuts and Bolts of API Security By Travis Spencer, CEO @travisspencer, @2botech Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
ü All API Conferences ü API Community ü Active blogosphere Organizers and founders
Agenda § The security challenge in context § OAuth 2 Fundamentals § Building OpenID Connect on OAuth § 2 example use cases Copyright © 2013-2014 Twobo Technologies AB. All rights reserved
API Security == API Keys § Problem solved! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
API Security != API Keys § Revocable, un-audienced, non-expiring, bearer access tokens § Symmetric keys § Passwords! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
API Security == OAuth § Problem solved for real this time? Not that easy! Sorry L Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Crucial Security Concerns Enterprise Security API Security Mobile Security Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Identity is Central MDM MAM Mobile Security API Security Enterprise Security Identity Venn diagram by Gunnar Peterson AuthZ Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The Neo-security Stack JSON Identity Suite OpenID Connect SCIM OAuth 2 Provisioning Identities Federation Delegated Access Authorization U2FAuthentication Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
§ OAuth 2 is a protocol of protocols § Used as the base of other specifications § OpenID Connect, UMA, HEART, etc. § Addresses some important requirements § Delegated access § No password sharing § Revocation of access OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
1. Resource Owner (RO) 2. Client 3. Authorization Server (AS) 4. Resource Server (RS) (i.e., API) Getatoken Delegate RSClient AS RO Use a token OAuth Actors Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Request, Authenticate & Consent Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The Client Requests Access Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The AS Requires the RO to Authenticate Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The AS Issues the One-time Use Code Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The Client Redeems the One-time Use Code Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The AS Issues the Token Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The Client Presents the Token to the RS Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
The RS Validates the Token Resource Owner (RO) Resource Server (RS)Client Authorization Server (AS) Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Access! Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
§ Like permissions § Scopes specify extent of tokens’ usefulness § Listed on consent UI (if shown) § No standardized scopes Scopes Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Kinds of Tokens Access Tokens Like a Session Used to secure API calls Refresh Tokens Like a Password Used to get new access tokens Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Holder of Key HoK tokens are like credit cards Profiles of Tokens Bearer Bearer tokens are like cash $ Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Types of Tokens § WS-Security § SAML § Custom § Home-grown § Oracle Access Manager § SiteMinder § JWT Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
JWT Tokens § Pronounced like the English word “jot” § Lightweight tokens passed in HTTP headers & query strings § Akin to SAML tokens § Less expressive § Less security options § More compact § Encoded w/ JSON not XML Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Passing Tokens 123XYZ John Doe By Value By Reference Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Not for authentication Not really for authorization Not for federation Improper Usage of OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
For delegated access User to app delegation in particular Proper Usage of OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
• Next generation federation protocol – Based on OAuth 2 – Made for mobile – Not backward compatible • Client & API receive tokens • User info endpoint provided for client to get user data OpenID Connect Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Get user info using access token OpenID Connect Example OAuth AS / OpenID Provider RP / Client Browser Access code Send code to get access token Access token & ID token Check audience restriction of ID token Request login, providing “openid” scope & user info scopes User info Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
ID Token is for Client § Access token is for API; ID token is for client § ID token provides client with info about § Intended client recipient § Username § Credential used to login § Issuer of token § Expiration time Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
User Info Endpoint § Token issuance and user discovery endpoint § Authenticate using bearer access token issued by OpenID Provider § Output depends on requested and authorized scopes § sub claim must match sub claim in ID token Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Applying All this to Micro-services Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
All Micro-services Accept JWTs Resource Owner (RO) But translate! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Translate from by-ref to by-value in gateway Resource Owner (RO) 123 XYZ API Firewall / Reverse Proxy Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
Additional Resources § Blog posts § bit.ly/oauth-deep-dive § bit.ly/4-api-security-defenses § bit.ly/building-secure-api § bit.ly/right-api-armor § API keys http://bit.ly/2dI9Z7Q § Videos § bit.ly/oauth-in-depth § bit.ly/micro-services-security § bit.ly/building-secure-api-video § API security insights § http://nordicapis.com/api- insights/security/ Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
For more information, visit curity.io
Summary § API security > API keys & OAuth § OAuth 2 fundamentals § Token types § Profiles § Passing tokens § Building OpenID Connect on OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
Thank you! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
Secure your APIs using OAuth 2 and OpenID Connect

More Related Content

PPTX
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Nordic APIs
 
PDF
Launching a Successful and Secure API
Nordic APIs
 
PDF
1400 ping madsen-nordicapis-connect-01
Nordic APIs
 
PDF
Integrated social solutions, the power and pitfalls of mashups
Nordic APIs
 
PDF
Who’s Knocking? Identity for APIs, Web and Mobile
Nordic APIs
 
PDF
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
PDF
Incorporating OAuth: How to integrate OAuth into your mobile app
Nordic APIs
 
PDF
OAuth and OpenID Connect for Microservices
Twobo Technologies
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Nordic APIs
 
Launching a Successful and Secure API
Nordic APIs
 
1400 ping madsen-nordicapis-connect-01
Nordic APIs
 
Integrated social solutions, the power and pitfalls of mashups
Nordic APIs
 
Who’s Knocking? Identity for APIs, Web and Mobile
Nordic APIs
 
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Nordic APIs
 
OAuth and OpenID Connect for Microservices
Twobo Technologies
 

What's hot (20)

PDF
Authorization The Missing Piece of the Puzzle
Nordic APIs
 
PDF
Neo-security Stack
Twobo Technologies
 
PDF
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
PDF
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Twobo Technologies
 
PDF
Transforming organizations into platforms
Twobo Technologies
 
PPTX
Incorporating OAuth
Twobo Technologies
 
PPTX
OAuth Assisted Token Flow for Single Page Applications
Nordic APIs
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
Nordic APIs - Building a Secure API
Twobo Technologies
 
PDF
Designing an API
Twobo Technologies
 
PDF
Twobo LDAP Attribute Store for ADFS
Twobo Technologies
 
PDF
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
PDF
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
PDF
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CloudIDSummit
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
PDF
SSL Certificate and Code Signing
Li-Wei Yao
 
PDF
Security Cas And Open Id
ConSanFrancisco123
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
PPTX
The JSON-based Identity Protocol Suite
Twobo Technologies
 
PPTX
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
Authorization The Missing Piece of the Puzzle
Nordic APIs
 
Neo-security Stack
Twobo Technologies
 
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Twobo Technologies
 
Transforming organizations into platforms
Twobo Technologies
 
Incorporating OAuth
Twobo Technologies
 
OAuth Assisted Token Flow for Single Page Applications
Nordic APIs
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Nordic APIs - Building a Secure API
Twobo Technologies
 
Designing an API
Twobo Technologies
 
Twobo LDAP Attribute Store for ADFS
Twobo Technologies
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CloudIDSummit
 
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
SSL Certificate and Code Signing
Li-Wei Yao
 
Security Cas And Open Id
ConSanFrancisco123
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
The JSON-based Identity Protocol Suite
Twobo Technologies
 
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
Ad

Similar to Secure your APIs using OAuth 2 and OpenID Connect (20)

PDF
AT&T 2012 DevLab Speech API Deep Dive
Michael Owens
 
PPTX
Platform Security that will Last for Decades (Travis Spencer)
Nordic APIs
 
PPTX
Microservices architecture
Daniel Foo
 
PDF
OAuth in the Real World featuring Webshell
CA API Management
 
PDF
ITB 2023 - The Many Layers of OAuth - Keith Casey .pdf
Ortus Solutions, Corp
 
PDF
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
Ortus Solutions, Corp
 
PDF
Deep dive into the Open Banking payments flows
ForgeRock Identity Tech Talks
 
PDF
gRPC vs REST: let the battle begin!
Alex Borysov
 
PDF
An Introduction to AWS IoT - Web Summit Lisbon
Boaz Ziniman
 
PDF
The Future is Now: What’s New in ForgeRock Access Management
ForgeRock
 
PPTX
The Hitchhiker's Guide to the Land of OAuth
Chris Adriaensen
 
PDF
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
PDF
What is Hyperledger | Blockchain Technology | Blockchain Tutorial for Beginne...
Edureka!
 
PDF
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Edureka!
 
PPTX
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
PDF
Serverless Software Architecture - Gears 17
Tars Joris
 
PPTX
Code on the chain! An introduction in writing smart contracts and tooling for...
Codemotion
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
PDF
Liferay as a headless platform
Jorge Ferrer
 
PDF
Using OAuth with PHP
David Ingram
 
AT&T 2012 DevLab Speech API Deep Dive
Michael Owens
 
Platform Security that will Last for Decades (Travis Spencer)
Nordic APIs
 
Microservices architecture
Daniel Foo
 
OAuth in the Real World featuring Webshell
CA API Management
 
ITB 2023 - The Many Layers of OAuth - Keith Casey .pdf
Ortus Solutions, Corp
 
ITB_2023_The_Many_Layers_of_OAuth_Keith_Casey_.pdf
Ortus Solutions, Corp
 
Deep dive into the Open Banking payments flows
ForgeRock Identity Tech Talks
 
gRPC vs REST: let the battle begin!
Alex Borysov
 
An Introduction to AWS IoT - Web Summit Lisbon
Boaz Ziniman
 
The Future is Now: What’s New in ForgeRock Access Management
ForgeRock
 
The Hitchhiker's Guide to the Land of OAuth
Chris Adriaensen
 
OAuth2 - The Swiss Army Framework
Brent Shaffer
 
What is Hyperledger | Blockchain Technology | Blockchain Tutorial for Beginne...
Edureka!
 
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Edureka!
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
Serverless Software Architecture - Gears 17
Tars Joris
 
Code on the chain! An introduction in writing smart contracts and tooling for...
Codemotion
 
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Liferay as a headless platform
Jorge Ferrer
 
Using OAuth with PHP
David Ingram
 
Ad

More from Nordic APIs (20)

PPTX
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
PPTX
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
PDF
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
PPTX
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
PPTX
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
PDF
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
PPTX
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
PPTX
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
PPTX
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
PPTX
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
PPTX
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
PPTX
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
PPTX
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
PPTX
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
PPTX
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
PPTX
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
PPTX
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
PPTX
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
PDF
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
PPTX
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 

Recently uploaded (20)

PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
System and Network Administration Chapter 2
jaramharo
 
Introduction Database Management System for Course Database
ReinertYosua
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 

Secure your APIs using OAuth 2 and OpenID Connect

  • 1. Overview of OAuth and OpenID Connect The Nuts and Bolts of API Security By Travis Spencer, CEO @travisspencer, @2botech Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
  • 2. ü All API Conferences ü API Community ü Active blogosphere Organizers and founders
  • 3. Agenda § The security challenge in context § OAuth 2 Fundamentals § Building OpenID Connect on OAuth § 2 example use cases Copyright © 2013-2014 Twobo Technologies AB. All rights reserved
  • 4. API Security == API Keys § Problem solved! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 5. API Security != API Keys § Revocable, un-audienced, non-expiring, bearer access tokens § Symmetric keys § Passwords! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 6. API Security == OAuth § Problem solved for real this time? Not that easy! Sorry L Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 7. Crucial Security Concerns Enterprise Security API Security Mobile Security Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 8. Identity is Central MDM MAM Mobile Security API Security Enterprise Security Identity Venn diagram by Gunnar Peterson AuthZ Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 9. The Neo-security Stack JSON Identity Suite OpenID Connect SCIM OAuth 2 Provisioning Identities Federation Delegated Access Authorization U2FAuthentication Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 10. § OAuth 2 is a protocol of protocols § Used as the base of other specifications § OpenID Connect, UMA, HEART, etc. § Addresses some important requirements § Delegated access § No password sharing § Revocation of access OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 11. 1. Resource Owner (RO) 2. Client 3. Authorization Server (AS) 4. Resource Server (RS) (i.e., API) Getatoken Delegate RSClient AS RO Use a token OAuth Actors Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 12. Request, Authenticate & Consent Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 13. The Client Requests Access Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 14. The AS Requires the RO to Authenticate Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 15. The AS Issues the One-time Use Code Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 16. The Client Redeems the One-time Use Code Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 17. The AS Issues the Token Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 18. The Client Presents the Token to the RS Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 19. The RS Validates the Token Resource Owner (RO) Resource Server (RS)Client Authorization Server (AS) Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 20. Access! Resource Owner (RO) Authorization Server (AS) Resource Server (RS)Client Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 21. § Like permissions § Scopes specify extent of tokens’ usefulness § Listed on consent UI (if shown) § No standardized scopes Scopes Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 22. Kinds of Tokens Access Tokens Like a Session Used to secure API calls Refresh Tokens Like a Password Used to get new access tokens Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 23. Holder of Key HoK tokens are like credit cards Profiles of Tokens Bearer Bearer tokens are like cash $ Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 24. Types of Tokens § WS-Security § SAML § Custom § Home-grown § Oracle Access Manager § SiteMinder § JWT Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 25. JWT Tokens § Pronounced like the English word “jot” § Lightweight tokens passed in HTTP headers & query strings § Akin to SAML tokens § Less expressive § Less security options § More compact § Encoded w/ JSON not XML Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 26. Passing Tokens 123XYZ John Doe By Value By Reference Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 27. Not for authentication Not really for authorization Not for federation Improper Usage of OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 28. For delegated access User to app delegation in particular Proper Usage of OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 29. • Next generation federation protocol – Based on OAuth 2 – Made for mobile – Not backward compatible • Client & API receive tokens • User info endpoint provided for client to get user data OpenID Connect Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 30. Get user info using access token OpenID Connect Example OAuth AS / OpenID Provider RP / Client Browser Access code Send code to get access token Access token & ID token Check audience restriction of ID token Request login, providing “openid” scope & user info scopes User info Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 31. ID Token is for Client § Access token is for API; ID token is for client § ID token provides client with info about § Intended client recipient § Username § Credential used to login § Issuer of token § Expiration time Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 32. User Info Endpoint § Token issuance and user discovery endpoint § Authenticate using bearer access token issued by OpenID Provider § Output depends on requested and authorized scopes § sub claim must match sub claim in ID token Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 33. Applying All this to Micro-services Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 34. All Micro-services Accept JWTs Resource Owner (RO) But translate! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 35. Translate from by-ref to by-value in gateway Resource Owner (RO) 123 XYZ API Firewall / Reverse Proxy Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 36. Additional Resources § Blog posts § bit.ly/oauth-deep-dive § bit.ly/4-api-security-defenses § bit.ly/building-secure-api § bit.ly/right-api-armor § API keys http://bit.ly/2dI9Z7Q § Videos § bit.ly/oauth-in-depth § bit.ly/micro-services-security § bit.ly/building-secure-api-video § API security insights § http://nordicapis.com/api- insights/security/ Copyright © 2013-2017 Twobo Technologies AB. All rights reserved @travisspencer / @2botech
  • 37. For more information, visit curity.io
  • 38. Summary § API security > API keys & OAuth § OAuth 2 fundamentals § Token types § Profiles § Passing tokens § Building OpenID Connect on OAuth Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
  • 39. Thank you! Copyright © 2013-2017 Twobo Technologies AB. All rights reserved