1. Building a Secure API
Overview of techniques and technologies needed to launch a secure API
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
2. Agenda
The security challenge in context
Neo-security stack
OAuth Basics
Overview of other layers
3. Crucial Security Concerns
Enterprise Security, API Security, Mobile Security
4. Identity is Central
[Venn diagram by Gunnar Peterson: Enterprise Security, API Security and Mobile Security (MDM, MAM) overlap, with Identity at the centre and AuthZ between Enterprise and API Security]
5. Neo-security Stack
SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack (diagram label: OpenID Connect)
OAuth 2 is the new meta-protocol defining how tokens are handled
These address old requirements, solve new problems & are composed in useful ways
(Cartoon caption: "Grandpa SAML & junior WS- again? Yep")
6. OAuth Actors
Authorization Server (AS)
Resource Server (RS) (i.e., API)
Resource Owner (RO)
Client
[Diagram: the Client gets a token from the AS, then uses the token at the RS]
7. OAuth Web Server Flow
8. What OAuth is and is not for
Not for authentication
Not really for authorization
For delegation
9. Authentication & Federation
How you authenticate to AS is undefined
Use SAML or OpenID Connect for SSO to AS
Relay OAuth token in SAML messages
10. Push Tokens & Pull Data
[Diagram: the IdP & API Provider pushes the access token in the federation message, via the Browser, to the SaaS App, which then uses it to get data from the API]
11. Overview of OpenID Connect
Builds on OAuth for profile sharing
Uses the flows optimized for user-consent scenarios
Adds identity-based inputs/outputs to core OAuth messages
Tokens are JWTs
12. Overview of SCIM
Defines RESTful API to manage users & groups
Specifies core user & group schemas
Supports bulk updates for ingest
Binding for SAML and eventually OpenID Connect
13. Overview of JSON Identity Suite
Suite of JSON-based identity protocols
Tokens (JWT)
Encryption (JWE)
Keys (JWK)
Signatures (JWS)
Algorithms (JWA)
Bearer Token spec explains how to use w/ OAuth
Being defined in IETF
14. Overview of JWT
Pronounced like the English word “jot”
Lightweight tokens passed in HTTP headers & query strings
Akin to SAML tokens
Less expressive
Fewer security options
More compact
Encoded w/ JSON not XML
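How a resource server would consume the JWT bearer tokens described above, as an added example that is not from the deck: it assumes the JWS algorithm is HS256 with a key shared between the AS and the RS (an assumption; the deck names no algorithm) and shows the checks the RS has to make before trusting the claims: the expected algorithm, a constant-time signature comparison, and the audience and expiry claims.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_jwt(claims: dict, key: bytes) -> str:
    # The AS side: sign header.payload with HMAC-SHA256 (JWS alg HS256).
    # A shared symmetric key is an assumption made for this example.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_bearer(auth_header: str, key: bytes, audience: str,
                  now: Optional[float] = None) -> Optional[dict]:
    # The RS side: take the token from "Authorization: Bearer <jwt>",
    # verify the JWS signature, then check the claims. Returns the claims
    # on success and None on any failure (the caller answers 401).
    now = time.time() if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return None
    h, p, s = token.split(".")
    try:
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":   # reject "none" and algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```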
15. SCIM + OAuth
Use OAuth to secure SCIM API calls
Use SCIM to create accounts needed to access APIs secured using OAuth
16. SCIM + SAML/OIC
Carry SCIM attributes in SAML assertions (bindings for SCIM)
Enables JIT provisioning
Supplements SCIM API & schema
Provisioning accounts using SCIM API to be updated before/after logon
17. Questions & Thanks
@2botech
@travisspencer
www.2botech.com
travisspencer.com