So you want to use standards to secure your APIs?
Do you? really?
Bertrand CARLIER
bertrand.carlier@wavestone.com
@bertrandcarlier
confidentiel | © WAVESTONE | Cloud Identity Summit | Chicago 2017
Tier one clients
leaders in their industry
2,500 professionals
across 4 continents
Among the leading independent
consultancies in Europe,
n°1 in France
Paris | London | New York | Hong Kong | Singapore* | Dubai*
Brussels | Luxembourg | Geneva | Casablanca
Lyon | Marseille | Nantes
In a world where permanent evolution is key to success,
we enlighten and partner our clients in making their most critical business decisions
Win the digital race
with digital trust
PROVEN EXPERTISE
/ Digital Risk Strategy & Compliance
/ Safe Business Transformation
/ Security Design & Program Management
/ Identity, Fraud & Trust Services
/ Penetration Testing & Incident Response
/ Business Continuity & Resilience
/ Industrial Control Systems
ACTIONABLE INSIGHTS
/ Industry-specific risk mapping
/ AMT Master plan methodology
/ Startups & Innovation Radars
/ ICS-Attacks demonstrator
/ CERT-W & Bug Bounty
Digital trust is a key business enabler that will
put you ahead to win the digital transformation race
Wavestone Cybersecurity & Digital Trust
500+
Consultants & Experts
in Paris, London, New York
& Hong Kong
1,000+
Engagements per year
in 20+ countries
Our clients
Board, Business,
CDO, CIO, CISO, BCM
Obligatory XKCD
What I do 1/2
[Diagram: where I sit between three groups. People who use standards but don't really care: user companies (my clients), other vendors, my mom. People who (try to) understand standards and build things: me, you?, fellow colleagues & competitors. People who make standards: the "industry", research scientists, vendors I like.]
What I do 2/2
[Diagram: four steps: gather requirements → benchmark market → design target solutions → deliver solutions]
1. OAuth 101
Implicit and Client Credentials
YOU'VE GOT MAIL
[Diagram: a flight comparator website (the client) obtains an access token from the authorization server and calls several airline APIs (the resource servers). The comparator's results: Economy, Direct, Two stops, Business class, Boat. "You've been accepted!"]
Authorization code
ARE YOU AUTHORIZED?
[Diagram: the airline website (client) obtains an access token from the authorization server on behalf of the resource owner and calls the airline API (resource server).]
Proof Key for Code Exchange
PIXIES
[Diagram: the same authorization code flow (airline website as client, authorization server, resource server, resource owner, access token) with PKCE (RFC 7636) added.]
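PKCE as a worked example. This is added code, not from the deck: the derivation functions follow RFC 7636 (sections 4.1, 4.2 and 4.6), while the AuthorizationServer class and demo() are constructed stand-ins for a real authorization server and client. It shows the whole point of the mechanism from the server's side: the client keeps a random code_verifier and sends only its S256 code_challenge with the authorization request, so an authorization code is worthless to anyone who cannot also present the verifier at the token endpoint, and each code is consumed on first use.

```python
"""PKCE (RFC 7636) round trip, as an added example (not code from the deck).
The AuthorizationServer class and demo() are constructed stand-ins for a
real authorization server and client; the derivation functions follow
RFC 7636 sections 4.1, 4.2 and 4.6."""
import base64
import hashlib
import hmac
import secrets

# Characters allowed in a code_verifier (RFC 7636 section 4.1).
UNRESERVED = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy verifier of 43 to 128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive code_challenge; 'plain' exists only for legacy clients."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def verify_code_verifier(stored_challenge: str, method: str, presented: str) -> bool:
    """Server side (section 4.6): recompute the challenge from the presented
    verifier and compare it, in constant time, to the one stored with the code."""
    if not 43 <= len(presented) <= 128 or any(c not in UNRESERVED for c in presented):
        return False
    expected = make_code_challenge(presented, method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class AuthorizationServer:
    """Constructed stand-in: binds each authorization code to its challenge,
    redeems a code at most once, and only when the verifier matches."""

    def __init__(self):
        self._codes = {}  # code -> (code_challenge, code_challenge_method)

    def authorize(self, code_challenge, code_challenge_method="S256"):
        """/authorize endpoint (user consent step omitted): issue a bound code."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unknown code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code, code_verifier):
        """/token endpoint: the code is consumed whatever the outcome."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        if not verify_code_verifier(challenge, method, code_verifier):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo():
    """One honest exchange, one reuse of the consumed code, and one code
    redeemed with a verifier that does not match its stored challenge."""
    server = AuthorizationServer()

    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    honest = "access_token" in server.token(code, verifier)
    reuse = server.token(code, verifier).get("error") == "invalid_grant"

    other_code = server.authorize(make_code_challenge(make_code_verifier()))
    wrong = server.token(other_code, verifier).get("error") == "invalid_grant"

    return {"honest_exchange_ok": honest,
            "code_reuse_rejected": reuse,
            "wrong_verifier_rejected": wrong}


if __name__ == "__main__":
    print(demo())
```

The S256 derivation can be checked against the test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk gives challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM). A real server additionally checks redirect_uri and client_id at the token endpoint and rejects the request when a client that registered for PKCE omits code_challenge at /authorize; those checks are outside this snippet.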
Refresh token
(RE)FRESH
[Diagram: the same flow (airline website as client, authorization server, resource server, resource owner, access token, PKCE (RFC 7636)) with a refresh token added.]
[Figure: page counts of the specifications shown in the diagram: 20, 17, 18, 76]
OAuth 2.0: it's quite simple
Who's up for a 130-page RFC read?
And if you want security, feel free to read the 71 pages of « OAuth2 Threat Model and Security Considerations ».
[Legend: refresh token, client, authorization server, resource server, access token, resource owner, Proof Key for Code Exchange]
2. OAuth Advanced
OAuth 2.0: real-life requirements
/ Adaptive authentication: application initiated (acr request) or Authorization Server mandated (adaptive authentication)
/ APIs federation: REST friendly, scalable
/ Modern Web Single Sign-On: beyond the enterprise perimeter, browser and mobile friendly
OpenID Connect
FRENCH CONNECTION
[Diagram: a town's website (client) goes through the France Connect hub and receives an ID token alongside the access token it uses to call the tax department API (resource server). Legend: client, authorization server, resource server, resource owner, access token, refresh token, PKCE (RFC 7636), ID token.]
Authentication Context Reference (acr)
SMS, I KNOW…
[Diagram: a bank API protected by the bank's authorization server, with an OpenID Connect provider handling authentication. Legend: client, authorization server, resource server, resource owner, access token, refresh token, ID token, OpenID Connect provider, PKCE (RFC 7636).]
JWT Bearer profile
ONE RING TOKEN TO RULE THEM ALL
[Diagram: a bank website offers a bank & insurance discount through white-label insurance; in two numbered steps it obtains a token from the insurance's authorization server and calls the insurance's API. Legend: client, authorization server, resource server, resource owner, access token, refresh token, ID token, OpenID Connect provider, PKCE (RFC 7636).]
OAuth 2.0 for Native Applications
SSO ON THE GO
[Diagram: a mobile phone running several apps, the bank's authorization server and an OpenID Connect provider; "OAuth 2 for native apps" joins the legend: client, authorization server, resource server, resource owner, access token, refresh token, ID token, PKCE (RFC 7636), OpenID Connect provider.]
3. OAuth & Beyond
OAuth: today's challenges
/ Pair with devices
/ Protect from token hijacking
/ Share and consent
/ Transmit identity
These are the current use cases that we need to solve now, with only draft standards!
OAuth2 Device Flow
2 MINUTES TWICE A DAY
[Diagram: a connected toothbrush, the toothbrush's cloud services and the toothbrush's app, linked in four numbered steps. Legend: client, authorization server, resource server, resource owner, access token, refresh token, ID token, PKCE (RFC 7636), OpenID Connect provider, OAuth 2 for native apps.]
Token Binding
LATER AGGREGATOR
[Diagram: the "Personal Finance Manager" use case: a multi-account aggregator (client) calls several bank APIs; Token Binding & Mutual TLS profiles join the legend: client, authorization server, resource server, resource owner, access token, refresh token, ID token, PKCE (RFC 7636), OpenID Connect provider, OAuth 2 for native apps.]
User Managed Access
RUN BABY RUN
[Diagram: me (resource owner) with my personal health records and an authorization server; a doctor and a receptionist, as requesting parties, access them through some medical software. Legend: client, authorization server, resource server, resource owner, access token, refresh token, ID token, PKCE (RFC 7636), OpenID Connect provider, OAuth 2 for native apps, Token Binding & Mutual TLS profiles, requesting party.]
Token Exchange
WALL STREET
[Diagram: customer support (client) calls a customer API implemented as microservices, with Token Exchange between them. Legend: client, authorization server, resource server, resource owner, access token, refresh token, ID token, PKCE (RFC 7636), OpenID Connect provider, OAuth 2 for native apps, Token Binding, requesting party, Token Exchange.]
Not to mention
/ Dynamic Client Registration & Management
/ OIDC/OAuth Discovery
/ Signed request
/ Mobile Connect
/ OIDC Session Management
/ Token revocation
/ …
The big picture
AT LAST
[Diagram: all the building blocks together: client, authorization server, resource server, resource owner, access token, refresh token, ID token, PKCE (RFC 7636), OpenID Connect provider, OAuth 2 for native apps, Token Binding, requesting party, Token Exchange.]
"Just saying #OAuth does not do the job"
ONE LAST WORD
/ OAuth is a very rich ecosystem
  - Choose the right specifications
  - Integrate them carefully within a well-designed architecture
  - Don't end up with flawed API security or a false sense of security
wavestone.com
@wavestone_
riskinsight-wavestone.com
@Risk_Insight
securityinsider-solucom.fr
@SecuInsider
Bertrand CARLIER
Senior Manager
M +33 6 18 64 42 52
bertrand.carlier@wavestone.com
Paris | London | New York | Hong Kong | Singapore* | Dubai* | Brussels | Luxembourg | Geneva | Casablanca | Lyon | Marseille | Nantes
* Strategic partners
Paris | London | New York | Hong Kong | Singapore* | Dubai* | Sao Paulo* | Luxembourg | Madrid* | Milan* | Brussels | Geneva | Casablanca | Istanbul* | Lyon | Marseille | Nantes
* Partnerships

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

CIS 2017 - So you want to use standards to secure your APIs?

  • 1. So you want to use standards to secure your APIs? Do you? really? Bertrand CARLIER, bertrand.carlier@wavestone.com, @bertrandcarlier
  • 2. confidentiel | © WAVESTONE | Cloud Identity Summit | Chicago 2017. Tier one clients, leaders in their industry. 2,500 professionals across 4 continents. Among the leading independent consultancies in Europe, n°1 in France. Paris | London | New York | Hong Kong | Singapore* | Dubai* | Brussels | Luxembourg | Geneva | Casablanca | Lyon | Marseille | Nantes. In a world where permanent evolution is key to success, we enlighten and partner our clients in making their most critical business decisions.
  • 3. Win the digital race with digital trust. PROVEN EXPERTISE: Digital Risk Strategy & Compliance / Safe Business Transformation / Security Design & Program Management / Identity, Fraud & Trust Services / Penetration Testing & Incident Response / Business Continuity & Resilience / Industrial Control Systems. ACTIONABLE INSIGHTS: Industry-specific risk mapping / AMT Master plan methodology / Startups & Innovation Radars / ICS-Attacks demonstrator / CERT-W & Bug Bounty. Digital trust is a key business enabler that will put you ahead to win the digital transformation race. Wavestone Cybersecurity & Digital Trust: 500+ consultants & experts in Paris, London, New York & Hong Kong; 1,000+ engagements per year in 20+ countries. Our clients: Board, Business, CDO, CIO, CISO, BCM.
  • 4. Obligatory XKCD
  • 5. What I do 1/2. People who use standards but don't really care: user companies (my clients), other vendors, my mom. People who (try to) understand standards and build things: me, you?, fellow colleagues & competitors. People who make standards: the "industry", research scientists, vendors I like.
  • 6. What I do 2/2: gather requirements, benchmark market, design target solutions, deliver solutions.
  • 8. Implicit and Client Credentials. YOU'VE GOT MAIL. (diagram: comparator website as Client; three Airline APIs as Resource servers; Authorization server; Access token. Flight comparator results: Economy, Direct, Two stops, Business class, Boat. "You've been accepted!")
  • 9. Authorization code. ARE YOU AUTHORIZED? (diagram: Airline website as Client; Airline API as Resource server; Authorization server; Resource owner; Access token)
  • 10. Proof Key for Code Exchange. PIXIES. (diagram: Airline website as Client; Authorization server; Resource server; Resource owner; Access token; PKCE (RFC 7636))
  • 11. Refresh token. (RE)FRESH. (diagram: Airline website as Client; Authorization server; Resource server; Resource owner; Access token; Refresh token; PKCE (RFC 7636))
  • 12. OAuth2.0: it's quite simple. Who's up for a 130-page RFC read? And if you want security, feel free to read the 71 pages of "OAuth2 Threat Model and Security Considerations". (diagram: Client; Authorization server; Resource server; Resource owner; Access token; Refresh token; Proof Key for Code Exchange; page counts shown: 20, 17, 18, 76)
  • 14. OAuth2.0: Real Life requirements. Adaptive authentication: application initiated (acr request) or Authorization Server mandated (adaptive authentication). APIs federation. REST friendly. Scalable. Modern Web Single Sign-On. Beyond the enterprise perimeter. Browser and mobile friendly.
  • 15. OpenID Connect. FRENCH CONNECTION. (diagram: Town's website as Client; Tax department API as Resource server; France Connect hub as Authorization server; Resource owner; Access token; Refresh token; ID token; PKCE (RFC 7636))
  • 16. Authentication Context Reference (acr). SMS, I KNOW… (diagram: Client; Bank authorization server as Authorization server and OpenID Connect provider; Bank API as Resource server; Resource owner; Access token; Refresh token; ID token; PKCE (RFC 7636))
  • 17. JWT Bearer profile. ONE RING TOKEN TO RULE THEM ALL. (diagram: Bank website as Client; Insurance's Authorization server; Insurance's API as Resource server; Resource owner; OpenID Connect provider; Access token; Refresh token; ID token; PKCE (RFC 7636). Use case: Bank & Insurance discount, white label insurance; steps 1 and 2)
  • 18. OAuth2.0 for Native Applications. SSO ON THE GO. (diagram: apps on a Mobile phone as Clients; Bank's authorization server as Authorization server and OpenID Connect provider; Resource server; Resource owner; Access token; Refresh token; ID token; PKCE (RFC 7636); OAuth 2 for native apps)
  • 19. 3. OAuth & Beyond
  • 20. OAuth: Today's challenges. Pair with devices. Protect from token hijacking. Share and Consent. Transmit Identity. These are the current use cases that we need to solve now with only draft standards!
  • 21. OAuth2 Device Flow. 2 MINUTES TWICE A DAY. (diagram: Connected toothbrush; Toothbrush's app as Client; Toothbrush's cloud services as Resource server; Authorization server; OpenID Connect provider; Resource owner; Access token; Refresh token; ID token; PKCE (RFC 7636); OAuth 2 for native apps; steps 1 to 4)
  • 22. Token Binding. LATER AGGREGATOR. The "Personal Finance Manager" use case. (diagram: Multi-account aggregator as Client; three Bank APIs as Resource servers; Authorization server; OpenID Connect provider; Resource owner; Access token; Refresh token; ID token; PKCE (RFC 7636); OAuth 2 for native apps; Token Binding & Mutual TLS profiles)
  • 23. User Managed Access. RUN BABY RUN. (diagram: Me as Resource owner; Personal health records as Resource server; Authorization server; Doctor and Receptionist as Requesting parties using some medical software as Client; OpenID Connect provider; Access token; Refresh token; ID token; PKCE (RFC 7636); OAuth 2 for native apps; Token Binding & Mutual TLS profiles)
  • 24. Token Exchange. WALL STREET. (diagram: Customer support as Client; Customer API and micro services as Resource servers; Authorization server; OpenID Connect provider; Resource owner; Requesting party; Access token; Refresh token; ID token; PKCE (RFC 7636); OAuth 2 for native apps; Token Binding; Token Exchange)
  • 25. The big picture. AT LAST. Not to mention: Dynamic Client Registration & Management / OIDC/OAuth Discovery / Signed request / Mobile Connect / OIDC Session Management / Token revocation / … (diagram: Client; Authorization server; Resource server; Resource owner; Requesting party; OpenID Connect provider; Access token; Refresh token; ID token; PKCE (RFC 7636); OAuth 2 for native apps; Token Binding; Token Exchange)
  • 26. "Just saying #OAuth does not do the job". ONE LAST WORD. OAuth is a very rich ecosystem: choose the right specifications; integrate them carefully within a well-designed architecture; don't end up with a flawed API security or a false sense of security.
  • 28. PARIS | LONDON | NEW YORK | HONG KONG | SINGAPORE* | DUBAI* | BRUSSELS | LUXEMBOURG | GENEVA | CASABLANCA | LYON | MARSEILLE | NANTES (* strategic partners). PARIS | LONDON | NEW YORK | HONG KONG | SINGAPORE* | DUBAI* | SAO PAULO* | LUXEMBOURG | MADRID* | MILAN* | BRUSSELS | GENEVA | CASABLANCA | ISTANBUL* | LYON | MARSEILLE | NANTES (* partnerships).
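Slides 10 onward name Proof Key for Code Exchange (RFC 7636) on every diagram without showing what the authorization server actually checks. The following is an added worked example, not code from the deck or from Wavestone: the client-side verifier/challenge computation follows RFC 7636 literally (S256 method, base64url without padding), while the `AuthorizationServer` class, its in-memory code store and the `exchange` helper are a hypothetical minimal model written for illustration. It shows why a party that only obtains the authorization code cannot redeem it, and why codes must be single use.

```python
"""PKCE (RFC 7636) worked example: client side and authorization-server side.

Added illustration, not code from the deck or from Wavestone. The
AuthorizationServer class and its storage are a hypothetical minimal model;
only the verifier/challenge arithmetic follows the RFC literally.
"""
import base64
import hashlib
import re
import secrets
from typing import Dict, Optional, Tuple

# RFC 7636 section 4.1: 43 to 128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client step 1: a high-entropy verifier; 32 random bytes give 43 characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client step 2, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical minimal AS that stores the challenge with each issued code."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # Refuse the 'plain' method: it would hand an interceptor the verifier itself.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        entry = self._pending.pop(code, None)  # authorization codes are single use
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None
        if not _VERIFIER_RE.match(code_verifier):
            return None
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "Bearer", "expires_in": 300}


def exchange(server: AuthorizationServer, client_id: str,
             verifier_at_token_time: Optional[str] = None) -> Optional[dict]:
    """Full round trip. By default the legitimate client redeems its own code;
    passing a different verifier models a party that captured the code only."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier_at_token_time or verifier)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate client gets a token:", exchange(srv, "airline-website") is not None)
    print("code without the verifier gets a token:",
          exchange(srv, "airline-website", "x" * 43) is not None)
```

The RFC 7636 Appendix B test vector (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` hashes to the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a quick way to confirm an implementation's encoding is right; the two most common mistakes are leaving base64 padding in place and hashing the base64 of the verifier rather than its ASCII bytes.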