SlideShare a Scribd company logo

Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS

Download as PPTX, PDF
Apigee | Google Cloud
Apigee | Google Cloud

The document discusses JSON Web Tokens (JWT), JSON Web Signature (JWS), and JSON Web Encryption (JWE). It provides an overview of each specification and how they relate. It also describes how JWT can be used for authentication in Apigee Edge using custom Java callout policies to generate, parse, and verify JWT without additional coding. Examples of generating signed and encrypted JWT are shown using these callout policies.

Technology
1 of 29
©2016 Apigee Corp. All Rights Reserved.
Dino Chiesa Apigee dchiesa@apigee.com Vinit Mehta Apigee vmehta@apigee.com Today’s presenters
Slideshare slideshare.com/apigee Apigee Community https://community.apigee.com YouTube youtube.com/apigee
4 What do these companies have in common?
All are supporting OpenID Connect and JWT. 5
Authentication and Authorization is hard. Many systems do it poorly. (Do YOU provide 2FA ?) JWT and OpenID Connect will help solve that problem. You need to get JWT, now. 6
JWT, JWE, JWS 7
JWS, JWE, JWT are all part of JOSE: “JSON Object Signing and Encryption” 8
JWT Enables Federated Identity 9©2015 Apigee. All Rights Reserved. Internal Client Application Authentication Server (aka Identity Provider, IdP) API Proxy User store Login Create JWT (Signed) JWT Data Public Key Internal Systems JWT Data JWT Data Data JWT Validate Validate Validate Validate
JWT Integrates with external Identity Providers 10©2015 Apigee. All Rights Reserved. Partner Application’s Authentication Server (aka Identity Provider, IdP) API Proxy User store Login JWT (Signed) JWT JWT Data JWT Data Data Public Key Validat e 1 2 3 4 5 6 7 Internal or Partner Systems
• JWS – Signature IETF RFC 7515 https://tools.ietf.org/html /rfc7515 • JSON representation of Signed or HMAC’ed Content • Payload that is signed need not be JSON! • The resulting JWS can be verified by receivers • JWE – Encryption IETF RFC 7516 https://tools.ietf.org/ht ml/rfc7516 • JSON representation of Encrypted content • Payload that is encrypted need not be JSON • Resulting JWE Can be decrypted by receivers JSON Web Token, Signature, Encryption 11 • JWT – Token IETF RFC 7519 https://tools.ietf.org/ht ml/rfc7519 • Signed, or optionally, Encrypted, set of claims. • Issuer, Subject, audience, issue time, not- before time, expiration. • Used as a BEARER token • “Self-validating” • Receiving parties can make decisions based on the claims and signing party, or encrypting party. ©2015 Apigee. All Rights Reserved.
• JWS – Signature IETF RFC 7515 https://tools.ietf.org/html /rfc7515 • JSON representation of Signed or HMAC’ed Content • Payload that is signed need not be JSON! • The resulting JWS can be verified by receivers • JWE – Encryption IETF RFC 7516 https://tools.ietf.org/ht ml/rfc7516 • JSON representation of Encrypted content • Payload that is encrypted need not be JSON • Resulting JWE Can be decrypted by receivers JSON Web Token, Signature, Encryption 12 • JWT – Token IETF RFC 7519 https://tools.ietf.org/ht ml/rfc7519 • Signed, or optionally, Encrypted, set of claims. • Issuer, Subject, audience, issue time, not- before time, expiration. • Used as a BEARER token • “Self-validating” • Receiving parties can make decisions based on the claims and signing party, or encrypting party. ©2015 Apigee. All Rights Reserved.
Demo: Azure AD JWT and JWT.io 13
Apigee Edge includes standard policies for many security tasks. Oauth1.0a generation and verification, Oauth2 generation and verification, SAML generation and verification… 14
Apigee Edge does not yet include standard policies for JWT, JWE, JWS 15
But … Code + Configure ! 16
• Embed your Java code as a policy in Apigee Edge • One Interface, one method, 2 parameters • Can read policy configuration • Can read and write context variables • …anchor anywhere in Edge policy flow • One of the ways to extend Edge with custom code. Also JavaScript, Python, nodejs. • RTFM: http://apigee.com/docs/api- services/reference/java-callout-policy What are Java Callouts? 17©2015 Apigee. All Rights Reserved.
• Re-usable now in any of your Proxies • Configure it with XML as any other policy • Make decisions based on embedded claims • Can read JWT generated by third parties, such as Google or Windows Azure Java Callout for JWT Parse/Verification 18©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-jwt-jwe-jws
• Re-usable now in any of your Proxies • Configure it with XML as any other policy • Generate JWT for use by others • Can be used by backends or other systems called by clients • Can be consumed by Edge itself Java Callout for JWT Generation 19©2015 Apigee. All Rights Reserved.
JWT Code walkthrough & Demo 20
Some comments • This JWT policy handles Signed, not Encrypted JWT • RS256 and HS256 are supported • We have a different policy that produces Encrypted JWT (JWE) using RS256 • JWT cannot be “revoked” – so limit your lifetimes • Exercise for the reader: –ES256, other algorithms 21©2015 Apigee. All Rights Reserved.
When to use JWT vs Oauth 2.0 tokens? 22
When to use JWT vs Oauth 2.0 tokens? • Trick Question! JWT are OAuth2.0 tokens • Better phrased as: When to use JWT vs Opaque Oauth 2.0 tokens? • Federation • When you want the client to know everything that is being claimed • JWT implies minimal impact to client and server apps • JWT do not work well with revocation 23©2015 Apigee. All Rights Reserved.
• Re-usable now in any of your Proxies • Configure it with XML as any other policy • Generate JWE for use by others • Configurable Key strength and key derivation • Can be used by backends or other systems called by clients • Can be consumed by Edge itself Java Callout for JWE Generation 24©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-jwt-jwe-jws
Java Callout for JWE Decryption 25©2015 Apigee. All Rights Reserved.
When to use JWS and JWE? • Trick Question! Don’t ever use them! • No, seriously. • JWS and JWE imply some change to client apps • More limited scope of usage than JWT • There are already ways to sign and encrypt arbitrary data • My opinion: JWE and JWS are mostly interesting in support of JWT 26©2015 Apigee. All Rights Reserved.
What did we learn? 27 APIs Apps Users ©2015 Apigee. All Rights Reserved. • YOU NEED to handle JWT • You can use JWT, JWS, JWE in Apigee Edge today via custom policies • No coding needed ! • These policies complement the existing built-in policies in Apigee Edgehttps://github.com/apigee/iloveapis2015-jwt-jwe-jws
©2016 Apigee Corp. All Rights Reserved. Questions? 28
Thank you

Recommended

Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee | Google Cloud
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee | Google Cloud
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?Apigee | Google Cloud
 
The Architecture of an API Platform
The Architecture of an API PlatformThe Architecture of an API Platform
The Architecture of an API PlatformJohannes Ridderstedt
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the EnterpriseApigee | Google Cloud
 
Introducing OpenAPI Version 3.1
Introducing OpenAPI Version 3.1Introducing OpenAPI Version 3.1
Introducing OpenAPI Version 3.1SmartBear
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 

Recommended

Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee | Google Cloud
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee | Google Cloud
 
How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?Apigee | Google Cloud
 
The Architecture of an API Platform
The Architecture of an API PlatformThe Architecture of an API Platform
The Architecture of an API PlatformJohannes Ridderstedt
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the EnterpriseApigee | Google Cloud
 
Introducing OpenAPI Version 3.1
Introducing OpenAPI Version 3.1Introducing OpenAPI Version 3.1
Introducing OpenAPI Version 3.1SmartBear
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API GatewayAmazon Web Services
 
Webcast: Deep-Dive Apigee Edge Microgateway
Webcast: Deep-Dive Apigee Edge MicrogatewayWebcast: Deep-Dive Apigee Edge Microgateway
Webcast: Deep-Dive Apigee Edge MicrogatewayApigee | Google Cloud
 
API for Beginners
API for BeginnersAPI for Beginners
API for BeginnersGustavo De Vita
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
How to Execute a Successful API Strategy
How to Execute a Successful API StrategyHow to Execute a Successful API Strategy
How to Execute a Successful API StrategyMatt McLarty
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee | Google Cloud
 
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations WorkshopI Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations WorkshopApigee | Google Cloud
 
We Built This City - Apigee Edge Architecture
We Built This City - Apigee Edge ArchitectureWe Built This City - Apigee Edge Architecture
We Built This City - Apigee Edge ArchitectureApigee | Google Cloud
 
Apigee Products Overview
Apigee Products OverviewApigee Products Overview
Apigee Products OverviewApigee | Google Cloud
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservicesKunal Hire
 
Serverless Architecture - Design Patterns and Best Practices
Serverless Architecture - Design Patterns and Best PracticesServerless Architecture - Design Patterns and Best Practices
Serverless Architecture - Design Patterns and Best PracticesAmazon Web Services
 
API
APIAPI
APIMasters Academy
 
Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0WSO2
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...WSO2
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Apigee Edge Product Demo
Apigee Edge Product DemoApigee Edge Product Demo
Apigee Edge Product DemoApigee | Google Cloud
 
EKS Workshop
EKS Workshop EKS Workshop
EKS WorkshopAWS Germany
 
Api-First service design
Api-First service designApi-First service design
Api-First service designStefaan Ponnet
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSApigee | Google Cloud
 
APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...Hitachi, Ltd. OSS Solution Center.
 

More Related Content

What's hot

Webcast: Deep-Dive Apigee Edge Microgateway
Webcast: Deep-Dive Apigee Edge MicrogatewayWebcast: Deep-Dive Apigee Edge Microgateway
Webcast: Deep-Dive Apigee Edge MicrogatewayApigee | Google Cloud
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
How to Execute a Successful API Strategy
How to Execute a Successful API StrategyHow to Execute a Successful API Strategy
How to Execute a Successful API StrategyMatt McLarty
 
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations WorkshopI Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations WorkshopApigee | Google Cloud
 
We Built This City - Apigee Edge Architecture
We Built This City - Apigee Edge ArchitectureWe Built This City - Apigee Edge Architecture
We Built This City - Apigee Edge ArchitectureApigee | Google Cloud
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & DevelopmentAshok Pundit
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservicesKunal Hire
 
Serverless Architecture - Design Patterns and Best Practices
Serverless Architecture - Design Patterns and Best PracticesServerless Architecture - Design Patterns and Best Practices
Serverless Architecture - Design Patterns and Best PracticesAmazon Web Services
 
Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0WSO2
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...WSO2
 
Api-First service design
Api-First service designApi-First service design
Api-First service designStefaan Ponnet
 

What's hot (20)

Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API Gateway
 
Webcast: Deep-Dive Apigee Edge Microgateway
Webcast: Deep-Dive Apigee Edge MicrogatewayWebcast: Deep-Dive Apigee Edge Microgateway
Webcast: Deep-Dive Apigee Edge Microgateway
 
API for Beginners
API for BeginnersAPI for Beginners
API for Beginners
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
 
How to Execute a Successful API Strategy
How to Execute a Successful API StrategyHow to Execute a Successful API Strategy
How to Execute a Successful API Strategy
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to Microgateway
 
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations WorkshopI Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
 
We Built This City - Apigee Edge Architecture
We Built This City - Apigee Edge ArchitectureWe Built This City - Apigee Edge Architecture
We Built This City - Apigee Edge Architecture
 
Apigee Products Overview
Apigee Products OverviewApigee Products Overview
Apigee Products Overview
 
REST API Design & Development
REST API Design & DevelopmentREST API Design & Development
REST API Design & Development
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservices
 
Serverless Architecture - Design Patterns and Best Practices
Serverless Architecture - Design Patterns and Best PracticesServerless Architecture - Design Patterns and Best Practices
Serverless Architecture - Design Patterns and Best Practices
 
API
APIAPI
API
 
Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
Apigee Edge Product Demo
Apigee Edge Product DemoApigee Edge Product Demo
Apigee Edge Product Demo
 
EKS Workshop
EKS Workshop EKS Workshop
EKS Workshop
 
Api-First service design
Api-First service designApi-First service design
Api-First service design
 

Similar to Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS

I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSApigee | Google Cloud
 
APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...Hitachi, Ltd. OSS Solution Center.
 
Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Apigee | Google Cloud
 
Modernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIsModernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIsApigee | Google Cloud
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API ManagerWSO2
 
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...apidays
 
Moving the Guidewire platform to OSGi - Paul D'Albora
Moving the Guidewire platform to OSGi - Paul D'AlboraMoving the Guidewire platform to OSGi - Paul D'Albora
Moving the Guidewire platform to OSGi - Paul D'Alboramfrancis
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...Yuichi Nakamura
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)ForgeRock
 
How to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyHow to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyNordic APIs
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Evernym
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Alex Kosowski
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopApigee | Google Cloud
 
026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...
026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...
026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...Neo4j
 
How to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyHow to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyNordic APIs
 
Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1tactqa
 
Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1tactqa
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfLibbySchulze
 

Similar to Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS (20)

I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
 
APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...APIdays London 2020: Toward certifying Financial-grade API security profile w...
APIdays London 2020: Toward certifying Financial-grade API security profile w...
 
Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture Using containerization to enable your microservice architecture
Using containerization to enable your microservice architecture
 
Modernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIsModernizing an Existing SOA-based Architecture with APIs
Modernizing an Existing SOA-based Architecture with APIs
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
 
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
apidays LIVE LONDON - Toward certifying Financial-grade API profile with Keyc...
 
Moving the Guidewire platform to OSGi - Paul D'Albora
Moving the Guidewire platform to OSGi - Paul D'AlboraMoving the Guidewire platform to OSGi - Paul D'Albora
Moving the Guidewire platform to OSGi - Paul D'Albora
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
 
How to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyHow to Build an Effective API Security Strategy
How to Build an Effective API Security Strategy
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375
 
Java SE Subscription Workshop
Java SE Subscription WorkshopJava SE Subscription Workshop
Java SE Subscription Workshop
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
 
026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...
026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...
026 Neo4j Data Loading (ETL_ELT) Best Practices - NODES2022 AMERICAS Advanced...
 
How to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyHow to Build an Effective API Security Strategy
How to Build an Effective API Security Strategy
 
Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1
 
Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdf
 

More from Apigee | Google Cloud

Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Apigee | Google Cloud
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldApigee | Google Cloud
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Apigee | Google Cloud
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketApigee | Google Cloud
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsApigee | Google Cloud
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessApigee | Google Cloud
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailApigee | Google Cloud
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranApigee | Google Cloud
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!Apigee | Google Cloud
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorApigee | Google Cloud
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorApigee | Google Cloud
 
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryLondon Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryApigee | Google Cloud
 

More from Apigee | Google Cloud (20)

Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)
 
Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs
 
Ticketmaster at a glance
Ticketmaster at a glanceTicketmaster at a glance
Ticketmaster at a glance
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First World
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management Market
 
Walgreens at a glance
Walgreens at a glanceWalgreens at a glance
Walgreens at a glance
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
Pitney Bowes at a glance
Pitney Bowes at a glancePitney Bowes at a glance
Pitney Bowes at a glance
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet Kapoor
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg Brail
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant Jhingran
 
London Adapt or Die: Opening Keynot
London Adapt or Die: Opening KeynotLondon Adapt or Die: Opening Keynot
London Adapt or Die: Opening Keynot
 
London Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynoteLondon Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynote
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoor
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet Kapoor
 
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryLondon Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
 

Recently uploaded

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS

  • 1. ©2016 Apigee Corp. All Rights Reserved.
  • 4. 4 What do these companies have in common?
  • 5. All are supporting OpenID Connect and JWT. 5
  • 6. Authentication and Authorization is hard. Many systems do it poorly. (Do YOU provide 2FA ?) JWT and OpenID Connect will help solve that problem. You need to get JWT, now. 6
  • 8. JWS, JWE, JWT are all part of JOSE: “JSON Object Signing and Encryption” 8
  • 9. JWT Enables Federated Identity 9©2015 Apigee. All Rights Reserved. Internal Client Application Authentication Server (aka Identity Provider, IdP) API Proxy User store Login Create JWT (Signed) JWT Data Public Key Internal Systems JWT Data JWT Data Data JWT Validate Validate Validate Validate
  • 10. JWT Integrates with external Identity Providers 10©2015 Apigee. All Rights Reserved. Partner Application’s Authentication Server (aka Identity Provider, IdP) API Proxy User store Login JWT (Signed) JWT JWT Data JWT Data Data Public Key Validat e 1 2 3 4 5 6 7 Internal or Partner Systems
  • 11. • JWS – Signature IETF RFC 7515 https://tools.ietf.org/html /rfc7515 • JSON representation of Signed or HMAC’ed Content • Payload that is signed need not be JSON! • The resulting JWS can be verified by receivers • JWE – Encryption IETF RFC 7516 https://tools.ietf.org/ht ml/rfc7516 • JSON representation of Encrypted content • Payload that is encrypted need not be JSON • Resulting JWE Can be decrypted by receivers JSON Web Token, Signature, Encryption 11 • JWT – Token IETF RFC 7519 https://tools.ietf.org/ht ml/rfc7519 • Signed, or optionally, Encrypted, set of claims. • Issuer, Subject, audience, issue time, not- before time, expiration. • Used as a BEARER token • “Self-validating” • Receiving parties can make decisions based on the claims and signing party, or encrypting party. ©2015 Apigee. All Rights Reserved.
  • 12. • JWS – Signature IETF RFC 7515 https://tools.ietf.org/html /rfc7515 • JSON representation of Signed or HMAC’ed Content • Payload that is signed need not be JSON! • The resulting JWS can be verified by receivers • JWE – Encryption IETF RFC 7516 https://tools.ietf.org/ht ml/rfc7516 • JSON representation of Encrypted content • Payload that is encrypted need not be JSON • Resulting JWE Can be decrypted by receivers JSON Web Token, Signature, Encryption 12 • JWT – Token IETF RFC 7519 https://tools.ietf.org/ht ml/rfc7519 • Signed, or optionally, Encrypted, set of claims. • Issuer, Subject, audience, issue time, not- before time, expiration. • Used as a BEARER token • “Self-validating” • Receiving parties can make decisions based on the claims and signing party, or encrypting party. ©2015 Apigee. All Rights Reserved.
  • 13. Demo: Azure AD JWT and JWT.io 13
  • 14. Apigee Edge includes standard policies for many security tasks. Oauth1.0a generation and verification, Oauth2 generation and verification, SAML generation and verification… 14
  • 15. Apigee Edge does not yet include standard policies for JWT, JWE, JWS 15
  • 16. But … Code + Configure ! 16
  • 17. • Embed your Java code as a policy in Apigee Edge • One Interface, one method, 2 parameters • Can read policy configuration • Can read and write context variables • …anchor anywhere in Edge policy flow • One of the ways to extend Edge with custom code. Also JavaScript, Python, nodejs. • RTFM: http://apigee.com/docs/api- services/reference/java-callout-policy What are Java Callouts? 17©2015 Apigee. All Rights Reserved.
  • 18. • Re-usable now in any of your Proxies • Configure it with XML as any other policy • Make decisions based on embedded claims • Can read JWT generated by third parties, such as Google or Windows Azure Java Callout for JWT Parse/Verification 18©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-jwt-jwe-jws
  • 19. • Re-usable now in any of your Proxies • Configure it with XML as any other policy • Generate JWT for use by others • Can be used by backends or other systems called by clients • Can be consumed by Edge itself Java Callout for JWT Generation 19©2015 Apigee. All Rights Reserved.
  • 21. Some comments • This JWT policy handles Signed, not Encrypted JWT • RS256 and HS256 are supported • We have a different policy that produces Encrypted JWT (JWE) using RS256 • JWT cannot be “revoked” – so limit your lifetimes • Exercise for the reader: –ES256, other algorithms 21©2015 Apigee. All Rights Reserved.
  • 22. When to use JWT vs Oauth 2.0 tokens? 22
  • 23. When to use JWT vs Oauth 2.0 tokens? • Trick Question! JWT are OAuth2.0 tokens • Better phrased as: When to use JWT vs Opaque Oauth 2.0 tokens? • Federation • When you want the client to know everything that is being claimed • JWT implies minimal impact to client and server apps • JWT do not work well with revocation 23©2015 Apigee. All Rights Reserved.
  • 24. • Re-usable now in any of your Proxies • Configure it with XML as any other policy • Generate JWE for use by others • Configurable Key strength and key derivation • Can be used by backends or other systems called by clients • Can be consumed by Edge itself Java Callout for JWE Generation 24©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-jwt-jwe-jws
  • 25. Java Callout for JWE Decryption 25©2015 Apigee. All Rights Reserved.
  • 26. When to use JWS and JWE? • Trick Question! Don’t ever use them! • No, seriously. • JWS and JWE imply some change to client apps • More limited scope of usage than JWT • There are already ways to sign and encrypt arbitrary data • My opinion: JWE and JWS are mostly interesting in support of JWT 26©2015 Apigee. All Rights Reserved.
  • 27. What did we learn? 27 APIs Apps Users ©2015 Apigee. All Rights Reserved. • YOU NEED to handle JWT • You can use JWT, JWS, JWE in Apigee Edge today via custom policies • No coding needed ! • These policies complement the existing built-in policies in Apigee Edgehttps://github.com/apigee/iloveapis2015-jwt-jwe-jws
  • 28. ©2016 Apigee Corp. All Rights Reserved. Questions? 28

Editor's Notes

  1. With that , it is time for introductions, This is Aashima Gupta , I lead the healthcare vertical for Apigee with focus on API and Analytics. In this role ,I closely working with marque clients inclding payers , providers and pharmas in helping them with digital health strategy acceleratio and also n in identifying transformative opportunities ( FHIR being one of them) Prior to joining the firm ,I was leading the Digital Health Incubations at Kaiser and drove innovation around multitude of digital channels including launch of the Lifestyle integration platform and first public API for kaiser.
  2. Vinit will talk to this slide. Move blocks around to fit. Which big vendors are supporting this? Facebook, Azure, Salesforce… (Verify)
  3. Vinit will talk to this slide. Move blocks around to fit. Which big vendors are supporting this? Facebook, Azure, Salesforce… (Verify)
  4. JWK – JSON Web Key - RFC 7517 JWA – JSON Web Algorithms – RFC 7518
  5. JWK – JSON Web Key - RFC 7517 JWA – JSON Web Algorithms – RFC 7518