SlideShare ist ein Scribd-Unternehmen logo

Jacob has a horse, says Travis

Als PPTX, PDF herunterladen
J
jacobideskog

Jacob has a horse named Travis. The document discusses establishing trust in a microservices architecture through the use of claims instead of directly passing user attributes between services. Claims assert attributes about a user from a trusted source, rather than just providing the attributes alone. This allows services to verify the source of identity data and establish an authorization model with scopes. The document advocates using claims and centralized trust models to avoid issues that can arise from directly sharing user data between loosely coupled services without context.

Technologie
1 von 67
Jacob Has a Horse, says Travis a tale of truths in a microservice architecture
Who Am I?
Who Am I, attributes? Name: Jacob Age: 38 Length: 177cm Family-role: Father Son: Bertil Weather: Sunny Location: Some Café
Me, using a service Name: Jacob Age: 38 Length: 177 Shirt size: 48 Location: Home Weather: Rainy StoreAccount: 123-XYZ Clothing Store /buy
Part 1: The API Security Maturity Model
API Security Maturity Model API Keys and Basic Authentication
Example Name: Jacob Age: 38 Length: 177 Shirt size: 48 Location: Home Weather: Rainy StoreAccount: 123-XYZ Clothing Store /buy
Example Clothing Store Web /buy /inventory /purchase
Example Clothing Store Web /buy /inventory /purchase Authorization: Basic YWRtaW46UGFzc3dvcmQx Authorization: Basic YWRtaW46UGFzc3dvcmQx
Example Clothing Store Web /buy /inventory /purchase Authorization: Basic YWRtaW46UGFzc3dvcmQx { user: 123-XYZ } Authorization: Basic YWRtaW46UGFzc3dvcmQx { user: 123-XYZ }
The problem with API Keys and Basic Auth • Machine verification(ish) • User isn’t bound to the requested resource • Authentication only, no Authorization
API Security Maturity Model API Keys and Basic Authentication Token based Authentication
Example: The publisher
Example: The publisher Inside organization Web Content The Internet
Example: The publisher Inside organization Web Content The Internet Authorization: Bearer AT Authorization: Bearer AT Authorization: Bearer AT
The problem • Access Tokens only used for authentication • Authorization is not performed • Machine access to the same API • Result: Anyone who could obtain a token can update the content API.
API Security Maturity Model API Keys and Basic Authentication Token based Authentication Token based Authorization
Scopes • Named “permissions” in a token • Strings • Does not contain any values • Requested by the client • Authorized by the user and the OAuth server
Scopes Example • content_read • content_write • email • address • invoice_list Content Invoices Users
Example: The Swish app Image Copyright Getswish AB
Example: The Swish app Image Copyright Getswish AB BankID (eID) Swish
Example: The Swish app Image Copyright Getswish AB BankID (eID) Swish
Example: The Swish app Image Copyright Getswish AB BankID (eID) Swish /payment-history/<phone-number>/ALL
Passing information around
Passing information around PhoneNumber = 123213
Passing information around PhoneNumber = 123213
What could go wrong? • What can happen when an API calls another API? • Who trust’s who? • Information gets added along the way
Spaghetti Photo by Immo Wegmann on Unsplash
API Security Maturity Model API Keys and Basic Authentication Token based Authentication Token based Authorization Centralized trust using Claims
Part 2: Claims – the missing piece
Who do we trust? • The caller? • The API Gateway? • The issuer of the tokens? • The user database?
Trust Trust is a subjective assessment of another’s influence in terms of the extent of one’s perception about the quality and significance of another’s impact over one’s outcomes in a given situation, such that one’s expectation of, openness to, and inclination toward such influence provide a sense of control over the potential outcomes of the situation. Romano D.M. (2003). "The Nature of Trust: Conceptual and Operational Clarification". Louisiana State University, PhD Thesis.
Trust, in other words • Trust is subjective • It does not guarantee absolute truth • It helps us predict the correctness of a decision
Participants in Trust The issuer / authority The relying partyThe requesting party
Who Am I, attributes? Name: Jacob Age: 38 Length: 177cm Family-role: Father Son: Bertil Weather: Sunny Location: Some Café
Who Am I, Context attributes?Weather: Sunny Location: Some Café CONTEXT ATTRIBUTES
Who am I, subject attributes Name: Jacob Age: 38 Length: 177cm Family-role: Father Son: Bertil SUBJECT ATTRIBUTES
Asserting parties
Attribute: firstName = Jacob age = 38 Trust Claims, not attributes
Claim: Skatteverket says: the firstName of this person is Jacob Jacob is 38, says Polisen Jacob has a son, says Skatteverket Trust Claims, not attributes
The anatomy of a claim Jacob is 177cm tall, says Polisen Subject Attribute Asserting party
How can we trust the data • Always verify all incoming data against the original source • Trust an common party to provide the data
Using claims The issuer / authority The relying partyThe requesting party
Using claims The issuer / authority The relying partyThe requesting party
Verifying claims The issuer / authority The relying partyThe requesting party OK
Verifying claims The issuer / authority The relying partyThe requesting party Verify signature
Hey, I can use a JWT eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqY W5lZG9lQGV4YW1wbGUuY29tIiwibmFtZSI6IkphbmUgR G9lIiwiaWF0IjoxNTQ2MzAwODAwLCJleHAiOjE4OTM0N TYwMDB9.XcNkubx0GNwbOohJGVAUVxl187oYSR0ecFz 0wvHvksOsOW9m6z3WyW4- Q_yZUMuJaq_WZCX0y8EIUj9bur7aVfSONKv2uS_m7Cn h_GlAAXFRkLZk9cBg3Xrv8mF2rcmZMy_0l5RdRDzF48H 35agZoImUR8sfPU- S7ypgSmNX0j3nlLJLZNqjjF2XkFr54rNsXYFBQZUunzBgV moeqfWRKcSB- HJOrSWEiKL8JLMp8qgS0x4h5YRVtNiJ5o7I3KDYVGG4bw ExFFPwHakseTdjkRJOGcUu1P5- 8DoLnsp1JLYbpfGLC3ebO1rRLQYuDDkqEmqzrMXTyXXT 8Lg8I2IkBw { sub: janedoe@example.com name: Jane Doe iat: 1546300800 exp: 1893456000 iss: https://login.curity.io subscriber_id: ABC_123 }
A JWT has Claims { sub: janedoe@example.com name: Jane Doe iat: 1546300800 exp: 1893456000 iss: https://login.curity.io subscriber_id: ABC_123 } These are claims!
A JWT has Claims { sub: janedoe@example.com name: Jane Doe iat: 1546300800 exp: 1893456000 iss: https://login.curity.io subscriber_id: ABC_123 } There’s a subject
A JWT has Claims { sub: janedoe@example.com name: Jane Doe iat: 1546300800 exp: 1893456000 iss: https://login.curity.io subscriber_id: ABC_123 } Issued by
Using the JWT The issuer / authority The relying partyThe requesting party Verify signature JWT
A JWT is not a protocol!
Traffic Photo by Denys Nevozhai on Unsplash
Using Claims
Using Claims
Using Claims { sub: janedoe@example.com name: Jane Doe iat: 1546300800 exp: 1893456000 iss: https://login.curity.io subscriber_id: ABC_123 phone_number: +46 123 123 123 }
Using Claims
Attribute sources
Claim data • Organize sensitive data to be reachable only by the OIDC server • Include identity specific data in the token • Use Opaque tokens on the internet and JWTs internally • Only add data when the client needs it!
How to identify data to put in the token • It should be relevant to a large set of your APIs • It should not be application specific • It should be attributes of the user • It should not be contextual for the session
Summary: Trust few sources
Summary: No spaghetti Photo by Eiliv-Sonas Aceron on Unsplash
Summary: Attributes are not claims age: 34 firstName: Jane lastName: Doe email: jane@example.com carVIN: 123123123123
Summary: Claims are easy • The car is yellow, Jacob says. • Travis phone number is 123 123 123, says his wife
Jacob has a horse, says Travis
Thank you https://curity.io https://developer.curity.io info@curity.io @curity.io

Empfohlen

4 GDPR Hacks to Mitigate Breach Risks Post GDPR
4 GDPR Hacks to Mitigate Breach Risks Post GDPR4 GDPR Hacks to Mitigate Breach Risks Post GDPR
4 GDPR Hacks to Mitigate Breach Risks Post GDPR
TransUnion
 
Computer Class Day 4 Level 3.pptx
Computer Class Day 4 Level 3.pptxComputer Class Day 4 Level 3.pptx
Computer Class Day 4 Level 3.pptx
Cyprian Konyeha
 
Laws of relationships v7
Laws of relationships v7Laws of relationships v7
Laws of relationships v7
kantarainitiative
 
Sequence Life Sciences
Sequence Life SciencesSequence Life Sciences
Sequence Life Sciences
sequence
 
Welcome to ZOCCAM 6.0
Welcome to ZOCCAM 6.0Welcome to ZOCCAM 6.0
Welcome to ZOCCAM 6.0
JoleneVickers
 
Welcome to ZOCCAM
Welcome to ZOCCAMWelcome to ZOCCAM
Welcome to ZOCCAM
JoleneVickers
 
TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015
Miles Spencer
 
Dynamic authentication rollin'
Dynamic authentication rollin'Dynamic authentication rollin'
Dynamic authentication rollin'
TransUnion
 

Empfohlen

4 GDPR Hacks to Mitigate Breach Risks Post GDPR
4 GDPR Hacks to Mitigate Breach Risks Post GDPR4 GDPR Hacks to Mitigate Breach Risks Post GDPR
4 GDPR Hacks to Mitigate Breach Risks Post GDPR
TransUnion
 
Computer Class Day 4 Level 3.pptx
Computer Class Day 4 Level 3.pptxComputer Class Day 4 Level 3.pptx
Computer Class Day 4 Level 3.pptx
Cyprian Konyeha
 
Laws of relationships v7
Laws of relationships v7Laws of relationships v7
Laws of relationships v7
kantarainitiative
 
Sequence Life Sciences
Sequence Life SciencesSequence Life Sciences
Sequence Life Sciences
sequence
 
Welcome to ZOCCAM 6.0
Welcome to ZOCCAM 6.0Welcome to ZOCCAM 6.0
Welcome to ZOCCAM 6.0
JoleneVickers
 
Welcome to ZOCCAM
Welcome to ZOCCAMWelcome to ZOCCAM
Welcome to ZOCCAM
JoleneVickers
 
TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015
Miles Spencer
 
Dynamic authentication rollin'
Dynamic authentication rollin'Dynamic authentication rollin'
Dynamic authentication rollin'
TransUnion
 
TrustCloud: Satisfaction in Sharing Survey 8 June 2015
TrustCloud: Satisfaction in Sharing Survey 8 June 2015TrustCloud: Satisfaction in Sharing Survey 8 June 2015
TrustCloud: Satisfaction in Sharing Survey 8 June 2015
Miles Spencer
 
criminal procedure code analyst certification
criminal procedure code analyst certificationcriminal procedure code analyst certification
criminal procedure code analyst certification
Vskills
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
Your Customer Is In Control
Your Customer Is In ControlYour Customer Is In Control
Your Customer Is In Control
Chris Parker
 
The Consumerization of Authentication with iovation
The Consumerization of Authentication with iovationThe Consumerization of Authentication with iovation
The Consumerization of Authentication with iovation
TransUnion
 
Cross-device: one of biggest marketer's headaches. How to approach it?
Cross-device: one of biggest marketer's headaches. How to approach it?Cross-device: one of biggest marketer's headaches. How to approach it?
Cross-device: one of biggest marketer's headaches. How to approach it?
MariuszGasiewski
 
Unicorn Business Plans - Blockchain Pitch Deck
Unicorn Business Plans - Blockchain Pitch DeckUnicorn Business Plans - Blockchain Pitch Deck
Unicorn Business Plans - Blockchain Pitch Deck
Unicorn Business Plans
 
When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...
When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...
When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...
TransUnion
 
2020 cypheme global presentation
2020 cypheme global presentation2020 cypheme global presentation
2020 cypheme global presentation
Le Nguyen
 
After the Fire Article
After the Fire ArticleAfter the Fire Article
After the Fire Article
Brian Benoit
 
When Customers Win: 
OmniChannel Authentication 
When Customers Win: 
OmniChannel Authentication When Customers Win: 
OmniChannel Authentication 
When Customers Win: 
OmniChannel Authentication 
Michael Thelander
 
LGC Title VI: Property and Supply Management in the Local Government Units
LGC Title VI: Property and Supply Management in the Local Government UnitsLGC Title VI: Property and Supply Management in the Local Government Units
LGC Title VI: Property and Supply Management in the Local Government Units
Ian Owen Rana
 
Trust Drives Ecommerce Differentiations & Conversions
Trust Drives Ecommerce Differentiations & ConversionsTrust Drives Ecommerce Differentiations & Conversions
Trust Drives Ecommerce Differentiations & Conversions
Miva
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
FIDO Alliance
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
Paolo Missier
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FIDO Alliance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
FIDO Alliance
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
Memoori
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
GDSC PJATK
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
ScyllaDB
 

Weitere ähnliche Inhalte

Ähnlich wie Jacob has a horse, says Travis

The Consumerization of Authentication with iovation
The Consumerization of Authentication with iovationThe Consumerization of Authentication with iovation
The Consumerization of Authentication with iovation
TransUnion
 
After the Fire Article
After the Fire ArticleAfter the Fire Article
After the Fire Article
Brian Benoit
 

Ähnlich wie Jacob has a horse, says Travis (13)

TrustCloud: Satisfaction in Sharing Survey 8 June 2015
TrustCloud: Satisfaction in Sharing Survey 8 June 2015TrustCloud: Satisfaction in Sharing Survey 8 June 2015
TrustCloud: Satisfaction in Sharing Survey 8 June 2015
 
criminal procedure code analyst certification
criminal procedure code analyst certificationcriminal procedure code analyst certification
criminal procedure code analyst certification
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
Your Customer Is In Control
Your Customer Is In ControlYour Customer Is In Control
Your Customer Is In Control
 
The Consumerization of Authentication with iovation
The Consumerization of Authentication with iovationThe Consumerization of Authentication with iovation
The Consumerization of Authentication with iovation
 
Cross-device: one of biggest marketer's headaches. How to approach it?
Cross-device: one of biggest marketer's headaches. How to approach it?Cross-device: one of biggest marketer's headaches. How to approach it?
Cross-device: one of biggest marketer's headaches. How to approach it?
 
Unicorn Business Plans - Blockchain Pitch Deck
Unicorn Business Plans - Blockchain Pitch DeckUnicorn Business Plans - Blockchain Pitch Deck
Unicorn Business Plans - Blockchain Pitch Deck
 
When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...
When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...
When Customers Win: Omnichannel Authentication in the Age of the Empowered Co...
 
2020 cypheme global presentation
2020 cypheme global presentation2020 cypheme global presentation
2020 cypheme global presentation
 
After the Fire Article
After the Fire ArticleAfter the Fire Article
After the Fire Article
 
When Customers Win: 
OmniChannel Authentication 
When Customers Win: 
OmniChannel Authentication When Customers Win: 
OmniChannel Authentication 
When Customers Win: 
OmniChannel Authentication 
 
LGC Title VI: Property and Supply Management in the Local Government Units
LGC Title VI: Property and Supply Management in the Local Government UnitsLGC Title VI: Property and Supply Management in the Local Government Units
LGC Title VI: Property and Supply Management in the Local Government Units
 
Trust Drives Ecommerce Differentiations & Conversions
Trust Drives Ecommerce Differentiations & ConversionsTrust Drives Ecommerce Differentiations & Conversions
Trust Drives Ecommerce Differentiations & Conversions
 

Kürzlich hochgeladen

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Kürzlich hochgeladen (20)

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 

Jacob has a horse, says Travis

Hinweis der Redaktion

  1. I’m going to talk about something important today. But in order to get there, we need to take a step back and look at what the security model looks like today. Part 1. The API Security Maturity Model So bear with me, when we first dive into some examples, to build up the model that we can dive into later in part 2
  2. I can present myself in many ways. If I use this photo as a basis, we could add some basic info that makes sense.
  3. One example is when I buy clothes. The store doesn’t really care if I’m actually 38 years old, or if my shirt size is 48. They don’t call the police to check that I’m really who I say I am. As long as I pay… Context? – where to ship to? So, I guess there’s no issue here… We’re getting ahead of ourselves a bit!
  4. Lets leave that example for a bit now and lets take a historic look at where we stand I’ve defined a model for how we can categorize the maturity of API Security The basic level is where you protect your API using only APIKeys and Basic Authentication. Essentially this means that you are protecting the API itself from being called from unauthorized clients, but you are not protecting the API from incorrect usage or malicious usage
  5. Token based Authorization = Scopes
  6. The API is protected with system credentials Network security policies Not reachable from the outside
  7. Token based Authorization = Scopes
  8. Lets side track slightly. Some of you who have worked with OAuth before probably know this.
  9. Lets side track slightly. Some of you who have worked with OAuth before probably know this.
  10. They used certificate pinning to lock down the caller of the API. However you can decompile the app to retrieve the certificate Then endpoint then was used to retrieve the payment history The call was authenticated, but not authorized properly It was possible to replace the phonenumber and retrieve the payment history of anyone with an account at swish
  11. To add complexity to the problem, we should remember that we pass a lot of information around. It’s rarely one system involved when building complex services. Give a few examples. Simple to more complex
  12. To add complexity to the problem, we should remember that we pass a lot of information around. It’s rarely one system involved when building complex services. Give a few examples. Simple to more complex
  13. Spaghetti of trust In swish, the API trusted the App to provide the correct phone number.
  14. Token based Authorization = Scopes
  15. We don’t trust the gateway (particularly) Give examples of where we trust the wrong part? Aftonbladet. Bank example of altered account number. Who can modify the input?
  16. What is trust? We use it all the time. HTTPS.
  17. Subjective = we can define what we trust in our own systems
  18. The issuer The enforcing party The relying party The information sources Trust is subjective, we must create our own limitations and boundaries to make trust mean something https://en.wikipedia.org/wiki/Computational_trust
  19. I can present myself in many ways. If I use this photo as a basis, we could add some basic info that makes sense.
  20. How do you know this is my son?
  21. Two authorities can assert my attributes: The police who issue passports, which includes my name, length and age The tax authority who knows where I live, and that my son is my son. But I don’t always need to prove who I am to the depth of these authorities.
  22. 1 . This would make it pretty pointless to pass data at all since verifying it all the time is cumbersome Usually there are more than one source of data, so more knowledge about where data came from is needed. 2. Trust a common party with the most important data. Two common methods: Ask someone we trust to give it when we need it. How do they know we entitled to get the data? * Sign it.
  23. The issuer The enforcing party The relying party The information sources Trust is subjective, we must create our own limitations and boundaries to make trust mean something https://en.wikipedia.org/wiki/Computational_trust
  24. The issuer The enforcing party The relying party The information sources Trust is subjective, we must create our own limitations and boundaries to make trust mean something https://en.wikipedia.org/wiki/Computational_trust
  25. It’s not the cars that make it safe to drive. It’s the rules
  26. Information sources Limit who can obtain data from valuable sources Here’s the kicker : Only include the data that you know the client will need. A good OIDC/OAuth server will allow you to do this