SlideShare a Scribd company logo

Enterprise Access Control Patterns for Rest and Web APIs

Download as PPTX, PDF
CA API Management
CA API Management

RSA Conference presentation by Francois Lascelles of Layer 7 Technologies discussing REST access control patterns and OAuth 2.0

TechnologyBusiness
1 of 22
Enterprise Access Control Patterns For REST and Web APIs Francois Lascelles Layer 7 Technologies Session ID: STAR-402 Session Classification: intermediate
Today’s enterprise API drivers SAAS distributed enterprise SOA Integration partner APIs! IAAS/PAAS Cloud APIs! enterprise boundary B2B APIs! Access control? B2C APIs! • Sensitive data, apps • Mission critical • ID authority • Legacy developer mobile
REST access control standards gap  WS-* web services have rich security standards and authentication/authorization mechanisms  Web API, RESTful web services tend to use proprietary tokens, point-to-point solutions  What are the common patterns in use?  Which standards are emerging?  How to use specialized infrastructure to implement access control?  How to accommodate requesting party technical capabilities?
Pattern 1: API Keys in URI parameters https://host/api/resource?keyid=foo&keysecret=bar …  Simplest thing, common practice  Shared secret in a URL parameter based authentication, no signature involved  Equivalent to https://host/api/resource?username=franco&pass word=mysecret  Why not use HTTP Basic instead?
Pattern 2: HMAC PUT /api/resource … Authorization: AWS keyid:fr0t5AzM6qT3S40pBPmfrTLJwMuZurA8= …  Prove possession of share secret using HMAC sig (shared secret not actually sent)  Payload covered by signature -> message integrity  Timestamp covered by signature -> less susceptible to replay  Used by AWS, Azure, core to OAuth 1.0  Requires agreement for normalized request string 5
Pattern 3: OAuth  Specifies a handshake to grant an access token to an application (REST client)  Access token is then used to consume REST service Retrieve resource with OAuth access token (REST exchange) Application Service Do something Yes, I authorize it with my resource Resource owner
OAuth 2.0  4 core grant types (handshakes) to address different use cases  Authorization code, implicit, password, client credentials  SAML extension grant type (draft-ietf-oauth-saml2- bearer-03)  Different token types  Bearer (easy, like cookies)  MAC (integrity, more secure)  OAuth 2.0 is rich, fills the standards gap
Authorization code grant type  Resource owner redirected between OAuth authorization server and client application  Both resource owner and client authenticated as part of handshake  Supports refresh 2. Get access token 1. Get authz code 8
Implicit grant type  Also 3-legged but simpler  Client is not authenticated  redirection URI must be registered to avoid fishing  No refresh 1. Get access token 9
Resource owner password credentials grant type  Resource owner provides credentials to client  Client uses it to get access token  Both client and res owner identities authenticated  Can be refreshed 1. Provide credentials 2. Get access token 10
Client credentials grant type  Two-legged handshake  Client application authenticated only  No refresh tokens 1. Get access token 11
2 vs. 3 Legged Spectrum Two Three legged legged 12
Step-by-step enterprise API access control (from an OAuth perspective) 13
Starting Point enterprise/provider admin I need REST API more OAuth FAIL! OAuth Client (application)
OAuth Clients Provisioning, Management  Provide a portal for developers to register, generate shared secrets  Enable approval flow (administrative)  Store API keys, redirection URIs  List existing clients, record usage statistics app developer register approve OAuth Client Management provision API dev portal
Runtime Policy Modeling, Integration  Declare API endpoints in the resource server  Integrate identity providers for runtime authentication  Granular access control rules  Which API, which identities, which grant types, … Runtime Policy Modeling API endpoints configure Resource Server id providers, API keys PEP
OAuth Handshake  Enable handshake  Lookup policy, authenticate identities, enable flow  Create ‘OAuth Session’ Token Management persist Token Endpoint Authorization Endpoint get token OAuth Authorization Server authorize redirect
Runtime API Call  OAuth resource server enables API call  Lookup and verify incoming OAuth access token  Authorize based on OAuth session attributes  Route to API endpoint, return resource to client app  Record consumption statistics Token Management consume Resource Server
Token Refresh  OAuth authorization server enables refresh  Authenticate client  Lookup and validate refresh token  Create new access token  Update ‘OAuth session’ Token Management refresh Token Endpoint
Token Revocation  Minimize impact of compromised tokens  Enable revocation for subscribers and API providers  Management GUI, links Token Management Revocation interface revoke check Resource Server FAIL! compromise
Comprehensive API Access Control  Apply OAuth-enabling infrastructure:  Token management (lifecycle, revocation)  Developer portal (client provisioning, client management)  OAuth resource server (API proxy, PEP)  OAuth authorization server (authorization endpoint, token endpoint)  Runtime policy modeling  Reporting, monitoring interface
Thank you For more information: info@layer7.com 22

Recommended

Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...CA API Management
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityCA API Management
 
Using & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack SurfaceUsing & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack SurfaceCA API Management
 

Recommended

Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...CA API Management
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
The Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API SecurityStormpath
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityCA API Management
 
Using & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack SurfaceUsing & Abusing APIs: An Examination of the API Attack Surface
Using & Abusing APIs: An Examination of the API Attack SurfaceCA API Management
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?Dave Syer
 
D@W REST security
D@W REST securityD@W REST security
D@W REST securityGaurav Sharma
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateCraig Wu
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Api security
Api security Api security
Api security teodorcotruta
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful APIMuhammad Zbeedat
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access ControlCA API Management
 
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンスTakahiro Toku
 

More Related Content

What's hot

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?Dave Syer
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateCraig Wu
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API SecurityMuleSoft
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforcedeimos
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 

What's hot (20)

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
When and Why Would I use Oauth2?
When and Why Would I use Oauth2?When and Why Would I use Oauth2?
When and Why Would I use Oauth2?
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Workshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederateWorkshop: Advanced Federation Use-Cases with PingFederate
Workshop: Advanced Federation Use-Cases with PingFederate
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
 
Api security
Api security Api security
Api security
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 

Viewers also liked

Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access ControlCA API Management
 
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンスTakahiro Toku
 
Building a kick-ass community web site in less than a month
Building a kick-ass community web site in less than a monthBuilding a kick-ass community web site in less than a month
Building a kick-ass community web site in less than a monthUri Cohen
 
Authorization Enterprise Design Pattern
Authorization Enterprise Design PatternAuthorization Enterprise Design Pattern
Authorization Enterprise Design PatternNick Bogden
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access ControlChandra Sharma
 
SINY: Authorization & AJAX.
SINY: Authorization & AJAX.SINY: Authorization & AJAX.
SINY: Authorization & AJAX.Matthew Gerrior
 

Viewers also liked (8)

Making Sense of API Access Control
Making Sense of API Access ControlMaking Sense of API Access Control
Making Sense of API Access Control
 
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス
読書感想文 20140615 医療機器ソフトウェア_検証・妥当性確認・およびコンプライアンス
 
Building a kick-ass community web site in less than a month
Building a kick-ass community web site in less than a monthBuilding a kick-ass community web site in less than a month
Building a kick-ass community web site in less than a month
 
Authorization Enterprise Design Pattern
Authorization Enterprise Design PatternAuthorization Enterprise Design Pattern
Authorization Enterprise Design Pattern
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access Control
 
SINY: Authorization & AJAX.
SINY: Authorization & AJAX.SINY: Authorization & AJAX.
SINY: Authorization & AJAX.
 
Gohan
GohanGohan
Gohan
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 

Similar to Enterprise Access Control Patterns for Rest and Web APIs

API Management and Mobile App Enablement
API Management and Mobile App EnablementAPI Management and Mobile App Enablement
API Management and Mobile App EnablementCA API Management
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Ubisecure
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015Stuart
 
Melbourne API Management Seminar
Melbourne API Management SeminarMelbourne API Management Seminar
Melbourne API Management SeminarCA API Management
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010Fabrizio Volpe
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCloudIDSummit
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01Paul Madsen
 
2013 02-apache conna-api-manager-asanka
2013 02-apache conna-api-manager-asanka2013 02-apache conna-api-manager-asanka
2013 02-apache conna-api-manager-asankaWSO2
 
Layer 7: 2010 RSA Presentation on REST and Oauth Security
Layer 7: 2010 RSA Presentation on REST and Oauth SecurityLayer 7: 2010 RSA Presentation on REST and Oauth Security
Layer 7: 2010 RSA Presentation on REST and Oauth SecurityCA API Management
 

Similar to Enterprise Access Control Patterns for Rest and Web APIs (20)

API Management and Mobile App Enablement
API Management and Mobile App EnablementAPI Management and Mobile App Enablement
API Management and Mobile App Enablement
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
 
Melbourne API Management Seminar
Melbourne API Management SeminarMelbourne API Management Seminar
Melbourne API Management Seminar
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
 
4. tmg 2010 e uag 2010
4. tmg 2010 e uag 20104. tmg 2010 e uag 2010
4. tmg 2010 e uag 2010
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
CIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
 
Authentication Server
Authentication ServerAuthentication Server
Authentication Server
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
 
2013 02-apache conna-api-manager-asanka
2013 02-apache conna-api-manager-asanka2013 02-apache conna-api-manager-asanka
2013 02-apache conna-api-manager-asanka
 
Layer 7: 2010 RSA Presentation on REST and Oauth Security
Layer 7: 2010 RSA Presentation on REST and Oauth SecurityLayer 7: 2010 RSA Presentation on REST and Oauth Security
Layer 7: 2010 RSA Presentation on REST and Oauth Security
 

More from CA API Management

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 

More from CA API Management (20)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 

Recently uploaded

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 

Recently uploaded (20)

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 

Enterprise Access Control Patterns for Rest and Web APIs

  • 1. Enterprise Access Control Patterns For REST and Web APIs Francois Lascelles Layer 7 Technologies Session ID: STAR-402 Session Classification: intermediate
  • 2. Today’s enterprise API drivers SAAS distributed enterprise SOA Integration partner APIs! IAAS/PAAS Cloud APIs! enterprise boundary B2B APIs! Access control? B2C APIs! • Sensitive data, apps • Mission critical • ID authority • Legacy developer mobile
  • 3. REST access control standards gap  WS-* web services have rich security standards and authentication/authorization mechanisms  Web API, RESTful web services tend to use proprietary tokens, point-to-point solutions  What are the common patterns in use?  Which standards are emerging?  How to use specialized infrastructure to implement access control?  How to accommodate requesting party technical capabilities?
  • 4. Pattern 1: API Keys in URI parameters https://host/api/resource?keyid=foo&keysecret=bar …  Simplest thing, common practice  Shared secret in a URL parameter based authentication, no signature involved  Equivalent to https://host/api/resource?username=franco&pass word=mysecret  Why not use HTTP Basic instead?
  • 5. Pattern 2: HMAC PUT /api/resource … Authorization: AWS keyid:fr0t5AzM6qT3S40pBPmfrTLJwMuZurA8= …  Prove possession of share secret using HMAC sig (shared secret not actually sent)  Payload covered by signature -> message integrity  Timestamp covered by signature -> less susceptible to replay  Used by AWS, Azure, core to OAuth 1.0  Requires agreement for normalized request string 5
  • 6. Pattern 3: OAuth  Specifies a handshake to grant an access token to an application (REST client)  Access token is then used to consume REST service Retrieve resource with OAuth access token (REST exchange) Application Service Do something Yes, I authorize it with my resource Resource owner
  • 7. OAuth 2.0  4 core grant types (handshakes) to address different use cases  Authorization code, implicit, password, client credentials  SAML extension grant type (draft-ietf-oauth-saml2- bearer-03)  Different token types  Bearer (easy, like cookies)  MAC (integrity, more secure)  OAuth 2.0 is rich, fills the standards gap
  • 8. Authorization code grant type  Resource owner redirected between OAuth authorization server and client application  Both resource owner and client authenticated as part of handshake  Supports refresh 2. Get access token 1. Get authz code 8
  • 9. Implicit grant type  Also 3-legged but simpler  Client is not authenticated  redirection URI must be registered to avoid fishing  No refresh 1. Get access token 9
  • 10. Resource owner password credentials grant type  Resource owner provides credentials to client  Client uses it to get access token  Both client and res owner identities authenticated  Can be refreshed 1. Provide credentials 2. Get access token 10
  • 11. Client credentials grant type  Two-legged handshake  Client application authenticated only  No refresh tokens 1. Get access token 11
  • 12. 2 vs. 3 Legged Spectrum Two Three legged legged 12
  • 13. Step-by-step enterprise API access control (from an OAuth perspective) 13
  • 14. Starting Point enterprise/provider admin I need REST API more OAuth FAIL! OAuth Client (application)
  • 15. OAuth Clients Provisioning, Management  Provide a portal for developers to register, generate shared secrets  Enable approval flow (administrative)  Store API keys, redirection URIs  List existing clients, record usage statistics app developer register approve OAuth Client Management provision API dev portal
  • 16. Runtime Policy Modeling, Integration  Declare API endpoints in the resource server  Integrate identity providers for runtime authentication  Granular access control rules  Which API, which identities, which grant types, … Runtime Policy Modeling API endpoints configure Resource Server id providers, API keys PEP
  • 17. OAuth Handshake  Enable handshake  Lookup policy, authenticate identities, enable flow  Create ‘OAuth Session’ Token Management persist Token Endpoint Authorization Endpoint get token OAuth Authorization Server authorize redirect
  • 18. Runtime API Call  OAuth resource server enables API call  Lookup and verify incoming OAuth access token  Authorize based on OAuth session attributes  Route to API endpoint, return resource to client app  Record consumption statistics Token Management consume Resource Server
  • 19. Token Refresh  OAuth authorization server enables refresh  Authenticate client  Lookup and validate refresh token  Create new access token  Update ‘OAuth session’ Token Management refresh Token Endpoint
  • 20. Token Revocation  Minimize impact of compromised tokens  Enable revocation for subscribers and API providers  Management GUI, links Token Management Revocation interface revoke check Resource Server FAIL! compromise
  • 21. Comprehensive API Access Control  Apply OAuth-enabling infrastructure:  Token management (lifecycle, revocation)  Developer portal (client provisioning, client management)  OAuth resource server (API proxy, PEP)  OAuth authorization server (authorization endpoint, token endpoint)  Runtime policy modeling  Reporting, monitoring interface
  • 22. Thank you For more information: info@layer7.com 22

Editor's Notes

  1. Example problem: shared secrets that end up on traffic logs
  2. This relies on an agreed upon method for constructing string to sign (what is covered, in which order, etc).
  3. OAuth is resource oriented, perfect for restBenefit: password remains secret
  4. Grant types (flows)Authorization codeImplicitResource owner password credentialsClient credentialsSAMLFoo
  5. OAuth client is for example a webapp, an iOS app
  6. Showing authorization code grant type situationNote that theoauth client store is used to authorize the client (token endpoint)
  7. An application is compromised, a subscriber loses him mobile deviceLink?: when a subscriber issues authorization, he receives a confirmation email with a link to later revoke if needeManagement GUI: administration interface