Date posted: 08-May-2015
Uploaded by: twobo-technologies
Building a Secure API
Overview of techniques and technologies needed to launch a secure API
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda
The security challenge in context
Neo-security stack
OAuth Basics
Overview of other layers
Crucial Security Concerns
Enterprise Security
API Security
Mobile Security
Identity is Central
[Venn diagram by Gunnar Peterson: Enterprise Security, API Security and Mobile Security overlap, with Identity at the centre; the other labelled regions are MDM, MAM and AuthZ]
Neo-security Stack
SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
OAuth 2 is the new meta-protocol defining how tokens are handled
These address old requirements, solve new problems, and compose in useful ways
Grandpa SAML & junior
WS- again? Yep
OpenID Connect
OAuth Actors
Client
Authorization Server (AS)
Resource Server (RS) (i.e., API)
Resource Owner (RO)
OAuth Web Server Flow
[Diagram: the Client gets a token from the AS, then uses the token at the RS]
What OAuth is and is not for
Not for authentication
Not really for authorization
For delegation
Authentication & Federation
How you authenticate to AS is undefined
Use SAML or OpenID Connect for SSO to AS
Relay OAuth token in SAML messages
Push Tokens & Pull Data
[Diagram: Browser, IdP & API Provider, SaaS App; the access token travels in the federation message, after which the SaaS App sends Get Data and receives Data]
Overview of OpenID Connect
Builds on OAuth for profile sharing
Uses the flows optimized for user-consent scenarios
Adds identity-based inputs/outputs to core OAuth messages
Tokens are JWTs
Overview of SCIM
Defines RESTful API to manage users & groups
Specifies core user & group schemas
Supports bulk updates for ingest
Binding for SAML and eventually OpenID Connect
Overview of JSON Identity Suite
Suite of JSON-based identity protocols
Tokens (JWT)
Encryption (JWE)
Keys (JWK)
Signatures (JWS)
Algorithms (JWA)
Bearer Token spec explains how to use w/ OAuth
Being defined in IETF
Overview of JWT
Pronounced like the English word “jot”
Lightweight tokens passed in HTTP headers & query strings
Akin to SAML tokens
Less expressive
Fewer security options
More compact
Encoded w/ JSON not XML
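The RS has to validate the bearer JWT on every API call. The example below is added here and is not code from the deck: it mints an HS256-signed compact JWS the way an AS would, then validates it the way an RS should, checking the algorithm, the JWS signature, exp and aud. The shared HMAC key and the audience URL are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example (an assumption, not from the deck): the key the
# AS signs with and the RS verifies with, plus the identifier of this RS.
SHARED_KEY = b"example-shared-secret-not-for-production"
EXPECTED_AUDIENCE = "https://api.example.com"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256, as an AS would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def validate_bearer_jwt(token: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Validate a bearer JWT as the RS should: alg, signature, exp, aud.
    Returns the claims, or raises ValueError for any token that must be rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWS") from None
    header = json.loads(_b64url_decode(header_b64))
    # Accept only the alg this RS is configured for, never the one the token names.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this API")
    return claims
```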
SCIM + OAuth
Use OAuth to secure SCIM API calls
Use SCIM to create accounts needed to access APIs secured using OAuth
SCIM + SAML/OIC
Carry SCIM attributes in SAML assertions (bindings for SCIM)
Enables JIT provisioning
Supplements SCIM API & schema
Accounts provisioned through the SCIM API are updated before/after logon
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
travisspencer.com