Making Sense of API Access Control
OAuth, OpenID Connect and Token Mechanics

Francois Lascelles, Chief Architect
Making Sense of API Access Control

[Overview diagram: the concerns covered in this deck, grouped around OAuth, OpenID Connect and token/session management: authentication, handshake, token issuing, token verification, API consumption, authorization, federated identity, token revocation, token monitoring]
Anatomy of an OAuth handshake
 (one of many possible grant types illustrated)

[Diagram: subscriber (resource owner), application (client) and OAuth Authorization Server with its authorization endpoint and token endpoint]
 1. The subscriber gives consent at the authorization endpoint; the client is redirected back with an authorization code (+autz code)
 2. The client presents the code at the token endpoint and receives an access token (+access token)
 This access token is a shared secret
Why exchange a secret with an OAuth authorization server in the first place?

 A: In order to consume an API

[Diagram: an OAuth Provider made up of an OAuth Authorization Server and an OAuth Resource Server; the client consumes the REST API at the resource server's API endpoint with the access token from the handshake]
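The handshake on the two slides above, simulated end to end as an added example (this is not code from the slides or from the presenter): an in-process authorization server with an authorization endpoint that issues a single-use code and a token endpoint that trades it for an access token only after the client authenticates with its client secret. The client registration, secrets, redirect URI, subscriber name and the 60-second code lifetime are all constructed values.

```python
import hmac
import secrets
import time


class AuthorizationServer:
    """Authorization endpoint and token endpoint of the slide, with in-memory state."""

    # Constructed client registration: client_id -> (client_secret, registered redirect_uri)
    CLIENTS = {"app-123": ("s3cr3t-client-secret", "https://client.example.com/cb")}
    CODE_LIFETIME = 60   # seconds; assumed value, authorization codes are short-lived

    def __init__(self):
        self.codes = {}    # authorization code -> what it was issued for
        self.tokens = {}   # access token -> subscriber, client, scope, expiry

    def authorize(self, client_id, redirect_uri, subscriber, scope, now=None):
        """Step 1: the subscriber has consented at the authorization endpoint; the
        server issues a single-use code bound to the client and its redirect_uri."""
        now = time.time() if now is None else now
        _, registered_uri = self.CLIENTS[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "subscriber": subscriber, "scope": scope, "issued": now}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Step 2: the client trades the code for an access token at the token
        endpoint, authenticating with its client secret."""
        now = time.time() if now is None else now
        expected_secret, _ = self.CLIENTS.get(client_id, (None, None))
        if expected_secret is None or not hmac.compare_digest(client_secret, expected_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed once
        if grant is None:
            raise PermissionError("unknown or already used code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if now - grant["issued"] > self.CODE_LIFETIME:
            raise PermissionError("code expired")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"subscriber": grant["subscriber"], "client_id": client_id,
                                     "scope": grant["scope"], "exp": now + 3600}
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}


def run_handshake(now=1000.0):
    """Both steps in order; returns the server, the code and the token response
    so the outcome can be inspected."""
    server = AuthorizationServer()
    code = server.authorize("app-123", "https://client.example.com/cb",
                            subscriber="jane", scope="read:profile", now=now)
    response = server.token("app-123", "s3cr3t-client-secret", code,
                            "https://client.example.com/cb", now=now + 5)
    return server, code, response
```

The three rejections the token endpoint enforces (wrong client secret, replayed code, stale code) are what make the code safe to pass through the subscriber's browser: the code alone is useless to anyone who does not also hold the client secret, and it stops working the moment it has been redeemed.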
Alternative handshakes (grant types)

 Authorization code
   - (2 slides ago)

 Implicit
   - Like autz code, but simpler
   - No code, just an access token

 Resource owner password credentials
   - Client gets credentials from resource owner directly
   - No redirection

 Client credentials
   - Simple, two-way handshake

[Diagram: each handshake ends with the client holding an access token (+access token)]
Different handshakes, different situations

 Example: external/internal apps

[Diagram: one provider, same API, different scopes. One application reaches the API through the authorization code grant; an internal application not acting on behalf of a particular subscriber reaches it through the client credentials grant]
APIs and identity federation
Opaque / Interpreted tokens

 Opaque
   - Tiny
   - Easy
   - HTTPS based trust
   - Callback issuer to get more info
   Example: dBjfP[WHATEVER]OEjXk

 Interpreted
   - Medium to huge
   - For more 'capable' relying parties
   - Self contained trust
   - Less dependent on server session
   Example: a SAML assertion

   <saml2:Assertion ...>
     <saml2:Issuer>francomacbook.l7tech.com</saml2:Issuer>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <!--lots of fun stuff here -->
     </ds:Signature>
     <saml2:Subject>
       <!-- somewhere a subject name -->
     </saml2:Subject>
     <saml2:Conditions NotBefore="2007-12-11T12:23:00.000Z" NotOnOrAfter="2007-12-11T12:45:28.529Z"></saml2:Conditions>
     <saml2:AuthnStatement AuthnInstant="2007-12-11T12:25:28.527Z">
       <!-- blah blah -->
     </saml2:AuthnStatement>
     <saml2:AttributeStatement>
       <saml2:Attribute Name="isStruggling" NameFormat="something">
         <saml2:AttributeValue>yes</saml2:AttributeValue>
       </saml2:Attribute>
     </saml2:AttributeStatement>
   </saml2:Assertion>
JSON Web Tokens (JWT)

 JSON formatted token
 Compact, API friendly
 Claims – reserved, public, private
 JWS signed and/or JWE encrypted
 No subject confirmation

Header:
{"typ":"JWT", "alg":"HS256"}

Claims:
{
    "iss":"http://server.example.com",
    "user_id":"248289761001",
    "aud":"http://client.example.com",
    "exp":1311281970
}

b64urlencode each part and join them with dots (JWS compact form):
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
.
eyJpc3MiOiJodHRwOlwvXC9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJ1c2VyX2lkIjoiMjQ4Mjg5NzYxMDAxIiwiYXVkIjoiaHR0cDpcL1wvY2xpZW50LmV4YW1wbGUuY29tIiwiZXhwIjoxMzExMjgxOTcwfQ
.
eDesUD0vzD…EPNXVtaazNQ
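The JWS mechanics on this slide, worked through with only the Python standard library as an added example (not code from the slides or from the presenter): `peek_claims` shows that decoding the claims segment is plain base64url and proves nothing, `jws_sign` produces the HS256 compact form with the same header the slide prints, and `jws_verify` accepts a token only after the signature, the audience and `exp` check out. The HMAC key is constructed; the claims segment constant is the one printed on the slide; the audience and clock values passed in are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# The claims segment exactly as printed on the slide (second part of the compact form).
SLIDE_CLAIMS_SEGMENT = ("eyJpc3MiOiJodHRwOlwvXC9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJ1c2VyX2lkIjoiMjQ4Mjg5NzYxMDAxIiwi"
                        "YXVkIjoiaHR0cDpcL1wvY2xpZW50LmV4YW1wbGUuY29tIiwiZXhwIjoxMzExMjgxOTcwfQ")


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def peek_claims(token_or_segment: str) -> dict:
    """Decoding is just base64: anyone holding the token can read the claims.
    Nothing here is verified."""
    segment = token_or_segment.split(".")[1] if "." in token_or_segment else token_or_segment
    return json.loads(b64url_decode(segment))


def jws_sign(claims: dict, key: bytes) -> str:
    """HS256 JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jws_verify(token: str, key: bytes, audience: str, now=None) -> dict:
    """Return the claims only if signature, audience and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":     # the verifier fixes the algorithm; the token never picks it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims
```

The order of checks matters: the signature is verified over the raw encoded segments before the claims are parsed, so a forged claims segment is rejected without ever being trusted, and the algorithm is pinned by the verifier rather than read from the header.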
Old-school identity federation – SAML Web browser SSO

 Great for sophisticated relying parties
   - Parse rich, verbose content
   - Cert based trust
   - Interpret SAML, SAML-P, XML dSig, …

 Common interop challenges
   - Subject confirmations
   - Key reference, signature reference

[Diagram: the user has no shared secret with the SP but still wants to create a session with it; the user is redirected to the SAML IdP, which asserts that it authenticated the user; the SP trusts what the IdP says]
Federation – Web Social Login Style

 User picks an identity broker ("NASCAR" login)
 OAuth 2.0 handshake
   - User authorizes SP to discover basic information about the user
   - Get an access token
   - Opaque, no complex interpretation needed
 SP discovers information about user
   - Using token issued to consume an API providing this information

[Diagram: a web/cloud/mobile application using OAuth 2.0 + Facebook Connect. Example: Facebook Connect]
OpenID Connect: the love child of SAML and OAuth 2.0?

[Diagram: what does OpenID Connect inherit from its mother? From its father?]

 SAML: XML, dsig; verbose; issues claims, statements; subject confirmations; SAMLp
 OAuth 2.0: RESTful; handshakes; endpoints; bearer, opaque tokens; JSON

 OpenID Connect
   - Has endpoints
   - Is API-friendly (REST)
   - JSON
   - Issues token with claims (JWT)
   - Lots of specs
OpenID Connect Basic Client Profile

 OAuth handshake
   - Scope= openid [profile, email, address, phone]
 Two tokens
   - Access token
   - JWT id token, can be treated as opaque or not
 UserInfo Endpoint
   - Input: ID token
   - Output: get back JSON-formatted identity
 CheckID Endpoint
   - Input: Access token, request additional attributes
   - Output: id attributes
OpenID Connect Flows 1/2

 OAuth 2.0 handshake, scope: openid

[Diagram: OpenID Connect Provider made up of an OAuth Authorization Server, a CheckID Endpoint and a UserInfo Endpoint]

The authorization server redirects back with both tokens:

     HTTP/1.1 302 Found
     Location: https://client.example.com/cb#
     access_token=SlAV32hkKG&token_type=bearer
     &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu
     …ZXso&expires_in=3600&state=af0ifjsldkj

The id_token is sent to the CheckID Endpoint:

     id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0

which returns its claims:

     {
      "iss": "https://server.example.com",
      "user_id": "248289761001",
      "aud": "s6BhdRkqt3",
      "nonce": "n-0S6_WzA2Mj",
      "exp": 1311281970,
      "iat": 1311280970,
      "at_hash": "ndrWKF5oXv8QulucTs1Bvg"
     }

 Avoid decoding JWT, checking signature by relying party
OpenID Connect Flows 2/2

 Discover additional information about end-user

[Diagram: the access_token is sent to the UserInfo Endpoint of the OpenID Connect Provider]

Request
GET /userinfo?schema=openid HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG

Response
{
    "user_id": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "janedoe@example.com",
    "picture": "http://example.com/janedoe/me.jpg"
}
When should you use OAuth only, with OpenID Connect?

 OAuth is used when an application needs to consume an API (sometimes on behalf of a user)
 OpenID Connect is used when an application wants to federate the authentication of, and discover information about, a user
   - Through API calls

[Diagram, two cases with providers SP1 and SP2: a user who subscribes to both providers and wants them to act on its behalf; a user who subscribes to one provider and wants to use another]
Token Mechanics
Componentized OAuth provider

[Diagram: the OAuth Authorization Server issues token abc123; the OAuth Resource Server receives abc123 with an API call and has to answer: Which subscriber? What is the scope? Which app? Still valid? Etc.]
Token lifecycle

 Token Management
   - Facilitate token lifecycle (create, check, expire, revoke)
   - Store information associated to tokens
   - Preferably, an API

[Diagram: the OAuth Authorization Server calls Token Management to create new tokens and to refresh them; the OAuth Resource Server calls it to validate and query tokens]
Reusing tokens across APIs

[Diagram: Token Management serves the OAuth Authorization Server (create new, refresh) and the OAuth Resource Server in front of API A (validate, query); a second OAuth Resource Server in front of API B asks whether it may validate the same token. When is it ok to do this?]
Managing and revoking tokens

 Challenge: enable the right parties to monitor and affect the right tokens
   - Multiple applications X multiple subscribers X multiple APIs

[Diagram: API-based token management at the API provider, driven by a dev portal (revoke), a subscriber portal (Revoke!) and BI looking for unusual usage patterns; the triggers shown are a compromise, an exploit and a FAIL!]
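The token management component that the last four slides describe (componentized provider, token lifecycle, reuse across APIs, managing and revoking), as one added example in Python (not code from the slides or from the presenter). The authorization server calls `create` and `refresh`; each resource server calls `validate` with the scope its API requires, which is what decides whether a token issued for API A may be reused at API B; the dev portal, subscriber portal and monitoring call `revoke` and `revoke_where`; `tokens_exceeding_rate` is a stand-in for the BI box that looks for unusual usage patterns. Token values, subscriber and application names, scopes, lifetimes and the usage records in the test are all constructed.

```python
import secrets
import time
from collections import defaultdict


class TokenManagement:
    """In-memory token store with the lifecycle operations the slides list
    (create, check, expire, revoke) and the data stored with each token
    (subscriber, application, scopes, expiry)."""

    def __init__(self, lifetime=3600):
        self.lifetime = lifetime      # access token lifetime in seconds (assumed)
        self._tokens = {}             # access token -> record
        self._refresh = {}            # refresh token -> access token it renews

    # ---- called by the OAuth Authorization Server ----
    def create(self, subscriber, client_id, scopes, now=None):
        now = time.time() if now is None else now
        token, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._tokens[token] = {"subscriber": subscriber, "client_id": client_id,
                               "scopes": frozenset(scopes), "exp": now + self.lifetime,
                               "revoked": False}
        self._refresh[refresh] = token
        return token, refresh

    def refresh(self, refresh_token, now=None):
        """Renew a grant. The refresh token is single-use, and a revoked grant
        stays revoked: renewal is where revocation bites for long-lived grants."""
        old = self._refresh.pop(refresh_token, None)
        if old is None:
            return None
        rec = self._tokens.pop(old)
        if rec["revoked"]:
            return None
        return self.create(rec["subscriber"], rec["client_id"], rec["scopes"], now)

    # ---- called by OAuth Resource Servers (API A, API B, ...) ----
    def validate(self, token, required_scope, now=None):
        """Answer the resource server's questions (which subscriber? which app?
        what scope? still valid?). Returns the token's data, or None when the
        request must be rejected. A token issued for API A is accepted at API B
        only when its scope covers what API B requires: that is when reuse is ok."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["exp"]:
            return None
        if required_scope not in rec["scopes"]:
            return None
        return {"subscriber": rec["subscriber"], "client_id": rec["client_id"],
                "scopes": set(rec["scopes"])}

    # ---- called by the dev portal, the subscriber portal and monitoring ----
    def revoke(self, token):
        rec = self._tokens.get(token)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def revoke_where(self, subscriber=None, client_id=None):
        """Bulk revocation across the applications x subscribers x APIs matrix:
        every token of one subscriber (subscriber portal), of one application
        (dev portal, after a compromise), or of the pair. Returns the count."""
        count = 0
        for rec in self._tokens.values():
            if subscriber is not None and rec["subscriber"] != subscriber:
                continue
            if client_id is not None and rec["client_id"] != client_id:
                continue
            if not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


def tokens_exceeding_rate(usage, max_calls, window_seconds):
    """Monitoring hook for the 'unusual usage patterns' box: given (timestamp,
    token) call records, return the tokens used more than max_calls times
    inside any window of window_seconds (sliding window over sorted times).
    The caller feeds the result to revoke()."""
    by_token = defaultdict(list)
    for ts, token in usage:
        by_token[token].append(ts)
    flagged = set()
    for token, times in by_token.items():
        times.sort()
        for i in range(len(times) - max_calls):
            if times[i + max_calls] - times[i] <= window_seconds:
                flagged.add(token)
                break
    return flagged
```

Because every resource server validates through the same store, a revocation issued from either portal takes effect on the next API call at every API, which is the property the "right parties, right tokens" challenge asks for; with self-contained tokens the same effect would have to wait for the token to expire or for a separate revocation list.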
Leverage existing SSO

 API Management
   - Get SSO cookie, integrate with policy server (web agent)
   - Associate SSO cookie with access token

[Diagram: during the handshake the user presents an SSO token and wants to maintain the SSO experience; API Management checks the SSO session with the SSO Policy Server]
Leverage existing identity attributes

 Authorization based on
   - Group memberships
   - Contract, plan, arbitrary attributes
   - Lookup directory, lookup database, lookup API

 API Management (during the handshake, with the subscriber's credentials)
   - Lookup identity attributes
   - Check that requested scope should be allowed
   - Remember attributes for later use

 Example lookup: ((cn=subscriber)(permission=foo))
Authorization checks, when?

 1. During original handshake: days, hours, …
 2. At each refresh: minutes, seconds, …
 3. At runtime: real time

[Diagram: at runtime the OAuth Resource Server receives "GET /different_resource" with Access Token = abc123 and asks Token Management which subscriber token abc123 belongs to; the lookup can cover the scope, the identity and its attributes ((cn=subscriber)(newattribute=foo)), the SSO token, a SAML assertion, other associated tokens, …]
Thank you

 
RoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs AuthorizationRoadSec 2017 - Trilha AppSec - APIs Authorization
RoadSec 2017 - Trilha AppSec - APIs Authorization
 
OAuth2 para desarrolladores
OAuth2 para desarrolladoresOAuth2 para desarrolladores
OAuth2 para desarrolladores
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
Troubleshooting Federation, ADFS, and More
Troubleshooting Federation, ADFS, and More Troubleshooting Federation, ADFS, and More
Troubleshooting Federation, ADFS, and More
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
API Management and Mobile App Enablement
API Management and Mobile App EnablementAPI Management and Mobile App Enablement
API Management and Mobile App Enablement
 
2012-03 MultiFactor Not Just For Auditors
2012-03 MultiFactor Not Just For Auditors2012-03 MultiFactor Not Just For Auditors
2012-03 MultiFactor Not Just For Auditors
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
 

More from CA API Management

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 

More from CA API Management (20)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014   Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 

Recently uploaded

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Recently uploaded (20)

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

Making Sense of API Access Control

  • 1. Making Sense of API Access Control: OAuth, OpenID Connect and Token Mechanics. Francois Lascelles, Chief Architect
  • 2. Making Sense of API Access Control. Topics (grouped on the slide under OAuth and OpenID Connect): Authentication; Handshake; Token issuing; Token verification; API consumption; Authorization; Token revocation; Token/session management; Token monitoring; Federated identity.
  • 3. Anatomy of an OAuth handshake (one of many possible grant types illustrated). Parties: Subscriber (resource owner), Application (client), OAuth Authorization Server (Authorization endpoint, Token endpoint).
    - Step 1: the subscriber gives consent at the Authorization endpoint; the client receives an authorization code (+autz code).
    - Step 2: the client presents the code at the Token endpoint and receives an access token (+access token).
    - This (the access token) is a shared secret.
  • 4. Why exchange a secret with an OAuth authorization server in the first place? A: In order to consume an API. The OAuth Provider consists of an OAuth Authorization Server and an OAuth Resource Server (API endpoint); the client consumes the REST API with the access token from the handshake.
  • 5. Alternative handshakes (grant types)
    - Authorization code (2 slides ago)
    - Implicit (+access token)
      - Like autz code, but simpler
      - No code, just an access token
    - Resource owner password credentials (+access token)
      - Client gets credentials from resource owner directly
      - No redirection
    - Client credentials (+access token)
      - Simple, two-way handshake
  • 6. Different handshakes, different situations. Example: external/internal apps. The provider exposes the same API with different scopes: the external application uses the authorization code grant (autz code), while an internal application not acting on behalf of a particular subscriber uses client credentials (client creds).
  • 7. APIs and identity federation
  • 8. Opaque / Interpreted tokens
    - Opaque: tiny; easy; HTTPS based trust; callback issuer to get more info
    - Interpreted: medium to huge; for more "capable" relying parties; self contained trust; less dependent on server session
    Example of an interpreted token (SAML assertion):
    <saml2:Assertion ...>
      <saml2:Issuer>francomacbook.l7tech.com</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <!-- lots of fun stuff here -->
      </ds:Signature>
      <saml2:Subject>
        dBjfP[WHATEVER]OEjXk <!-- somewhere a subject name -->
      </saml2:Subject>
      <saml2:Conditions NotBefore="2007-12-11T12:23:00.000Z" NotOnOrAfter="2007-12-11T12:45:28.529Z"></saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2007-12-11T12:25:28.527Z">
        <!-- blah blah -->
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
        <saml2:Attribute Name="isStruggling" NameFormat="something">
          <saml2:AttributeValue>yes</saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>
    </saml2:Assertion>
  • 9. JSON Web Tokens (JWT)
    - JSON formatted token
    - Compact, API friendly
    - Claims: reserved, public, private
    - JWS signed and/or JWE encrypted
    - No subject confirmation
    Example (header . payload . signature, each part b64urlencoded, forming the JWS):
    Header: {"typ":"JWT","alg":"HS256"}
      -> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
    Payload: {"iss":"http://server.example.com","user_id":"248289761001","aud":"http://client.example.com","exp":1311281970}
      -> eyJpc3MiOiJodHRwOlwvXC9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJ1c2VyX2lkIjoiMjQ4Mjg5NzYxMDAxIiwiYXVkIjoiaHR0cDpcL1wvY2xpZW50LmV4YW1wbGUuY29tIiwiZXhwIjoxMzExMjgxOTcwfQ
    Signature: eDesUD0vzD…EPNXVtaazNQ
  • 10. Old-school identity federation: SAML Web browser SSO
    - Great for sophisticated relying parties
      - Parse rich, verbose content
      - Cert based trust
      - Interpret SAML, SAML-P, XML dSig, …
    - Common interop challenges
      - Subject confirmations
      - Key Reference, Sig Reference
    Diagram (User, SP, IdP, SAML IdP redirect): SP: "I trust what IdP says". IdP: "I assert to have authenticated User". User: "I don't have a shared secret with SP but I still want to create a session with it."
  • 11. Federation, Web Social Login Style
    - User picks an identity broker ("NASCAR" login)
    - OAuth 2.0 handshake
      - User authorizes the SP (Web/Cloud/Mobile) to discover basic information about the user
      - Get an access token
      - Opaque, no complex interpretation needed
    - SP discovers information about user
      - Using token issued to consume an API providing this information
    Example: Facebook connect (OAuth 2.0 + Fbook connect)
  • 12. OpenID Connect: the love child of SAML and OAuth 2.0? What does it inherit from its mother? From its father?
    - From SAML: XML, dsig; verbose; issues claims, statements; subject confirmations; SAMLp
    - From OAuth 2.0: RESTful handshakes; endpoints; bearer, opaque tokens; JSON
    - OpenID Connect:
      - Has endpoints
      - Is API-friendly (REST)
      - JSON
      - Issues token with claims (JWT)
      - Lots of specs
  • 13. OpenID Connect Basic Client Profile
    - OAuth handshake
      - Scope = openid [profile, email, address, phone]
    - Two tokens
      - Access token
      - JWT id token, can be treated as opaque or not
    - CheckID Endpoint
      - Input: ID token
      - Output: get back JSON-formatted identity
    - UserInfo Endpoint
      - Input: Access token, request additional attributes
      - Output: id attributes
  • 14. OpenID Connect Flows 1/2. OAuth 2.0 handshake with the OpenID Connect Provider (OAuth Authorization Server), scope: openid. The response redirects back to the client with both tokens:
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb#access_token=SlAV32hkKG&token_type=bearer&id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu …ZXso&expires_in=3600&state=af0ifjsldkj
    The id_token (id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0) is sent to the CheckID Endpoint, which returns its claims:
    {
      "iss": "https://server.example.com",
      "user_id": "248289761001",
      "aud": "s6BhdRkqt3",
      "nonce": "n-0S6_WzA2Mj",
      "exp": 1311281970,
      "iat": 1311280970,
      "at_hash": "ndrWKF5oXv8QulucTs1Bvg"
    }
    - Avoid decoding JWT, checking signature by relying party
    (The provider's UserInfo Endpoint is also shown.)
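Slides 9 and 14 together describe the JWT layout and the id_token claims a relying party receives; as an added example (not code from the deck), the following Python builds an HS256-signed id_token with the slide-14 claims and performs the checks a relying party must do before trusting it (signature, iss, aud, nonce, exp, at_hash). The shared secret and the clock value are constructed for the example, and the at_hash rule (left-most 128 bits of SHA-256 over the access token) comes from the OpenID Connect specification rather than from the slides.

```python
# Added example (not from the slides): minimal JWS/HS256 token creation and the
# checks a relying party performs on the id_token of slide 14 before trusting it.
# The shared secret and the clock value are constructed; the header/payload
# layout follows slide 9 and the claims follow slide 14.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used for every JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """JWS compact serialization: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def at_hash(access_token: str) -> str:
    """OpenID Connect at_hash for a SHA-256 based alg: left-most 128 bits of
    SHA-256(access_token), base64url-encoded. Ties the id_token to the access token."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def rejection_reason(token: str, secret: bytes, *, issuer: str, client_id: str,
                     nonce: str, access_token: str, now: int) -> str:
    """Return '' if the id_token is acceptable, otherwise why it was rejected.
    The signature is checked before any claim is trusted, and the alg is pinned
    by the verifier rather than taken from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if (not isinstance(header, dict) or header.get("alg") != "HS256"
                or not hmac.compare_digest(expected, b64url_decode(s))):
            return "bad signature"
        claims = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return "malformed token"
    if not isinstance(claims, dict):
        return "malformed token"
    if claims.get("iss") != issuer:
        return "wrong issuer"
    if claims.get("aud") != client_id:          # token was issued to some other client
        return "wrong audience"
    if claims.get("nonce") != nonce:            # nonce chosen by this client for this login
        return "nonce mismatch"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return "expired"
    if claims.get("at_hash") != at_hash(access_token):
        return "access token does not match id_token"
    return ""


def slide_id_token(secret: bytes) -> str:
    """Re-create the slide-14 id_token claims (at_hash computed over the slide's
    access token SlAV32hkKG) and sign them with the constructed secret."""
    claims = {
        "iss": "https://server.example.com",
        "user_id": "248289761001",
        "aud": "s6BhdRkqt3",
        "nonce": "n-0S6_WzA2Mj",
        "exp": 1311281970,
        "iat": 1311280970,
        "at_hash": at_hash("SlAV32hkKG"),
    }
    return encode_hs256(claims, secret)
```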
  • 15. OpenID Connect Flows 2/2. Discover additional information about the end-user: the access_token is presented to the OpenID Connect Provider's UserInfo Endpoint.
    Request:
    GET /userinfo?schema=openid HTTP/1.1
    Host: server.example.com
    Authorization: Bearer SlAV32hkKG
    Response:
    {
      "user_id": "248289761001",
      "name": "Jane Doe",
      "given_name": "Jane",
      "family_name": "Doe",
      "email": "janedoe@example.com",
      "picture": "http://example.com/janedoe/me.jpg"
    }
    (The OAuth Authorization Server and CheckID Endpoint are also shown.)
  • 16. When should you use OAuth only, and when with OpenID Connect?
    - OAuth is used when an application needs to consume an API (sometimes on behalf of a user). Diagram: subscribes to both providers (SP1, SP2), wants them to act on its behalf.
    - OpenID Connect is used when an application wants to federate the authentication of, and discover information about, a user
      - Through API calls
      Diagram: subscribes to one provider (SP1), wants to use another (SP2).
  • 18. Componentized OAuth provider. The OAuth Authorization Server issues the token (abc123); the OAuth Resource Server receives abc123 and must answer: Which subscriber? What is the scope? Which app? Still valid? Etc.
  • 19. Token lifecycle
    - Token Management
      - Facilitate token lifecycle (create, check, expire, revoke)
      - Store information associated to tokens
      - Preferably, an API
    Diagram: OAuth Authorization Server -> Token Management: create new, refresh. OAuth Resource Server -> Token Management: validate, query.
  • 20. Reusing tokens across APIs. Diagram: the OAuth Authorization Server creates new / refreshes tokens through Token Management; the OAuth Resource Server for API A validates and queries them. A second OAuth Resource Server, for API B, is shown with question marks: when is it ok to do this?
  • 21. Managing and revoking tokens
    - Challenge: enable the right parties to monitor and affect the right tokens
      - Multiple applications X multiple subscribers X multiple APIs
    Diagram: API-based Token Management in the centre, with the parties that revoke tokens around it: Dev portal, Subscriber portal, API Provider, and BI (look for unusual usage patterns). Triggers shown: FAIL!, exploit, compromise.
  • 22. Leverage existing SSO
    - API Management
      - Get SSO cookie, integrate with policy server (web agent)
      - Associate SSO cookie with access token
    Diagram: during the handshake the SSO token is presented ("Maintain my SSO experience!"); API Management checks the SSO session with the SSO Policy Server.
  • 23. Leverage existing identity attributes
    - Authorization based on
      - Group memberships
      - Contract, plan, arbitrary attributes
      - Lookup directory, lookup database, lookup API
    - API Management
      - Lookup identity attributes
      - Check that requested scope should be allowed
      - Remember attributes for later use
    Diagram: during the handshake the subscriber presents "My credentials"; API Management looks up the directory with a filter such as ((cn=subcriber)(permission=foo)).
  • 24. Authorization checks, when?
    1. During original handshake (days, hours, …)
    2. At each refresh (minutes, seconds, …)
    3. At runtime (real time)
    Diagram: the OAuth Resource Server receives GET /different_resource with Access Token = abc123 and asks Token Management "Subscriber for token abc123?", then:
    - Lookup scope
    - Lookup identity, attributes ((cn=subcriber)(newattribute=foo))
    - Lookup sso token
    - Lookup saml assertion
    - Lookup other associated token
    - …
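Slides 18 to 24 describe the token management component and the questions each resource server asks it; as an added example (not the deck's code), here is an in-memory version in Python with create, validate, refresh-with-recheck and bulk revocation, plus the runtime check an API's resource server performs, and the scope rule it uses as one answer to slide 20's reuse question. Subscriber, app and scope names, the plan attribute, the token value abc123 and the refresh simplification (no separate refresh token) are assumptions of this example.

```python
# Added example (not the slides' own code): an in-memory version of the token
# management component of slides 18-24, queried by the OAuth Resource Servers of
# two APIs through one validate/query call. Subscriber, app, scope names, the
# token value abc123 and the plan attribute are constructed sample data.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple
import secrets


@dataclass
class TokenRecord:
    """What token management stores alongside a token (slide 19)."""
    subscriber: str
    client_id: str
    scopes: FrozenSet[str]
    expires_at: int
    revoked: bool = False
    attributes: Dict[str, str] = field(default_factory=dict)  # remembered at handshake (slide 23)


class TokenManagement:
    """Create / check / expire / revoke, exposed to authorization and resource servers alike."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def create(self, subscriber: str, client_id: str, scopes: Iterable[str], ttl: int,
               now: int, attributes: Optional[Dict[str, str]] = None,
               value: Optional[str] = None) -> str:
        token = value or secrets.token_urlsafe(24)   # opaque: meaningless outside this store
        self._tokens[token] = TokenRecord(subscriber, client_id, frozenset(scopes),
                                          now + ttl, attributes=dict(attributes or {}))
        return token

    def validate(self, token: str, now: int) -> Optional[TokenRecord]:
        """Answer the resource server's question from slide 18: still valid? which subscriber,
        app and scope? None means unknown, expired or revoked."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec

    def refresh(self, token: str, now: int, ttl: int,
                still_authorized: Callable[[TokenRecord], bool]) -> Optional[str]:
        """Simplified refresh (no separate refresh token modelled): the authorization
        check is re-run at each refresh (slide 24, case 2) before a new token is issued."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return None
        rec.revoked = True                          # the old token is retired either way
        if not still_authorized(rec):
            return None
        return self.create(rec.subscriber, rec.client_id, rec.scopes, ttl, now, rec.attributes)

    def revoke_where(self, subscriber: Optional[str] = None,
                     client_id: Optional[str] = None) -> int:
        """Bulk revocation as a subscriber portal, dev portal or provider would trigger it
        (slide 21). Returns how many live tokens were revoked."""
        hit = 0
        for rec in self._tokens.values():
            if ((subscriber is None or rec.subscriber == subscriber)
                    and (client_id is None or rec.client_id == client_id)
                    and not rec.revoked):
                rec.revoked = True
                hit += 1
        return hit


def resource_server_check(tm: TokenManagement, api_scope: str,
                          authorization: str, now: int) -> Tuple[int, str]:
    """Runtime check (slide 24, case 3) done by the OAuth Resource Server of one API.
    Returns (HTTP status, detail): 401 for an unusable token, 403 for a token that is
    valid but was never granted this API's scope (the reuse case of slide 20)."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    rec = tm.validate(token, now)
    if rec is None:
        return 401, "invalid, expired or revoked token"
    if api_scope not in rec.scopes:
        return 403, f"scope {api_scope} not granted to this token"
    return 200, f"subscriber={rec.subscriber} app={rec.client_id}"
```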