An OAuth-protected API Platform for Private, Partner &
Public Use
By Travis Spencer, CEO!
@travisspencer / @2botech
Copyright 2014 Twobo Technologies AB @travisspencer / @2botech 2
Agenda
▪ Business benefits of APIs
▪ Associated security challenges
▪ Requirements to overcome these obstacles
▪ Platform security architecture
  ▪ Delivers business benefits
  ▪ Overcomes challenges
  ▪ Meets specifications
6 Benefits of APIs
Business Benefits of Private APIs (diagram):
▪ Modernize organization
▪ Start API strategy
▪ Manage supply chain
▪ Time-to-market
▪ Internal communication
▪ Business intelligence & analytics
▪ Post by Mark Boyd on Nordic APIs blog
▪ Same benefits afforded by partner & public APIs
▪ j.mp/1dpGCX6
Starting an API Strategy
▪ Not beginning with a clean slate
▪ Existing data & systems must be made available in new ways
▪ Reuse & extend existing infrastructure
▪ Bridge old & new technologies
Neo-security Requirements
▪ Identity & content must be converted
▪ Legacy systems must be concealed & abstracted
▪ Work with all modes of service delivery
▪ Secure all channels
Modernize Organization
▪ Core business capabilities are distilled into reusable modules
▪ Composed together like Legos
▪ Security will prevent or allow composability
Neo-security Requirements
▪ Based on open, international standards
▪ COTS products must be limited to specialized roles
▪ Apps & Web sites must not perform authentication & authorization
Manage Supply Chain
▪ Optimization of value across organizational boundaries
▪ Massive distribution
▪ Automation
▪ Lack of robust security is a showstopper
▪ Users demand seamless access across apps
▪ API client & end user must be identified
▪ Rights must be applied to users from other organizations
Neo-security Requirements
▪ Access control
▪ Account provisioning
▪ Web Single Sign-on (SSO) & federation
▪ Delegated access (à la OAuth)
OAuth
▪ OAuth 2 is the new protocol of protocols
▪ Used as the base of other specifications
  ▪ OpenID Connect, UMA, etc.
▪ Addresses some important requirements
  ▪ Delegated access
  ▪ No password sharing
  ▪ Revocation of access
OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
(Diagram: the RO delegates to the Client; the Client gets a token from the AS; the Client uses the token at the RS)
Scopes
▪ Like permissions
▪ Scopes specify the extent of a token's usefulness
▪ Listed on consent UI (if shown)
▪ No standardized scopes
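As an added example (not from the slides), here is what the API, the Resource Server of the actor list above, does when the client "uses a token": it checks the introspected token's audience, expiry and scopes before serving the request, and distinguishes a token that is unusable here from one that is valid but too narrow. The audience value, scope names and token contents are constructed for illustration.

```python
"""Resource Server (API) side of the OAuth actor list and scope slide above:
the client 'uses a token' at the API, and the API decides from the token's
audience, expiry and scopes how far that token's usefulness extends.
Constructed example; the token record, audience and scope names are made up."""
import time

# Constructed sample of what a token introspection response (RFC 7662) for a
# presented access token might look like once the AS has been asked about it.
SAMPLE_TOKEN = {
    "active": True,
    "client_id": "partner-mobile-app",    # which API client presented it
    "sub": "alice@example.test",          # which end user delegated access
    "aud": "https://api.example.test",    # which resource server it is for
    "scope": "orders:read profile",       # extent of the token's usefulness
    "exp": int(time.time()) + 600,
}

API_AUDIENCE = "https://api.example.test"   # this API's own identifier

# Scopes are not standardized, so each API defines its own vocabulary;
# these names are constructed for the example.
REQUIRED_SCOPE = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("GET", "/me"): "profile",
}


def check_access(token, method, path, now=None, audience=API_AUDIENCE):
    """Decide whether an introspected token may be used for this operation.
    Returns (HTTP status, detail): 401 when the token is unusable here at
    all, 403 when it is valid but too narrow, 200 with the identified client
    and user otherwise. Error headers use the RFC 6750 bearer-token format."""
    now = time.time() if now is None else now
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, {}
    invalid = {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    # 1. Active and unexpired? A revoked token comes back inactive, which is
    #    how the deck's "revocation of access" point reaches the API.
    if not token or not token.get("active") or token.get("exp", 0) <= now:
        return 401, invalid
    # 2. Issued for this API? A token minted for another RS is refused even
    #    when its scopes happen to match ours.
    aud = token.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        return 401, invalid
    # 3. Does the granted scope cover this operation?
    granted = set(token.get("scope", "").split())
    if needed not in granted:
        return 403, {"WWW-Authenticate":
                     f'Bearer error="insufficient_scope", scope="{needed}"'}
    # Both the API client and the end user are now identified (the supply
    # chain requirement above); the API can apply the user's rights from here.
    return 200, {"client_id": token["client_id"], "sub": token["sub"]}
```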
Usage of OAuth
Not for authentication
Not really for authorization
Not for federation
Usage of OAuth
For delegated access
Requirements Demand More
(Diagram: Identities, APIs, Entitlements)
▪ Today's use cases require more than just delegation
▪ OAuth is important but insufficient
OpenID Connect
▪ Next generation federation protocol
▪ Based on OAuth 2
▪ Made for mobile
▪ Not backward compatible
▪ Client & API receive tokens
▪ Endpoint provided for client to get user data
OpenID Connect + OAuth Example
(Sequence diagram between the Browser, the RP / Client and the OpenID Provider)
1. RP / Client requests login via the browser, providing the "openid" scope & user info scopes
2. OpenID Provider returns an access code
3. RP / Client redeems the access code
4. OpenID Provider returns an access token & ID token
5. RP / Client checks the audience restriction of the ID token
6. RP / Client gets user info using the access token
7. Access tokens (label on the diagram's final arrow)
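Added example, not part of the deck: the RP / Client side of the flow above, narrowed to building the login request (step 1) and checking the ID token (step 5), where the audience restriction is what stops an ID token issued to a different client from being accepted here. The OP, client_id, secret and claims are all constructed; mint_id_token stands in for the OP's token endpoint and signs the token with the client secret (HS256, one of the signing options OpenID Connect allows) so the example runs offline.

```python
"""Relying-party (RP) side of the OpenID Connect + OAuth code flow on the
slide above, narrowed to the login request (step 1) and the ID token check
(step 5). Constructed example: mint_id_token stands in for the OP's token
endpoint, and the ID token is HS256-signed with the client secret, one of the
signing options OpenID Connect allows."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ISSUER = "https://op.example.test"        # constructed OpenID Provider URL
CLIENT_ID = "rp-web-app"                  # constructed RP client_id
CLIENT_SECRET = "rp-secret-for-demo"      # constructed; doubles as HS256 key
REDIRECT_URI = "https://rp.example.test/cb"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_login_request(state: str, nonce: str) -> str:
    """Step 1: the URL the browser is sent to. 'openid' turns a plain OAuth
    request into an OpenID Connect one; 'profile email' are user-info scopes.
    state ties the callback to this session, nonce ties the ID token to it."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
             "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(query)}"


def mint_id_token(aud, nonce: str, now=None, azp=None, lifetime=300) -> str:
    """Stand-in for the OP's token endpoint (step 4): returns an HS256 ID
    token. aud may be a string or a list; azp is only needed for lists."""
    now = int(time.time()) if now is None else int(now)
    claims = {"iss": ISSUER, "sub": "user-1234", "aud": aud,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    if azp is not None:
        claims["azp"] = azp
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(CLIENT_SECRET.encode(), f"{header}.{body}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Step 5: reject anything not issued by our OP, for our client, for this
    login, and still valid. Returns the verified claims or raises ValueError."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed ID token")
    # Signature first: no claim is trusted until the MAC checks out, and the
    # alg is pinned so a token cannot pick its own verification method.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET.encode(),
                        f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # Audience restriction: the token must name this client. A token issued
    # to some other RP is a perfectly valid token, just not for us.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in auds:
        raise ValueError("ID token not issued for this client")
    if len(auds) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match this login")
    return claims


def id_token_accepted(token: str, expected_nonce: str, now=None) -> bool:
    """Convenience wrapper: True if validate_id_token accepts the token."""
    try:
        validate_id_token(token, expected_nonce, now=now)
    except ValueError:
        return False
    return True
```

Only after validate_id_token succeeds would the RP use the accompanying access token for step 6, the user info call.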
The Neo-security Stack
▪ OpenID Connect: Federation
▪ SCIM: Provisioning
▪ OAuth: Delegated Access
▪ XACML: Authorization
▪ JSON Identity Suite: Identities
The Neo-security Platform
(Diagram: Identity Management System, API Management System and Entitlement Management System, built on SCIM, the JSON Identity Suite, OpenID Connect, OAuth and XACML)
Summary
▪ APIs offer many benefits
▪ Security will impede or enable these
▪ Technology exists to protect your API
▪ OAuth is not enough
▪ Need the entire Neo-security Stack
▪ The Neo-security Platform protects data & delivers benefits
Questions & Thanks
@2botech
@travisspencer
www.twobo.com
An OAuth protected platform (Nordic APIS April 2014)
