SlideShare une entreprise Scribd logo

OAuth 2.0 Integration Patterns with XACML

Prabath Siriwardena
Prabath Siriwardena

OAuth 2.0 Integration Patterns with XACML

Technologie
1  sur  58
Télécharger pour lire hors ligne
Prabath Siriwardena Senior Architect & Chair, Integration MC
Third-­‐party  applications  are  required  to  store  the  resource   owner's  credentials  for  future  use,  typically  a  password  in  clear-­‐ text.  
Servers  are  required  to  support  password  authentication,   despite  the  security  weaknesses  created  by  passwords.  
Third-­‐party  applications  gain  overly  broad  access  to  the   resource  owner's  protected  resources,  leaving  resource  owners   without  any  ability  to  restrict  duration  or  access  to  a  limited   subset  of  resources.  
Resource  owners  cannot  revoke  access  to  an  individual  third-­‐ party  without  revoking  access  to  all  third-­‐parties,  and  must  do   so  by  changing  their  password.  
Compromise  of  any  third-­‐party  application  results  in   compromise  of  the  end-­‐user's  password  and  all  of  the  data   protected  by  that  password.  
•  Complexity  in  validating  and  generating  signatures.   •  No  clear  separation  between  Resource  Server  and   Authorization  Server.   •  Browser  based  re-­‐redirections.  
•  An  entity  capable  of  granting  access  to  a  protected   resource.     •  When  the  resource  owner  is  a  person,  it  is  referred  to  as   an  end-­‐user.  
•  The  server  hosting  the  protected  resources,  capable  of   accepting  and  responding  to  protected  resource  requests   using  access  tokens.  
•  An  application  making  protected  resource  requests  on   behalf  of  the  resource  owner  and  with  its  authorization  
•  The  server  issuing  access  tokens  to  the  client  after   successfully  authenticating  the  resource  owner  and   obtaining  authorization  
Client  Credentials   Authorization  Code   Resource  Owner  Password  Credentials   Implicit  
Scope   OAuth  Handshake  
Confidential  Client  Type     Web  Application   OAuth  Handshake  
BasicAuth   client_id  /  client_secret   Client  Authenticates  to  AuthZ  Server   OAuth  Handshake  
Scope   OAuth  Handshake  
Public  Client  Type     User  Agent  based  Application   OAuth  Handshake  
Anonymous  Clients   OAuth  Handshake  
Scope   OAuth  Handshake  
Confidential  Client  Type     OAuth  Handshake  
BasicAuth   OAuth  Handshake  
Scope   OAuth  Handshake  
Confidential  Client  Type     OAuth  Handshake  
BasicAuth   OAuth  Handshake  
Runtime  
Bearer   MAC   Runtime  
Bearer   MAC   Bearer   Any  party  in  possession  of  a  bearer  token  (a  "bearer")  can  use   it  to  get  access  to  the  associated  resources  (without   demonstrating  possession  of  a  cryptographic  key).   Runtime  
Bearer   MAC   MAC   HTTP  MAC  access  authentication  scheme   Runtime  
Feed   Clean   Take  out   Medication  
Feed   Clean   Take  out   Medication  
¡  The  de-­‐facto  standard  for  authorization   ¡  PAP  /  PDP  /  PEP  /  PIP   ¡  XML  based  policies  
Policy Enforcement Point
OAuth   XACML   Client   Subject   Resource  Owner   Subject   Scope   Action  +  Resource  
Resource     Action   Resource   Owner   Client   Scope  
Only  the  resource  owner  will  be  able  to  access  any  resource   during  weekend  and  after  9  PM  weekdays   Authorization  Rules  
Day  :  Monday   Time  :  4  PM   Scope  =   “Scooby”+”medication”   Client  :  Foo   Resource  :  Bar    
Day  :  Monday   Time  :  4  PM   Scope  =   “Scooby”+”medication”   Client  :  Foo   Resource  :  Bar    
Day  :  Monday   Time  :  10  PM   Scope  =   “Scooby”+”medication”   Client  :  Foo   Resource  :  Bar    
Day  :  Monday   Time  :  10  PM   Scope  =   “Scooby”+”medication”   Resource  Owner  :  Foo   Resource  :  Bar    
Only  the  resource  owner  will  be  able  to  perform  Feed,  Take  Out   action  on  Dog  resource   Authorization  Rules  
Day  :  Monday   Time  :  4  PM   Scope  =  “Scooby”+”feed”   Client  :  Foo   Resource  :  Bar    
Day  :  Monday   Time  :  4  PM   Scope  =  “Scooby”+”feed”   Client  :  Foo   Resource  :  Bar    
Day  :  Monday   Time  :  10  PM   Scope  =  “Scooby”+”feed”   Resource  Owner  :  Foo   Resource  :  Bar    
OAuth 2.0 Integration Patterns with XACML

Recommandé

Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Torin Sandall
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
Torin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
VMware Tanzu
 

Recommandé

Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Torin Sandall
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
Torin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
VMware Tanzu
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
Torin Sandall
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agent
Knoldus Inc.
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
Luke Weerasooriya
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
Knoldus Inc.
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
SecuRing
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
Prabath Siriwardena
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debate
Restlet
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
Yuichi Nakamura
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
Hitachi, Ltd. OSS Solution Center.
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Pacu ~ Rhino Security
Pacu ~ Rhino SecurityPacu ~ Rhino Security
Pacu ~ Rhino Security
AWSMeetup
 
Fine-grained authorization with XACML
Fine-grained authorization with XACMLFine-grained authorization with XACML
Fine-grained authorization with XACML
Prabath Siriwardena
 
Layer 7: Enterprise SOA with SecureSpan and JavaCaps
Layer 7: Enterprise SOA with SecureSpan and JavaCapsLayer 7: Enterprise SOA with SecureSpan and JavaCaps
Layer 7: Enterprise SOA with SecureSpan and JavaCaps
CA API Management
 

Contenu connexe

Tendances

Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
Luke Weerasooriya
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
SecuRing
 

Tendances (20)

OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agent
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspective
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debate
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Pacu ~ Rhino Security
Pacu ~ Rhino SecurityPacu ~ Rhino Security
Pacu ~ Rhino Security
 

En vedette

Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases
WSO2
 

En vedette (13)

Fine-grained authorization with XACML
Fine-grained authorization with XACMLFine-grained authorization with XACML
Fine-grained authorization with XACML
 
Layer 7: Enterprise SOA with SecureSpan and JavaCaps
Layer 7: Enterprise SOA with SecureSpan and JavaCapsLayer 7: Enterprise SOA with SecureSpan and JavaCaps
Layer 7: Enterprise SOA with SecureSpan and JavaCaps
 
XACML - XML Amsterdam2011
XACML - XML Amsterdam2011XACML - XML Amsterdam2011
XACML - XML Amsterdam2011
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases Uncovering XACML to solve real world business use cases
Uncovering XACML to solve real world business use cases
 
Attribute based access control
Attribute based access controlAttribute based access control
Attribute based access control
 
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
Abac and the evolution of access control
Abac and the evolution of access controlAbac and the evolution of access control
Abac and the evolution of access control
 
Attribute Based Access Control
Attribute Based Access ControlAttribute Based Access Control
Attribute Based Access Control
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
 

Similaire à OAuth 2.0 Integration Patterns with XACML

1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
Priyanka Aash
 
The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)
Nordic APIs
 
O Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellO Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from Hell
WSO2
 
Globus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management PlatformGlobus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management Platform
Ian Foster
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Wei-Tsung Su
 

Similaire à OAuth 2.0 Integration Patterns with XACML (20)

1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)The “I” in API is for Identity (Nordic APIS April 2014)
The “I” in API is for Identity (Nordic APIS April 2014)
 
oauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
 
How to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - IntroductionHow to authenticate users in your apps using FI-WARE Account - Introduction
How to authenticate users in your apps using FI-WARE Account - Introduction
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
Facebook data breach and OAuth2
Facebook data breach and OAuth2 Facebook data breach and OAuth2
Facebook data breach and OAuth2
 
Securing APIs with oAuth2
Securing APIs with oAuth2Securing APIs with oAuth2
Securing APIs with oAuth2
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
O Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellO Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from Hell
 
OAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army FrameworkOAuth2 - The Swiss Army Framework
OAuth2 - The Swiss Army Framework
 
Id fiware upm-dit
Id fiware upm-ditId fiware upm-dit
Id fiware upm-dit
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
Globus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management PlatformGlobus Auth: A Research Identity and Access Management Platform
Globus Auth: A Research Identity and Access Management Platform
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
OAuth OpenID Connect
OAuth OpenID ConnectOAuth OpenID Connect
OAuth OpenID Connect
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 

Plus de Prabath Siriwardena

Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
Prabath Siriwardena
 

Plus de Prabath Siriwardena (20)

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Identity is Eating the World!
Identity is Eating the World!Identity is Eating the World!
Identity is Eating the World!
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
OAuth 2.0 Threat Landscape
OAuth 2.0 Threat LandscapeOAuth 2.0 Threat Landscape
OAuth 2.0 Threat Landscape
 
GDPR for Identity Architects
GDPR for Identity ArchitectsGDPR for Identity Architects
GDPR for Identity Architects
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access Management
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet Identity
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and Cloud
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing Insecure
 
Evolution of Internet Identity
Evolution of Internet IdentityEvolution of Internet Identity
Evolution of Internet Identity
 

Dernier

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

OAuth 2.0 Integration Patterns with XACML

  • 1. Prabath Siriwardena Senior Architect & Chair, Integration MC
  • 2.
  • 3.
  • 4.
  • 5.
  • 6. Third-­‐party  applications  are  required  to  store  the  resource   owner's  credentials  for  future  use,  typically  a  password  in  clear-­‐ text.  
  • 7. Servers  are  required  to  support  password  authentication,   despite  the  security  weaknesses  created  by  passwords.  
  • 8. Third-­‐party  applications  gain  overly  broad  access  to  the   resource  owner's  protected  resources,  leaving  resource  owners   without  any  ability  to  restrict  duration  or  access  to  a  limited   subset  of  resources.  
  • 9. Resource  owners  cannot  revoke  access  to  an  individual  third-­‐ party  without  revoking  access  to  all  third-­‐parties,  and  must  do   so  by  changing  their  password.  
  • 10. Compromise  of  any  third-­‐party  application  results  in   compromise  of  the  end-­‐user's  password  and  all  of  the  data   protected  by  that  password.  
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. •  Complexity  in  validating  and  generating  signatures.   •  No  clear  separation  between  Resource  Server  and   Authorization  Server.   •  Browser  based  re-­‐redirections.  
  • 18. •  An  entity  capable  of  granting  access  to  a  protected   resource.     •  When  the  resource  owner  is  a  person,  it  is  referred  to  as   an  end-­‐user.  
  • 19. •  The  server  hosting  the  protected  resources,  capable  of   accepting  and  responding  to  protected  resource  requests   using  access  tokens.  
  • 20. •  An  application  making  protected  resource  requests  on   behalf  of  the  resource  owner  and  with  its  authorization  
  • 21. •  The  server  issuing  access  tokens  to  the  client  after   successfully  authenticating  the  resource  owner  and   obtaining  authorization  
  • 22.
  • 23. Client  Credentials   Authorization  Code   Resource  Owner  Password  Credentials   Implicit  
  • 25. Confidential  Client  Type     Web  Application   OAuth  Handshake  
  • 26. BasicAuth   client_id  /  client_secret   Client  Authenticates  to  AuthZ  Server   OAuth  Handshake  
  • 28. Public  Client  Type     User  Agent  based  Application   OAuth  Handshake  
  • 31. Confidential  Client  Type     OAuth  Handshake  
  • 32. BasicAuth   OAuth  Handshake  
  • 34. Confidential  Client  Type     OAuth  Handshake  
  • 37. Bearer   MAC   Runtime  
  • 38. Bearer   MAC   Bearer   Any  party  in  possession  of  a  bearer  token  (a  "bearer")  can  use   it  to  get  access  to  the  associated  resources  (without   demonstrating  possession  of  a  cryptographic  key).   Runtime  
  • 39. Bearer   MAC   MAC   HTTP  MAC  access  authentication  scheme   Runtime  
  • 40. Feed   Clean   Take  out   Medication  
  • 41. Feed   Clean   Take  out   Medication  
  • 42. ¡  The  de-­‐facto  standard  for  authorization   ¡  PAP  /  PDP  /  PEP  /  PIP   ¡  XML  based  policies  
  • 43.
  • 45.
  • 46.
  • 47. OAuth   XACML   Client   Subject   Resource  Owner   Subject   Scope   Action  +  Resource  
  • 48. Resource     Action   Resource   Owner   Client   Scope  
  • 49. Only  the  resource  owner  will  be  able  to  access  any  resource   during  weekend  and  after  9  PM  weekdays   Authorization  Rules  
  • 50. Day  :  Monday   Time  :  4  PM   Scope  =   “Scooby”+”medication”   Client  :  Foo   Resource  :  Bar    
  • 51. Day  :  Monday   Time  :  4  PM   Scope  =   “Scooby”+”medication”   Client  :  Foo   Resource  :  Bar    
  • 52. Day  :  Monday   Time  :  10  PM   Scope  =   “Scooby”+”medication”   Client  :  Foo   Resource  :  Bar    
  • 53. Day  :  Monday   Time  :  10  PM   Scope  =   “Scooby”+”medication”   Resource  Owner  :  Foo   Resource  :  Bar    
  • 54. Only  the  resource  owner  will  be  able  to  perform  Feed,  Take  Out   action  on  Dog  resource   Authorization  Rules  
  • 55. Day  :  Monday   Time  :  4  PM   Scope  =  “Scooby”+”feed”   Client  :  Foo   Resource  :  Bar    
  • 56. Day  :  Monday   Time  :  4  PM   Scope  =  “Scooby”+”feed”   Client  :  Foo   Resource  :  Bar    
  • 57. Day  :  Monday   Time  :  10  PM   Scope  =  “Scooby”+”feed”   Resource  Owner  :  Foo   Resource  :  Bar