So you want to use standards to secure your APIs?
Do you? really?
Bertrand CARLIER
bertrand.carlier@wavestone.com
@bertrandcarlier
confidential | © WAVESTONE | Cloud Identity Summit | Chicago 2017
Tier one clients, leaders in their industry
2,500 professionals across 4 continents
Among the leading independent consultancies in Europe, n°1 in France
Paris | London | New York | Hong Kong | Singapore* | Dubai* | Brussels | Luxembourg | Geneva | Casablanca | Lyon | Marseille | Nantes (* strategic partners)
In a world where permanent evolution is key to success, we enlighten and partner our clients in making their most critical business decisions
Win the digital race with digital trust
PROVEN EXPERTISE
/ Digital Risk Strategy & Compliance
/ Safe Business Transformation
/ Security Design & Program Management
/ Identity, Fraud & Trust Services
/ Penetration Testing & Incident Response
/ Business Continuity & Resilience
/ Industrial Control Systems
ACTIONABLE INSIGHTS
/ Industry-specific risk mapping
/ AMT Master plan methodology
/ Startups & Innovation Radars
/ ICS-Attacks demonstrator
/ CERT-W & Bug Bounty
Digital trust is a key business enabler that will put you ahead to win the digital transformation race
Wavestone Cybersecurity & Digital Trust
500+ consultants & experts in Paris, London, New York & Hong Kong
1,000+ engagements per year in 20+ countries
Our clients: Board, Business, CDO, CIO, CISO, BCM
Obligatory XKCD
What I do 1/2
[Diagram: where the speaker sits in the standards ecosystem]
/ People who make standards: the "industry", research scientists, vendors I like
/ People who (try to) understand standards and build things: me, you?, fellow colleagues & competitors
/ People who use standards but don't really care: user companies (my clients), other vendors, my mom
What I do 2/2
Gather requirements -> Benchmark market -> Design target solutions -> Deliver solutions
1. OAuth 101
Implicit and Client Credentials
YOU'VE GOT MAIL
[Diagram: a flight comparator website (the client) calls several airline APIs (resource servers) with an access token issued by the authorization server; results listed: Economy, Direct, Two stops, Business class, Boat; "You've been accepted!"]
Caveat: the OAuth 2.0 Security Best Current Practice (RFC 9700) now recommends against the implicit grant; browser and native clients should use the authorization code grant with PKCE shown on the next slides. Client credentials remains the right grant for machine-to-machine calls where no resource owner is involved.
Authorization code
ARE YOU AUTHORIZED?
[Diagram: the resource owner authorizes the airline website (client) at the authorization server; the client redeems the authorization code for an access token and calls the airline API (resource server)]
Proof Key for Code Exchange
PIXIES
PKCE (RFC 7636)
[Diagram: the same authorization code flow between resource owner, airline website (client), authorization server and resource server, with the client proving possession of the code_verifier when it redeems the code]
Refresh token
(RE)FRESH
[Diagram: the airline website (client) receives a refresh token alongside the access token and presents it to the authorization server to obtain new access tokens without involving the resource owner again; PKCE (RFC 7636) still covers the initial code exchange]
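The three slides above (authorization code, PKCE, refresh token) only name the moving parts. What follows is an added example, not code from the talk or from Wavestone: a toy in-memory authorization server in Python that runs the authorization code grant with PKCE (RFC 7636, S256 only) and rotates refresh tokens, with the checks that matter at the token endpoint. The client id `airline-web`, its redirect URI, the user and the scope are assumptions for illustration; a real server also authenticates the resource owner and the client and runs over TLS.

```python
"""Toy authorization server: authorization code grant with PKCE (RFC 7636) and
refresh-token rotation, all in memory. Illustrative only (assumed client/URLs)."""
import base64
import hashlib
import secrets
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    CODE_TTL = 60       # codes are short-lived and single-use (RFC 6749 4.1.2)
    ACCESS_TTL = 600

    def __init__(self, clients: dict):
        self.clients = clients   # client_id -> registered redirect_uri (exact match only)
        self.codes = {}          # code -> pending authorization
        self.refresh = {}        # refresh_token -> grant
        self.now = time.time     # overridable clock

    def authorize(self, client_id, redirect_uri, code_challenge, method, user, scope):
        """Front channel: the resource owner has authenticated and consented."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' gives no protection")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                challenge=code_challenge, user=user, scope=scope,
                                exp=self.now() + self.CODE_TTL)
        return code

    def token_by_code(self, client_id, redirect_uri, code, code_verifier):
        """Back channel: redeem the code. Each check defends a known attack."""
        pending = self.codes.pop(code, None)   # pop: a code works exactly once
        if pending is None or pending["exp"] < self.now():
            raise ValueError("invalid_grant: unknown, used or expired code")
        if pending["client_id"] != client_id or pending["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant: code issued to another client/redirect")
        if not secrets.compare_digest(code_challenge_s256(code_verifier), pending["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return self._issue(client_id, pending["user"], pending["scope"])

    def token_by_refresh(self, client_id, refresh_token):
        grant = self.refresh.pop(refresh_token, None)   # rotation: the old token dies
        if grant is None or grant["client_id"] != client_id:
            raise ValueError("invalid_grant: refresh token unknown or wrong client")
        return self._issue(client_id, grant["user"], grant["scope"])

    def _issue(self, client_id, user, scope):
        access, new_refresh = b64url(secrets.token_bytes(32)), b64url(secrets.token_bytes(32))
        self.refresh[new_refresh] = dict(client_id=client_id, user=user, scope=scope)
        return dict(access_token=access, token_type="Bearer", expires_in=self.ACCESS_TTL,
                    refresh_token=new_refresh, scope=scope)


def _fails(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Happy path plus the failures a pentester tries first (assumed client data)."""
    cb = "https://airline.example/cb"
    as_ = AuthorizationServer({"airline-web": cb})
    verifier = make_code_verifier()
    code = as_.authorize("airline-web", cb, code_challenge_s256(verifier), "S256", "alice", "flights:read")
    tokens = as_.token_by_code("airline-web", cb, code, verifier)
    code2 = as_.authorize("airline-web", cb, code_challenge_s256(verifier), "S256", "alice", "flights:read")
    refreshed = as_.token_by_refresh("airline-web", tokens["refresh_token"])
    return {
        "issued": tokens["scope"] == "flights:read",
        "replay_rejected": _fails(lambda: as_.token_by_code("airline-web", cb, code, verifier)),
        "stolen_code_without_verifier_rejected":
            _fails(lambda: as_.token_by_code("airline-web", cb, code2, make_code_verifier())),
        "refresh_rotated": refreshed["refresh_token"] != tokens["refresh_token"],
        "old_refresh_rejected": _fails(lambda: as_.token_by_refresh("airline-web", tokens["refresh_token"])),
    }
```

Every entry returned by `demo()` is `True` when the server behaves: the code is single-use, a stolen code is worthless without the verifier, and an old refresh token stops working the moment it has been rotated.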
OAuth2.0: it's quite simple
Who's up for a 130-page RFC read?
And if you want security, feel free to read the 71 pages of "OAuth 2.0 Threat Model and Security Considerations" (RFC 6819)
[Diagram: page counts shown on the slide: 20, 17, 18, 76 (adding up to the ~130 pages); recap of client, authorization server, resource server, resource owner, access token, refresh token and Proof Key for Code Exchange]
2. OAuth Advanced
OAuth2.0: Real Life requirements
/ Adaptive authentication, either application initiated (acr request) or Authorization Server mandated
/ APIs federation
/ REST friendly
/ Scalable
/ Modern Web Single Sign-On
/ Beyond the enterprise perimeter
/ Browser and mobile friendly
OpenID Connect
FRENCH CONNECTION
[Diagram: a town's website (client) authenticates the citizen through the France Connect hub (OpenID Connect provider) and receives an ID token; with the access token it calls the tax department API (resource server); refresh token and PKCE (RFC 7636) as on the previous slides]
Authentication Context Reference (acr)
SMS, I KNOW…
[Diagram: the client requests a given authentication context (acr) from the OpenID Connect provider; the bank's authorization server enforces it before issuing the access token used on the bank API; ID token, refresh token and PKCE (RFC 7636) as before]
JWT Bearer profile
ONE RING TOKEN TO RULE THEM ALL
[Diagram: the "Bank & Insurance discount" use case with white-label insurance. Two numbered steps: (1) the bank website, having authenticated its customer, presents a JWT assertion to the insurance's authorization server; (2) the access token it receives is used on the insurance's API. Roles as before: client, authorization server, resource server, resource owner, OpenID Connect provider, ID token, refresh token, PKCE (RFC 7636)]
OAuth 2.0 for Native Applications
SSO ON THE GO
[Diagram: two apps on a mobile phone share sign-on through the OpenID Connect provider and the bank's authorization server, following "OAuth 2.0 for Native Apps" (a draft at the time, published as RFC 8252 later in 2017); access token, refresh token, ID token and PKCE (RFC 7636) as before]
3. OAuth & Beyond
OAuth: Today's challenges
/ Pair with devices
/ Protect from token hijacking
/ Share and Consent
/ Transmit Identity
These are the current use cases that we need to solve now, with only draft standards!
OAuth2 Device Flow
2 MINUTES TWICE A DAY
[Diagram: a connected toothbrush (an input-constrained device) obtains a token from the toothbrush's cloud services; the user completes the authorization on the toothbrush's app on the phone through the OpenID Connect provider; four numbered steps on the slide]
The device flow was a draft at the time of the talk; it was published as RFC 8628 in 2019.
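As an added example (not code from the talk), the device grant the toothbrush slide illustrates, simulated in Python with both sides in one process: the authorization server's state machine (user code, device code, polling interval, expiry) and the device's polling loop handling the `authorization_pending`, `slow_down`, `access_denied` and `expired_token` answers. The client id, scope, verification URI and the user `alice` are assumptions; a fake clock replaces real waiting.

```python
"""Device authorization grant (RFC 8628; still a draft when the talk was given),
simulated with both sides: the server's state machine and the device's poll loop."""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels, no look-alikes (RFC 8628 6.1)


class FakeClock:
    """Stands in for wall-clock time so the polling loop runs instantly."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class DeviceAuthServer:
    CODE_TTL = 600   # seconds the user has to approve
    INTERVAL = 5     # minimum seconds between polls

    def __init__(self, now=time.time):
        self.pending = {}   # device_code -> record
        self.now = now

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /device_authorization: the device asks for its pair of codes."""
        device_code = secrets.token_urlsafe(32)   # high entropy, never shown to the user
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        self.pending[device_code] = dict(client_id=client_id, scope=scope, user_code=user_code,
                                         decision=None, user=None,
                                         exp=self.now() + self.CODE_TTL, last_poll=0.0)
        return dict(device_code=device_code, user_code=user_code,
                    verification_uri="https://as.example/device",   # assumed
                    expires_in=self.CODE_TTL, interval=self.INTERVAL)

    def user_decides(self, user_code: str, user: str, approved: bool) -> bool:
        """Front channel on the phone: a logged-in user types the code the device shows."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["decision"] is None and rec["exp"] > self.now():
                rec["decision"], rec["user"] = approved, user
                return True
        return False   # unknown or expired code; rate-limit this endpoint, the code is short

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["exp"] < self.now():
            del self.pending[device_code]
            return {"error": "expired_token"}
        too_fast = self.now() - rec["last_poll"] < self.INTERVAL
        rec["last_poll"] = self.now()
        if too_fast:
            return {"error": "slow_down"}
        if rec["decision"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]   # a device code yields exactly one final answer
        if not rec["decision"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["user"]}


def run_device(server, clock, client_id, scope, decide_after_polls, approved=True):
    """Device side: request codes, display user_code, poll until a final answer.
    The user's action on the phone is injected before poll number `decide_after_polls`."""
    resp = server.device_authorization(client_id, scope)
    interval, polls, log = resp["interval"], 0, []
    while True:
        polls += 1
        if polls == decide_after_polls:
            server.user_decides(resp["user_code"], "alice", approved)
        ans = server.token(client_id, resp["device_code"])
        log.append(ans.get("error", "ok"))
        if "access_token" in ans or ans["error"] not in ("authorization_pending", "slow_down"):
            return ans, log
        if ans["error"] == "slow_down":
            interval += 5   # RFC 8628 3.5: back off by 5 seconds on slow_down
        clock.sleep(interval)


if __name__ == "__main__":
    clock = FakeClock()
    srv = DeviceAuthServer(now=clock.now)
    print(run_device(srv, clock, "toothbrush-app", "brushing:write", decide_after_polls=3))
```

Two design points worth noting: the `user_code` is short because a human types it, so the endpoint that accepts it must be rate-limited and must not reveal whether a code exists; the `device_code` carries the entropy and is deleted the moment it produces a final answer.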
Token Binding
LATER AGGREGATOR
Token Binding & Mutual TLS profiles
[Diagram: the "Personal Finance Manager" use case: a multi-account aggregator (client, a native app) holds access tokens for several bank APIs; Token Binding or the mutual TLS profile binds each token to the client that obtained it, so a hijacked token is useless to anyone else; OpenID Connect provider, ID token, refresh token and PKCE (RFC 7636) as before]
Caveat: Token Binding (RFC 8471) never saw broad browser deployment; the mutual TLS profile became RFC 8705, and DPoP (RFC 9449) now provides sender-constrained tokens for clients that cannot use client certificates.
User Managed Access
RUN BABY RUN
[Diagram: I (the resource owner) manage at my authorization server who may access my personal health records; the doctor and the receptionist (requesting parties) reach them through some medical software (client); OpenID Connect provider, Token Binding & mutual TLS profiles, OAuth 2.0 for native apps and PKCE (RFC 7636) as before]
Token Exchange
WALL STREET
[Diagram: customer support (acting on behalf of a user) reaches the customer API through micro services; Token Exchange lets a service swap the token it received for one scoped to the next hop while carrying the requesting party's identity; OpenID Connect provider, Token Binding, OAuth 2.0 for native apps and PKCE (RFC 7636) as before]
Token Exchange was a draft at the time of the talk; it was published as RFC 8693 in 2020.
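Both the JWT Bearer profile slide (the bank asserting its customer to the insurer's authorization server) and the Token Exchange slide (customer support reaching the customer API through micro services) come down to the same operation: an authorization server accepting one token and minting another. The example below is added here and is not code from the talk; it implements both grants on one toy server with a standard-library HS256 JWT helper and shows the checks that usually go missing (audience, expiry, `jti` replay, no scope widening on exchange, the `act` claim). Issuer, endpoint and service URLs, the key material and the user and scope names are assumptions for illustration; production setups use per-issuer asymmetric keys fetched from JWKS, not shared secrets.

```python
"""Toy authorization server for the JWT bearer assertion grant (RFC 7523) and token
exchange (RFC 8693). HS256 over shared secrets keeps it stdlib-only (assumed setup)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://as.insurance.example"     # assumed identifiers
TOKEN_ENDPOINT = ISSUER + "/token"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    head = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def jwt_verify(token: str, key: bytes, iss: str, aud: str, now: float) -> dict:
    """Signature first, then iss, aud and exp: the checks RFC 7523 section 3 lists."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the token never chooses the algorithm
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, b64url_decode(sig)):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(body))
    auds = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != iss or aud not in auds or c.get("exp", 0) < now:
        raise ValueError("iss/aud/exp check failed")
    return c


class AuthorizationServer:
    def __init__(self, partner_keys: dict, own_key: bytes):
        self.partner_keys = partner_keys   # assertion issuer -> its verification key
        self.own_key = own_key
        self.seen_jti = set()              # replay cache; prune by exp in practice
        self.now = time.time

    def issue(self, sub: str, aud: str, scope: str, extra: dict = None) -> str:
        claims = {"iss": ISSUER, "sub": sub, "aud": aud, "scope": scope,
                  "exp": int(self.now()) + 300, "jti": secrets.token_urlsafe(16)}
        return jwt_sign({**claims, **(extra or {})}, self.own_key)

    def jwt_bearer_grant(self, assertion: str, scope: str) -> str:
        """grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer"""
        iss = json.loads(b64url_decode(assertion.split(".")[1])).get("iss")
        key = self.partner_keys.get(iss)   # pick the key by issuer, then verify everything
        if key is None:
            raise ValueError("untrusted assertion issuer")
        c = jwt_verify(assertion, key, iss, TOKEN_ENDPOINT, self.now())
        if "jti" not in c or c["jti"] in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti.add(c["jti"])
        return self.issue(c["sub"], "https://api.insurance.example", scope)

    def token_exchange(self, subject_token: str, actor_token: str, audience: str, scope: str) -> str:
        """grant_type=urn:ietf:params:oauth:grant-type:token-exchange"""
        actor = jwt_verify(actor_token, self.own_key, ISSUER, TOKEN_ENDPOINT, self.now())
        # The subject token must have been issued *to the actor* (its sub doubles as its
        # resource identifier here), not picked up on some other channel.
        subject = jwt_verify(subject_token, self.own_key, ISSUER, actor["sub"], self.now())
        if not set(scope.split()) <= set(subject["scope"].split()):
            raise ValueError("exchange cannot widen scope")
        return self.issue(subject["sub"], audience, scope, {"act": {"sub": actor["sub"]}})


def demo() -> dict:
    bank_key, as_key = b"bank-shared-secret", b"insurance-as-secret"   # assumed
    as_ = AuthorizationServer({"https://bank.example": bank_key}, as_key)
    # Step 1: the bank asserts its logged-in customer to the insurer's AS.
    assertion = jwt_sign({"iss": "https://bank.example", "sub": "customer-42", "aud": TOKEN_ENDPOINT,
                          "exp": int(as_.now()) + 60, "jti": "a1"}, bank_key)
    insurance_token = as_.jwt_bearer_grant(assertion, "quote:read")
    try:
        as_.jwt_bearer_grant(assertion, "quote:read")
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    # Step 2: customer support swaps the user's token for a narrower one for the customer API.
    user_tok = as_.issue("customer-42", "https://support.example", "profile:read profile:write")
    svc_tok = as_.issue("https://support.example", TOKEN_ENDPOINT, "exchange")
    downstream = as_.token_exchange(user_tok, svc_tok, "https://customer-api.example", "profile:read")
    claims = jwt_verify(downstream, as_key, ISSUER, "https://customer-api.example", as_.now())
    return {"insurance_sub": jwt_verify(insurance_token, as_key, ISSUER,
                                        "https://api.insurance.example", as_.now())["sub"],
            "replay_rejected": replay_rejected, "actor": claims["act"]["sub"], "scope": claims["scope"]}
```

The audience check is the one that matters most in both grants: an assertion whose `aud` is not this token endpoint may be a perfectly valid token meant for somebody else, and a subject token not issued to the exchanging service is exactly the stolen-token case the exchange must refuse.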
Not to mention
/ Dynamic Client Registration & Management
/ OIDC/OAuth Discovery
/ Signed request
/ Mobile Connect
/ OIDC Session Management
/ Token revocation
/ …
The big picture
AT LAST
[Diagram: all the pieces together: client, authorization server, resource server, resource owner, requesting party, OpenID Connect provider, access token, refresh token, ID token, PKCE (RFC 7636), OAuth 2.0 for native apps, Token Binding, Token Exchange]
“Just saying #OAuth does not do the job”
ONE LAST WORD
/ OAuth is a very rich ecosystem
  / Choose the right specifications
  / Integrate them carefully within a well-designed architecture
  / Don't end up with flawed API security or a false sense of security
wavestone.com
@wavestone_
riskinsight-wavestone.com
@Risk_Insight
securityinsider-solucom.fr
@SecuInsider
Bertrand CARLIER
Senior Manager
M +33 6 18 64 42 52
bertrand.carlier@wavestone.com

IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

CIS 2017 - So you want to use standards to secure your APIs?

  • 1. So you want to use standards to secure your APIs? Do you? Really? Bertrand CARLIER, bertrand.carlier@wavestone.com, @bertrandcarlier
  • 2. confidentiel | © WAVESTONE | Cloud Identity Summit | Chicago 2017. Tier one clients, leaders in their industry. 2,500 professionals across 4 continents. Among the leading independent consultancies in Europe, n°1 in France. Paris | London | New York | Hong Kong | Singapore* | Dubai* | Brussels | Luxembourg | Geneva | Casablanca | Lyon | Marseille | Nantes. In a world where permanent evolution is key to success, we enlighten and partner our clients in making their most critical business decisions.
  • 3. Win the digital race with digital trust. PROVEN EXPERTISE: Digital Risk Strategy & Compliance / Safe Business Transformation / Security Design & Program Management / Identity, Fraud & Trust Services / Penetration Testing & Incident Response / Business Continuity & Resilience / Industrial Control Systems. ACTIONABLE INSIGHTS: Industry-specific risk mapping / AMT Master plan methodology / Startups & Innovation Radars / ICS-Attacks demonstrator / CERT-W & Bug Bounty. Digital trust is a key business enabler that will put you ahead to win the digital transformation race. Wavestone Cybersecurity & Digital Trust: 500+ Consultants & Experts in Paris, London, New York & Hong Kong; 1,000+ Engagements per year in 20+ countries. Our clients: Board, Business, CDO, CIO, CISO, BCM.
  • 4. Obligatory XKCD
  • 5. What I do 1/2. People who use standards but don't really care: user companies (my clients), other vendors, my mom. People who (try to) understand standards and build things: me, you?, fellow colleagues & competitors. People who make standards: the "industry", research scientists, vendors I like.
  • 6. What I do 2/2: Gather requirements, Benchmark market, Design target solutions, Deliver solutions.
  • 8. Implicit and Client Credentials. YOU'VE GOT MAIL. [Diagram: a comparator website (flight comparator) calling three airline APIs; options shown: Economy, Direct, Two stops, Business class, Boat; "You've been accepted!". Legend: Client, Authorization server, Resource server, Access token.]
  • 9. Authorization code. ARE YOU AUTHORIZED? [Diagram: airline website, airline API. Legend: Client, Authorization server, Resource server, Access token, Resource owner.]
  • 10. Proof Key for Code Exchange (PKCE, RFC 7636). PIXIES. [Diagram: airline website. Legend: Client, Authorization server, Resource server, Access token, Resource owner, PKCE (RFC 7636).]
  • 11. Refresh token. (RE)FRESH. [Diagram: airline website. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, PKCE (RFC 7636).]
  • 12. OAuth 2.0: it's quite simple. Who's up for a 130-page RFC read? And if you want security, feel free to read the 71-page « OAuth2 Threat Model and Security Considerations ». [Figures on slide: 20, 17, 18, 76. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, Proof Key for Code Exchange.]
  • 14. OAuth 2.0: Real Life requirements. Adaptive authentication: application initiated (acr request) or Authorization Server mandated (adaptive authentication). APIs federation. REST friendly. Scalable. Modern Web Single Sign-On. Beyond the enterprise perimeter. Browser and mobile friendly.
  • 15. OpenID Connect. FRENCH CONNECTION. [Diagram: town's website, tax department API, France Connect hub. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, PKCE (RFC 7636), ID token.]
  • 16. Authentication Context Reference (acr). SMS, I KNOW... [Diagram: bank API, bank authorization server, OpenID Connect provider. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636).]
  • 17. JWT Bearer profile. ONE RING TOKEN TO RULE THEM ALL. [Diagram: bank website, insurance's authorization server, insurance's API, OpenID Connect provider; "Bank & Insurance discount", "White label insurance"; steps 1 and 2. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636).]
  • 18. OAuth 2.0 for Native Applications. SSO ON THE GO. [Diagram: mobile phone with app, bank's authorization server, OpenID Connect provider. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps.]
  • 19. 3. OAuth & Beyond
  • 20. OAuth: Today's challenges. Pair with devices. Protect from token hijacking. Share and Consent. Transmit Identity. These are the current use cases that we need to solve now, with only draft standards!
  • 21. OAuth2 Device Flow. 2 MINUTES TWICE A DAY. [Diagram: connected toothbrush, toothbrush's cloud services, toothbrush's app; steps 1 to 4. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, OpenID Connect provider.]
  • 22. Token Binding. LATER AGGREGATOR. The "Personal Finance Manager" use case. [Diagram: multi-account aggregator app calling three bank APIs. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, OpenID Connect provider, Token Binding & Mutual TLS profiles.]
  • 23. User Managed Access. RUN BABY RUN. [Diagram: me, authorization server, personal health records, some medical software, doctor, receptionist. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, OpenID Connect provider, Token Binding & Mutual TLS profiles, Requesting party.]
  • 24. Token Exchange. WALL STREET. [Diagram: customer support, customer API, micro services. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, OpenID Connect provider, Token Binding, Requesting party, Token Exchange.]
  • 25. The big picture. AT LAST. Not to mention: Dynamic Client Registration & Management / OIDC/OAuth Discovery / Signed request / Mobile Connect / OIDC Session Management / Token revocation / ... [Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, OpenID Connect provider, Token Binding, Requesting party, Token Exchange.]
  • 26. "Just saying #OAuth does not do the job". ONE LAST WORD. OAuth is a very rich ecosystem: choose the right specifications; integrate them carefully within a well-designed architecture; don't end up with flawed API security or a false sense of security.
  • 28. PARIS, LONDON, NEW YORK, HONG KONG, SINGAPORE*, DUBAI*, BRUSSELS, LUXEMBOURG, GENEVA, CASABLANCA, LYON, MARSEILLE, NANTES (* strategic partners). PARIS, LONDON, NEW YORK, HONG KONG, SINGAPORE*, DUBAI*, SAO PAULO*, LUXEMBOURG, MADRID*, MILAN*, BRUSSELS, GENEVA, CASABLANCA, ISTANBUL*, LYON, MARSEILLE, NANTES (* partnerships).
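Slide 10 names PKCE (RFC 7636) but the exchange its diagram showed is lost in the transcript. The following is an added example, not code from the deck or from Wavestone: a public client derives an S256 code challenge from a fresh verifier, the authorization server binds the challenge to the issued code, and the token endpoint only accepts the code together with the matching verifier. The in-memory code store, the client_id "airline-app" and the access-token format are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Client side: a public client (native app or browser app) that cannot keep a secret.
def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """32 random octets give a 43-char verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str, method: str = "S256") -> str:
    """S256 = BASE64URL(SHA256(ASCII(verifier))); 'plain' only where S256 is impossible."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

# Authorization server side: constructed in-memory code store for the example.
class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: Dict[str, dict] = {}

    def authorize(self, client_id: str, challenge: str, method: str) -> str:
        """Authorization endpoint: remember the challenge bound to the issued code."""
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "challenge": challenge, "method": method}
        return code

    def token(self, client_id: str, code: str, verifier: str) -> Optional[str]:
        """Token endpoint: the code is single-use; recompute the challenge, compare in constant time."""
        entry = self._codes.pop(code, None)
        if entry is None or entry["client_id"] != client_id or not 43 <= len(verifier) <= 128:
            return None
        if not hmac.compare_digest(code_challenge(verifier, entry["method"]), entry["challenge"]):
            return None
        return "access-token-" + secrets.token_urlsafe(16)  # constructed token format

def run_pkce_flow(server: AuthorizationServer, verifier_at_token: Optional[str] = None) -> Optional[str]:
    """Full exchange; a different verifier at the token step models a code that was not the client's."""
    verifier = new_code_verifier()
    code = server.authorize("airline-app", code_challenge(verifier), "S256")
    return server.token("airline-app", code, verifier_at_token or verifier)
```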