SlideShare une entreprise Scribd logo

Securing APIs with OAuth and SAML

Télécharger en tant que PPTX, PDF
WSO2
WSO2

A document discusses various patterns for securing RESTful APIs in enterprise environments. It presents 12 problem statements describing different scenarios for accessing APIs, including scenarios where APIs need to be accessed by employees only, via single or multiple web applications, across departments, regions, and where some users are external partners. The document discusses using technologies like OAuth, OpenID Connect, SAML, and Active Directory for authentication and authorization in these different patterns.

Technologie
1  sur  36
Securing Insecure Prabath Siriwardena, WSO2 Twitter : @prabath
Perception
Perception
Perception
Correctness
C-I- A Confidentiality Integrity Availability Correctness
The Weakest Link
Insider Attacks
Defense In Depth
Threat Modeling
Pattern 01 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application passes logged in user’s identifier to the backend APIs and retrieves data related to the user.
Pattern 02 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged in user.
Pattern 03 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.
Pattern 04 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user. All the users are in a Windows domain and once they are logged into their workstations – they should not be asked to provide credentials at any point for any other application.
Pattern 05 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees as well as employees from trusted partners via multiple web applications. All the internal user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.
Pattern 06 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to an OpenID Connect Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.
Pattern 07 Problem Statement A medium-scale enterprise in the finance industry needs to expose an API to its customers through a mobile application. One major requirement is that all the API calls should support non-repudiation.
Pattern 08 Problem Statement A medium-scale enterprise that sells bottled water has a RESTful API (Water API), which can be used to update the amount of water consumed by a registered user. These APIs should be accessed by any registered user via any client application - could be an android app, an iOS app or even a web application. The company only provides APIs and anyone can develop client applications to consume those. All the user data are stored in an Active Directory. Client applications should not be able to access the API directly and query about users. Only registered users can access the API – and they also should not be able to see other users information. At the same time for each update by the user – the Water API must also update user’s health care record maintained at the MyHealth.org. The user also has a user record at MyHealth.org and it too exposes an API (MyHealth API). The Water API has to call MyHealth API to update user record, on be half of the user.
Pattern 09 Problem Statement A large-scale enterprise has a set of RESTful APIs. The APIs are hosted in different departments and each department runs its own OAuth authorization server due to vendor incompatibilities in different deployments. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall – irrespective of the department they belong to. All the user data are stored in a centralized Active Directory and all the web applications are connected to a centralized OAuth Authorization Server (also supports OpenID Connect) to authenticate users. The web applications need to access backend APIs on behalf of the logged in user. These APIs may come from different departments – having their own authorization servers. The company also has a centralized OAuth authorization server and an employee having an access token from the centralized authorization server must be able to access any API hosted in any department.
Pattern 10 Problem Statement A global organization has APIs and API clients distributed across different regions. Each region operates independent from each other. Currently both the clients and the APIs are non-secured. Need to secure the APIs without doing any changes either at the API end or at the client end.
Pattern 11 Problem Statement A company wants to expose an API to its own employees. But the user credentials must not ever go over the wire.
Pattern 12 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged in user. The backend API must authorize the user.
Contact us !

Recommandé

Confessions of-a-gadget-holic
Confessions of-a-gadget-holicConfessions of-a-gadget-holic
Confessions of-a-gadget-holicTyrell Perera
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
Opening Our Platform to Developers: PayPal's New Application Model and Develo...
Opening Our Platform to Developers: PayPal's New Application Model and Develo...Opening Our Platform to Developers: PayPal's New Application Model and Develo...
Opening Our Platform to Developers: PayPal's New Application Model and Develo...PayPalX Developer Network
 
5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer AppsCA API Management
 
What is the need of API Development solutions?
What is the need of API Development solutions? What is the need of API Development solutions?
What is the need of API Development solutions? Chetu
 
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case Study
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case StudyWSO2Con ASIA 2016: Service Governance Meets API Governance: A Case Study
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case StudyWSO2
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityApigee | Google Cloud
 
Case study for free advertising platform for businesses with ios & android ap...
Case study for free advertising platform for businesses with ios & android ap...Case study for free advertising platform for businesses with ios & android ap...
Case study for free advertising platform for businesses with ios & android ap...Mike Taylor
 

Recommandé

Confessions of-a-gadget-holic
Confessions of-a-gadget-holicConfessions of-a-gadget-holic
Confessions of-a-gadget-holicTyrell Perera
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
Opening Our Platform to Developers: PayPal's New Application Model and Develo...
Opening Our Platform to Developers: PayPal's New Application Model and Develo...Opening Our Platform to Developers: PayPal's New Application Model and Develo...
Opening Our Platform to Developers: PayPal's New Application Model and Develo...PayPalX Developer Network
 
5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer AppsCA API Management
 
What is the need of API Development solutions?
What is the need of API Development solutions? What is the need of API Development solutions?
What is the need of API Development solutions? Chetu
 
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case Study
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case StudyWSO2Con ASIA 2016: Service Governance Meets API Governance: A Case Study
WSO2Con ASIA 2016: Service Governance Meets API Governance: A Case StudyWSO2
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityApigee | Google Cloud
 
Case study for free advertising platform for businesses with ios & android ap...
Case study for free advertising platform for businesses with ios & android ap...Case study for free advertising platform for businesses with ios & android ap...
Case study for free advertising platform for businesses with ios & android ap...Mike Taylor
 
Mobile DevOps
Mobile DevOpsMobile DevOps
Mobile DevOpsApteligent
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Mobile DevOps for Mobile App Excellence
Mobile DevOps for Mobile App ExcellenceMobile DevOps for Mobile App Excellence
Mobile DevOps for Mobile App ExcellenceAlex Gaber
 
#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connect#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connectpramodvallanur
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Mulesoft intergrate for android app
Mulesoft intergrate for android appMulesoft intergrate for android app
Mulesoft intergrate for android appSon Nguyen
 
Startup application trends spring 2013
Startup application trends spring 2013Startup application trends spring 2013
Startup application trends spring 2013Mukund Mohan
 
Enabling Business Success Using APIs
Enabling Business Success Using APIsEnabling Business Success Using APIs
Enabling Business Success Using APIsCA API Management
 
SharePoint 2013 Apps and the App Model
SharePoint 2013 Apps and the App ModelSharePoint 2013 Apps and the App Model
SharePoint 2013 Apps and the App ModelJames Tramel
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Amundsen's Dogs, Information Halos, and APIs
Amundsen's Dogs, Information Halos, and APIsAmundsen's Dogs, Information Halos, and APIs
Amundsen's Dogs, Information Halos, and APIsSam Ramji
 
A Secure Insurance Business App for iPhone and Android
A Secure Insurance Business App for iPhone and AndroidA Secure Insurance Business App for iPhone and Android
A Secure Insurance Business App for iPhone and AndroidHarbinger Systems - HRTech Builder of Choice
 
CA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerCA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerRajat Vijayvargiya
 
Intro to Salesforce Mobile SDK: Building Hybrid Apps Webinar
Intro to Salesforce Mobile SDK: Building Hybrid Apps WebinarIntro to Salesforce Mobile SDK: Building Hybrid Apps Webinar
Intro to Salesforce Mobile SDK: Building Hybrid Apps WebinarSalesforce Developers
 
Free advertising platform for businesses with IOS & Android Apps development
Free advertising platform for businesses with IOS & Android Apps developmentFree advertising platform for businesses with IOS & Android Apps development
Free advertising platform for businesses with IOS & Android Apps developmentMike Taylor
 
SlideShare Test-1
SlideShare Test-1SlideShare Test-1
SlideShare Test-1Michael Maverick
 
IRJET- Agriculture Business to Business Website
IRJET- Agriculture Business to Business WebsiteIRJET- Agriculture Business to Business Website
IRJET- Agriculture Business to Business WebsiteIRJET Journal
 
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDK
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDKQuickly Build a Native Mobile App for your Community using Salesforce Mobile SDK
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDKMichael Welburn
 
Rajendra Thota CV
Rajendra Thota CVRajendra Thota CV
Rajendra Thota CVRajendra Thota
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing InsecurePrabath Siriwardena
 
5 pillars of API Management
5 pillars of API Management5 pillars of API Management
5 pillars of API ManagementJames Farley-Sutton
 
API Best Practices
API Best PracticesAPI Best Practices
API Best PracticesSai Koppala
 

Contenu connexe

Tendances

Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Mobile DevOps for Mobile App Excellence
Mobile DevOps for Mobile App ExcellenceMobile DevOps for Mobile App Excellence
Mobile DevOps for Mobile App ExcellenceAlex Gaber
 
#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connect#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connectpramodvallanur
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Mulesoft intergrate for android app
Mulesoft intergrate for android appMulesoft intergrate for android app
Mulesoft intergrate for android appSon Nguyen
 
Startup application trends spring 2013
Startup application trends spring 2013Startup application trends spring 2013
Startup application trends spring 2013Mukund Mohan
 
Enabling Business Success Using APIs
Enabling Business Success Using APIsEnabling Business Success Using APIs
Enabling Business Success Using APIsCA API Management
 
SharePoint 2013 Apps and the App Model
SharePoint 2013 Apps and the App ModelSharePoint 2013 Apps and the App Model
SharePoint 2013 Apps and the App ModelJames Tramel
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Amundsen's Dogs, Information Halos, and APIs
Amundsen's Dogs, Information Halos, and APIsAmundsen's Dogs, Information Halos, and APIs
Amundsen's Dogs, Information Halos, and APIsSam Ramji
 
CA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerCA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerRajat Vijayvargiya
 
Intro to Salesforce Mobile SDK: Building Hybrid Apps Webinar
Intro to Salesforce Mobile SDK: Building Hybrid Apps WebinarIntro to Salesforce Mobile SDK: Building Hybrid Apps Webinar
Intro to Salesforce Mobile SDK: Building Hybrid Apps WebinarSalesforce Developers
 
Free advertising platform for businesses with IOS & Android Apps development
Free advertising platform for businesses with IOS & Android Apps developmentFree advertising platform for businesses with IOS & Android Apps development
Free advertising platform for businesses with IOS & Android Apps developmentMike Taylor
 
IRJET- Agriculture Business to Business Website
IRJET- Agriculture Business to Business WebsiteIRJET- Agriculture Business to Business Website
IRJET- Agriculture Business to Business WebsiteIRJET Journal
 
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDK
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDKQuickly Build a Native Mobile App for your Community using Salesforce Mobile SDK
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDKMichael Welburn
 

Tendances (19)

Mobile DevOps
Mobile DevOpsMobile DevOps
Mobile DevOps
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & Win
 
Mobile DevOps for Mobile App Excellence
Mobile DevOps for Mobile App ExcellenceMobile DevOps for Mobile App Excellence
Mobile DevOps for Mobile App Excellence
 
#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connect#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connect
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
 
Mulesoft intergrate for android app
Mulesoft intergrate for android appMulesoft intergrate for android app
Mulesoft intergrate for android app
 
Startup application trends spring 2013
Startup application trends spring 2013Startup application trends spring 2013
Startup application trends spring 2013
 
Enabling Business Success Using APIs
Enabling Business Success Using APIsEnabling Business Success Using APIs
Enabling Business Success Using APIs
 
SharePoint 2013 Apps and the App Model
SharePoint 2013 Apps and the App ModelSharePoint 2013 Apps and the App Model
SharePoint 2013 Apps and the App Model
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Amundsen's Dogs, Information Halos, and APIs
Amundsen's Dogs, Information Halos, and APIsAmundsen's Dogs, Information Halos, and APIs
Amundsen's Dogs, Information Halos, and APIs
 
A Secure Insurance Business App for iPhone and Android
A Secure Insurance Business App for iPhone and AndroidA Secure Insurance Business App for iPhone and Android
A Secure Insurance Business App for iPhone and Android
 
CA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerCA API Management: A DevOps Enabler
CA API Management: A DevOps Enabler
 
Intro to Salesforce Mobile SDK: Building Hybrid Apps Webinar
Intro to Salesforce Mobile SDK: Building Hybrid Apps WebinarIntro to Salesforce Mobile SDK: Building Hybrid Apps Webinar
Intro to Salesforce Mobile SDK: Building Hybrid Apps Webinar
 
Free advertising platform for businesses with IOS & Android Apps development
Free advertising platform for businesses with IOS & Android Apps developmentFree advertising platform for businesses with IOS & Android Apps development
Free advertising platform for businesses with IOS & Android Apps development
 
SlideShare Test-1
SlideShare Test-1SlideShare Test-1
SlideShare Test-1
 
IRJET- Agriculture Business to Business Website
IRJET- Agriculture Business to Business WebsiteIRJET- Agriculture Business to Business Website
IRJET- Agriculture Business to Business Website
 
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDK
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDKQuickly Build a Native Mobile App for your Community using Salesforce Mobile SDK
Quickly Build a Native Mobile App for your Community using Salesforce Mobile SDK
 
Rajendra Thota CV
Rajendra Thota CVRajendra Thota CV
Rajendra Thota CV
 

Similaire à Securing APIs with OAuth and SAML

API Best Practices
API Best PracticesAPI Best Practices
API Best PracticesSai Koppala
 
API-first, going beyond SOA, ESB & Integration
API-first, going beyond SOA, ESB & IntegrationAPI-first, going beyond SOA, ESB & Integration
API-first, going beyond SOA, ESB & IntegrationApigee | Google Cloud
 
Securely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gatewaySecurely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gatewayZuaib
 
5 Pillars of API Management
5 Pillars of API Management5 Pillars of API Management
5 Pillars of API ManagementRich Graham
 
Deep dive into Salesforce Connected App
Deep dive into Salesforce Connected AppDeep dive into Salesforce Connected App
Deep dive into Salesforce Connected AppDhanik Sahni
 
Meetup 2022 - API Gateway landscape.pdf
Meetup 2022 - API Gateway landscape.pdfMeetup 2022 - API Gateway landscape.pdf
Meetup 2022 - API Gateway landscape.pdfLuca Mattia Ferrari
 
Vertical APIs as Core Product
Vertical APIs as Core ProductVertical APIs as Core Product
Vertical APIs as Core ProductZak Schwarzman
 
EduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationEduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationChristian Glahn
 
Practical guide to building public APIs
Practical guide to building public APIsPractical guide to building public APIs
Practical guide to building public APIsReda Hmeid MBCS
 
Managing micro services for your company
Managing micro services for your companyManaging micro services for your company
Managing micro services for your companyJustin Lovell
 
Api economy and why effective security is important (1)
Api economy and why effective security is important (1)Api economy and why effective security is important (1)
Api economy and why effective security is important (1)IndusfacePvtLtd
 
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516Tanjina Prema
 
AWS Serverless per startup: come innovare senza preoccuparsi dei server
AWS Serverless per startup: come innovare senza preoccuparsi dei serverAWS Serverless per startup: come innovare senza preoccuparsi dei server
AWS Serverless per startup: come innovare senza preoccuparsi dei serverAmazon Web Services
 
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCloudIDSummit
 

Similaire à Securing APIs with OAuth and SAML (20)

Securing Insecure
Securing InsecureSecuring Insecure
Securing Insecure
 
5 pillars of API Management
5 pillars of API Management5 pillars of API Management
5 pillars of API Management
 
API Best Practices
API Best PracticesAPI Best Practices
API Best Practices
 
API-first, going beyond SOA, ESB & Integration
API-first, going beyond SOA, ESB & IntegrationAPI-first, going beyond SOA, ESB & Integration
API-first, going beyond SOA, ESB & Integration
 
Securely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gatewaySecurely expose protected resources as ap is with app42 api gateway
Securely expose protected resources as ap is with app42 api gateway
 
5 Pillars of API Management
5 Pillars of API Management5 Pillars of API Management
5 Pillars of API Management
 
5 Pillars of API Management
5 Pillars of API Management5 Pillars of API Management
5 Pillars of API Management
 
Deep dive into Salesforce Connected App
Deep dive into Salesforce Connected AppDeep dive into Salesforce Connected App
Deep dive into Salesforce Connected App
 
WEB API Gateway
WEB API GatewayWEB API Gateway
WEB API Gateway
 
Meetup 2022 - API Gateway landscape.pdf
Meetup 2022 - API Gateway landscape.pdfMeetup 2022 - API Gateway landscape.pdf
Meetup 2022 - API Gateway landscape.pdf
 
Vertical APIs as Core Product
Vertical APIs as Core ProductVertical APIs as Core Product
Vertical APIs as Core Product
 
EduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationEduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and Implementation
 
Practical guide to building public APIs
Practical guide to building public APIsPractical guide to building public APIs
Practical guide to building public APIs
 
Managing micro services for your company
Managing micro services for your companyManaging micro services for your company
Managing micro services for your company
 
Bigger, Better Business With OAuth
Bigger, Better Business With OAuthBigger, Better Business With OAuth
Bigger, Better Business With OAuth
 
Api economy and why effective security is important (1)
Api economy and why effective security is important (1)Api economy and why effective security is important (1)
Api economy and why effective security is important (1)
 
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
 
Feide Connect
Feide ConnectFeide Connect
Feide Connect
 
AWS Serverless per startup: come innovare senza preoccuparsi dei server
AWS Serverless per startup: come innovare senza preoccuparsi dei serverAWS Serverless per startup: come innovare senza preoccuparsi dei server
AWS Serverless per startup: come innovare senza preoccuparsi dei server
 
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
 

Plus de WSO2

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in ChoreoWSO2
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023WSO2
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzureWSO2
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfWSO2
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in MinutesWSO2
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityWSO2
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...WSO2
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfWSO2
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoWSO2
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsWSO2
 
A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital BusinessesWSO2
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)WSO2
 
Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformationWSO2
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesWSO2
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready BankWSO2
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIsWSO2
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native DeploymentWSO2
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”WSO2
 

Plus de WSO2 (20)

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in Choreo
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on Azure
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdf
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos Identity
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdf
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing Choreo
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
 
A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
 

Dernier

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Dernier (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Securing APIs with OAuth and SAML

  • 1. Securing Insecure Prabath Siriwardena, WSO2 Twitter : @prabath
  • 11. Pattern 01 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application passes logged in user’s identifier to the backend APIs and retrieves data related to the user.
  • 12.
  • 13.
  • 14. Pattern 02 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged in user.
  • 15.
  • 16.
  • 17. Pattern 03 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.
  • 18.
  • 19. Pattern 04 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user. All the users are in a Windows domain and once they are logged into their workstations – they should not be asked to provide credentials at any point for any other application.
  • 20.
  • 21. Pattern 05 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees as well as employees from trusted partners via multiple web applications. All the internal user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.
  • 22.
  • 23. Pattern 06 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to an OpenID Connect Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.
  • 24.
  • 25. Pattern 07 Problem Statement A medium-scale enterprise in the finance industry needs to expose an API to its customers through a mobile application. One major requirement is that all the API calls should support non-repudiation.
  • 26.
  • 27. Pattern 08 Problem Statement A medium-scale enterprise that sells bottled water has a RESTful API (Water API), which can be used to update the amount of water consumed by a registered user. These APIs should be accessed by any registered user via any client application - could be an android app, an iOS app or even a web application. The company only provides APIs and anyone can develop client applications to consume those. All the user data are stored in an Active Directory. Client applications should not be able to access the API directly and query about users. Only registered users can access the API – and they also should not be able to see other users information. At the same time for each update by the user – the Water API must also update user’s health care record maintained at the MyHealth.org. The user also has a user record at MyHealth.org and it too exposes an API (MyHealth API). The Water API has to call MyHealth API to update user record, on be half of the user.
  • 28.
  • 29. Pattern 09 Problem Statement A large-scale enterprise has a set of RESTful APIs. The APIs are hosted in different departments and each department runs its own OAuth authorization server due to vendor incompatibilities in different deployments. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall – irrespective of the department they belong to. All the user data are stored in a centralized Active Directory and all the web applications are connected to a centralized OAuth Authorization Server (also supports OpenID Connect) to authenticate users. The web applications need to access backend APIs on behalf of the logged in user. These APIs may come from different departments – having their own authorization servers. The company also has a centralized OAuth authorization server and an employee having an access token from the centralized authorization server must be able to access any API hosted in any department.
  • 30.
  • 31. Pattern 10 Problem Statement A global organization has APIs and API clients distributed across different regions. Each region operates independent from each other. Currently both the clients and the APIs are non-secured. Need to secure the APIs without doing any changes either at the API end or at the client end.
  • 32.
  • 33. Pattern 11 Problem Statement A company wants to expose an API to its own employees. But the user credentials must not ever go over the wire.
  • 34. Pattern 12 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged in user. The backend API must authorize the user.
  • 35.