NYC Identity Summit Tech Day: Best Practices for API Security

Best Practices for API Security

Ludovic Poitou, Product Management Director

API Security

Example:

ForgeRockIdentity Gateway

ForgeRockAccess Management

Throttling

Authorization

API Key• Use OAuth2 Tokens• Issued & managed centrally• Standard based• Access tokens are short-lived

and revocable• Scopes for finer permissions

Protecting against Disclosure• Secure End to End

• Between Client and Gateway• Between Gateway and API

• TLS• Certificate based

Authentication

Protect Against Misuse and DOS• Throttle the incoming traffic

• Overall• Per API• Per Client

• Also a monetization strategy!

https://www.flickr.com/photos/telstar/

Policy Decision and Enforcement Point

• Centralized policy management

• Introspect Token• Call ForgeRock Access

Management PDP• Border enforcement

• Specific rules and conditions• Not Found vs Forbidden

https://www.flickr.com/photos/yannickgar/

Monitoring and Auditing• Monitoring

• Status• Throughput and Response

Times statistics• Auditing

• Logs• Reporting• Billing

Summary

Throttling

Message Transformation Monitoring

Session Management Token Exchange

Scripting

Relying Party Authentication Authorization Federation (SAML /

Password Capture & Replay

Protected Resources

Identity Providers Data Stores

Web Applications

Services Layer

Access Layer HTTP / HTTPS OAuth2.0 | OpenID Connect | SAMLv2

External LayerDatabases

Directories

ForgeRock Identity Platform: Identity Gateway

Best Practices for API Security

Ludovic Poitou – Product Management DirectorLudovic.Poitou@ForgeRock.com

@ludomp

NYC Identity Summit Tech Day: Best Practices for API Security

Software

Transcript of NYC Identity Summit Tech Day: Best Practices for API Security

INTERACTIVE API TO INTEGRATE BORDER CONTROL PROCESSES · ILKER DUZGOREN Manager, Aviation Facilitation IATA . Advance Passenger Information (API) • Identity Information available

Financial-grade API (FAPI) and CIBA · 2019-09-19 · OAuth 2.0 API authorization OpenID Connect (OIDC) verifiable user identity Financial-grade API (FAPI) higher security The Financial-grade

Using API calls for Session Management - Cisco · 2-6 Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 Chapter 2 Using API Calls for Session Management

Designing for Others- Commercial API Design (NYC Code Camp)

Cisco Identity Services Engine API Reference Guide, …...Contents v Cisco Identity Services Engine API Reference Guide, Release 1.2 OL-26134-01 AcctStatus API Call Data 3-13 CHAPTER

Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013

A Common API & UI for Building Next Generation Identity Services

CLOUD NATIVE CONNECTED CARS. · Web Gateway User Mgmt Identity Store Weather Office News Main Core BMW Online Vehicle API Gen 5 In-Vehicle API Web REST API Clients Gateways Frontends

Digital Printing Company NYC - Neon Signs NYC - Awnings NYC - Banners

OpenID Connect & OAuth 2.0 Server for the Enterprise · API access management identity provision identity ... Modern token based security for web, ... User authentication

NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy

WSO2Con USA 2017: Rise to the Challenge with WSO2 Identity Server and WSO2 API Manager

An API Between US - LeanUX15 NYC

The API Economy: API Provider Perspective / European Identity Summit 2012

ingFederate Server 9.1 - docs.pingidentity.com · identity security, API security, and social identity integration. Browser-based SSO extends employee, customer and partner identities

Identity in an API Economy KuppingerCole Webinar Sponsored by Layer 7

SoundCloud API Learnings @ Startup Weekend NYC 2011

KONSTANTIN HYPPÖNEN Open Mobile Identity - UEFepublications.uef.fi/pub/urn_isbn_978-951-27-0112-4/urn_isbn_978... · KONSTANTIN HYPPÖNEN Open Mobile Identity ... API application

Raw API Documentation API Documentation.pdf · Digital Identity ApS, Bakkedraget 1, 8362 Hørning 3 / 58 4.11.2 Response ..... 38

Event Source API & Semantic Logging (Talk at NYC Code camp Sep 2014)