An OAuth protected platform (Nordic APIS April 2014)

An OAuth-protected API Platform for Private, Partner & Public Use By Travis Spencer, CEO @travisspencer / @2botech

Transcript of An OAuth protected platform (Nordic APIS April 2014)

Page 1: An OAuth protected platform (Nordic APIS April 2014)

An OAuth-protected API Platform for Private, Partner & Public Use
By Travis Spencer, CEO
@travisspencer / @2botech

Page 2: An OAuth protected platform (Nordic APIS April 2014)

Copyright 2014 Twobo Technologies AB @travisspencer / @2botech 2

Agenda

▪ Business benefits of APIs
▪ Associated security challenges
▪ Requirements to overcome these obstacles
▪ Platform security architecture
  ▪ Delivers business benefits
  ▪ Overcomes challenges
  ▪ Meets specifications

Page 3: An OAuth protected platform (Nordic APIS April 2014)


Business Benefits of Private APIs

6 Benefits of APIs:
▪ Modernize organization
▪ Start API strategy
▪ Manage supply chain
▪ Time-to-market
▪ Internal communication
▪ Business intelligence analytics

▪ Post by Mark Boyd on Nordic APIs blog
▪ Same benefits afforded by partner & public APIs
▪ j.mp/1dpGCX6

Page 4: An OAuth protected platform (Nordic APIS April 2014)


Starting an API Strategy

▪ Not beginning with a clean slate
▪ Existing data & systems must be made available in new ways
▪ Reuse & extend existing infrastructure
▪ Bridge old & new technologies

Page 5: An OAuth protected platform (Nordic APIS April 2014)


Neo-security Requirements

▪ Identity & content must be converted
▪ Legacy systems must be concealed & abstracted
▪ Work with all modes of service delivery
▪ Secure all channels

Page 6: An OAuth protected platform (Nordic APIS April 2014)


Modernize Organization

▪ Core business capabilities are distilled into reusable modules
▪ Composed together like Legos
▪ Security will prevent or allow composability

[Image: Lego blocks]

Page 7: An OAuth protected platform (Nordic APIS April 2014)


Neo-security Requirements

▪ Based on open, international standards
▪ COTS products must be limited to specialized roles
▪ Apps & Web sites must not perform authentication & authorization

Page 8: An OAuth protected platform (Nordic APIS April 2014)


Manage Supply Chain

▪ Optimization of value across organizational boundaries
▪ Massive distribution
▪ Automation

▪ Lack of robust security is a showstopper
▪ Users demand seamless access across apps
▪ API client & end user must be identified
▪ Rights must be applied to users from other organizations

Page 9: An OAuth protected platform (Nordic APIS April 2014)


Neo-security Requirements

▪ Access control
▪ Account provisioning
▪ Web Single Sign-on (SSO) & federation
▪ Delegated access (a la OAuth)

Page 10: An OAuth protected platform (Nordic APIS April 2014)


OAuth

▪ OAuth 2 is the new protocol of protocols
▪ Used as the base of other specifications
  ▪ OpenID Connect, UMA, etc.
▪ Addresses some important requirements
  ▪ Delegated access
  ▪ No password sharing
  ▪ Revocation of access

Page 11: An OAuth protected platform (Nordic APIS April 2014)


OAuth Actors

1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)

[Diagram: the RO delegates to the Client; the Client gets a token from the AS; the Client uses the token at the RS]

Page 12: An OAuth protected platform (Nordic APIS April 2014)


Scopes

▪ Like permissions
▪ Scopes specify extent of tokens' usefulness
▪ Listed on consent UI (if shown)
▪ No standardized scopes
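An added example (not code from the talk or from Twobo) showing the four actors from the previous slide together with scopes and revocation: a constructed in-memory Authorization Server issues opaque tokens the Resource Owner delegated to a client, and a constructed Resource Server checks the token and enforces the scope each operation needs. The scope names, endpoints and the introspection-style lookup are assumptions chosen for the illustration, since the talk notes there are no standardized scopes.

```python
import secrets
import time

# Constructed in-memory stand-in for the Authorization Server (AS).
class AuthorizationServer:
    def __init__(self):
        self._tokens = {}  # opaque token -> record of what the RO delegated

    def issue_token(self, client_id, resource_owner, scopes, ttl_seconds=3600):
        """'Get a token': the client receives a token carrying only the
        scopes the Resource Owner (RO) consented to. Scope names are constructed."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "client_id": client_id,
            "sub": resource_owner,
            "scope": set(scopes),
            "exp": time.time() + ttl_seconds,
            "active": True,
        }
        return token

    def revoke(self, token):
        """Revocation of access: no password change needed, the token simply dies."""
        if token in self._tokens:
            self._tokens[token]["active"] = False

    def introspect(self, token):
        """Return the token record if it is known, active and unexpired, else None."""
        rec = self._tokens.get(token)
        if rec is None or not rec["active"] or rec["exp"] < time.time():
            return None
        return rec


# Constructed Resource Server (RS, i.e. the API): each operation declares its scope.
REQUIRED_SCOPE = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


class ResourceServer:
    def __init__(self, authorization_server):
        self.auth = authorization_server

    def handle(self, method, path, bearer_token):
        """'Use a token': validate the token with the AS, then enforce the
        scope this operation needs. Returns (HTTP status, body)."""
        required = REQUIRED_SCOPE.get((method, path))
        if required is None:
            return 404, "no such resource"
        rec = self.auth.introspect(bearer_token)
        if rec is None:
            return 401, "invalid_token"
        if required not in rec["scope"]:
            return 403, f"insufficient_scope: need {required}"
        return 200, f"{method} {path} on behalf of {rec['sub']} via client {rec['client_id']}"


def demo():
    """Delegation, scope enforcement and revocation in sequence; returns the statuses."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    # RO 'alice' delegates read-only access to the 'mobile-app' client (constructed names).
    token = auth.issue_token("mobile-app", "alice", ["orders:read"])
    results = [
        api.handle("GET", "/orders", token)[0],     # 200: delegated scope present
        api.handle("POST", "/orders", token)[0],    # 403: scope was never delegated
        api.handle("GET", "/orders", "garbage")[0], # 401: token unknown to the AS
    ]
    auth.revoke(token)
    results.append(api.handle("GET", "/orders", token)[0])  # 401: revoked
    return results


if __name__ == "__main__":
    print(demo())
```

The RS never sees the RO's password and never decides who the user is; it only asks the AS whether the token is live and whether the delegated scopes cover the operation. That separation is the point of the "Apps & Web sites must not perform authentication & authorization" requirement.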

Page 13: An OAuth protected platform (Nordic APIS April 2014)


Usage of OAuth

▪ Not for authentication
▪ Not really for authorization
▪ Not for federation

Page 14: An OAuth protected platform (Nordic APIS April 2014)


Usage of OAuth

▪ For delegated access

Page 15: An OAuth protected platform (Nordic APIS April 2014)


Requirements Demand More

[Diagram: Identities, APIs, Entitlements]

▪ Today's use cases require more than just delegation
▪ OAuth is important but insufficient

Page 16: An OAuth protected platform (Nordic APIS April 2014)


OpenID Connect

▪ Next generation federation protocol
▪ Based on OAuth 2
▪ Made for mobile
▪ Not backward compatible
▪ Client & API receive tokens
▪ Endpoint provided for client to get user data

Page 17: An OAuth protected platform (Nordic APIS April 2014)


OpenID Connect + OAuth Example

[Sequence diagram; participants: Browser, RP / Client, OpenID Provider]

1. RP / Client requests login via the Browser, providing the "openid" scope & user info scopes
2. OpenID Provider returns an access code
3. RP / Client redeems the access code
4. OpenID Provider returns an access token & ID token
5. RP / Client checks the audience restriction of the ID token
6. RP / Client gets user info using the access token
7. Access tokens are then used against APIs
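An added example (not code from the talk or from Twobo) that walks through the exchange on the previous slide end to end: a constructed OpenID Provider issues a one-time code, the RP redeems it for an access token plus ID token, validates the ID token's signature, issuer, audience, expiry and nonce, and then calls the user info endpoint. The issuer URL, client ids, user record and the HS256-signed JWT are assumptions; a real OP would publish asymmetric keys rather than share an HMAC secret with the RP.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Constructed OP-side JWT minting (HS256 for a self-contained demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Pin the algorithm and check the signature before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class OpenIDProvider:
    ISSUER = "https://op.example"  # constructed issuer identifier

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.codes, self.access_tokens = {}, {}
        self.users = {"alice": {"sub": "alice", "name": "Alice", "email": "alice@example"}}

    def authorize(self, client_id, scope, nonce, user):
        """Browser step: user authenticates and consents; OP returns a one-time code."""
        if "openid" not in scope.split():
            raise ValueError("openid scope required")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "scope": scope, "nonce": nonce, "sub": user}
        return code

    def token(self, code, client_id):
        """Redeem the code (single use, bound to the client) for access + ID tokens."""
        rec = self.codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id:
            raise ValueError("invalid_grant")
        now = int(time.time())
        id_token = sign_jwt({"iss": self.ISSUER, "sub": rec["sub"], "aud": client_id,
                             "iat": now, "exp": now + 300, "nonce": rec["nonce"]}, self.key)
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = rec
        return {"access_token": access_token, "id_token": id_token, "token_type": "Bearer"}

    def userinfo(self, access_token):
        """User info endpoint: release only the claims the granted scopes cover."""
        rec = self.access_tokens.get(access_token)
        if rec is None:
            raise ValueError("invalid_token")
        user, scopes = self.users[rec["sub"]], rec["scope"].split()
        claims = {"sub": user["sub"]}
        if "profile" in scopes:
            claims["name"] = user["name"]
        if "email" in scopes:
            claims["email"] = user["email"]
        return claims


def validate_id_token(id_token, key, issuer, client_id, nonce):
    """RP-side checks: signature, issuer, audience restriction, expiry, nonce."""
    claims = verify_jwt(id_token, key)
    if claims["iss"] != issuer:
        raise ValueError("wrong issuer")
    if claims["aud"] != client_id:
        raise ValueError("audience mismatch")
    if claims["exp"] < time.time():
        raise ValueError("expired")
    if claims["nonce"] != nonce:
        raise ValueError("nonce mismatch")
    return claims


def relying_party_login(op, client_id, scope="openid profile"):
    """The full exchange from the RP's point of view; returns (subject, user info)."""
    nonce = secrets.token_urlsafe(8)
    code = op.authorize(client_id, scope, nonce, "alice")   # redirect via browser (simulated)
    tokens = op.token(code, client_id)                      # redeem access code
    identity = validate_id_token(tokens["id_token"], op.key, op.ISSUER, client_id, nonce)
    return identity["sub"], op.userinfo(tokens["access_token"])


def rejects_foreign_audience(op, client_id, other_client):
    """Negative case: an ID token minted for another client must fail this RP's check."""
    code = op.authorize(other_client, "openid", "n", "alice")
    tokens = op.token(code, other_client)
    try:
        validate_id_token(tokens["id_token"], op.key, op.ISSUER, client_id, "n")
    except ValueError as err:
        return str(err)
    return None
```

The audience check is the step the slide singles out: an ID token is proof of login only for the client named in `aud`, so an RP that skips it would accept tokens issued to any other client of the same provider.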

Page 18: An OAuth protected platform (Nordic APIS April 2014)


The Neo-security Stack

[Diagram: standard and the capability it provides]
▪ OpenID Connect: Federation
▪ SCIM: Provisioning
▪ OAuth: Delegated Access
▪ XACML: Authorization
▪ JSON Identity Suite: Identities

Page 19: An OAuth protected platform (Nordic APIS April 2014)


The Neo-security Platform

[Diagram: standards SCIM, JSON Identity Suite, OpenID Connect, OAuth, XACML spanning three systems]
▪ Entitlement Management System
▪ Identity Management System
▪ API Management System

Page 20: An OAuth protected platform (Nordic APIS April 2014)


Summary

▪ APIs offer many benefits
▪ Security will impede or enable these
▪ Technology exists to protect your API
▪ OAuth is not enough
▪ Need the entire Neo-security Stack
▪ The Neo-security Platform protects data & delivers benefits

Page 21: An OAuth protected platform (Nordic APIS April 2014)


Questions & Thanks

@2botech
@travisspencer
www.twobo.com