Building on the Ashes of Past Standards

Securing API Data Models

Jonathan LeBlancHead of Developer Evangelism (North

America)Github: http://github.com/jcleblanc

Slides: http://slideshare.net/jcleblancTwitter: @jcleblanc

The Ultimate Decision

Security Usability

The Path

to th

e Sta

ndard

The Insecure, Unmanageable Start

Very Secure, Long to Implement

Two Currently Widely Used Specs

Auth in

Pra

ctice

Fetching a Code

Prepare the Redirect URIAuthorization Endpointclient_id response_type (code)scope redirect_urinonce state

Browser RedirectRedirect URI

Fetching the Access Token

Fetch the Access TokenAccess Token Endpointclient_id code (query string)client_secret grant_type

HTTP POSTAccess Token Endpoint

A few implementation differences

Endpoints

Scopes (dynamic / static)

Using the Access Token in a request

Using th

e Ske

leto

n Key

How it’s Normally Used

Access user details

Push data throughuser social streams

But why?

Access token as a control structure

Improve Existing Products

Our showcase: Seamless Checkout

A Few Code Links

OAuth2 & OpenID Connect Sampleshttps://github.com/jcleblanc/oauthhttps://github.com/paypal/paypal-access

Log in with PayPalhttp://bit.ly/loginwithpaypal

http://bit.ly/securing_apis

Thank You! Questions?

Jonathan LeBlancHead of Developer Evangelism (North

America)Github: http://github.com/jcleblanc

Slides: http://slideshare.net/jcleblancTwitter: @jcleblanc