Secure your APIs using OAuth 2 and OpenID Connect
![Page 1: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/1.jpg)
Overview of OAuth and OpenID Connect
The Nuts and Bolts of API Security
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
![Page 2: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/2.jpg)
Organizers and founders
✓ All API Conferences
✓ API Community
✓ Active blogosphere
![Page 3: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/3.jpg)
Agenda
• The security challenge in context
• OAuth 2 Fundamentals
• Building OpenID Connect on OAuth
• 2 example use cases
![Page 4: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/4.jpg)
API Security == API Keys
• Problem solved!
![Page 5: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/5.jpg)
API Security != API Keys
• Revocable, un-audienced, non-expiring, bearer access tokens
• Symmetric keys
• Passwords!
![Page 6: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/6.jpg)
API Security == OAuth
• Problem solved for real this time?
Not that easy! Sorry :(
![Page 7: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/7.jpg)
Crucial Security Concerns
• Enterprise Security
• API Security
• Mobile Security
![Page 8: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/8.jpg)
Identity is Central
(Venn diagram by Gunnar Peterson: Mobile Security (MDM, MAM), API Security and Enterprise Security overlap, with Identity and AuthZ at the centre.)
![Page 9: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/9.jpg)
The Neo-security Stack
JSON Identity Suite:
• OpenID Connect: federation
• SCIM: provisioning, identities
• OAuth 2: delegated access, authorization
• U2F: authentication
![Page 10: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/10.jpg)
OAuth
• OAuth 2 is a protocol of protocols
– Used as the base of other specifications
– OpenID Connect, UMA, HEART, etc.
• Addresses some important requirements
– Delegated access
– No password sharing
– Revocation of access
![Page 11: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/11.jpg)
OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
(Diagram: the RO delegates to the Client; the Client gets a token from the AS; the Client uses the token at the RS.)
![Page 12: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/12.jpg)
Request, Authenticate & Consent
![Page 13: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/13.jpg)
The Client Requests Access
![Page 14: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/14.jpg)
The AS Requires the RO to Authenticate
![Page 15: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/15.jpg)
The AS Issues the One-time Use Code
![Page 16: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/16.jpg)
The Client Redeems the One-time Use Code
![Page 17: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/17.jpg)
The AS Issues the Token
![Page 18: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/18.jpg)
The Client Presents the Token to the RS
![Page 19: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/19.jpg)
The RS Validates the Token
![Page 20: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/20.jpg)
Access!
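The eight steps on slides 13 to 20, as an added worked example that is not part of the original slides: a Python simulation of the authorization code flow with a mock Authorization Server and Resource Server. The client name, client secret, redirect URI, scope names, audience and lifetimes are constructed for illustration. The access token is passed by reference (an opaque string), so the RS validates it by asking the AS, which is also why the code is single-use, the token is audienced, expires and can be revoked, in contrast to the API keys of slide 5.

```python
import secrets

# Constructed registration data for one confidential client (hypothetical names).
CLIENTS = {"photo-printer": {"secret": "printer-secret",
                             "redirect_uri": "https://printer.example/cb"}}
CODE_LIFETIME = 60     # seconds a one-time code stays redeemable
TOKEN_LIFETIME = 600   # seconds an access token stays valid


class AuthorizationServer:
    """Issues one-time codes, exchanges them for tokens, answers introspection (slides 13-17, 19)."""

    def __init__(self, audience):
        self.audience = audience
        self.codes = {}    # one-time code -> the grant it stands for
        self.tokens = {}   # by-reference access token -> what it authorizes

    def authorize(self, client_id, redirect_uri, scope, sub, now):
        """RO has authenticated and consented to `scope`; bind a one-time code to this client."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": sub, "scope": scope, "exp": now + CODE_LIFETIME}
        return code

    def token(self, code, client_id, client_secret, redirect_uri, now):
        """Redeem the code: client authenticates, code is consumed, access token issued."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)          # pop() makes the code single-use
        if (grant is None or grant["exp"] <= now or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)    # opaque: meaningful only to the AS
        self.tokens[access_token] = {"sub": grant["sub"], "scope": grant["scope"],
                                     "aud": self.audience, "exp": now + TOKEN_LIFETIME}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": grant["scope"]}

    def introspect(self, access_token, now):
        """RFC 7662-style lookup the RS uses to validate a by-reference token (slide 19)."""
        entry = self.tokens.get(access_token)
        if entry is None or entry["exp"] <= now:
            return {"active": False}
        return {"active": True, **entry}

    def revoke(self, access_token):
        """Takes effect immediately, because the RS always asks the AS."""
        self.tokens.pop(access_token, None)


class ResourceServer:
    """The API (slides 18-20): accepts a bearer token, validates it at the AS, enforces scope."""

    def __init__(self, authorization_server, audience, required_scope):
        self.as_, self.audience, self.required_scope = authorization_server, audience, required_scope

    def handle(self, authorization_header, now):
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.as_.introspect(authorization_header[len("Bearer "):], now)
        if not info["active"] or info["aud"] != self.audience:
            return 401, "invalid token"             # expired, revoked, unknown or for another API
        if self.required_scope not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, f"photos of {info['sub']}"


def run_flow(now=1_700_000_000):
    """Walk the flow end to end plus the failure cases; returns the outcome of each step."""
    as_ = AuthorizationServer(audience="photos-api")
    rs = ResourceServer(as_, "photos-api", required_scope="photos:read")
    cb = CLIENTS["photo-printer"]["redirect_uri"]
    # Slides 13-15: RO "alice" authenticates at the AS and consents; AS issues the code.
    code = as_.authorize("photo-printer", cb, scope="photos:read", sub="alice", now=now)
    # Slides 16-17: the client redeems the code over its back channel.
    issued = as_.token(code, "photo-printer", "printer-secret", cb, now)
    header = "Bearer " + issued["access_token"]
    results = {"first_call": rs.handle(header, now)[0]}
    try:                                            # a replayed or stolen code is worthless
        as_.token(code, "photo-printer", "printer-secret", cb, now)
        results["code_replay"] = "accepted"
    except PermissionError:
        results["code_replay"] = "rejected"
    # Unlike the API keys of slide 5, the token is audienced, expires and can be revoked.
    results["wrong_scope"] = ResourceServer(as_, "photos-api", "photos:write").handle(header, now)[0]
    results["after_expiry"] = rs.handle(header, now + TOKEN_LIFETIME)[0]
    as_.revoke(issued["access_token"])
    results["after_revoke"] = rs.handle(header, now)[0]
    return results


if __name__ == "__main__":
    print(run_flow())
```

Running `run_flow()` returns 200 for the first call, "rejected" for the code replay, 403 for the wrong scope, and 401 after expiry and after revocation. The single-use property comes from `dict.pop`, and the redirect_uri and client checks at the token endpoint are what stop a code captured by another client from being redeemed.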
![Page 21: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/21.jpg)
Scopes
• Like permissions
• Scopes specify extent of tokens’ usefulness
• Listed on consent UI (if shown)
• No standardized scopes (OAuth 2 itself defines none; OpenID Connect later adds openid, profile, email, etc.)
![Page 22: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/22.jpg)
Kinds of Tokens
• Access Tokens: like a session; used to secure API calls
• Refresh Tokens: like a password; used to get new access tokens
![Page 23: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/23.jpg)
Profiles of Tokens
• Bearer: bearer tokens are like cash, whoever holds one can spend it
• Holder of Key: HoK tokens are like credit cards, the presenter must also prove possession of a key
![Page 24: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/24.jpg)
Types of Tokens
• WS-Security
• SAML
• Custom
– Home-grown
– Oracle Access Manager
– SiteMinder
• JWT
![Page 25: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/25.jpg)
JWT Tokens
• Pronounced like the English word “jot”
• Lightweight tokens passed in HTTP headers & query strings (RFC 6750 discourages the query-string form, since URLs end up in logs and Referer headers)
• Akin to SAML tokens
– Less expressive
– Fewer security options
– More compact
– Encoded w/ JSON not XML
![Page 26: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/26.jpg)
Passing Tokens
• By Value: the token itself carries the claims (e.g. “John Doe”) and can be validated where it is presented
• By Reference: the token is an opaque handle (e.g. “123XYZ”) that the recipient resolves at the AS
![Page 27: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/27.jpg)
Improper Usage of OAuth
• Not for authentication
• Not really for authorization
• Not for federation
![Page 28: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/28.jpg)
Proper Usage of OAuth
• For delegated access
• User to app delegation in particular
![Page 29: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/29.jpg)
OpenID Connect
• Next generation federation protocol
– Based on OAuth 2
– Made for mobile
– Not backward compatible (with OpenID 2.0)
• Client & API receive tokens
• User info endpoint provided for client to get user data
![Page 30: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/30.jpg)
OpenID Connect Example
(Sequence between the Browser, the RP / Client and the OAuth AS / OpenID Provider)
1. Request login, providing the “openid” scope & user info scopes
2. Authorization code (returned via the browser)
3. Send code to get access token
4. Access token & ID token
5. Check audience restriction of ID token
6. Get user info using access token
7. User info
![Page 31: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/31.jpg)
ID Token is for Client
• Access token is for API; ID token is for client
• ID token provides client with info about
– Intended client recipient (aud)
– Identifier of the logged-in user (sub)
– How the user authenticated (amr / acr)
– Issuer of token (iss)
– Expiration time (exp)
![Page 32: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/32.jpg)
User Info Endpoint
• OAuth-protected resource of the OpenID Provider that returns claims about the logged-in user
• Authenticate using bearer access token issued by OpenID Provider
• Output depends on requested and authorized scopes
• sub claim must match sub claim in ID token
![Page 33: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/33.jpg)
Applying All this to Micro-services
![Page 34: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/34.jpg)
All Micro-services Accept JWTs
But translate!
![Page 35: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/35.jpg)
Translate from by-ref to by-value in gateway
(Diagram: the RO’s client presents the by-reference token 123XYZ to the API Firewall / Reverse Proxy, which exchanges it for a by-value JWT before forwarding the call to the micro-services.)
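One added example, not the author’s code, serving two passages: the ID-token and user-info checks of slides 30 to 32, and the gateway translation of slides 34 and 35. It implements a minimal HS256 JWT sign/verify with the Python standard library so that the same `jwt_verify` shows the checks the client makes on the ID token (signature, iss, aud, exp) and the checks each micro-service makes on the access JWT. The issuer URLs, client ID, client secret, gateway key, service names, scopes and lifetimes are all hypothetical; the only spec-backed choice is that an HS256-signed ID token is keyed with the client secret (OpenID Connect Core 10.1).

```python
import base64, hashlib, hmac, json, secrets

# Minimal HS256 JWT, enough to show the checks; production code uses a vetted JOSE library.
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Signature first, then iss/aud/exp: the checks slide 31 lists for the ID token, and the
    ones every micro-service repeats on the access JWT. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # refuses alg=none and algorithm confusion
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")            # a token meant for someone else is rejected
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

# Slides 30-32: the OP issues an ID token for the client and user info for the same subject.
OP_ISSUER = "https://op.example"                      # hypothetical OpenID Provider
CLIENT_ID = "photo-printer"                           # hypothetical RP
CLIENT_SECRET = b"printer-secret"                     # HS256 ID tokens are keyed with the client secret

def op_issue_id_token(sub: str, amr: list, now: int) -> str:
    return jwt_sign({"iss": OP_ISSUER, "aud": CLIENT_ID, "sub": sub, "amr": amr,
                     "iat": now, "exp": now + 300}, CLIENT_SECRET)

def rp_accept_login(id_token: str, userinfo: dict, now: int) -> str:
    """Client side: the ID token must be for this client, and user info must describe the same sub."""
    claims = jwt_verify(id_token, CLIENT_SECRET, OP_ISSUER, CLIENT_ID, now)
    if userinfo.get("sub") != claims["sub"]:
        raise ValueError("userinfo sub does not match ID token sub")
    return claims["sub"]

# Slides 34-35: the gateway turns a by-reference token into a by-value JWT for the micro-services.
AS_REFERENCE_TOKENS = {}                              # what the AS knows about each opaque token
GATEWAY_ISSUER = "https://gateway.internal"           # hypothetical
GATEWAY_KEY = b"key-shared-with-microservices"        # hypothetical; assumed provisioned out of band

def as_issue_reference_token(sub: str, scope: str, now: int) -> str:
    ref = secrets.token_urlsafe(16)                   # like "123XYZ" on slide 26: opaque outside the AS
    AS_REFERENCE_TOKENS[ref] = {"sub": sub, "scope": scope, "exp": now + 600}
    return ref

def gateway_translate(ref: str, target_service: str, now: int) -> str:
    """API firewall / reverse proxy: resolve the reference at the AS, then mint a short-lived JWT
    audience-restricted to the single service the request is being routed to."""
    entry = AS_REFERENCE_TOKENS.get(ref)
    if entry is None or entry["exp"] <= now:
        raise ValueError("unknown or expired reference token")
    return jwt_sign({"iss": GATEWAY_ISSUER, "aud": target_service, "sub": entry["sub"],
                     "scope": entry["scope"], "exp": min(entry["exp"], now + 60)}, GATEWAY_KEY)

def microservice_authorize(jwt: str, service_name: str, required_scope: str, now: int) -> str:
    """Each micro-service verifies the by-value token locally; no round trip to the AS."""
    claims = jwt_verify(jwt, GATEWAY_KEY, GATEWAY_ISSUER, service_name, now)
    if required_scope not in claims["scope"].split():
        raise PermissionError("insufficient_scope")
    return claims["sub"]

if __name__ == "__main__":
    now = 1_700_000_000
    print(rp_accept_login(op_issue_id_token("alice", ["pwd", "otp"], now), {"sub": "alice"}, now))
    ref = as_issue_reference_token("alice", "photos:read", now)
    jwt = gateway_translate(ref, "photos-service", now)
    print(microservice_authorize(jwt, "photos-service", "photos:read", now))
```

The audience check is what keeps the two token kinds apart: an ID token issued with `aud` equal to the client ID fails `jwt_verify` when an API tries to accept it, and a JWT the gateway minted for one micro-service fails at another. The opaque reference never leaves the gateway, and the translated JWT expires within a minute, so a token that leaks from an internal log is short-lived and narrowly scoped.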
![Page 36: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/36.jpg)
Additional Resources
• Blog posts
– bit.ly/oauth-deep-dive
– bit.ly/4-api-security-defenses
– bit.ly/building-secure-api
– bit.ly/right-api-armor
– API keys: http://bit.ly/2dI9Z7Q
• Videos
– bit.ly/oauth-in-depth
– bit.ly/micro-services-security
– bit.ly/building-secure-api-video
• API security insights
– http://nordicapis.com/api-insights/security/
![Page 37: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/37.jpg)
For more information, visit curity.io
![Page 38: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/38.jpg)
Summary
• API security > API keys & OAuth
• OAuth 2 fundamentals
– Token types
– Profiles
– Passing tokens
• Building OpenID Connect on OAuth
![Page 39: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/39.jpg)
Thank you!
![Page 40: Secure your APIs using OAuth 2 and OpenID Connect](https://reader036.vdocuments.net/reader036/viewer/2022062223/5a673c027f8b9a453d8b5453/html5/thumbnails/40.jpg)