OAuth: The API Gatekeeper

•

3 recomendaciones•2,334 vistas

Now that you have built your API, how do you let the right people have access to the right API at the right time? This talk covers the basics of API access management and then does a deep dive into modern authorization architectures.

Tecnología Empresariales

The API Gatekeeper
Dick Hardt

Monday, November 4, 13

Agenda
•Access Control Overview

2
Monday, November 4, 13

Agenda
•Access Control Overview
•OAuth History

2
Monday, November 4, 13

Agenda
•Access Control Overview
•OAuth History
•OAuth Flows

2
Monday, November 4, 13

Agenda
•Access Control Overview
•OAuth History
•OAuth Flows
•Implementation Steps

2
Monday, November 4, 13

Agenda
•Access Control Overview
•OAuth History
•OAuth Flows
•Implementation Steps
•What can go wrong?

2
Monday, November 4, 13

Agenda
•Access Control Overview
•OAuth History
•OAuth Flows
•Implementation Steps
•What can go wrong?
•Q & A
2
Monday, November 4, 13

Authorization Code

3
Monday, November 4, 13

Authorization Code
•key into database

3
Monday, November 4, 13

Authorization Code
•key into database
–user, scope, app id, expiry (5 min)

3
Monday, November 4, 13

Authorization Code
•key into database
–user, scope, app id, expiry (5 min)
•token (self contained)

3
Monday, November 4, 13

Authorization Code
•key into database
–user, scope, app id, expiry (5 min)
•token (self contained)
–user, scope, app id, expiry (5 min)

3
Monday, November 4, 13

Authorization Code
•key into database
–user, scope, app id, expiry (5 min)
•token (self contained)
–user, scope, app id, expiry (5 min)
–JWT

3
Monday, November 4, 13

Access Token Lifecycle

4
Monday, November 4, 13

Access Token Lifecycle
•key into database

4
Monday, November 4, 13

Access Token Lifecycle
•key into database
–user, scope, app id, expiry, status

4
Monday, November 4, 13

Access Token Lifecycle
•key into database
–user, scope, app id, expiry, status
•token (self contained)

4
Monday, November 4, 13

Access Token Lifecycle
•key into database
–user, scope, app id, expiry, status
•token (self contained)
–user, scope, app id, expiry (60 minutes)

4
Monday, November 4, 13

Access Token Lifecycle
•key into database
–user, scope, app id, expiry, status
•token (self contained)
–user, scope, app id, expiry (60 minutes)
–JWT

4
Monday, November 4, 13

Access Token Lifecycle
•key into database
–user, scope, app id, expiry, status
•token (self contained)
–user, scope, app id, expiry (60 minutes)
–JWT
•Refresh token

4
Monday, November 4, 13

API Authorization Middleware
implementation dependent

Monday, November 4, 13

X-RateLimit-Limit: 500
X-RateLimit-Remaining: 432

Monday, November 4, 13

Developer Documentation /
Sandbox

Monday, November 4, 13

What can go wrong?

8
Monday, November 4, 13

What can go wrong?
•Compromise of client secret

8
Monday, November 4, 13

What can go wrong?
•Compromise of client secret
•Compromise of access tokens (server)

8
Monday, November 4, 13

What can go wrong?
•Compromise of client secret
•Compromise of access tokens (server)
–Developer rests client secret

8
Monday, November 4, 13

What can go wrong?
•Compromise of client secret
•Compromise of access tokens (server)
–Developer rests client secret
–All access tokens are invalidated

8
Monday, November 4, 13

Más contenido relacionado

Destacado

API Management and OAuth for Web, Mobile and the Cloud: Scott Morrison's Pres...

CA API Management

Implementing OAuth with PHP

Lorna Mitchell

Secure, govern and mediate integrations between enterprise applications and Cloud services Overview For Best Buy, the public Cloud provides a strategic way to dynamically scale consumer and partner-facing Web and API assets. The Cloud lets Best Buy accommodate peaks in demand without overbuilding, while isolating sensitive data from the public. Best Buy also needs a consistent way to control what information is shared with applications in the Cloud, while simultaneously insulating development teams from the vagaries of security, management and mediation challenges that arise when implementing a hybrid Cloud solution. This Webinar, presented by Best Buy, Amazon Web Services and Layer 7 Technologies, looks at a specific example of the Best Buy API Developer Portal and share best practices for security, governance and mediation of enterprise services with applications in the Cloud.

Secure and Govern Integration between the Enterprise & the Cloud

CA API Management

The bring-your-own-device (BYOD) trend is in full swing as the growth of mobile devices within the enterprise explodes. How do you enable secure data access for mobile applications? How do you deal with user authentication? How do you allow broader adoption of enterprise applications on user owned devices? CA and Layer 7 outline solutions to these issues, explore different approaches to mobile security, and use case studies to illustrate how others have solved these problems. This workshop was all about: • The latest mobile trends and opportunities • Emerging mobile risks and how these can be addressed • A reference architecture for secure enterprise mobility

Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...

CA API Management

Make OAuth implementation simple for your organization OAuth is an emerging Web standard that lets users grant third-party clients restricted access to resources they own. In the past, it was common to ask a user to share username and password information with the client. OAuth is more secure as it allows the user to grant restricted access to applications and data, by issuing a token with limited capabilities. OAuth is rapidly becoming a foundation of the modern Web and has grown far beyond its social media roots. This evolution is being driven by the corporate need to support increasingly diverse clients – particularly mobile devices. Organizations are aggressively deploying APIs to service the mobile delivery channel and OAuth is the best practice for API authorization. However, OAuth is only one component of a full API access control and security solution. It is important not to lose sight of the big picture of API management—including user management, auditing, throttling and threat detection. APIs are often a direct conduit to mission-critical enterprise applications. They need a full, enterprise-class security solution to protect them. This white paper describes: What OAuth is and how it fits into a complete API security solution Why implementing OAuth can be complex How you can make OAuth implementation simple for your organization

A How-to Guide to OAuth & API Security

CA API Management

OAuth is taking off as a standard way for apps and websites to handle authentication. But OAuth is a fast moving spec that can be hard to pin down. Why should you use OAuth and what are the business and operational benefits? What's the story with all of the different versions and which one should you choose? Watch this webinar with Apigee's CTO Gregory Brail and Sr. Architect Brian Pagano for 'big picture straight talk' on these OAuth questions and more.

OAuth for your API - The Big Picture

Apigee | Google Cloud

Open API Ecosystem Overview: December 2010

John Musser

Whitebase : Assault Carrier for Micro-Services

Jaewoo Ahn

OAuth - Open API Authentication

leahculver

Oracle API Gateway

Rakesh Gujjarlapudi

REST API Security: OAuth 2.0, JWTs, and More!

Stormpath

An Introduction to OAuth 2

Aaron Parecki

Api gateway : To be or not to be

Jaewoo Ahn

Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale. In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective C.

(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs

Amazon Web Services

Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure and monitor APIs at any scale. In this session, you’ll find out how you can quickly declare an API interface and connect it to any public HTTP endpoint, existing web service running on Amazon Elastic Compute Cloud (Amazon EC2) or code running on AWS Lambda. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. Join us for this introductory session to Amazon API Gateway.

Build and Manage Your APIs with Amazon API Gateway

Amazon Web Services

Secure Your REST API (The Right Way)

Stormpath

Destacado (16)

API Management and OAuth for Web, Mobile and the Cloud: Scott Morrison's Pres...

Implementing OAuth with PHP

Secure and Govern Integration between the Enterprise & the Cloud

Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...

A How-to Guide to OAuth & API Security

OAuth for your API - The Big Picture

Open API Ecosystem Overview: December 2010

Whitebase : Assault Carrier for Micro-Services

OAuth - Open API Authentication

Oracle API Gateway

REST API Security: OAuth 2.0, JWTs, and More!

An Introduction to OAuth 2

Api gateway : To be or not to be

(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs

Build and Manage Your APIs with Amazon API Gateway

Secure Your REST API (The Right Way)

Similar a OAuth: The API Gatekeeper

John DaSilva, Identity Architect, Ping Identity Brian Campbell, Portfolio Architect, Ping Identity If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.

CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...

CloudIDSummit

Next Generation Memory Forensics

Andrew Case

2016 TTL Security Gap Analysis with Kali Linux

Jason Murray

Introduction to Lectures in Apple iClub at DA-IICT

Nitesh Bhatia

BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...

Aditya K Sood

PENETRATION TESTING FROM A HOT TUB TIME MACHINE

Chris Gates

Introduction to OWASP & Web Application Security

ethical Hack

Wm4

Wm4

Cambodia CERT Seminar: Incident response for ransomeware attacks

APNIC

Open Source Search Andreas Pesenhofer (max.recall, Austria) Helmut Berger (max.recall, Austria Open source search technologies receive more and more attention for a growing range of applications. While initially being developed for the sole purpose of search, they are increasingly being used to power analytics applications with the purpose of performing complex operations on large amounts of complex data. With the ever-increasing amount of data being available on many levels (e.g. personal, team- or company-wide, or global), search often is the only way to get access to the information actually needed. Given the value of this information, the more important it is to have full control over how it is indexed, a fundamental property open source search technologies are able to provide in contrast to many proprietary solutions. This presentation provides an overview of what can be done with Lucene and Lucene-based search engines like Solr and - recently receiving more attention in the light of cloud-based scale-out solutions - ElasticSearch. These open source projects have reached a state of maturity and commercial support that enabled them to compete with and already replace proprietary solutions of established vendors.

ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall

Dr. Haxel Consult

Thick client pentesting_the-hackers_meetup_version1.0pptx

Anurag Srivastava

Incident response before:after breach

Sumedt Jitpukdebodin

Logging & Docker - Season 2

Christian Beedgen

Butler - Security Lessons Learned from an Ezproxy Admin

National Information Standards Organization (NISO)

Limiting application security tests to a single attacking host has left the industry using phrases such as “an attacker could” or “an attacker may be able to,” when referencing common attacks such as online attacks against user credentials, application-level denial of service and username enumeration. Attacks from a single host are not practical, and do not model real-world threats. The aforementioned tasks would benefit greatly from the ability to distribute across different hosts to properly demonstrate impact. Httpillage is a tool designed to distribute HTTP(s) based attacks across multiple nodes, in similar fashion to a traditional botnet C&C server. Common attacks such as online password brute-force, denial of service, and application enumeration are entirely possible to distribute, increasing speed and effectiveness. This talk will demonstrate the use of httpillage to launch common attacks across multiple nodes, including the ability to brute-force time-based password reset tokens. We’ll walk through scenarios that demonstrate how to provide proper impact demonstration, launching attacks that would not be successful during a traditional pentest.

Httpillage lascon-2015

forcedrequest

Pentest: footprinting & scan

JUNIOR SORO

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...

Michael Pirnat

Burp suite

Yashar Shahinzadeh

Similar a OAuth: The API Gatekeeper (20)

CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...

Next Generation Memory Forensics

2016 TTL Security Gap Analysis with Kali Linux

Introduction to Lectures in Apple iClub at DA-IICT

BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...

PENETRATION TESTING FROM A HOT TUB TIME MACHINE

Introduction to OWASP & Web Application Security

ethical Hack

Wm4

Cambodia CERT Seminar: Incident response for ransomeware attacks

ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall

Thick client pentesting_the-hackers_meetup_version1.0pptx

Incident response before:after breach

Logging & Docker - Season 2

Butler - Security Lessons Learned from an Ezproxy Admin

Httpillage lascon-2015

Pentest: footprinting & scan

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...

Burp suite

Más de Apigee | Google Cloud

How Secure Are Your APIs?

Apigee | Google Cloud

Magazine Luiza at a glance (1)

Apigee | Google Cloud

Do you want to scale your API program? Do you want to create new business opportunities with developers and partners? If so, monetization might be the right strategy for you. Monetization is influencing how APIs are delivered. It provides the flexibility to generate different API consumption models for developers, and it opens opportunities to derive value from APIs, for developers and for partners. Learn about: - Monetization trends and best practices - The industries that leverage API monetization today - The future of monetization

Monetization: Unlock More Value from Your APIs

Apigee | Google Cloud

Watch the live demo of Apigee's API platform to learn how to: - easily configure and manage new APIs and enforce security with minimal impact to backend services - create, manage and monetize API products - extend API Services to increase flexibility and tailor to business requirements with JavaScript, Java, Python, and Node.js - provide developers easy, yet secure access to explore, test, and deploy APIs - use end-to-end visibility across the digital value chain to monitor, measure, and manage success

Apigee Demo: API Platform Overview

Apigee | Google Cloud

Ticketmaster at a glance

Apigee | Google Cloud

AccuWeather: Recasting API Experiences in a Developer-First World

Apigee | Google Cloud

App modernization projects are hard. Enterprises are looking to cloud-native platforms like Pivotal Cloud Foundry to run their applications, but they’re worried about the risks inherent to any replatforming effort. Fortunately, several repeatable patterns of successful incremental migration have emerged. In this webcast, Google Cloud’s Prithpal Bhogill and Pivotal’s Shaun Anderson will discuss best practices for app modernization and securely and seamlessly routing traffic between legacy stacks and Pivotal Cloud Foundry.

Which Application Modernization Pattern Is Right For You?

Apigee | Google Cloud

Apigee's Ed Anuff and Bala Kasiviswanathan will discuss how these forces inform and drive the Apigee product roadmap. Join Ed and Bala for a preview of how Apigee will deliver on its product goals, including a common stack that enables us to address our customers' multi-cloud opportunity. Learn how we'll help companies transition to the PaaS/cloud-native future, how we'll leverage Google's OSS presence, and how we will continue to emphasize the needs of developers.

Apigee Product Roadmap Part 2

Apigee | Google Cloud

The Four Transformative Forces of the API Management Market

Apigee | Google Cloud

Walgreens at a glance

Apigee | Google Cloud

Apigee Edge: Intro to Microgateway

Apigee | Google Cloud

Dive into a reference architecture that demonstrates the patterns and practices for securely connecting microservices together using Apigee Edge integration for Pivotal Cloud Foundry. We will discuss: - basics for building cloud-native applications as microservices on - Pivotal Cloud Foundry using Spring Boot and Spring Cloud Services - patterns and practices that are enabling small autonomous microservice teams to provision backing services for their applications - how to securely expose microservices over HTTP using Apigee Edge for PCF Watch the webcast here: https://youtu.be/ETT6WP-3me0

Managing the Complexity of Microservices Deployments

Apigee | Google Cloud

Pitney Bowes at a glance

Apigee | Google Cloud

Microservices Done Right: Key Ingredients for Microservices Success

Apigee | Google Cloud

Adapt or Die: Opening Keynote with Chet Kapoor

Apigee | Google Cloud

Adapt or Die: Keynote with Greg Brail

Apigee | Google Cloud

Adapt or Die: Keynote with Anant Jhingran

Apigee | Google Cloud

London Adapt or Die: Opening Keynot

Apigee | Google Cloud

London Adapt or Die: Lunch keynote

Apigee | Google Cloud

London Adapt or Die: Closing Keynote — Adapt Now!

Apigee | Google Cloud

Más de Apigee | Google Cloud (20)

How Secure Are Your APIs?

Magazine Luiza at a glance (1)

Monetization: Unlock More Value from Your APIs

Apigee Demo: API Platform Overview

Ticketmaster at a glance

AccuWeather: Recasting API Experiences in a Developer-First World

Which Application Modernization Pattern Is Right For You?

Apigee Product Roadmap Part 2

The Four Transformative Forces of the API Management Market

Walgreens at a glance

Apigee Edge: Intro to Microgateway

Managing the Complexity of Microservices Deployments

Pitney Bowes at a glance

Microservices Done Right: Key Ingredients for Microservices Success

Adapt or Die: Opening Keynote with Chet Kapoor

Adapt or Die: Keynote with Greg Brail

Adapt or Die: Keynote with Anant Jhingran

London Adapt or Die: Opening Keynot

London Adapt or Die: Lunch keynote

London Adapt or Die: Closing Keynote — Adapt Now!

Último

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Evaluating the top large language models.pdf

ChristopherTHyatt

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

CNv6 Instructor Chapter 6 Quality of Service

giselly40

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

OAuth: The API Gatekeeper

1. The API Gatekeeper Dick Hardt Monday, November 4, 13

2. Agenda 2 Monday, November 4, 13

3. Agenda •Access Control Overview 2 Monday, November 4, 13

4. Agenda •Access Control Overview •OAuth History 2 Monday, November 4, 13

5. Agenda •Access Control Overview •OAuth History •OAuth Flows 2 Monday, November 4, 13

6. Agenda •Access Control Overview •OAuth History •OAuth Flows •Implementation Steps 2 Monday, November 4, 13

7. Agenda •Access Control Overview •OAuth History •OAuth Flows •Implementation Steps •What can go wrong? 2 Monday, November 4, 13

8. Agenda •Access Control Overview •OAuth History •OAuth Flows •Implementation Steps •What can go wrong? •Q & A 2 Monday, November 4, 13

9. Authorization Code 3 Monday, November 4, 13

10. Authorization Code •key into database 3 Monday, November 4, 13

11. Authorization Code •key into database –user, scope, app id, expiry (5 min) 3 Monday, November 4, 13

12. Authorization Code •key into database –user, scope, app id, expiry (5 min) •token (self contained) 3 Monday, November 4, 13

13. Authorization Code •key into database –user, scope, app id, expiry (5 min) •token (self contained) –user, scope, app id, expiry (5 min) 3 Monday, November 4, 13

14. Authorization Code •key into database –user, scope, app id, expiry (5 min) •token (self contained) –user, scope, app id, expiry (5 min) –JWT 3 Monday, November 4, 13

15. Access Token Lifecycle 4 Monday, November 4, 13

16. Access Token Lifecycle •key into database 4 Monday, November 4, 13

17. Access Token Lifecycle •key into database –user, scope, app id, expiry, status 4 Monday, November 4, 13

18. Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) 4 Monday, November 4, 13

19. Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) 4 Monday, November 4, 13

20. Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT 4 Monday, November 4, 13

21. Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT •Refresh token 4 Monday, November 4, 13

22. Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT •Refresh token –user, scope, app id, expiry / status 4 Monday, November 4, 13

23. Access Token Lifecycle •key into database –user, scope, app id, expiry, status •token (self contained) –user, scope, app id, expiry (60 minutes) –JWT •Refresh token –user, scope, app id, expiry / status –JWT 4 Monday, November 4, 13

24. API Authorization Middleware implementation dependent Monday, November 4, 13

25. X-RateLimit-Limit: 500 X-RateLimit-Remaining: 432 Monday, November 4, 13

26. Developer Documentation / Sandbox Monday, November 4, 13

27. Developer Documentation / Sandbox Monday, November 4, 13

28. What can go wrong? 8 Monday, November 4, 13

29. What can go wrong? •Compromise of client secret 8 Monday, November 4, 13

30. What can go wrong? •Compromise of client secret •Compromise of access tokens (server) 8 Monday, November 4, 13

31. What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret 8 Monday, November 4, 13

32. What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated 8 Monday, November 4, 13

33. What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret 8 Monday, November 4, 13

34. What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret •Compromise of access token (client) 8 Monday, November 4, 13

35. What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret •Compromise of access token (client) –User revokes authorization 8 Monday, November 4, 13

36. What can go wrong? •Compromise of client secret •Compromise of access tokens (server) –Developer rests client secret –All access tokens are invalidated –Refresh tokens still work, but require new secret •Compromise of access token (client) –User revokes authorization •Resolution is self service 8 Monday, November 4, 13

OAuth: The API Gatekeeper

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (16)

Similar a OAuth: The API Gatekeeper

Similar a OAuth: The API Gatekeeper (20)

Más de Apigee | Google Cloud

Más de Apigee | Google Cloud (20)

Último

Último (20)

OAuth: The API Gatekeeper