SlideShare una empresa de Scribd logo

OAuth in the Real World featuring Webshell

CA API Management
CA API Management

Find out how today’s authorization experts are getting maximum value from OAuth OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.

Tecnología
1 de 72
Descargar para leer sin conexión
© 2014 CA. All rights reserved. OAuth In The Real World How today’s authorization experts get maximum value from OAuth K. Scott Morrison Senior Vice President and Distinguished Engineer April 2014 Mehdi Medjaoul Co-Founder & Executive Director of Webshell
2 © 2014 CA. All rights reserved. Housekeeping Layer 7 @layer7 layer7.com/blogs layer7.com Chat questions into the sidebar or use hashtag: #L7webinar Webshell.io @Webshell_
3 © 2014 CA. All rights reserved. Today’s Talk  Why OAuth is more than just another security token  The basic OAuth architecture  What’s your grant type?  Token revocation and the implications for scaling  Managing dangerous windows of opportunity  Where should tokens reside?  Scopes, privileges and consent  OAuth facades over existing IAM systems  OAuth integration with legacy HTML login pages
4 © 2014 CA. All rights reserved. Basic OAuth 2.0 Client Authorization Server Resource Server Resource Owner Acquire Tokens Use Access Token
5 © 2014 CA. All rights reserved. A Fundamental Shift Is Occurring In Identity and Access Control The Old Enterprise The New Modern Enterprise This is the secret to achieve scale and agile federation
6 © 2014 CA. All rights reserved. What’s Your Grant Type? Do you need to authenticate the end user? No Yes Client Credentials Grant Type Asking the right questions will lead to the right answer
7 © 2014 CA. All rights reserved. What’s Your Grant Type (cont.)? Do you control the user’s credentials? Yes No Password Grant Type
8 © 2014 CA. All rights reserved. What’s Your Grant Type (cont.)? Can clients keep secrets? Yes No Authorization Code Grant Type Implicit Flow, response_type=token These are usually JavaScript clients. Note that you can’t secure clients here!
9 © 2014 CA. All rights reserved. What Kind Of Scale Are We Talking? 1000s of validated transactions per second Millions of active sessions
10 © 2014 CA. All rights reserved. Token Validation and the Question of Revocation Will you ever need to revoke access tokens? No Yes Easy street Tough Road Tokens have a lifetime. But will you ever need to cut this short? Tokens can be signed and self- contained (incl. expiration time, scope, and other attributes). Tokens need a central validation service
11 © 2014 CA. All rights reserved. No Revocation – The Simple Case Very simple distributed auth architecture  Authorization Server (AS) keeps refresh tokens locally for issuance of new access tokens  Resource Server (RS) validates access tokens according to trust model  Need signed tokens  Kind of like SAML Enterprise Network Informal, API-driven integrations Firewall Mobile Devices Clouds, Webapps, etc Authorization Server Key DB Directory Protected Resource Servers Trust Refresh tokens only. Low transaction rate (eg: 10 mins for each active session)
12 © 2014 CA. All rights reserved. Revocation – The Much Harder Scenario More Complex distributed architecture  Authorization Server (AS) keeps refresh and access tokens  Resource Server (RS) validates access tokens live (various options for this)  Scalable DB needed  Security model for token storage Enterprise Network Firewall Mobile Devices Authorization Server Key DB Directory Protected Resource Servers Validates Admin This is where scale and reliability become important requirements.
13 © 2014 CA. All rights reserved. Managing Dangerous Windows of Opportunity Time t=10 minutes time-to-live for access token No Revocation Token hijack 10 min Time t=10 minutes time-to-live for access token With Revocation Token hijack 4 min 5 min 10 min Validation cache time out Revoke tokens
14 © 2014 CA. All rights reserved. Where Should The Tokens Reside? Enterprise Network Firewall 1 Authorization Server Directory Validates Admin Key DB Firewall 2 Protected Resource Servers DB Inside Secure Zone  Tokens do not reside in DMZ  Remember: Bearer tokens are dangerous!  RDBMS vs NoSQL  Token maintenance issues  Authorization Server (AS) manages access and refresh tokens using JDBC/ODBC or noSQL  Resource Server (RS) validates access tokens using JDBC/ODBC or noSQL Case 1: Just use a DB
15 © 2014 CA. All rights reserved. Where Should The Tokens Reside (cont.)? Enterprise Network Firewall 1 Authorization Server Directory Admin Key DB Firewall 2 DB Inside Secure Zone  Tokens do not reside in DMZ  Authorization Server (AS) accesses access and refresh tokens using simple CRUD APIs  Resource Server (RS) validates access tokens using validation API or OpenID Connect UserInfo Case 2: API server fronting DB Validate Key CRUD Protected Resource Servers
16 © 2014 CA. All rights reserved. Scopes and Privileges  Scopes are critical in OAuth – But developers too often overlook their power  Attach scope to an access token based on user privileges – Same endpoint, but different capabilities  The OpenID Connect UserInfo endpoint is like this  We are seeing scope being differentiated based on how an access token was acquired – Eg: If the access token derives from an immediate authentication event, it is of higher relative “value” than if it comes from a refresh  Continuous authentication is an important trend in security  Scope is the key to integrating risk-based evaluation, step-up authentication, idle time mgmt, privileged action mgmt, etc The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued.
17 © 2014 CA. All rights reserved. Consent  This remains very black and white – It is the responsibility of the OAuth (and API) provider to seek consent expression and reflect this in the scopes granted to a session – You still can’t choose what you agree to  But watch this space – This is the new frontier for OAuth and related technologies Do you agree to let application foo: Records on your behalf?  Create  Retrieve  Update  Delete No Yes
18 © 2014 CA. All rights reserved. What We Are Seeing Everywhere: Proxy Model - OAuth Facades over legacy IAM Infrastructure Simple, drop-in virtual or hardware gateway  Acts as both Authorization Server (AS) and Resource Server (RS)  Advanced security on all APIs Enterprise Network Informal, API-driven integrations Mobile Devices Clouds, Webapps, etc Protected Resources SecureSpan Gateway as AS IAM System SecureSpan Gateway Protecting RS Token can encapsulate legacy sessionID or gateway can manage mapping AS is Mapping to Internal Security Models/Tokens ➠ Simple Username/passwd ➠ Kerberos ➠ X.509v3 certificates ➠ SAML, etc
19 © 2014 CA. All rights reserved. What We Are Seeing Everywhere: OAuth Integration With Existing Web Authentication Enterprise Network Informal, API-driven integrations Mobile Devices Clouds, Webapps, etc Protected Resources not shown for clarity SecureSpan Gateway as AS Leverage Existing Auth Pages ➠ Redirect to web authentication server ➠ Authentication user, redirect back to OAuth authorization server ➠ Validate returned “legacy” session ➠ Issue standard access and refresh tokens (or encapsulate) Legacy Directory Web Auth Page Validate session Redirects This is interesting because it decouples authentication and consent
20 © 2014 CA. All rights reserved. Summary  You can tell OAuth is mature because its boundaries are being pushed.  But there is still considerable misunderstanding about how to use OAuth effectively.  Scalability and reliability remain difficult  We highly recommend you use proven solutions rather than trying to cobble together a solution.
@medjawii OAuth.io@medjawii APIscene.com
Are you getting the maximum from OAuth? OAuth.io@medjawii
Identity provider Identity consumer (Application) User OAuth.io@medjawii
OAuth.io@medjawii OAuth provider OAuth consumer (Application) User
OAuth.io@medjawii
OAuth.io@medjawii OAuth provider OAuth consumer (Application) User
The business value data is concentrated mainly on the provider and the consumer OAuth.io@medjawii OAuth provider OAuth consumer (Application) User
OAuth enables to concentrate the business value data on the provider side. OAuth.io@medjawii
The tale of 2 OAuth... OAuth.io@medjawii
OAuth 1.0/1.a - Released in October 2007 - Revised in June 2009 (Revision A) - Hard to implement with signatures, no expiration of tokens, no control the level of access requested. Some implementations have tried to get around these problems, which causes interoperability issues OAuth.io@medjawii
OAuth 2.0 - Non-backward compatible alternative. - Several drafts from January 2010 and October 2012 where published as RFC 6749 - Facebook and many others implemented it when not final - OAuth 2.0 is more flexible, wide range of non-interoperable implementations - less secure than OAuth 1.0, relying on SSL connections rather than signatures to protect the user’s access token, - Easier to install when developing clients OAuth.io@medjawii
The tale of 2 OAuth... OAuth.io@medjawii
The tale of too many OAuth... OAuth.io@medjawii
10 OAuth implementations you can’t guess… that differ from RFC6949 OAuth.io@medjawii
Facebook : Refresh_token grant_type: "refresh_token" => grant_type: "fb_exchange_token" refresh_token: "{{refresh_token}}" => fb_exchange_token: "{{refresh_token}}" scope “notation”: friends_actions.music, friends_actions.video Separator is a “,” instead of “%20“ OAuth.io@medjawii
Deezer client_id -> app_id=... scope -> perms=email,read_friendlists... state=... [non documented] response_type=code [useless] “Facebook is the standard” OAuth.io@medjawii
Google : More parameters options for the authorization form: access_type: to choose to send a refresh_token or not approval_prompt to force the popup even if we are already connected login_hint to select an account or prefill the email address include_granted_scopes to add more authorizations “incremental authorization” OAuth.io@medjawii
Foursquare : - Some OAuth libraries expect to pass the OAuth token as access_token instead of oauth_token, since this is the expectation created by Facebook, at odds with earlier versions of the OAuth spec. We may add support for both parameter names, depending on feedback, but for now know that this may come up. - No scope. OAuth.io@medjawii
Salesforce : Added custom authorization parameters: immediate: whether the user should be prompted for login and approval display: template web, mobile, popup login_hint: to prefill an email prompt: prompt the user for reauthorization or reapproval the authorization returns custom fields: - “instance_url”: the api url binded to a resource server, this is the only way to receive the domain - a signature: can be used to verify the identity URL was not modified (id & date signed with a private key) - issued_at instead of expires_in : salesforce prefers to give the issued time instead of the expiration duration - id_token: to support openid UX for creating an app (4 not-so-easy to find mouseclicks between login & the app creation form) OAuth.io@medjawii
VK: Added authorizations parameters v: API version The authorization returns the user id, that is needed to call the api relative to the authorized user (there is no /me/..., /self/... or so) Instead of access_token: xxx /user/me?access_token=xxx You have access_token: xxx user_id: yyy /user/yyy?access_token=xxx OAuth.io@medjawii
23ANDME: scope “notation”: profile:write profile:read OAuth.io@medjawii
Tencent weibo: Authorization parameters : chinese language only oauth_version=2.a (useless parameter) Extra : Chinese/English documentation for OAuth1.0 but Chinese documentation only for OAuth2.0 OAuth.io@medjawii
This was just non exhaustive. OAuth.io@medjawii
API calls Authorization api.provider.com/path/action?access_token=TOKEN api.provider.com/path/action?oauth_token=TOKEN api.provider.com/path/action?token=TOKEN Authorization HTTP header: Bearer TOKEN Authorization HTTP Header: OAuth TOKEN OAuth.io@medjawii
Scope scope=email%20publish scope=email,publish scope=email;publish scope=email:publish scope=email|publish scope=read_only or scope=read_write OAuth.io@medjawii
The "state" param ● inexistent (dailymotion, eventbrite...) so you have to put it in the callback ● undocumented (wordpress, deezer...) ● impossible (angelist.co) “fixed callback url” OAuth.io@medjawii
What you should not tell yourself about OAuth - “OAuth is not so hard to understand” - “It will be easier to it in this non-standard way” - “Developers just have to read our documentation” OAuth.io@medjawii
April fool: Introducing OAuth 3:0 - “0 token” paradigm - No more secret key, everything public The huge majority did not understand... OAuth.io@medjawii
What you should not tell yourself about OAuth - “OAuth is not so hard to understand” - “It will be easier to it in this non-standard way” - “Developers just have to read our documentation” OAuth.io@medjawii
Even if you are right, 3rd party developers will be lost… because of others providers already did it wrong before you OAuth.io@medjawii
What you should not tell yourself about OAuth - “OAuth is not so hard to understand” - “It will be easier to it in this non-standard way” - “Developers just have to read our documentation” OAuth.io@medjawii
“In a design perspective, documentation is a bug, not a feature” It is the most important but the last place to find information OAuth.io@medjawii
OAuth.io@medjawii Devil’s in the details.
OAuth.io@medjawii OAuth.io
100+ providers unified and simplified OAuth.io@medjawii
OAuth.io@medjawii To retrieve you token
OAuth.io@medjawii - Register on oauth.io - Click on the OAuth provider you want in the list - Share you credentials - Click on “try me“ That’s it, you have your token. 90seconds after signup.
OAuth.io@medjawii And for generating the pop- up?
OAuth.io@medjawii OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('facebook', function(err) { if (err) { // do something with error }
OAuth.io@medjawii OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('twitter', function(err) { if (err) { // do something with error }
OAuth.io@medjawii OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('salesforce', function(err) { if (err) { // do something with error }
OAuth.io@medjawii OAuth.initialize("OAUTHIO_KEY"); OAuth.popup('yourcompany', function(err) { if (err) { // do something with error }
OAuth.io@medjawii And for deeper APIs calls?
OAuth.io@medjawii OAuth.popup('twitter', function(err, res) { if (err) { // do something with error } res.get('/1.1/account/verify_credentials.json') .done(function(data) { alert('Hello ' + data.name) }) })
OAuth.io@medjawii OAuth.popup('twitter', function(err, res) { if (err) { // do something with error } res.get('/1.1/account/verify_credentials.json') .done(function(data) { alert('Hello ' + data.name) }) }) No need to call your own server and to sign your API request and send it back No more access token management, it’s now completely abstracted It feels lighter right?
For web and mobile
Open source : oauthd for on premises implementation to consume your own oauth https://github.com/oauth-io/oauthd Easy contributions process, with a small JSON to fill on github
Questions?
Scott.Morrison@ca.com @KScottMorrison slideshare.net/CAinc linkedin.com/KScottMorrison ca.com K. Scott Morrison Distinguished Engineer
23 Copyright © 2014 CA. All rights reserved. © Copyright CA 2013. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis. notices

Recomendados

Enable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointEnable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointCA API Management
 
Single Sign-On for Mobile
Single Sign-On for MobileSingle Sign-On for Mobile
Single Sign-On for MobileCA API Management
 
Trends in Web APIs Layer 7 API Management Workshop London
Trends in Web APIs Layer 7 API Management Workshop LondonTrends in Web APIs Layer 7 API Management Workshop London
Trends in Web APIs Layer 7 API Management Workshop LondonCA API Management
 
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...CA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
CA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerCA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerRajat Vijayvargiya
 

Recomendados

Enable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointEnable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointCA API Management
 
Single Sign-On for Mobile
Single Sign-On for MobileSingle Sign-On for Mobile
Single Sign-On for MobileCA API Management
 
Trends in Web APIs Layer 7 API Management Workshop London
Trends in Web APIs Layer 7 API Management Workshop LondonTrends in Web APIs Layer 7 API Management Workshop London
Trends in Web APIs Layer 7 API Management Workshop LondonCA API Management
 
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...
Truth, Lies & APIs - Ross Garrett, Director Product Marketing, CA Layer 7 @ G...CA API Management
 
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...
Drones, Phones & Pwns the Promise & Dangers of IoT APIs: Use APIs to Securely...CA API Management
 
Adapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinAdapting to Digital Change: Use APIs to Delight Customers & Win
Adapting to Digital Change: Use APIs to Delight Customers & WinCA API Management
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
CA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerCA API Management: A DevOps Enabler
CA API Management: A DevOps EnablerRajat Vijayvargiya
 
5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer AppsCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
CA API Gateway
CA API GatewayCA API Gateway
CA API GatewayJames Farley-Sutton
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management
 
Your New Digital Business & APIs
Your New Digital Business & APIs Your New Digital Business & APIs
Your New Digital Business & APIs CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
5 pillars of API Management
5 pillars of API Management5 pillars of API Management
5 pillars of API ManagementJames Farley-Sutton
 
How to Choose the Right API Management Solution
How to Choose the Right API Management SolutionHow to Choose the Right API Management Solution
How to Choose the Right API Management SolutionCA API Management
 
Melbourne API Management Seminar
Melbourne API Management SeminarMelbourne API Management Seminar
Melbourne API Management SeminarCA API Management
 
Lessons Learned From Four Years of API Management Implementation Success at Unum
Lessons Learned From Four Years of API Management Implementation Success at UnumLessons Learned From Four Years of API Management Implementation Success at Unum
Lessons Learned From Four Years of API Management Implementation Success at UnumCA Technologies
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
Mobile Risk Analysis: Take Your Mobile App Security to the Next LevelMobile Risk Analysis: Take Your Mobile App Security to the Next Level
Mobile Risk Analysis: Take Your Mobile App Security to the Next LevelCA Technologies
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
APIs: State of the Union - Ross Garrett @ AppsWorld 2014
APIs: State of the Union - Ross Garrett @ AppsWorld 2014APIs: State of the Union - Ross Garrett @ AppsWorld 2014
APIs: State of the Union - Ross Garrett @ AppsWorld 2014CA API Management
 
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...Akana
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connectKellton Tech Solutions Ltd
 
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...apidays
 
API Management
API ManagementAPI Management
API ManagementProlifics
 
Best Practices for API Management
Best Practices for API Management Best Practices for API Management
Best Practices for API Management WSO2
 
Secure and Govern Integration between the Enterprise & the Cloud
Secure and Govern Integration between the Enterprise & the CloudSecure and Govern Integration between the Enterprise & the Cloud
Secure and Govern Integration between the Enterprise & the CloudCA API Management
 
Coordenadas089 wifi
Coordenadas089 wifiCoordenadas089 wifi
Coordenadas089 wifiOsvaldo Pablo Ivani
 

Más contenido relacionado

La actualidad más candente

5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer AppsCA API Management
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...CA API Management
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIsCA API Management
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...CA API Management
 
Your New Digital Business & APIs
Your New Digital Business & APIs Your New Digital Business & APIs
Your New Digital Business & APIs CA API Management
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...CA API Management
 
How to Choose the Right API Management Solution
How to Choose the Right API Management SolutionHow to Choose the Right API Management Solution
How to Choose the Right API Management SolutionCA API Management
 
Melbourne API Management Seminar
Melbourne API Management SeminarMelbourne API Management Seminar
Melbourne API Management SeminarCA API Management
 
Lessons Learned From Four Years of API Management Implementation Success at Unum
Lessons Learned From Four Years of API Management Implementation Success at UnumLessons Learned From Four Years of API Management Implementation Success at Unum
Lessons Learned From Four Years of API Management Implementation Success at UnumCA Technologies
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarCA API Management
 
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
Mobile Risk Analysis: Take Your Mobile App Security to the Next LevelMobile Risk Analysis: Take Your Mobile App Security to the Next Level
Mobile Risk Analysis: Take Your Mobile App Security to the Next LevelCA Technologies
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device UniverseCA API Management
 
APIs: State of the Union - Ross Garrett @ AppsWorld 2014
APIs: State of the Union - Ross Garrett @ AppsWorld 2014APIs: State of the Union - Ross Garrett @ AppsWorld 2014
APIs: State of the Union - Ross Garrett @ AppsWorld 2014CA API Management
 
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...Akana
 
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...apidays
 
API Management
API ManagementAPI Management
API ManagementProlifics
 
Best Practices for API Management
Best Practices for API Management Best Practices for API Management
Best Practices for API Management WSO2
 

La actualidad más candente (20)

5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps5 Steps for End-to-End Mobile Security with Consumer Apps
5 Steps for End-to-End Mobile Security with Consumer Apps
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
Mastering Digital Channels with APIs
Mastering Digital Channels with APIsMastering Digital Channels with APIs
Mastering Digital Channels with APIs
 
CA API Gateway
CA API GatewayCA API Gateway
CA API Gateway
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
 
Your New Digital Business & APIs
Your New Digital Business & APIs Your New Digital Business & APIs
Your New Digital Business & APIs
 
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
API360 – A How-To Guide for Enterprise APIs - Learn how to position your ente...
 
5 pillars of API Management
5 pillars of API Management5 pillars of API Management
5 pillars of API Management
 
How to Choose the Right API Management Solution
How to Choose the Right API Management SolutionHow to Choose the Right API Management Solution
How to Choose the Right API Management Solution
 
Melbourne API Management Seminar
Melbourne API Management SeminarMelbourne API Management Seminar
Melbourne API Management Seminar
 
Lessons Learned From Four Years of API Management Implementation Success at Unum
Lessons Learned From Four Years of API Management Implementation Success at UnumLessons Learned From Four Years of API Management Implementation Success at Unum
Lessons Learned From Four Years of API Management Implementation Success at Unum
 
Takeaways from API Security Breaches Webinar
Takeaways from API Security Breaches WebinarTakeaways from API Security Breaches Webinar
Takeaways from API Security Breaches Webinar
 
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
Mobile Risk Analysis: Take Your Mobile App Security to the Next LevelMobile Risk Analysis: Take Your Mobile App Security to the Next Level
Mobile Risk Analysis: Take Your Mobile App Security to the Next Level
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
APIs: State of the Union - Ross Garrett @ AppsWorld 2014
APIs: State of the Union - Ross Garrett @ AppsWorld 2014APIs: State of the Union - Ross Garrett @ AppsWorld 2014
APIs: State of the Union - Ross Garrett @ AppsWorld 2014
 
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
A New Breed of Technical Leaders: The 101 to Defining Your API Business Stra...
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connect
 
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...
apidays LIVE JAKARTA - Enterprise API management in agile integration by Ragh...
 
API Management
API ManagementAPI Management
API Management
 
Best Practices for API Management
Best Practices for API Management Best Practices for API Management
Best Practices for API Management
 

Destacado

Secure and Govern Integration between the Enterprise & the Cloud
Secure and Govern Integration between the Enterprise & the CloudSecure and Govern Integration between the Enterprise & the Cloud
Secure and Govern Integration between the Enterprise & the CloudCA API Management
 
Ringers cut 5 knit for pinch point and knuckle impact protection
Ringers cut 5 knit for pinch point and knuckle impact protectionRingers cut 5 knit for pinch point and knuckle impact protection
Ringers cut 5 knit for pinch point and knuckle impact protectionProject Sales Corp
 
Inspección de flores, etiquetas y facturas.
Inspección de flores, etiquetas y facturas. Inspección de flores, etiquetas y facturas.
Inspección de flores, etiquetas y facturas. ProColombia
 
ROR -Igal Assaf Paris sous la neige
ROR -Igal Assaf Paris sous la neigeROR -Igal Assaf Paris sous la neige
ROR -Igal Assaf Paris sous la neigeIgal Assaf
 
2008111807581919
20081118075819192008111807581919
2008111807581919psy101618
 
Learning organization may2010
Learning organization may2010Learning organization may2010
Learning organization may2010Michael Jones
 
Where can tell me who I am?
Where can tell me who I am?Where can tell me who I am?
Where can tell me who I am?seltzoid
 
Social Media Basics & Application (for Indexers)
Social Media Basics & Application (for Indexers)Social Media Basics & Application (for Indexers)
Social Media Basics & Application (for Indexers)Sara Truscott
 
Blackwell Esteem AFSL
Blackwell Esteem AFSLBlackwell Esteem AFSL
Blackwell Esteem AFSLsamueltay77
 
Caldwell recognition-2012
Caldwell recognition-2012Caldwell recognition-2012
Caldwell recognition-2012ryanatsofa
 
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...Shao-Chuan Wang
 
Earth moon statistics
Earth moon statisticsEarth moon statistics
Earth moon statisticsRanjeet Dubey
 
Cilmatic Risk Assessment Of Southern Express Way in Sri Lanka
Cilmatic Risk Assessment Of Southern Express Way in Sri LankaCilmatic Risk Assessment Of Southern Express Way in Sri Lanka
Cilmatic Risk Assessment Of Southern Express Way in Sri LankaMaersk Line
 
Is she a good student
Is she a good studentIs she a good student
Is she a good studentpaku_sol
 
Ikp'ko;b0yp
Ikp'ko;b0ypIkp'ko;b0yp
Ikp'ko;b0ypnoylove
 

Destacado (19)

Secure and Govern Integration between the Enterprise & the Cloud
Secure and Govern Integration between the Enterprise & the CloudSecure and Govern Integration between the Enterprise & the Cloud
Secure and Govern Integration between the Enterprise & the Cloud
 
Coordenadas089 wifi
Coordenadas089 wifiCoordenadas089 wifi
Coordenadas089 wifi
 
Ringers cut 5 knit for pinch point and knuckle impact protection
Ringers cut 5 knit for pinch point and knuckle impact protectionRingers cut 5 knit for pinch point and knuckle impact protection
Ringers cut 5 knit for pinch point and knuckle impact protection
 
Inspección de flores, etiquetas y facturas.
Inspección de flores, etiquetas y facturas. Inspección de flores, etiquetas y facturas.
Inspección de flores, etiquetas y facturas.
 
ROR -Igal Assaf Paris sous la neige
ROR -Igal Assaf Paris sous la neigeROR -Igal Assaf Paris sous la neige
ROR -Igal Assaf Paris sous la neige
 
2008111807581919
20081118075819192008111807581919
2008111807581919
 
Learning organization may2010
Learning organization may2010Learning organization may2010
Learning organization may2010
 
Where can tell me who I am?
Where can tell me who I am?Where can tell me who I am?
Where can tell me who I am?
 
Social Media Basics & Application (for Indexers)
Social Media Basics & Application (for Indexers)Social Media Basics & Application (for Indexers)
Social Media Basics & Application (for Indexers)
 
Blackwell Esteem AFSL
Blackwell Esteem AFSLBlackwell Esteem AFSL
Blackwell Esteem AFSL
 
Caldwell recognition-2012
Caldwell recognition-2012Caldwell recognition-2012
Caldwell recognition-2012
 
Pk std
Pk stdPk std
Pk std
 
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
 
Abc learning-annual-report-2006
Abc learning-annual-report-2006Abc learning-annual-report-2006
Abc learning-annual-report-2006
 
Earth moon statistics
Earth moon statisticsEarth moon statistics
Earth moon statistics
 
Cilmatic Risk Assessment Of Southern Express Way in Sri Lanka
Cilmatic Risk Assessment Of Southern Express Way in Sri LankaCilmatic Risk Assessment Of Southern Express Way in Sri Lanka
Cilmatic Risk Assessment Of Southern Express Way in Sri Lanka
 
Aitana
AitanaAitana
Aitana
 
Is she a good student
Is she a good studentIs she a good student
Is she a good student
 
Ikp'ko;b0yp
Ikp'ko;b0ypIkp'ko;b0yp
Ikp'ko;b0yp
 

Similar a OAuth in the Real World featuring Webshell

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...CA Technologies
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Codit
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA Technologies
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CloudIDSummit
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice ArchitectureMatt McLarty
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public SafetyAdam Lewis
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsRightScale
 
Design Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionDesign Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionMichele Leroux Bustamante
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricSpiffy
 

Similar a OAuth in the Real World featuring Webshell (20)

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure API
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
Design Practices for a Secure Azure Solution
Design Practices for a Secure Azure SolutionDesign Practices for a Secure Azure Solution
Design Practices for a Secure Azure Solution
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security Stack
 

Más de CA API Management

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterpriseCA API Management
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...CA API Management
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...CA API Management
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataCA API Management
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...CA API Management
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...CA API Management
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...CA API Management
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...CA API Management
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...CA API Management
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceCA API Management
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...CA API Management
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014CA API Management
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...CA API Management
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?CA API Management
 
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureMapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureCA API Management
 
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...CA API Management
 
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...CA API Management
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...CA API Management
 

Más de CA API Management (19)

Api architectures for the modern enterprise
Api architectures for the modern enterpriseApi architectures for the modern enterprise
Api architectures for the modern enterprise
 
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
API Design Methodology - Mike Amundsen, Director of API Architecture, API Aca...
 
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
Liberating the API Economy with Scale-Free Networks - Mike Amundsen, Director...
 
API Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your DataAPI Monetization: Unlock the Value of Your Data
API Monetization: Unlock the Value of Your Data
 
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
Revisiting Geddes' Outlook Tower - Mike Amundsen, Director of API Architectur...
 
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
Building APIs That Last for Decades - Irakli Nadareishvili, Director of API S...
 
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
The Art of API Design - Ronnie Mitra, Director of API Design, API Academy at ...
 
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
APIs Fueling the Connected Car Opportunity - Scott Morrison, SVP & Distinguis...
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
Gartner AADI Summit Sydney 2014 Implementing the Layer 7 API Management Pla...
 
Using APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail ExperienceUsing APIs to Create an Omni-Channel Retail Experience
Using APIs to Create an Omni-Channel Retail Experience
 
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ... Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
Panel Session: Security & Privacy for Connected Cars w/ Scott Morrison, SVP ...
 
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
Clients Matter, Services Don't - Mike Amundsen's talk from QCon New York 2014
 
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
The Connected Car UX Through APIs - Francois Lascelles, VP Solutions Architec...
 
Is there an API in that (IoT)?
Is there an API in that (IoT)?Is there an API in that (IoT)?
Is there an API in that (IoT)?
 
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API ArchitectureMapping the API Landscape - Mike Amundsen, Director of API Architecture
Mapping the API Landscape - Mike Amundsen, Director of API Architecture
 
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
Lean API Strategy - Holger Reinhardt, Snr Principal Business Unit Strategy, L...
 
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
Your Journey to Agility using APIs - Tyson Whitten, Director of Solutions Mar...
 
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
Enterprise on the Go - Devon Winkworth, Snr. Principal Consultant, Layer 7 @ ...
 

Último

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Último (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

OAuth in the Real World featuring Webshell

  • 1. © 2014 CA. All rights reserved. OAuth In The Real World How today’s authorization experts get maximum value from OAuth K. Scott Morrison Senior Vice President and Distinguished Engineer April 2014 Mehdi Medjaoul Co-Founder & Executive Director of Webshell
  • 2. 2 © 2014 CA. All rights reserved. Housekeeping Layer 7 @layer7 layer7.com/blogs layer7.com Chat questions into the sidebar or use hashtag: #L7webinar Webshell.io @Webshell_
  • 3. 3 © 2014 CA. All rights reserved. Today’s Talk  Why OAuth is more than just another security token  The basic OAuth architecture  What’s your grant type?  Token revocation and the implications for scaling  Managing dangerous windows of opportunity  Where should tokens reside?  Scopes, privileges and consent  OAuth facades over existing IAM systems  OAuth integration with legacy HTML login pages
  • 4. 4 © 2014 CA. All rights reserved. Basic OAuth 2.0 Client Authorization Server Resource Server Resource Owner Acquire Tokens Use Access Token
  • 5. 5 © 2014 CA. All rights reserved. A Fundamental Shift Is Occurring In Identity and Access Control The Old Enterprise The New Modern Enterprise This is the secret to achieve scale and agile federation
  • 6. 6 © 2014 CA. All rights reserved. What’s Your Grant Type? Do you need to authenticate the end user? No Yes Client Credentials Grant Type Asking the right questions will lead to the right answer
  • 7. 7 © 2014 CA. All rights reserved. What’s Your Grant Type (cont.)? Do you control the user’s credentials? Yes No Password Grant Type
  • 8. 8 © 2014 CA. All rights reserved. What’s Your Grant Type (cont.)? Can clients keep secrets? Yes No Authorization Code Grant Type Implicit Flow, response_type=token These are usually JavaScript clients. Note that you can’t secure clients here!
  • 9. 9 © 2014 CA. All rights reserved. What Kind Of Scale Are We Talking? 1000s of validated transactions per second Millions of active sessions
  • 10. 10 © 2014 CA. All rights reserved. Token Validation and the Question of Revocation Will you ever need to revoke access tokens? No Yes Easy street Tough Road Tokens have a lifetime. But will you ever need to cut this short? Tokens can be signed and self- contained (incl. expiration time, scope, and other attributes). Tokens need a central validation service
  • 11. 11 © 2014 CA. All rights reserved. No Revocation – The Simple Case Very simple distributed auth architecture  Authorization Server (AS) keeps refresh tokens locally for issuance of new access tokens  Resource Server (RS) validates access tokens according to trust model  Need signed tokens  Kind of like SAML Enterprise Network Informal, API-driven integrations Firewall Mobile Devices Clouds, Webapps, etc Authorization Server Key DB Directory Protected Resource Servers Trust Refresh tokens only. Low transaction rate (eg: 10 mins for each active session)
  • 12. 12 © 2014 CA. All rights reserved. Revocation – The Much Harder Scenario More Complex distributed architecture  Authorization Server (AS) keeps refresh and access tokens  Resource Server (RS) validates access tokens live (various options for this)  Scalable DB needed  Security model for token storage Enterprise Network Firewall Mobile Devices Authorization Server Key DB Directory Protected Resource Servers Validates Admin This is where scale and reliability become important requirements.
  • 13. 13 © 2014 CA. All rights reserved. Managing Dangerous Windows of Opportunity Time t=10 minutes time-to-live for access token No Revocation Token hijack 10 min Time t=10 minutes time-to-live for access token With Revocation Token hijack 4 min 5 min 10 min Validation cache time out Revoke tokens
  • 14. 14 © 2014 CA. All rights reserved. Where Should The Tokens Reside? Enterprise Network Firewall 1 Authorization Server Directory Validates Admin Key DB Firewall 2 Protected Resource Servers DB Inside Secure Zone  Tokens do not reside in DMZ  Remember: Bearer tokens are dangerous!  RDBMS vs NoSQL  Token maintenance issues  Authorization Server (AS) manages access and refresh tokens using JDBC/ODBC or noSQL  Resource Server (RS) validates access tokens using JDBC/ODBC or noSQL Case 1: Just use a DB
  • 15. 15 © 2014 CA. All rights reserved. Where Should The Tokens Reside (cont.)? Enterprise Network Firewall 1 Authorization Server Directory Admin Key DB Firewall 2 DB Inside Secure Zone  Tokens do not reside in DMZ  Authorization Server (AS) accesses access and refresh tokens using simple CRUD APIs  Resource Server (RS) validates access tokens using validation API or OpenID Connect UserInfo Case 2: API server fronting DB Validate Key CRUD Protected Resource Servers
  • 16. 16 © 2014 CA. All rights reserved. Scopes and Privileges  Scopes are critical in OAuth – But developers too often overlook their power  Attach scope to an access token based on user privileges – Same endpoint, but different capabilities  The OpenID Connect UserInfo endpoint is like this  We are seeing scope being differentiated based on how an access token was acquired – Eg: If the access token derives from an immediate authentication event, it is of higher relative “value” than if it comes from a refresh  Continuous authentication is an important trend in security  Scope is the key to integrating risk-based evaluation, step-up authentication, idle time mgmt, privileged action mgmt, etc The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued.
  • 17. 17 © 2014 CA. All rights reserved. Consent  This remains very black and white – It is the responsibility of the OAuth (and API) provider to seek consent expression and reflect this in the scopes granted to a session – You still can’t choose what you agree to  But watch this space – This is the new frontier for OAuth and related technologies Do you agree to let application foo: Records on your behalf?  Create  Retrieve  Update  Delete No Yes
  • 18. 18 © 2014 CA. All rights reserved. What We Are Seeing Everywhere: Proxy Model - OAuth Facades over legacy IAM Infrastructure Simple, drop-in virtual or hardware gateway  Acts as both Authorization Server (AS) and Resource Server (RS)  Advanced security on all APIs Enterprise Network Informal, API-driven integrations Mobile Devices Clouds, Webapps, etc Protected Resources SecureSpan Gateway as AS IAM System SecureSpan Gateway Protecting RS Token can encapsulate legacy sessionID or gateway can manage mapping AS is Mapping to Internal Security Models/Tokens ➠ Simple Username/passwd ➠ Kerberos ➠ X.509v3 certificates ➠ SAML, etc
  • 19. 19 © 2014 CA. All rights reserved. What We Are Seeing Everywhere: OAuth Integration With Existing Web Authentication Enterprise Network Informal, API-driven integrations Mobile Devices Clouds, Webapps, etc Protected Resources not shown for clarity SecureSpan Gateway as AS Leverage Existing Auth Pages ➠ Redirect to web authentication server ➠ Authentication user, redirect back to OAuth authorization server ➠ Validate returned “legacy” session ➠ Issue standard access and refresh tokens (or encapsulate) Legacy Directory Web Auth Page Validate session Redirects This is interesting because it decouples authentication and consent
  • 20. 20 © 2014 CA. All rights reserved. Summary  You can tell OAuth is mature because its boundaries are being pushed.  But there is still considerable misunderstanding about how to use OAuth effectively.  Scalability and reliability remain difficult  We highly recommend you use proven solutions rather than trying to cobble together a solution.
  • 22. Are you getting the maximum from OAuth? OAuth.io@medjawii
  • 25.
  • 28. The business value data is concentrated mainly on the provider and the consumer OAuth.io@medjawii OAuth provider OAuth consumer (Application) User
  • 29. OAuth enables to concentrate the business value data on the provider side. OAuth.io@medjawii
  • 30. The tale of 2 OAuth... OAuth.io@medjawii
  • 31. OAuth 1.0/1.a - Released in October 2007 - Revised in June 2009 (Revision A) - Hard to implement with signatures, no expiration of tokens, no control the level of access requested. Some implementations have tried to get around these problems, which causes interoperability issues OAuth.io@medjawii
  • 32. OAuth 2.0 - Non-backward compatible alternative. - Several drafts from January 2010 and October 2012 where published as RFC 6749 - Facebook and many others implemented it when not final - OAuth 2.0 is more flexible, wide range of non-interoperable implementations - less secure than OAuth 1.0, relying on SSL connections rather than signatures to protect the user’s access token, - Easier to install when developing clients OAuth.io@medjawii
  • 33. The tale of 2 OAuth... OAuth.io@medjawii
  • 34. The tale of too many OAuth... OAuth.io@medjawii
  • 35. 10 OAuth implementations you can’t guess… that differ from RFC6949 OAuth.io@medjawii
  • 36. Facebook : Refresh_token grant_type: "refresh_token" => grant_type: "fb_exchange_token" refresh_token: "{{refresh_token}}" => fb_exchange_token: "{{refresh_token}}" scope “notation”: friends_actions.music, friends_actions.video Separator is a “,” instead of “%20“ OAuth.io@medjawii
  • 37. Deezer client_id -> app_id=... scope -> perms=email,read_friendlists... state=... [non documented] response_type=code [useless] “Facebook is the standard” OAuth.io@medjawii
  • 38. Google : More parameters options for the authorization form: access_type: to choose to send a refresh_token or not approval_prompt to force the popup even if we are already connected login_hint to select an account or prefill the email address include_granted_scopes to add more authorizations “incremental authorization” OAuth.io@medjawii
  • 39. Foursquare : - Some OAuth libraries expect to pass the OAuth token as access_token instead of oauth_token, since this is the expectation created by Facebook, at odds with earlier versions of the OAuth spec. We may add support for both parameter names, depending on feedback, but for now know that this may come up. - No scope. OAuth.io@medjawii
  • 40. Salesforce : Added custom authorization parameters: immediate: whether the user should be prompted for login and approval display: template web, mobile, popup login_hint: to prefill an email prompt: prompt the user for reauthorization or reapproval the authorization returns custom fields: - “instance_url”: the api url binded to a resource server, this is the only way to receive the domain - a signature: can be used to verify the identity URL was not modified (id & date signed with a private key) - issued_at instead of expires_in : salesforce prefers to give the issued time instead of the expiration duration - id_token: to support openid UX for creating an app (4 not-so-easy to find mouseclicks between login & the app creation form) OAuth.io@medjawii
  • 41. VK: Added authorizations parameters v: API version The authorization returns the user id, that is needed to call the api relative to the authorized user (there is no /me/..., /self/... or so) Instead of access_token: xxx /user/me?access_token=xxx You have access_token: xxx user_id: yyy /user/yyy?access_token=xxx OAuth.io@medjawii
  • 42. 23ANDME: scope “notation”: profile:write profile:read OAuth.io@medjawii
  • 43. Tencent weibo: Authorization parameters : chinese language only oauth_version=2.a (useless parameter) Extra : Chinese/English documentation for OAuth1.0 but Chinese documentation only for OAuth2.0 OAuth.io@medjawii
  • 44. This was just non exhaustive. OAuth.io@medjawii
  • 47. The "state" param ● inexistent (dailymotion, eventbrite...) so you have to put it in the callback ● undocumented (wordpress, deezer...) ● impossible (angelist.co) “fixed callback url” OAuth.io@medjawii
  • 48. What you should not tell yourself about OAuth - “OAuth is not so hard to understand” - “It will be easier to it in this non-standard way” - “Developers just have to read our documentation” OAuth.io@medjawii
  • 49. April fool: Introducing OAuth 3:0 - “0 token” paradigm - No more secret key, everything public The huge majority did not understand... OAuth.io@medjawii
  • 50. What you should not tell yourself about OAuth - “OAuth is not so hard to understand” - “It will be easier to it in this non-standard way” - “Developers just have to read our documentation” OAuth.io@medjawii
  • 51. Even if you are right, 3rd party developers will be lost… because of others providers already did it wrong before you OAuth.io@medjawii
  • 52. What you should not tell yourself about OAuth - “OAuth is not so hard to understand” - “It will be easier to it in this non-standard way” - “Developers just have to read our documentation” OAuth.io@medjawii
  • 53. “In a design perspective, documentation is a bug, not a feature” It is the most important but the last place to find information OAuth.io@medjawii
  • 54.
  • 57. 100+ providers unified and simplified OAuth.io@medjawii
  • 59. OAuth.io@medjawii - Register on oauth.io - Click on the OAuth provider you want in the list - Share you credentials - Click on “try me“ That’s it, you have your token. 90seconds after signup.
  • 66. OAuth.io@medjawii OAuth.popup('twitter', function(err, res) { if (err) { // do something with error } res.get('/1.1/account/verify_credentials.json') .done(function(data) { alert('Hello ' + data.name) }) })
  • 67. OAuth.io@medjawii OAuth.popup('twitter', function(err, res) { if (err) { // do something with error } res.get('/1.1/account/verify_credentials.json') .done(function(data) { alert('Hello ' + data.name) }) }) No need to call your own server and to sign your API request and send it back No more access token management, it’s now completely abstracted It feels lighter right?
  • 68. For web and mobile
  • 69. Open source : oauthd for on premises implementation to consume your own oauth https://github.com/oauth-io/oauthd Easy contributions process, with a small JSON to fill on github
  • 72. 23 Copyright © 2014 CA. All rights reserved. © Copyright CA 2013. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis. notices