This document discusses the need for APIs and OAuth in enabling app development while maintaining security. As cloud computing and mobile devices proliferate, more apps are being created, and APIs let businesses participate in this ecosystem. However, traditional security models can hinder rapid app development and adoption. OAuth provides a solution by allowing secure, delegated authorization without the app ever storing the user's credentials, with only the necessary permissions granted on an opt-in basis and revocable at any time. An example is given of a manufacturer of trucking equipment (Trux) using OAuth to let a third-party app access vehicle and load data with the driver's consent. The document promotes SOA Software's OAuth server product as a way to create an open developer platform while maintaining security.
2. A Look Ahead
Two significant forces are changing the face of business:
3. The Effect of Cloud
• Cloud has lowered the barrier for App developers and startups
• The number of mobile devices now exceeds the number of PCs
• The number of connected devices (Internet of Things) will exceed the number of mobile devices by 2020
4. Mobile Apps
• Apple Store has over 775,000 apps
• Google Play Store currently offers over 800,000 and is predicted to be the first store to reach the 1 million apps mark by June 2012
• BlackBerry 10 has 100,000 apps
• Windows Phone Store has 130,000 apps
• According to ABI Research, 56 billion apps will be downloaded in 2013
5. Why do I need an API?
• Accelerate adoption through new channels/devices to reach:
– Partners
– App Developers
– Employees (BYOD)
• Extend/embed your brand
• Create stickiness
9. Platform Success
• Speed of App Development
– More Apps
– More iteration
– More collaboration
• Speed of App Adoption
– Simple Trust
10. Speedy App Development
• Decouple your business processes from the App development process.
• Do not bog things down with traditional security models
– Imagine just the legal agreements
– Storing user credentials is too daunting, both for App developers and App users
11. Speedy App Adoption
• Businesses hold sensitive information and enable sensitive transactions
• For high-speed App adoption, customers need to be able to trust the Apps that touch that information
12. Platform Security
• You need a way to remove the friction that security introduces into the equation
• You need to allow Apps to participate in a secure relationship:
– Opt in ‘Just in Time’
– Without storing credentials
– With only the required permissions
– With the ability to Opt out
13. The Result
• App developers can build without friction
• Businesses don’t need to limit their ecosystem
• It’s up to the customer
14. An OAuth Example
• A manufacturer, Trux, produces very advanced, highly automated equipment for trucking companies
15. An OAuth Example
• Trux collects a great deal of confidential information about each semi, its driver and his/her loads:
– Personal data
– Equipment data
– Satellite tracking data
– Service, mechanical information
– Load types, delivery info
16. An OAuth Example
• Trux would like to create an open platform for App development
– Apps to be deployed on the semis
– Apps to be sold to the trucking companies
– Apps to be sold to the drivers
17. An OAuth Example
• For example, an App developer wants to build an App called SafeTrucking that helps the driver determine the risk of a route based on the driver’s:
– Load
– Crime stats
– Equipment
– Route
18. An OAuth Example
1. Driver downloads the SafeTrucking App and opens it
2. Driver is redirected to Trux, whom he trusts, to log in with his credentials (SafeTrucking never sees them)
3. He is presented with a screen asking whether the SafeTrucking App may retrieve the required data from Trux
4. If confirmed, Trux issues a token to SafeTrucking that it can use to retrieve the data securely
5. The driver can view the permissions granted, opt out, or increase the permission scope
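The five steps above, together with the four requirements on the Platform Security slide (opt in just in time, no stored credentials, only the required permissions, the ability to opt out), as an added example that is not part of the SOA Software deck: a self-contained Python simulation of the OAuth 2.0 authorization code grant between a hypothetical Trux authorization/resource server and the SafeTrucking app. Every name in it (the driver `driver42` and his password, the client id and secret, the redirect URI, the `equipment:read` style scope strings, the data records) is constructed for the example; Python method calls stand in for the HTTPS requests, so nothing is contacted on the network.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class TruxAuthServer:
    """Hypothetical Trux authorization + resource server (in memory). Passwords are checked only here."""

    def __init__(self):
        # Constructed sample data: one driver, one registered client, two data sets.
        self.users = {"driver42": hashlib.sha256(b"correct-horse").hexdigest()}
        self.clients = {"safetrucking": {"secret": "s3cr3t", "redirect_uri": "https://safetrucking.example/cb"}}
        self.data = {"driver42": {"equipment": "Trux T-9000, 12,000 h", "personal": "home address ..."}}
        self.codes, self.tokens = {}, {}  # one-time code -> pending grant; bearer token -> active grant

    def _check_client(self, client_id, redirect_uri):
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        return client

    def authorize(self, client_id, redirect_uri, scopes, state, username, password, consent):
        """Steps 2-3: the driver logs in at Trux and answers the consent screen; returns the redirect URL."""
        self._check_client(client_id, redirect_uri)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(username, ""), digest):
            raise PermissionError("bad credentials")
        if not consent:  # driver declined: the app learns only that it was denied
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"user": username, "client_id": client_id, "redirect_uri": redirect_uri,
                            "scopes": frozenset(scopes), "expires": time.time() + 60}  # short-lived
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: back-channel exchange of the one-time code for a scoped bearer token."""
        client = self._check_client(client_id, redirect_uri)
        if not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        pending = self.codes.pop(code, None)  # pop: a code can never be replayed
        if pending is None or pending["expires"] < time.time():
            raise PermissionError("invalid or expired code")
        if (pending["client_id"], pending["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("code was issued to a different client or redirect_uri")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": pending["user"], "client_id": client_id, "scopes": pending["scopes"]}
        return {"access_token": token, "scope": " ".join(sorted(pending["scopes"]))}

    def resource(self, token, name):
        """Resource endpoint: the token must be live and carry '<name>:read' for the data set requested."""
        grant = self.tokens.get(token)
        if grant is None:
            raise PermissionError("invalid or revoked token")
        if f"{name}:read" not in grant["scopes"]:
            raise PermissionError(f"token lacks scope {name}:read")
        return self.data[grant["user"]][name]

    def grants_for(self, username):
        """Step 5: what the driver sees on a 'manage permissions' page."""
        return {g["client_id"]: sorted(g["scopes"]) for g in self.tokens.values() if g["user"] == username}

    def revoke(self, username, client_id):
        """Opt-out: invalidate every token this driver granted to this app."""
        self.tokens = {t: g for t, g in self.tokens.items() if (g["user"], g["client_id"]) != (username, client_id)}


class SafeTruckingApp:
    """Hypothetical third-party app: it holds a bearer token, never the driver's password."""

    def __init__(self, trux):
        self.trux, self.pending_state, self.access_token = trux, None, None
        self.client_id, self.client_secret, self.redirect_uri = "safetrucking", "s3cr3t", "https://safetrucking.example/cb"

    def start_login(self, scopes):
        """Step 1: build the authorization request; 'state' ties the callback to this session (anti-CSRF)."""
        self.pending_state = secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": " ".join(scopes), "state": self.pending_state}

    def handle_callback(self, url):
        """Step 4, app side: verify state, then swap the code for a token. True if a token was obtained."""
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if params.get("state") != self.pending_state:
            raise PermissionError("state mismatch: possible CSRF or mixed-up session")
        self.pending_state = None
        if "error" in params:
            return False
        reply = self.trux.token(self.client_id, self.client_secret, params["code"], self.redirect_uri)
        self.access_token = reply["access_token"]
        return True


def run_flow(consent=True, scopes=("equipment:read",)):
    """One complete exchange; returns (app, trux, granted). The driver's credentials are constructed."""
    trux = TruxAuthServer()
    app = SafeTruckingApp(trux)
    req = app.start_login(scopes)
    callback = trux.authorize(req["client_id"], req["redirect_uri"], req["scope"].split(),
                              req["state"], "driver42", "correct-horse", consent)
    return app, trux, app.handle_callback(callback)
```

`run_flow()` walks the happy path: the app asks only for `equipment:read`, so a later request for the `personal` record is refused even with a valid token, and `revoke()` is the driver's opt-out from step 5. The `authorize()` call stands for the browser round trip through Trux's login and consent pages; `token()` stands for the server-to-server POST to the token endpoint, which is why the app authenticates with a client secret there. Two things to add in a real deployment that the slides do not mention: access tokens should expire (with refresh tokens for long-lived apps running on the semis), and a mobile app cannot keep an embedded client secret confidential, so a public client should use PKCE (RFC 7636) at the token endpoint instead of the secret shown here.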
19. Do you need an OAuth Server?
• Are you trying to create an open platform for App development?
• If so, you need one
20. SOA Software’s OAuth Server
• Integration with most common enterprise identity systems including LDAP, AD, CA SiteMinder, Oracle Access Manager, IBM TAM, RSA ClearTrust and more
• Comprehensive support for the OpenID, OAuth 1.0a and OAuth 2.0 specifications along with a wide array of other authentication and authorization specifications
• Fully brandable
• Built-in grant management
• Integrated with our Developer Community and API Gateway for rapid deployment