An OAuth protected platform (Nordic APIS April 2014)
1. An OAuth-protected API Platform for Private, Partner & Public Use
By Travis Spencer, CEO
@travisspencer / @2botech
2. Copyright 2014 Twobo Technologies AB @travisspencer / @2botech 2
Agenda
▪ Business benefits of APIs
▪ Associated security challenges
▪ Requirements to overcome these obstacles
▪ Platform security architecture
  ▪ Delivers business benefits
  ▪ Overcomes challenges
  ▪ Meets specifications
3. 6 Benefits of APIs
Diagram: Business Benefits of Private APIs: modernize organization, start API strategy, manage supply chain, time-to-market, internal communication, business intelligence / analytics
▪ Post by Mark Boyd on Nordic APIs blog
▪ Same benefits afforded by partner & public APIs
▪ j.mp/1dpGCX6
4. Starting an API Strategy
▪ Not beginning with a clean slate
▪ Existing data & systems must be made available in new ways
▪ Reuse & extend existing infrastructure
▪ Bridge old & new technologies
5. Neo-security Requirements
▪ Identity & content must be converted
▪ Legacy systems must be concealed & abstracted
▪ Work with all modes of service delivery
▪ Secure all channels
6. Modernize Organization
▪ Core business capabilities are distilled into reusable modules
▪ Composed together like Legos
▪ Security will prevent or allow composability
7. Neo-security Requirements
▪ Based on open, international standards
▪ COTS products must be limited to specialized roles
▪ Apps & Web sites must not perform authentication & authorization
8. Manage Supply Chain
▪ Optimization of value across organizational boundaries
▪ Massive distribution
▪ Automation
▪ Lack of robust security is a showstopper
  ▪ Users demand seamless access across apps
  ▪ API client & end user must be identified
  ▪ Rights must be applied to users from other organizations
9. Neo-security Requirements
▪ Access control
▪ Account provisioning
▪ Web Single Sign-on (SSO) & federation
▪ Delegated access (a la OAuth)
10. OAuth
▪ OAuth 2 is the new protocol of protocols
  ▪ Used as the base of other specifications
  ▪ OpenID Connect, UMA, etc.
▪ Addresses some important requirements
  ▪ Delegated access
  ▪ No password sharing
  ▪ Revocation of access
11. OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
Diagram: the RO delegates to the Client; the Client gets a token from the AS and uses the token at the RS.
12. Scopes
▪ Like permissions
▪ Scopes specify the extent of a token's usefulness
▪ Listed on consent UI (if shown)
▪ No standardized scopes
13. Usage of OAuth
▪ Not for authentication
▪ Not really for authorization
▪ Not for federation
14. Usage of OAuth
▪ For delegated access
15. Requirements Demand More
Diagram: Identities, APIs, Entitlements
▪ Today's use cases require more than just delegation
▪ OAuth is important but insufficient
16. OpenID Connect
▪ Next generation federation protocol
  ▪ Based on OAuth 2
  ▪ Made for mobile
  ▪ Not backward compatible
▪ Client & API receive tokens
▪ Endpoint provided for client to get user data
17. OpenID Connect + OAuth Example
Sequence diagram (participants: Browser, RP / Client, OpenID Provider):
1. Request login, providing "openid" scope & user info scopes
2. Access code
3. Redeem access code
4. Access token & ID token
5. Check audience restriction of ID token
6. Get user info using access token
7. Access tokens
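Step 5 of the sequence above, the RP checking the audience restriction of the ID token it got back when redeeming the code, as an added example that is not from the talk. It assumes a constructed shared secret, issuer and client_id (real OpenID Providers sign with asymmetric keys published via JWKS); the token is minted locally so the check runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not from the talk): a secret shared by the hypothetical OpenID
# Provider and RP. Real providers sign ID tokens with asymmetric keys published via JWKS.
SECRET = b"constructed-demo-secret"
ISSUER = "https://op.example"      # assumed OpenID Provider issuer identifier
CLIENT_ID = "rp-client-123"        # assumed client_id of the RP

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict) -> str:
    """Stand-in for the ID token the OP returns when the RP redeems the code (HS256 JWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """RP-side checks before trusting the ID token: signature, iss, aud (+azp), exp, nonce."""
    now = int(time.time()) if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Audience restriction: an ID token issued to some other client is not proof of
    # login at this RP, so it is rejected even though the OP's signature is valid.
    if CLIENT_ID not in audiences:
        raise ValueError("audience restriction failed")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def id_token_accepted(token: str, expected_nonce: str, now=None) -> bool:
    try:
        validate_id_token(token, expected_nonce, now)
        return True
    except ValueError:
        return False
```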
18. The Neo-security Stack
OpenID Connect: Federation
SCIM: Provisioning
OAuth: Delegated Access
XACML: Authorization
JSON Identity Suite: Identities
19. The Neo-security Platform
Diagram: Identity Management System, API Management System and Entitlement Management System, built on SCIM, JSON Identity Suite, OpenID Connect, OAuth and XACML
20. Summary
▪ APIs offer many benefits
▪ Security will impede or enable these
▪ Technology exists to protect your API
  ▪ OAuth is not enough
  ▪ Need the entire Neo-security Stack
▪ The Neo-security Platform protects data & delivers benefits