An OAuth-protected API Platform for Private, Partner & Public Use
By Travis Spencer, CEO
@travisspencer / @2botech
Copyright 2014 Twobo Technologies AB @travisspencer / @2botech 2
Agenda
▪ Business benefits of APIs
▪ Associated security challenges
▪ Requirements to overcome these obstacles
▪ Platform security architecture
  ▪ Delivers business benefits
  ▪ Overcomes challenges
  ▪ Meets specifications
3. 6 Benefits of APIs
Business Benefits of Private APIs (diagram):
▪ Modernize organization
▪ Start API strategy
▪ Manage supply chain
▪ Time-to-market
▪ Internal communication
▪ Business intelligence & analytics
▪ Post by Mark Boyd on Nordic APIs blog
▪ Same benefits afforded by partner & public APIs
▪ j.mp/1dpGCX6
4. Starting an API Strategy
▪ Not beginning with a clean slate
▪ Existing data & systems must be made available in new ways
▪ Reuse & extend existing infrastructure
▪ Bridge old & new technologies
5. Neo-security Requirements
▪ Identity & content must be converted
▪ Legacy systems must be concealed & abstracted
▪ Work with all modes of service delivery
▪ Secure all channels
6. Modernize Organization
▪ Core business capabilities are distilled into reusable modules
▪ Composed together like Legos
▪ Security will prevent or allow composability
(Images: Loc Blocs, Legos)
7. Neo-security Requirements
▪ Based on open, international standards
▪ COTS products must be limited to specialized roles
▪ Apps & Web sites must not perform authentication & authorization
8. Manage Supply Chain
▪ Optimization of value across organizational boundaries
▪ Massive distribution
▪ Automation
▪ Lack of robust security is a showstopper
▪ Users demand seamless access across apps
▪ API client & end user must be identified
▪ Rights must be applied to users from other organizations
9. Neo-security Requirements
▪ Access control
▪ Account provisioning
▪ Web Single Sign-on (SSO) & federation
▪ Delegated access (à la OAuth)
10. OAuth
▪ OAuth 2 is the new protocol of protocols
▪ Used as the base of other specifications
  ▪ OpenID Connect, UMA, etc.
▪ Addresses some important requirements
  ▪ Delegated access
  ▪ No password sharing
  ▪ Revocation of access
11. OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
Diagram: the RO delegates to the Client; the Client gets a token from the AS and uses the token at the RS.
12. Scopes
▪ Like permissions
▪ Scopes specify the extent of a token's usefulness
▪ Listed on the consent UI (if shown)
▪ No standardized scopes
13. Usage of OAuth
▪ Not for authentication
▪ Not really for authorization
▪ Not for federation
14. Usage of OAuth
▪ For delegated access
15. Requirements Demand More
Diagram: Identities, APIs, Entitlements.
▪ Today's use cases require more than just delegation
▪ OAuth is important but insufficient
16. OpenID Connect
▪ Next generation federation protocol
▪ Based on OAuth 2
▪ Made for mobile
▪ Not backward compatible
▪ Client & API receive tokens
▪ Endpoint provided for the client to get user data
17. OpenID Connect + OAuth Example
Sequence diagram between the Browser, the RP / Client and the OpenID Provider:
1. Request login, providing the "openid" scope & user info scopes
2. Access code (returned via the Browser)
3. Redeem access code
4. Access token & ID token
5. Check audience restriction of ID token
6. Get user info using access token
7. Access tokens (used by the client at the APIs)
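The RP-side audience check in step 5 of this flow and the API-side scope check described on the Scopes slide, as an added Python example (not code from the talk or from Twobo); the issuer, client_id, shared secret and tokens are constructed, and HS256 stands in for the RS256 signatures a real OpenID Provider would use so that the example runs offline.

```python
"""Relying-party and resource-server checks for the OpenID Connect + OAuth flow.
Added illustration; the provider, client and tokens below are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. Real OpenID Providers normally sign ID tokens with
# RS256 and publish the public key; HS256 is used here only to stay offline.
DEMO_SECRET = b"constructed-demo-secret"
ISSUER = "https://op.example.com"   # assumed OpenID Provider issuer
CLIENT_ID = "rp-client-123"         # assumed RP / Client client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT; plays the OpenID Provider / Authorization Server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_signature(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the HS256 signature and return the claims; raise ValueError otherwise."""
    header, body, sig = token.split(".")  # ValueError if not three segments
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the alg
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def check_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Step 5: the RP checks the ID token's audience restriction (plus iss, exp, nonce).
    'aud' may be a string or a list; with several audiences 'azp' must name this client."""
    claims = verify_signature(token)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in audiences:
        raise ValueError("ID token was not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must identify this client when aud has several entries")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def api_allows(access_token: str, required_scope: str, now=None) -> bool:
    """Resource server side: does the access token carry the scope this API needs?"""
    try:
        claims = verify_signature(access_token)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    granted = set(claims.get("scope", "").split())  # space-separated scope list
    return required_scope in granted


def demo():
    """Happy path plus one scope rejection, all on constructed tokens."""
    now = 1_700_000_000
    id_token = make_token({"iss": ISSUER, "sub": "user-42", "aud": [CLIENT_ID, "other-app"],
                           "azp": CLIENT_ID, "exp": now + 300, "nonce": "n-1"})
    subject = check_id_token(id_token, "n-1", now)["sub"]
    access = make_token({"iss": ISSUER, "sub": "user-42", "scope": "openid profile",
                         "exp": now + 300})
    return subject, api_allows(access, "profile", now), api_allows(access, "contacts.read", now)


if __name__ == "__main__":
    print(demo())
```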
18. The Neo-security Stack
▪ OpenID Connect: Federation
▪ SCIM: Provisioning
▪ OAuth: Delegated Access
▪ XACML: Authorization
▪ JSON Identity Suite: Identities
19. The Neo-security Platform
Standards: SCIM, JSON Identity Suite, OpenID Connect, OAuth, XACML
Systems: Entitlement Management System, Identity Management System, API Management System
20. Summary
▪ APIs offer many benefits
▪ Security will impede or enable these
▪ Technology exists to protect your API
▪ OAuth is not enough
▪ Need the entire Neo-security Stack
▪ The Neo-security Platform protects data & delivers benefits
21. Questions & Thanks
@2botech
@travisspencer
www.twobo.com
An OAuth protected platform (Nordic APIS April 2014)
