SlideShare una empresa de Scribd logo

Extended Security with WSO2 API Management Platform

Descargar como PPTX, PDF
WSO2
WSO2

Uvindra Jayasinha from WSO2 presented on extending security with the WSO2 API Management platform. He covered best practices for OAuth 2.0 access tokens, adding SAML single sign-on, federated identity with third-party providers, enforcing fine-grained entitlement policies, and accessing user attributes. The presentation explained key OAuth concepts like grant types, actors, and tokens. It also described using SAML assertions, XACML policies, and JWT claims to pass user information and control access.

Tecnología
1 de 20
WSO2 Uvindra Dias Jayasinha Extended Security with WSO2 API Management Platform 30th April, 2015
** About the Presenter Uvindra joined WSO2 in November 2013. He is a Senior Software Engineer in the WSO2 API Manager Team. He has a background in Telecom Billing Systems and Financial Trading systems, including High Performance Software development
** Agenda ● Best practices when requesting OAuth 2.0 Access Tokens ● Adding SAML based Single Sign On (SSO) capabilities to API management and leveraging SAML2 Bearer Tokens to request OAuth 2.0 Access Tokens ● Federated identity: How to use a third-party identity provider with API Manager ● Enforcing fine-grained entitlement policies at the API management layer ● Accessing API user's attributes to make decisions
** APIs and Security Exposing Services as APIs means we need to address how those APIs are going to be secured ● Primarily protecting APIs via API Access Tokens ● But also so much more than that…... ❏ Forced to deal with different kinds of users and applications ❏ One size does not fit all when it comes to security
** OAuth 2.0 - The Cornerstone OAuth definition from the OAuth 2.0 IETF specification - "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." [1] [1] http://tools.ietf.org/html/rfc6749
** OAuth 2.0 - Grant Types Depending on the trustworthiness of the application that is trying to access the API, oauth provides different methods that can be used for granting access ● Authorization Code ● Password(Resource Owner Credentials) ● Client Credentials ● Implicit
** Understanding the actors involved Resource owner The Person who owns the data or has rights to the data that will be exposed by the Service via an API Resource Server The server that hosts the actual Service/API that exposes the data Application Considered as the ‘client’ in OAuth circles. The one requesting access to the API Auth Server Grants access to the Application after authenticating it with the Resource Owner
** Key OAuth concepts Client ID A unique string representing an Application registered with the Auth Server Client Secret A secret password that is used by the Auth Server to authenticate if the Application is an authorized Application Access Token A key provided by the Auth Server to the Application which allows access to a given API for a limited amount of time. After the time expires the key will be considered invalid Refresh Token A secondary key that can be used by the Application to request a new Access Token from the Auth Server
** Authorization Code Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides remotely from the Resource Owner ● Resource Owner gets involved initially to decide if the Auth Server should grant API access to the Application ● ‘Auth Code’ is returned by Auth Server to the Application which uses it to request Access + Refresh Tokens from the Auth Server ● The Application may store the Access + Refresh Tokens and reuse them to access the API, no longer needing intervention from the Resource Owner ● Considered the most secure grant type
** Implicit Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides locally to the Resource Owner(eg: Web browser, Mobile device) ● A simplified version of the Authorization Code grant type with the elimination of the Auth Code issuing step ● Since Resource Owner is present in proximity to App there is nothing to be gained by issuing an Auth Code ● Once Resource Owner approves App, Auth Server provides Access Token directly to App ● Access Token validity periods should be relatively short, no Refresh Token is issued ● App should rely on the Resource Owner to get involved again to get a new Access Token
** Password Grant Type Category of Application - 3rd Party trusted ● Since the App is trusted the Resource Owner is able to share their own username and password directly with the App ● By providing their credentials to the App, the Resource Owner is delegating authority to the App to authenticate itself with the Auth Server and get Access + Refresh Tokens
** Client Credentials Grant Type Category of Application - Resource Owners App ● Since the App belongs to the Resource Owner there is no need to authenticate the App via the Resource Owners credentials or require that the Resource Owner get involved to help the Auth Server decide if access should be granted ● All that is required by the Auth Server is to identify if the App requesting the Access Token is in fact the Resource Owners App ● The App only needs to provide the Client ID and Client Secret to the Auth Server to get the Access Token
** Single Sign On ● The WSO2 API Management platform can be configured to support SAML 2.0 based SSO ● Security Assertion Markup Language 2.0 - XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider ● SAML is a widely established means of identity federation in enterprises.
** Advantage of SAML based SSO ● Provides convenience when working with multiple store/publisher web applications ● Reduces password fatigue ● Able to exchange the SAML token issued by the Identity Provider for an OAuth 2.0 access token, avoiding the need to explicitly be authenticated by an Auth 2.0 Auth Server. This is an advantage for enterprises that already have an existing SAML identity provider
** Federated Identity ● Demo Scenario - Using Facebook as a Federated identity provider to act as a Auth Server to obtain a API Access Token
** Fine-grained entitlement policies ● API Manager supports Auth 2.0 scopes to restrict access to API resources based on user roles ● But when more fine grained entitlement policies are required XACML policies can be used ● XACML stands for "eXtensible Access Control Markup Language", which defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate access requests according to the rules defined in policies.
** Accessing API users attributes to make decisions ● Its often useful for the API hosting service to make decisions based on information associated with the user who initiated the API invocation such as, ○ Username of end user ○ The organization the end user is associated with ○ The email of the end user ○ The gender of the end user
** Passing Claims via JWT ● Claim - user attribute that is mapped to the underlying user store ● Claim dialect - A set of predefined claims ● API Manager can be configured to pass a Claim Dialect via a JSON Web Token[1] to the back end API along with the API invocation [1] http://openid.net/specs/draft-jones-json-web-token-07.html#anchor3
** Resources ● [Article] OAuth2 Grant Types and Need For Implicit Grant for JavaScript and Mobile Applications http://wso2.com/library/articles/2014/12/article- oauth2-grant-types-and-need-for-implicit-grant-for-javascript-mobile-applications/ ● What is the purpose of the implicit grant authorization type in OAuth 2? http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2 ● Enforcing fine grained entitlement policies With XACML http://xacmlinfo.org/2014/10/24/authorization-for-apis-with-xacml-and-oauth-2-0/
Contact us !

Recomendados

Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
Using a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerUsing a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerWSO2
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Ubisecure
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 

Recomendados

Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 
Using a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerUsing a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerWSO2
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjPavan Kumar J
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Ubisecure
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primerManish Pandit
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
UMA for ACE
UMA for ACEUMA for ACE
UMA for ACEHannes Tschofenig
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementWSO2
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2Aaron Parecki
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryCombining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryWSO2
 
Leveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayLeveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayWSO2
 

Más contenido relacionado

La actualidad más candente

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementWSO2
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran
 

La actualidad más candente (20)

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
UMA for ACE
UMA for ACEUMA for ACE
UMA for ACE
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API Management
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
 

Destacado

Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryCombining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryWSO2
 
Leveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayLeveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayWSO2
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2
 
Implementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management PlatformImplementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management PlatformWSO2
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBWSO2
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESBWSO2
 
WSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API ManagementWSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API ManagementEdgar Silva
 
Open Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service BusOpen Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service Bussumedha.r
 
How to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API EcosystemHow to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API EcosystemWSO2
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2
 
CAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemplesCAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemplesClément OUDOT
 
WSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery ChannelWSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery ChannelWSO2
 
API designing with WSO2 API Manager
API designing with WSO2 API ManagerAPI designing with WSO2 API Manager
API designing with WSO2 API ManagerWSO2
 
WSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital EnterpriseWSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital EnterpriseWSO2
 
WSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2
 
Workshop: API Management
Workshop: API ManagementWorkshop: API Management
Workshop: API ManagementWSO2
 
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemplesCAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemplesClément OUDOT
 
Best Practices for API Management
Best Practices for API Management Best Practices for API Management
Best Practices for API Management WSO2
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyWSO2
 

Destacado (19)

Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryCombining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
 
Leveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayLeveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gateway
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
 
Implementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management PlatformImplementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management Platform
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
 
WSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API ManagementWSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API Management
 
Open Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service BusOpen Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service Bus
 
How to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API EcosystemHow to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API Ecosystem
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
CAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemplesCAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemples
 
WSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery ChannelWSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery Channel
 
API designing with WSO2 API Manager
API designing with WSO2 API ManagerAPI designing with WSO2 API Manager
API designing with WSO2 API Manager
 
WSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital EnterpriseWSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
 
WSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and Roadmap
 
Workshop: API Management
Workshop: API ManagementWorkshop: API Management
Workshop: API Management
 
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemplesCAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
 
Best Practices for API Management
Best Practices for API Management Best Practices for API Management
Best Practices for API Management
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management Strategy
 

Similar a Extended Security with WSO2 API Management Platform

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19aminmesbahi
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauthPriyanka Aash
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CloudIDSummit
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTAllSeen Alliance
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsStefan Weber
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)gemziebeth
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays
 

Similar a Extended Security with WSO2 API Management Platform (20)

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoT
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
OAuth
OAuthOAuth
OAuth
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
 
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachiapidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
apidays Paris 2022 - Securing APIs in Open Banking, Takashi Norimatsu, Hitachi
 
OAuth
OAuthOAuth
OAuth
 

Más de WSO2

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in ChoreoWSO2
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023WSO2
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzureWSO2
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfWSO2
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in MinutesWSO2
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityWSO2
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...WSO2
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfWSO2
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoWSO2
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsWSO2
 
A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital BusinessesWSO2
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)WSO2
 
Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformationWSO2
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesWSO2
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready BankWSO2
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIsWSO2
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native DeploymentWSO2
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”WSO2
 

Más de WSO2 (20)

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in Choreo
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on Azure
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdf
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos Identity
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdf
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing Choreo
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
 
A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
 

Último

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 

Último (20)

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 

Extended Security with WSO2 API Management Platform

  • 1. WSO2 Uvindra Dias Jayasinha Extended Security with WSO2 API Management Platform 30th April, 2015
  • 2. ** About the Presenter Uvindra joined WSO2 in November 2013. He is a Senior Software Engineer in the WSO2 API Manager Team. He has a background in Telecom Billing Systems and Financial Trading systems, including High Performance Software development
  • 3. ** Agenda ● Best practices when requesting OAuth 2.0 Access Tokens ● Adding SAML based Single Sign On (SSO) capabilities to API management and leveraging SAML2 Bearer Tokens to request OAuth 2.0 Access Tokens ● Federated identity: How to use a third-party identity provider with API Manager ● Enforcing fine-grained entitlement policies at the API management layer ● Accessing API user's attributes to make decisions
  • 4. ** APIs and Security Exposing Services as APIs means we need to address how those APIs are going to be secured ● Primarily protecting APIs via API Access Tokens ● But also so much more than that…... ❏ Forced to deal with different kinds of users and applications ❏ One size does not fit all when it comes to security
  • 5. ** OAuth 2.0 - The Cornerstone OAuth definition from the OAuth 2.0 IETF specification - "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." [1] [1] http://tools.ietf.org/html/rfc6749
  • 6. ** OAuth 2.0 - Grant Types Depending on the trustworthiness of the application that is trying to access the API, oauth provides different methods that can be used for granting access ● Authorization Code ● Password(Resource Owner Credentials) ● Client Credentials ● Implicit
  • 7. ** Understanding the actors involved Resource owner The Person who owns the data or has rights to the data that will be exposed by the Service via an API Resource Server The server that hosts the actual Service/API that exposes the data Application Considered as the ‘client’ in OAuth circles. The one requesting access to the API Auth Server Grants access to the Application after authenticating it with the Resource Owner
  • 8. ** Key OAuth concepts Client ID A unique string representing an Application registered with the Auth Server Client Secret A secret password that is used by the Auth Server to authenticate if the Application is an authorized Application Access Token A key provided by the Auth Server to the Application which allows access to a given API for a limited amount of time. After the time expires the key will be considered invalid Refresh Token A secondary key that can be used by the Application to request a new Access Token from the Auth Server
  • 9. ** Authorization Code Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides remotely from the Resource Owner ● Resource Owner gets involved initially to decide if the Auth Server should grant API access to the Application ● ‘Auth Code’ is returned by Auth Server to the Application which uses it to request Access + Refresh Tokens from the Auth Server ● The Application may store the Access + Refresh Tokens and reuse them to access the API, no longer needing intervention from the Resource Owner ● Considered the most secure grant type
  • 10. ** Implicit Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides locally to the Resource Owner(eg: Web browser, Mobile device) ● A simplified version of the Authorization Code grant type with the elimination of the Auth Code issuing step ● Since Resource Owner is present in proximity to App there is nothing to be gained by issuing an Auth Code ● Once Resource Owner approves App, Auth Server provides Access Token directly to App ● Access Token validity periods should be relatively short, no Refresh Token is issued ● App should rely on the Resource Owner to get involved again to get a new Access Token
  • 11. ** Password Grant Type Category of Application - 3rd Party trusted ● Since the App is trusted the Resource Owner is able to share their own username and password directly with the App ● By providing their credentials to the App, the Resource Owner is delegating authority to the App to authenticate itself with the Auth Server and get Access + Refresh Tokens
  • 12. ** Client Credentials Grant Type Category of Application - Resource Owners App ● Since the App belongs to the Resource Owner there is no need to authenticate the App via the Resource Owners credentials or require that the Resource Owner get involved to help the Auth Server decide if access should be granted ● All that is required by the Auth Server is to identify if the App requesting the Access Token is in fact the Resource Owners App ● The App only needs to provide the Client ID and Client Secret to the Auth Server to get the Access Token
  • 13. ** Single Sign On ● The WSO2 API Management platform can be configured to support SAML 2.0 based SSO ● Security Assertion Markup Language 2.0 - XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider ● SAML is a widely established means of identity federation in enterprises.
  • 14. ** Advantage of SAML based SSO ● Provides convenience when working with multiple store/publisher web applications ● Reduces password fatigue ● Able to exchange the SAML token issued by the Identity Provider for an OAuth 2.0 access token, avoiding the need to explicitly be authenticated by an Auth 2.0 Auth Server. This is an advantage for enterprises that already have an existing SAML identity provider
  • 15. ** Federated Identity ● Demo Scenario - Using Facebook as a Federated identity provider to act as a Auth Server to obtain a API Access Token
  • 16. ** Fine-grained entitlement policies ● API Manager supports Auth 2.0 scopes to restrict access to API resources based on user roles ● But when more fine grained entitlement policies are required XACML policies can be used ● XACML stands for "eXtensible Access Control Markup Language", which defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate access requests according to the rules defined in policies.
  • 17. ** Accessing API users attributes to make decisions ● Its often useful for the API hosting service to make decisions based on information associated with the user who initiated the API invocation such as, ○ Username of end user ○ The organization the end user is associated with ○ The email of the end user ○ The gender of the end user
  • 18. ** Passing Claims via JWT ● Claim - user attribute that is mapped to the underlying user store ● Claim dialect - A set of predefined claims ● API Manager can be configured to pass a Claim Dialect via a JSON Web Token[1] to the back end API along with the API invocation [1] http://openid.net/specs/draft-jones-json-web-token-07.html#anchor3
  • 19. ** Resources ● [Article] OAuth2 Grant Types and Need For Implicit Grant for JavaScript and Mobile Applications http://wso2.com/library/articles/2014/12/article- oauth2-grant-types-and-need-for-implicit-grant-for-javascript-mobile-applications/ ● What is the purpose of the implicit grant authorization type in OAuth 2? http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2 ● Enforcing fine grained entitlement policies With XACML http://xacmlinfo.org/2014/10/24/authorization-for-apis-with-xacml-and-oauth-2-0/