Securing APIs With WSO2 Identity Server
Thursday, November 05, 2020
Hello!
Janak Amarasena
Isura Karunaratne
Senior Software Engineer
isura@wso2.com
janak@wso2.com
Technical Lead
About ‘API Security and Beyond’ Webinar Series
WSO2 Integration Platform
● WSO2 API Manager: Addresses full API lifecycle management operations. Open, extensible, customizable. 200K+ APIs for 20K+ Orgs
● WSO2 Enterprise Integrator: Hybrid integration platform for quick, iterative integration of any application, data, or system. 6 Trillion Transactions/yr
● WSO2 Identity Server: Federates and manages identities across both cloud service and enterprise environments. 250M+ identities managed
WSO2 Identity Server has been recognized as a strong performer
WSO2 Identity Server is a strong performer among the 13 CIAM providers that matter most, according to Forrester Research, Inc.
● Highest scores possible in customer authentication, self service, business integration, reporting and dashboarding, and privacy & consent management in the Product Offering category
● Highest scores for commercial model in strategy and authentication plans
API Economy
APIs and API Economy
100% of revenue comes through API calls
Source: https://www.information-age.com/organisations-advantage-api-economy-123485729/
APIs and API Economy
Akamai Survey Report 2019
“Our survey of API traffic surprised us by revealing that 83% of the hits we see there are API driven.”
“For security practitioners, this is vitally important.”
Source: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/state-of-the-internet-security-retail-attacks-and-api-traffic-report-2019.pdf
Importance of API security
APIs will become the #1 attack vector by 2022
Importance of API security
● Facebook security breach
⦾ 50 million affected users
● Google Plus security breach
⦾ Over 50 million affected users
● An average application or API has 26.7 vulnerabilities.
● 81% of confirmed data breaches have used stolen valid credentials.
Sources: https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html, https://www.wired.com/story/google-plus-bug-52-million-users-data-exposed, https://techbeacon.com/app-dev-testing/post-equifax-why-api-security-should-be-priority
Importance of API security
Failure of API security can result in
● Operational disruptions
● Negative publicity
● Legal problems
● Repeat attacks
Role of API Key Manager
Introduction to WSO2 Identity Server
WSO2 Identity Server Capabilities
Key Capabilities
● Identity federation and SSO
● Identity bridging
● MFA and adaptive authentication
● Managing access to APIs
● Fine-grained access control
● Consent management
● Accounts management
● Progressive profiling
● RESTful APIs for integration
● Regulatory compliance
● Identity analytics
Why IAM is important in API Management
Key Capabilities
● Extended Access Delegation Capabilities
● Strong and Adaptive Authentication
● Cross Protocol Single Sign-On / Sign-Out
● Enforce authorization
● End-User Identity Management
● Privacy management
API Security capabilities of WSO2 Identity Server
Leveraging OAuth 2.0 capabilities
● Generating access tokens with various grant types and flows
⦿ Authorization Code grant
⦿ Client Credentials grant
⦿ Implicit grant | Discouraged in OAuth 2.0 Security BCP document
⦿ Password grant | Deprecated in OAuth 2.0 Security BCP document
⦿ JWT Bearer grant
⦿ SAML2 Bearer grant
⦿ OIDC hybrid flow
⦿ Several other grant types and flows
⦿ Extension points to easily deploy custom grants and flows
● Support for security best practices
⦿ PKCE flow for authorization code grant
⦿ Refresh token rotation
⦿ Encryption/Hashing of client secret
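As an added example (not code from the deck or from WSO2 Identity Server), the PKCE step of the authorization code grant listed above, with the client side and an in-memory stand-in for the server side; the endpoint URL, client id and redirect URI are placeholders:

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder endpoint, not WSO2 Identity Server's real path.
AUTHZ_ENDPOINT = "https://idp.example.test/oauth2/authorize"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id, redirect_uri, scope, state, challenge):
    """Front-channel request the (public) client sends via the user's browser."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """In-memory stand-in for the server side of the PKCE check."""

    def __init__(self):
        # code -> (client_id, code_challenge); a real server also binds
        # redirect_uri, scope and an expiry to the code.
        self._codes = {}

    def authorize(self, client_id, challenge, method):
        """Issue a code bound to the challenge. Only S256 is accepted: with
        the 'plain' method anyone who saw the challenge could redeem the code."""
        if method != "S256":
            raise ValueError("invalid_request: code_challenge_method must be S256")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, challenge)
        return code

    def token(self, code, client_id, verifier):
        """Back-channel exchange of code + verifier for an access token."""
        record = self._codes.pop(code, None)  # codes are single-use
        if record is None or record[0] != client_id:
            return {"error": "invalid_grant"}
        if not 43 <= len(verifier) <= 128:
            return {"error": "invalid_grant"}
        # Constant-time compare of the recomputed challenge with the stored one
        if not hmac.compare_digest(make_code_challenge(verifier), record[1]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow():
    """One honest exchange and the two failures PKCE is designed to produce."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorization_url("demo-client", "https://app.example.test/cb",
                                  "openid read", secrets.token_urlsafe(16), challenge)
    code = server.authorize("demo-client", challenge, "S256")
    honest = server.token(code, "demo-client", verifier)
    replay = server.token(code, "demo-client", verifier)   # same code a second time
    code2 = server.authorize("demo-client", challenge, "S256")
    # A party that obtained the code but never held the verifier
    without_verifier = server.token(code2, "demo-client", make_code_verifier())
    return {"url": url, "honest": honest, "replay": replay,
            "without_verifier": without_verifier}
```

The test vector in RFC 7636 Appendix B can be used to check make_code_challenge against a known answer.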
Leveraging OAuth 2.0 capabilities contd.
● Token introspection
⦿ Checking the validity of the token received by the API Gateway
● Revoking tokens
⦿ Supports token revocation via the standard API
⦿ Auto token revocation when a user's state changes (locked, deleted, credential change, etc.)
⦿ Auto token revocation when an application's state changes (disabled, deleted, etc.)
⦿ Extension points to add token revocation based on events
⦿ Firing events when token revocation happens
Easy integration of capabilities
● Fully API enabled
⦿ Support for standard APIs
● Service discovery via standard APIs
⦿ WebFinger
⦿ Discovery
⦿ JWKS
● DCR and DCRM API support for client application registration and management via APIs
Scope validation
● Scope is a mechanism in OAuth 2.0 to limit the application's access to a user's protected resources
● Able to define scope validators to validate the scopes being assigned to an access token
● OOTB scope validators
⦿ Role based
⦿ XACML based
● Extension point to easily deploy a custom scope validator
● REST API to manage scopes
Fine-grained access control
● Includes a fully fledged XACML engine
● API enabled. Invoke XACML policy checks via APIs.
● Integration support with an Open Policy Agent (OPA) engine for policy evaluation at user authentication for token generation
Event notifications and extensibility
● Eventing framework that fires events
⦿ Several examples:
⦾ Alerts on user claim updates
⦾ Alerts on a user getting locked
● Extension points to easily deploy event listeners that listen on required events and relay information to the API Manager
⦾ Ex: Clear gateway token-related cache when a token revocation happens
● Extension points to add custom components and extend product capabilities according to business needs
⦿ Several examples:
⦾ Adding a custom token type
⦾ Adding custom token validation at introspection
⦾ Introducing a new grant type
Demo
Setup
Scenario 01 - Secured API calls
Generate an access token with user John using the Authorization Code grant to make a secured API call
● Generate a token
● Invoke introspection endpoint
● Invoke the [GET] /menu API
Scenario 02 - Implicit token revocation
Update user John's credentials and try to invoke an API with the previously generated token
● Invoke introspection endpoint
● Update user John's credentials
● Invoke the [GET] /menu API
● Invoke introspection endpoint
Scenario 03 - Role based scope validation
Obtain a token with the “add” scope to call the [POST] /order API
● Check role required for the scope “add”
● Try to generate a token with user John
● Generate a token with user Jane
● Invoke the [POST] /order API
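An added example, not the deck's or WSO2's code, of the role-based scope validation from the “Scope validation” slide driven through Scenario 03, with the gateway enforcing the scope on the [GET] /menu and [POST] /order APIs. The users, roles and scope-to-role mapping are constructed, and rejecting the request with invalid_scope is one of the two behaviours RFC 6749 allows (the other is to drop unauthorised scopes and report the granted set):

```python
import secrets

# Which roles may obtain which scope (constructed mapping, not WSO2 configuration)
SCOPE_ROLES = {
    "read": {"customer", "staff"},
    "add": {"staff"},
}

# Which scope each demo API resource demands (constructed)
RESOURCE_SCOPES = {
    ("GET", "/menu"): "read",
    ("POST", "/order"): "add",
}

# Constructed directory: John is a customer, Jane is staff
USER_ROLES = {
    "john": {"customer"},
    "jane": {"staff"},
}


class ScopeValidationError(Exception):
    pass


def validate_scopes(username, requested):
    """Role-based validator: every requested scope must map to a role the user holds.

    The whole request is rejected on the first failure, so a client never
    silently receives a token with less than it asked for."""
    roles = USER_ROLES.get(username, set())
    granted = []
    for scope in requested:
        allowed_roles = SCOPE_ROLES.get(scope)
        if allowed_roles is None:
            raise ScopeValidationError(f"unknown scope '{scope}'")
        if not roles & allowed_roles:
            raise ScopeValidationError(f"user '{username}' lacks a role for scope '{scope}'")
        granted.append(scope)
    return granted


class KeyManager:
    """Issues opaque tokens and answers introspection with the granted scope."""

    def __init__(self):
        self._tokens = {}

    def token_request(self, username, requested_scopes):
        try:
            granted = validate_scopes(username, requested_scopes)
        except ScopeValidationError as exc:
            return {"error": "invalid_scope", "error_description": str(exc)}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": username, "scope": " ".join(granted)}
        return {"access_token": token, "token_type": "Bearer", "scope": " ".join(granted)}

    def introspect(self, token):
        rec = self._tokens.get(token)
        if rec is None:
            return {"active": False}
        return {"active": True, **rec}


def gateway(km, token, method, path):
    """PEP at the API gateway: introspect, then require the resource's scope."""
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return 404
    info = km.introspect(token)
    if not info.get("active"):
        return 401  # unknown or inactive token
    if required not in info.get("scope", "").split():
        return 403  # valid token, insufficient scope
    return 200


def run_scenario_03():
    """Scenario 03 end to end, plus the scope check a read-only token hits at /order."""
    km = KeyManager()
    john = km.token_request("john", ["add"])        # John lacks the 'staff' role
    jane = km.token_request("jane", ["add"])
    john_read = km.token_request("john", ["read"])
    return {
        "john": john,
        "jane_status": gateway(km, jane["access_token"], "POST", "/order"),
        "john_read_status": gateway(km, john_read["access_token"], "GET", "/menu"),
        "john_order_status": gateway(km, john_read["access_token"], "POST", "/order"),
        "bogus_status": gateway(km, "not-a-token", "GET", "/menu"),
    }
```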
Scenario 04 - Explicit token revocation
Call the OAuth token revocation endpoint and revoke an access token
● Invoke introspection endpoint
● Invoke token revocation endpoint
● Invoke the [POST] /order API
● Invoke introspection endpoint
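An added example (not the deck's or WSO2 Identity Server's code) that models together the token introspection and revocation capabilities from the “Leveraging OAuth 2.0 capabilities contd.” slide, the revocation event listener from the “Event notifications and extensibility” slide, and Scenarios 02 and 04: implicit revocation on a credential change, explicit revocation, and a gateway cache that an event listener keeps honest. The event names, token records and clock are constructed:

```python
import secrets


class FakeClock:
    """Deterministic clock so expiry can be exercised offline."""
    def __init__(self, now=1_700_000_000):
        self.now = now


class TokenService:
    """Key-manager side: issues, introspects and revokes opaque tokens."""
    # Constructed event names; user-state changes that invalidate tokens
    REVOKING_USER_EVENTS = {"CREDENTIAL_UPDATE", "USER_LOCKED", "USER_DELETED"}

    def __init__(self, clock):
        self._clock = clock
        self._tokens = {}
        self._listeners = []   # called as cb(token, reason) on every revocation

    def on_revocation(self, callback):
        self._listeners.append(callback)

    def issue(self, sub, client_id, scope, ttl=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": sub, "client_id": client_id, "scope": scope,
                               "exp": self._clock.now + ttl, "active": True}
        return token

    def introspect(self, token):
        """RFC 7662 shape: unknown, revoked and expired all answer {"active": false}."""
        rec = self._tokens.get(token)
        if rec is None or not rec["active"] or rec["exp"] <= self._clock.now:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "client_id": rec["client_id"],
                "scope": rec["scope"], "exp": rec["exp"]}

    def revoke(self, token, reason="client_request"):
        """RFC 7009 semantics: revoking an unknown or already revoked token is not an error."""
        rec = self._tokens.get(token)
        if rec is None or not rec["active"]:
            return
        rec["active"] = False
        for callback in self._listeners:
            callback(token, reason)

    def handle_user_event(self, event, sub):
        """Implicit revocation: a user-state change kills that user's live tokens."""
        if event not in self.REVOKING_USER_EVENTS:
            return 0
        victims = [t for t, r in self._tokens.items() if r["sub"] == sub and r["active"]]
        for token in victims:
            self.revoke(token, reason=event)
        return len(victims)


class Gateway:
    """Caches positive introspection results; the revocation listener evicts them."""
    def __init__(self, service, clock):
        self._service = service
        self._clock = clock
        self._cache = {}
        self.introspection_calls = 0
        service.on_revocation(self._evict)

    def _evict(self, token, reason):
        self._cache.pop(token, None)

    def call(self, token):
        info = self._cache.get(token)
        if info is None or info["exp"] <= self._clock.now:   # never trust a stale entry
            self.introspection_calls += 1
            info = self._service.introspect(token)
            if info["active"]:
                self._cache[token] = info
        return 200 if info["active"] else 401


def run_scenarios():
    clock = FakeClock()
    svc = TokenService(clock)
    gw = Gateway(svc, clock)
    # Scenario 02: John's credentials change after his token was issued
    john = svc.issue("john", "demo-client", "read")
    john_before = gw.call(john)
    revoked = svc.handle_user_event("CREDENTIAL_UPDATE", "john")
    john_after = gw.call(john)
    # Scenario 04: explicit revocation through the revocation endpoint (idempotent)
    jane = svc.issue("jane", "demo-client", "add")
    jane_before = gw.call(jane)
    svc.revoke(jane)
    svc.revoke(jane)
    jane_after = gw.call(jane)
    # Expiry: a cached positive result must not outlive the token
    short = svc.issue("jane", "demo-client", "add", ttl=60)
    cached_ok = gw.call(short)
    clock.now += 61
    expired = gw.call(short)
    return {"john_before": john_before, "revoked": revoked, "john_after": john_after,
            "jane_before": jane_before, "jane_after": jane_after, "cached_ok": cached_ok,
            "expired": expired, "introspection_calls": gw.introspection_calls}
```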
Scenario 05 - Fine-grained access control with XACML
Invoke the XACML policy decision point for a [POST] /order API call
● XACML configuration
● Generate an access token with client credentials grant
● Invoke XACML PDP
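An added example for the “Fine-grained access control” slide and Scenario 05, not WSO2 Identity Server's XACML engine: it builds the JSON Profile of XACML 3.0 request a gateway would send to the PDP for a [POST] /order call, evaluates it against a constructed deny-overrides policy standing in for the PDP, and shows why the PEP must treat anything other than an explicit Permit as a denial:

```python
import json

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"        # XACML RBAC profile
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def build_request(subject, roles, action, resource):
    """Shape a PEP would POST to the PDP (JSON Profile of XACML 3.0)."""
    return json.dumps({"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": subject},
            {"AttributeId": ROLE_ID, "Value": sorted(roles)},
        ]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
    }})


# Constructed policy: rules combined with deny-overrides; role None means any subject
POLICY = [
    {"effect": "Permit", "resource": "/order", "action": "POST", "role": "staff"},
    {"effect": "Deny",   "resource": "/order", "action": "POST", "role": "suspended"},
    {"effect": "Permit", "resource": "/menu",  "action": "GET",  "role": None},
]


def _attrs(category):
    """Flatten one request category to {AttributeId: set(values)}."""
    out = {}
    for attr in category.get("Attribute", []):
        value = attr["Value"]
        out[attr["AttributeId"]] = set(value) if isinstance(value, list) else {value}
    return out


def stand_in_pdp(request_json):
    """Local stand-in for the PDP; a malformed request yields Indeterminate."""
    try:
        req = json.loads(request_json)["Request"]
        subject = _attrs(req["AccessSubject"])
        actions = _attrs(req["Action"])[ACTION_ID]
        resources = _attrs(req["Resource"])[RESOURCE_ID]
    except (KeyError, ValueError, TypeError):
        return json.dumps({"Response": [{"Decision": "Indeterminate"}]})
    roles = subject.get(ROLE_ID, set())
    effects = set()
    for rule in POLICY:
        if rule["resource"] not in resources or rule["action"] not in actions:
            continue
        if rule["role"] is not None and rule["role"] not in roles:
            continue
        effects.add(rule["effect"])
    if "Deny" in effects:
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    return json.dumps({"Response": [{"Decision": decision}]})


def pep_allows(response_json):
    """Deny by default: Deny, NotApplicable, Indeterminate or garbage all refuse."""
    try:
        results = json.loads(response_json)["Response"]
    except (KeyError, ValueError, TypeError):
        return False
    return len(results) == 1 and results[0].get("Decision") == "Permit"


def decide(subject, roles, action, resource):
    """Full round trip: build request, ask the PDP, enforce at the PEP."""
    response = stand_in_pdp(build_request(subject, roles, action, resource))
    return json.loads(response)["Response"][0]["Decision"], pep_allows(response)
```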
Let’s Recap
● API Economy
● Importance of API security
● Role of API Key Manager
● Introduction to WSO2 Identity Server
● API Security capabilities of WSO2 Identity Server
● Demo
Question Time!
Next in the Series
wso2.com
Thanks!
