Nordic APIs - Building a Secure API
Page 1: Nordic APIs - Building a Secure API

Building a Secure API

Overview of techniques and technologies needed to launch a secure API

By Travis Spencer, CEO

@travisspencer, @2botech

Copyright © 2013 Twobo Technologies AB. All rights reserved

Page 2: Nordic APIs - Building a Secure API

Agenda

The security challenge in context

Neo-security stack

OAuth Basics

Overview of other layers

Page 3: Nordic APIs - Building a Secure API

Crucial Security Concerns

Venn diagram of three overlapping areas: Enterprise Security, API Security, Mobile Security.

Page 4: Nordic APIs - Building a Secure API

Identity is Central

Venn diagram by Gunnar Peterson: Mobile Security, API Security and Enterprise Security overlap, with Identity at the center; the diagram also labels MDM, MAM and AuthZ.

Page 5: Nordic APIs - Building a Secure API

Neo-security Stack

SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack

OAuth 2 is the new meta-protocol defining how tokens are handled

These address old requirements, solve new problems & are composed in useful ways

Slide callouts: "Grandpa SAML & junior", "WS- again? Yep", "OpenID Connect"

Page 6: Nordic APIs - Building a Secure API

OAuth Actors

Client

Authorization Server (AS)

Resource Server (RS) (i.e., API)

Resource Owner (RO)

Diagram: the Client gets a token from the AS, then uses the token at the RS.

Page 7: Nordic APIs - Building a Secure API

OAuth Web Server Flow

Page 8: Nordic APIs - Building a Secure API

What OAuth is and is not for

Not for authentication

Not really for authorization

For delegation

Page 9: Nordic APIs - Building a Secure API

Authentication & Federation

How you authenticate to the AS is undefined

Use SAML or OpenID Connect for SSO to AS

Relay OAuth token in SAML messages

Page 10: Nordic APIs - Building a Secure API

Push Tokens & Pull Data

Diagram (IdP & API Provider, Browser, SaaS App): the access token is carried in the federation message through the browser to the SaaS app, which then calls the API (Get Data) and receives the data.

Page 11: Nordic APIs - Building a Secure API

Overview of OpenID Connect

Builds on OAuth for profile sharing

Uses the flows optimized for user-consent scenarios

Adds identity-based inputs/outputs to core OAuth messages

Tokens are JWTs

Page 12: Nordic APIs - Building a Secure API

Overview of SCIM

Defines RESTful API to manage users & groups

Specifies core user & group schemas

Supports bulk updates for ingest

Binding for SAML and eventually OpenID Connect

Page 13: Nordic APIs - Building a Secure API

Overview of JSON Identity Suite

Suite of JSON-based identity protocols

Tokens (JWT)

Signatures (JWS)

Encryption (JWE)

Keys (JWK)

Algorithms (JWA)

Bearer Token spec explains how to use w/ OAuth

Being defined in IETF

Page 14: Nordic APIs - Building a Secure API

Overview of JWT

Pronounced like the English word “jot”

Lightweight tokens passed in HTTP headers & query strings

Akin to SAML tokens

Less expressive

Fewer security options

More compact

Encoded w/ JSON not XML

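To make the JWT and Bearer Token slides concrete, here is an added example (not from the deck) in which an AS issues a compact JWS-signed token and an RS pulls it from the Authorization header and checks signature, expiry and audience before trusting any claim. It uses only the Python standard library; the HS256 shared-secret choice, the secret value and the claim values are constructed assumptions, not something the slides specify.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret shared by AS and RS; a real deployment provisions its own.
SHARED_SECRET = b"constructed-example-secret-not-for-real-use"

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """AS side: header.payload.signature, each segment base64url-encoded."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token: str, audience: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """RS side: accept only a well-formed, correctly signed, unexpired HS256 token
    addressed to this API. Raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 segments
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RS expects; never let the token pick it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this API")
    return claims

def extract_bearer(authorization: str) -> str:
    """Pull the token out of an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise ValueError("not a bearer token")
    return token.strip()
```

Claims are only read after the signature passes, so a payload swapped under an old signature or a header that downgrades the algorithm is rejected before anything in it is trusted.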
Page 15: Nordic APIs - Building a Secure API

SCIM + OAuth

Use OAuth to secure SCIM API calls

Use SCIM to create accounts needed to access APIs secured using OAuth

Page 16: Nordic APIs - Building a Secure API

SCIM + SAML/OIC

Carry SCIM attributes in SAML assertions (bindings for SCIM)

Enables JIT provisioning

Supplements SCIM API & schema

Provisioning accounts using SCIM API to be updated before/after logon

Page 17: Nordic APIs - Building a Secure API

Questions & Thanks

@2botech

@travisspencer

www.2botech.com

travisspencer.com