An OAuth-protected API Platform for Private, Partner & Public Use
By Travis Spencer, CEO
@travisspencer / @2botech
Copyright 2014 Twobo Technologies AB @travisspencer / @2botech 2
Agenda
▪ Business benefits of APIs
▪ Associated security challenges
▪ Requirements to overcome these obstacles
▪ Platform security architecture
  ▪ Delivers business benefits
  ▪ Overcomes challenges
  ▪ Meets specifications
6 Benefits of APIs
Business Benefits of Private APIs
(Figure: six benefits)
▪ Modernize organization
▪ Start API strategy
▪ Manage supply chain
▪ Time-to-market
▪ Internal communication
▪ Business intelligence analytics
▪ Post by Mark Boyd on Nordic APIs blog
▪ Same benefits afforded by partner & public APIs
▪ j.mp/1dpGCX6
Starting an API Strategy
▪ Not beginning with a clean slate
▪ Existing data & systems must be made available in new ways
▪ Reuse & extend existing infrastructure
▪ Bridge old & new technologies
Neo-security Requirements
▪ Identity & content must be converted
▪ Legacy systems must be concealed & abstracted
▪ Work with all modes of service delivery
▪ Secure all channels
Modernize Organization
▪ Core business capabilities are distilled into reusable modules
▪ Composed together like Legos
▪ Security will prevent or allow composability
(Figure: Lego blocks)
Neo-security Requirements
▪ Based on open, international standards
▪ COTS products must be limited to specialized roles
▪ Apps & Web sites must not perform authentication & authorization
Manage Supply Chain
▪ Optimization of value across organizational boundaries
▪ Massive distribution
▪ Automation
▪ Lack of robust security is a showstopper
▪ Users demand seamless access across apps
▪ API client & end user must be identified
▪ Rights must be applied to users from other organizations
Neo-security Requirements
▪ Access control
▪ Account provisioning
▪ Web Single Sign-on (SSO) & federation
▪ Delegated access (a la OAuth)
OAuth
▪ OAuth 2 is the new protocol of protocols
  ▪ Used as the base of other specifications
  ▪ OpenID Connect, UMA, etc.
▪ Addresses some important requirements
  ▪ Delegated access
  ▪ No password sharing
  ▪ Revocation of access
OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
(Figure: the RO delegates to the Client; the Client gets a token from the AS and uses the token at the RS)
Scopes
▪ Like permissions
▪ Scopes specify extent of tokens’ usefulness
▪ Listed on consent UI (if shown)
▪ No standardized scopes
Usage of OAuth
Not for authentication
Not really for authorization
Not for federation
Usage of OAuth
For delegated access
Requirements Demand More
(Figure: Identities, APIs, Entitlements)
▪ Today’s use cases require more than just delegation
▪ OAuth is important but insufficient
OpenID Connect
▪ Next generation federation protocol
▪ Based on OAuth 2
▪ Made for mobile
▪ Not backward compatible
▪ Client & API receive tokens
▪ Endpoint provided for client to get user data
OpenID Connect + OAuth Example
(Sequence diagram with three participants: Browser, RP / Client, OpenID Provider)
1. Request login, providing “openid” scope & user info scopes
2. Access code
3. Redeem access code
4. Access token & ID token
5. Check audience restriction of ID token
6. Get user info using access token
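The exchange in the diagram above, as an added example that is not part of the deck or of any Twobo product: a Python simulation in which one process plays all four actors from the "OAuth Actors" slide. The Authorization Server (acting as OpenID Provider) issues a single-use code and redeems it for an access token plus ID token, the API enforces the scope model from the "Scopes" slide before returning user info, and the client rejects an ID token whose audience is not its own client_id. Tokens are HS256-signed JWTs built with the standard library only; the issuer URL, client id, secrets, shared key and user record are all constructed assumptions.

```python
# Added example, not from the slides: OpenID Connect + OAuth 2 code exchange
# with RO, Client, AS/OP and RS in one process. All keys, URLs and identifiers
# are constructed for this example.
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://op.example.invalid"   # constructed OpenID Provider URL
CLIENT_ID = "example-rp"                # constructed client identifier
CLIENT_SECRET = b"rp-client-secret"     # constructed; also the HS256 key for ID tokens
API_KEY = b"as-to-api-shared-key"       # constructed; shared by AS and API for access tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Reject a bad signature or an expired token; otherwise return the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


class AuthorizationServer:
    """The AS, acting as OpenID Provider: issues codes, then tokens."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, resource owner, granted scopes)

    def authorize(self, client_id, scopes, resource_owner):
        # The RO logs in at the OP and consents to the listed scopes; the OP
        # returns a single-use code through the browser redirect.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, resource_owner, set(scopes))
        return code

    def token(self, code, client_id, client_secret):
        if client_id != CLIENT_ID or client_secret != CLIENT_SECRET:
            raise PermissionError("client authentication failed")
        grant = self._codes.pop(code, None)  # replaying a code yields None
        if grant is None or grant[0] != client_id:
            raise PermissionError("invalid or replayed code")
        _, owner, scopes = grant
        exp = int(time.time()) + 300
        response = {"token_type": "Bearer", "access_token": sign_jwt(
            {"iss": ISSUER, "sub": owner, "scope": " ".join(sorted(scopes)), "exp": exp}, API_KEY)}
        if "openid" in scopes:  # an ID token only when the openid scope was granted
            response["id_token"] = sign_jwt(
                {"iss": ISSUER, "sub": owner, "aud": client_id, "exp": exp}, CLIENT_SECRET)
        return response


class ResourceServer:
    """The API: its UserInfo endpoint requires the 'profile' scope."""
    PROFILES = {"alice": {"sub": "alice", "name": "Alice Example"}}  # constructed data

    def userinfo(self, access_token):
        claims = verify_jwt(access_token, API_KEY)
        if "profile" not in claims["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.PROFILES[claims["sub"]]


def check_id_token(id_token: str) -> dict:
    """Client-side audience restriction: accept only ID tokens minted for this client."""
    claims = verify_jwt(id_token, CLIENT_SECRET)
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("ID token not issued to this client")
    return claims


def run_login(scopes=("openid", "profile")):
    """Drive the whole exchange as the RP/client; return the user info obtained."""
    op, api = AuthorizationServer(), ResourceServer()
    code = op.authorize(CLIENT_ID, scopes, resource_owner="alice")  # front channel
    tokens = op.token(code, CLIENT_ID, CLIENT_SECRET)               # back channel
    check_id_token(tokens["id_token"])
    return api.userinfo(tokens["access_token"])
```

Calling `run_login()` returns Alice's profile; calling it with only the `openid` scope makes the API refuse with `insufficient_scope`, which is the scope-as-permission idea from the "Scopes" slide. Two checks are separated on purpose: the ID token is validated by the client against its own client_id (audience) and signing key, while the access token is validated only by the API. A real deployment would sign with the OP's asymmetric keys and let the client fetch them, but the division of trust between the three parties stays the same.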
The Neo-security Stack
(Figure: the stack, each standard paired with its role)
▪ OpenID Connect: Federation
▪ SCIM: Provisioning
▪ OAuth: Delegated Access
▪ XACML: Authorization
▪ JSON Identity Suite: Identities
The Neo-security Platform
(Figure: the platform. Standards: SCIM, JSON Identity Suite, OpenID Connect, OAuth, XACML. Systems: Entitlement Management System, Identity Management System, API Management System)
Summary
▪ APIs offer many benefits
▪ Security will impede or enable these
▪ Technology exists to protect your API
▪ OAuth is not enough
▪ Need the entire Neo-security Stack
▪ The Neo-security Platform protects data & delivers benefits
Questions & Thanks
@2botech
@travisspencer
www.twobo.com