Protecting apps and APIs using Nordic eIDs

Erik Wahlström, Technology Strategist, 9/19/2013 (47 slides)


TRANSCRIPT


Protecting your Applications and APIs with Nordic e-IDs


Today's topics

eIDs are in the news.

What is an eID?

What are the Nordic eIDs?

Three ways to use your eIDs to protect apps and APIs.


What is an eID?

Digital passport to authenticate and sign.

Issued or trusted by governments.

Legally binding.


Smartcards or eIDs on file


Software based OTPs.


Tupas (the Finnish banks' authentication service).


API based.


What’s up next?

New platform for Swedish BankID.

SAML based identity federations like eID2.

New projects in Norway and Finland.


How to protect an API using eID?

Web based APIs.

Protocol handlers.

Use browsers and OAuth2.

A token can be anything.

Alternatives to call an API:

Swedish Mobile BankID.

OAuth2 to authenticate using any other type of eID.

Bind two devices together to use smartcards on smartphones.


Alternative one – Swedish Mobile BankID


bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz


nexus://state=xyz


Swedish Mobile BankID

Deep dive


[Diagram, slides 19-30: Swedish Mobile BankID flow. Steps: Personal number, Authentication, Collect, Token, Question. The app launches bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz and the BankID app returns to nexus://state=xyz.]
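The deep dive above, as an added example that is not part of the slides and does not reproduce BankID's real Relying Party interface: a Python simulation of the five steps (Personal number, Authentication, Collect, Token, Question). The `FakeBankIdRp` stand-in mirrors the authenticate/collect shape only in outline and answers "pending" a constructed number of times; `ApiBackend` is a hypothetical app backend; the nexus:// scheme and the bankid://redirect= launch URL are the ones on the slides; the personal number is constructed, not a real person's. What it adds to the diagram: the state embedded in the bankid:// redirect is minted server-side and accepted once, the API token is only issued after collect reports complete, and the phone never holds the RP credentials.

```python
import secrets
from urllib.parse import parse_qs, quote, unquote

APP_SCHEME = "nexus"   # the app's own URL scheme, as on the slides
PENDING_POLLS = 2      # constructed: how many 'collect' calls answer 'pending' before 'complete'


class FakeBankIdRp:
    """Stand-in for the BankID Relying Party service (not the real API):
    'authenticate' starts an order, 'collect' is polled until the user
    has approved the login in the BankID app."""

    def __init__(self, pending_polls=PENDING_POLLS):
        self.orders = {}
        self.pending_polls = pending_polls

    def authenticate(self, personal_number):
        order_ref = secrets.token_hex(8)
        self.orders[order_ref] = {"pn": personal_number, "polls": 0}
        return order_ref

    def collect(self, order_ref):
        order = self.orders[order_ref]
        order["polls"] += 1
        if order["polls"] <= self.pending_polls:
            return {"status": "pending"}
        return {"status": "complete", "personal_number": order["pn"]}


class ApiBackend:
    """Hypothetical app backend: holds the RP credentials, the sessions and the
    tokens, so the phone never talks to the RP interface directly."""

    def __init__(self, rp):
        self.rp = rp
        self.sessions = {}   # state -> {"order_ref", "returned"}
        self.tokens = {}     # opaque API token -> personal number

    def start(self, personal_number):
        """Personal number -> Authentication: start the order, build the launch URL.
        The state is unguessable and ties the later app switch to this session."""
        state = secrets.token_urlsafe(16)
        order_ref = self.rp.authenticate(personal_number)
        self.sessions[state] = {"order_ref": order_ref, "returned": False}
        return_url = f"{APP_SCHEME}://state={state}"
        launch_url = "bankid://redirect=" + quote(return_url, safe="")
        return state, launch_url

    def app_returned(self, url):
        """The OS hands the nexus:// URL back to the app. Accept only a state we
        issued and have not seen before; anything else is ignored."""
        prefix = APP_SCHEME + "://"
        if not url.startswith(prefix):
            return False
        state = parse_qs(url[len(prefix):]).get("state", [None])[0]
        session = self.sessions.get(state)
        if session is None or session["returned"]:
            return False
        session["returned"] = True
        return True

    def finish(self, state, max_polls=10):
        """Collect -> Token: poll until complete, then mint the API token."""
        session = self.sessions.get(state)
        if session is None or not session["returned"]:
            return None
        for _ in range(max_polls):
            result = self.rp.collect(session["order_ref"])
            if result["status"] == "complete":
                break
        else:
            return None           # the user never approved in time
        del self.sessions[state]  # a session cannot be finished twice
        token = secrets.token_urlsafe(24)
        self.tokens[token] = result["personal_number"]
        return token

    def question(self, token, text):
        """Question: the protected API call, authorised by the token alone."""
        pn = self.tokens.get(token)
        if pn is None:
            return {"error": "unauthorized"}
        return {"answer": f"{text} handled for {pn[:8]}-****"}


def demo():
    """Run the whole flow with a constructed personal number."""
    backend = ApiBackend(FakeBankIdRp())
    state, launch_url = backend.start("198001019876")
    # The phone opens launch_url; when done, the BankID app opens the embedded return URL.
    return_url = unquote(launch_url[len("bankid://redirect="):])
    ok = backend.app_returned(return_url)
    replay = backend.app_returned(return_url)                     # same URL delivered twice
    bad_state = backend.app_returned(f"{APP_SCHEME}://state=guess")
    token = backend.finish(state)
    return {"launch_url": launch_url, "ok": ok, "replay": replay, "bad_state": bad_state,
            "token": token, "answer": backend.question(token, "balance?"),
            "bad": backend.question("forged-token", "balance?")}
```

`finish` refuses to poll for a session whose app switch never came back, which keeps a stolen state from being finished by someone who only knows the personal number.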

Alternative two – Others eIDs


Use your browser to authenticate using any eID

OAuth2 is the industry standard for protecting APIs.

It defines a way to get an authorization to use an API.

A token or two is good.

Use the token to access the API.

Use OAuth2 and a browser dance to authenticate.

That enables any authentication method, including eIDaaS.


https://example.com/oauth2?response_type=code&client_id=nexus&redirect_uri=nexus%3A%2F%2Fauthorization&scope=api&state=xyz


nexus://authorization?code=oauth2grant&state=xyz


Other eIDs

Deep dive


[Diagram, slides 37-39: OAuth2 flow with any eID. Steps shown: Token, Question.]
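The authorization request and custom-scheme callback from the slides, worked through as an added example (not code from the talk or from any Nexus product): a minimal authorization server and a native app in Python. `AuthorizationServer`, `NativeApp` and the subject value are hypothetical; the endpoint https://example.com/oauth2, client_id nexus and redirect_uri nexus://authorization are the slide's. The eID authentication itself (the browser dance) is outside the code and arrives as the `subject` argument. One thing is added beyond the slide's URL: PKCE (RFC 7636), because a custom scheme such as nexus:// can be claimed by any app on the phone, so whoever receives the callback has the code; with PKCE the code is useless without the verifier that never left the honest app (RFC 8252 makes the same recommendation for native apps).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://example.com/oauth2"   # as on the slide
CLIENT_ID = "nexus"
REDIRECT_URI = "nexus://authorization"          # custom scheme: any app on the phone may claim it


def s256(code_verifier):
    """PKCE S256 transform (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical minimal OAuth2 authorization server. The browser dance that
    authenticates the user with some eID happens before authorize() and its
    outcome is passed in as `subject`."""

    def __init__(self):
        self.clients = {CLIENT_ID: REDIRECT_URI}  # exact redirect_uri registered per client
        self.codes = {}                           # code -> grant record, single use

    def authorize(self, request_url, subject):
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("response_type") != "code" or q.get("client_id") not in self.clients:
            raise ValueError("unknown client or response_type")
        if q.get("redirect_uri") != self.clients[q["client_id"]]:
            raise ValueError("redirect_uri not registered")  # report it, never redirect there
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE required for a public client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"], "subject": subject}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, code, client_id, redirect_uri, code_verifier):
        grant = self.codes.pop(code, None)  # consumed on the first attempt, good or bad
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        if not hmac.compare_digest(s256(code_verifier), grant["challenge"]):
            raise PermissionError("invalid_grant")  # code holder is not who started the flow
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "subject": grant["subject"]}


class NativeApp:
    """The phone app: a public client, so it keeps no client secret."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier, one entry per flow in progress

    def begin(self):
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[state] = verifier
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "api", "state": state,
            "code_challenge": s256(verifier), "code_challenge_method": "S256"})

    def callback(self, url):
        """nexus://authorization?code=...&state=... arrives from the OS."""
        parsed = urlparse(url)
        if f"{parsed.scheme}://{parsed.netloc}" != REDIRECT_URI:
            return None
        q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        verifier = self.pending.pop(q.get("state"), None)  # unknown or reused state: drop it
        if verifier is None or "code" not in q:
            return None
        return q["code"], verifier


def demo():
    asrv, app = AuthorizationServer(), NativeApp()
    # Honest run: the browser dance ends and the OS delivers the callback to our app.
    cb = asrv.authorize(app.begin(), subject="198001019876")   # constructed subject
    code, verifier = app.callback(cb)
    tokens = asrv.token(code, CLIENT_ID, REDIRECT_URI, verifier)
    try:
        asrv.token(code, CLIENT_ID, REDIRECT_URI, verifier)     # replay of a used code
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    # Second run: a rogue app that also registered nexus:// receives the callback first.
    stolen = parse_qs(urlparse(asrv.authorize(app.begin(), subject="198001019876")).query)["code"][0]
    try:
        asrv.token(stolen, CLIENT_ID, REDIRECT_URI, "not-the-real-verifier")
        intercepted = True
    except PermissionError:
        intercepted = False
    return {"tokens": tokens, "replay_rejected": replay_rejected, "intercepted": intercepted,
            "foreign_callback": app.callback("nexus://authorization?code=x&state=unknown")}
```

The state check in `callback` is what stops a callback the app never asked for from being accepted; the exact-match check on redirect_uri in `authorize` is what stops a code from being sent anywhere but the registered scheme.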

Alternative three – eID on other device


Use an eID on another device

Put the rather sad user to work.

Connect two devices.

Refresh tokens make it usable.
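The three steps above, connecting two devices and then living on refresh tokens, as an added example that is not from the talk: a hypothetical `DeviceBindingServer` in Python using the pattern later standardised as the OAuth 2.0 device authorization grant (RFC 8628). The phone, which has no eID, gets a long secret device_code and a short user_code; the user logs in on the device that does have the eID (smartcard, Tupas, anything) and types the user_code there; the phone polls until that happens. Names, lifetimes, the alphabet of the user code and the scope name "sign" are assumptions; the personal number is constructed. The design choices it adds: refresh tokens rotate and a replayed one revokes the whole family, and a refresh only ever yields the "api" scope because it re-proves nothing about the eID.

```python
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # assumption: no vowels or look-alikes, easy to type
CODE_LIFETIME = 300      # seconds the user code may sit unapproved (assumption)
ACCESS_LIFETIME = 600    # seconds an access token lives (assumption)


class DeviceBindingServer:
    """Hypothetical backend that binds a phone (no eID) to a login done on another
    device. The clock is injectable so expiry can be exercised in a test."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.requests = {}      # device_code -> {"user_code", "scope", "subject", "expires"}
        self.by_user_code = {}  # user_code -> device_code
        self.access = {}        # access_token -> {"subject", "scope", "expires"}
        self.refresh = {}       # refresh_token -> {"subject", "family", "used"}

    def start(self, scope):
        """Phone side: a long secret device_code plus a short user_code to show on screen."""
        device_code = secrets.token_urlsafe(24)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.requests[device_code] = {"user_code": user_code, "scope": scope,
                                      "subject": None, "expires": self.clock() + CODE_LIFETIME}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code}

    def approve(self, user_code, subject):
        """eID device side: called after the user authenticated there and typed the user_code."""
        device_code = self.by_user_code.get(user_code.upper().replace(" ", ""))
        rec = self.requests.get(device_code)
        if rec is None or self.clock() > rec["expires"] or rec["subject"] is not None:
            return False
        rec["subject"] = subject
        return True

    def poll(self, device_code):
        """Phone side: polls with the device_code only; the user_code never travels this path."""
        rec = self.requests.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires"]:
            self.requests.pop(device_code)
            self.by_user_code.pop(rec["user_code"], None)
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        self.requests.pop(device_code)
        self.by_user_code.pop(rec["user_code"], None)
        return self._issue(rec["subject"], rec["scope"], family=secrets.token_hex(8))

    def _issue(self, subject, scope, family):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = {"subject": subject, "scope": scope,
                               "expires": self.clock() + ACCESS_LIFETIME}
        self.refresh[refresh] = {"subject": subject, "family": family, "used": False}
        return {"access_token": access, "refresh_token": refresh, "scope": scope}

    def refresh_grant(self, refresh_token):
        """Rotate: each refresh token works once. A replay means two parties hold the
        same token, so every token descended from that login is revoked."""
        rec = self.refresh.get(refresh_token)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["used"]:
            for other in self.refresh.values():
                if other["family"] == rec["family"]:
                    other["used"] = True
            return {"error": "invalid_grant"}
        rec["used"] = True
        # A refresh re-proves nothing about the eID, so it only ever yields the 'api'
        # scope; 'sign' (assumed scope name) needs a fresh eID login.
        return self._issue(rec["subject"], "api", rec["family"])

    def check(self, access_token, needed_scope):
        rec = self.access.get(access_token)
        return (rec is not None and self.clock() <= rec["expires"]
                and needed_scope in rec["scope"].split())


def demo():
    now = [1_000_000.0]
    srv = DeviceBindingServer(clock=lambda: now[0])
    req = srv.start("api sign")
    pending = srv.poll(req["device_code"])                     # the user has not acted yet
    approved = srv.approve(req["user_code"], "198001019876")   # on the PC, after the smartcard login
    tokens = srv.poll(req["device_code"])
    can_sign = srv.check(tokens["access_token"], "sign")
    now[0] += ACCESS_LIFETIME + 1                              # the access token ages out
    expired = srv.check(tokens["access_token"], "api")
    rotated = srv.refresh_grant(tokens["refresh_token"])
    return {
        "user_code": req["user_code"], "pending": pending, "approved": approved,
        "can_sign": can_sign, "expired": expired,
        "sign_after_refresh": srv.check(rotated["access_token"], "sign"),
        "api_after_refresh": srv.check(rotated["access_token"], "api"),
        "reuse": srv.refresh_grant(tokens["refresh_token"]),        # the old token replayed
        "after_reuse": srv.refresh_grant(rotated["refresh_token"]), # family is now revoked
    }
```

The user_code is deliberately short because a human types it; that is why it expires quickly, is bound to one device_code and can be approved only once.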


Final words

BYOD and consumerization.

eIDaaS and OAuth2 for best coverage.

Refresh tokens are not always OK.

WebCrypto is cool.


Thanks!

@erik_wahlstrom

[email protected]