CIS 2017 - So you want to use standards to secure your APIs?
So you want to use standards to secure your APIs?
Do you? Really?
Bertrand [email protected]
@bertrandcarlier
confidentiel | © WAVESTONE | Cloud Identity Summit | Chicago 2017
Tier one clients, leaders in their industry
2,500 professionals across 4 continents
Among the leading independent consultancies in Europe, n°1 in France
Paris | London | New York | Hong Kong | Singapore* | Dubai*
Brussels | Luxembourg | Geneva | Casablanca
Lyon | Marseille | Nantes
(* strategic partnerships)
In a world where permanent evolution is key to success, we enlighten and partner our clients in making their most critical business decisions
Win the digital race with digital trust
PROVEN EXPERTISE
/ Digital Risk Strategy & Compliance
/ Safe Business Transformation
/ Security Design & Program Management
/ Identity, Fraud & Trust Services
/ Penetration Testing & Incident Response
/ Business Continuity & Resilience
/ Industrial Control Systems
ACTIONABLE INSIGHTS
/ Industry-specific risk mapping
/ AMT Master plan methodology
/ Startups & Innovation Radars
/ ICS-Attacks demonstrator
/ CERT-W & Bug Bounty
Digital trust is a key business enabler that will put you ahead to win the digital transformation race
Wavestone Cybersecurity & Digital Trust
500+ Consultants & Experts in Paris, London, New York & Hong Kong
1,000+Engagements per year
in 20+ countries
Our clients: Board, Business, CDO, CIO, CISO, BCM
Obligatory XKCD
What I do 1/2
User companies (my clients)
Other vendors
My mom
People who use standards but don’t really care
Me
You?
Fellow colleagues & competitors
People who (try to) understand standards and build things
The “industry”
Research scientists
Vendors I like
People who make standards
What I do 2/2
Gather requirements
Benchmark market
Design target solutions
Deliver solutions
1. OAuth 101
Implicit and Client Credentials - YOU'VE GOT MAIL
Diagram labels: Comparator website; Airline API (three instances); Flight comparator (Economy, Direct, Two stops, Business class, Boat); "You've been accepted!"
Legend: Client, Authorization server, Resource server, Access token
Authorization code - ARE YOU AUTHORIZED?
Diagram labels: Airline website; Airline API
Legend adds: Resource owner
Proof Key for Code Exchange - PIXIES
Diagram labels: Airline website
Legend adds: PKCE (RFC 7636)
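The slide only names PKCE; the following is an added Python example (not from the deck or from Wavestone) of the exchange RFC 7636 describes on top of the authorization code flow: the client keeps a random code_verifier, sends only its S256 code_challenge with the authorization request, and the authorization server redeems the code only when the matching verifier is presented, so a code captured in transit is worthless on its own. The AuthorizationServer class and the "airline-website" client id are constructed for the demo; the derivation is checked against the test vector in RFC 7636 appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: PKCE (RFC 7636) on top of the authorization code flow.
# AuthorizationServer and the "airline-website" client id are constructed for this demo.


def b64url(data: bytes) -> str:
    """Base64url without padding (RFC 7636 appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to 43 characters, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory authorization server holding only the state PKCE needs."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> client_id and stored challenge

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        # Refuse the "plain" method: a challenge equal to the verifier gives no protection
        # once the authorization request (and so the challenge) has been observed.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        record = self._pending.pop(code, None)  # authorization codes are single use
        if record is None or record["client_id"] != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 section 4.1 length bounds
            return None
        if not hmac.compare_digest(record["challenge"], code_challenge_s256(code_verifier)):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow(presented_verifier: Optional[str] = None):
    """One code + PKCE exchange. When presented_verifier is set, a party that captured the
    authorization code tries to redeem it without the real verifier (the interception case
    RFC 7636 exists for); the token endpoint must answer None."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("airline-website", code_challenge_s256(verifier), "S256")
    return server.token("airline-website", code, presented_verifier or verifier)


def rfc7636_appendix_b_matches() -> bool:
    """Check the derivation against the test vector published in RFC 7636 appendix B."""
    return code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") == \
        "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


if __name__ == "__main__":
    print("legitimate client:", run_flow())
    print("code captured, verifier unknown:", run_flow(make_code_verifier()))
    print("RFC 7636 appendix B vector:", rfc7636_appendix_b_matches())
```

Two details matter in practice and are easy to drop from a quick implementation: the server must refuse the plain method (a challenge that is literally the verifier protects nothing once the request is seen), and the code must be consumed on first use so a replay with the correct verifier also fails.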
Refresh token - (RE)FRESH
Diagram labels: Airline website
Legend adds: Refresh token
OAuth 2.0: it's quite simple
20 | 17 | 18 | 76
Who's up for a 130-page RFC read?
And if you want security, feel free to read the 71 pages of « OAuth2 Threat Model and Security Considerations »
2. OAuth Advanced
OAuth 2.0: Real Life requirements
/ Adaptive authentication
  Application initiated (acr request)
  or Authorization Server mandated (adaptive authentication)
/ APIs federation
  REST friendly
  Scalable
/ Modern Web Single Sign-On
  Beyond the enterprise perimeter
  Browser and mobile friendly
OpenID Connect - FRENCH CONNECTION
Diagram labels: Town's website; Tax department API; France Connect hub
Legend adds: ID token
Authentication Context Reference (acr) - SMS, I KNOW…
Diagram labels: Bank API; Bank authorization server
Legend adds: OpenID Connect provider
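The slide shows the bank's client asking its OpenID Connect provider for a given authentication context. What the deck does not show is the relying-party side: the check that the ID token coming back actually carries the requested acr, on top of the signature, iss, aud, exp and nonce checks. The Python below is an added example, not code from the deck or from any provider; it signs with HS256 and a shared secret so it runs offline (real providers normally use RS256/ES256 with keys published in their JWKS document), and the issuer, client id, acr names, subject, nonce and clock value are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Added example: relying-party validation of an ID token after an acr request.
# Everything below (secret, issuer, client id, acr names, clock) is constructed for the demo.

SECRET = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://op.example.bank"
CLIENT_ID = "bank-website"
ACR_SMS = "urn:example:acr:sms-otp"        # constructed name for the SMS step-up level
ACR_PASSWORD = "urn:example:acr:password"  # constructed name for the plain-password level
NOW = 1_500_000_000                        # fixed clock so the example is reproducible


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Provider side, constructed for the demo: HS256-sign a JWT carrying the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class IdTokenError(Exception):
    pass


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str, nonce: str,
                    required_acr: str, now: float) -> dict:
    """Relying-party side: raise unless every check passes, otherwise return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("token expired")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (replay or wrong session)")
    # The point of requesting an acr: the provider may answer with a weaker context,
    # and accepting it silently downgrades the step-up the client asked for.
    if claims.get("acr") != required_acr:
        raise IdTokenError(f"acr {claims.get('acr')!r} does not satisfy requested {required_acr!r}")
    return claims


def issue(acr: str, nonce: str = "n-0S6_WzA2Mj") -> str:
    """Constructed provider response for a login that reached the given acr."""
    return mint_id_token({"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "exp": NOW + 300,
                          "iat": NOW, "nonce": nonce, "acr": acr}, SECRET)


def step_up_accepted(token: str, nonce: str = "n-0S6_WzA2Mj") -> bool:
    """True only if the token passes every check for the SMS step-up the client requested."""
    try:
        verify_id_token(token, SECRET, ISSUER, CLIENT_ID, nonce, ACR_SMS, now=NOW)
        return True
    except IdTokenError:
        return False


if __name__ == "__main__":
    print("sms-otp login accepted:", step_up_accepted(issue(ACR_SMS)))
    print("password-only login accepted:", step_up_accepted(issue(ACR_PASSWORD)))
```

The acr comparison is deliberately an exact match against what the client asked for: acr values are opaque strings, and the relying party has no standard way to order them, so "at least as strong as" reasoning has to come from the provider's documented policy, not from the token.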
JWT Bearer profile - ONE RING TOKEN TO RULE THEM ALL
Diagram labels: Bank website; Bank & Insurance discount; White label insurance; Insurance's Authorization server; Insurance's API; steps 1 and 2
OAuth 2.0 for Native Applications - SSO ON THE GO
Diagram labels: Mobile phone; Bank's authorization server
Legend adds: OAuth 2 for native apps
3. OAuth & Beyond
OAuth: Today's challenges
/ Pair with devices
/ Protect from token hijacking
/ Share and Consent
/ Transmit Identity
These are the current use cases that we need to solve now with only draft standards!
OAuth2 Device Flow - 2 MINUTES TWICE A DAY
Diagram labels: Connected toothbrush; Toothbrush's cloud services; Toothbrush's app; steps 1 to 4
Token Binding - LATER AGGREGATOR
Diagram labels: Multi-account aggregator; Bank API (three instances); The "Personal Finance Manager" use case
Legend adds: Token Binding & Mutual TLS profiles
User Managed Access - RUN BABY RUN
Diagram labels: Me; Doctor; Receptionist; Some medical software; Personal health records; Authorization server
Legend adds: Requesting party
Token Exchange - WALL STREET
Diagram labels: Customer support; Customer API; Micro services
Legend adds: Token Exchange
Not to mention
/ Dynamic Client Registration & Management
/ OIDC/OAuth Discovery
/ Signed request
/ Mobile Connect
/ OIDC Session Management
/ Token revocation
/ …
The big picture - AT LAST
Full legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OpenID Connect provider, OAuth 2 for native apps, Token Binding, Requesting party, Token Exchange
“Just saying #OAuth does not do the job” - ONE LAST WORD
/ OAuth is a very rich ecosystem
  Choose the right specifications
  Integrate them carefully within a well-designed architecture
  Don't end up with flawed API security or a false sense of security
wavestone.com | @wavestone_
riskinsight-wavestone.com | @Risk_Insight
securityinsider-solucom.fr | @SecuInsider
Bertrand CARLIER, Senior Manager
M +33 6 18 64 42 52