CIS 2017 - So you want to use standards to secure your APIs?


Transcript of CIS 2017 - So you want to use standards to secure your APIs?

Page 1: CIS 2017 - So you want to use standards to secure your APIs?

So you want to use standards to secure your APIs?

Do you? really?

Bertrand CARLIER, [email protected]

@bertrandcarlier

Page 2

confidential | © WAVESTONE | Cloud Identity Summit | Chicago 2017

Tier one clients, leaders in their industry

2,500 professionals across 4 continents

Among the leading independent consultancies in Europe, n°1 in France

Paris | London | New York | Hong Kong | Singapore* | Dubai*

Brussels | Luxembourg | Geneva | Casablanca

Lyon | Marseille | Nantes

In a world where permanent evolution is key to success, we enlighten and partner our clients in making their most critical business decisions

Page 3

Win the digital race with digital trust

PROVEN EXPERTISE

/ Digital Risk Strategy & Compliance
/ Safe Business Transformation
/ Security Design & Program Management
/ Identity, Fraud & Trust Services
/ Penetration Testing & Incident Response
/ Business Continuity & Resilience
/ Industrial Control Systems

ACTIONABLE INSIGHTS

/ Industry-specific risk mapping
/ AMT Master plan methodology
/ Startups & Innovation Radars
/ ICS-Attacks demonstrator
/ CERT-W & Bug Bounty

Digital trust is a key business enabler that will put you ahead to win the digital transformation race

Wavestone Cybersecurity & Digital Trust

500+ Consultants & Experts in Paris, London, New York & Hong Kong

1,000+ Engagements per year in 20+ countries

Our clients: Board, Business, CDO, CIO, CISO, BCM

Page 4

Obligatory XKCD

Page 5

What I do 1/2

User companies (my clients)

Other vendors

My mom

People who use standards but don’t really care

Me

You?

Fellow colleagues & competitors

People who (try to) understand standards and build things

The “industry”

Research scientists

Vendors I like

People who make standards

Page 6

What I do 2/2

Gather requirements

Benchmark market

Design target solutions

Deliver solutions

Page 7

1. OAuth 101

Page 8

Implicit and Client Credentials: YOU'VE GOT MAIL

Diagram: a Comparator website (the Flight comparator, acting as client) calling three Airline APIs with an access token. Legend: Client, Authorization server, Resource server, Access token. Mock comparator results: Economy, Direct, Two stops, Business class, Boat. Caption: "You've been accepted!"

Page 9

Authorization code: ARE YOU AUTHORIZED?

Diagram: Airline website (client), Airline API (resource server), Resource owner and Authorization server exchanging an authorization code for an access token. Legend: Client, Authorization server, Resource server, Access token, Resource owner.

Page 10

Proof Key for Code Exchange: PIXIES

Diagram: Airline website (client) running the authorization code flow with PKCE (RFC 7636). Legend: Client, Authorization server, Resource server, Access token, Resource owner, PKCE (RFC 7636).

Page 11

Refresh token: (RE)FRESH

Diagram: Airline website (client) receiving a refresh token alongside the access token. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, PKCE (RFC 7636).
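The three preceding slides (authorization code, PKCE, refresh token) are easier to follow with both sides of the exchange in code. The block below is an added example, not part of the talk: an in-memory authorization server and a public client named "airline-website" with an assumed redirect URI and scope. It shows the S256 code challenge of RFC 7636, an authorization code that is single-use and bound to client, redirect URI and challenge, and refresh token rotation.

```python
"""Authorization code flow with PKCE (RFC 7636) and refresh token rotation,
client and authorization server in one process. Added example, not from the
talk: the in-memory server, the 'airline-website' client, its redirect URI and
scope are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random octets -> 43 unreserved characters (allowed length 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # authorization code -> pending grant
        self.access = {}   # access token  -> (client_id, scope)
        self.refresh = {}  # refresh token -> (client_id, scope)

    def authorize(self, client_id, redirect_uri, scope, code_challenge, method="S256"):
        """Called once the resource owner has authenticated and consented.
        The code is bound to the client, the redirect URI and the PKCE challenge."""
        if method != "S256":  # 'plain' exists for clients that cannot hash; refuse it here
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                scope=scope, challenge=code_challenge)
        return code

    def _issue(self, client_id, scope):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (client_id, scope)
        self.refresh[rt] = (client_id, scope)
        return {"access_token": at, "refresh_token": rt,
                "token_type": "Bearer", "scope": scope}

    def token(self, grant_type, client_id, **p):
        if grant_type == "authorization_code":
            grant = self.codes.pop(p.get("code"), None)  # single use, consumed even on failure
            if (grant is None or grant["client_id"] != client_id
                    or grant["redirect_uri"] != p.get("redirect_uri")):
                return {"error": "invalid_grant"}
            verifier = p.get("code_verifier", "")
            if not 43 <= len(verifier) <= 128 or not hmac.compare_digest(
                    code_challenge_s256(verifier), grant["challenge"]):
                return {"error": "invalid_grant"}
            return self._issue(client_id, grant["scope"])
        if grant_type == "refresh_token":
            old = self.refresh.pop(p.get("refresh_token"), None)  # rotate: the old one dies
            if old is None or old[0] != client_id:
                return {"error": "invalid_grant"}
            return self._issue(client_id, old[1])
        return {"error": "unsupported_grant_type"}


def demo():
    """Runs the honest flow, a code replay, an intercepted code and a refresh."""
    srv = AuthorizationServer()
    client, redirect, scope = "airline-website", "https://airline.example/cb", "flights:read"
    r = {}

    # Honest client: the verifier never leaves the client, only its hash is sent.
    verifier = make_code_verifier()
    code = srv.authorize(client, redirect, scope, code_challenge_s256(verifier))
    tokens = srv.token("authorization_code", client, code=code,
                       redirect_uri=redirect, code_verifier=verifier)
    r["honest"] = "access_token" in tokens
    r["replayed_code"] = srv.token("authorization_code", client, code=code,
                                   redirect_uri=redirect, code_verifier=verifier)["error"]

    # Intercepted code (the threat PKCE addresses): the attacker has the code, not the verifier.
    code2 = srv.authorize(client, redirect, scope, code_challenge_s256(make_code_verifier()))
    r["stolen_code"] = srv.token("authorization_code", client, code=code2,
                                 redirect_uri=redirect, code_verifier=make_code_verifier())["error"]

    # Refresh: a new pair is issued and the previous refresh token is invalidated.
    fresh = srv.token("refresh_token", client, refresh_token=tokens["refresh_token"])
    r["refreshed"] = "access_token" in fresh
    r["old_refresh_reused"] = srv.token("refresh_token", client,
                                        refresh_token=tokens["refresh_token"])["error"]
    return r


if __name__ == "__main__":
    print(demo())
```

demo() returns a dictionary in which the honest exchange succeeds while a replayed code, a code redeemed with a different verifier, and a re-used refresh token are all refused with invalid_grant. The code is consumed even when the verifier check fails, so an attacker who races the client burns the code rather than obtaining a token. A production server would additionally expire codes (RFC 6749 recommends a maximum lifetime of 10 minutes) and record the authenticated session they were issued in.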

Page 12

OAuth 2.0: it's quite simple

Who's up for a 130-page RFC read?

And if you want security, feel free to read the 71-page "OAuth 2.0 Threat Model and Security Considerations" (RFC 6819)

Diagram: the numbers 20, 17, 18 and 76 (page counts of the RFCs pictured, adding up to roughly the 130 pages above). Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, Proof Key for Code Exchange.

Page 13

2. OAuth Advanced

Page 14

OAuth 2.0: Real Life requirements

Adaptive authentication: application initiated (acr request) or Authorization Server mandated (adaptive authentication)

API federation

REST friendly

Scalable

Modern Web Single Sign-On

Beyond the enterprise perimeter

Browser and mobile friendly

Page 15

OpenID Connect: FRENCH CONNECTION

Diagram: a Town's website (client) signing citizens in through the France Connect hub and calling the Tax department API; an ID token is issued alongside the access token. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, PKCE (RFC 7636), ID token.

Page 16

Authentication Context Class Reference (acr): SMS, I KNOW…

Diagram: Bank API (resource server) and Bank authorization server, with an OpenID Connect provider performing the authentication. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, OpenID Connect provider, PKCE (RFC 7636).

Page 17

JWT Bearer profile: ONE RING TOKEN TO RULE THEM ALL

Diagram: a Bank website offering a "Bank & Insurance discount" on a white label insurance product, the Insurance's Authorization server and the Insurance's API, with two numbered steps (1, 2). Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, OpenID Connect provider, PKCE (RFC 7636).
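The JWT Bearer profile (RFC 7523) lets a JWT issued by one party be presented to another party's token endpoint as the authorization grant itself, which is what makes a cross-company scenario like the bank and insurer above work without a browser redirect. The block below is an added example, not from the talk: the issuer and endpoint names, the customer id and the HS256 key shared between the bank and the insurer's authorization server are all constructed for the demo (the profile also allows asymmetric JWS signatures, which avoid sharing a secret). The server side checks are the ones RFC 7523 section 3 requires: trusted issuer, valid signature, audience naming this server, subject, expiry, and one-time use of the assertion id.

```python
"""JWT Bearer authorization grant (RFC 7523): a JWT issued by one party is sent
to another party's token endpoint as the grant itself. Added example, not from
the talk: issuer and endpoint names, the customer id and the HS256 key shared
between the bank and the insurer's AS (the profile also allows asymmetric JWS)
are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time

GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(HMAC-SHA256 over both)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


class InsuranceAuthorizationServer:
    """The second party's AS; validates the assertion as RFC 7523 section 3 requires."""
    TOKEN_ENDPOINT = "https://as.insurance.example/token"  # assumed; the value 'aud' must name

    def __init__(self, trusted_issuers, now=time.time):
        self.trusted = trusted_issuers  # issuer URI -> key that issuer signs with
        self.seen_jti = set()           # replay cache for assertion ids
        self.now = now

    def token(self, grant_type, assertion):
        if grant_type != GRANT:
            return {"error": "unsupported_grant_type"}
        try:
            h, p, s = assertion.split(".")
            header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
            sig = b64url_decode(s)
        except ValueError:                          # malformed base64url, JSON or UTF-8
            return {"error": "invalid_grant"}
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            return {"error": "invalid_grant"}
        key = self.trusted.get(claims.get("iss"))
        if header.get("alg") != "HS256" or key is None:  # pin the alg; unknown issuer
            return {"error": "invalid_grant"}
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return {"error": "invalid_grant"}
        aud = claims.get("aud")
        if self.TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
            return {"error": "invalid_grant"}       # addressed to some other AS
        exp = claims.get("exp")
        if "sub" not in claims or not isinstance(exp, (int, float)) or exp <= self.now():
            return {"error": "invalid_grant"}
        jti = claims.get("jti")
        if jti is None or jti in self.seen_jti:     # each assertion is redeemable once
            return {"error": "invalid_grant"}
        self.seen_jti.add(jti)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": claims["sub"], "iss": claims["iss"]}


def demo():
    key = secrets.token_bytes(32)   # assumed shared secret, bank <-> insurer AS
    insurer = InsuranceAuthorizationServer({"https://bank.example": key})
    now = int(time.time())

    def bank_assertion(**override):
        """What the bank website signs once it has authenticated its own customer."""
        claims = {"iss": "https://bank.example", "sub": "customer-4711",
                  "aud": insurer.TOKEN_ENDPOINT, "iat": now, "exp": now + 300,
                  "jti": secrets.token_urlsafe(16)}
        claims.update(override)
        return jws_hs256(claims, key)

    r, good = {}, bank_assertion()
    r["ok"] = "access_token" in insurer.token(GRANT, good)
    r["replay"] = insurer.token(GRANT, good)["error"]
    r["wrong_aud"] = insurer.token(GRANT, bank_assertion(aud="https://as.other.example/token"))["error"]
    r["expired"] = insurer.token(GRANT, bank_assertion(exp=now - 1))["error"]
    r["unknown_issuer"] = insurer.token(GRANT, bank_assertion(iss="https://evil.example"))["error"]
    forged = jws_hs256({"iss": "https://bank.example", "sub": "x", "aud": insurer.TOKEN_ENDPOINT,
                        "exp": now + 300, "jti": "forged"}, secrets.token_bytes(32))
    r["forged_key"] = insurer.token(GRANT, forged)["error"]
    none_head, body = b64url(b'{"alg":"none"}'), good.split(".")[1]
    r["alg_none"] = insurer.token(GRANT, f"{none_head}.{body}.")["error"]
    return r
```

Every failure is reported as the same invalid_grant, as RFC 7523 asks, so a caller learns nothing about which check tripped. The algorithm is pinned to what the trust configuration expects rather than read from the token header, which is what defeats the unsigned "alg":"none" variant at the end of demo().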

Page 18

OAuth 2.0 for Native Applications: SSO ON THE GO

Diagram: two apps on a Mobile phone using OAuth 2 for native apps against the Bank's authorization server (OpenID Connect provider). Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, OpenID Connect provider.

Page 19

3. OAuth & Beyond

Page 20

OAuth: Today's challenges

/ Pair with devices
/ Protect from token hijacking
/ Share and Consent
/ Transmit Identity

These are the current use cases that we need to solve now with only draft standards!

Page 21

OAuth 2 Device Flow: 2 MINUTES TWICE A DAY

Diagram: a Connected toothbrush (the device), the Toothbrush's cloud services, the Toothbrush's app and an OpenID Connect provider, with the exchange numbered in four steps. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, OpenID Connect provider.
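The device flow is a polling protocol, so its four steps read better as code than as arrows: the device asks for a device code and a short user code, the owner types the user code into a browser on another device and consents, and the device polls the token endpoint until it gets a token or a terminal error. The block below is an added example, not from the talk, written against the draft that was later published as RFC 8628 (2019): the toothbrush client id, scope, verification URI and timings are constructed for the demo, and a fake clock replaces real time so the polling can be stepped through deterministically.

```python
"""OAuth 2.0 Device Authorization Grant ('device flow', a draft in 2017, later
RFC 8628): both authorization server endpoints plus the polling device in one
process. Added example, not from the talk: the toothbrush client id, scope,
verification URI and timings are constructed for the demo."""
import secrets

GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 6.1: consonants, no look-alikes


class DeviceFlowAS:
    def __init__(self, now, interval=5, lifetime=600):
        self.now = now                  # injectable clock, so the demo is deterministic
        self.interval, self.lifetime = interval, lifetime
        self.pending = {}               # device_code -> grant state
        self.by_user_code = {}          # normalised user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Device endpoint: the input-constrained device gets codes to show its user."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = dict(client_id=client_id, scope=scope, status="pending",
                                         expires=self.now() + self.lifetime, last_poll=None)
        self.by_user_code[raw] = device_code
        return {"device_code": device_code, "user_code": f"{raw[:4]}-{raw[4:]}",
                "verification_uri": "https://as.example/device",   # assumed
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decides(self, typed_code, approve):
        """Verification URI: the owner, logged in on a phone, types the code and consents."""
        key = typed_code.upper().replace("-", "").replace(" ", "")
        state = self.pending.get(self.by_user_code.pop(key, None))
        if state is None or self.now() >= state["expires"]:
            return False
        state["status"] = "approved" if approve else "denied"
        return True

    def token(self, grant_type, client_id, device_code):
        """Token endpoint polled by the device; error codes follow RFC 8628 3.5."""
        if grant_type != GRANT:
            return {"error": "unsupported_grant_type"}
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        t = self.now()
        if t >= state["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and t - state["last_poll"] < self.interval:
            state["last_poll"] = t
            return {"error": "slow_down"}          # client must add 5 s to its interval
        state["last_poll"] = t
        if state["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.pending[device_code]             # terminal: one answer per device_code
        if state["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": state["scope"]}


class FakeClock:
    """Stands in for time.time() so the demo can jump forward deterministically."""
    def __init__(self): self.t = 1_500_000_000.0
    def now(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    clock, brush, r = FakeClock(), "toothbrush-firmware", {}
    srv = DeviceFlowAS(clock.now)

    # Pairing: the brush polls, once too eagerly, then the owner approves on the phone.
    resp = srv.device_authorization(brush, "brushing:write")
    clock.advance(resp["interval"])
    r["first_poll"] = srv.token(GRANT, brush, resp["device_code"])["error"]
    clock.advance(1)
    r["too_fast"] = srv.token(GRANT, brush, resp["device_code"])["error"]
    r["bad_user_code"] = srv.user_decides("ZZZZ-ZZZZ", approve=True)
    r["approve"] = srv.user_decides(resp["user_code"].lower(), approve=True)
    clock.advance(resp["interval"] + 5)
    r["approved"] = "access_token" in srv.token(GRANT, brush, resp["device_code"])
    r["reuse"] = srv.token(GRANT, brush, resp["device_code"])["error"]

    # Owner refuses on the phone.
    resp = srv.device_authorization(brush, "brushing:write")
    srv.user_decides(resp["user_code"], approve=False)
    clock.advance(resp["interval"])
    r["denied"] = srv.token(GRANT, brush, resp["device_code"])["error"]

    # Nobody ever types the code: it expires.
    resp = srv.device_authorization(brush, "brushing:write")
    clock.advance(resp["expires_in"] + 1)
    r["expired"] = srv.token(GRANT, brush, resp["device_code"])["error"]
    return r
```

The user code is what the owner types, so it is short, drawn from an alphabet without look-alike characters and matched case-insensitively with separators stripped; the device code is long and random because it is the bearer secret the device later redeems. Polling faster than the advertised interval is answered with slow_down, and once a device code has produced a token or a terminal error it is gone, so a stolen device code cannot be redeemed a second time.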

Page 22

Token Binding: LATER AGGREGATOR

Diagram: the "Personal Finance Manager" use case: a Multi-account aggregator (native app) calling several Bank APIs, its tokens protected with the Token Binding & Mutual TLS profiles. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), OAuth 2 for native apps, Token Binding & Mutual TLS profiles, OpenID Connect provider.

Page 23

User Managed Access: RUN BABY RUN

Diagram: "Me" as the resource owner, with my own Authorization server, sharing Personal health records with a Doctor and a Receptionist (requesting parties) through some medical software. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), Requesting party, OAuth 2 for native apps, Token Binding & Mutual TLS profiles, OpenID Connect provider.

Page 24

Token Exchange: WALL STREET

Diagram: Customer support calling the Customer API, which in turn calls Micro services, with Token Exchange between the hops. Legend: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), Requesting party, Token Exchange, Token Binding, OAuth 2 for native apps, OpenID Connect provider.

Page 25

Not to mention

/ Dynamic Client Registration & Management
/ OIDC/OAuth Discovery
/ Signed request
/ Mobile Connect
/ OIDC Session Management
/ Token revocation
/ …

The big picture: AT LAST

Diagram: the full legend accumulated over the deck: Client, Authorization server, Resource server, Access token, Resource owner, Refresh token, ID token, PKCE (RFC 7636), Requesting party, Token Exchange, Token Binding, OAuth 2 for native apps, OpenID Connect provider.

Page 26

"Just saying #OAuth does not do the job": ONE LAST WORD

/ OAuth is a very rich ecosystem

Choose the right specifications

Integrate them carefully within a well-designed architecture

Don't end up with flawed API security or a false sense of security

Page 27

wavestone.com | @wavestone_

riskinsight-wavestone.com | @Risk_Insight

securityinsider-solucom.fr | @SecuInsider

Bertrand CARLIER, Senior Manager

M +33 6 18 64 42 52

[email protected]

Page 28

PARIS | LONDON | NEW YORK | HONG KONG | SINGAPORE* | DUBAI* | BRUSSELS | LUXEMBOURG | GENEVA | CASABLANCA | LYON | MARSEILLE | NANTES

* Strategic partners

PARIS | LONDON | NEW YORK | HONG KONG | SINGAPORE* | DUBAI* | SAO PAULO* | LUXEMBOURG | MADRID* | MILAN* | BRUSSELS | GENEVA | CASABLANCA | ISTANBUL* | LYON | MARSEILLE | NANTES

* Partnerships