Neo-security Stack

The “Neo-security Stack”

Securing APIs using the new stack of RESTful technologies

By Travis Spencer, CEO

@travisspencer, @2botech

Copyright © 2013 Twobo Technologies AB. All rights reserved

twitter.com/travisspencer

twitter.com/2botech

Agenda

The security challenge in context

Neo-security stack

OAuth Basics

Overview of other layers


Crucial Security Concerns


Enterprise

Security

API

Security

Mobile

Security

Identity is Central


MDM MAM

AuthZ

Mobile

Security

API

Security

Enterprise

Security

Identity

Venn diagram by Gunnar Peterson

http://1raindrop.typepad.com/

SAML / OpenID Connect

SCIM

JSON Identity Suite

OAuth

The Neo-security Stack


Federation Provisioning

Identity Authorization

SAML

SAML: proven

technology for

identity federation

and Web SSO

Profiles, bindings,

protocols, assertions

& metadata

V. 2.1 in

the works


Service

Provider (SP)

Identity Provider (IdP)

OpenID Connect

New federation protocol that builds on OAuth 2

Adds identity inputs/outputs to OAuth messages

Related to prior OpenID versions in name only

Compact messages for mobile scenerios

RP / client can determine info about end user

Tokens are JWTs

UserInfo endpoint to get user data


Grandpa SAML

& junior

Overview of SCIM

Defines RESTful API to manage users & groups

Specifies core user & group schemas

Supports bulk updates for ingest

Binding for SAML and eventually OpenID Connect


OAuth

OAuth 2 is the new protocol of

protocols

Composed in useful ways

Like WS-Trust of old

Addresses old requirements and

solves new ones

Delegated access

No password sharing

Revocation of access


OAuth Actors

Client

Authorization Server (AS)

Resource Server (RS) (i.e., API)

Resource Owner (RO)


Get

a t

oken

User a token

RS Client

AS

Access Tokens Refresh Tokens

Types of Tokens


Like a Session

Used to secure API calls

Like a Password

Used to get new access

tokens

By Value By Reference

Classes of Tokens


123XYZ

123XYZ

User attributes are in the

token

User attributes are

referenced by an identifier

Scopes

Like permissions

Scopes specify extent of

tokens’ usefulness

Listed on consent UI (if shown)

Issued tokens may have

narrower scope than requested

No standardized scopes


OAuth Web Server Flow


Usage of OAuth


Not for authentication

Not really for authorization

For delegation

JSON Identity Protocol Suite

Suite of JSON-based identity protocols

Tokens (JWT) ▪ Encryption (JWE)

Keys (JWK) ▪ Signatures (JWS)

Algorithms (JWA)

Bearer Token spec explains how to use w/ OAuth

Being defined in IETF


JWT Tokens

Pronounced like the English word “jot”

Lightweight tokens passed in HTTP headers &

query strings

Akin to SAML tokens

Less expressive

Less security options

More compact

Encoded w/ JSON not XML


Authentication & Federation

How you authenticate to AS is undefined

Use SAML or OpenID Connect for SSO to AS

Relay OAuth token in SAML messages


Push Tokens & Pull Data


IdP & API Provider SaaS App

Browser

Access token in

federation message

Get Data

Data

SCIM + OAuth

Use OAuth to secure SCIM API calls

Use SCIM to create accounts needed to access

APIs secured using OAuth


SCIM + SAML/OIDC

Carry SCIM attributes in SAML assertions

(bindings for SCIM)

Enables JIT provisioning

Supplements SCIM API & schema

Provisioning accounts using SCIM API to be

updated before/after logon


User Managed Access

Also extends OAuth 2

Allows users to centrally control

distribution of their identity data

Used with Personal Data

Stores (PDS) to create “identity

data lockers”


Questions & Thanks

@2botech

@travisspencer

www.2botech.com

travisspencer.com Copyright © 2013 Twobo Technologies AB. All rights reserved

http://www.twitter.com/2botech

http://twitter.com/travisspencer

http://www.2botech.com/

http://www.travisspencer.com/

Neo-security Stack

Technology

Transcript of Neo-security Stack