The “Neo-security Stack”
Securing APIs using the new stack of RESTful technologies
By Travis Spencer, CEO
@travisspencer, @2botech
Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda
The security challenge in context
Neo-security stack
OAuth Basics
Overview of other layers
Crucial Security Concerns
[Diagram: three overlapping areas labelled Enterprise Security, API Security and Mobile Security]
Identity is Central
[Venn diagram by Gunnar Peterson: Enterprise Security, API Security and Mobile Security, with overlap regions labelled MDM, MAM and AuthZ and Identity at the centre]
The Neo-security Stack
[Stack diagram: SAML / OpenID Connect (Federation), SCIM (Provisioning), JSON Identity Suite (Identity), OAuth (Authorization)]
SAML
SAML: proven technology for identity federation and Web SSO
Profiles, bindings, protocols, assertions & metadata
V. 2.1 in the works
[Diagram: Service Provider (SP) and Identity Provider (IdP)]
OpenID Connect
New federation protocol that builds on OAuth 2
Adds identity inputs/outputs to OAuth messages
Related to prior OpenID versions in name only
Compact messages for mobile scenarios
RP / client can determine info about end user
Tokens are JWTs
UserInfo endpoint to get user data
[Image caption: Grandpa SAML & junior]
Overview of SCIM
Defines RESTful API to manage users & groups
Specifies core user & group schemas
Supports bulk updates for ingest
Binding for SAML and eventually OpenID Connect
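The SCIM slide above lists what the API has to do: manage users and groups over REST, follow the core schemas, and accept bulk updates for ingest. The following Python is an added example (not the deck's or any SCIM product's code) of a minimal in-memory service doing exactly those three things. It uses the SCIM 2.0 URNs from RFC 7643/7644, which postdate this 2013 deck; the store, the user names and the bulk operations are constructed sample data.

```python
"""Minimal in-memory SCIM service: schema validation, server-assigned ids, groups
referencing users, and a BulkRequest/BulkResponse round trip for ingest.
Added example; not from the deck or any SCIM implementation."""
import uuid

# SCIM 2.0 identifiers (RFC 7643 / RFC 7644)
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
BULK_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:BulkResponse"

users = {}    # id -> User resource (constructed in-memory store standing in for a directory)
groups = {}   # id -> Group resource


def create_user(resource):
    """POST /Users: enforce the core User schema's required attribute (userName),
    reject duplicates, and assign the id server-side. Returns (status, body)."""
    if USER_SCHEMA not in resource.get("schemas", []):
        return 400, {"detail": "schemas must include the core User schema"}
    user_name = resource.get("userName")
    if not user_name:
        return 400, {"detail": "userName is required"}
    if any(u["userName"] == user_name for u in users.values()):
        return 409, {"detail": "userName already in use"}   # uniqueness conflict
    stored = dict(resource)
    stored["id"] = str(uuid.uuid4())   # the service, never the client, picks the id
    users[stored["id"]] = stored
    return 201, stored


def create_group(display_name, member_ids):
    """POST /Groups: every member must reference a User id that already exists."""
    missing = [m for m in member_ids if m not in users]
    if missing:
        return 400, {"detail": "unknown members: " + ", ".join(missing)}
    group = {
        "schemas": [GROUP_SCHEMA],
        "id": str(uuid.uuid4()),
        "displayName": display_name,
        "members": [{"value": m} for m in member_ids],
    }
    groups[group["id"]] = group
    return 201, group


def bulk_request(operations):
    """Apply a BulkRequest (many creates in one round trip, the ingest case) and
    return a BulkResponse recording the outcome of each operation by bulkId."""
    request = {"schemas": [BULK_REQUEST], "Operations": operations}
    results = []
    for op in request["Operations"]:
        if op.get("method") == "POST" and op.get("path") == "/Users":
            status, body = create_user(op.get("data", {}))
        else:
            status, body = 400, {"detail": "unsupported operation"}
        result = {"method": op.get("method"), "bulkId": op.get("bulkId"), "status": str(status)}
        if status == 201:
            result["location"] = "/Users/" + body["id"]
        results.append(result)
    return {"schemas": [BULK_RESPONSE], "Operations": results}


if __name__ == "__main__":
    # Constructed sample ingest: second operation collides on userName and gets 409
    response = bulk_request([
        {"method": "POST", "path": "/Users", "bulkId": "b1",
         "data": {"schemas": [USER_SCHEMA], "userName": "alice"}},
        {"method": "POST", "path": "/Users", "bulkId": "b2",
         "data": {"schemas": [USER_SCHEMA], "userName": "alice"}},
    ])
    for op in response["Operations"]:
        print(op["bulkId"], op["status"])
```

The per-operation status in the BulkResponse lets a provisioning client see which rows of an ingest failed without the whole batch being rolled back, which is the behaviour the "bulk updates for ingest" bullet refers to.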
OAuth
OAuth 2 is the new protocol of protocols
Composed in useful ways
Like WS-Trust of old
Addresses old requirements and solves new ones
Delegated access
No password sharing
Revocation of access
OAuth Actors
Client
Authorization Server (AS)
Resource Server (RS) (i.e., API)
Resource Owner (RO)
[Diagram: the Client gets a token from the AS, then uses the token at the RS]
Types of Tokens
Access Tokens: like a session; used to secure API calls
Refresh Tokens: like a password; used to get new access tokens
Classes of Tokens
By Value: user attributes are in the token
By Reference: user attributes are referenced by an identifier
[Diagram: the same token value 123XYZ shown by value and by reference]
Scopes
Like permissions
Scopes specify extent of tokens’ usefulness
Listed on consent UI (if shown)
Issued tokens may have narrower scope than requested
No standardized scopes
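The Scopes slide makes two points that are easy to get wrong in practice: the authorization server may issue a token with narrower scope than the client asked for, and the resource server must check scope on every call. The Python below is an added example (not the deck's code) showing both sides. Since OAuth defines no standard scopes, the scope names, the client registrations and the token store are all constructed for illustration; the `invalid_token` / `insufficient_scope` error names are the ones the OAuth bearer token spec uses for 401 and 403 responses.

```python
"""Scope narrowing at the AS and scope enforcement at the RS.
Added example; scope names and client registrations are constructed."""
import itertools

# Scopes the hypothetical API exposes (constructed; OAuth standardizes none)
API_SCOPES = {"contacts:read", "contacts:write", "calendar:read"}

# What each registered client may request (constructed registration data)
CLIENT_ALLOWED_SCOPES = {
    "mobile-app": {"contacts:read", "calendar:read"},
    "admin-console": set(API_SCOPES),
}

issued_tokens = {}                 # opaque token value -> granted scopes (AS-side store)
_token_ids = itertools.count(1)


def issue_token(client_id, requested, consented):
    """Authorization-server side. The granted set is the intersection of what was
    requested, what the API defines, what this client is registered for, and what
    the resource owner consented to, so it may be narrower than requested.
    Returns (token, granted_scopes)."""
    allowed = CLIENT_ALLOWED_SCOPES.get(client_id, set())
    granted = set(requested) & API_SCOPES & allowed & set(consented)
    if not granted:
        raise PermissionError("no grantable scope for client %r" % client_id)
    token = "tok-%d" % next(_token_ids)   # constructed opaque (by-reference) value
    issued_tokens[token] = frozenset(granted)
    return token, granted


def authorize_call(token, required_scope):
    """Resource-server side: an API call proceeds only when the presented token is
    known and carries the scope this endpoint requires. Returns (status, error)."""
    granted = issued_tokens.get(token)
    if granted is None:
        return 401, "invalid_token"
    if required_scope not in granted:
        return 403, "insufficient_scope"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed run: the mobile app asks for write access it is not registered for
    tok, granted = issue_token(
        "mobile-app",
        requested=["contacts:read", "contacts:write", "calendar:read"],
        consented=["contacts:read", "contacts:write", "calendar:read"],
    )
    print(tok, sorted(granted))                      # contacts:write is dropped
    print(authorize_call(tok, "contacts:read"))      # (200, 'ok')
    print(authorize_call(tok, "contacts:write"))     # (403, 'insufficient_scope')
```

The RS never trusts the client's claim about what it is allowed to do; it looks at what the AS actually granted. Logging the 403 `insufficient_scope` responses is a cheap way to spot clients probing beyond their registered scope.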
OAuth Web Server Flow
Usage of OAuth
Not for authentication
Not really for authorization
For delegation
JSON Identity Protocol Suite
Suite of JSON-based identity protocols
Tokens (JWT) ▪ Encryption (JWE)
Keys (JWK) ▪ Signatures (JWS)
Algorithms (JWA)
Bearer Token spec explains how to use w/ OAuth
Being defined in IETF
JWT Tokens
Pronounced like the English word “jot”
Lightweight tokens passed in HTTP headers & query strings
Akin to SAML tokens
Less expressive
Fewer security options
More compact
Encoded w/ JSON not XML
Authentication & Federation
How you authenticate to AS is undefined
Use SAML or OpenID Connect for SSO to AS
Relay OAuth token in SAML messages
Push Tokens & Pull Data
[Diagram: the IdP & API Provider pushes an access token to the SaaS App inside the federation message via the Browser; the SaaS App then calls Get Data on the API and receives Data]
SCIM + OAuth
Use OAuth to secure SCIM API calls
Use SCIM to create accounts needed to access APIs secured using OAuth
SCIM + SAML/OIDC
Carry SCIM attributes in SAML assertions
(bindings for SCIM)
Enables JIT provisioning
Supplements SCIM API & schema
Provisioning accounts using SCIM API to be updated before/after logon
User Managed Access
Also extends OAuth 2
Allows users to centrally control distribution of their identity data
Used with Personal Data Stores (PDS) to create “identity data lockers”
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
travisspencer.com