OAuth, OIDC and protecting third party credentials
APIsecure 2023
Ed Olson-Morgan (he/his), Tuesday March 14th 2023
Photo by Danil Aksenov on Unsplash
About me
Ed Olson-Morgan
• Engineer -> management consultant -> engineer
• Part of the founding team of two digital consulting practices: ADAPT@Bain and Oliver Wyman Digital
• Core API & Innovation Lead at Marsh McLennan since 2021
Agenda for today
• Explain the business problem we’re trying to solve: protecting third party credentials when working with vendors and multiple development teams
• Discuss the credential abstraction pattern and how it helps us here
• Review some of the issues that came up and how OAuth / OIDC standards helped us solve them
• Talk through some of the technical implementation details
• Show how we put it all together to better protect our environments
• Share what we’re looking at doing next
Our business problem
Who is Marsh McLennan?
• Big, global professional services firm: insurance and reinsurance broking, human resources and benefits consulting, management consulting
• Celebrated 150th anniversary last year; over $20BB in revenue
• Four main operating companies (Marsh, Mercer, Guy Carpenter, Oliver Wyman)
• Central technology capability (MMC Tech) established in 2020; accelerate and standardize the adoption of technology throughout the business
APIs are at the heart of our reuse strategy
The “reuse taxonomy”
• We build software for ourselves, our clients, our clients’ employees and our clients’ clients across multiple lines of business
• Doing so effectively requires focusing on solving the unique problems of each application and reusing common solutions everywhere else
[Figure: reuse taxonomy spectrum, Templates / Code snippets / Libraries / APIs: increasingly efficient to reuse and maintain; decreased developer flexibility]
Working with SaaS partners
• Part of reuse is also not creating things in the first place: there are many technology areas that are not core to our business
• As such, we partner with over a hundred SaaS providers (from household names like Microsoft and Docusign to boutique providers) to support our work
• In most cases, this requires some form of shared trust (single-sign-on, shared credentials etc.)
Photo by Cytonn Photography on Unsplash
Protecting our credentials
• One particular challenge we face is sharing long-lived credentials with our vendors
• This broadens the attack surface if these credentials are leaked or otherwise compromised
• When these credentials are for another vendor / third-party (e.g. Microsoft Graph API), we also risk issues with security misconfiguration or excessive authorization
• We use credential abstraction patterns to reduce this risk
Photo by Markus Winkler on Unsplash
Credential abstraction
Credential abstraction: an overview
[Diagram: the calling application, an intermediate proxy, an authentication service and the underlying service, with numbered steps 1-7 covering validate caller credentials, obtain service credentials, rewrite URI and communicate response]
Authenticating the application
• Using a credential abstraction pattern requires providing an alternative method for callers to authenticate themselves
• Because these are typically service-to-service calls, we use the OAuth Client Credentials grant to generate short-lived tokens for the calling applications to use
• We’ll come back to some of the challenges this posed later
Photo by Volodymyr Kondriianenko on Unsplash
Validating application credentials
• The calling application then presents the short-lived credentials to the credential abstraction service
• The abstraction service is then responsible for validating these with the issuer before allowing the call to proceed any further
• When using OAuth, this should make a call back to the credential issuer to make sure that the provided credentials are still valid, rather than just validating the token using the provided signature
Photo by Levi Ventura on Unsplash
Obtaining service credentials
• The abstraction service then reviews the request being made to the underlying service
• Each calling application should be granted least-privilege permissions at the endpoint/method level
• If this check is passed, the abstraction service then removes the credentials supplied by the application and replaces those with valid credentials for the underlying service
• Where possible, these credentials should be application-specific and tightly scoped
Photo by Maria Ziegler on Unsplash
Rewrite the URI
• The abstraction service then needs to re-write the URI so that the request can be passed on to the underlying service
• This may also involve adding in incremental headers or other components (query parameters, message body elements etc.) needed to meet the requirements of the underlying service
Photo by Luca Bravo on Unsplash
Communicate the response
• After the call has been made to the underlying service, the abstraction service needs to pass on the response
• All secrets and sensitive values still attached to the call should be removed prior to returning it to the calling application
• Errors should be handled and replaced / masked where necessary
Photo by Diana Light on Unsplash
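The five proxy steps above (validate the caller with the issuer, enforce endpoint/method least privilege, swap in application-specific service credentials, rewrite the URI, scrub the response), reduced to pure functions as an added example. This is not Marsh McLennan's or Apigee's code; the route prefix, upstream host, policy table, tokens and header names are all constructed, and `introspect` stands in for the real call back to the token issuer.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Request:
    method: str
    target: str            # path on the proxy (inbound) or full URL (outbound)
    headers: dict
    body: str = ""


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed configuration; none of these names are the talk's real values.
PROXY_PREFIX = "/mail-facade"
UPSTREAM_BASE = "https://graph.example.invalid/v1.0"   # placeholder underlying service
# Least-privilege policy: the upstream (method, path template) pairs each client may call
POLICY = {
    "billing-vendor": {("POST", "/users/{id}/sendMail"), ("GET", "/users/{id}/messages")},
}
# Application-specific credentials for the underlying service, known only to the proxy
SERVICE_CREDENTIALS = {"billing-vendor": "constructed-service-token-for-billing-vendor"}
# Stand-in for the issuer's view of which caller tokens are currently active
ACTIVE_TOKENS = {"caller-token-123": "billing-vendor"}
CALLER_CREDENTIAL_HEADERS = ("authorization", "cookie", "x-api-key")
SENSITIVE_RESPONSE_HEADERS = ("set-cookie", "www-authenticate", "authorization", "server")


def introspect(token: str) -> Optional[str]:
    """Constructed stand-in for calling back to the token issuer: returns the client id
    the token was issued to, or None if it is unknown, expired or revoked."""
    return ACTIVE_TOKENS.get(token)


def _template_matches(template: str, path: str) -> bool:
    """'/users/{id}/sendMail' matches '/users/abc/sendMail', compared segment by segment."""
    t_parts, p_parts = template.strip("/").split("/"), path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all((t.startswith("{") and t.endswith("}") and p != "") or t == p
               for t, p in zip(t_parts, p_parts))


def forward(req: Request, check_token: Callable[[str], Optional[str]] = introspect
            ) -> Tuple[Optional[Request], Optional[Response]]:
    """Validate, authorize and rewrite: returns (upstream_request, None) or (None, error)."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None, Response(401, {}, '{"error":"missing bearer token"}')
    client_id = check_token(auth[len("Bearer "):])   # ask the issuer, not just the signature
    if client_id is None:
        return None, Response(401, {}, '{"error":"invalid or revoked token"}')
    if not req.target.startswith(PROXY_PREFIX + "/"):
        return None, Response(404, {}, '{"error":"unknown route"}')
    upstream_path = req.target[len(PROXY_PREFIX):]
    allowed = POLICY.get(client_id, set())
    if not any(m == req.method and _template_matches(t, upstream_path) for m, t in allowed):
        return None, Response(403, {}, '{"error":"operation not permitted for this client"}')
    # Drop every caller-supplied credential, then attach the service credential
    headers = {k: v for k, v in req.headers.items() if k.lower() not in CALLER_CREDENTIAL_HEADERS}
    headers["Authorization"] = "Bearer " + SERVICE_CREDENTIALS[client_id]
    headers["X-Facade-Client"] = client_id   # assumed incremental header for the upstream audit trail
    return Request(req.method, UPSTREAM_BASE + upstream_path, headers, req.body), None


def scrub_response(upstream: Response) -> Response:
    """Strip sensitive headers and mask upstream failures before replying to the caller."""
    headers = {k: v for k, v in upstream.headers.items() if k.lower() not in SENSITIVE_RESPONSE_HEADERS}
    if upstream.status == 401:
        # The caller was already authenticated, so a 401 here means the *service* credential
        # failed: that is a facade problem and must not be echoed back as-is.
        return Response(502, headers, '{"error":"facade credential error"}')
    if upstream.status >= 500:
        return Response(upstream.status, headers, '{"error":"upstream service error"}')
    return Response(upstream.status, headers, upstream.body)
```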
Improving our authentication approach
OAuth 2.0 to the rescue?
• OAuth is not an authentication standard - but it does suggest authentication methods to use (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1)
• Over time, those have become ubiquitous - either using HTTP basic authentication methods or providing credentials in the body of a request
• While the standard requires TLS, a secret sent on every request is still exposed to man-in-the-middle attacks, inadvertent logging, early TLS termination …
OIDC Core 1.0
• Section 9 of OIDC Core 1.0 lists out four recommended approaches for client authentication
• The two methods from the OAuth standard, now called client_secret_basic and client_secret_post
• Two new methods: client_secret_jwt and private_key_jwt
• The two new methods no longer require sending your client secret as part of your token request
Using symmetric secrets
client_secret_jwt
• The client_secret_jwt authentication approach is the simpler of the two options
• Clients / calling applications are still given a client ID and client secret, but instead of providing those in the request, the calling application generates a JWT containing the client ID and signs it with the client secret
• Because the authentication server has both of these elements, it can verify the JWT and then return a token if successful
• The main downside here is that a shared secret is still required between the client and authentication server
• This secret needs to be passed out of band between the two environments
Photo by Robin Spielmann on Unsplash
Using asymmetric keys
private_key_jwt
• In private_key_jwt, the calling application uses asymmetric cryptography to protect the request instead
• The calling application generates a key pair and signs the request with the private key
• It then shares the public key with the API server
• The API server can then use the public key to verify the signature
• In addition, if the calling application shares a URL rather than the key itself, any updates required to the key pair are shared automatically
Photo by Johannes Ortner on Unsplash
Embedding custom claims
• OpenID Connect also provides lightweight guidance on how to handle custom claims in the auth request: “The JWT MAY contain other Claims. Any Claims used that are not understood MUST be ignored.”
• We implement this feature by embedding a list of authorized claims within the configuration of each calling application, and then embedding those in the returned token if they are found in the request
Photo by Theodor Vasile on Unsplash
For our purposes, we made the tradeoff to use client_secret_jwt as it was easier for clients to build into their applications
Some implementation details
Leveraging our API gateway
• We use Apigee Hybrid as our API gateway, and this already served as our OAuth token issuer for machine-to-machine calls
• Unfortunately Apigee’s standard policies only accommodated the older authentication approaches (client_secret_basic and client_secret_post) that we were trying to avoid
Photo by Piyush Wadhwa on Unsplash
Enhancements
• We decided to enhance the authentication components of our proxy so that it could validate and transform the call into a form that Apigee could then validate as standard
[Diagram: the token request before and after the proxy enhancement]
1. The proxy extracts the supplied JWT from the request and decodes it to extract the client id from the token
2. The proxy verifies the client ID is valid, looks up the corresponding client secret and uses that to verify the token’s signature
3. The proxy then checks that the jti value supplied with the token is unique, and if so assigns the credentials to the request body
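An added example, not the talk's or Apigee's code, covering both the client_secret_jwt slide and the three proxy enhancement steps above: the client signs an HS256 assertion with its client secret and sends it in place of the secret; the proxy decodes the client id, looks up the registered secret, verifies the signature, audience and expiry, enforces one-time use of jti, and rewrites the request into the client_secret_post form the gateway already validates. The token endpoint URL and the client registry are constructed; the JWT is built with plain hmac/base64 rather than a JWT library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

TOKEN_ENDPOINT = "https://gateway.example.invalid/oauth/token"   # assumed issuer token endpoint
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Constructed client registry the proxy consults (client id -> client secret)
CLIENT_SECRETS = {"billing-vendor": "constructed-shared-secret-do-not-reuse"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def build_client_assertion(client_id: str, client_secret: str, audience: str,
                           now: Optional[int] = None, ttl: int = 60) -> str:
    """Client side: HS256 JWT with the claims OIDC Core section 9 requires for client_secret_jwt."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16)}
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_request(client_id: str, client_secret: str, now: Optional[int] = None) -> dict:
    """Form body the client sends to the token endpoint: the secret itself never goes on the wire."""
    return {"grant_type": "client_credentials",
            "client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": build_client_assertion(client_id, client_secret, TOKEN_ENDPOINT, now)}


class ProxyVerifier:
    """Proxy side: steps 1-3 of the enhancement, with an in-memory jti replay cache."""

    def __init__(self, client_secrets: dict, audience: str):
        self.client_secrets = client_secrets
        self.audience = audience
        self._seen_jti: dict = {}          # jti -> exp, so stale entries can be purged

    def verify(self, assertion: str, now: Optional[int] = None) -> Tuple[Optional[str], str]:
        now = int(time.time()) if now is None else now
        parts = assertion.split(".")
        if len(parts) != 3:
            return None, "malformed assertion"
        head_b64, claims_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(head_b64))
            claims = json.loads(_b64url_decode(claims_b64))   # step 1: decoded, still untrusted
        except (ValueError, UnicodeDecodeError):
            return None, "malformed assertion"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None, "malformed assertion"
        if header.get("alg") != "HS256":                    # never let the token choose the algorithm
            return None, "unsupported alg"
        client_id = claims.get("iss")
        if not client_id or claims.get("sub") != client_id:
            return None, "iss/sub mismatch"
        secret = self.client_secrets.get(client_id)        # step 2: look up the registered secret
        if secret is None:
            return None, "unknown client"
        expected = hmac.new(secret.encode(), f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None, "bad signature"
        if claims.get("aud") != self.audience:
            return None, "wrong audience"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None, "expired"
        self._seen_jti = {j: e for j, e in self._seen_jti.items() if e > now}   # purge old ids
        jti = claims.get("jti")                              # step 3: each jti is accepted once
        if not jti or jti in self._seen_jti:
            return None, "replayed jti"
        self._seen_jti[jti] = exp
        return client_id, "ok"

    def to_gateway_form(self, form: dict, now: Optional[int] = None) -> Optional[dict]:
        """Rewrite a verified client_secret_jwt request into client_secret_post for the gateway."""
        if form.get("client_assertion_type") != CLIENT_ASSERTION_TYPE:
            return None
        client_id, status = self.verify(form.get("client_assertion", ""), now)
        if status != "ok":
            return None
        return {"grant_type": form.get("grant_type"), "client_id": client_id,
                "client_secret": self.client_secrets[client_id]}
```

The replay cache here is per-process; behind a gateway that runs several replicas the jti set has to live in shared storage or the uniqueness check is only as good as the routing.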
Client support
We have sample libraries available in common languages to support adoption
Applying credential abstraction
• We implemented the remainder of the credential abstraction pattern inside of Apigee Hybrid as well, using it to validate the JWT, substitute in the credentials for the underlying service and do any rewriting of the URL that is required
Photo by Meghan Rodgers on Unsplash
Putting it all together
Example 1: APAC healthcare provider
• Third-party billing provider required ability to send e-mails and review e-mail inboxes for replies using Marsh McLennan identities
• Implemented credential facade in front of Microsoft Graph APIs in Apigee Hybrid, using client_secret_jwt to authenticate request for OAuth Client Credentials token
Photo by Sincerely Media on Unsplash
Example 2: EMEA HR vendor
• Third-party HR software required ability to send e-mails using Marsh McLennan identities
• Implemented credential facade in front of Microsoft Graph APIs in Apigee Hybrid, using client_secret_jwt to authenticate request for OAuth Client Credentials token
Photo by Christina @ wocintechchat.com on Unsplash
Example 3: EMEA bank
• Client bank had embedded Marsh digital broking services inside of a combined auto loan / insurance product
• Implemented client_secret_jwt to authenticate request for OAuth Client Credentials token, using custom claims to provide additional verified data about the customer
Photo by Matthew Henry on Unsplash
What comes next?
Adding private_key_jwt
• We still see private_key_jwt as the better of the two new methods provided by OIDC Core, and are looking to support key-pair signed tokens for auth credentials
• We also want to create a signing infrastructure for our internal developers so that they don’t need to stand up their own capabilities and key management
Photo by regularguy.eth on Unsplash
Create standardized facades
• To date, we’ve been using common patterns to solve specific client or internal challenges but not reusing the underlying code
• We’re starting to see some shared patterns (such as the MS Graph API) that we think we can solve once for many users
• This will involve moving towards increased configuration for each new application that is onboarded, rather than copies and customization
Photo by Mika Baumeister on Unsplash
Thanks and acknowledgements
• Core API team: Brian Geoghegan, Hugh Greenish, Arushi Goel, Susanne Hart and Kambui Nurse
• MMC Enterprise Architecture: Richard Giles, Mike Coe, Jason Bent, Steve Mycock
• MMC Information Security: Mike Nepomnyashy, Ben Cheng, AJ Colangelo, Mark Mittendorf
• MMC Tech community: Ray Taylor, Thomas Siu
• Jamie Tanna, whose blog (https://www.jvt.me/posts/2021/11/09/avoid-client-secret/) set me off down this road
• Apidays and APIsecure 2023 for having me here
• All the artists on Unsplash who provided visuals for this talk
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBMapidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
 
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
apidays Singapore 2023 - Securing and protecting our digital way of life, Ver...
 
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartnerapidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
 
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
apidays Australia 2023 - Curb your Enthusiasm:Sustainable Scaling of APIs, Sa...
 
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
Apidays Paris 2023 - API Security Challenges for Cloud-native Software Archit...
 
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IOApidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
Apidays Paris 2023 - State of Tech Sustainability 2023, Gaël Duez, Green IO
 
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
Apidays Paris 2023 - 7 Mistakes When Putting In Place An API Program, Francoi...
 
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
Apidays Paris 2023 - Building APIs That Developers Love: Feedback Collection ...
 
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
Apidays Paris 2023 - Product Managers and API Documentation, Gareth Faull, Lo...
 
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
Apidays Paris 2023 - How to use NoCode as a Microservice, Benjamin Buléon and...
 
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
Apidays Paris 2023 - Boosting Event-Driven Development with AsyncAPI and Micr...
 
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
Apidays Paris 2023 - API Observability: Improving Governance, Security and Op...
 

Kürzlich hochgeladen

Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 

Kürzlich hochgeladen (20)

Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 

APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson Morgan (Marsh McLennan)

8. Working with SaaS partners
• Part of reuse is also not creating things in the first place: there are many technology areas that are not core to our business
• As such, we partner with over a hundred SaaS providers (from household names like Microsoft and Docusign to boutique providers) to support our work
• In most cases, this requires some form of shared trust (single sign-on, shared credentials etc.)
Photo by Cytonn Photography on Unsplash

9. Protecting our credentials
• One particular challenge we face is sharing long-lived credentials with our vendors
• This broadens the attack surface if these credentials are leaked or otherwise compromised
• When these credentials are for another vendor / third party (e.g. Microsoft Graph API), we also risk issues with security misconfiguration or excessive authorization
• We use credential abstraction patterns to reduce this risk
Photo by Markus Winkler on Unsplash

11. Credential abstraction: an overview
(Diagram: a calling application talks to an intermediate proxy, which works with an authentication service and the underlying service. The numbered steps are: validate caller credentials, obtain service credentials, rewrite the URI, and communicate the response back to the caller.)

12. Authenticating the application
• Using a credential abstraction pattern requires providing an alternative method for callers to authenticate themselves
• Because these are typically service-to-service calls, we use the OAuth Client Credentials grant to generate short-lived tokens for the calling applications to use
• We’ll come back to some of the challenges this posed later
Photo by Volodymyr Kondriianenko on Unsplash

13. Validating application credentials
• The calling application then presents the short-lived credentials to the credential abstraction service
• The abstraction service is then responsible for validating these with the issuer before allowing the call to proceed any further
• When using OAuth, this should make a call back to the credential issuer to make sure that the provided credentials are still valid, rather than just validating the token using the provided signature
Photo by Levi Ventura on Unsplash

14. Obtaining service credentials
• The abstraction service then reviews the request being made to the underlying service
• Each calling application should be granted least-privilege permissions at the endpoint/method level
• If this check is passed, the abstraction service then removes the credentials supplied by the application and replaces those with valid credentials for the underlying service
• Where possible, these credentials should be application-specific and tightly scoped
Photo by Maria Ziegler on Unsplash

15. Rewrite the URI
• The abstraction service then needs to rewrite the URI so that the request can be passed on to the underlying service
• This may also involve adding incremental headers or other components (query parameters, message body elements etc.) needed to meet the requirements of the underlying service
Photo by Luca Bravo on Unsplash

16. Communicate the response
• After the call has been made to the underlying service, the abstraction service needs to pass on the response
• All secrets and sensitive values still attached to the call should be removed prior to returning it to the calling application
• Errors should be handled and replaced / masked where necessary
Photo by Diana Light on Unsplash
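The six steps above, as an added example that is not code from the talk or from Apigee: a small Python proxy that introspects the caller's token with the issuer, enforces a per-client method/path allowlist, swaps in the service credential, rewrites the URI and scrubs the response before returning it. The client policy, credential names, URLs and the stub issuer/upstream callables are constructed placeholders.

```python
import json
from dataclasses import dataclass, field


class ProxyError(Exception):
    """Raised inside the proxy with the status that should go back to the caller."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


@dataclass
class Request:
    method: str
    path: str                      # path as the caller sees it on the proxy
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


# Constructed per-client policy: the endpoints each caller may use (slide 14) and
# which upstream credential to substitute. All values are placeholders.
CLIENT_POLICY = {
    "billing-vendor": {"allow": [("GET", "/mail/v1/users/"), ("POST", "/mail/v1/users/")],
                       "service_credential": "mail-api-billing-vendor"},
}
SERVICE_CREDENTIALS = {"mail-api-billing-vendor": "svc-token-PLACEHOLDER"}  # a vault in practice
UPSTREAM_BASE = "https://mail-api.example"  # placeholder for the underlying service
SENSITIVE_RESPONSE_HEADERS = {"set-cookie", "www-authenticate", "authorization"}


def handle(req, introspect, upstream):
    # 1. Validate caller credentials with the issuer (slide 13): introspect, not just a signature check.
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ProxyError(401, "missing bearer token")
    info = introspect(auth[len("Bearer "):])
    if not info.get("active"):
        raise ProxyError(401, "token not active")
    policy = CLIENT_POLICY.get(info.get("client_id"))
    if policy is None:
        raise ProxyError(403, "client not onboarded")
    # 2. Least-privilege check at method + path level (slide 14).
    if not any(req.method == m and req.path.startswith(p) for m, p in policy["allow"]):
        raise ProxyError(403, "endpoint not permitted for this client")
    # 3. Drop the caller's credential and attach the application-specific service credential.
    headers = {k: v for k, v in req.headers.items() if k.lower() != "authorization"}
    headers["Authorization"] = "Bearer " + SERVICE_CREDENTIALS[policy["service_credential"]]
    # 4. Rewrite the URI for the underlying service (slide 15).
    url = UPSTREAM_BASE + req.path.replace("/mail/v1", "/v1.0", 1)
    # 5. Make the upstream call.
    resp = upstream(req.method, url, headers, req.body)
    # 6. Scrub secrets from the response and mask upstream auth failures (slide 16).
    clean = {k: v for k, v in resp.headers.items() if k.lower() not in SENSITIVE_RESPONSE_HEADERS}
    if resp.status in (401, 403):
        return Response(502, clean, b'{"error":"upstream rejected the request"}')
    return Response(resp.status, clean, resp.body)


def serve(req, introspect, upstream):
    """Turn policy failures into responses without leaking internals to the caller."""
    try:
        return handle(req, introspect, upstream)
    except ProxyError as err:
        return Response(err.status, {"Content-Type": "application/json"},
                        json.dumps({"error": str(err)}).encode())


# Constructed stand-ins for the issuer's introspection endpoint and the upstream service.
ACTIVE_TOKENS = {"tok-billing-PLACEHOLDER": {"active": True, "client_id": "billing-vendor"}}
UPSTREAM_CALLS = []  # records what the stub upstream received


def demo_introspect(token):
    return ACTIVE_TOKENS.get(token, {"active": False})


def demo_upstream(method, url, headers, body):
    UPSTREAM_CALLS.append({"method": method, "url": url, "headers": headers})
    return Response(200, {"Content-Type": "application/json",
                          "Set-Cookie": "session=PLACEHOLDER"}, b'{"value":[]}')
```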
19. OAuth 2.0
• OAuth is not an authentication standard, but it does suggest authentication methods to use (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1)
• Over time, those have become ubiquitous: either using HTTP basic authentication or providing credentials in the body of a request
• While the standard requires TLS, this remains vulnerable to man-in-the-middle attacks, inadvertent logging, early TLS termination …

20. OIDC Core 1.0 to the rescue?
• Section 9 of OIDC Core 1.0 lists four recommended approaches for client authentication
• The two methods from the OAuth standard, now called client_secret_basic and client_secret_post
• Two new methods: client_secret_jwt and private_key_jwt
• The two new methods no longer require sending your client secret as part of your token request

21. client_secret_jwt: using symmetric secrets
• The client_secret_jwt authentication approach is the simpler of the two options
• Clients / calling applications are still given a client ID and client secret, but instead of providing those in the request, the calling application generates a JWT containing the client ID and signs it with the client secret
• Because the authentication server has both of these elements, it can verify the JWT and then return a token if successful
• The main downside here is that a shared secret is still required between the client and the authentication server
• This secret needs to be passed out of band between the two environments
Photo by Robin Spielmann on Unsplash

22. private_key_jwt: using asymmetric keys
• In private_key_jwt, the calling application uses asymmetric cryptography to protect the request instead
• The calling application generates a key pair and signs the request with the private key
• It then shares the public key with the API server
• The API server can then use the public key to verify the signature
• In addition, if the calling application shares a URL rather than the key itself, any updates required to the key pair are shared automatically
Photo by Johannes Ortner on Unsplash

23. Embedding custom claims
• OpenID Connect also provides lightweight guidance on how to handle custom claims in the auth request: “The JWT MAY contain other Claims. Any Claims used that are not understood MUST be ignored.”
• We implement this feature by embedding a list of authorized claims within the configuration of each calling application, and then embedding those in the returned token if they are found in the request
Photo by Theodor Vasile on Unsplash

24. For our purposes, we made the tradeoff to use client_secret_jwt as it was easier for clients to build into their applications

26. Leveraging our API gateway
• We use Apigee Hybrid as our API gateway, and this already served as our OAuth token issuer for machine-to-machine calls
• Unfortunately Apigee’s standard policies only accommodated the older authentication approaches (client_secret_basic and client_secret_post) that we were trying to avoid
• We decided to enhance the authentication components of our proxy so that it could validate and transform the call into a form that Apigee could then validate as standard
Photo by Piyush Wadhwa on Unsplash

27. From this … to this
(Diagram comparing the original and enhanced authentication flow through the proxy.)

28. Enhancements
1. The proxy extracts the supplied JWT from the request and decodes it to extract the client ID from the token
2. The proxy verifies the client ID is valid, looks up the corresponding client secret and uses that to verify the token’s signature
3. The proxy then checks that the jti value supplied with the token is unique, and if so assigns the credentials to the request body
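The client_secret_jwt assertion from slide 21, the three proxy-side checks just listed (slide 28) and the custom-claim filtering from slide 23, as one added example that is not the talk's or Apigee's code, using only the Python standard library. The client registry, client secret, token endpoint and in-memory jti cache are constructed placeholders; a real proxy backs them with a secret store and a shared cache that expires entries.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

TOKEN_ENDPOINT = "https://auth.example/oauth2/token"  # placeholder audience for the assertion
# Constructed registry: each client's secret and the custom claims it may embed (slide 23).
CLIENT_REGISTRY = {
    "bank-broking-client": {"secret": "client-secret-PLACEHOLDER",
                            "allowed_claims": ["customer_ref", "policy_ref"]},
}
SEEN_JTI = set()  # replay cache; a real proxy shares this and expires entries at the assertion's exp


class ClientAuthError(Exception):
    pass


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def build_client_assertion(client_id, client_secret, extra_claims=None, now=None):
    """Client side (slide 21): a JWT naming the client, signed with the client secret.
    Only the HMAC travels with the token request, never the secret itself."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + 60, "jti": str(uuid.uuid4())}
    claims.update(extra_claims or {})
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + _b64url(_hs256(client_secret, signing_input))


def verify_client_assertion(assertion, registry=CLIENT_REGISTRY, seen_jti=SEEN_JTI, now=None):
    """Proxy side (slide 28): decode the JWT, look the client secret up by client id,
    verify the signature, reject a reused jti, then return the fields that become
    an ordinary client_secret_post token request for the gateway."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = assertion.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # wrong segment count, bad base64 and bad JSON all land here
        raise ClientAuthError("malformed assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        raise ClientAuthError("unsupported assertion")  # the algorithm is pinned, never taken on trust
    client_id = claims.get("iss")
    if not client_id or client_id != claims.get("sub") or client_id not in registry:
        raise ClientAuthError("unknown client")
    secret = registry[client_id]["secret"]
    if not hmac.compare_digest(_hs256(secret, h_b64 + "." + c_b64), signature):
        raise ClientAuthError("bad signature")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ClientAuthError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ClientAuthError("assertion expired")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ClientAuthError("jti missing or already used")
    seen_jti.add(jti)
    # Slide 23: pass through only the custom claims this client is configured for; ignore the rest.
    custom = {k: claims[k] for k in registry[client_id]["allowed_claims"] if k in claims}
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": secret, "custom_claims": custom}


def try_verify(assertion, **kwargs):
    """Convenience wrapper: the token request fields on success, None on any failure."""
    try:
        return verify_client_assertion(assertion, **kwargs)
    except ClientAuthError:
        return None
```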
29. Client support
• We have sample libraries available in common languages to support adoption

30. Applying credential abstraction
• We implemented the remainder of the credential abstraction pattern inside Apigee Hybrid as well, using it to validate the JWT, substitute in the credentials for the underlying service and do any rewriting of the URL that is required
Photo by Meghan Rodgers on Unsplash

31. Putting it all together

32. Example 1: APAC healthcare provider
• Third-party billing provider required the ability to send e-mails and review e-mail inboxes for replies using Marsh McLennan identities
• Implemented a credential facade in front of Microsoft Graph APIs in Apigee Hybrid, using client_secret_jwt to authenticate the request for an OAuth Client Credentials token
Photo by Sincerely Media on Unsplash

33. Example 2: EMEA HR vendor
• Third-party HR software required the ability to send e-mails using Marsh McLennan identities
• Implemented a credential facade in front of Microsoft Graph APIs in Apigee Hybrid, using client_secret_jwt to authenticate the request for an OAuth Client Credentials token
Photo by Christina @ wocintechchat.com on Unsplash

34. Example 3: EMEA bank
• Client bank had embedded Marsh digital broking services inside a combined auto loan / insurance product
• Implemented client_secret_jwt to authenticate the request for an OAuth Client Credentials token, using custom claims to provide additional verified data about the customer
Photo by Matthew Henry on Unsplash

36. Adding private_key_jwt
• We still see private_key_jwt as the better of the two new methods provided by OIDC Core, and are looking to support key-pair-signed tokens for auth credentials
• We also want to create a signing infrastructure for our internal developers so that they don’t need to stand up their own capabilities and key management
Photo by regularguy.eth on Unsplash

37. Create standardized facades
• To date, we’ve been using common patterns to solve specific client or internal challenges but not reusing the underlying code
• We’re starting to see some shared patterns (such as the MS Graph API) that we think we can solve once for many users
• This will involve moving towards increased configuration for each new application that is onboarded, rather than copies and customization
Photo by Mika Baumeister on Unsplash

38. Thanks and acknowledgements
• Core API team: Brian Geoghegan, Hugh Greenish, Arushi Goel, Susanne Hart and Kambui Nurse
• MMC Enterprise Architecture: Richard Giles, Mike Coe, Jason Bent, Steve Mycock
• MMC Information Security: Mike Nepomnyashy, Ben Cheng, AJ Colangelo, Mark Mittendorf
• MMC Tech community: Ray Taylor, Thomas Siu
• Jamie Tanna, whose blog (https://www.jvt.me/posts/2021/11/09/avoid-client-secret/) set me off down this road
• Apidays and APIsecure 2023 for having me here
• All the artists on Unsplash who provided visuals for this talk