2019 | KPMG Presents: API Integration with OAuth and traditional Web Session Management | Identiverse | Day 1, June 25

Web applications have moved on from a traditional web protection and authorization model. Modern web applications present a few challenges for authentication that are difficult to solve using conventional methods. Modern web applications often deploy in an AJAX / Single Page Application (SPA) model and leverage a complex combination of microservices APIs and standard web URL calls. The integration of traditional web sessions with OAuth tokens introduces a number of functional disconnects with respect to centralized session management, OAuth JWT token management, error handling, logout handling, and cross-origin resource sharing (CORS). This session will delve into the functional models and demonstrate some of the common failures that can arise. With examples using PingFederate and PingAccess, KPMG will provide some leading practices for the creation and integration of modern web application components into a secure infrastructure.

Published in: Technology

Slide 1: Modern Web Apps: API Integration with OAuth and Traditional Web Session Management (Masterclass)

Slide 2: Why are we here?
• Unprecedented changes in service consumption (B2B / B2C)
  • Mobile
  • IoT
  • Social
  • DPA
  • Bot
• Enterprises are required to deal with legacy and modern ways of securing services
• Coexistence and interoperability come with a set of challenges

Slide 3: Agenda / Outline
• Introduction
• Web App & Hosting Evolution
• Web Access Management Evolution
• OAuth 2.0 Primer
• Problem: Disconnect between Web and API resources
• Solution approach within the Ping ecosystem
• Demo
• Q & A

Slide 4: Architectural evolution of Web Apps (timeline from the 1980s to today: 1980s, 1990s, 2000, 2010, Today)
Client-Server, Three-Tier, SOA, Rise of APIs, Microservices + SPA

Slide 5: Web Apps hosting
• Physical Machines: Sun, HP, IBM
• Virtual Machines: VMware, Hyper-V, VirtualBox
• Cloud + Orchestration: AWS, Azure, GCP
• Containers: Docker, OpenShift, CoreOS

Slide 6: Threat landscape
• Legacy WAM depends on security perimeters: trusted enterprise users and on-prem apps inside, threats outside.
• Modern apps reside inside as well as outside the intranet (on-premise enterprise apps, SaaS apps, users, IoT), so threats appear on both sides of the perimeter.

Slide 7: Traditional WAM (diagram across Internet / DMZ / Enterprise network)
Web services, Web SSO, web servers + agents, WS gateway, WAM provider, proxy, enterprise applications, user and entitlement stores.

Slide 8: Modern WAM (diagram)
Clients: PC user, Mobile/API, Cloud/API, Partner/API. SAML federation to SaaS; FED + WAM policy server with agent; app, DBS, user LDAP; API via STS/API gateway; IDM process; partners; enterprise; AWS, Azure, GCP.

Slide 9: Modern WAM: security issues called out on the same diagram
• Access to a globally scoped session cookie (security issue)
• Proprietary session validation and transformation, because the solution is not standards based
• Globally scoped sessions failing audits and taking precious cookie space
• Piecemeal support of the industry standard OAuth
• Misusing the cookie via REST, or adding it as a proprietary header in web services
• Hacks to use proprietary session data

Slide 10: Target state characteristics
• Lightweight and cloud-ready
• Supports modern standards
• Co-exists with legacy systems
• Centralized security for Web, Mobile and API
• Reduced time to market

Slide 11: OAuth 2.0: API security
Give applications access using tokens without sharing the password:
• Tokens are shared, passwords are not
• Tokens can be revoked
• Open protocol standard for Web API authorization
• Framework to secure RESTful APIs

Slide 12: Access and refresh tokens
Access token: carries the necessary information to access a resource directly.
• Usually has an expiration date
• Short lived
Refresh token: used to get new access tokens.
• Must be kept secure
• Long lived

Slide 13: The password anti-pattern (diagram: an Email Scheduling Application reaching Gmail, Google Drive and Google Wallet)

Slide 14: The password anti-pattern, fixed with OAuth (diagram: application/client, authorization server, resource server, resource owner, mobile browser; flow steps numbered 1 to 7)

Slide 15: Should we be concerned?
• Telco Alerts 2.3 Million Customers of Data Breach Tied to Leaky API (Source: Threatpost website, August 24, 2018)
• Social media app security breach allowed hackers to control the accounts of up to 50 million users (Source: CNBC.com, September 28, 2018)
• Fast casual restaurant data breach puts attention on risks of loyalty programs (Source: Washington Post, April 4, 2018)

Slide 16: The Problem Statement (diagram across Internet / DMZ / Enterprise Network)
Web App API and Mobile App API clients, WAM agent, API Gateway/Proxy, WAM services.

Slide 17: It worsens further...
• What if APIs need users to log in?
• Multiple API providers (Twitter, Google, Facebook)?
• Different token types for APIs?

Slide 18: Disconnect between Web & API resources
1. Use of WAM sessions to access APIs
2. No granular control on APIs
3. Logout: revocation of tokens
4. Audit: disparate logging systems

Slide 19: Single page application + Microservice
• The SPA invokes and orchestrates multiple API calls to microservices to paint a complete picture on the browser/mobile.
• Each (stateless) API call requires a mechanism to authenticate the inbound caller in order to form the user context necessary for the required output.
• Not all APIs are standards based, and they often need different tokens (OAuth, OpenToken, Kerberos, Basic auth) for access.
• WAM-protected applications also need access to the APIs.

Slide 20: Single page application + Microservice (diagram only)

Slide 21: Solution with the PingIdentity ecosystem (diagram only)

Slide 22: Solving it the modern way (PingFederate, PingAccess, API endpoint, web endpoint)
1. Access token authorization endpoint.
2. Validate credentials.
3. Respond with the access token to the client.
4. Client makes a request for the API with the access token.
5. PingAccess validates the access token.
6. PingAccess redirects to the resource API server.
7. Resource API server sends the response back to PingAccess.
8. PingAccess provides access to the API.
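Steps 3 to 5 of that flow (issuer returns a short-lived access token, client presents it as a bearer token, gateway validates it before forwarding) as an added Python example; this is not code from the deck or from the Ping products, and it assumes a constructed shared HMAC key between issuer and gateway and a hypothetical "orders-api" audience, where a production gateway would normally verify against keys published by the authorization server. It also shows the gateway refusing a request that carries only a WAM session cookie, the "misusing cookie via REST" issue from slide 9.

```python
import base64, hashlib, hmac, json, time

# Constructed shared HMAC key (demo only); production would use the issuer's published asymmetric key.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(subject, audience, scope, ttl=300, now=None):
    """Step 3: authorization server returns a short-lived HS256 JWT access token."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": subject, "aud": audience, "scope": scope,
                                "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def validate_access_token(token, expected_aud, required_scope, now=None):
    """Step 5: gateway checks alg, signature, expiry, audience and scope; returns (ok, subject_or_reason)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        return False, "unexpected alg"
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"  # also catches tampered claims
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, claims["sub"]

def gateway_decision(headers, expected_aud, required_scope, now=None):
    """Step 4: only a bearer access token is a credential for the API; a WAM session cookie alone is not."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "no bearer token (session cookie alone is not accepted for APIs)"
    return validate_access_token(auth[len("Bearer "):], expected_aud, required_scope, now)
```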
Slide 23: Demo
• PingFederate / PingAccess protecting API and Web resources with a SPA

Slide 24: Final thoughts (POV)

Slide 25: Q&A (towards the end)

Slide 26: Thank you

Slide 27: The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. © 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.
