OAuth – authentication & authorization framework for REST APIs

Paul Madsen
Ping Identity
Authentication for SOAP

•  The SOAP world has long had standards related to authentication & authorization of web services
•  WS-Trust defines a protocol by which a SOAP client can obtain a security token (typically a SAML assertion)
•  WS-Security stipulates how to attach the token (SAML assertion) to a SOAP request
But .....

1) REST authentication

•  The REST world has not had comparable standards
•  Nothing comparable to WS-Security - a mishmash of HTTP Basic, HTTP Digest, password, and SSL for message authentication
•  Nothing comparable to WS-Trust – consequently the client bears the burden of managing credentials & trust
2) Password anti-pattern

Site asks YOU for your GOOGLE password so it can access your Google stuff.

Tsk tsk!

•  Teaches users to be indiscriminate with their passwords
•  Doesn’t support granular permissions, e.g. X can read but not write
•  Doesn’t support (easy) revocation – to be sure of turning off access users must change password
Importance of revocation

[Cartoon captions: "This is shiny!!!!!"; "I should use that more"; "WTF is this thing?"]
3) Cloud APIs

•  Within the move towards SaaS – trend towards API access to data/services to supplement/replace browser access
•  Salesforce.com expects that within the next year only 1/3 of access will be via browser
•  APIs of PaaS offerings allow the customer to expose its own cloud services
•  Clear trend for these APIs is towards REST

Cloud cures everything
4) Native mobile apps

Drivers

[Diagram: four drivers pointing at OAuth – lack of standards, password anti-pattern, cloud APIs, native mobile applications]
OAuth 2.0

•  Defines authorization & authentication framework for RESTful APIs
•  Approaching final standardization in IETF
•  Applied to delegated authorization – mitigates password anti-pattern - archetypical use case
•  Also applicable to many other scenarios – even those with no users
•  Notable for its optimizations for mobile
Mobile app IdM architecture

Native vs web apps

•  Not going to try to predict winner – expect both
•  Authentication & authorization should be consistent across both models, so that
    –  Users are not confused, e.g. use different credentials and/or authentication ceremony for the two models, even if accessing the same application
    –  Service Providers aren’t forced to implement duplicate & incompatible security frameworks for the two models
Federation

•  Federation abstracts away from applications the specifics of authentication & authorization – outsourced to specialized providers
•  Complexity hidden by token issuance & validation
•  Federation standards define
    –  Token formats
    –  How clients obtain tokens
    –  How clients present tokens to application providers
Tokens

•  Federated authentication for both web and native mobile applications is based on exchange and delivery of tokens to the application
•  Tokens carry (or point to) security information (like attributes or authorizations) for the user trying to access the application.
•  Clients typically exchange credentials for tokens - easier/safer to share the token across the network rather than the original credentials
•  When the token is subsequently presented to an application provider, it serves to authenticate and/or authorize the request
Federation takes different forms

For web apps, tokens carry attributes for authentication (browser → app)

For native apps, tokens carry authorization for attributes (app → data)
Tokens for mobile web applications

•  Federation for web applications manifests as SSO from some IdP to the application provider
•  SSO especially relevant for mobile
•  Tokens attesting to the user’s identity and/or authentication status delivered through (as redirects) the browser from IdP to the application provider
•  Application provider validates token and extracts identity attributes from within in order to create local session
Tokens for web applications

[Diagram: browser on the device, identity provider (SAML, OpenID), service provider (application)]
  1.  User trades credentials (pwd) for a token from IdP
  2.  Token delivered through the browser to SP
  3.  SP validates token, and delivers application HTML to browser
Best practices

•  Standards
    –  OpenID 2.0 for consumer scenarios
    –  SAML 2.0 for enterprise & cloud
    –  WS-Federation for homogeneous MSFT
•  IdP Discovery
    –  In consumer space, consider Nascar with email-based supplement
    –  In cloud space, consider email-based
•  Both IdP (portal) and SP (deep-linking) initiated are relevant
•  Mobile browser constraints may recommend artifact model in SAML
Tokens for native applications

•  Native applications authenticate to REST APIs by presenting a token on the call
•  The precursor act of the native application obtaining a token is often called ‘authorization’ (particularly in those cases when the API fronts user info, e.g. profile, tweets, etc)
•  User authorizes (or consents) to the native application having access to the API (and their data) – the authorization is manifested as the issuance of a token to the native app
•  OAuth 2.0 dominant protocol by which a native app obtains the desired authorizations and the corresponding token (and then uses against API)
Mobile authn options

Embedded browser (inline)
  • Pwd shared with 3rd party
  • App owns UI
  • No need to leave app

External browser
  • Custom scheme
  • Enables SSO
  • Enables strong authn
  • AS owns UI
  • Visual trust cues
  • Can leverage stored pwds
Tokens for native applications

[Diagram: browser and native application on the device, service provider (application, OAuth)]
  1.  User trades credentials (pwd) for a token
  2.  Token delivered through the browser to native application
  3.  Native application presents token on API calls
  4.  Application returns application data as JSON/XML
Best practices

•  Use the browser to authenticate the user to the AS, don’t collect user passwords within native application itself
•  A separate browser window preferred to embedded – gives user the visual trust cues trained to look for
•  OAuth authorization code grant type is relevant – allows a refresh token to be delivered to the native application (obviates need to continually reauthorize)
•  Use browser for IdP discovery if doing SSO (rather than within native application itself)
•  Native application should register custom scheme on install, to enable subsequent passing of token from browser back to native application
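The native-app side of these practices, as an added example that is not code from the deck or from Ping Identity: the app builds the authorization request exactly as the later "Load authz page" slide shows it (no client password, custom-scheme redirect, response_type=code), opens it in the external browser, and then checks the mobileapp:// redirect that comes back, refusing any redirect whose state does not match the one it sent. The AS host, the function names and the per-attempt state store are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint path and parameter values come from the walk-through; the host is assumed.
AUTHZ_ENDPOINT = "https://as.com/as/authorization.oauth2"
CLIENT_ID = "mobileapp"
REDIRECT_URI = "mobileapp://redirect_here"   # custom scheme registered on install


def new_state() -> str:
    """Fresh, unguessable state for each authorization attempt (the slide's
    'abc123' stands in for such a value). The app keeps it until the
    redirect comes back."""
    return secrets.token_urlsafe(16)


def build_authorization_url(state: str) -> str:
    """Authorization request as on the 'Load authz page' slide: no client
    password, custom-scheme redirect URI, response_type=code. The app opens
    this URL in the external browser rather than in an embedded web view."""
    params = {
        "client_id": CLIENT_ID,
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def handle_redirect(callback_url: str, expected_state: str) -> str:
    """Parse the mobileapp://redirect_here?state=...&code=... URL the OS hands
    to the app and return the authorization code. Raises ValueError on anything
    that must not be exchanged for a token: a URL for the wrong scheme/host,
    a state that differs from what this app sent (so the redirect was not
    caused by its own request), an error response, or a missing code."""
    parts = urlsplit(callback_url)
    if parts.scheme != "mobileapp" or parts.netloc != "redirect_here":
        raise ValueError("redirect does not target this app's registered URI")
    qs = parse_qs(parts.query, keep_blank_values=True)
    state = qs.get("state", [""])[0]
    # constant-time comparison; bytes so a non-ASCII state cannot raise TypeError
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discarding redirect")
    if "error" in qs:
        raise ValueError("authorization server returned: " + qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


def token_request_params(code: str) -> dict:
    """Parameters for the 'Trade code for token' step. The redirect_uri of the
    authorization request is repeated so the AS can check that the code is
    being redeemed by the client it was issued to."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
    }
```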
  
Walk through

•  Walk through scenario of an employee using a native app on their phone/tablet to interact with a SaaS provider
•  SAML provides
    –  Authentication of employee to SaaS provider
•  OAuth provides
    –  Authorization of native app to access SaaS APIs
    –  Issuance of tokens from SaaS to native app
Walk through

[Diagram: native app and browser on the device, SaaS provider (OAuth), enterprise IdP (SAML)]
Load authz page

GET /as/authorization.oauth2?client_id=mobileapp&state=abc123&redirect_uri=mobileapp://redirect_here&response_type=code HTTP/1.1

Note
  -- No client pwd
  -- Custom scheme on redirect URL
  -- Response type of ‘code’
IdP Discovery

SSO Request

<form method="post" action="https://idp.example.org/SAML2/SSO/POST">
  <input type="hidden" name="SAMLRequest" value="request" />
  <input type="submit" value="Submit" />
</form>

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>
User authentication

SSO Response

<saml:Assertion>
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue xsi:type="xs:string">pmadsen@pingidentity.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
Response with code

HTTP/1.1 302 Found
Location: mobileapp://redirect_here?state=abc123&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g
Content-Length: 0
Trade code for token

GET /as/token.oauth2?client_id=a&redirect_uri=mobileapp://redirecthere&grant_type=authorization_code&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g HTTP/1.1
Host: as.com
Accept: */*

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{"token_type":"Bearer","expires_in":"60","refresh_token":"oQWqwMUIL2ndeMHsWEyFO0GyalvKSvc2QI4YuG82RMGkM","access_token":"lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF"}
Client calls API

https://graph.facebook.com/paul.e.madsen/friends/?access_token=lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF
Verify token

GET /as/token.oauth2?client_id=b&client_secret=pwd&grant_type=urn:ping:validate&token=lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF HTTP/1.1
Host: as.com
Accept: */*

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

Not OAuth defined
Return data

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Time passes

Refresh token

GET /as/token.oauth2?client_id=a&grant_type=refresh_token&refresh_token=oQWqwMUIL2ndeMHsWEyFO0GyalvKSvc2QI4YuG82RMGkM HTTP/1.1
Host: localhost:9031
Accept: */*

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8

{"token_type":"Bearer","expires_in":"60","refresh_token":"JZ7Qa4yH5C8E3CikvcZZsd4ZLUgVyYnieXqybAFjObQpz","access_token":"49BPI5LuNM310o7hbB9m9cIzImT5M8gcRjE"}
  
Thanks

Paul Madsen
@paulmadsen
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring Cloud
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
AWS NYC Meetup - May 2017 - "AWS IoT and Greengrass"
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 

Mehr von Paul Madsen

Onboarding in the IoT
Onboarding in the IoTOnboarding in the IoT
Onboarding in the IoTPaul Madsen
 
Native application Single SignOn
Native application Single SignOnNative application Single SignOn
Native application Single SignOnPaul Madsen
 
BYOD - it's an identity thing
BYOD - it's an identity thingBYOD - it's an identity thing
BYOD - it's an identity thingPaul Madsen
 
Madsen byod-csa-02
Madsen byod-csa-02Madsen byod-csa-02
Madsen byod-csa-02Paul Madsen
 
A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMPaul Madsen
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01Paul Madsen
 
Jan19 scim webinar-04
Jan19 scim webinar-04Jan19 scim webinar-04
Jan19 scim webinar-04Paul Madsen
 
Mobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkMobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkPaul Madsen
 
Proxying Assurance between OpenID & SAML
Proxying Assurance between OpenID & SAMLProxying Assurance between OpenID & SAML
Proxying Assurance between OpenID & SAMLPaul Madsen
 
Iiw2007b Madsen 01
Iiw2007b Madsen 01Iiw2007b Madsen 01
Iiw2007b Madsen 01Paul Madsen
 

Mehr von Paul Madsen (12)

Onboarding in the IoT
Onboarding in the IoTOnboarding in the IoT
Onboarding in the IoT
 
Native application Single SignOn
Native application Single SignOnNative application Single SignOn
Native application Single SignOn
 
BYOD - it's an identity thing
BYOD - it's an identity thingBYOD - it's an identity thing
BYOD - it's an identity thing
 
Madsen byod-csa-02
Madsen byod-csa-02Madsen byod-csa-02
Madsen byod-csa-02
 
A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdM
 
Saas webinar-dec6-01
Saas webinar-dec6-01Saas webinar-dec6-01
Saas webinar-dec6-01
 
Jan19 scim webinar-04
Jan19 scim webinar-04Jan19 scim webinar-04
Jan19 scim webinar-04
 
Mobile Native OAuth Decision Framework
Mobile Native OAuth Decision FrameworkMobile Native OAuth Decision Framework
Mobile Native OAuth Decision Framework
 
Proxying Assurance between OpenID & SAML
Proxying Assurance between OpenID & SAMLProxying Assurance between OpenID & SAML
Proxying Assurance between OpenID & SAML
 
DIWD Concordia
DIWD ConcordiaDIWD Concordia
DIWD Concordia
 
Oauth 01
Oauth 01Oauth 01
Oauth 01
 
Iiw2007b Madsen 01
Iiw2007b Madsen 01Iiw2007b Madsen 01
Iiw2007b Madsen 01
 

Kürzlich hochgeladen

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Kürzlich hochgeladen (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Gluecon oauth-03

  • 1. OAuth – authentication & authorization framework for REST APIs. Paul Madsen, Ping Identity
  • 4. Authentication for SOAP
    • The SOAP world has long had standards related to authentication & authorization of web services
    • WS-Trust defines a protocol by which a SOAP client can obtain a security token (typically a SAML assertion)
    • WS-Security stipulates how to attach the token (SAML assertion) to a SOAP request
  • 6. 1) REST authentication
    • REST world has not had comparable standards
    • Nothing comparable to WS-Security – mish mash of HTTP Basic, HTTP Digest, password, and SSL for message authentication
    • Nothing comparable to WS-Trust – consequently client bears burden of managing credentials & trust
  • 7. 2) Password anti-pattern
    Site asks YOU for your GOOGLE password so it can access your Google stuff.
  • 8. Tsk tsk!
    • Teaches users to be indiscriminate with their passwords
    • Doesn't support granular permissions, e.g. X can read but not write
    • Doesn't support (easy) revocation – to be sure of turning off access users must change password
  • 9. Importance of revocation (timeline captions: "This is shiny!!!!!", "I should use that more", "WTF is this thing?")
  • 10. 3) Cloud APIs
    • Within move towards SaaS – trend towards API access to data/services to supplement/replace browser access
    • Salesforce.com expects that within the next year only 1/3 of access will be via browser
    • APIs of PaaS offerings allow the customer to expose its own cloud services
    • Clear trend for these APIs is towards REST
  • 12. 4) Native mobile apps
  • 13. Drivers (diagram: password anti-pattern, lack of standards, cloud APIs and native mobile applications all pointing to OAuth)
  • 14. OAuth 2.0
    • Defines authorization & authentication framework for RESTful APIs
    • Approaching final standardization in IETF
    • Applied to delegated authorization – mitigates password anti-pattern – archetypical use case
    • Also applicable to many other scenarios – even those with no users
    • Notable for its optimizations for mobile
  • 16. Mobile app IdM architecture
  • 17. Native vs web apps
    • Not going to try to predict winner – expect both
    • Authentication & authorization should be consistent across both models, so that
      – Users are not confused, e.g. use different credentials and/or authentication ceremony for the two models, even if accessing the same application
      – Service Providers aren't forced to implement duplicate & incompatible security frameworks for the two models
  • 18. Federation
    • Federation abstracts away from applications specifics of authentication & authorization – outsourced to specialized providers
    • Complexity hidden by token issuance & validation
    • Federation standards define
      – Token formats
      – How clients obtain tokens
      – How clients present tokens to application providers
  • 19. Tokens
    • Federated authentication for both web and native mobile applications is based on exchange and delivery of tokens to the application
    • Tokens carry (or point to) security information (like attributes or authorizations) for user trying to access the application.
    • Clients typically exchange credentials for tokens – easier/safer to share the token across the network rather than the original credentials
    • When token is subsequently presented to an application provider, they serve to authenticate and/or authorize the request
  • 20. Federation takes different forms (diagram)
    • For web apps, tokens carry attributes for authentication (browser → app)
    • For native apps, tokens carry authorization for attributes (app → data)
  • 21. Tokens for mobile web applications
    • Federation for web applications manifests as SSO from some IdP to the application provider
    • SSO especially relevant for mobile
    • Tokens attesting to the user's identity and/or authentication status delivered through (as redirects) the browser from IdP to the application provider
    • Application provider validates token and extracts identity attributes from within in order to create local session
  • 22. Tokens for web applications (diagram: identity provider, service provider, device with browser; token formats SAML or OpenID)
    1. User trades credentials for a token from IdP
    2. Token delivered through the browser to SP
    3. SP validates token, and delivers application HTML to browser
  • 23. Best practices
    • Standards
      – OpenID 2.0 for consumer scenarios
      – SAML 2.0 for enterprise & cloud
      – WS-Federation for homogeneous MSFT
    • IdP Discovery
      – In consumer space, consider Nascar with email-based supplement
      – In cloud space, consider email-based
    • Both IdP (portal) and SP (deep-linking) initiated are relevant
    • Mobile browser constraints may recommend artifact model in SAML
  • 24. Tokens for native applications
    • Native applications authenticate to REST APIs by presenting a token on the call
    • The precursor act of the native application obtaining a token is often called 'authorization' (particularly in those cases when the API fronts user info, e.g. profile, tweets, etc)
    • User authorizes (or consents) to the native application having access to the API (and their data) – the authorization is manifested as the issuance of a token to the native app
    • OAuth 2.0 dominant protocol by which a native app obtains the desired authorizations and the corresponding token (and then uses against API)
  • 25. Mobile authn options (diagram)
    • Inline: pwd shared with 3rd party
    • Embedded browser: app owns UI; no need to leave app
    • External browser: custom scheme; enables SSO; enables strong authn; AS owns UI; visual trust cues; can leverage stored pwds
  • 26. Tokens for native applications (diagram: service provider, device with browser and native application, OAuth)
    1. User trades credentials for a token
    2. Token delivered through the browser to native application
    3. Native application presents token on API calls
    4. Application returns application data as JSON
  • 27. Best practices
    • Use the browser to authenticate the user to the AS, don't collect user passwords within native application itself
    • A separate browser window preferred to embedded – gives user the visual trust cues trained to look for
    • OAuth authorization code grant type is relevant – allows a refresh token to be delivered to the native application (obviates need to continually reauthorize)
    • Use browser for IdP discovery if doing SSO (rather than within native application itself)
    • Native application should register custom scheme on install, to enable subsequent passing of token from browser back to native application
  • 28. Walk through
    • Walk through scenario of an employee using a native app on their phone/tablet to interact with a SaaS provider
    • SAML provides
      – Authentication of employee to SaaS provider
    • OAuth provides
      – authorization of native app to access SaaS APIs
      – Issuance of tokens from SaaS to native app
  • 29. Walk through (sequence diagram: OAuth, SAML, OAuth)
  • 32. Load authz page
    GET /as/authorization.oauth2?client_id=mobileapp&state=abc123&redirect_uri=mobileapp://redirect_here&response_type=code HTTP/1.1
    Note
    – No client pwd
    – custom scheme on redirect URL
    – response type of 'code'
  • 38. SSO Request
    <form method="post" action="https://idp.example.org/SAML2/SSO/POST">
      <input type="hidden" name="SAMLRequest" value="request" />
      <input type="submit" value="Submit" />
    </form>

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0"
        IssueInstant="2004-12-05T09:21:59Z">
      <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
      <samlp:NameIDPolicy AllowCreate="true"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
    </samlp:AuthnRequest>
  • 44. SSO Response
    <saml:Assertion>
      <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
      </saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="email">
          <saml:AttributeValue xsi:type="xs:string">pmadsen@pingidentity.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  • 47. Response with code
    HTTP/1.1 302 Found
    Location: mobileapp://redirect_here?state=abc123&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g
    Content-Length: 0
  • 48. Trade code for token
  • 49. Trade code for token
  • 50. Trade code for token
    GET /as/token.oauth2?client_id=a&redirect_uri=mobileapp://redirecthere&grant_type=authorization_code&code=wizJmaSTPAf0wqSeB3vmDx2mNSZK6g HTTP/1.1
    Host: as.com
    Accept: */*

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8

    {"token_type":"Bearer","expires_in":"60","refresh_token":"oQWqwMUIL2ndeMHsWEyFO0GyalvKSvc2QI4YuG82RMGkM","access_token":"lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF"}
  • 53. Client calls API
    https://graph.facebook.com/paul.e.madsen/friends/?access_token=lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF
  • 56. Verify token
    GET /as/token.oauth2?client_id=b&client_secret=pwd&grant_type=urn:ping:validate&token=lSBbci4Jg8MsjiSqZLBrzEXgd4mKUNhOkyF HTTP/1.1
    Host: as.com
    Accept: */*

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8

    Not OAuth defined
  • 59. Return data
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8
  • 63. Refresh token
    GET /as/token.oauth2?client_id=a&grant_type=refresh_token&refresh_token=oQWqwMUIL2ndeMHsWEyFO0GyalvKSvc2QI4YuG82RMGkM HTTP/1.1
    Host: localhost:9031
    Accept: */*

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=UTF-8

    {"token_type":"Bearer","expires_in":"60","refresh_token":"JZ7Qa4yH5C8E3CikvcZZsd4ZLUgVyYnieXqybAFjObQpz","access_token":"49BPI5LuNM310o7hbB9m9cIzImT5M8gcRjE"}
  • 64. Thanks. Paul Madsen, @paulmadsen
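The walk-through on slides 32 to 63 (authorization request over a custom-scheme redirect, code response, code-for-token exchange, token validation by the API, refresh) and the native-app best practices on slide 27, as an added example that is not part of the deck or of PingFederate: an in-memory authorization server and a public native client. Assumptions: the host as.example is a placeholder, client_id and redirect URI are taken from the slides, and the token endpoint is modelled as a POST form body as RFC 6749 requires, whereas the slides show it as GET.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values matching the slide walk-through (not PingFederate's code).
CLIENT_ID = "mobileapp"                     # public client: no client password
REDIRECT_URI = "mobileapp://redirect_here"  # custom scheme the app registers
TOKEN_TTL = 60                              # seconds, as the slides' expires_in

class AuthorizationServer:
    """In-memory AS: one-time codes, token issuance, refresh rotation, validation."""
    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri)
        self.access = {}   # access_token -> expiry (epoch seconds)
        self.refresh = {}  # refresh_token -> client_id

    def authorize(self, url):
        """Runs after SAML SSO and consent; returns the 302 Location with the code."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID:
            raise ValueError("invalid_request")
        # Exact match with the registered URI: another app claiming the same
        # custom scheme must not be able to receive the code.
        if q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("invalid_request: redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (CLIENT_ID, REDIRECT_URI)
        return REDIRECT_URI + "?" + urlencode({"state": q.get("state", ""), "code": code})

    def token(self, form, now=None):
        """Token endpoint; takes a POST form body, as RFC 6749 requires."""
        now = time.time() if now is None else now
        grant = form.get("grant_type")
        if grant == "authorization_code":
            # pop(): a code is single use, whether or not the exchange succeeds
            rec = self.codes.pop(form.get("code", ""), None)
            if rec != (form.get("client_id"), form.get("redirect_uri")):
                raise ValueError("invalid_grant")
        elif grant == "refresh_token":
            # pop(): the presented refresh token is retired; a new one is issued below
            owner = self.refresh.pop(form.get("refresh_token", ""), None)
            if owner is None or owner != form.get("client_id"):
                raise ValueError("invalid_grant")
        else:
            raise ValueError("unsupported_grant_type")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = now + TOKEN_TTL
        self.refresh[refresh] = form["client_id"]
        return {"token_type": "Bearer", "expires_in": TOKEN_TTL,
                "access_token": access, "refresh_token": refresh}

    def validate(self, access_token, now=None):
        """Resource server's token check (slide 56: not defined by OAuth itself)."""
        exp = self.access.get(access_token)
        return exp is not None and (time.time() if now is None else now) < exp

class NativeApp:
    """Public native client: external browser for login, custom-scheme return."""
    def __init__(self, authz_server):
        self.as_, self.state, self.tokens = authz_server, None, None

    def authorization_url(self):
        self.state = secrets.token_urlsafe(16)     # unguessable, fresh per attempt
        return "https://as.example/as/authorization.oauth2?" + urlencode({
            "client_id": CLIENT_ID, "state": self.state,
            "redirect_uri": REDIRECT_URI, "response_type": "code"})

    def handle_redirect(self, location):
        """The OS hands the mobileapp:// URL to the app: check state, trade the code."""
        if not location.startswith(REDIRECT_URI + "?"):
            raise ValueError("unexpected redirect target")
        q = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
        if self.state is None or not secrets.compare_digest(q.get("state", ""), self.state):
            raise ValueError("state mismatch: response not bound to our request")
        self.state = None                          # accept one response per request
        self.tokens = self.as_.token({"grant_type": "authorization_code",
                                      "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                                      "code": q.get("code", "")})
        return self.tokens

    def bearer_header(self, now=None):
        """Authorization header for an API call, refreshing silently once expired."""
        if not self.as_.validate(self.tokens["access_token"], now):
            self.tokens = self.as_.token({"grant_type": "refresh_token", "client_id": CLIENT_ID,
                                          "refresh_token": self.tokens["refresh_token"]}, now)
        return "Authorization: Bearer " + self.tokens["access_token"]
```

The state check, the exact redirect URI match and single-use codes are what stop a second app that registered the same custom scheme, or an injected redirect, from turning the code into a token.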