Copyright ©2012 Ping Identity Corporation. All rights reserved.
Who’s Knocking?
Identity for APIs, Web and Mobile
Hans Zandbelt - @hanszandbelt
CTO Office - Ping Identity
Overview
1. Cloud & APIs: The Trends
- History, state-of-the-art, trends
2. Identity and APIs
- What, why, how
3. OAuth 2.0
- Not for Authentication!
4. Recommendations
- API strategy
CLOUD & APIS: THE TRENDS
Cloud/Mobile Moves: 3 Dimensions of Change
• Users
– Workforce
– Customers/consumers
– Partners
– Social
• Devices
– Mobile/fixed
– Browser/app
– BYOD/E-owned
• Location
– Services
– Users
Consequences
Traditional firewall and enterprise domain-based security cannot deal with Cloud Apps and Mobile devices and applications.
IDENTITY IS THE NEW PERIMETER
How it could/should be: Cloud 2.0 (web or mobile)
[diagram labels: firewall, APP, database, directory, SaaS]
The API Economy Drivers
• SaaS
– API access to data/services vs. browser access
– Cloud, Mobile/Big Data, BYOD
– Salesforce.com > 60%
• APIs of PaaS offerings
– Expose own cloud services
• Clear trend for APIs towards REST
IDENTITY & APIS
The Internet Scale Identity Concept
• Identity Provider
– Authoritative
– Scale
– Manageability
• UNIFORM across Web SSO & API Access
• Security AND Convenience
• How to extend enterprise security policies to the cloud: a MUST have
Web SSO and API Access Playfield
[diagram labels: User Provisioning, Web SSO, API Access]
API Access
• HTTP
• SOAP
– WS-Security/WS-Trust
• REST
– ?
• TOKEN
– Obtain
– Use
– Validate
• Passwords??
[diagram labels: CLIENT, Token, SOAP / REST, SERVICE]
Password anti-pattern
• 3rd-party clients store user passwords
• Teaches users to be indiscriminate with passwords
• No multi-factor or federated authentication
• No granularity
• No differentiation
• No revocation
Drivers
• Lack of standards
• Password anti-pattern
• Native mobile apps
• REST cloud APIs
OAUTH 2.0
OAuth 2.0
• Secure API authorization
– simple & standard
– desktop, mobile web
• Auth & Authz for RESTful APIs
• Delegated authorization
– mitigates password anti-pattern
• Issue tokens for granular access
– Without divulging your credentials
OAuth 2.0 Terminology: Roles
• Authorization Server (AS)
A server capable of issuing tokens, obtaining authorization, and authenticating resource owners.
• Resource Owner
An entity (usually an end-user/person) capable of granting access to a protected resource.
• Client
An application(!) obtaining authorization and making protected resource requests (on behalf of the resource owner).
• Resource Server (RS)
The server hosting protected resources.
Protocol Workflow
A. Client sends Authorization Request
"GET /as/authorization.oauth2?client_id=TunesPartner-OT&state=TunesPartner-OT&response_type=code&scope=onetime-a HTTP/1.1" 302 0
B. Service Provider grants Authorization
https://www.tunespartner.com:9031/Partner/callback.jsp?state=TunesPartner-OT&code=IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7
C. Client requests Access Token
POST https://idp.idtel.com:9031/as/token.oauth2
---PARAMETERS---
client_id=TunesPartner-OT&grant_type=authorization_code&code=IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7
D. Service Provider grants Access Token
This resulted in the following JSON response containing our OAuth access_token:
{"token_type":"Bearer",
"expires_in":300,
"access_token":"ivBOdwGpGb3pY3gvPaK6D8W5Ldey"
}
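The four steps above as an added Python example (not the deck's or Ping Identity's code): it builds the step A request, accepts the step B callback only when its state matches what this session sent, encodes the step C body and parses the step D response. Endpoints, client_id and scope are taken from the slide; the redirect_uri parameter is omitted as on the slide.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints, client_id and scope are the ones shown on the workflow slide.
AUTHZ_ENDPOINT = "https://idp.idtel.com:9031/as/authorization.oauth2"
TOKEN_ENDPOINT = "https://idp.idtel.com:9031/as/token.oauth2"
CLIENT_ID = "TunesPartner-OT"
SCOPE = "onetime-a"

def build_authorization_request(state: str) -> str:
    """Step A: URL the client redirects the user agent to. The slide reuses the
    client_id as state; a per-session random value is what makes step B's check work."""
    params = {"client_id": CLIENT_ID, "state": state,
              "response_type": "code", "scope": SCOPE}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step B: pull the authorization code out of the redirect back to the client,
    accepting it only if state matches what this session sent (otherwise the code
    may belong to a request this client never started)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    return qs["code"][0]

def build_token_request(code: str) -> str:
    """Step C: form-encoded body of the POST to the token endpoint (slide parameters)."""
    return urlencode({"client_id": CLIENT_ID, "grant_type": "authorization_code",
                      "code": code})

def parse_token_response(body: str) -> tuple[str, int]:
    """Step D: accept only a Bearer token that still has a lifetime left."""
    resp = json.loads(body)
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unsupported token_type {resp.get('token_type')!r}")
    expires_in = int(resp["expires_in"])
    if expires_in <= 0:
        raise ValueError("token already expired")
    return resp["access_token"], expires_in

def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """True when handle_callback would accept the redirect."""
    try:
        handle_callback(callback_url, expected_state)
        return True
    except ValueError:
        return False
```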
OAuth 2.0 Benefits
• Security & Usability
– Bearer Tokens
• Revocation
• Granularity
– Scopes
• Use Cases*
• Passwords vs. OAuth === credit card vs. checks
OAuth 2.0 is Not for Authentication!!
• Bearer token is about delegated rights, not about the user authn
• Bearer token has no audience restriction
– can't check if it was really meant for you
– Not bound to the client
• No guarantee that the user is present
– no "authn statement" semantics
• Redirect is not authenticated or integrity protected in any way
– bearer = bearer and nothing more
[diagram labels: user agent, client, RS + AS; get a token, redirect, validate, user info]
OpenID Connect
• OAuth: general mechanism to authorize API access
• OpenID Connect: profile for sharing profile information
• Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
[diagram labels: Client (RP), User Agent, AS/OP, Resource Server, UserInfo]
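The "not for authentication" slide lists what a bare bearer token lacks (audience, user presence, integrity) and the OpenID Connect slide says the profile adds identity parameters to the core OAuth messages. As an added Python example, not from the deck or Ping Identity, this shows the relying-party checks on an OpenID Connect-style signed identity token that close those gaps, and that the deck's opaque access token cannot be checked at all. The HS256 shared secret, claim values and nonce binding are constructed for the demo; the client_id and issuer are reused from the workflow slide.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the (hypothetical) OP and this client; a real OP
# signs with an asymmetric key the client fetches from the OP's published key set.
SECRET = b"constructed-demo-secret"
OUR_CLIENT_ID = "TunesPartner-OT"        # client_id from the deck's workflow slide
ISSUER = "https://idp.idtel.com:9031"    # AS/OP host from the deck's workflow slide

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict) -> str:
    """OP side: an HS256-signed JWT carrying identity claims (constructed demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authenticate_with_id_token(token: str, expected_nonce: str, now=None) -> str:
    """Client (RP) side. Each check covers one gap the slide lists for bare bearer
    tokens: integrity, issuer, audience (meant for *this* client), freshness and
    nonce (the token belongs to the login this client started). Returns the subject."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")   # an opaque access token fails right here
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == OUR_CLIENT_ID or (isinstance(aud, list) and OUR_CLIENT_ID in aud)):
        raise ValueError("audience mismatch: token was not issued to this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims["sub"]

def rejection_reason(token: str, expected_nonce: str, now=None):
    """None when the token authenticates the user, else why it was rejected."""
    try:
        authenticate_with_id_token(token, expected_nonce, now)
        return None
    except ValueError as e:
        return str(e)
```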
SSO for Mobile Apps: Authorization Agent (AZA)
• Aggregate OAuth flows and logins
• Bootstrap through WebSSO with OpenID Connect or SAML
• OAuth-as-a-Service + SAML-as-a-Service
RECOMMENDATIONS
Something to think about: Cloud IAM strategy
• Multi-use case, multi-device, multi-channel, multi-protocol…
– Identity is the connector
• Interoperability and standards
• IAM not just an internal technical issue: also a strategic business enabler
• Architect for agility
Identity for APIs strategy
• Implement your API for:
– externalized authentication and authorization
– tokens instead of passwords
– consumer identity AND enterprise identity
• By leveraging identity we can:
– address API access (server2server, mobile) in the same way as Web SSO
– reuse existing security and identity policies
– connect your existing identity store
• Possibly implement this in a single system(!)
– And be prepared for OAuth 2.0, OpenID Connect, SCIM, SAML, …
COME AND SEE US!
Hans Zandbelt
Twitter: @hanszandbelt
www.pingidentity.com