This slide deck explores how Identity APIs have evolved over the time to cater the consumer and enterprise requirements, and real-world scenarios where tough identity challenges have been successfully tackled by using them. Learn more: https://wso2.com/library/conference/2018/08/wso2con-asia-2018-identity-apis-is-the-new-black/

1. Identity APIs is the New Black
Technical Lead, WSO2
Ishara Karunarathna

2. Story of Kermit Corporation
LDAP
HR Application Payroll Application License Application
AD RDB
Kermit Corp
John John
Li
JohnL

3. ● Same physical user digitally represented in different siloes
with different credentials
● No single sign-on across silos
● Higher probability of identity mismanagement
● Identity integrations across department/enterprise borders
are difficult or impossible
IAM Challenges in Kermit Corp

4. Story of Kermit Corporation
Dave

5. Siloed IAM - Centralized but Proprietary
Payroll
Application
Identity
Provider
HR
Application
License
Application
Kermit Corp FinOrg
CRM
Application
Kermit
Proprietary
Kermit
Proprietary
Kermit
Proprietary

6. Centralized IAM - Standard APIs
Payroll
Application
Identity
Provider
HR
Application
License
Application
Kermit Corp FinOrg
CRM
Application
SAML SSO /
SCIM / OAuth
OpenID Connect
/ SCIM
WS-Fed / SCIM
OpenID Connect
/ SCIM

7. Dave is Not Happy
Yet!

8. Customer (is the king!) IAM
● Social login and BYOI
● Seamless experience across devices (Omnichannel)
● Privacy
○ Consent management
○ Ownership of user information
● Party-to-party delegation

9. Self Care
Portal
Identity
Provider
Retail
Application
Cloud
OIDC
OpenID Connect /
SCIM / Consent
Receipt
Customer
CRM
SCIM
Kermit Corp
CIAM at a Glance

10. Business Success
Seamless Experience
Customer Satisfaction
Identity Integrations
Identity APIs

11. Dave is Happy !!

12. Next Big Challenge -> Identity of Things
● Dynamic device registration
● Device to device authentication
● Delegation of device access

13. Modern Identity APIs

14. User Provisioning with SCIM
Self Care
Portal
Identity
Provider
Foo Org Zee Org
Identity
Provider
Bar Org
Identity
Provider
SCIM
SCIM SCIM
Inbound Outbound
Inbound

15. SCIM 2.0 Payloads
User Creation
Group Creation
curl --user admin:admin --data
'{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"
userName":"kim","password":"kimwso2","emails":[{"primary":true,"va
lue":"kim.jackson@gmail.com","type":"home"},{"value":"kim_j@wso2.c
om","type":"work"}]}' --header "Content-Type:application/json"
https://localhost:9443/scim2/Users
curl --user admin:admin --data '{"displayName":"manager"}'
--header "Content-Type:application/json"
https://localhost:9443/scim2/Groups

16. Delegated Authorization with OAuth 2.0
Authorization Code Grant
Suitable for web applications
SAML Bearer Grant
Suitable for apps already using SAML SSO for authentication
JWT Grant
Suitable for apps already using a JWT mechanism for authentication
Client Credentials Grant
Suitable to retrieve data not specific to end users - e.g. Weather/Stocks -
and for machine-to-machine communications

17. Application (OAuth
Client)
OAuth
Authorization
Server
2
3
4
1
5
6
7
8
Authz Code Grant Flow
OAuth
Resource
Server
Introspect
Authenticate +
Consent
302
Access
Token Rq
Access Token
Access Token
Access Token
Resource Request
Prerequisite
Client application
registered with the
Authz Server manually
or via Dynamic Client
Registration
Resource
Owner
Authz Code

18. Authentication with OIDC
● OpenID Connect was created on top of OAuth 2.0 to provide
an identity layer
● Introduces a new scope named “openid”
● Introduces a new token named ID Token, containing user
claims
● Introduces a new endpoint named ‘userinfo’, to fetch
additional user claims

19. OIDC Flow
Application (OAuth
Client)
OAuth Authorization
Server
Resource
Owner
2
3
4
1
5
6
9
OAuth
Resource
Server
Introspect
Authz Code
302
Access
Token Rq
Access Token
ID Token
User Info Request
7
Access Token
Access Token
8
Access Token
Resource Request
scope=openid
Authenticate +
Consent

20. Party-to-party Delegation with UMA 2.0
● Developed on top of OAuth 2.0
● Introduces an entity named ‘Requesting Party’, and two
access tokens named ‘Protection API token’ (PAT) and
‘Requesting Party Token’ (RPT)
● Lots of use cases in CIAM and IoT:
○ E.g. A patient granting access to Doctor and Insurer to their health
records
○ E.g. Homeowner granting rotate access of the CCTV camera to the
housemaid

21. UMA 2.0 in Action
OAuth
Resource
Server
Application (OAuth
Client)
Resource
Owner
Requesting
Party
Protection API
Authorization API
OAuth Authorization
Server
Register
Resource
Access
Protected
Resource
Request
Authorization
Authorize to
register
resources
Define policies
Introspection API
Validate RPT
Result: RPT
Result: PAT

22. Fine-grained Authorization with XACML
● Standard for attribute based access control
● Decouples authorization logic from the application code by
introducing XML based policies
● Consists of 4 key components:
○ Policy Administration Point
○ Policy Decision Point
○ Policy Information Point
○ Policy Enforcement Point

23. Policy
Store
Policy Administration
Point
Policy Decision Point
Identity Provider
HR Application
Policy Enforcement
Point
End-user
Policy Information Point
XACML in Action
Entitlement
Administrator
CRUD Policies
Do operation
XACML Request

24. Open Policy Agent (OPA)
Enforcement API : Service requests
decisions
Management API : Management
pushes updates
Service
OPA
Query Decision
Data
Policy

25. User Consent Management
Change Consent Self Care Portal
Consent Mgt API
Identity Provider
ConsentStorages
End-user

26. User Data Exposure
Export PII Self Care Portal
PII Exposure API
Identity Provider
PIIStorages
End-user
Claims
Security questions
Consent receipts

27. THANK YOU
wso2.com