CIS 2017 - So you want to use standards to secure your APIs?
1. So you want to use standards to secure your APIs?
Do you? Really?
Bertrand CARLIER
bertrand.carlier@wavestone.com
@bertrandcarlier
2. confidentiel | © WAVESTONE | Cloud Identity Summit | Chicago 2017
Tier one clients, leaders in their industry
2,500 professionals across 4 continents
Among the leading independent consultancies in Europe, n°1 in France
Paris | London | New York | Hong Kong | Singapore* | Dubai*
Brussels | Luxembourg | Geneva | Casablanca
Lyon | Marseille | Nantes
In a world where permanent evolution is key to success, we enlighten and partner our clients in making their most critical business decisions
3. Win the digital race with digital trust
Wavestone Cybersecurity & Digital Trust
PROVEN EXPERTISE
/ Digital Risk Strategy & Compliance
/ Safe Business Transformation
/ Security Design & Program Management
/ Identity, Fraud & Trust Services
/ Penetration Testing & Incident Response
/ Business Continuity & Resilience
/ Industrial Control Systems
ACTIONABLE INSIGHTS
/ Industry-specific risk mapping
/ AMT Master plan methodology
/ Startups & Innovation Radars
/ ICS-Attacks demonstrator
/ CERT-W & Bug Bounty
Digital trust is a key business enabler that will put you ahead to win the digital transformation race
500+ Consultants & Experts in Paris, London, New York & Hong Kong
1,000+ Engagements per year in 20+ countries
Our clients: Board, Business, CDO, CIO, CISO, BCM
4. Obligatory XKCD
5. What I do 1/2
[Diagram: the three circles of people I work with]
/ People who make standards: the “industry”, research scientists, vendors I like
/ People who (try to) understand standards and build things: me, you?, fellow colleagues & competitors
/ People who use standards but don’t really care: user companies (my clients), other vendors, my mom
6. What I do 2/2
/ Gather requirements
/ Benchmark market
/ Design target solutions
/ Deliver solutions
8. Implicit and Client Credentials
YOU’VE GOT MAIL
[Diagram: a flight comparator website (the client) calling several airline APIs (resource servers) with an access token issued by the authorization server; comparator results shown: Economy, Direct, Two stops, Business class, Boat; “You’ve been accepted!”]
9. Authorization code
ARE YOU AUTHORIZED?
[Diagram: airline website (client), airline API (resource server), authorization server, resource owner; access token]
10. Proof Key for Code Exchange
PIXIES
[Diagram: airline website (client), authorization server, resource server, resource owner; access token; PKCE (RFC 7636) added to the authorization code flow]
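The slide only names PKCE; the following is an added illustration (not from the deck, and not Wavestone code) of what RFC 7636 actually adds to the authorization code flow: the client derives a one-way S256 challenge from a random verifier, the authorization server stores the challenge with the issued code, and at token exchange it only accepts the verifier that matches. The `AuthorizationServer` class is a constructed stand-in, not a real product.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, inside the RFC's 43..128 length window
    return _b64url(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in: binds each issued code to the challenge sent with the request."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # 'plain' would let anyone who sees the challenge replay it, so only S256 is accepted here
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single-use
        if challenge is None or not (43 <= len(code_verifier) <= 128):
            return False
        # constant-time compare: a stolen code without the verifier is useless
        return hmac.compare_digest(s256_challenge(code_verifier), challenge)
```

The `token` check is where an intercepted authorization code stops being worth anything: whoever presents it must also know a verifier that never left the legitimate client.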
11. Refresh token
(RE)FRESH
[Diagram: airline website (client), authorization server, resource server, resource owner; access token, refresh token; PKCE (RFC 7636)]
12. OAuth2.0: it’s quite simple
Who’s up for a 130-page RFC read?
And if you want security, feel free to read the 71 pages of « OAuth2 Threat Model and Security Considerations »
[Diagram: client, authorization server, resource server, resource owner; access token, refresh token; Proof Key for Code Exchange]
14. OAuth2.0: Real Life requirements
/ Adaptive authentication: application initiated (acr request) or Authorization Server mandated (adaptive authentication)
/ APIs federation
/ REST friendly
/ Scalable
/ Modern Web Single Sign-On: beyond the enterprise perimeter, browser and mobile friendly
15. OpenID Connect
FRENCH CONNECTION
[Diagram: town’s website (client), tax department API (resource server), France Connect hub as authorization server, resource owner; access token, refresh token, ID token; PKCE (RFC 7636)]
16. Authentication Context Reference (acr)
SMS, I KNOW…
[Diagram: client, bank authorization server, bank API (resource server), resource owner, OpenID Connect provider; access token, refresh token, ID token; PKCE (RFC 7636)]
17. JWT Bearer profile
ONE RING TOKEN TO RULE THEM ALL
[Diagram: bank website (client) offering a bank & insurance discount on white label insurance; (1) bank authorization server and OpenID Connect provider issue access token, refresh token and ID token; (2) the insurance’s authorization server and insurance’s API (resource server); resource owner; PKCE (RFC 7636)]
18. OAuth2.0 for Native Applications
SSO ON THE GO
[Diagram: apps on a mobile phone (clients) using OAuth 2 for native apps, bank’s authorization server, OpenID Connect provider, resource server, resource owner; access token, refresh token, ID token; PKCE (RFC 7636)]
20. OAuth: Today’s challenges
/ Pair with devices
/ Protect from token hijacking
/ Share and Consent
/ Transmit Identity
These are the current use cases that we need to solve now with only draft standards!
21. OAuth2 Device Flow
2 MINUTES TWICE A DAY
[Diagram, steps 1 to 4: connected toothbrush, toothbrush’s app on a mobile phone (OAuth 2 for native apps), toothbrush’s cloud services (resource server), authorization server, OpenID Connect provider, resource owner; access token, refresh token, ID token; PKCE (RFC 7636)]
22. Token Binding
LATER AGGREGATOR
The “Personal Finance Manager” use case
[Diagram: multi-account aggregator (client) calling several bank APIs (resource servers), authorization server, OpenID Connect provider, resource owner; access token, refresh token, ID token; PKCE (RFC 7636); Token Binding & Mutual TLS profiles]
23. User Managed Access
RUN BABY RUN
[Diagram: me (resource owner) with my personal health records (resource server) and my authorization server; doctor and receptionist as requesting parties using some medical software (client); OpenID Connect provider; access token, refresh token, ID token; PKCE (RFC 7636); Token Binding & Mutual TLS profiles]
24. Token Exchange
WALL STREET
[Diagram: customer support (client) calling the customer API and microservices behind it (resource servers) with Token Exchange; authorization server, OpenID Connect provider, resource owner, requesting party; access token, refresh token, ID token; PKCE (RFC 7636); Token Binding]
25. Not to mention
/ Dynamic Client Registration & Management
/ OIDC/OAuth Discovery
/ Signed request
/ Mobile Connect
/ OIDC Session Management
/ Token revocation
/ …
The big picture
AT LAST
[Diagram, all of the above: client, authorization server, resource server, resource owner, requesting party, OpenID Connect provider; access token, refresh token, ID token; PKCE (RFC 7636); OAuth 2 for native apps; Token Binding; Token Exchange]
26. “Just saying #OAuth does not do the job”
ONE LAST WORD
/ OAuth is a very rich ecosystem
/ Choose the right specifications
/ Integrate them carefully within a well-designed architecture
/ Don’t end up with a flawed API security or a false sense of security
28. Offices: Paris | London | New York | Hong Kong | Singapore* | Dubai* | Brussels | Luxembourg | Geneva | Casablanca | Lyon | Marseille | Nantes
* Strategic partners
Paris | London | New York | Hong Kong | Singapore* | Dubai* | Sao Paulo* | Luxembourg | Madrid* | Milan* | Brussels | Geneva | Casablanca | Istanbul* | Lyon | Marseille | Nantes
* Partnerships