Building on the Ashes of Past Standards
Securing API Data Models
Jonathan LeBlanc
Head of Developer Evangelism (North America)
Github: http://github.com/jcleblanc
Slides: http://slideshare.net/jcleblanc
Twitter: @jcleblanc
The Ultimate Decision: Security vs. Usability
The Insecure, Unmanageable Start
Very Secure, Long to Implement
Two Currently Widely Used Specs
Fetching a Code
Prepare the Redirect URI
Authorization Endpoint parameters: client_id, response_type (code), scope, redirect_uri, nonce, state
Browser Redirect to the Redirect URI
Fetching the Access Token
Access Token Endpoint parameters: client_id, code (query string), client_secret, grant_type
HTTP POST to the Access Token Endpoint
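The two steps above, fetching a code at the authorization endpoint and then exchanging it by HTTP POST at the access token endpoint, as a worked client-side example. This is added here and is not code from the deck or from the linked sample repositories; the hostnames, paths, client identifiers and the code value are constructed placeholders, and a real provider publishes its own endpoints. The security point the slides list as parameters is made concrete: `state` is generated per session and checked in constant time when the browser comes back, so a redirect the client did not initiate is rejected, and the `client_secret` only ever travels in the POST body of the server-to-server token request.

```python
import hmac
import secrets
import urllib.parse

# Constructed placeholder endpoints (assumption): substitute the provider's documented URLs.
AUTHORIZATION_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"


def new_state_and_nonce():
    """Fresh, unguessable per-request values. state binds the redirect to this
    browser session; nonce is echoed back inside an OpenID Connect ID token."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state, nonce):
    """Step 1: the URL the browser is redirected to at the authorization endpoint."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url, expected_state, expected_redirect_uri):
    """Step 2: the browser returns to the redirect URI with code and state in the
    query string. Returns the code only if the state matches the one we issued."""
    parsed = urllib.parse.urlsplit(redirect_url)
    landed_on = urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, parsed.path, "", ""))
    if landed_on != expected_redirect_uri:
        raise ValueError("redirect landed on an unexpected URI")
    query = urllib.parse.parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means this response was not initiated by us.
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: HTTP POST to the access token endpoint, performed server-side.
    Returns (url, headers, body) for whichever HTTP client you use."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    # Constructed sample flow: values below are placeholders, not real credentials.
    client_id, client_secret = "client-abc", "s3cr3t-placeholder"
    redirect_uri = "https://app.example.com/callback"
    state, nonce = new_state_and_nonce()
    print("1. redirect browser to:", build_authorization_url(
        client_id, redirect_uri, ["openid", "profile"], state, nonce))
    # Simulated return from the authorization server (constructed).
    returned = redirect_uri + "?" + urllib.parse.urlencode({"code": "CODE-123", "state": state})
    code = parse_redirect(returned, state, redirect_uri)
    print("2. received code:", code)
    url, headers, body = build_token_request(client_id, client_secret, code, redirect_uri)
    print("3. POST", url, headers, body)
```

The access token returned by the POST is then sent with API requests; the code value is single-use, and the token exchange belongs on the server so the client secret never reaches the browser.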
A few implementation differences
Endpoints
Scopes (dynamic / static)
Using the Access Token in a request
How it's Normally Used: access user details, push data through user social streams
But why? The access token as a control structure to improve existing products
Our showcase: Seamless Checkout
A Few Code Links
OAuth2 & OpenID Connect Samples
https://github.com/jcleblanc/oauth
https://github.com/paypal/paypal-access
Log in with PayPal
http://bit.ly/loginwithpaypal
http://bit.ly/securing_apis
Thank You! Questions?
Editor's Notes

  1. This is where REST and OAuth 2 come in