Copyright ©2012 Ping Identity Corporation. All rights reserved.
Who’s Knocking?
Identity for APIs, Web and Mobile
Hans Zandbelt - @hanszandbelt
CTO Office - Ping Identity
Overview
1. Cloud & APIs: The Trends
   - History, state-of-the-art, trends
2. Identity and APIs
   - What, why, how
3. OAuth 2.0
   - Not for Authentication!
4. Recommendations
   - API strategy
CLOUD & APIS: THE TRENDS
Cloud/Mobile Moves: 3 Dimensions of Change
• Users
  – Workforce
  – Customers/consumers
  – Partners
  – Social
• Devices
  – Mobile/fixed
  – Browser/app
  – BYOD/E-owned
• Location
  – Services
  – Users
[diagram: three axes labelled Users, Location(s), Devices]
Consequences
Traditional firewall and enterprise domain-based security cannot deal with Cloud Apps and Mobile devices and applications.
IDENTITY IS THE NEW PERIMETER
[diagram: the enterprise firewall]
How it could/should be: Cloud 2.0 (web or mobile)
[diagram: a firewall with two apps, a database and a directory inside it, and three SaaS services and a database outside it]
The API Economy Drivers
• SaaS
  – API access to data/services vs. browser access
  – Cloud, Mobile/Big Data, BYOD
  – Salesforce.com > 60%
• APIs of PaaS offerings
  – Expose own cloud services
• Clear trend for APIs towards REST
IDENTITY & APIS
The Internet Scale Identity Concept
• Identity Provider
  – Authoritative
  – Scale
  – Manageability
• UNIFORM across Web SSO & API Access
• Security AND Convenience
• How to extend enterprise security policies to the cloud: a MUST have
[diagram, with label "verify"]
Web SSO and API Access Playfield
[diagram: User Provisioning, Web SSO, API Access]
API Access
• HTTP
• SOAP
  – WS-Security/WS-Trust
• REST
  – ?
• TOKEN
  – Obtain
  – Use
  – Validate
• Passwords??
[diagram: CLIENT presents a Token to the SERVICE over SOAP / REST]
Password anti-pattern
• 3rd-party clients store user passwords
• Teaches users to be indiscriminate with passwords
• No multi-factor or federated authentication
• No granularity
• No differentiation
• No revocation
Drivers
• Lack of standards
• Password anti-pattern
• Native mobile apps
• REST cloud APIs
OAUTH 2.0
OAuth 2.0
• Secure API authorization
  – simple & standard
  – desktop, mobile, web
• Auth & Authz for RESTful APIs
• Delegated authorization
  – mitigates the password anti-pattern
• Issue tokens for granular access
  – without divulging your credentials
OAuth 2.0 Terminology: Roles
• Authorization Server (AS): a server capable of issuing tokens, obtaining authorization, and authenticating resource owners.
• Resource Owner: an entity (usually an end-user/person) capable of granting access to a protected resource.
• Client: an application(!) obtaining authorization and making protected resource requests (on behalf of the resource owner).
• Resource Server (RS): the server hosting protected resources.
[diagram, with label "verify"]
Protocol Workflow (authorization code grant, captured trace)

A. Client sends Authorization Request (the user agent is redirected to the AS)
   GET /as/authorization.oauth2?client_id=TunesPartner-OT&state=TunesPartner-OT&response_type=code&scope=onetime-a HTTP/1.1  -> 302

B. Authorization Server grants Authorization (redirect back to the client's registered callback, carrying the code)
   https://www.tunespartner.com:9031/Partner/callback.jsp?state=TunesPartner-OT&code=IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7

C. Client requests Access Token (back channel, client to token endpoint)
   POST https://idp.idtel.com:9031/as/token.oauth2
   client_id=TunesPartner-OT&grant_type=authorization_code&code=IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7

D. Authorization Server grants Access Token
   JSON response containing the OAuth access_token:
   {"token_type":"Bearer",
    "expires_in":300,
    "access_token":"ivBOdwGpGb3pY3gvPaK6D8W5Ldey"}

Note that in this capture the state value equals the client_id, i.e. it is a fixed string. In production, state must be an unguessable per-session value that the client checks on the callback (RFC 6749 section 10.12); otherwise the callback can be driven by an attacker's browser (CSRF). The code is single-use and short-lived; the access token only ever travels on the back channel in step C/D and in the Authorization header to the resource server.
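The flow above, simulated in-process as an added example for this page (not Ping Identity or PingFederate code). The endpoint paths, the client name TunesPartner-OT, the scope onetime-a and the callback URL come from the captured trace; the client secret, the resource owner "alice" and the resource server are constructed here. The point the trace does not show is which checks each side must make: registered redirect_uri, single-use and expiring code, code bound to the client that requested it, per-session state verified by the client, and scope and expiry checked by the resource server.

```python
"""OAuth 2.0 authorization-code grant (RFC 6749 section 4.1), simulated in one process.

Illustrative code written for this page, not PingFederate's implementation.
Paths and identifiers from the captured trace are reused; secrets, users and the
resource server are constructed for the example.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60      # authorization codes are single-use and short-lived
TOKEN_TTL = 300    # matches "expires_in":300 in the trace
CLIENT_ID = "TunesPartner-OT"
CLIENT_SECRET = "s3cret-constructed"                       # assumption: confidential client
REDIRECT_URI = "https://www.tunespartner.com:9031/Partner/callback.jsp"


class AuthorizationServer:
    """Plays /as/authorization.oauth2 and /as/token.oauth2 plus token introspection."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, {REDIRECT_URI})}   # registration data
        self.codes = {}    # code -> grant details
        self.tokens = {}   # access_token -> token details

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Step A/B: resource owner has logged in and consented; issue a code via redirect."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        _, allowed_uris = self.clients[client_id]
        if redirect_uri not in allowed_uris:
            raise ValueError("unregistered redirect_uri")     # never redirect a code to an attacker
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                scope=scope, user=user, exp=time.time() + CODE_TTL)
        return redirect_uri + "?" + urlencode({"state": state, "code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step C/D: authenticate the client, then exchange the code for a bearer token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)                    # pop: a code works exactly once
        if grant is None or grant["exp"] < time.time():
            return {"error": "invalid_grant"}
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}                 # code issued to someone else
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = dict(client_id=client_id, scope=grant["scope"],
                                         user=grant["user"], exp=time.time() + TOKEN_TTL)
        return {"token_type": "Bearer", "expires_in": TOKEN_TTL, "access_token": access_token}

    def introspect(self, access_token):
        """What the resource server asks the AS: is this token live, for whom, with what scope."""
        t = self.tokens.get(access_token)
        if t is None or t["exp"] < time.time():
            return {"active": False}
        return {"active": True, "scope": t["scope"], "sub": t["user"], "client_id": t["client_id"]}


class ResourceServer:
    """Constructed protected resource: a playlist that needs scope onetime-a."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_playlist(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "missing bearer token"
        info = self.auth_server.introspect(token)
        if not info["active"]:
            return 401, "invalid_token"
        if "onetime-a" not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, "playlist of " + info["sub"]


def client_flow(auth_server, resource_server, user="alice"):
    """The client's side of steps A-D, including the state check the client must perform."""
    state = secrets.token_urlsafe(16)        # unguessable, bound to this browser session
    callback = auth_server.authorize(CLIENT_ID, REDIRECT_URI, "onetime-a", state, user)
    params = parse_qs(urlparse(callback).query)
    if params.get("state", [None])[0] != state:
        raise ValueError("state mismatch: callback not bound to this session (CSRF)")
    code = params["code"][0]
    resp = auth_server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    if "error" in resp:
        return resp
    status, body = resource_server.get_playlist("Bearer " + resp["access_token"])
    return {"status": status, "body": body, "code": code, "token": resp}


if __name__ == "__main__":
    as_server = AuthorizationServer()
    print(client_flow(as_server, ResourceServer(as_server)))
```

Running the module prints the resource server's response for alice together with the token response; the replay and mismatch cases are the ones worth adding to your own test suite for a real deployment.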
OAuth 2.0 Benefits
• Security & Usability
  – Bearer Tokens
• Revocation
• Granularity (scopes)
• Use Cases*
• Passwords vs. OAuth === credit card vs. checks (a password hands over everything; a scoped token authorizes one thing)
OAuth 2.0 is Not for Authentication !!
• Bearer token is about delegated rights, not about the user authn
• Bearer token has no audience restriction
  – can't check if it was really meant for you
  – not bound to the client
• No guarantee that the user is present
  – no "authn statement" semantics
• Redirect is not authenticated or integrity protected in any way
  – bearer = bearer and nothing more
[diagram: user agent is redirected to get a token; client presents token T to RS + AS, which validate it and return user info]
OpenID Connect
• OAuth: general mechanism to authorize API access
• OpenID Connect: profile on top of OAuth for authenticating the user and sharing profile information (ID token + UserInfo)
• Uses the authz code & implicit grant types – the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
[diagram: Client (RP), User Agent, AS/OP, Resource Server (UserInfo); steps 1-3 and a, b]
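The two slides above, the "not for authentication" argument and the OpenID Connect answer to it, as an added example for this page (not Ping Identity code). It simulates the token-substitution problem: a victim legitimately authorizes an attacker's own app, the attacker replays that perfectly valid access token at a site that "logs in" whoever UserInfo names, and is logged in as the victim, because a bearer access token has no audience and is not bound to the client. The same site doing OpenID Connect properly rejects the replay, because the ID token carries aud and nonce and is signature-checked. Everything here is constructed: the provider, client ids, user, the HS256 shared key (a real OP would sign with RS256 and publish a JWKS), and the hand-rolled JWT encoding from the standard library so it runs offline.

```python
"""Bearer access token vs. OpenID Connect ID token as a login credential.

Illustrative, in-process simulation written for this page, not Ping Identity code.
The ID token is an HS256 JWT built by hand from the standard library.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-shared-secret"   # assumption: OP/RP shared HS256 key; real OPs use RS256 + JWKS
ISSUER = "https://op.example.test"   # constructed issuer identifier


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_encode(claims, key):
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, header + b"." + payload, hashlib.sha256).digest()
    return (header + b"." + payload + b"." + b64url(sig)).decode()


def jwt_hs256_decode(token, key):
    """Verify the signature before trusting anything in the payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, (header + "." + payload).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")                 # never let the token pick the algorithm
    return json.loads(b64url_decode(payload))


class Provider:
    """Acts as OAuth AS, UserInfo resource server and OpenID Provider at once."""

    def __init__(self):
        self.tokens = {}

    def issue_access_token(self, client_id, user):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = dict(client_id=client_id, sub=user, exp=time.time() + 300)
        return tok

    def userinfo(self, access_token):
        t = self.tokens.get(access_token)
        if t is None or t["exp"] < time.time():
            return None
        # says who the user is, not which client the token was issued to
        return {"sub": t["sub"], "email": t["sub"] + "@example.test"}

    def issue_id_token(self, client_id, user, nonce):
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": user, "aud": client_id,
                  "nonce": nonce, "iat": now, "exp": now + 300}
        return jwt_hs256_encode(claims, KEY)


def naive_login(provider, access_token):
    """The anti-pattern: whoever /userinfo names is logged in."""
    info = provider.userinfo(access_token)
    return info["sub"] if info else None


def oidc_login(id_token, expected_client_id, expected_nonce):
    """RP-side ID token validation (OIDC Core 3.1.3.7): signature, iss, aud, nonce, exp."""
    try:
        c = jwt_hs256_decode(id_token, KEY)
    except ValueError:
        return None
    if c.get("iss") != ISSUER:
        return None
    if c.get("aud") != expected_client_id:           # aud may also be a list in real tokens
        return None                                  # token was minted for another client
    if c.get("nonce") != expected_nonce:             # not the login this browser session started
        return None
    if c.get("exp", 0) < time.time():
        return None
    return c["sub"]


def token_substitution_demo():
    op = Provider()
    # 1. Victim alice legitimately authorizes the attacker's own app "evil-app".
    stolen = op.issue_access_token("evil-app", "alice")
    # 2. Attacker replays that token at "good-rp", which logs in via /userinfo.
    naive = naive_login(op, stolen)                               # "alice": account takeover
    # 3. good-rp doing OIDC: attacker replays an ID token minted for evil-app.
    nonce = secrets.token_urlsafe(8)                              # good-rp's own session nonce
    replayed = oidc_login(op.issue_id_token("evil-app", "alice", "x"), "good-rp", nonce)
    # 4. A genuine OIDC login at good-rp succeeds.
    genuine = oidc_login(op.issue_id_token("good-rp", "alice", nonce), "good-rp", nonce)
    return naive, replayed, genuine
```

The three return values are "alice", None and "alice": the access token replay is accepted by the naive site, the ID token replay is rejected on the aud check, and the genuine login passes. The audience and nonce checks are the minimum an RP must do; a real RP also takes the key from the OP's discovery document and pins the expected algorithm.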
SSO for Mobile Apps: Authorization Agent (AZA)
• Aggregate OAuth flows and logins
• Bootstrap through Web SSO with OpenID Connect or SAML
• OAuth-as-a-Service + SAML-as-a-Service
[diagram: OAuth SSO]
RECOMMENDATIONS
Something to think about: Cloud IAM strategy
• Multi-use case, multi-device, multi-channel, multi-protocol…
  – Identity is the connector
• Interoperability and standards
• IAM not just an internal technical issue: also a strategic business enabler
• Architect for agility
Identity for APIs strategy
• Implement your API for:
  – externalized authentication and authorization
  – tokens instead of passwords
  – consumer identity AND enterprise identity
• By leveraging identity we can:
  – address API access (server2server, mobile) in the same way as Web SSO
  – reuse existing security and identity policies
  – connect your existing identity store
• Possibly implement this in a single system(!)
  – And be prepared for OAuth 2.0, OpenID Connect, SCIM, SAML, …
COME AND SEE US!
Hans Zandbelt
Twitter: @hanszandbelt
www.pingidentity.com

 
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Nordic APIs
 
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerGenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerNordic APIs
 
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...Nordic APIs
 
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...Nordic APIs
 

More from Nordic APIs (20)

How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...
 
The Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at ApitureThe Art of API Design, by David Biesack at Apiture
The Art of API Design, by David Biesack at Apiture
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs? by Dav...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...
 
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...
 
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...
 
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNLAPI Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL
 
API Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, GraylogAPI Discovery from Crawl to Run - Rob Dickinson, Graylog
API Discovery from Crawl to Run - Rob Dickinson, Graylog
 
Productizing and Monetizing APIs - Derric Gilling, Moseif
Productizing and Monetizing APIs - Derric Gilling, MoseifProductizing and Monetizing APIs - Derric Gilling, Moseif
Productizing and Monetizing APIs - Derric Gilling, Moseif
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, SipiosSecurely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios
 
Security of LLM APIs by Ankita Gupta, Akto.io
Security of LLM APIs by Ankita Gupta, Akto.ioSecurity of LLM APIs by Ankita Gupta, Akto.io
Security of LLM APIs by Ankita Gupta, Akto.io
 
I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie...
I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie...I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie...
I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie...
 
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...
 
Reigniting the API Description Wars with TypeSpec and the Next Generation of ...
Reigniting the API Description Wars with TypeSpec and the Next Generation of...Reigniting the API Description Wars with TypeSpec and the Next Generation of...
Reigniting the API Description Wars with TypeSpec and the Next Generation of ...
 
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAnyEstablish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny
 
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...
 
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIsGoing Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs
 
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...
 
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, GartnerGenAI: Producing and Consuming APIs by Paul Dumas, Gartner
GenAI: Producing and Consuming APIs by Paul Dumas, Gartner
 
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...
The SAS developer portal – developer.sas.com 2.0: How we built it by Joe Furb...
 
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Who’s Knocking? Identity for APIs, Web and Mobile

1. Who's Knocking? Identity for APIs, Web and Mobile
Hans Zandbelt - @hanszandbelt
CTO Office - Ping Identity

2. Overview
1 Cloud & APIs: The Trends - History, state-of-the-art, trends
2 Identity and APIs - What, why, how
3 OAuth 2.0 - Not for Authentication!
4 Recommendations - API strategy

3. CLOUD & APIS: THE TRENDS

4. Cloud/Mobile Moves: 3 Dimensions of Change
• Users
– Workforce
– Customers/consumers
– Partners
– Social
• Devices
– Mobile/fixed
– Browser/app
– BYOD/E-owned
• Location
– Services
– Users
(diagram: Users, Devices, Location(s))

5. Consequences
Traditional firewall and enterprise domain-based security cannot deal with Cloud Apps and Mobile devices and applications.
IDENTITY IS THE NEW PERIMETER
(diagram: FIREWALL)

6. How it could/should be: Cloud 2.0 (web or mobile)
(diagram: firewall, APP, APP, database, directory, SaaS, SaaS, SaaS, database)

7. The API Economy Drivers
• SaaS
– API access to data/services vs. browser access
– Cloud, Mobile/Big Data, BYOD
– Salesforce.com > 60%
• APIs of PaaS offerings
– Expose own cloud services
• Clear trend for APIs towards REST

8. IDENTITY & APIS

9. The Internet Scale Identity Concept
• Identity Provider
– Authoritative
– Scale
– Manageability
• UNIFORM across Web SSO & API Access
• Security AND Convenience
• How to extend enterprise security policies to the cloud: a MUST have
(diagram: verify)

10. Web SSO and API Access Playfield
(diagram: User Provisioning, Web SSO, API Access)
11. API Access
• HTTP
• SOAP
– WS-Security/WS-Trust
• REST
– ?
• TOKEN
– Obtain
– Use
– Validate
• Passwords??
(diagram: CLIENT -> SERVICE over SOAP / REST, carrying a Token)

12. Password anti-pattern
• 3rd-party clients store user passwords
• Teaches users to be indiscriminate with passwords
• No multi-factor or federated authentication
• No granularity
• No differentiation
• No revocation

13. Drivers
• Lack Of Standards
• Password Anti-Pattern
• Native Mobile Apps
• REST
• Cloud APIs

14. OAUTH 2.0

15. OAuth 2.0
• Secure API authorization
– simple & standard
– desktop, mobile web
• Auth & Authz for RESTful APIs
• Delegated authorization
– mitigates password anti-pattern
• Issue tokens for granular access
– Without divulging your credentials

16. OAuth 2.0 Terminology: Roles
• Authorization Server (AS): A server capable of issuing tokens, obtaining authorization, and authenticating resource owners.
• Resource Owner: An entity (usually an end-user/person) capable of granting access to a protected resource.
• Client: An application(!) obtaining authorization and making protected resource requests (on behalf of the resource owner).
• Resource Server (RS): The server hosting protected resources.
(diagram: verify)
17. Protocol Workflow
A. Client sends Authorization Request
"GET /as/authorization.oauth2?client_id=TunesPartner-OT&state=TunesPartner-OT&response_type=code&scope=onetime-a HTTP/1.1" 302 0
B. Service Provider grants Authorization
https://www.tunespartner.com:9031/Partner/callback.jsp?state=TunesPartner-OT&code=IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7
C. Client Requests Access Token
POST https://idp.idtel.com:9031/as/token.oauth2
---PARAMETERS---
client_id: TunesPartner-OT&
grant_type: authorization_code&
Code: IEM_peySP5KvIfVs8fT650FxbgXwjdqN8tHXdyh7
D. Service Provider grants Access Token
This resulted in the following JSON response containing our OAuth access_token:
{"token_type":"Bearer", "expires_in":300, "access_token":"ivBOdwGpGb3pY3gvPaK6D8W5Ldey"}
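The four steps traced on this slide, as an added example that is not from the deck or from Ping Identity: a constructed, in-memory authorization server and client run the authorization code grant end to end. The client id, scope and endpoint URLs are the ones in the trace; the code and token strings are generated fresh, and the `validate` and `revoke` methods stand in for whatever interface a real AS offers a resource server (an assumption here, not a standard endpoint). Beyond the trace, it shows the two checks the step letters hide (the client only accepts a callback carrying a state it issued, and the AS lets each code be exchanged exactly once) and the revocation and expiry properties the deck claims for tokens over passwords.

```python
import secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Client id, scope and URLs are the ones in the deck's trace; the servers are constructed stand-ins.
CLIENT_ID = "TunesPartner-OT"
REDIRECT_URI = "https://www.tunespartner.com:9031/Partner/callback.jsp"
AUTHZ_ENDPOINT = "https://idp.idtel.com:9031/as/authorization.oauth2"


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """In-memory stand-in for the AS: single-use codes, short-lived revocable bearer tokens."""

    def __init__(self, registered_clients):
        self.clients = registered_clients  # client_id -> registered redirect URI
        self.codes = {}    # code -> (client_id, scope, resource_owner)
        self.tokens = {}   # access_token -> (client_id, scope, resource_owner, expiry)

    def authorize(self, request_url, resource_owner):
        """Step B: the resource owner has consented; redirect back with a code."""
        p = _query(request_url)
        if p.get("response_type") != "code" or p.get("client_id") not in self.clients:
            raise ValueError("invalid authorization request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (p["client_id"], p.get("scope", ""), resource_owner)
        # state is echoed back untouched so the client can tie this response to its request
        return self.clients[p["client_id"]] + "?" + urlencode({"state": p["state"], "code": code})

    def token(self, form):
        """Step D: exchange a code for a bearer token; a code works exactly once."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        issued = self.codes.pop(form.get("code"), None)  # pop: presenting the code again fails
        if issued is None or issued[0] != form.get("client_id"):
            raise ValueError("invalid, already used, or foreign code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = issued + (time.time() + 300,)
        return {"token_type": "Bearer", "expires_in": 300, "access_token": token}

    def validate(self, token, now=None):
        """RS-side check of an opaque token with the AS (assumed interface, not a standard one)."""
        entry = self.tokens.get(token)
        if entry is None or (now or time.time()) >= entry[3]:
            return None  # unknown, revoked or expired
        return {"client_id": entry[0], "scope": entry[1], "sub": entry[2]}

    def revoke(self, token):
        """Only this grant dies; the resource owner's password was never shared."""
        self.tokens.pop(token, None)


class Client:
    """The third-party application; it never handles the resource owner's password."""

    def __init__(self, authz_server):
        self.as_, self.pending_state = authz_server, None

    def authorization_request(self, scope):
        """Step A: the URL the user agent is sent to, with a fresh unguessable state."""
        self.pending_state = secrets.token_urlsafe(16)
        return AUTHZ_ENDPOINT + "?" + urlencode({"client_id": CLIENT_ID, "state": self.pending_state,
                                                 "response_type": "code", "scope": scope})

    def handle_callback(self, callback_url):
        """Step C: accept the code only if state matches, then trade it at the token endpoint."""
        p = _query(callback_url)
        if self.pending_state is None or p.get("state") != self.pending_state:
            raise ValueError("state mismatch: not a response to a request this client made")
        self.pending_state = None
        return self.as_.token({"client_id": CLIENT_ID, "grant_type": "authorization_code",
                               "code": p.get("code")})


def demo():
    """Run steps A-D once, then probe the checks that keep the flow safe."""
    as_ = AuthorizationServer({CLIENT_ID: REDIRECT_URI})
    client = Client(as_)
    callback_url = as_.authorize(client.authorization_request("onetime-a"), "alice")
    resp = client.handle_callback(callback_url)
    r = {"token_type": resp["token_type"], "expires_in": resp["expires_in"]}
    try:  # the code was consumed in step D, so presenting it again must fail
        as_.token({"client_id": CLIENT_ID, "grant_type": "authorization_code",
                   "code": _query(callback_url)["code"]})
        r["replay_rejected"] = False
    except ValueError:
        r["replay_rejected"] = True
    client.authorization_request("onetime-a")
    try:  # a callback whose state the client never issued must be dropped
        client.handle_callback(REDIRECT_URI + "?" + urlencode({"state": "other", "code": "x"}))
        r["foreign_state_rejected"] = False
    except ValueError:
        r["foreign_state_rejected"] = True
    tok = resp["access_token"]
    r["scope_seen_by_rs"] = as_.validate(tok)["scope"]
    r["valid_after_expiry"] = as_.validate(tok, now=time.time() + 301) is not None
    as_.revoke(tok)
    r["valid_after_revoke"] = as_.validate(tok) is not None
    return r
```

Run `demo()` to see the token response shape from step D (`Bearer`, `expires_in` 300) together with the outcomes of the replay, state, expiry and revocation probes. The state value is what ties step B back to step A; without it a client would accept any code that arrives at its callback URL.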
18. OAuth 2.0 Benefits
• Security & Usability
– Bearer Tokens
• Revocation
• Granularity
• Use Cases*
• Passwords vs. OAuth === creditcard vs. checks
(diagram: Scopes)

19. OAuth 2.0 is Not for Authentication !!
• Bearer token is about delegated rights, not about the user authn
• Bearer token has no audience restriction
– can't check if it was really meant for you
– Not bound to the client
• No guarantee that the user is present
– no "authn statement" semantics
• Redirect is not authenticated or integrity protected in any way
– bearer = bearer and nothing more
(diagram: client, user agent, RS + AS; "get a token", "redirect", "validate", "user info", T)

20. OpenID Connect
• OAuth: general mechanism to authorize API access
• OpenID Connect: profile for sharing profile information
• Uses the authz code & implicit grant types
– the pieces of OAuth optimized for user-consent scenarios
• Leverages the authorization & token endpoints & adds identity-based params to core OAuth messages
(diagram: Client (RP), User Agent, AS/OP, Resource Server, UserInfo; steps 1, 2, 3, a, b)
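The checks behind slides 19 and 20 in code, as an added example that is not from the deck or from Ping Identity: a resource server validating a self-contained, audience-restricted token of the kind OpenID Connect's ID token adds on top of plain OAuth. The HS256 shared key, the audience names and the claim set (iss, sub, aud, iat, exp) are assumptions for the demo. The opaque bearer token from the slide 17 trace is fed through the same validator to show the slide 19 point: it carries no audience, so the resource server cannot tell locally whether the token was meant for it.

```python
import base64
import binascii
import hashlib
import hmac
import json

ISSUER = "https://idp.idtel.com:9031"  # AS host from the deck's trace
SHARED_KEY = b"constructed-demo-key-shared-by-as-and-rs"  # assumption: HMAC key known to AS and RS


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject, audience, now, key=SHARED_KEY, ttl=300):
    """AS side: a signed token that names the resource server it is meant for (aud)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": int(now), "exp": int(now) + ttl}
    signing_input = _json_b64(header) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, my_audience, now, key=SHARED_KEY):
    """RS side: (claims, "ok") or (None, reason). Signature first, then iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque bearer token (like the one in the slide 17 trace) has no structure
        # to inspect; the RS can only hand it back to the AS for validation.
        return None, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
        # Pin the algorithm the RS expects; never let the token choose it.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None, "bad signature"
        claims = json.loads(_unb64url(claims_b64))
    except (ValueError, binascii.Error):
        return None, "malformed"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if my_audience not in (aud if isinstance(aud, list) else [aud]):
        # This is the check a plain bearer token cannot support (slide 19).
        return None, "not meant for this resource server"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


def demo(now=1_700_000_000):
    """Issue one token for tunespartner-api and show what each check rejects."""
    tok = issue_token("alice", "tunespartner-api", now)
    # Same header and signature, but the subject claim rewritten: the RS must notice.
    h, c, s = tok.split(".")
    edited = json.loads(_unb64url(c))
    edited["sub"] = "someone-else"
    tampered = h + "." + _json_b64(edited) + "." + s
    return {
        "right_rs": validate_token(tok, "tunespartner-api", now)[1],
        "other_rs": validate_token(tok, "billing-api", now)[1],
        "after_expiry": validate_token(tok, "tunespartner-api", now + 301)[1],
        "tampered": validate_token(tampered, "tunespartner-api", now)[1],
        "opaque": validate_token("ivBOdwGpGb3pY3gvPaK6D8W5Ldey", "tunespartner-api", now)[1],
        "subject": validate_token(tok, "tunespartner-api", now)[0]["sub"],
    }
```

The aud check is what turns "bearer = bearer and nothing more" into a token the resource server can confirm was meant for it; the exp check uses the same 300-second lifetime the trace's `expires_in` reports. Nothing here says the user is present at the moment the token is used, which is why the deck treats authentication as a separate profile rather than a property of the access token.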
21. SSO for Mobile Apps: Authorization Agent (AZA)
• Aggregate OAuth flows and logins
• Bootstrap through WebSSO with OpenID Connect or SAML
• OAuth-as-a-Service + SAML-as-a-Service
(diagram: OAUTH, SSO)

22. RECOMMENDATIONS

23. Something to think about: Cloud IAM strategy
• Multi-use case, multi-device, multi-channel, multi-protocol…
– Identity is the connector
• Interoperability and standards
• IAM not just an internal technical issue: also a strategic business enabler
• Architect for agility

24. Identity for APIs strategy
• Implement your API for:
– externalized authentication and authorization
– tokens instead of passwords
– consumer identity AND enterprise identity
• By leveraging identity we can:
– address API access (server2server, mobile) in the same way as Web SSO
– reuse existing security and identity policies
– connect your existing identity store
• Possibly implement this in a single system(!)
– And be prepared for OAuth 2.0, OpenID Connect, SCIM, SAML, …

25. COME AND SEE US!
Hans Zandbelt
Twitter: @hanszandbelt
www.pingidentity.com