Secure your APIs & Microservices with OAuth & OpenID Connect
By Travis Spencer, CEO
@travisspencer, @curityio
Copyright 2018 Curity AB

Organizers and founders
- All API Conferences
- API Community
- Active blogosphere
Austin API Summit: June 11 - 13, Austin, Texas
2018 Platform Summit: October 22 - 24, Stockholm, Sweden
API Security: API Keys
Problem solved!
@travis / @curityio

API Security: API Keys?
- Revocable, non-expiring, bearer access tokens
- Symmetric keys
- Passwords!

API Security: OAuth
Problem solved for real this time? Not that easy! Sorry :(
Crucial Security Concerns
- Enterprise Security
- API Security
- Mobile Security

Identity is API Security

The Neo-security Stack
- Federation: OpenID Connect
- Delegated Access: OAuth 2
- Authorization
- JSON Identity Suite
OAuth
- OAuth 2 is the new protocol of protocols
- Used as the base of other specifications: OpenID Connect, UMA, HEART, etc.
- Addresses some important requirements: delegated access, no password sharing, revocation of access

OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS): the client gets a token from the AS
4. Resource Server (RS), i.e., the API: the client uses the token at the RS

Request, Authenticate & Consent
- Request access
- Login
- Consent
Code Flow (against APIs & microservices)
1. User is redirected to the OAuth server
2. User logs in and delegates access
3. Short-lived access code is issued to the client
4. Code is exchanged for an access token
5. Access token can be used to call APIs
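The five steps above, run end to end in one process so the exchange can be traced offline. This is an added example, not code from the slides or from Curity: the authorization server and client are toy in-memory objects, and the client id, secret, redirect URI and user name are constructed. It shows what the slides say about the code: it is short-lived, it is bound to the client it was issued to, and it can be redeemed only once.

```python
"""Simulated OAuth 2 authorization code flow (added example, not from the slides).

Both the authorization server (AS) and the client are modelled in-process.
Client registration, secret, redirect URI and user are constructed values.
"""
import secrets
import time

# Constructed client registration held by the AS. The redirect URI is pinned at
# registration so a code can only be redeemed by the client it was issued to.
CLIENTS = {
    "web-app": {"secret": "s3cret-demo", "redirect_uri": "https://app.example/cb"},
}

CODE_LIFETIME_SECONDS = 60  # the "short-lived access code" of step 3


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self._codes = {}        # code -> grant details, deleted on redemption
        self.tokens = {}        # access_token -> {sub, scope, client_id}

    def authorize(self, client_id, redirect_uri, scope, user):
        """Steps 1-3: the user has logged in and delegated access; issue a code."""
        reg = CLIENTS.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
            "sub": user, "expires": self.now() + CODE_LIFETIME_SECONDS,
        }
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: exchange the code for an access token (single use, bound to the client)."""
        reg = CLIENTS.get(client_id)
        if reg is None or not secrets.compare_digest(reg["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self._codes.pop(code, None)   # pop: a code can be redeemed exactly once
        if grant is None:
            raise PermissionError("invalid_grant")   # unknown, or already used
        if grant["expires"] < self.now():
            raise PermissionError("invalid_grant")   # expired
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")   # code was issued to another client
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": grant["sub"], "scope": grant["scope"],
                                     "client_id": client_id}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def resource_server_check(self, access_token, required_scope):
        """Step 5: the API accepts the bearer token if it is known and carries the scope."""
        info = self.tokens.get(access_token)
        return info is not None and required_scope in info["scope"].split()


def run_code_flow(as_server=None):
    """Drive the whole flow once and report what each side observed."""
    as_server = as_server or AuthorizationServer()
    code = as_server.authorize("web-app", "https://app.example/cb", "read write", "alice")
    tok = as_server.token("web-app", "s3cret-demo", code, "https://app.example/cb")
    api_ok = as_server.resource_server_check(tok["access_token"], "read")
    # Replaying the same code must fail: it was consumed by the exchange above.
    try:
        as_server.token("web-app", "s3cret-demo", code, "https://app.example/cb")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"api_ok": api_ok, "replay_rejected": replay_rejected, "token": tok}


if __name__ == "__main__":
    print(run_code_flow())
```

The `now` parameter exists only so that the 60-second code lifetime can be tested without sleeping; a real AS uses the wall clock.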
Scopes
- Like permissions
- Scopes specify the extent of a token's usefulness
- Listed on consent UI (if shown)
- No standardized scopes

Kinds of Tokens
- Access tokens: like a session; used to secure API calls
- Refresh tokens: like a password; used to get new access tokens

Profiles of Tokens
- Bearer: bearer tokens are like cash
- Holder of Key (HoK): HoK tokens are like credit cards

Types of Tokens
- WS-Security & SAML
- Custom
- Home-grown
- Oracle Access Manager
- SiteMinder
- CBOR Web Tokens (CWT)
- JWT

JWT Type Tokens
- Pronounced like the English word "jot"
- Lightweight tokens passed in HTTP headers & query strings
- Encoded as JSON
- Compact
- Encrypted, signed, or neither
- Not the only kind of token allowed by OAuth

Passing Tokens
- By value: user attributes are in the token
- By reference: user attributes are referenced by an identifier
Improper Usage of OAuth
- Not for authentication
- Not for federation
- Not really for authorization

Proper Usage of OAuth
- For delegation
OpenID Connect
- Next generation federation protocol
- Based on OAuth 2
- Made for mobile
- Not backward compatible
- Client & API receive tokens
- User info endpoint provided for client to get user data

OpenID Connect Example (sequence between Browser, RP / Client and OAuth AS / OpenID Provider)
1. Browser -> RP: request login, providing "openid" scope & user info scopes
2. AS -> RP (via browser): access code
3. RP -> AS: send code to get access token
4. AS -> RP: access token & ID token
5. RP: check audience restriction of ID token
6. RP -> AS: get user info using access token

ID Token is for the Client
- Access token is for the API
- ID token is for the client
- ID token provides the client with info about: intended client recipient, username, credential used to login, issuer of token, expiration time

User Info Endpoint
- Token issuance and user discovery endpoint
- Authenticate using access token issued by OpenID Provider
- Output depends on requested and authorized scopes
- sub claim must match sub claim in ID token
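Steps 5 and 6 of the sequence, and the last bullet above, are where a relying party most often goes wrong, so here they are as code. This is an added example, not code from the slides or from Curity. It assumes an HS256-signed ID token (a shared client secret as the key, which OpenID Connect permits for confidential clients; with RS256 only the signature step changes, using the provider's published key), and the issuer, client id, secret and claim values are constructed. `make_id_token` plays the OpenID Provider so that the validation has something to chew on.

```python
"""Validating an OpenID Connect ID token, then cross-checking the user info
response against it (added example, not from the slides).

Assumes HS256 with the client secret as key. Issuer, client id, secret and
claims are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example"       # constructed OpenID Provider issuer
CLIENT_ID = "web-app"               # constructed relying-party client id
CLIENT_SECRET = b"s3cret-demo"      # constructed shared secret (HS256 key)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims, secret=CLIENT_SECRET):
    """What the OpenID Provider does: emit an HS256 JWT over the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token, client_id=CLIENT_ID, issuer=ISSUER,
                      secret=CLIENT_SECRET, now=None):
    """Return the claims if the ID token is acceptable for this client; raise otherwise.

    Order matters: the signature is checked before any claim is trusted.
    """
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # the token must not choose the algorithm for us
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:                  # issuer of token
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:                         # intended client recipient
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:                  # expiration time
        raise ValueError("token expired")
    return claims


def check_userinfo(id_claims, userinfo):
    """User info output must describe the subject named in the ID token."""
    return userinfo.get("sub") == id_claims.get("sub")


if __name__ == "__main__":
    tok = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                         "exp": int(time.time()) + 600, "amr": ["pwd"]})
    claims = validate_id_token(tok)
    print(claims, check_userinfo(claims, {"sub": "alice", "name": "Alice"}))
```

The audience check is what stops an ID token minted for some other application at the same provider from being replayed at this client; the `sub` comparison is what stops a user info response for a different account from being stitched onto the login.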
Applied to Microservices and APIs

A Traditional Service

With Traditional Subsystems: Component A, Component B, Component C, Component D

and traditional scalability

But this is not always how we build systems

One Microservice

Many Microservices

Scaling Microservices

Securing Traditional Services

Securing Traditional Services: user repository

So for microservices that would mean: user repository
Remember our two token passing methods?
- By value: user attributes are in the token
- By reference: user attributes are referenced by an identifier

By Reference: contains NO information outside the network

By Value: contains ALL necessary information

External vs. Internal
- Outside the network: by reference
- API Firewall / Reverse Proxy at the boundary
- Inside the network: by value, to APIs & services

Token Translation
- The API Firewall / Reverse Proxy translates the by-reference token used outside the network into the by-value token used by APIs & services inside the network
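The two passing methods and the translation step between them, as an added example that is not code from the slides or from Curity. The authorization server hands the client an opaque reference token and answers introspection for it; the reverse proxy swaps that reference for a by-value JWT on the way in, and the internal API verifies the JWT locally without ever contacting the AS. The host names, signing key, client id and scopes are constructed, and the JWT is HS256-signed with a key shared only between the proxy and the internal services (an assumption made to keep the example self-contained).

```python
"""Token translation at the network boundary (added example, not from the slides).

Outside: opaque by-reference token, readable by nobody but the AS.
Inside:  by-value JWT carrying all the claims the APIs need.
Host names, signing key, client id and scopes are constructed values.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

INTERNAL_SIGNING_KEY = b"internal-hs256-key-demo"   # constructed; proxy + internal APIs only
ISSUER = "https://as.example"                        # constructed authorization server


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthorizationServer:
    """Issues by-reference tokens and answers introspection for them."""

    def __init__(self):
        self._store = {}

    def issue_reference_token(self, sub, scope, client_id, ttl=3600):
        token = secrets.token_urlsafe(32)   # random handle: no attributes can be read from it
        self._store[token] = {"active": True, "sub": sub, "scope": scope,
                              "client_id": client_id, "exp": int(time.time()) + ttl}
        return token

    def introspect(self, token):
        return self._store.get(token, {"active": False})

    def revoke(self, token):
        self._store.pop(token, None)        # revocation is immediate: the handle stops resolving


def to_jwt(claims, key=INTERNAL_SIGNING_KEY):
    """Build the by-value token the internal services consume."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class ReverseProxy:
    """Sits on the boundary and performs the by-reference -> by-value swap."""

    def __init__(self, as_server):
        self.as_server = as_server

    def forward(self, request):
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Bearer "):
            return {"status": 401}
        info = self.as_server.introspect(auth[len("Bearer "):])
        if not info.get("active"):
            return {"status": 401}          # unknown, expired or revoked reference token
        jwt = to_jwt({"iss": ISSUER, "sub": info["sub"], "scope": info["scope"],
                      "client_id": info["client_id"], "exp": info["exp"]})
        internal = dict(request)
        internal["headers"] = {**request["headers"], "Authorization": f"Bearer {jwt}"}
        return {"status": 200, "internal_request": internal}


def internal_api(request, key=INTERNAL_SIGNING_KEY):
    """An API inside the network: verifies the JWT locally and reads claims from it."""
    token = request["headers"]["Authorization"].split(" ", 1)[1]
    header_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    return json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    as_server = AuthorizationServer()
    ref = as_server.issue_reference_token("alice", "read", "mobile-app")
    proxy = ReverseProxy(as_server)
    res = proxy.forward({"method": "GET", "path": "/orders",
                         "headers": {"Authorization": f"Bearer {ref}"}})
    print(ref, "->", internal_api(res["internal_request"]))
```

Because the client only ever holds the reference, a leaked external token exposes no user attributes, and revoking it at the AS takes effect on the next request through the proxy; the services behind the proxy still get the self-contained JWT they need to authorize without a network call.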
Demo

Additional Resources
- Blog posts: ...-armor (https://bit.ly/2qn8Jj4); ...ervices-security (bit.ly/building-secure-api-video)
- Whitepaper at our booth

Summary
- API security: API keys & OAuth
- OAuth 2 fundamentals
- Token types
- Profiles
- Passing tokens
- Building OpenID Connect on OAuth
- Using those with microservices & for user-based delegation

Visit curity.io and stop by our booth