Open APIs - Risks and Rewards (Øredev 2013)

DESCRIPTION

Introducing Open APIs, the security risks involved and the great rewards that can be reaped. Covers the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack, and how Twitter's API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev, 7 November 2013, Malmö, Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Open APIs - Risks & Rewards

Hampus Brynolf, Andreas Krohn, Travis Spencer

Open APIs - Risks & Rewards

Andreas Krohn, Dopter

API: Application Programming Interface

API

‣ HTTP Request

‣ Machine readable response

‣ JSON

‣ XML

API

‣ HTTP Methods

‣ GET, POST, etc.

‣ HTTP Headers

‣ URI

‣ Query Parameters

‣ Body

Open API

‣ “Not closed”

‣ Anyone can use it

‣ Free or paid

Open APIs - Risks & Rewards

Hampus Brynolf, Intellecta

TWITTER IN SWEDEN

Method

1. Get from queue

2. Check language (Finnish? Block. Not Finnish? Continue.)

3. Save

4. Add friends and followers

Language analysis

• N-gram-based text categorization
– Searches for three-letter combinations in words
– Considered stable
– Worse results with few tweets
– http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.53.9367
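The language check in step 2 of the method above, written out as an added example (this is my code, not the talk's or Intellecta's pipeline). It uses the rank-order trigram profile idea behind the paper the slide cites: build a frequency-ranked profile of padded three-letter combinations per language, then pick the language whose profile the text's own profile is least "out of place" against. The three training snippets, the fixed penalty of 300 for an unseen trigram, the confidence margin and the `route_account` return values are all my assumptions for illustration; the slide's caveat that results get worse with few tweets is what the `confident` flag makes explicit.

```python
# Added example (not the talk's code): character-trigram language identification
# in the rank-order profile style of the cited n-gram text categorization paper.
# Training snippets are constructed here; a real classifier trains on far more text.
from collections import Counter

TRAINING = {
    "sv": ("Hej! Hur mår du idag? Jag är så trött men det är fredag och vi ska "
           "fika med vänner på stan. Det regnar i Stockholm igen och tåget är "
           "försenat. Tack för en trevlig kväll, vi ses nästa vecka!"),
    "fi": ("Hei! Mitä kuuluu tänään? Olen niin väsynyt mutta on perjantai ja "
           "menemme kahville ystävien kanssa. Helsingissä sataa taas ja juna on "
           "myöhässä. Kiitos mukavasta illasta, nähdään ensi viikolla!"),
    "en": ("Hi! How are you today? I am so tired but it is Friday and we are "
           "going for coffee with friends. It is raining in London again and "
           "the train is late. Thanks for a lovely evening, see you next week!"),
}


def trigrams(text):
    """Character trigrams per word, padded with '_' so word edges count too."""
    for word in text.lower().split():
        padded = "_" + word + "_"
        for i in range(len(padded) - 2):
            yield padded[i:i + 3]


def profile(text, top=300):
    """Map each of the most frequent trigrams to its rank (0 = most frequent)."""
    ranked = [g for g, _ in Counter(trigrams(text)).most_common(top)]
    return {g: rank for rank, g in enumerate(ranked)}


PROFILES = {lang: profile(text) for lang, text in TRAINING.items()}


def out_of_place(doc, lang, penalty=300):
    """Rank-order distance: sum of rank shifts, fixed penalty for trigrams the
    language profile has never seen (assumed penalty = profile size cap)."""
    return sum(abs(rank - lang[g]) if g in lang else penalty
               for g, rank in doc.items())


def classify(text, min_trigrams=20, margin=0.1):
    """Return (language, confident). `confident` is False for very short input
    or when the runner-up language scores almost as well: the slide's caveat
    about few tweets, made explicit (thresholds are assumptions)."""
    doc = profile(text)
    if not doc:
        return None, False
    scores = sorted((out_of_place(doc, p), lang) for lang, p in PROFILES.items())
    best, runner_up = scores[0][0], scores[1][0]
    confident = len(doc) >= min_trigrams and runner_up - best > margin * best
    return scores[0][1], confident


def route_account(tweets):
    """Step 2 for one account: pool up to 100 of its tweets (the talk analysed
    < 100 per account), block Finnish, save anything else, and requeue accounts
    with too little text to decide (the requeue outcome is my assumption)."""
    lang, confident = classify(" ".join(tweets[:100]))
    if not confident:
        return "requeue"
    return "block" if lang == "fi" else "save"


if __name__ == "__main__":
    for sample in ("Tack för hjälpen, vi ses imorgon på jobbet!",
                   "Kiitos avusta, nähdään huomenna töissä!",
                   "ok"):
        print(sample, "->", classify(sample))
```

Pooling an account's tweets before classifying is what makes the check usable at all: a single short tweet yields a handful of trigrams and the runner-up language is often within the margin, which is exactly the "worse result with few tweets" the slide warns about.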

Some data…

• 6,171,929 accounts analyzed
• < 100 tweets per account analyzed
• 15,410,436 Swedish tweets identified and downloaded

Chart: 600 000; 46% active; 17% very active

Chart: Registrations per month

Chart: Words in description

Force Atlas graph: regional clusters (Denmark, Sweden, Finland) and topical clusters (celebs, sport, teens, IT/tech, media & politics, education, manga/anime, entertainment, IT/business/media, churches, librarians, gamers, nationalist, hiphop)

Thanks to @dreadnallen // Christofer Laurin

Open APIs

‣ 10,000+ available

‣ Google

‣ Salesforce

‣ PayPal

‣ Amazon

‣ ProgrammableWeb

why?

Open APIs

‣ External Innovation

‣ Enable Partnerships

‣ Make Money

‣ Save Money

‣ Marketing

Internal APIs

‣ More common than Open APIs

‣ System Architecture

‣ Partnerships

‣ Speed to Market

‣ Mobile Applications

more than just http

Package an API

‣ Security concerns

‣ Statistics

‣ Developer Portal

‣ Documentation

‣ Community

‣ Pricing & Legal

all but the data

API Management

‣ Security

‣ Developer Portal

‣ Monetization

‣ Statistics

‣ Layer 7, 3scale, Apigee, Mashery...

Open APIs - Risks & Rewards

Travis Spencer, Twobo Technologies

Agenda

Problem: the risks & security challenges

Solution: the “Neo-security Stack”

Result: a secure platform for data access

Copyright © 2013 Twobo Technologies AB. All rights reserved

Threats, Dangers & Challenges

Identity is Central to a Solution

Venn diagram by Gunnar Peterson: Identity sits at the intersection of Mobile Security, API Security and Enterprise Security

The Neo-security Stack

SAML / OpenID Connect: Federation

SCIM: Provisioning

JSON Identity Suite: Identity

OAuth: Delegated Access

XACML: Authorization

SAML

SAML: proven technology for identity federation and Web SSO

Profiles, bindings, protocols, assertions & metadata

V. 2.1 in the works

Diagram: Service Provider (SP) and Identity Provider (IdP)

OpenID Connect

New federation protocol that builds on OAuth 2

Adds identity inputs/outputs to OAuth messages

Related to prior OpenID versions in name only

Compact messages for mobile scenarios

RP / client can determine info about end user

Tokens are JWTs

UserInfo endpoint to get user data

Grandpa SAML & junior

SCIM

Defines RESTful API to manage users & groups

Specifies core user & group schemas

Supports bulk updates for ingest

Binding for SAML and eventually OpenID Connect

OAuth

OAuth 2 is the new protocol of protocols

Composed in useful ways

Addresses old requirements and solves new ones

Delegated access

No password sharing

Revocation of access

JSON Identity Protocol Suite

Suite of JSON-based identity protocols

Tokens (JWT) ▪ Encryption (JWE) ▪ Keys (JWK) ▪ Signatures (JWS) ▪ Algorithms (JWA)

Lightweight tokens passed in HTTP headers & query strings

Akin to SAML tokens
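The token format this slide refers to, minted and verified end to end, as an added example (my code, not the talk's or Twobo's): a compact-serialised JWS carrying JWT claims, signed with HMAC-SHA256 using only the standard library. The key, issuer, audience and expiry values are constructed for illustration; a real API would load the key from the issuer's JWK set. The point a practitioner should take from it is that the verifier, not the token header, decides the algorithm, and that the claims are only read after the signature holds. One caveat on the slide's "headers & query strings": the verifier below does not care how the token arrived, but a token in a query string lands in server logs, proxy logs and browser history, so the Authorization header is the safer transport.

```python
# Added example (not from the talk): HS256 JWS mint/verify with the standard
# library. Key, issuer, audience and timestamps below are constructed values.
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://idp.example"          # assumed issuer URL
AUDIENCE = "https://api.example"        # assumed API identifier


class InvalidToken(Exception):
    """Raised for any verification failure; the message is for logs, not clients."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jws(claims, key):
    """HS256-sign `claims`; return header.payload.signature (compact serialisation)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jws(token, key, issuer, audience, now=None):
    """Return the claims if alg, signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    except (ValueError, UnicodeError) as exc:
        raise InvalidToken("undecodable token") from exc
    # The verifier pins the algorithm; the header is attacker-controlled text.
    # This rejects "none" and any alg the shared key was never meant for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        raise InvalidToken("bad signature")
    # Only now do the claims mean anything.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeError) as exc:
        raise InvalidToken("undecodable payload") from exc
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise InvalidToken("wrong audience")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("missing or past exp")
    return claims


def is_valid(token, key, issuer, audience, now):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_jws(token, key, issuer, audience, now)
        return True
    except InvalidToken:
        return False


def forge_alg_none(token):
    """What an attacker sends to a verifier that trusts the header: same payload,
    alg switched to "none", signature segment left empty."""
    _, payload_b64, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."


if __name__ == "__main__":
    token = encode_jws({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                        "exp": 1700003600}, DEMO_KEY)
    print("genuine:", is_valid(token, DEMO_KEY, ISSUER, AUDIENCE, 1700000000))
    print("alg=none:", is_valid(forge_alg_none(token), DEMO_KEY, ISSUER, AUDIENCE, 1700000000))
```

The `now` parameter exists so the expiry check is testable; in production leave it at the default and allow a small clock skew only if the issuer's clock is known to drift.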

The Neo-security Platform

Identity Management System

API Management System

Entitlement Management System

Building on the Platform

Solutions must be “baked”

Web SSO

Account Management & Provisioning

Authorization

Social Media Aggregation

API Security

using open apis

Get Started

‣ Use an API without authentication

‣ Nobel Prize API

‣ Make request

‣ Parse response

using open apis

Get Started

‣ cURL

‣ Postman

‣ Unirest

‣ Java, .NET, Python...
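The two "Get Started" slides above as one runnable Python example (added here, not code from the talk): make the request, then parse the response. The fetch helper uses only the standard library and adds the three checks a client of a third-party API usually forgets, a timeout, a body-size cap and a media-type check. The SAMPLE document is constructed by me in the shape I assume the Nobel Prize API v1 endpoint (https://api.nobelprize.org/v1/prize.json) returns, so the parser can be exercised offline; the ids in it are placeholders.

```python
# Added example (not from the talk): call an open API that needs no
# authentication and parse its JSON. SAMPLE is a constructed response in the
# assumed shape of the Nobel Prize API v1; placeholder ids, abbreviated fields.
import json
import urllib.request


def fetch_json(url, timeout=10, max_bytes=1 << 20):
    """GET a JSON document with a timeout, a body-size cap and a media-type check."""
    if not url.startswith("https://"):
        raise ValueError("refusing to call a non-TLS URL")
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get_content_type()
        if ctype != "application/json":
            raise ValueError(f"unexpected content type {ctype!r}")
        body = resp.read(max_bytes + 1)        # read one byte past the cap to detect overflow
        if len(body) > max_bytes:
            raise ValueError("response larger than the agreed cap")
    return json.loads(body.decode("utf-8"))


SAMPLE = {
    "prizes": [
        {"year": "2013", "category": "physics",
         "laureates": [
             {"id": "1", "firstname": "François", "surname": "Englert", "share": "2"},
             {"id": "2", "firstname": "Peter", "surname": "Higgs", "share": "2"}]},
        {"year": "2013", "category": "peace",
         "laureates": [
             {"id": "3", "firstname": "Organisation for the Prohibition of Chemical Weapons",
              "share": "1"}]},
        {"year": "1940", "category": "physics",
         "overallMotivation": "No Nobel Prize was awarded this year."},
    ]
}


def laureates(payload, category=None):
    """Return (year, category, name) triples, validating every field we rely on.

    A third-party API is untrusted input and its shape can change without
    notice, so check types instead of assuming them."""
    prizes = payload.get("prizes") if isinstance(payload, dict) else None
    if not isinstance(prizes, list):
        raise ValueError("payload has no 'prizes' list")
    result = []
    for prize in prizes:
        if not isinstance(prize, dict):
            raise ValueError(f"malformed prize entry: {prize!r}")
        year, cat = prize.get("year"), prize.get("category")
        if not (isinstance(year, str) and year.isdigit() and isinstance(cat, str)):
            raise ValueError(f"malformed prize entry: {prize!r}")
        if category is not None and cat != category:
            continue
        # Years with no award carry no "laureates" key; organisations have no surname.
        for person in prize.get("laureates", []):
            if not isinstance(person, dict):
                raise ValueError(f"malformed laureate: {person!r}")
            parts = [person.get(k) for k in ("firstname", "surname")]
            name = " ".join(p for p in parts if isinstance(p, str) and p)
            if not name:
                raise ValueError(f"laureate without a name: {person!r}")
            result.append((int(year), cat, name))
    return result


if __name__ == "__main__":
    # Query parameters assumed from the v1 API; falls back to SAMPLE when offline.
    url = "https://api.nobelprize.org/v1/prize.json?year=2013&category=physics"
    try:
        payload = fetch_json(url)
    except (OSError, ValueError) as exc:
        print("live request failed, using constructed sample:", exc)
        payload = SAMPLE
    for year, cat, name in laureates(payload, "physics"):
        print(year, cat, name)
```

The same structure carries over to any other open API: a tiny fetch wrapper that enforces transport and size limits, a strict parser that fails loudly on shape changes, and a constructed fixture so the parser has tests that do not depend on the network.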

publishing open apis

Get Started

‣ Identify source

‣ Design based on external requirements

‣ Do NOT mimic internal structures

‣ Mashape

‣ Use your own API!

publishing open apis

Get Started (Pro)

‣ Business case, marketing plan etc

‣ Analyze requirements

‣ What to build & what to buy

‣ Build a community!

Thank you

nordicapis.com/oredev2013
