A Practical Guide to API Security and OAuth for the Enterprise

K. Scott Morrison, CTO and Chief Architect, Layer 7 Technologies, Inc.

Eve Maler, Principal Analyst, Forrester Research, Inc.


Layer 7 Confidential 2

Housekeeping

Questions
- Chat any questions you have and we’ll answer them at the end of this call

Twitter
- Today’s event hashtag: #L7webinar
- Follow us on Twitter as well: @KScottMorrison, @xmlgrrl, @layer7, @forrester

facebook.com/layer7
layer7.com/blogs
layer7.com/linkedin


© 2009 Forrester Research, Inc. Reproduction Prohibited

OAuth As A Serious API Security Tool For Enterprises: A Practical Overview

Eve Maler, Principal Analyst


“API economy” technologies and habits are trickling down into the enterprise.

Leverage OAuth’s strengths for modern service and app security scenarios while steering clear of its dangers.


Agenda

- Web services are opening up — and paying a security price.
- OAuth is a powerhouse of API security and SSO solutions.
- Leverage OAuth’s ascendance while minding its weaknesses.


Web APIs aren’t toys; they’re business-enabling tools for retail, content delivery, financial transactions . . .


Security pros’ control over developers diminishes with distance


A variety of pressures make traditional security and access control methods less viable


Agenda: OAuth is a powerhouse of API security and SSO solutions.


Web 2.0 players originally invented OAuth simply to solve the “password antipattern”


At base, OAuth lets a person delegate constrained access from one app to another

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report


Using the OAuth approach helps manage risk, cost, and complexity in environments that need Zero Trust

- Gets client apps out of the business of storing passwords
- Allows for a variety of user authentication methods
- Allows app access to be tracked and revoked on a per-client basis
- Allows for least-privilege access to API features
- Can capture explicit user authorization for access
- Lowers the cost of secure app development
- Bonus: solves a much larger class of needs around security, identity, access, and privacy


In consumer-facing scenarios, services can audit who made each API call on whose behalf

- Third parties offer productivity apps to eBay sellers that list items and do other tasks through the eBay API
- These apps never see the seller’s eBay credentials
- They don’t merely “impersonate” the seller

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report


In extranet and SaaS integration scenarios, services can consume SAML

- Partner apps integrate with the construction firm’s valve-design service
- On-site partner engineers log in to their home systems through a tablet
- They can then use apps that call the valve-design service through SAML SSO

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report


OAuth-native SSO is “off label” but popular for unifying user-present and user-absent experiences

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report


“Two-legged” userless A2A scenarios enable uniform auditing and compliance for low-level services

Including services such as:
- Calculating sales tax
- Formatting shipping labels
- Verifying credit card numbers
- Performing HTML code checking

Most scenarios separate these two server functions

Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report


Agenda: Leverage OAuth’s ascendance while minding its weaknesses.


Simplicity doesn’t have to equal insecurity — if you use and insist on good OAuth practices

- Establish UX standards for users’ “consent ceremonies.”
- Use the strongest protocol options your ecosystem will tolerate.
- If you depend on password authentication, remember you’re not immune from user credential-stealing risks such as phishing.
- Store OAuth tokens and other secrets securely.
- Fully protect the use of your callback endpoint.
- If your use of OAuth involves cryptographic algorithms, reuse a well-tested library.

Server-side / Client-side
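One concrete way to act on the "fully protect the use of your callback endpoint" item, as an added example that is not code from the webinar, Layer 7 or Forrester: on the client side, an unguessable `state` value is bound to the browser session before the redirect to the AS and a callback is accepted only when that exact value comes back, once; on the AS side, the requested redirect URI is compared exactly against the one the client registered. The class and function names (`CallbackGuard`, `redirect_uri_allowed`), the session ids and the URLs are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client-side helper (not the webinar's or Layer 7's code): it tracks one
# pending authorization per browser session, keyed by an opaque session id.
class CallbackGuard:
    def __init__(self):
        self._pending = {}  # session_id -> state value sent to the AS

    def begin_authorization(self, session_id):
        # Bind an unguessable state value to this session before redirecting the RO
        # to the authorization server; the AS echoes it back on the callback.
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        return state

    def handle_callback(self, session_id, params):
        # Accept the returned code only if the state matches what THIS session
        # started; pop() makes each state single-use, so a replayed callback fails.
        expected = self._pending.pop(session_id, None)
        presented = params.get("state", "")
        if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
            return None                      # forged, stale or cross-session callback
        if "error" in params or "code" not in params:
            return None                      # AS reported an error or sent no code
        return params["code"]

def redirect_uri_allowed(registered, requested):
    # AS side: the redirect_uri in the request must match the registered one exactly
    # (scheme, host, port, path, query) and carry no fragment; prefix or substring
    # matching would let a callback be sent to an unregistered location.
    r, q = urlsplit(registered), urlsplit(requested)
    return (q.fragment == "" and
            (r.scheme, r.netloc, r.path, r.query) == (q.scheme, q.netloc, q.path, q.query))
```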


So how can you maximize value in an OAuth-enabled future?

- Determine which scenarios resonate with your organization’s needs.
- Ask which SaaS providers are in a position to force your hand.
- If you will be publishing your own web APIs, catalog your client app requirements and constraints.
- Partner with enterprise architects to plan how OAuth token handling and your current SOA infrastructure need to interact.
- Accept some volatility around OAuth’s evolution — and even embrace it.


In particular, keep an eye on OAuth’s SSO futures


Thank you

Eve Maler
+1 425.345.6756
[email protected]
Twitter: @xmlgrrl
www.forrester.com

A Practical Guide to API Security and OAuth for the Enterprise

K. Scott Morrison, CTO and Chief Architect


First Let’s Nail the Terminology…

- Resource Owner (RO) (a.k.a., the User)
- Client
- Authorization Server (AS)
- Resource Server (RS)

- Request Twitter (Client) Access – Facebook (AS)
- Authorization Grant – Twitter (Client), Facebook (AS): Finger of Resource Owner
- Authorization Granted – Twitter (Client), Facebook (AS)
- API Call (request for Protected Resource) from Twitter (Client) to Facebook (RS)
- Manage Twitter (Client) Access – Facebook (AS)
- Manage Flipboard (Client) Access – Facebook (AS)
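The slides above walk through the four roles with Twitter and Flipboard as clients of Facebook. The following is an added example, not code from the webinar or from the Layer 7 OAuth Toolkit, that simulates that sequence in memory: the authorization server issues a scoped bearer token to each client once the resource owner approves, the resource server validates the token and enforces scope on an API call, and revoking one client's access (the "manage access" step) leaves the other client's token working. Client ids, the owner name, scope names and the `introspect` helper are constructed for illustration.

```python
import secrets
import time

# Constructed in-memory authorization server (AS); not Layer 7's or any real product's code.
class AuthorizationServer:
    def __init__(self):
        self._tokens = {}  # token -> {"client", "owner", "scope", "exp"}

    def grant(self, client_id, owner, scope, ttl=3600):
        # Authorization granted: the RO approves client_id for a limited scope;
        # the client receives an opaque token and never sees the RO's password.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"client": client_id, "owner": owner,
                               "scope": frozenset(scope), "exp": time.time() + ttl}
        return token

    def introspect(self, token):
        # Used by the RS to validate a presented token; expired or revoked -> None.
        rec = self._tokens.get(token)
        return None if rec is None or rec["exp"] < time.time() else rec

    def revoke_client(self, owner, client_id):
        # Manage access: the RO revokes one client's tokens, other clients stay valid.
        doomed = [t for t, r in self._tokens.items()
                  if r["owner"] == owner and r["client"] == client_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

def resource_server_call(auth, authorization_header, required_scope):
    # API call to the RS: check 'Authorization: Bearer <token>' and enforce scope.
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "invalid_request"
    rec = auth.introspect(token)
    if rec is None:
        return 401, "invalid_token"        # unknown, expired or revoked
    if required_scope not in rec["scope"]:
        return 403, "insufficient_scope"   # least privilege: token lacks the scope
    return 200, f"{rec['client']} acting for {rec['owner']}"

def run_scenario():
    auth = AuthorizationServer()
    tw = auth.grant("twitter", "alice", ["read_profile"])
    fb = auth.grant("flipboard", "alice", ["read_profile", "read_feed"])
    return [resource_server_call(auth, f"Bearer {tw}", "read_profile")[0],  # 200
            resource_server_call(auth, f"Bearer {tw}", "read_feed")[0],     # 403
            auth.revoke_client("alice", "twitter"),                         # 1 token
            resource_server_call(auth, f"Bearer {tw}", "read_profile")[0],  # 401
            resource_server_call(auth, f"Bearer {fb}", "read_feed")[0]]     # 200
```

Each API call is answered with the client and owner it was made for, which is the per-call audit trail the consumer-facing slide describes.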

Comprehensive REST Access Control Needs:

OAuth Clients
- Provisioning
- Approval Flow
- Persistence
- Querying
- Metrics

OAuth Tokens
- Persistence
- Querying
- Metrics
- Revocation
- Refresh

OAuth Autz server
- Policy Modeling
- OAuth Protocol
- Identity integration
- Token issuing
- Token refresh
- SLA enforcement

Prot Res Server
- Policy Modeling
- Token validation
- Bearer, MAC, SAML
- Identity integration
- Integrity check
- API proxying
- SLA enforcement

Analytics
- Reports
- Monitoring
- SLAs
- Alerting

*all of this*


The Layer 7 OAuth Toolkit Provides:

The same set of capabilities: OAuth client provisioning, approval flow, persistence, querying and metrics; OAuth token persistence, querying, metrics, revocation and refresh; an OAuth authorization server with policy modeling, OAuth protocol support, identity integration, token issuing, token refresh and SLA enforcement; a protected resource server with policy modeling, token validation (Bearer, MAC, SAML), identity integration, integrity check, API proxying and SLA enforcement; and analytics with reports, monitoring, SLAs and alerting.

Omg, it’s full of win

*all of this*


Today’s Demo

- Resource Owner (RO) (a.k.a., the User)
- Client
- Authorization Server (AS)
- Resource Server (RS)

Get Recipe


Demo

To View the Demo, Download a Recording of This Webinar in the Layer 7 Resource Library: Layer7.com/library