OAuth: The API Gatekeeper
Dick Hardt
Monday, November 4, 13

Uploaded by apigee

DESCRIPTION

Now that you have built your API, how do you let the right people have access to the right API at the right time? This talk covers the basics of API access management and then does a deep dive into modern authorization architectures.


Page 1: OAuth: The API Gatekeeper

The API Gatekeeper
Dick Hardt

Monday, November 4, 13

Pages 2-8: OAuth: The API Gatekeeper

Agenda (slide 2, revealed one bullet per page)

• Access Control Overview
• OAuth History
• OAuth Flows
• Implementation Steps
• What can go wrong?
• Q & A

Pages 9-14: OAuth: The API Gatekeeper

Authorization Code (slide 3, revealed one bullet per page)

• key into database
  – user, scope, app id, expiry (5 min)
• token (self contained)
  – user, scope, app id, expiry (5 min)
  – JWT

Pages 15-23: OAuth: The API Gatekeeper

Access Token Lifecycle (slide 4, revealed one bullet per page)

• key into database
  – user, scope, app id, expiry, status
• token (self contained)
  – user, scope, app id, expiry (60 minutes)
  – JWT
• Refresh token
  – user, scope, app id, expiry / status
  – JWT
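An added example, not code from the deck or from Apigee, covering both the Authorization Code and Access Token Lifecycle slides above: the authorization code is an opaque random key into a database row with a 5-minute expiry and single use; the access token is a self-contained, HS256-signed JWT with a 60-minute expiry; the refresh token is a database row with a status column so it can be rotated and revoked. The signing key, the AuthServer class and its method names, and the in-memory dicts standing in for tables are assumptions for illustration. The JWT encode/verify is hand-rolled so the example runs offline; a production server would use a vetted library, but the checks it has to make (pinned alg, constant-time signature comparison, expiry) are the ones shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: an HS256 key held only by the authorization server. In practice it
# comes from a KMS or secret store; this literal is only a placeholder.
SIGNING_KEY = b"placeholder-key-replace-with-32-random-bytes"

AUTH_CODE_TTL = 5 * 60       # slide: authorization code expiry (5 min)
ACCESS_TOKEN_TTL = 60 * 60   # slide: access token expiry (60 minutes)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict) -> str:
    """Self-contained token: the claims travel inside the token, signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_decode(token: str, now: float):
    """Return the claims if signature and expiry check out, else None.
    The alg is pinned to HS256, so a forged {"alg":"none"} header is rejected."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class AuthServer:
    """Hypothetical authorization-server core; dicts stand in for database tables."""

    def __init__(self):
        self.codes = {}    # opaque code -> {user, app_id, scope, exp}
        self.refresh = {}  # opaque refresh token -> {user, app_id, scope, status}

    def issue_code(self, user, app_id, scope, now):
        code = secrets.token_urlsafe(32)   # random key, meaningless outside this database
        self.codes[code] = {"user": user, "app_id": app_id, "scope": scope, "exp": now + AUTH_CODE_TTL}
        return code

    def redeem_code(self, code, app_id, now):
        # Single use: the row is deleted on the first attempt, valid or not, so a
        # replayed or guessed code never yields a token and is bound to the app id.
        rec = self.codes.pop(code, None)
        if rec is None or rec["app_id"] != app_id or rec["exp"] <= now:
            return None
        return self._grant(rec["user"], rec["app_id"], rec["scope"], now)

    def redeem_refresh(self, refresh_token, app_id, now):
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["status"] != "active" or rec["app_id"] != app_id:
            return None
        rec["status"] = "rotated"   # rotation: the presented refresh token is retired
        return self._grant(rec["user"], rec["app_id"], rec["scope"], now)

    def _grant(self, user, app_id, scope, now):
        access = jwt_encode({"sub": user, "client_id": app_id, "scope": scope,
                             "iat": now, "exp": now + ACCESS_TOKEN_TTL})
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = {"user": user, "app_id": app_id, "scope": scope, "status": "active"}
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TOKEN_TTL}


def authorize_request(token: str, required_scope: str, now: float = None):
    """What API middleware does per request: verify the self-contained token, check scope."""
    claims = jwt_decode(token, time.time() if now is None else now)
    if claims is None or required_scope not in claims.get("scope", "").split():
        return None
    return claims
```

The two representations trade differently: the database-keyed code and refresh token can be revoked by flipping a row, while the self-contained access token is valid until `exp` no matter what the server does, which is why the slide gives it a short 60-minute life and pairs it with a revocable refresh token.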

Page 24: OAuth: The API Gatekeeper

API Authorization Middleware
implementation dependent

Page 25: OAuth: The API Gatekeeper

X-RateLimit-Limit: 500
X-RateLimit-Remaining: 432
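One way the middleware on the two slides above can produce those headers, as an added example that is not the deck's or Apigee's code: a fixed-window counter keyed on the `client_id` carried by an already-validated token. The slide fixes only the headers, so the window length (an hour here), the class and function names, and the extra `X-RateLimit-Reset` header are assumptions.

```python
from collections import defaultdict

RATE_LIMIT = 500         # slide: X-RateLimit-Limit: 500
WINDOW_SECONDS = 3600    # assumption: the slide does not say what period the limit covers


class RateLimiter:
    """Fixed-window counter keyed by app id. One of many possible implementations;
    the slide only fixes the headers the API returns."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.counts = defaultdict(int)   # (app_id, window_start) -> requests served

    def check(self, app_id, now):
        window_start = int(now) // self.window * self.window
        key = (app_id, window_start)
        allowed = self.counts[key] < self.limit
        if allowed:
            self.counts[key] += 1
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - self.counts[key]),
            # not on the slide, but clients need to know when the window resets
            "X-RateLimit-Reset": str(window_start + self.window),
        }
        return allowed, headers


def authorization_middleware(limiter, claims, now):
    """Runs after token validation. The limit is keyed on the client_id the token
    carries, so one app cannot burn another app's quota, and the headers are
    returned on every response, including the 429 that rejects the request."""
    allowed, headers = limiter.check(claims["client_id"], now)
    return (200 if allowed else 429), headers
```

Keying on the token's own `client_id` rather than on a header the caller supplies is the security-relevant choice: the quota then belongs to the authenticated app, not to whatever the request claims to be.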

Pages 26-27: OAuth: The API Gatekeeper

Developer Documentation / Sandbox

Pages 28-36: OAuth: The API Gatekeeper

What can go wrong? (slide 8, revealed one bullet per page)

• Compromise of client secret
• Compromise of access tokens (server)
  – Developer resets client secret
  – All access tokens are invalidated
  – Refresh tokens still work, but require new secret
• Compromise of access token (client)
  – User revokes authorization
• Resolution is self service

Monday, November 4, 13
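The two self-service recoveries on the slide above, as an added example that is not from the deck or from Apigee. It uses the slides' "key into database" option for every token, where revocation is a status change on a row: a client-secret reset revokes the app's access tokens and forces refresh-token redemption to authenticate with the new secret, while a user revoking authorization kills that user's access and refresh tokens for the app and nobody else's. The TokenStore class, its method names and the in-memory dicts are assumptions. Note the caveat for the self-contained JWT option: a signed token stays valid until its expiry regardless of these status flips, so a server that issues JWTs and wants reset-on-compromise semantics needs a denylist or a secret-version claim checked on every request.

```python
import secrets


class TokenStore:
    """Hypothetical authorization-server tables, in memory. Tokens are opaque keys
    into these dicts, so revoking one is a status change on its row."""

    def __init__(self):
        self.clients = {}   # app_id -> {"secret": str}
        self.access = {}    # access token -> {user, app_id, scope, status}
        self.refresh = {}   # refresh token -> {user, app_id, scope, status}

    def register_client(self, app_id):
        secret = secrets.token_urlsafe(32)
        self.clients[app_id] = {"secret": secret}
        return secret

    def grant(self, user, app_id, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        row = {"user": user, "app_id": app_id, "scope": scope, "status": "active"}
        self.access[access] = dict(row)
        self.refresh[refresh] = dict(row)
        return access, refresh

    def access_ok(self, access):
        row = self.access.get(access)
        return row is not None and row["status"] == "active"

    def redeem_refresh(self, refresh, app_id, client_secret):
        # The client must authenticate with its *current* secret, so a leaked old
        # secret cannot turn a stolen refresh token into fresh access tokens.
        client = self.clients.get(app_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        row = self.refresh.get(refresh)
        if row is None or row["status"] != "active" or row["app_id"] != app_id:
            return None
        row["status"] = "rotated"   # one use per refresh token
        return self.grant(row["user"], app_id, row["scope"])

    # Slide: developer resets the client secret -> all access tokens invalidated,
    # refresh tokens still work but only with the new secret.
    def reset_client_secret(self, app_id):
        new_secret = secrets.token_urlsafe(32)
        self.clients[app_id]["secret"] = new_secret
        for row in self.access.values():
            if row["app_id"] == app_id:
                row["status"] = "revoked"
        return new_secret

    # Slide: user revokes authorization -> that user's tokens for that app die,
    # refresh tokens included; other users of the same app are untouched.
    def user_revokes(self, user, app_id):
        for table in (self.access, self.refresh):
            for row in table.values():
                if row["user"] == user and row["app_id"] == app_id:
                    row["status"] = "revoked"
```

Both recoveries are self service in the slide's sense: the developer rotates the secret from the developer console and the user revokes from their account page, and neither needs the API operator to intervene.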