Erik Wahlström
Technology Strategist
9/19/2013
Protecting your Applications and APIs with Nordic e-IDs
Today's topics
eIDs are in the news.
What is an eID?
What are the Nordic eIDs?
Three ways to use your eIDs to protect apps and APIs.
What is an eID?
Digital passport to authenticate and sign.
Issued or trusted by governments.
Legally binding.
What’s up next?
New platform for Swedish BankID.
SAML based identity federations like eID2.
New projects in Norway and Finland.
How to protect an API using eID?
Web based APIs.
Protocol handlers.
Use browsers and OAuth2.
A token can be anything.
Alternatives to call an API:
Swedish Mobile BankID.
OAuth2 to authenticate using any other type of eID.
Bind two devices together to use smartcards on smartphones.
Mobile BankID sequence diagram (built up step by step over several slides; only its labels survive extraction): Personal number, Authentication, Collect, Token, Question.
The bankid:// protocol handler URL shown on the diagram, carrying the nexus:// return URL:
bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz
The nexus:// return URL delivered back to the calling app:
nexus://state=xyz
Use your browser to authenticate using any eID
OAuth2 industry standard to protect APIs.
Define a way to get an authorization to use an API.
A token or two is good.
Use the token to access the API.
Use OAuth2 and a browser dance to authenticate.
Enables any method and eIDaaS.
https://example.com/oauth2?response_type=code&client_id=nexus&redirect_uri=nexus%3A%2F%2Fauthorization&scope=api&state=xyz
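As an added example that is not from the deck: the client side of the browser dance above in Python, building the slide's authorization request with a fresh state and checking that state when the nexus:// redirect lands back in the app, so a callback the app never asked for (or a replayed one) is not turned into a token. The endpoint, client id and redirect scheme are the slide's own placeholders; the `pending` dict standing in for the app's store of issued states is an assumption.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders taken from the slide's example URL, not a real deployment.
AUTHZ_ENDPOINT = "https://example.com/oauth2"
CLIENT_ID = "nexus"
REDIRECT_URI = "nexus://authorization"   # custom scheme the app registers


def build_authorization_url(pending: dict) -> str:
    """Create the authorization request and remember the state it carries.

    `pending` is assumed to be the app's store of states issued but not yet
    consumed; here an in-memory dict keyed by the state value."""
    state = secrets.token_urlsafe(16)    # unguessable, fresh per request
    pending[state] = True
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "api",
        "state": state,
    })
    return f"{AUTHZ_ENDPOINT}?{query}"


def accept_callback(callback_url: str, pending: dict) -> Optional[str]:
    """Validate a URL delivered to the app's nexus:// protocol handler.

    Returns the authorization code only when the URL targets the registered
    redirect and carries a state this app issued. The state is consumed on
    first use, so delivering the same URL twice yields None the second time."""
    parts = urlsplit(callback_url)
    if parts.scheme != "nexus" or parts.netloc != "authorization":
        return None                      # not our redirect target at all
    params = parse_qs(parts.query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not code or pending.pop(state, None) is None:
        return None                      # unknown, missing or reused state
    return code
```

The code returned here still has to be exchanged for the token at the token endpoint; that exchange is where the slide's "a token or two" comes from.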
Use an eID on another device
Put the rather sad user to work.
Connect two devices.
Refresh tokens make it usable.
Final words
BYOD and consumerization.
eIDaaS and OAuth2 for best coverage.
Refresh tokens are not always OK.
WebCrypto is cool.