API security with OAuth2
Anthony Chow
Twitter: @vCloudernBeer
Different kinds of APIs
• https://ffeathers.wordpress.com/2014/02/16/api-types/
REST API Security Best Practice
• OWASP - Open Web Application Security Project
• https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
• https://dzone.com/articles/top-5-rest-api-security-guidelines
What is OAuth2?
OAuth2
• “Open Authentication” (??): a common but misleading expansion, since OAuth2 handles authorization, not authentication
• Authorization delegation
• An authorization framework
• Defined by RFC 6749 and 6750
• OAuth 1 is defined by RFC 5849
• OAuth 1 and OAuth 2 are not compatible
OAuth2 Actors
• Image source: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh/
OAuth2 Flows (grants)
• Image source: https://www.slideshare.net/rcandidosilva/javaone-2014-securing-restful-resources-with-oauth2
OAuth2 Authorization Grants
• Different ways of getting a token
• Authorization code,
• Implicit grant,
• Resource owner password credentials and
• Client credentials
• Which OAuth 2.0 flow should I use?
OAuth2 Tokens
• Access Token
• Refresh Token
OAuth2 simplified view
• Image source: https://www.hivemq.com/wp-content/uploads/oauth-simple.png
OpenID Connect (OIDC)
• Image source: https://developer.okta.com/standards/OIDC/index
OpenID Connect vs OAuth2
• Image source: https://www.slideshare.net/vladimirdzhuvinov/openid-connectexplained
JSON Web Token (JWT)
• Image source: www.youtube.com
OAuth2 + OIDC + JWT
• Image source: http://kasunpanorama.blogspot.com/2015/11/microservices-in-practice.html
Resources for API Security
• Auth0: https://auth0.com/
• Mulesoft: https://www.mulesoft.com/
• Ory: https://www.ory.am/index.html
• Stormpath (now Okta): https://www.okta.com/
• Nordic APIs: https://nordicapis.com/
• Amazon Cognito: https://aws.amazon.com/cognito/
Resources for JSON Web Token
• https://auth0.com/learn/json-web-tokens/
• https://jwt.io/introduction/
• https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
• https://auth0.com/e-books/jwt-handbook
Resources for OAuth2
• RFC 6749 - https://tools.ietf.org/html/rfc6749
• RFC 6750 - https://tools.ietf.org/html/rfc6750
• https://auth0.com/docs/protocols/oauth2
• https://developers.google.com/oauthplayground/
