API Auth By Kyle Bradley

Role Definitions

- User (Resource Owner): the person who is giving access to some portion of their account.
- Server/API (Resource Server): the API server used to access the user's information.
- Client (Third-Party Application): the application that is attempting to get access to the user's account. It needs the user's permission before it can do so.

OAuth 2.0 Grant Types

- Authorization Code: apps running on a web server
- Implicit Grant: browser-based and mobile apps
- Password: internal username/password
- Client Credentials: application access

Authorization Code Type (Secure Server)

1. Client requests authorization from the server using its Client Id (user is redirected to the server to allow access).
2. Server returns an auth code to the client (user is redirected back to the client).
3. Client sends to the server: Client Id, Client Secret, Auth Code.
4. Server responds with an access token.

Implicit Type (Browser, Apps)

1. Client requests a token from the server using its Client Id (user is redirected to the server to allow access).
2. Server returns the token.

Password (Internal Username-Password)

1. Client collects the user's username and password.
2. Client sends to the server: Client Id, Username, Password.
3. Server responds with an access token.

Client Credentials (Client stores a client secret)

1. Client sends to the server: Client Id, Client Secret.
2. Server responds with an access token.

Two-Legged Auth

- Client Credentials
- Implicit Grant
- Password
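The token-issuing exchanges on the four grant-type slides above, worked through as an added example that is not from the presentation: a minimal in-memory authorization server in Python. The client ids, secret, user credentials and lifetimes are constructed; the client-secret check, the one-time short-lived authorization code, and the refusal of client_credentials to public clients are the checks a server implementing these flows needs.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample registries (illustrative values, not from the slides).
CLIENTS = {
    "web-app": {"secret": "s3cr3t-web", "confidential": True},   # runs on a web server
    "spa":     {"secret": None,         "confidential": False},  # browser app, cannot keep a secret
}
USERS = {"alice": "correct-horse"}  # stand-in for the resource owners' credential store

@dataclass
class AuthServer:
    codes: dict = field(default_factory=dict)   # code  -> (client_id, user, expires_at)
    tokens: dict = field(default_factory=dict)  # token -> (client_id, user, expires_at)

    def authorize(self, client_id, user, response_type):
        """Front channel: the user has just approved access in their browser."""
        if response_type == "token":            # Implicit grant: token returned directly
            return self._issue(client_id, user)
        code = secrets.token_urlsafe(16)        # Authorization Code grant: short-lived code
        self.codes[code] = (client_id, user, time.time() + 60)
        return code

    def token(self, grant_type, client_id, client_secret=None, **params):
        """Back channel: the token endpoint."""
        client = CLIENTS[client_id]
        if client["confidential"] and not secrets.compare_digest(
                client_secret or "", client["secret"]):
            raise PermissionError("invalid client secret")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)        # codes are single use
            if entry is None or entry[0] != client_id or entry[2] < time.time():
                raise PermissionError("invalid or expired code")
            return self._issue(client_id, entry[1])
        if grant_type == "password":                            # internal apps only
            expected = USERS.get(params["username"], "")
            if not secrets.compare_digest(expected, params["password"]):
                raise PermissionError("bad user credentials")
            return self._issue(client_id, params["username"])
        if grant_type == "client_credentials":                  # application access, no user
            if not client["confidential"]:
                raise PermissionError("public clients cannot use client_credentials")
            return self._issue(client_id, None)
        raise ValueError("unsupported grant_type")

    def _issue(self, client_id, user):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, user, time.time() + 3600)
        return tok
```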

Gateway Security

Apps are inherently vulnerable (reverse engineering).

Modify Current System
- Implement a "Client" entity with an IsSafe property.
- Safe clients can use the AppKey on all calls.
- Non-safe clients require a token to access Paths calls.
- Allows us to constrain individual calls.

Overly OAuth (Recommended)
- Implement a "Client" entity with an Allow Implicit property (external clients will have to use client credentials).
- Use the Implicit grant type (Client Credentials on secure servers).
- Client_ID is the AppKey; Client Secret is optional.
- Constrain on a temporary token (expiry / limited calls).
- Token is used purely for data analysis and as an identifier within Fmw/Tct.

Overly OAuth (cont.)

Default roles per call that can be assigned to clients:
- Basic: GET Paths call
- Moderate: GET Paths, Announcements, etc.
- Internal: POST Coordinates, etc.
- Trusted: GET Timetables
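The gateway design on these two slides (a temporary token constrained by expiry and a call budget, with a default role per client checked against a minimum role per call), as an added example that is not from the presentation. The four role names follow the slide; the call paths, client ids, TTL and call budget are constructed.

```python
import time
from dataclasses import dataclass

# Role ladder from the slide, ordered least to most privileged.
ROLES = ["Basic", "Moderate", "Internal", "Trusted"]

# Constructed call table: minimum role per gateway call (call names follow the slide).
REQUIRED_ROLE = {
    ("GET", "/paths"):         "Basic",
    ("GET", "/announcements"): "Moderate",
    ("POST", "/coordinates"):  "Internal",
    ("GET", "/timetables"):    "Trusted",
}

# Constructed client registry: the default role the gateway assigns to each AppKey.
CLIENT_ROLES = {"client-a": "Moderate", "client-b": "Basic"}

@dataclass
class Token:
    client_id: str      # the AppKey; doubles as the identifier used for analytics
    role: str
    expires_at: float
    calls_left: int     # the "limited calls" constraint

def issue_token(client_id, ttl=900, max_calls=100, now=None):
    """Mint a temporary token carrying the client's default role."""
    now = time.time() if now is None else now
    return Token(client_id, CLIENT_ROLES[client_id], now + ttl, max_calls)

def authorize_call(token, method, path, now=None):
    """Gateway check for one API call; returns (allowed, reason)."""
    now = time.time() if now is None else now
    if now >= token.expires_at:
        return False, "token expired"
    required = REQUIRED_ROLE.get((method, path))
    if required is None:
        return False, "unknown call"            # deny by default
    if ROLES.index(token.role) < ROLES.index(required):
        return False, f"role {token.role} below {required}"
    if token.calls_left <= 0:
        return False, "call limit reached"
    token.calls_left -= 1                       # count only calls that were allowed
    return True, f"ok client={token.client_id}"
```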

Clients

- FindMyWay
- TransportCapeTown
- AppCampus
- GauTrain*

Sources

- oAuth Bible: overview of OAuth in its entirety
- oAuth Simplified: the different grant types and flows
- Apps aren't secure #1: own API to own iOS app
- Apps aren't secure #2: never verify any entity; only verify what they are telling you and then assume honesty
- Apps aren't secure #3: the token system is secure on the web; the app is vulnerable
- Securing OpenApi: different methods and why to use the Implicit Grant