Published byΤερψιχόρη Χριστόπουλος Modified over 5 years ago
1
API Security: OAuth, OpenID Connect & ABAC
September 12, 2019 Jonas Iggbom
2
Introducing the Business Context
5
Digital Transformation
Slide word cloud (figure residue, terms only): Microservices, API First, Cloud Computing, Containers, Mobile First, Big Data, Security, Internet of Things, Machine Learning; Partners, Staff, Suppliers, Customers; Digital Enterprise, Customer Intimacy, Process Automation, Collaboration, Business Insight; BI-Modal IT, IT Automation, Open for Business, DevOps, Business Transformation, IT.
7
The Authorization Perspectives
8
Dynamic Authorization
Diagram: an access request ("ACCESS?") is evaluated and answered with "PERMIT!" or "DENY!". Dynamic authorization is applicable to applications, APIs, microservices, databases and big data.
9
Attribute Based Access Control: a context-aware and dynamic authorization model that answers Who? What? When? Where? Why? How?
10
OAuth 2.0 OpenID Connect
11
ABAC Authorization Flow
12
API / Microservice Security Patterns
- OAuth 2.0 and OpenID Connect (OIDC) are commonly used to secure microservices
- Adequate for many scenarios and use cases; OAuth addresses the password anti-pattern
- This is not sufficient when handling sensitive information, which may be governed by privacy, export control, intellectual property protection, etc.
- The ABAC standard goes beyond entry-level authorization
13
OAuth – OpenID Connect – ABAC
Address OAuth limitations:
- Lack of a policy language
- Avoid scope explosion and "token bloat", the next generation of the role explosion issue
- Keep developers focused and avoid "API bloat"
- Externalize the access control; the API Gateway is the key integration point
- Enable inbound and outbound access control: filter data on the way back to the calling user/application
14
Are Scopes Sufficient? Scopes provide a way for a Resource Owner to delegate consent to the Client (e.g. a scope covering GET /record/123). This is a discretionary access control model.
15
Repeating History: Programmatic RBAC
@PreAuthorize("hasRole('admin')")
if (ctx.isCallerInRole("admin")) { ... }
16
RBAC for Web Applications
- Users are mapped to groups in LDAP
- The client authenticates to the Identity Provider and gets its group memberships (App Roles=employee,admin)
- The app then checks the role before serving GET /record/123:
@PreAuthorize("hasRole('admin')")
@RequestMapping(method = RequestMethod.GET, value = "/record/{id}")
17
Scopes: The new RBAC?
- Users are mapped to scopes in persistence
- The client authenticates to the OAuth Az (authorization) provider and gets scopes (App scopes=employee,admin)
- The app then checks the scope before serving GET /record/123:
@PreAuthorize("#oauth2.hasScope('admin')")
@RequestMapping(method = RequestMethod.GET, value = "/record/{id}")
18
What's Old is New Again
- Concerns about "scope explosion", similar to role explosion
- Potential for "API bloat", where separate APIs are developed to serve different communities (customers, partners, employees)
- Hard-coded access policies within the API delay application development, limit governance visibility and increase the cost of maintenance
19
Three Standards Working Together
20
OAuth/OIDC without ABAC
21
Typical ABAC – API Gateway Integration
22
OAuth – OIDC – ABAC
- ABAC complements OAuth flows by adding context not available to OAuth servers
- The gateway validates/requests tokens
- The gateway parses the token to build an authorization request, or passes the token on to the PDP
23
Filtering Data on API Response Leg
24
Authorization as a Microservice
- Stateless and immutable
- Well-defined interface (REST/JSON)
- Bounded context
- Fault tolerant
- Friendly!
25
A Quick Demonstration!
26
Architecture
27
The policy
28
JSON Web Token (JWT) - Alice
Header:
{ "alg": "HS256", "typ": "JWT" }
Payload:
{ "uid": "Alice", "clearance": "top secret", "role": "manager", "department": "Sales" }
Signature:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), my-secret )
Encoded token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOiJBbGljZSIsImNsZWFyYW5jZSI6InRvcCBzZWNyZXQiLCJyb2xlIjoibWFuYWdlciIsImRlcGFydG1lbnQiOiJTYWxlcyJ9.QXR2_Pwphfbx_lU9uyrUvbH-K-jA8BBnfuZkOkwARU8
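The slide shows the three JWT parts and the HS256 formula but not the gateway-side check. The following is an added example, not code from the deck or from Axiomatics: it rebuilds the token from the slide's header and payload (which reproduces the first two segments shown above exactly), verifies an HS256 signature the way a gateway must before trusting any claim, and separates that from an unverified "peek" used only to inspect a captured token. The key "constructed-demo-secret" and the helper names are assumptions of this example; whether the slide's own signature validates under the literal key "my-secret" depends on what the deck actually used, so the code only reports it.

```python
import base64
import hashlib
import hmac
import json

# Header, payload and encoded token exactly as shown on the JWT slide.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"uid": "Alice", "clearance": "top secret", "role": "manager", "department": "Sales"}
ALICE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1aWQiOiJBbGljZSIsImNsZWFyYW5jZSI6InRvcCBzZWNyZXQiLCJyb2xlIjoibWFuYWdlciIsImRlcGFydG1lbnQiOiJTYWxlcyJ9."
    "QXR2_Pwphfbx_lU9uyrUvbH-K-jA8BBnfuZkOkwARU8"
)


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Issuer side: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    seg_h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    seg_p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{seg_h}.{seg_p}".encode(), hashlib.sha256).digest()
    return f"{seg_h}.{seg_p}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: str):
    """Gateway side: return the claims only if the token is well formed, declares
    HS256 and its signature matches; otherwise None. Pinning the expected alg
    keeps 'alg: none' and algorithm-confusion tokens from being accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    seg_h, seg_p, seg_s = parts
    try:
        header = json.loads(b64url_decode(seg_h))
        signature = b64url_decode(seg_s)
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{seg_h}.{seg_p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    return json.loads(b64url_decode(seg_p))


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature. Fine for inspecting a
    captured token in a debugger; never a basis for an access decision."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    print("Unverified claims in the slide's token:", peek_claims(ALICE_TOKEN))
    # The slide names "my-secret" as the key; this only passes if that was the exact key used.
    print("Slide token verifies under 'my-secret':", verify_hs256(ALICE_TOKEN, "my-secret") is not None)
    secret = "constructed-demo-secret"  # constructed key for this example
    fresh = sign_hs256(HEADER, PAYLOAD, secret)
    print("Re-issued token verifies:", verify_hs256(fresh, secret) == PAYLOAD)
    # Swap in a payload claiming a lower clearance while keeping the old signature: the MAC no longer matches.
    seg_h, _, seg_s = fresh.split(".")
    altered = seg_h + "." + sign_hs256(HEADER, {**PAYLOAD, "clearance": "public"}, "other").split(".")[1] + "." + seg_s
    print("Altered payload verifies:", verify_hs256(altered, secret) is not None)
```

The payload segment produced by `sign_hs256` matches the slide's second segment byte for byte because `json.dumps` with compact separators preserves the claim order shown; the gateway should nonetheless treat the claims as input to an authorization request only after `verify_hs256` returns them.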
29
The authorization request
30
Call from Postman
31
JSON Request (XACML JSON profile; the %...# placeholders are gateway substitution variables filled from the incoming message):
{
  "Request": {
    "AccessSubject": {
      "Attribute": [
        { "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id", "Value": "%request.queryparam.token#" }
      ]
    },
    "Resource": {
      "Attribute": [
        { "AttributeId": "api.path", "Value": "%message.path#" },
        { "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "Value": "%message.path#" }
      ]
    },
    "Action": {
      "Attribute": [
        { "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", "Value": "%message.verb#" }
      ]
    }
  }
}
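Slides 22, 23 and 31 describe three steps the deck does not show in code: the gateway building an authorization request from token attributes and the message path/verb, the PDP answering it, and the gateway filtering the response on the way back. The following is an added, constructed example, not Axiomatics' product, the demo from the deck, or the Spring code on the earlier slides. Assumptions: the gateway has already verified the JWT and hands over its claims as a dict (so the token itself is not sent as the subject-id value, unlike the slide above); the PDP is an in-process stub evaluating one constructed ABAC policy (clearance must dominate the record's classification, non-GET verbs need the manager role, and a record from another department comes back with a `redact-fields` obligation); the resource catalogue, the obligation id and the non-URN attribute ids `clearance`, `role`, `department` and `api.path` are made up for this example.

```python
# Constructed ordering of clearance labels; the subject's clearance must dominate the record's.
CLEARANCE_RANK = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Constructed resource catalogue standing in for a PIP lookup keyed by API path.
RESOURCE_CATALOGUE = {
    "/record/123": {"classification": "secret", "department": "Sales"},
    "/record/456": {"classification": "top secret", "department": "Finance"},
}

XACML_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XACML_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
XACML_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Claims from the Alice token on the JWT slide (already verified by the gateway).
ALICE = {"uid": "Alice", "clearance": "top secret", "role": "manager", "department": "Sales"}


def build_xacml_request(claims: dict, path: str, verb: str) -> dict:
    """Gateway, inbound leg: turn verified claims plus message path/verb into the
    XACML JSON request shape shown on slide 31."""
    subject = [{"AttributeId": XACML_SUBJECT_ID, "Value": claims["uid"]}]
    for name in ("clearance", "role", "department"):  # extra subject attributes (assumed ids)
        if name in claims:
            subject.append({"AttributeId": name, "Value": claims[name]})
    return {"Request": {
        "AccessSubject": {"Attribute": subject},
        "Resource": {"Attribute": [
            {"AttributeId": "api.path", "Value": path},
            {"AttributeId": XACML_RESOURCE_ID, "Value": path},
        ]},
        "Action": {"Attribute": [{"AttributeId": XACML_ACTION_ID, "Value": verb}]},
    }}


def _attrs(category: dict) -> dict:
    """Flatten one request category into {AttributeId: Value}."""
    return {a["AttributeId"]: a["Value"] for a in category["Attribute"]}


def pdp_decide(request: dict) -> dict:
    """Stub PDP: evaluate the constructed policy and return a XACML-style response.
    A Permit may carry an obligation telling the gateway what to strip on the way back."""
    req = request["Request"]
    subj, res, act = _attrs(req["AccessSubject"]), _attrs(req["Resource"]), _attrs(req["Action"])
    record = RESOURCE_CATALOGUE.get(res.get(XACML_RESOURCE_ID))
    if record is None:
        return {"Response": [{"Decision": "NotApplicable"}]}
    if CLEARANCE_RANK.get(subj.get("clearance"), -1) < CLEARANCE_RANK[record["classification"]]:
        return {"Response": [{"Decision": "Deny"}]}
    if act.get(XACML_ACTION_ID) != "GET" and subj.get("role") != "manager":
        return {"Response": [{"Decision": "Deny"}]}
    obligations = []
    if subj.get("department") != record["department"]:  # other department: mask salary
        obligations.append({"Id": "redact-fields", "Fields": ["salary"]})
    return {"Response": [{"Decision": "Permit", "Obligations": obligations}]}


def filter_response(decision: dict, body: dict):
    """Gateway, response leg (slide 23): deny returns nothing; a Permit has its
    redact-fields obligations applied to the JSON body before it reaches the caller."""
    resp = decision["Response"][0]
    if resp["Decision"] != "Permit":
        return None
    redacted = dict(body)
    for ob in resp.get("Obligations", []):
        if ob["Id"] == "redact-fields":
            for field in ob["Fields"]:
                redacted.pop(field, None)
    return redacted


if __name__ == "__main__":
    record_body = {"id": 456, "owner": "Finance", "salary": 95000}  # constructed upstream response
    request = build_xacml_request(ALICE, "/record/456", "GET")
    decision = pdp_decide(request)
    print(decision)
    print(filter_response(decision, record_body))  # salary stripped: Alice is in Sales, not Finance
```

Because the decision and the obligation come from the PDP rather than from an annotation inside the API, changing who may see the salary field is a policy edit, not a redeploy of the record service; the gateway code only knows how to build the request and honour obligations.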
32
Summary
- Use the combined capabilities of OAuth 2.0, OIDC and ABAC to address the broadest set of authorization requirements
- Use scopes for their intended purpose, delegated consent, and avoid issues like scope explosion
- Streamline your API applications by externalizing authorization into microservices specialized in that functionality
- Deploy and operate your authorization service like a microservice for improved agility and efficiency
- Schedule a meeting with us to explore details further, based on your specific requirements
Gerry
33
Questions? Visit https://www.axiomatics.com
Contact us