
Securing API data models

Security and usability: two methodologies that have fought each other since there was a login. We have progressed from the simple belief that developers will use something painful as long as it is secure to a more enlightened stage of balancing good security with usability and judgement, and along the way we have seen the death of many specs and standards. Two open standards are leading the charge for this new auth age: OAuth 2 and OpenID Connect. In this talk we will explore the principles and standards behind API auth security, including: using OAuth 2 and OpenID Connect as the entry point for secure API data auth; how those implementations have cannibalized previous standards to create something both secure and usable; and how to use these standards in practice.

jcleblanc


Presentation Transcript


  1. Securing API Data Models Building on the Ashes of Past Standards Jonathan LeBlanc Head of Developer Evangelism (North America) Github: http://github.com/jcleblanc Slides: http://slideshare.net/jcleblanc Twitter: @jcleblanc

  2. The Ultimate Decision: Security vs. Usability

  3. The Insecure, Unmanageable Start

  4. Very Secure, Long to Implement

  5. Two Currently Widely Used Specs

  6. Fetching a Code. Prepare the redirect URI to the authorization endpoint with: client_id, response_type (code), scope, redirect_uri, nonce, state. Browser redirect to the authorization endpoint; the user is sent back to the redirect URI.

  7. Fetching the Access Token. Fetch the access token with an HTTP POST to the access token endpoint carrying: client_id, client_secret, code (from the query string of the redirect), grant_type.

  8. A few implementation differences: endpoints; scopes (dynamic / static); using the access token in a request.
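The client side of the flow sketched in slides 6 through 8, as an added example that is not from the slides or from the jcleblanc/oauth or paypal/paypal-access repositories. The endpoint URLs, client credentials and redirect URI are constructed placeholders; the provider's authorization and token endpoints are not contacted, so the block only builds the redirect, validates the callback, prepares the token POST, checks the ID token claims and forms the bearer header. It assumes the ID token's signature has already been verified by a JWT library before the claims reach `check_id_token_claims`.

```python
"""Client half of the OAuth 2 / OpenID Connect authorization-code flow.

Added example, not the project's code. Endpoints, client credentials and
the redirect URI below are hypothetical placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoints and client registration (placeholders).
AUTHORIZATION_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "my-client-id"
CLIENT_SECRET = "my-client-secret"
REDIRECT_URI = "https://app.example.com/callback"


def start_authorization(scope="openid profile"):
    """Slide 6: build the redirect to the authorization endpoint.

    Returns (url, session). `session` holds the state and nonce the client
    must remember (server-side session or signed cookie) so it can check the
    callback and, later, the ID token.
    """
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],  # binds the callback to this browser session (CSRF)
        "nonce": session["nonce"],  # OpenID Connect: ties the ID token to this request
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", session


def handle_callback(callback_url, session):
    """Validate the browser redirect back to the redirect URI and extract the code.

    Rejects error responses, a missing code, and a state that does not match
    the stored one (constant-time compare).
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(code):
    """Slide 7: the HTTP POST the client sends to the access token endpoint.

    Returns (url, form_body), e.g. for requests.post(url, data=form_body).
    The code is single-use, and client_secret must never reach the browser.
    redirect_uri is repeated because it was sent in the authorization request.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return TOKEN_ENDPOINT, body


def check_id_token_claims(claims, session):
    """OpenID Connect: the nonce sent in slide 6 must come back in the ID token.

    `claims` is assumed to be the payload of an already signature-verified JWT.
    """
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token was not issued for this client")
    nonce = str(claims.get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), session["nonce"].encode()):
        raise ValueError("nonce mismatch: replayed or injected ID token")
    return claims["sub"]


def bearer_header(access_token):
    """Slide 8: presenting the access token in an API request."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    url, session = start_authorization()
    # Constructed callback, as the provider would redirect the browser.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['state']}"
    code = handle_callback(callback, session)
    endpoint, body = token_request(code)
    print(endpoint, body)
```

The state and nonce are generated per authorization request and stored out of the browser's reach; a callback whose state does not match is rejected before the code is ever exchanged, and an ID token whose nonce does not match is rejected before the subject is trusted.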

  9. How it’s Normally Used: access user details; push data through user social streams.

  10. But why? Access token as a control structure; improve existing products. Our showcase: Seamless Checkout.

  11. A Few Code Links. OAuth2 & OpenID Connect Samples: https://github.com/jcleblanc/oauth and https://github.com/paypal/paypal-access. Log in with PayPal: http://bit.ly/loginwithpaypal

  12. Thank You! Questions? http://bit.ly/securing_apis. Jonathan LeBlanc, Head of Developer Evangelism (North America). Github: http://github.com/jcleblanc. Slides: http://slideshare.net/jcleblanc. Twitter: @jcleblanc
