Securing API Data Models
DESCRIPTION
Security and usability: two methodologies that have fought each other since there was a login. As we have progressed from the simple belief that developers will use something painful as long as it is secure, to an enlightened stage of balanced security and usability and sound judgement, we have seen the death of many specs and standards. Two open standards are leading the charge for this new auth age: OAuth 2 and OpenID Connect. In this talk we will explore the principles and standards behind API auth security, including: using OAuth 2 and OpenID Connect as the entry point for secure API data auth; how those implementations have cannibalized previous standards to create something both secure and usable; and how to practically use these standards.
TRANSCRIPT
Building on the Ashes of Past Standards
Securing API Data Models
Jonathan LeBlanc
Head of Developer Evangelism (North America)
Github: http://github.com/jcleblanc
Slides: http://slideshare.net/jcleblanc
Twitter: @jcleblanc
The Ultimate Decision
Security Usability
The Path to the Standard
The Insecure, Unmanageable Start
Very Secure, Long to Implement
Two Currently Widely Used Specs
Auth in Practice
Fetching a Code
Prepare the Redirect URI (Authorization Endpoint):
client_id
response_type (code)
scope
redirect_uri
nonce
state
Browser Redirect
Redirect URI
Fetching the Access Token
Fetch the Access Token (Access Token Endpoint):
client_id
code (query string)
client_secret
grant_type
HTTP POST
Access Token Endpoint
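The two slide steps above (send the browser to the authorization endpoint with client_id, response_type=code, scope, redirect_uri, nonce and state; then POST the returned code with client_id, client_secret and grant_type to the access token endpoint), worked through as an added example that is not code from the talk or the linked repositories. The endpoint URLs, client credentials and callback URL are placeholders, and the HTTP calls themselves are left to the reader's client library; the point shown is the state check on the callback and the nonce check on the OpenID Connect ID token.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            scope, state, nonce):
    """Step 1: the redirect URI the browser is sent to. `state` binds the
    callback to this session (CSRF defence); `nonce` is echoed back in the
    OpenID Connect ID token so a replayed token can be detected."""
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return f"{authorization_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 1b: the provider redirects back with `code` and `state` in the
    query string. Reject the response unless state matches what we issued."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(token_endpoint, client_id, client_secret, code,
                        redirect_uri):
    """Step 2: the HTTP POST body sent server-to-server to the access token
    endpoint; the client_secret never passes through the browser."""
    body = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}
    return token_endpoint, body


def verify_nonce(id_token_claims, expected_nonce):
    """OpenID Connect: the nonce from step 1 must appear in the ID token."""
    return id_token_claims.get("nonce") == expected_nonce


if __name__ == "__main__":
    # Placeholder endpoints and credentials; the callback URL is constructed.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url("https://idp.example/authorize", "my-client",
                                  "https://app.example/cb", "openid profile",
                                  state, nonce))
    code = parse_callback(f"https://app.example/cb?code=abc123&state={state}", state)
    print(build_token_request("https://idp.example/token", "my-client",
                              "s3cret", code, "https://app.example/cb"))
```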
A few implementation differences
Endpoints
Scopes (dynamic / static)
Using the Access Token in a request
Using the Skeleton Key
How it’s Normally Used
Access user details
Push data through user social streams
But why?
Access token as a control structure
Improve Existing Products
Our showcase: Seamless Checkout
A Few Code Links
OAuth2 & OpenID Connect Samples
https://github.com/jcleblanc/oauth
https://github.com/paypal/paypal-access
Log in with PayPal
http://bit.ly/loginwithpaypal
http://bit.ly/securing_apis
Thank You! Questions?