Demystifying OIDC & OAuth2
Rajesh Bavanantham
Solutions Architect
| ©2019 F52
Agenda
• OIDC Configuration
• Ingredients of token(s)
• Authentication flow
• Authorization
What makes me keep going during this lockdown
Just doing whatever “SHE” says
Terminology
OP – OpenID Provider
RP – Relying Party
AuthN – Authentication
First party apps – Apps developed & maintained by the Enterprise.
Third party apps – Apps developed & maintained by our partners/customers.
OIDC – OpenID Connect
User Journey – A flow to show how a user interacts with your apps (domain)
Terminology Continued…
Resource Credentials – ClientID & SecretKey
User Credentials – UserName & Password
AuthZ – Authorization
Entitlements – Elevated or appropriated access
Claims – Defined inside the token(s), both informational and for verification
OIDC grants – AuthCode + PKCE
OAuth2 grants – Client credentials
API Security Economy
• Around 50% of the Layer 7 vulnerabilities involve weak AuthN and poor AuthZ
Source: edgescan 2019 Vulnerability Statistics Report
API Security Economy
• Traditional approaches to AuthN are a primary target for credential stuffing
Source: edgescan 2019 Vulnerability Statistics Report
API Security Economy
• External hacking remained the largest threat actor (69%) and threat action (53%), respectively, for data breaches
• Up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly
• 55,141,782 malicious login attempts in 2019
Source: Imperva - The State of Vulnerabilities Report 2019
OIDC Configuration
OpenID Connect Configuration Endpoint
• RFC for OIDC configuration endpoint – https://openid.net/specs/openid-connect-discovery-1_0.html
• Google OIDC Configuration endpoint – https://accounts.google.com/.well-known/openid-configuration
• Salesforce OIDC Configuration endpoint – https://login.salesforce.com/.well-known/openid-configuration
Scope vs Claims
Scope: openid
Claims: "aud", "exp", "iat", "iss", "sub", "jti", "nbf"
Scope vs Claims
Scope: openid profile
Claims: "aud", "exp", "iat", "iss", "sub", "jti", "nbf", "family_name", "middle_name", "given_name", "locale", "picture", "organization_id", "preferred_username", "nickname", "updated_at", "user_id"
Scope vs Claims
Scope: openid profile email
Claims: "aud", "exp", "iat", "iss", "sub", "jti", "nbf", "family_name", "middle_name", "given_name", "locale", "picture", "organization_id", "preferred_username", "nickname", "updated_at", "user_id", "email", "email_verified"
Ingredients of Token(s)
Standard Access Token as JWT
{
  "sub": "1008092044",
  "iss": "https://idp.blah.com/authz/v1/",
  "aud": "https://api.blah.com/consumers/",
  "nbf": 1524225722,
  "exp": 1524226622,
  "iat": 1524225722,
  "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71"
}
Summary of Scope & Claims
Scope – Claims
profile – requests access to the default profile claims
email – requests access to the email and email_verified claims
address – requests access to the address claim
phone – requests access to the phone_number and phone_number_verified claims
Standard Access Token with Profile & Custom Claims
{
  "sub": "1008092044",
  "iss": "https://idp.blah.com/authz/v1/",
  "aud": "https://api.blah.com/consumers/",
  "nbf": 1524225722,
  "exp": 1524226622,
  "iat": 1524225722,
  "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71",
  "given_name": "firstName",
  "family_name": "lastName",
  "email": "firstName.lastName@GMAIL.COM",
  "user_metadata": {
    "crm_reference": "d34343dfdt6dfd"
  },
  "app_metadata": {
    "product_name": "ProductA"
  }
}
JWT Standard Claims
Claim – Description (Type): Used For
iss – Issuer (Validate): To validate who the issuer of the token is
sub – Subject (Informational): To identify the user uniquely
aud – Audience (Validate): To validate the recipients of the token; used to restrict which API can use the token
exp – Expiry (Validate): To validate the expiry of the supplied token
nbf – Not Before (Validate): To validate that the token is not used before a specified time
iat – Issued At (Informational): Gives information about when the token was created
jti – JWT ID (Validate): Unique identifier of a JWT, which would be used to revoke the token in the API Gateway
Token(s) Matrix
Access Token
Token type: access_token
JWT: YES   Opaque: YES   Mandatory: YES
Used for: Must only be used to access resources
Expiry time: 10-15 minutes
Validation:
• The client can choose not to validate and can rely solely on the API Gateway or IDP to validate.
• If the IDP does not produce a JWT (the token is opaque), then the IDP should provide OAuth2 introspection endpoints to verify the opaque token – refer to https://tools.ietf.org/html/rfc7662.
• The API Gateway must validate the access_token with default claims like exp, iat, aud, and iss.
• Services should validate the access_token with default claims like exp, iat, aud, and iss, and with custom claims like roles and groups if supplied.
Comments: Expiry of the access_token shouldn't be more than 10-15 mins.
Id Token
Token type: id_token
JWT: YES   Opaque: NO   Mandatory: NO
Used for: Must only be used to identify the user's details
Expiry time: Identical to access_token
Validation:
• id_token must be validated by the client.
• No entity should fail if id_token is not supplied.
• In some cases the client chooses to send the id_token along with the access_token to supply user details; the API Gateway should then verify the at_hash claim in the id_token to see whether the two tokens were produced for the same user together with the access_token.
• If it is supplied, the id_token must be validated by the services – signature and expiry validation.
Comments: id_token can accompany the access_token as an add-on if supplied by the IDP. However, it shouldn't be used to access resources.
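The at_hash check the Id Token row asks the API Gateway to perform, as an added example that is not part of the deck. It assumes the id_token has already passed signature and expiry validation, uses a constructed access_token string rather than a real token, and applies the alg-to-hash rule OIDC Core defines (RS256/HS256 use SHA-256, RS384 SHA-384, RS512 SHA-512).

```python
import base64
import hashlib
import hmac

# Added example (not from the deck): verify that an id_token presented alongside an
# access_token was minted for that access_token (and, where known, the same sub).


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def expected_at_hash(access_token: str, id_token_alg: str) -> str:
    """at_hash = base64url(left-most half of hash(ASCII(access_token))), where the hash is
    the one named by the id_token's JWS alg (the trailing digits: 256, 384 or 512)."""
    hash_name = {"256": "sha256", "384": "sha384", "512": "sha512"}.get(id_token_alg[-3:])
    if hash_name is None:
        raise ValueError(f"unsupported id_token alg {id_token_alg!r}")
    digest = hashlib.new(hash_name, access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def tokens_are_paired(id_token_header: dict, id_token_claims: dict, access_token: str,
                      access_token_claims=None) -> bool:
    """Gateway rule from the slide: when a client sends both tokens, the id_token must carry an
    at_hash matching the access_token. If the access_token is a JWT whose claims are known, the
    sub values must agree too, so user details can't be swapped in from another user's id_token."""
    at_hash = id_token_claims.get("at_hash")
    if not isinstance(at_hash, str):
        return False  # no binding at all: the id_token's user details can't be trusted for this call
    try:
        expected = expected_at_hash(access_token, id_token_header.get("alg", ""))
    except ValueError:
        return False  # unknown or 'none' alg: refuse rather than guess a hash
    if not hmac.compare_digest(at_hash, expected):
        return False
    if access_token_claims is not None and access_token_claims.get("sub") != id_token_claims.get("sub"):
        return False
    return True
```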
Refresh Token
Token type: refresh_token
JWT: NO   Opaque: YES   Mandatory: NO
Used for: Can only be used to request a new access_token upon expiry of the access_token
Expiry time: Expiry of the refresh_token will be greater than that of the access_token
Validation:
* refresh_token can request a new access_token upon expiry of the existing access_token. It will be the RP's responsibility; the RP could be the API Gateway or mobile/devices.
Comments:
• Expiry time can be configured depending on the use case. For mobile/devices it is recommended to have an expiry time of months to give a better user experience. However, the refresh_token needs to be protected with a PIN before the user can use it.
• For web apps used by consumers, expiry should be slightly higher than the access_token – 5 minutes.
• For web apps used in POS terminals by employees, expiry can be from a day up to a week.
• Don't request a new token until the token has expired.
AuthN Flows
Use Case for First Party Web Apps for AuthN
Easier migration for existing apps which rely on session AuthN to integrate with APIs.
If third party apps are browser-based and need long-running tokens (e.g. stores accessing resources), this AuthCode grant must be implemented on their server for secure token exchange.
If the client is a browser-based app, it can't store client_id & secret_key securely.
Grant type: the OIDC AuthCode grant should be used.
Gateway as RP – AuthCode Grant
Use Case for Mobile Devices (Native Apps) for AuthN
When first party or third party native mobile apps require AuthN.
When the user is required to log in.
Grant type used: OIDC Auth Code grant along with PKCE – Proof Key for Code Exchange.
Native Mobile App as RP – AuthCode Grant + PKCE
Use Case for System to System AuthN
Where users are not involved in integrating first party or third-party systems with the resource server.
Grant type used: OAuth2 Client Credentials grant.
System AuthN Pattern – OAuth2 Client Credentials Grant
Since this AuthN does not originate from a user, the token which the IDP created for a user should not be used to access other API resources. This can be mitigated by using the OIDC standard claim "aud".
Authorization
Coarse & Fine Level AuthZ
Coarse Level Authorization
• Whether the user has a valid token to consume resources
• Token is not expired – exp
• Token is not used before it is meant to be – nbf
• Token has an issuer which the API Gateway trusts – iss
• Token is signed by the issuer and has not been tampered with by the user – signature
• Token has a valid audience, which defines whether the token can be presented against a resource or not – aud
Fine Level Authorization
• Any other checks that happen at the user level or app level which were not taken care of by coarse level authorization.
• Fine level authorization checks are mostly:
  • Custom User claims
    − RBAC – Role based access control
  • Custom App claims
    − Terms & Conditions
    − Profile info to consume the app
Authorization
How to Present Custom Scope in a Request for Fine-level Authorization
• Custom scope must have a namespace – preferably a URI that identifies which product the consumer app is requesting access for.
  • https://www.blah.com/v1/customers/
• Custom scope can also be extended to request elevated access for the app and user
  • https://www.blah.com/v1/customers/customers.delete
  OR
  • https://www.blah.com/v1/customers/customers.admin
How Does an App Request Standard Scopes
GET /authorize?response_type=code
  &scope=openid profile email
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
How Does an App Request Standard & Custom OIDC Scopes for Fine-level Authorization
GET /authorize?response_type=code
  &scope=openid profile email https://www.blah.com/v1/customers.admin
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
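The two authorize requests above, built by a native app that also carries the PKCE parameters from the Mobile Devices use case, plus the authorization server's side of the code exchange, as an added example that is not part of the deck. The authorize endpoint (derived from the deck's issuer) is an assumption; client_id, state and redirect_uri are the values shown in the request, and the custom scope is the namespaced one from the slide.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Added example (not from the deck). Endpoint and client values are assumptions for illustration.
AUTHORIZE_ENDPOINT = "https://idp.blah.com/authz/v1/authorize"  # assumed, from the deck's iss
CUSTOM_ADMIN_SCOPE = "https://www.blah.com/v1/customers.admin"   # namespaced scope from the slide


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Native app side: (code_verifier, code_challenge) for the S256 method. Only the
    challenge travels in the authorize request; the verifier stays on the device until
    the token request, so an intercepted authorization code alone cannot be redeemed."""
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return code_verifier, code_challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, custom_scopes=()):
    """The slide's request with the PKCE parameters added; namespaced custom scopes are
    appended after the standard openid/profile/email scopes."""
    params = {
        "response_type": "code",
        "scope": " ".join(["openid", "profile", "email", *custom_scopes]),
        "client_id": client_id,
        "state": state,  # the client stores this and compares it on the callback
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def server_verify_code_exchange(stored_challenge, stored_method, presented_verifier) -> bool:
    """Authorization server side at the token endpoint: the verifier sent with the code must
    hash to the challenge bound to that code at /authorize. This example accepts only S256,
    since 'plain' offers no protection once the challenge has been observed."""
    if stored_method != "S256":
        return False
    if not (43 <= len(presented_verifier) <= 128):
        return False
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)
```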
Example 1: Token with Standard & Custom Claims
{
  "sub": "1008092044",
  "iss": "https://idp.blah.com/authz/v1/",
  "aud": "https://api.blah.com/consumers/",
  "nbf": 1524225722,
  "exp": 1524226622,
  "iat": 1524225722,
  "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71",
  "given_name": "firstName",
  "family_name": "lastName",
  "email": "firstName.lastName@GMAIL.COM",
  "user_metadata": {
    "crm_reference": "d34343dfdt6dfd"
  },
  "app_metadata": {
    "v1/customers": {
      "roles": "admin"
    }
  }
}
Example 2: Token with Standard & Custom Claims
{
  "sub": "1008092044",
  "iss": "https://idp.blah.com/authz/v1/",
  "aud": "https://api.blah.com/consumers/",
  "nbf": 1524225722,
  "exp": 1524226622,
  "iat": 1524225722,
  "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71",
  "given_name": "firstName",
  "family_name": "lastName",
  "Scope": "admin",
  "email": "firstName.lastName@GMAIL.COM",
  "user_metadata": {
    "crm_reference": "d34343dfdt6dfd"
  }
}
General Approach for Role Based Authorization Now
• There will be two endpoints for each resource if we need to give elevated access to a user.
• For example, if we want to give users the ability to read, update & create their own customer data, and admin access to delete a customer record:
  GET POST PUT DELETE /customers/v1
  DELETE /customers/v1/admin/delete
• A different authentication mechanism for admin endpoints, to protect the admin endpoints.
Admin Privileged APIs
/payments/v1
/payments/v1/admin/create
/payments/v1/admin/delete
/user-management/
/user-management/admin/create
/user-management/admin/update
/user-management/admin/delete
Recommendation
• Resource representation should be around a bounded business context.
• HTTP methods should represent what a user intends to do with a resource, NOT the endpoints.
GET /v1/customers/{customer-id} ==> Read
POST /v1/customers/{customer-id} ==> Create
PUT /v1/customers/{customer-id} ==> Update
DELETE /v1/customers/{customer-id} ==> Delete
Identify Your User Journey
Have a user journey in which you can identify your users and the personas that would interact with your business resources. This is an ongoing task.
Simplify your role definition – it depends on your domain:
User
Admin
Guest
Anonymous
User and Persona for Order Domain
Role != Permissions
• Generalized roles should come from the IDP
• Isolate permissions from the IDP
• Relevant apps should map roles to permissions (scalable)
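Fine-level, role-based authorization done in the app after the gateway's coarse-level checks, as an added example that is not part of the deck: the HTTP method names the action (Recommendation slide), the roles come from the token's app_metadata (Example 1 token), and the app keeps its own role-to-permission mapping so the IDP only ever issues generalized roles. The resource name, the role names and the mapping itself are assumptions for illustration.

```python
# Added example (not from the deck). Everything below the method table is an assumed
# app-side policy; the IDP never needs to know about these permissions.

METHOD_TO_ACTION = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}

# App-owned mapping from the generalized roles the IDP issues to concrete permissions.
ROLE_PERMISSIONS = {
    "v1/customers": {
        "admin": {"read", "create", "update", "delete"},
        "user": {"read", "create", "update"},
        "guest": {"read"},
    },
}

# Self-service roles may only act on the caller's own record: the {customer-id} in the
# path must equal the token's sub. Collection-level calls without an id are denied to them.
OWN_RECORD_ONLY = {"user", "guest"}


def split_path(path: str):
    """'/v1/customers/1008092044' -> ('v1/customers', '1008092044'); no id -> None."""
    parts = [p for p in path.split("/") if p]
    resource = "/".join(parts[:2])
    record_id = parts[2] if len(parts) > 2 else None
    return resource, record_id


def roles_for(claims: dict, resource: str) -> set:
    """Read roles from app_metadata[resource].roles. Example 1 carries a bare string;
    a list of roles is accepted as well."""
    entry = claims.get("app_metadata", {}).get(resource, {})
    roles = entry.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return set(roles)


def is_authorized(claims: dict, method: str, path: str) -> bool:
    """Deny by default: an unknown method, an unknown resource, no role granting the
    action, or a self-service role reaching for somebody else's record all fail."""
    action = METHOD_TO_ACTION.get(method.upper())
    if action is None:
        return False
    resource, record_id = split_path(path)
    perms_by_role = ROLE_PERMISSIONS.get(resource)
    if perms_by_role is None:
        return False
    for role in roles_for(claims, resource):
        if action not in perms_by_role.get(role, ()):
            continue
        if role in OWN_RECORD_ONLY and record_id != claims.get("sub"):
            continue
        return True
    return False
```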
Best Practices for Using access_token (while producing & accessing)
• No PII data in the access_token, whatsoever...
• Have a shorter expiry time for the access_token if the token is issued to an untrusted client (browser) – 2-5 mins.
• Always make your client applications request with scope, and let your IDP set the right audience the access_token is intended for.
• Don't overuse the access_token – meaning don't use the same access_token to access all the resources in your environment. Be specific with the aud claim about where it should be used, and gateways can reject the access if the token is not intended for that specific resource.
• Sign the token centrally in your IDP, where you can rotate the private/public key periodically. The API Gateway should be smart enough to cache the public key from the IDP for verification and to detect key rotation done by the IDP on the fly.
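A gateway-side implementation of the coarse-level checks listed earlier (signature, exp, nbf, iss, aud) together with the key caching and rotation detection called for in the last best practice, as an added example that is not part of the deck. Assumptions: HS256 with a per-kid secret stands in for the IDP's RS256 key pair (the kid/cache logic is identical), fetch_idp_keys() simulates the IDP's key endpoint, and the issuer and audience are the values from the deck's sample tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not from the deck). Issuer and audience match the deck's sample tokens;
# HS256 with a per-kid secret stands in for the IDP's RS256 key pair (assumption), and
# fetch_idp_keys() simulates the IDP's key endpoint.
TRUSTED_ISSUER = "https://idp.blah.com/authz/v1/"
THIS_API_AUDIENCE = "https://api.blah.com/consumers/"
CLOCK_SKEW = 30  # seconds of leeway for exp/nbf; a deployment choice


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Plays the IDP so the example runs offline: mint an HS256 JWT that names its kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Simulated IDP key endpoint: a rotation is simply a new kid appearing here.
# FETCH_COUNT lets a caller observe how often the gateway went back to the IDP.
IDP_KEYS = {"2019-key-1": b"constructed-secret-1"}
FETCH_COUNT = {"n": 0}


def fetch_idp_keys() -> dict:
    FETCH_COUNT["n"] += 1
    return dict(IDP_KEYS)


class KeyCache:
    """Keys cached by kid. An unseen kid triggers one refresh from the IDP, which is how a
    rotated key is picked up without a restart; a kid still unknown afterwards is rejected."""

    def __init__(self, fetch):
        self._fetch = fetch
        self._keys = {}

    def key_for(self, kid):
        if kid not in self._keys:
            self._keys = self._fetch()
        return self._keys.get(kid)


def validate_access_token(token: str, cache: KeyCache, now=None):
    """Coarse-level checks in the order a gateway should run them. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":  # the gateway fixes the algorithm, never the token
        return False, "alg"
    key = cache.key_for(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature"
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "iss"
    aud = claims.get("aud")
    if THIS_API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + CLOCK_SKEW:
        return False, "exp"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - CLOCK_SKEW:
        return False, "nbf"
    return True, "ok"
```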
Questions?
Rajesh Bavanantham
r.bavanantham@f5.com
apac-enquiries@NGINX.com
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptxHow to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
NGINX, Inc.
 
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
NGINX, Inc.
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
NGINX, Inc.
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
NGINX, Inc.
 
Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3Get Hands-On with NGINX and QUIC+HTTP/3
Get Hands-On with NGINX and QUIC+HTTP/3
NGINX, Inc.
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & KubecostManaging Kubernetes Cost and Performance with NGINX & Kubecost
Managing Kubernetes Cost and Performance with NGINX & Kubecost
NGINX, Inc.
 
Manage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with ObservabilityManage Microservices Chaos and Complexity with Observability
Manage Microservices Chaos and Complexity with Observability
NGINX, Inc.
 
Accelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with AutomationAccelerate Microservices Deployments with Automation
Accelerate Microservices Deployments with Automation
NGINX, Inc.
 
Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101Unit 2: Microservices Secrets Management 101
Unit 2: Microservices Secrets Management 101
NGINX, Inc.
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
Unit 1: Apply the Twelve-Factor App to Microservices ArchitecturesUnit 1: Apply the Twelve-Factor App to Microservices Architectures
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
NGINX, Inc.
 
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX, Inc.
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINXEasily View, Manage, and Scale Your App Security with F5 NGINX
Easily View, Manage, and Scale Your App Security with F5 NGINX
NGINX, Inc.
 
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINX, Inc.
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINXKeep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
NGINX, Inc.
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
NGINX, Inc.
 
Protecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINXProtecting Apps from Hacks in Kubernetes with NGINX
Protecting Apps from Hacks in Kubernetes with NGINX
NGINX, Inc.
 
NGINX Kubernetes API
NGINX Kubernetes APINGINX Kubernetes API
NGINX Kubernetes API
NGINX, Inc.
 
Successfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINXSuccessfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINX
NGINX, Inc.
 
Installing and Configuring NGINX Open Source
Installing and Configuring NGINX Open SourceInstalling and Configuring NGINX Open Source
Installing and Configuring NGINX Open Source
NGINX, Inc.
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptxHow to Avoid the Top 5 NGINX Configuration Mistakes.pptx
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
NGINX, Inc.
 
Ad

Recently uploaded (20)

Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
Lionel Briand
 
Creating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdfCreating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdf
Applitools
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Implementing promises with typescripts, step by step
Implementing promises with typescripts, step by stepImplementing promises with typescripts, step by step
Implementing promises with typescripts, step by step
Ran Wahle
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
FlakyFix: Using Large Language Models for Predicting Flaky Test Fix Categorie...
Lionel Briand
 
Creating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdfCreating Automated Tests with AI - Cory House - Applitools.pdf
Creating Automated Tests with AI - Cory House - Applitools.pdf
Applitools
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Implementing promises with typescripts, step by step
Implementing promises with typescripts, step by stepImplementing promises with typescripts, step by step
Implementing promises with typescripts, step by step
Ran Wahle
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 

Demystifying AuthN/AuthZ Using OIDC & OAuth2

  • 1. Demystifying OIDC & OAuth2
     Rajesh Bavanantham, Solutions Architect
  • 2. Agenda | ©2019 F5
     Rajesh Bavanantham, Solutions Architect
     • OIDC Configuration
     • Ingredients of token(s)
     • Authentication flow
     • Authorization
  • 3. What makes me keep going during this lockdown
     Just doing whatever “SHE” says
  • 4. Terminology
     OP – OpenID Provider
     RP – Relying Party
     AuthN – Authentication
     First party apps – Apps developed & maintained by the Enterprise
     Third party apps – Apps developed & maintained by our partners/customers
     OIDC – OpenID Connect
     User Journey – A flow to show how a user interacts with your apps (domain)
  • 5. Terminology (continued)
     Resource Credentials – ClientID & SecretKey
     User Credentials – UserName & Password
     AuthZ – Authorization
     Entitlements – Elevated or appropriate access
     Claims – Defined inside the token(s), both informational and for verification
     OIDC grants – AuthCode + PKCE
     OAuth2 grants – Client credentials
  • 6. API Security Economy
     • Around 50% of Layer 7 vulnerabilities involve weak AuthN and poor AuthZ
     Source: edgescan 2019 Vulnerability Statistics Report
  • 7. API Security Economy
     • Traditional approaches to AuthN are the primary target for credential stuffing
     Source: edgescan 2019 Vulnerability Statistics Report
  • 8. API Security Economy
     • External hacking remained the largest threat actor (69%) and threat action (53%) for data breaches
     • Up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly
     • 55,141,782 malicious login attempts in 2019
     Source: Imperva – The State of Vulnerabilities Report 2019
  • 9. OIDC Configuration
  • 10. OpenID Connect Configuration Endpoint
     • OpenID Connect Discovery 1.0 specification for the OIDC configuration endpoint – https://openid.net/specs/openid-connect-discovery-1_0.html
     • Google OIDC configuration endpoint – https://accounts.google.com/.well-known/openid-configuration
     • Salesforce OIDC configuration endpoint – https://login.salesforce.com/.well-known/openid-configuration
  • 11. (no text on this slide)
  • 12. Scope vs Claims
     Scope: openid
     Claims: "aud", "exp", "iat", "iss", "sub", "jti", "nbf"
  • 13. Scope vs Claims
     Scope: openid profile
     Claims: "aud", "exp", "iat", "iss", "sub", "jti", "nbf", "family_name", "middle_name", "given_name", "locale", "picture", "organization_id", "preferred_username", "nickname", "updated_at", "user_id"
  • 14. Scope vs Claims
     Scope: openid profile email
     Claims: "aud", "exp", "iat", "iss", "sub", "jti", "nbf", "family_name", "middle_name", "given_name", "locale", "picture", "organization_id", "preferred_username", "nickname", "updated_at", "user_id", "email", "email_verified"
  • 16. Standard Access Token as JWT
     {
       "sub": "1008092044",
       "iss": "https://idp.blah.com/authz/v1/",
       "aud": "https://api.blah.com/consumers/",
       "nbf": 1524225722,
       "exp": 1524226622,
       "iat": 1524225722,
       "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71"
     }
  • 17. Summary of Scope & Claims
     Scope    Claims
     profile  requests access to the default profile claims
     email    requests access to the email and email_verified claims
     address  requests access to the address claim
     phone    requests access to the phone_number and phone_number_verified claims
  • 18. Standard Access Token with Profile & Custom Claims
     {
       "sub": "1008092044",
       "iss": "https://idp.blah.com/authz/v1/",
       "aud": "https://api.blah.com/consumers/",
       "nbf": 1524225722,
       "exp": 1524226622,
       "iat": 1524225722,
       "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71",
       "given_name": "firstName",
       "family_name": "lastName",
       "email": "[email protected]",
       "user_metadata": { "crm_reference": "d34343dfdt6dfd" },
       "app_metadata": { "product_name": "ProductA" }
     }
  • 19. JWT Standard Claims
     Claim  Used For                                                                       Description  Type
     iss    To validate who is the issuer of the token                                      Issuer       Validate
     sub    To identify the user uniquely                                                   Subject      Informational
     aud    To validate the recipients of the token; used to restrict which API can use it  Audience     Validate
     exp    To validate the expiry of the supplied token                                    Expiry       Validate
     nbf    To validate that the token is not used before a specified time                  Not Before   Validate
     iat    Gives information about when the token was created                              Issued At    Informational
     jti    Unique identifier of the JWT, used to revoke the token in the API Gateway       JWT Id       Validate
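The claim table above as running code. This is an added example, not code from the deck: a gateway-side validator that performs the "Validate" rows (signature, iss, aud, exp, nbf) and treats iat and sub as informational. It assumes HS256 with a constructed shared secret so that it runs on the Python standard library alone; a production IDP signs with an asymmetric key and the gateway verifies against the IDP's public key (slide 46). The issuer, audience, sub and jti values are taken from the slide's example token; DEMO_SECRET, CLOCK_SKEW and all function names are this example's own.

```python
"""Coarse-level validation of a JWT access_token, following the claim table above."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values. Issuer and audience mirror the slide's example token; the
# shared secret stands in for the IDP's signing key (HS256 only so this runs on the
# standard library; a real gateway verifies RS256/ES256 with the IDP's public key).
DEMO_SECRET = b"demo-shared-secret-not-for-production"
TRUSTED_ISSUER = "https://idp.blah.com/authz/v1/"
EXPECTED_AUDIENCE = "https://api.blah.com/consumers/"
CLOCK_SKEW = 30  # seconds of leeway on exp/nbf (assumed value)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for the IDP: produce a compact HS256 JWT for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_access_token(token: str, now: Optional[int] = None,
                          secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims if every 'Validate' row passes, else raise ValueError.
    Order: signature first (nothing is trusted before it), then iss, aud, exp, nbf.
    iat and sub are informational and are not checked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the token must not get to choose 'none' or another alg.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: token tampered with or signed by another key")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError(f"untrusted issuer {claims.get('iss')!r}")

    aud = claims.get("aud")  # RFC 7519 allows a single string or a list
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"token not intended for this resource: aud={aud!r}")

    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired (or exp missing)")
    if now < claims.get("nbf", 0) - CLOCK_SKEW:
        raise ValueError("token used before its nbf time")
    return claims


def verdict(token: str, now: int) -> str:
    """'ok' or the rejection reason, the way a gateway would log it."""
    try:
        validate_access_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo_claims(now: int) -> dict:
    """Claims shaped like the slide's example token, anchored at `now`, 15 minute lifetime."""
    return {"sub": "1008092044", "iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "nbf": now, "exp": now + 900, "iat": now,
            "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71"}


def tamper_signature(token: str) -> str:
    """Change one character of the signature segment (a modified token)."""
    head, sig = token.rsplit(".", 1)
    return f"{head}.{'B' if sig[0] != 'B' else 'C'}{sig[1:]}"


if __name__ == "__main__":
    t0 = 1524225722  # the iat of the slide's token
    good = mint_token(demo_claims(t0))
    print("fresh token :", verdict(good, t0 + 60))
    print("expired     :", verdict(good, t0 + 900 + CLOCK_SKEW + 1))
    print("wrong aud   :", verdict(mint_token({**demo_claims(t0), "aud": "https://other.example/"}), t0))
    print("tampered    :", verdict(tamper_signature(good), t0))
```

Checking the signature before reading any claim, and pinning alg instead of honouring whatever the header announces, are the two habits that close the classic JWT-library mistakes (alg none, key confusion). An aud given as a list is accepted because RFC 7519 allows both forms; the check is still "this API's audience is present", never "some audience is present".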
  • 21. Access Token
     Token type: access_token
     JWT: YES   Opaque: YES   Mandatory: YES
     Used for: Must only be used to access resources
     Expiry time: 10-15 minutes
     Validation comments:
     • The client can choose not to validate and rely solely on the API Gateway or IDP to validate.
     • If the JWT is not produced by the IDP, the IDP should provide an OAuth2 introspection endpoint to verify the opaque token – refer to https://tools.ietf.org/html/rfc7662.
     • The API Gateway must validate the access_token's default claims: exp, iat, aud and iss.
     • Services should validate the access_token's default claims (exp, iat, aud, iss) and custom claims like roles and groups if supplied.
     • Expiry of the access_token shouldn't be more than 10-15 mins.
  • 22. Id Token
     Token type: id_token
     JWT: YES   Opaque: NO   Mandatory: NO
     Used for: Must only be used to identify the user's details
     Expiry time: Identical to access_token
     Validation comments:
     • The id_token must be validated by the client.
     • No entity should fail if the id_token is not supplied.
     • In some cases the client chooses to send the id_token along with the access_token to supply user details; the API Gateway should then verify the at_hash claim in the id_token to check that both tokens were produced for the same user together with the access_token.
     • If it is supplied, the id_token must be validated by the services – signature and expiry validation.
     The id_token can accompany the access_token as an add-on if supplied by the IDP. However, it shouldn't be used to access resources.
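The at_hash check described for the id_token above, as an added example (not the deck's code). compute_at_hash follows OpenID Connect Core 1.0 section 3.1.3.6: hash the access_token with the hash function belonging to the id_token's alg, keep the left-most half, base64url-encode it without padding. All token strings here are constructed; the id_token's claims are assumed to be signature-verified before this check runs, because at_hash proves that the two tokens were issued together, not that the id_token is authentic.

```python
"""Binding an id_token to the access_token it accompanies via the at_hash claim."""
import base64
import hashlib
import hmac

# OpenID Connect Core 1.0, 3.1.3.6: at_hash = base64url(left half of HASH(access_token)),
# where HASH is the hash algorithm of the id_token's JOSE alg (SHA-256 for the *256 algs).
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512, "HS512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """The value the IDP must have placed in the id_token for this access_token."""
    if alg not in _HASH_FOR_ALG:
        raise ValueError(f"unsupported id_token alg {alg!r}")
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def id_token_matches_access_token(id_token_claims: dict, id_token_alg: str, access_token: str) -> bool:
    """Gateway check from the slide: use the id_token's user details for this request only
    if its at_hash binds it to the presented access_token.

    `id_token_claims` must already be signature-verified: at_hash proves pairing, not authenticity."""
    claimed = id_token_claims.get("at_hash")
    if not isinstance(claimed, str):
        return False  # no binding claim: this id_token was not issued alongside an access_token
    return hmac.compare_digest(claimed, compute_at_hash(access_token, id_token_alg))


def demo() -> dict:
    """Constructed scenario: a matching pair, the same id_token presented with another
    access_token, and an id_token that carries no at_hash at all."""
    access_token = "constructed.access.token"  # opaque or JWT; treated as an ASCII string either way
    id_claims = {"sub": "1008092044", "at_hash": compute_at_hash(access_token, "RS256")}
    return {
        "paired": id_token_matches_access_token(id_claims, "RS256", access_token),
        "swapped": id_token_matches_access_token(id_claims, "RS256", "some.other.access.token"),
        "unbound": id_token_matches_access_token({"sub": "1008092044"}, "RS256", access_token),
    }


if __name__ == "__main__":
    print(demo())
```

The hash function is chosen from the id_token's alg, not hard-coded to SHA-256, because an IDP signing with RS384 or RS512 produces a longer at_hash; a gateway that always used SHA-256 would reject every pair from such an IDP.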
  • 23. Refresh Token
     Token type: refresh_token
     JWT: NO   Opaque: YES   Mandatory: NO
     Used for: Can only be used to request a new access_token upon expiry of the access_token
     Expiry time: Expiry of the refresh_token will be greater than the access_token *
     Validation comments:
     * The refresh_token can request a new access_token upon expiry of the existing access_token. This is the RP's responsibility; the RP could be the API Gateway or the mobile app/device.
     • Expiry time can be configured depending on the use case. For mobile apps/devices it is recommended to set an expiry of months to give a better user experience. However, the refresh_token then needs to be protected with a passcode/PIN before the user can use it.
     • For web apps used by consumers, expiry should be slightly higher than the access_token – 5 minutes.
     • For web apps used on POS terminals by employees, expiry can range from a day up to a week.
     • Don't request a new token until the token has expired.
  • 25. Use Case for First Party Web Apps for AuthN
     Easier migration for existing apps which rely on session authn to integrate with APIs.
     If third party apps are browser-based and need long-running tokens (e.g. stores accessing resources), the AuthCode grant must be implemented on their server for secure token exchange. If the client is a browser-based app, it can't store client_id & secret_key securely.
     Grant type: OIDC AuthCode grant should be used
  • 26. Gateway as RP – AuthCode Grant (title only)
  • 27. Use Case for Mobile Devices (Native Apps) for AuthN
     When first party or third party native mobile apps require AuthN, i.e. when the user is required to log in.
     Grant type used: OIDC Auth Code grant along with PKCE – Proof Key for Code Exchange
  • 28. Native Mobile App as RP – AuthCode Grant + PKCE (title only)
  • 29. Use Case for System to System AuthN
     Where users are not involved in integrating first party or third-party systems with the resource server.
     Grant type used: OAuth2 Client Credentials grant
  • 30. System AuthN Pattern – OAuth2 Client Credential Grant
     Since this authn does not originate from a user, a token which the IDP created for a user should not be used to access other API resources. This can be mitigated by using the OIDC standard claim “aud”.
  • 32. Coarse Level Authorization
     • Whether the user has a valid token to consume resources:
     • Token is not expired – exp
     • Token is not used before it is meant to be – nbf
     • Token has an issuer which the API Gateway trusts – iss
     • Token is signed by the issuer and has not been tampered with by the user – signature
     • Token has a valid audience, which defines whether the token can be presented against a resource or not – aud
  • 33. Fine Level Authorization
     • Any other checks at the user level or app level which were not taken care of by coarse level authorization.
     • Mostly, fine level authorization looks like:
     • Custom user claims
       − RBAC – Role based access control
     • Custom app claims
       − Terms & Conditions
       − Profile info to consume the app
  • 35. How to Present Custom Scope in a Request for Fine-level Authorization
     • A custom scope must have a namespace – preferably a URI that identifies which product the consumer app is requesting:
       https://www.blah.com/v1/customers/
     • A custom scope can also be extended to request elevated access for the app and user:
       https://www.blah.com/v1/customers/customers.delete
       OR
       https://www.blah.com/v1/customers/customers.admin
  • 36. How Does an App Request Standard Scopes
     GET /authorize?response_type=code
       &scope=openid profile email
       &client_id=s6BhdRkqt3
       &state=af0ifjsldkj
       &redirect_uri=https%3A%2F%2Fptop.only.wip.la%3A443%2Fhttps%2Fclient.example.org%2Fcb
  • 37. How Does an App Request Standard & Custom Scopes (OIDC for Fine-level Authorization)
     GET /authorize?response_type=code
       &scope=openid profile email https://www.blah.com/v1/customers.admin
       &client_id=s6BhdRkqt3
       &state=af0ifjsldkj
       &redirect_uri=https%3A%2F%2Fptop.only.wip.la%3A443%2Fhttps%2Fclient.example.org%2Fcb
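The AuthCode + PKCE flow of slides 27-28, driving the /authorize request shown on slides 36-37, as an added example that is not part of the deck. The client side generates the RFC 7636 code_verifier and S256 code_challenge and builds the request carrying the standard scopes plus the URI-namespaced custom scope; the AuthorizationServer class is a constructed in-memory stand-in for the IDP that stores the challenge with the issued code and enforces it at /token. client_id, state, the redirect host and the customers.admin scope come from the slides; the authorize endpoint host and every class and function name are assumptions of this example.

```python
"""Authorization Code + PKCE (slides 27-28) driving the /authorize request of slides 36-37."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Request values from the slides; the issuer host is constructed for the example.
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"
STATE = "af0ifjsldkj"
SCOPES = ["openid", "profile", "email", "https://www.blah.com/v1/customers.admin"]
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side (RFC 7636): a fresh high-entropy code_verifier and its S256 code_challenge.
    32 random bytes give a 43-character verifier, the minimum length the RFC allows."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list,
                        state: str, code_challenge: str) -> str:
    """Client side: GET /authorize as on the slides plus the PKCE parameters.
    scope is one space-delimited value; the URI-namespaced custom scope is just another entry."""
    params = {"response_type": "code", "scope": " ".join(scopes), "client_id": client_id,
              "state": state, "redirect_uri": redirect_uri,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Constructed in-memory IDP: stores the challenge with the code and enforces it at /token."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        """/authorize after a successful user login (the login itself is out of scope); returns the code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code":
            raise ValueError("only the authorization code flow is offered")
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("PKCE with S256 is required; 'plain' is refused rather than accepted")
        if "openid" not in q.get("scope", "").split():
            raise ValueError("an OIDC request must include the openid scope")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> bool:
        """/token: the code is single-use and the verifier must hash to the stored challenge."""
        record = self._pending.pop(code, None)
        if record is None:
            return False  # unknown, or already redeemed: a replayed code fails here
        stored_client, stored_redirect, challenge = record
        if stored_client != client_id or stored_redirect != redirect_uri:
            return False
        recomputed = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        return hmac.compare_digest(recomputed, challenge)


def run_flow() -> dict:
    """One full round trip, then the two misuse cases PKCE and single-use codes are meant to catch."""
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(CLIENT_ID, REDIRECT_URI, SCOPES, STATE, challenge)
    idp = AuthorizationServer()
    code = idp.authorize(url)
    results = {"authorize_url": url,
               "redeemed": idp.token(code, CLIENT_ID, REDIRECT_URI, verifier),
               "replayed": idp.token(code, CLIENT_ID, REDIRECT_URI, verifier)}
    other_verifier, _ = make_pkce_pair()  # a code presented without its matching verifier
    results["wrong_verifier"] = idp.token(idp.authorize(url), CLIENT_ID, REDIRECT_URI, other_verifier)
    return results


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

Two properties are worth noticing: the code is single-use (a second /token call with the same code fails, which is how a replayed code is detected), and a code_challenge_method of "plain" is refused outright rather than treated as a weaker but acceptable option.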
  • 38. Example 1: Token with Standard & Custom Claims
     {
       "sub": "1008092044",
       "iss": "https://idp.blah.com/authz/v1/",
       "aud": "https://api.blah.com/consumers/",
       "nbf": 1524225722,
       "exp": 1524226622,
       "iat": 1524225722,
       "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71",
       "given_name": "firstName",
       "family_name": "lastName",
       "email": "[email protected]",
       "user_metadata": { "crm_reference": "d34343dfdt6dfd" },
       "app_metadata": { "v1/customers": { "roles": "admin" } }
     }
  • 39. Example 2: Token with Standard & Custom Claims
     {
       "sub": "1008092044",
       "iss": "https://idp.blah.com/authz/v1/",
       "aud": "https://api.blah.com/consumers/",
       "nbf": 1524225722,
       "exp": 1524226622,
       "iat": 1524225722,
       "jti": "3119f745-2d40-4455-a6df-97b1ad7b4d71",
       "given_name": "firstName",
       "family_name": "lastName",
       "scope": "admin",
       "email": "[email protected]",
       "user_metadata": { "crm_reference": "d34343dfdt6dfd" }
     }
  • 40. General Approach for Role Based Authorization Now
     • There will be two endpoints for each resource if we need to give elevated access to a user.
     • For example, if we want to give users the ability to read, update & create their own customer data, and admins access to delete a customer record:
       GET / POST / PUT / DELETE  /customers/v1
       DELETE  /customers/v1/admin/delete
     • A different authentication mechanism for the admin endpoints, to protect them.
  • 42. Recommendation
     • Resource representation should be around a bounded business context.
     • HTTP methods should represent what a user intends to do to a resource, NOT the endpoints.
       GET    /v1/customers/{customer-id}  ==> Read
       POST   /v1/customers/{customer-id}  ==> Create
       PUT    /v1/customers/{customer-id}  ==> Update
       DELETE /v1/customers/{customer-id}  ==> Delete
  • 43. Identify Your User Journey
     Have a user journey where you identify the users and personas that interact with your business resources. This is an ongoing task.
     Simplify your role definition – it depends on your domain: User, Admin, Guest, Anonymous
  • 44. User and Persona for Order Domain (title only)
  • 45. Role != Permissions
     • Generalized roles should come from the IDP
     • Isolate permissions from the IDP
     • Relevant apps should map roles to permissions (scalable)
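Slides 38, 42 and 45 put together as an added example (not code from the deck): the HTTP method names the action (slide 42), the IDP asserts roles under app_metadata in the slide-38 shape, and the app keeps the role-to-permission mapping itself (slide 45), applying the rule from slide 40 that users read, create and update their own customer data while only admin deletes. ROLE_PERMISSIONS, the route regex, the function names and the sample claims are constructed for this example.

```python
"""Fine-level authorization: HTTP method + resource -> permission, IDP roles -> permissions."""
import re

# Slide 42: the HTTP method states what the user intends to do to the resource.
ACTION_FOR_METHOD = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}

# Slide 45: generalized roles come from the IDP; the permissions behind them belong to
# this app. Slide 40's rule: users read/create/update their own customer data, only admin
# deletes. Slide 43's role set: User, Admin, Guest, Anonymous. (Mapping constructed here.)
ROLE_PERMISSIONS = {
    "admin": {"customers:read", "customers:create", "customers:update", "customers:delete"},
    "user": {"customers:read", "customers:create", "customers:update"},
    "guest": {"customers:read"},
    "anonymous": set(),
}

# Slide 42's single-endpoint style: /v1/customers/{customer-id}, no separate /admin route.
_ROUTE = re.compile(r"^/(?P<version>v\d+)/(?P<resource>[a-z]+)(?:/(?P<id>[^/]+))?/?$")


def required_permission(method: str, path: str):
    """(permission, claim namespace) for a request, or None for an unknown route or method."""
    m = _ROUTE.match(path)
    action = ACTION_FOR_METHOD.get(method.upper())
    if m is None or action is None:
        return None
    return f"{m['resource']}:{action}", f"{m['version']}/{m['resource']}"


def roles_from_claims(claims: dict, namespace: str) -> set:
    """Roles the IDP asserted for this API, in the slide-38 shape
    "app_metadata": {"v1/customers": {"roles": "admin"}}; a string or a list is accepted."""
    roles = claims.get("app_metadata", {}).get(namespace, {}).get("roles", [])
    return {roles} if isinstance(roles, str) else set(roles)


def is_authorized(claims: dict, method: str, path: str) -> bool:
    """Fine-level decision. Assumes the coarse-level checks (signature, iss, aud, exp, nbf)
    have already passed on this token."""
    req = required_permission(method, path)
    if req is None:
        return False  # unknown route or method: deny by default
    permission, namespace = req
    roles = roles_from_claims(claims, namespace) or {"anonymous"}
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))  # unknown roles grant nothing
    return permission in granted


# Constructed claim sets shaped like slide 38 (signature assumed verified upstream).
ADMIN_CLAIMS = {"sub": "1008092044", "app_metadata": {"v1/customers": {"roles": "admin"}}}
USER_CLAIMS = {"sub": "2008092044", "app_metadata": {"v1/customers": {"roles": ["user"]}}}
NO_ROLE_CLAIMS = {"sub": "3008092044"}


def decisions() -> dict:
    """The matrix a gateway would produce for the slide-42 endpoints."""
    return {
        "admin DELETE": is_authorized(ADMIN_CLAIMS, "DELETE", "/v1/customers/42"),
        "user DELETE": is_authorized(USER_CLAIMS, "DELETE", "/v1/customers/42"),
        "user PUT": is_authorized(USER_CLAIMS, "PUT", "/v1/customers/42"),
        "anonymous GET": is_authorized(NO_ROLE_CLAIMS, "GET", "/v1/customers/42"),
        "user PATCH": is_authorized(USER_CLAIMS, "PATCH", "/v1/customers/42"),
        "user other API": is_authorized(USER_CLAIMS, "GET", "/v1/orders/7"),
    }


if __name__ == "__main__":
    for request, allowed in decisions().items():
        print(f"{request:15} -> {'allow' if allowed else 'deny'}")
```

Unknown roles grant nothing and unknown routes or methods deny, so a new role introduced at the IDP, or a new endpoint added to the app, gets no access until someone deliberately maps it. Roles are also read per API namespace, so an admin role asserted for v1/customers says nothing about v1/orders.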
  • 46. Best Practices for Using access_token (while producing & accessing)
     • No PII data in the access_token, whatsoever.
     • Have a shorter expiry time for the access_token if the token is issued to an untrusted client (browser) – 2-5 mins.
     • Always make your client applications request with a scope and let your IDP set the right audience the access_token is intended for.
     • Don't overuse the access_token – don't use the same access_token to access all the resources in your environment. Be specific with the aud claim about where it should be used, so gateways can reject access if the token is not intended for that specific resource.
     • Sign the token centrally in your IDP, where you can rotate the private/public key periodically. The API Gateway should be smart enough to cache the public key from the IDP for verification and to detect key rotation done by the IDP on the fly.
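The last bullet (cache the IDP's public key, detect rotation on the fly) as an added example, not the deck's code: a kid-based JWKS cache for the gateway. A token whose kid is not in the cache triggers one re-fetch of the JWKS, which is how a rotated key is picked up, but re-fetches are rate-limited so that requests carrying unknown kids cannot turn the gateway into a JWKS-fetch amplifier against the IDP. FakeIdp, the key ids, the placeholder key material and the injected clock and fetcher are constructed for the example; only key selection is shown here, the signature verification itself is not.

```python
"""Gateway-side cache of the IDP's public keys that follows key rotation by kid (slide 46)."""
import base64
import json


def _jwt_header(token: str) -> dict:
    """Decode only the JOSE header. It is unauthenticated, so nothing but kid is read from it."""
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


class JwksCache:
    """Keeps the IDP's JWKS in memory and picks the verification key by the token's kid.

    An unknown kid triggers one re-fetch (how a rotated key is picked up on the fly), but
    re-fetches are rate-limited so tokens with made-up kids cannot hammer the IDP's jwks_uri."""

    def __init__(self, fetch_jwks, clock, min_refresh_interval: float = 60.0):
        self._fetch = fetch_jwks          # callable returning the JWKS document as a dict
        self._clock = clock               # callable returning seconds; injected for testing
        self._min_interval = min_refresh_interval
        self._keys = {}
        self._last_refresh = None
        self.refresh_count = 0

    def _refresh(self) -> None:
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._last_refresh = self._clock()
        self.refresh_count += 1

    def key_for(self, token: str):
        """JWK to verify `token` with, or None (the caller then rejects the token)."""
        kid = _jwt_header(token).get("kid")
        if not isinstance(kid, str):
            return None
        if kid not in self._keys:
            may_refresh = (self._last_refresh is None
                           or self._clock() - self._last_refresh >= self._min_interval)
            if may_refresh:
                self._refresh()
        return self._keys.get(kid)


# ---- constructed simulation of an IDP rotating its signing key ----

class FakeIdp:
    """Serves a JWKS document; rotate() adds a new kid (key material is a placeholder)."""

    def __init__(self):
        self.keys = [{"kty": "RSA", "kid": "key-2019-01", "use": "sig", "n": "<placeholder>", "e": "AQAB"}]
        self.fetches = 0

    def jwks(self) -> dict:
        self.fetches += 1
        return {"keys": list(self.keys)}

    def rotate(self, new_kid: str) -> None:
        self.keys.append({"kty": "RSA", "kid": new_kid, "use": "sig", "n": "<placeholder>", "e": "AQAB"})


def token_with_kid(kid: str) -> str:
    """Header-only stand-in for a JWT; payload and signature are not needed for key selection."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "kid": kid}).encode()).rstrip(b"=")
    return f"{header.decode()}.e30.sig"


def rotation_scenario() -> dict:
    """Warm the cache, rotate, miss immediately (rate-limited), hit after the interval, bogus kid."""
    idp, now = FakeIdp(), [1_000_000.0]
    cache = JwksCache(idp.jwks, clock=lambda: now[0], min_refresh_interval=60)
    out = {"old_found": cache.key_for(token_with_kid("key-2019-01")) is not None}
    idp.rotate("key-2020-01")
    out["new_before_interval"] = cache.key_for(token_with_kid("key-2020-01")) is not None
    now[0] += 61
    out["new_after_interval"] = cache.key_for(token_with_kid("key-2020-01")) is not None
    now[0] += 61
    out["bogus_kid"] = cache.key_for(token_with_kid("does-not-exist")) is not None
    out["fetches"] = idp.fetches
    return out


if __name__ == "__main__":
    print(rotation_scenario())
```

The rate limit has a cost: a key the IDP starts signing with before the cache has seen it is rejected until the interval passes. The usual way out is for the IDP to publish the new key in its JWKS before it signs anything with it, so the gateway's next refresh already holds it; the kid lookup here then finds the key without any re-fetch at all.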