SlideShare a Scribd company logo

Extended Security with WSO2 API Management Platform

Download as PPTX, PDF
WSO2
WSO2

Uvindra Jayasinha from WSO2 presented on extending security with the WSO2 API Management platform. He covered best practices for OAuth 2.0 access tokens, adding SAML single sign-on, federated identity with third-party providers, enforcing fine-grained entitlement policies, and accessing user attributes. The presentation explained key OAuth concepts like grant types, actors, and tokens. It also described using SAML assertions, XACML policies, and JWT claims to pass user information and control access.

1 of 20
Downloaded 38 times
WSO2 Uvindra Dias Jayasinha Extended Security with WSO2 API Management Platform 30th April, 2015
** About the Presenter Uvindra joined WSO2 in November 2013. He is a Senior Software Engineer in the WSO2 API Manager Team. He has a background in Telecom Billing Systems and Financial Trading systems, including High Performance Software development
** Agenda ● Best practices when requesting OAuth 2.0 Access Tokens ● Adding SAML based Single Sign On (SSO) capabilities to API management and leveraging SAML2 Bearer Tokens to request OAuth 2.0 Access Tokens ● Federated identity: How to use a third-party identity provider with API Manager ● Enforcing fine-grained entitlement policies at the API management layer ● Accessing API user's attributes to make decisions
** APIs and Security Exposing Services as APIs means we need to address how those APIs are going to be secured ● Primarily protecting APIs via API Access Tokens ● But also so much more than that…... ❏ Forced to deal with different kinds of users and applications ❏ One size does not fit all when it comes to security
** OAuth 2.0 - The Cornerstone OAuth definition from the OAuth 2.0 IETF specification - "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." [1] [1] http://tools.ietf.org/html/rfc6749
** OAuth 2.0 - Grant Types Depending on the trustworthiness of the application that is trying to access the API, oauth provides different methods that can be used for granting access ● Authorization Code ● Password(Resource Owner Credentials) ● Client Credentials ● Implicit
** Understanding the actors involved Resource owner The Person who owns the data or has rights to the data that will be exposed by the Service via an API Resource Server The server that hosts the actual Service/API that exposes the data Application Considered as the ‘client’ in OAuth circles. The one requesting access to the API Auth Server Grants access to the Application after authenticating it with the Resource Owner
** Key OAuth concepts Client ID A unique string representing an Application registered with the Auth Server Client Secret A secret password that is used by the Auth Server to authenticate if the Application is an authorized Application Access Token A key provided by the Auth Server to the Application which allows access to a given API for a limited amount of time. After the time expires the key will be considered invalid Refresh Token A secondary key that can be used by the Application to request a new Access Token from the Auth Server
** Authorization Code Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides remotely from the Resource Owner ● Resource Owner gets involved initially to decide if the Auth Server should grant API access to the Application ● ‘Auth Code’ is returned by Auth Server to the Application which uses it to request Access + Refresh Tokens from the Auth Server ● The Application may store the Access + Refresh Tokens and reuse them to access the API, no longer needing intervention from the Resource Owner ● Considered the most secure grant type
** Implicit Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides locally to the Resource Owner(eg: Web browser, Mobile device) ● A simplified version of the Authorization Code grant type with the elimination of the Auth Code issuing step ● Since Resource Owner is present in proximity to App there is nothing to be gained by issuing an Auth Code ● Once Resource Owner approves App, Auth Server provides Access Token directly to App ● Access Token validity periods should be relatively short, no Refresh Token is issued ● App should rely on the Resource Owner to get involved again to get a new Access Token
** Password Grant Type Category of Application - 3rd Party trusted ● Since the App is trusted the Resource Owner is able to share their own username and password directly with the App ● By providing their credentials to the App, the Resource Owner is delegating authority to the App to authenticate itself with the Auth Server and get Access + Refresh Tokens
** Client Credentials Grant Type Category of Application - Resource Owners App ● Since the App belongs to the Resource Owner there is no need to authenticate the App via the Resource Owners credentials or require that the Resource Owner get involved to help the Auth Server decide if access should be granted ● All that is required by the Auth Server is to identify if the App requesting the Access Token is in fact the Resource Owners App ● The App only needs to provide the Client ID and Client Secret to the Auth Server to get the Access Token
** Single Sign On ● The WSO2 API Management platform can be configured to support SAML 2.0 based SSO ● Security Assertion Markup Language 2.0 - XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider ● SAML is a widely established means of identity federation in enterprises.
** Advantage of SAML based SSO ● Provides convenience when working with multiple store/publisher web applications ● Reduces password fatigue ● Able to exchange the SAML token issued by the Identity Provider for an OAuth 2.0 access token, avoiding the need to explicitly be authenticated by an Auth 2.0 Auth Server. This is an advantage for enterprises that already have an existing SAML identity provider
** Federated Identity ● Demo Scenario - Using Facebook as a Federated identity provider to act as a Auth Server to obtain a API Access Token
** Fine-grained entitlement policies ● API Manager supports Auth 2.0 scopes to restrict access to API resources based on user roles ● But when more fine grained entitlement policies are required XACML policies can be used ● XACML stands for "eXtensible Access Control Markup Language", which defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate access requests according to the rules defined in policies.
** Accessing API users attributes to make decisions ● Its often useful for the API hosting service to make decisions based on information associated with the user who initiated the API invocation such as, ○ Username of end user ○ The organization the end user is associated with ○ The email of the end user ○ The gender of the end user
** Passing Claims via JWT ● Claim - user attribute that is mapped to the underlying user store ● Claim dialect - A set of predefined claims ● API Manager can be configured to pass a Claim Dialect via a JSON Web Token[1] to the back end API along with the API invocation [1] http://openid.net/specs/draft-jones-json-web-token-07.html#anchor3
** Resources ● [Article] OAuth2 Grant Types and Need For Implicit Grant for JavaScript and Mobile Applications http://wso2.com/library/articles/2014/12/article- oauth2-grant-types-and-need-for-implicit-grant-for-javascript-mobile-applications/ ● What is the purpose of the implicit grant authorization type in OAuth 2? http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2 ● Enforcing fine grained entitlement policies With XACML http://xacmlinfo.org/2014/10/24/authorization-for-apis-with-xacml-and-oauth-2-0/
Contact us !
Ad

Recommended

Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
WSO2
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
Marcin Wolnik
 
Using a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerUsing a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API Manager
WSO2
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
Amila Paranawithana
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0Protecting your APIs with OAuth 2.0
Protecting your APIs with OAuth 2.0
Ubisecure
 
OAuth2 primer
OAuth2 primerOAuth2 primer
OAuth2 primer
Manish Pandit
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
Sanjoy Kumar Roy
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
UMA for ACE
UMA for ACEUMA for ACE
UMA for ACE
Hannes Tschofenig
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
Prabath Siriwardena
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
axykim00
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API Management
WSO2
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
Sang Shin
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryCombining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
WSO2
 
Leveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayLeveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gateway
WSO2
 
Ad

More Related Content

What's hot (20)

OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
UMA for ACE
UMA for ACEUMA for ACE
UMA for ACE
Hannes Tschofenig
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
Prabath Siriwardena
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
axykim00
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API Management
WSO2
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
Sang Shin
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
UMA for ACE
UMA for ACEUMA for ACE
UMA for ACE
Hannes Tschofenig
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
Prabath Siriwardena
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
axykim00
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API Management
WSO2
 
The State of OAuth2
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
axykim00
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
Sang Shin
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
vinoth kumar
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 

Viewers also liked (19)

Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryCombining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
WSO2
 
Leveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayLeveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gateway
WSO2
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2
 
Implementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management PlatformImplementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management Platform
WSO2
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
WSO2
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
WSO2
 
WSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API ManagementWSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API Management
Edgar Silva
 
Open Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service BusOpen Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service Bus
sumedha.r
 
How to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API EcosystemHow to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API Ecosystem
WSO2
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
WSO2
 
CAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemplesCAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemples
Clément OUDOT
 
WSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery ChannelWSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery Channel
WSO2
 
API designing with WSO2 API Manager
API designing with WSO2 API ManagerAPI designing with WSO2 API Manager
API designing with WSO2 API Manager
WSO2
 
WSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital EnterpriseWSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2
 
WSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and Roadmap
WSO2
 
Workshop: API Management
Workshop: API ManagementWorkshop: API Management
Workshop: API Management
WSO2
 
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemplesCAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
Clément OUDOT
 
Best Practices for API Management
Best Practices for API Management Best Practices for API Management
Best Practices for API Management
WSO2
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management Strategy
WSO2
 
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industryCombining WSO2 API Manager with WSO2 BAM for billing in the energy industry
Combining WSO2 API Manager with WSO2 BAM for billing in the energy industry
WSO2
 
Leveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gatewayLeveraging federation capabilities of Identity Server for API gateway
Leveraging federation capabilities of Identity Server for API gateway
WSO2
 
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2Con EU 2015: Securing, Monitoring and Monetizing APIs
WSO2
 
Implementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management PlatformImplementing API Facade using WSO2 API Management Platform
Implementing API Facade using WSO2 API Management Platform
WSO2
 
Security Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESBSecurity Patterns with the WSO2 ESB
Security Patterns with the WSO2 ESB
WSO2
 
Security Patterns with WSO2 ESB
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
WSO2
 
WSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API ManagementWSO2 API Manager : Going beyond the just API Management
WSO2 API Manager : Going beyond the just API Management
Edgar Silva
 
Open Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service BusOpen Source Integration with WSO2 Enterprise Service Bus
Open Source Integration with WSO2 Enterprise Service Bus
sumedha.r
 
How to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API EcosystemHow to Enable Monetization of Your API Ecosystem
How to Enable Monetization of Your API Ecosystem
WSO2
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
WSO2
 
CAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemplesCAS, OpenID, SAML : concepts, différences et exemples
CAS, OpenID, SAML : concepts, différences et exemples
Clément OUDOT
 
WSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery ChannelWSO2Con USA 2017: Cloud as a Delivery Channel
WSO2Con USA 2017: Cloud as a Delivery Channel
WSO2
 
API designing with WSO2 API Manager
API designing with WSO2 API ManagerAPI designing with WSO2 API Manager
API designing with WSO2 API Manager
WSO2
 
WSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital EnterpriseWSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2Con USA 2017: Analytics Patterns for Your Digital Enterprise
WSO2
 
WSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and Roadmap
WSO2
 
Workshop: API Management
Workshop: API ManagementWorkshop: API Management
Workshop: API Management
WSO2
 
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemplesCAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
CAS, OpenID, Shibboleth, SAML : concepts, différences et exemples
Clément OUDOT
 
Best Practices for API Management
Best Practices for API Management Best Practices for API Management
Best Practices for API Management
WSO2
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management Strategy
WSO2
 
Ad

Similar to Extended Security with WSO2 API Management Platform (20)

Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
Salesforce Developers
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
Amin Mesbahi
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
Priyanka Aash
 
OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
Kumaresh Chandra Baruri
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoT
AllSeen Alliance
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
OAuth
OAuthOAuth
OAuth
Tom Elrod
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
Stefan Weber
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
Jacob Combs
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
Salesforce Developers
 
Spring Security
Spring SecuritySpring Security
Spring Security
Knoldus Inc.
 
.NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19 .NET Core, ASP.NET Core Course, Session 19
.NET Core, ASP.NET Core Course, Session 19
Amin Mesbahi
 
1000 ways to die in mobile oauth
1000 ways to die in mobile oauth1000 ways to die in mobile oauth
1000 ways to die in mobile oauth
Priyanka Aash
 
OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)OAuth2 Implementation Presentation (Java)
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
Prabath Siriwardena
 
Introduction to OAuth2
Introduction to OAuth2Introduction to OAuth2
Introduction to OAuth2
Kumaresh Chandra Baruri
 
CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0CIS13: Introduction to OAuth 2.0
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Identity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoTIdentity for IoT: An Authentication Framework for the IoT
Identity for IoT: An Authentication Framework for the IoT
AllSeen Alliance
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
OAuth
OAuthOAuth
OAuth
Tom Elrod
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
Stefan Weber
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)
gemziebeth
 
Ad

More from WSO2 (20)

Platformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdfPlatformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdf
WSO2
 
Application Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI SectorApplication Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: OverviewChoreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience AppsWSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on CodeWSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native ApplicationsWSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless ModernizationMastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
WSO2
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
WSO2
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2
 
Platformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdfPlatformless Modernization with Choreo.pdf
Platformless Modernization with Choreo.pdf
WSO2
 
Application Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI SectorApplication Modernization with Choreo for the BFSI Sector
Application Modernization with Choreo for the BFSI Sector
WSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: OverviewChoreo - The AI-Native Internal Developer Platform as a Service: Overview
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
WSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
WSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
WSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
WSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience AppsWSO2Con 2025 - Building Secure Customer Experience Apps
WSO2Con 2025 - Building Secure Customer Experience Apps
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
WSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
WSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on CodeWSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
WSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native ApplicationsWSO2Con 2025 - Architecting Cloud-Native Applications
WSO2Con 2025 - Architecting Cloud-Native Applications
WSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless ModernizationMastering Intelligent Digital Experiences with Platformless Modernization
Mastering Intelligent Digital Experiences with Platformless Modernization
WSO2
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
WSO2
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
WSO2
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
WSO2
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2
 

Recently uploaded (20)

TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Vaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without HallucinationsVaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without Hallucinations
john409870
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Vaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without HallucinationsVaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without Hallucinations
john409870
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 

Extended Security with WSO2 API Management Platform

  • 1. WSO2 Uvindra Dias Jayasinha Extended Security with WSO2 API Management Platform 30th April, 2015
  • 2. ** About the Presenter Uvindra joined WSO2 in November 2013. He is a Senior Software Engineer in the WSO2 API Manager Team. He has a background in Telecom Billing Systems and Financial Trading systems, including High Performance Software development
  • 3. ** Agenda ● Best practices when requesting OAuth 2.0 Access Tokens ● Adding SAML based Single Sign On (SSO) capabilities to API management and leveraging SAML2 Bearer Tokens to request OAuth 2.0 Access Tokens ● Federated identity: How to use a third-party identity provider with API Manager ● Enforcing fine-grained entitlement policies at the API management layer ● Accessing API user's attributes to make decisions
  • 4. ** APIs and Security Exposing Services as APIs means we need to address how those APIs are going to be secured ● Primarily protecting APIs via API Access Tokens ● But also so much more than that…... ❏ Forced to deal with different kinds of users and applications ❏ One size does not fit all when it comes to security
  • 5. ** OAuth 2.0 - The Cornerstone OAuth definition from the OAuth 2.0 IETF specification - "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." [1] [1] http://tools.ietf.org/html/rfc6749
  • 6. ** OAuth 2.0 - Grant Types Depending on the trustworthiness of the application that is trying to access the API, oauth provides different methods that can be used for granting access ● Authorization Code ● Password(Resource Owner Credentials) ● Client Credentials ● Implicit
  • 7. ** Understanding the actors involved Resource owner The Person who owns the data or has rights to the data that will be exposed by the Service via an API Resource Server The server that hosts the actual Service/API that exposes the data Application Considered as the ‘client’ in OAuth circles. The one requesting access to the API Auth Server Grants access to the Application after authenticating it with the Resource Owner
  • 8. ** Key OAuth concepts Client ID A unique string representing an Application registered with the Auth Server Client Secret A secret password that is used by the Auth Server to authenticate if the Application is an authorized Application Access Token A key provided by the Auth Server to the Application which allows access to a given API for a limited amount of time. After the time expires the key will be considered invalid Refresh Token A secondary key that can be used by the Application to request a new Access Token from the Auth Server
  • 9. ** Authorization Code Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides remotely from the Resource Owner ● Resource Owner gets involved initially to decide if the Auth Server should grant API access to the Application ● ‘Auth Code’ is returned by Auth Server to the Application which uses it to request Access + Refresh Tokens from the Auth Server ● The Application may store the Access + Refresh Tokens and reuse them to access the API, no longer needing intervention from the Resource Owner ● Considered the most secure grant type
  • 10. ** Implicit Grant Type Category of Application - 3rd Party untrusted Locality of Application - Resides locally to the Resource Owner(eg: Web browser, Mobile device) ● A simplified version of the Authorization Code grant type with the elimination of the Auth Code issuing step ● Since Resource Owner is present in proximity to App there is nothing to be gained by issuing an Auth Code ● Once Resource Owner approves App, Auth Server provides Access Token directly to App ● Access Token validity periods should be relatively short, no Refresh Token is issued ● App should rely on the Resource Owner to get involved again to get a new Access Token
  • 11. ** Password Grant Type Category of Application - 3rd Party trusted ● Since the App is trusted the Resource Owner is able to share their own username and password directly with the App ● By providing their credentials to the App, the Resource Owner is delegating authority to the App to authenticate itself with the Auth Server and get Access + Refresh Tokens
  • 12. ** Client Credentials Grant Type Category of Application - Resource Owners App ● Since the App belongs to the Resource Owner there is no need to authenticate the App via the Resource Owners credentials or require that the Resource Owner get involved to help the Auth Server decide if access should be granted ● All that is required by the Auth Server is to identify if the App requesting the Access Token is in fact the Resource Owners App ● The App only needs to provide the Client ID and Client Secret to the Auth Server to get the Access Token
  • 13. ** Single Sign On ● The WSO2 API Management platform can be configured to support SAML 2.0 based SSO ● Security Assertion Markup Language 2.0 - XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider ● SAML is a widely established means of identity federation in enterprises.
  • 14. ** Advantage of SAML based SSO ● Provides convenience when working with multiple store/publisher web applications ● Reduces password fatigue ● Able to exchange the SAML token issued by the Identity Provider for an OAuth 2.0 access token, avoiding the need to explicitly be authenticated by an Auth 2.0 Auth Server. This is an advantage for enterprises that already have an existing SAML identity provider
  • 15. ** Federated Identity ● Demo Scenario - Using Facebook as a Federated identity provider to act as a Auth Server to obtain a API Access Token
  • 16. ** Fine-grained entitlement policies ● API Manager supports Auth 2.0 scopes to restrict access to API resources based on user roles ● But when more fine grained entitlement policies are required XACML policies can be used ● XACML stands for "eXtensible Access Control Markup Language", which defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate access requests according to the rules defined in policies.
  • 17. ** Accessing API users attributes to make decisions ● Its often useful for the API hosting service to make decisions based on information associated with the user who initiated the API invocation such as, ○ Username of end user ○ The organization the end user is associated with ○ The email of the end user ○ The gender of the end user
  • 18. ** Passing Claims via JWT ● Claim - user attribute that is mapped to the underlying user store ● Claim dialect - A set of predefined claims ● API Manager can be configured to pass a Claim Dialect via a JSON Web Token[1] to the back end API along with the API invocation [1] http://openid.net/specs/draft-jones-json-web-token-07.html#anchor3
  • 19. ** Resources ● [Article] OAuth2 Grant Types and Need For Implicit Grant for JavaScript and Mobile Applications http://wso2.com/library/articles/2014/12/article- oauth2-grant-types-and-need-for-implicit-grant-for-javascript-mobile-applications/ ● What is the purpose of the implicit grant authorization type in OAuth 2? http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2 ● Enforcing fine grained entitlement policies With XACML http://xacmlinfo.org/2014/10/24/authorization-for-apis-with-xacml-and-oauth-2-0/