The Nuts and Bolts of API Security: Protecting Your Data at All Times

  • Published 31 Jul 2024
  • Travis Spencer - Curity (formerly Twobo Technologies). Nordic APIs World Tour 2015: May 11 - Copenhagen. Travis Spencer argues that API keys are insufficient for implementing proper API security and identity management. This talk delves into OAuth and OpenID Connect, with the goal of creating a holistic approach to API and enterprise security that keeps all systems safe through multi-faceted identity control.
    This talk specifically covers:
    - The risks of relying solely on API keys
    - Fundamental introduction to OAuth as an identity delegation protocol
    - The actors involved in an OAuth process
    - Step-by-step processes involved in the common web server OAuth flow (validating tokens, returning data, etc.)
    - Overview of scopes, permissions and delegations.
    - Kinds of tokens (Access Tokens, Refresh Tokens)
    - Profiles of tokens (Bearer, Holder of Key)
    - Overview of types of tokens (WS-Security, SAML, JWT)
    - Using OpenID Connect as a federation protocol
    - Step-by-step OpenID Connect flow example
    - and more
    For thought-provoking pieces on everything APIs, check out the Nordic APIs blog: nordicapis.com/blog/
    Read Curity's blog for more on API Security: curity.io/blog/
  • Science & Technology
