Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from...
DESCRIPTION
Web-based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs has introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and OpenID Connect).
TRANSCRIPT
![Page 1: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/1.jpg)
Understanding Identity in the World of Web APIs
Ronnie Mitra
Principal API Architect - Europe
Layer 7 API Academy
Page 2
Page 3
API Management
virtual, cloud, on-premise
Page 4
Connecting things
Page 5
Connecting computer programs
Page 6
… over the web
Page 7
2000 – eBay
Page 8
2000 – Salesforce
Page 9
2006 – Amazon Web Services
Page 10
2007 – Twilio (or Stripe)
Page 11
Web APIs
Language Independent
APIs are constrained by the syntax of the web
Most API Design principles can be applied
Some design principles are unique to Web APIs
Page 12
Web APIs
HTTP
Page 13
Network Based APIs
HTTP
CoAP
MQTT
WebSocket?
Page 14
Page 15
Tunnel Style
URI Style
Hypermedia Style
Event Driven Style
Page 16
Tunnel Style Example: SOAP
• transport agnostic
• operation based
• binding documents (WSDL)
Page 17
Tunnel Style
<RetrieveStudentRecords>
  <StudentId>1213</StudentId>
</RetrieveStudentRecords>
Page 18
URI Style
GET, PUT, POST, DELETE + URI
Page 19
URI Style
GET /students/1232
Page 20
Hypermedia Style
Page 21
Hypermedia Style
• links
• templated input (forms)
• task based
Page 22
{
  "links": [
    {"href": "…", "rel": "list"},
    {"href": "…", "rel": "add"}
  ],
  "collection": [
    {
      "link": {"rel": "complete", "href": "…"},
      "id": 42,
      "text": "Record 42"
    }
  ]
}
Page 23
Event Driven Style Example: WebSockets
• event based communication
• server initiated events
• full-duplex (websocket)
Page 24
Ronnie,Mitra,UK
Page 25
Security implications of the four styles:
Tunnel Style: established mechanisms, tools and frameworks
URI Style: HTTP and URI security mechanisms
Hypermedia Style: similar to URI style, new challenges with links
Event Driven Style: starts in HTTP, need visibility in the new protocol
Page 26
Page 27
Private/Partner or Closed APIs
Page 28
Acme Corp. API
Acme Corp. App
Page 29
Page 30
Public or Open APIs
Page 31
Acme Corp. API
Third Party App
Page 32
Page 33
Priority: Lower Cost
Priority: Increased Adoption
Page 34
Focus on the developer experience (DX)
Page 35
Software Qualities
Usability
Reliability
Simplicity
Security
Etc…
Page 36
DX > Software Qualities
Page 37
Priority: Lower Cost
Priority: Increased Adoption
Page 38
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Page 39
The API security challenge:
Balancing Security and Usability
Page 40
Identity, Authentication, Authorization, Availability, Integrity, Privacy
Page 41
Identities and Attack Surfaces
Page 42
Diagram: Developer Portal and API; actors: Developer, End User, Administrator
Page 43
Diagram: Portal and API; actors: Developer, End User, Administrator
Page 44
Diagram: API and End User
Page 45
Injection Attack
Page 46
Page 47
Examples:
SQL Injection
Command Injection
Code Injection
Argument Injection
Page 48
API Attack Example:
SQL Injection Attacks: APIs
GET http://host.com/aresource?token=%27%20or%20%271%3D1
GET http://host.com/aresource?token=' or '1=1
select * from tokens where token = '' or '1=1';
Page 49
APIs May Be A Direct Conduit
Diagram: HTTP Server → App Server → Database; App Objects
Often:
• Self-documenting
• Closely mapped to object space
Page 50
SQL Injection Attack - Mitigation
Sanitize inputs (and bind them as query parameters rather than concatenating them into SQL)
Validate request and response data
Limit data size
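The slide's attack and its mitigation side by side, as an added example that is not part of the original talk or any Layer 7 product: a token lookup written with string concatenation (the shape of the slide's query) next to the same lookup with a bound parameter, plus the edge validation the mitigation slide calls for. The table contents, the `tok-*` values and the token format rule are constructed for the demo; the request URL is the slide's, with the quote encoded as `%27` (the `%E2%80%98` on the slide is a curly quote from the slide editor). SQLite is used because it ships with Python; the `'1=1'` payload is truthy there because SQLite converts the numeric prefix of text in a boolean context, which is why the slide's payload returns every row.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for the slide's `tokens` table.
SAMPLE_TOKENS = [("tok-alpha", "user1"), ("tok-bravo", "user2"), ("tok-charlie", "user3")]

# The slide's request, with the quote URL-encoded as %27.
SLIDE_REQUEST = "http://host.com/aresource?token=%27%20or%20%271%3D1"
SLIDE_PAYLOAD = "' or '1=1"       # what the server sees after percent-decoding
CLASSIC_PAYLOAD = "' or '1'='1"   # the textbook variant, truthy in every SQL dialect


def token_from_url(url: str) -> str:
    """Extract the token query parameter the way a web framework would (percent-decoded)."""
    return parse_qs(urlsplit(url).query)["token"][0]


def make_db() -> sqlite3.Connection:
    """In-memory table with the constructed sample tokens."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (token TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO tokens (token, owner) VALUES (?, ?)", SAMPLE_TOKENS)
    return conn


def lookup_token_vulnerable(conn: sqlite3.Connection, token: str) -> list:
    """String concatenation, exactly the shape of the slide's query.
    With SLIDE_PAYLOAD this becomes: select * from tokens where token = '' or '1=1'"""
    sql = "select * from tokens where token = '" + token + "'"
    return conn.execute(sql).fetchall()


def lookup_token_safe(conn: sqlite3.Connection, token: str) -> list:
    """Parameterised query: the token is bound as data and is never parsed as SQL."""
    return conn.execute("select * from tokens where token = ?", (token,)).fetchall()


def is_plausible_token(token: str) -> bool:
    """Edge validation from the mitigation slide: allowlisted characters and a length cap.
    The format (8..64 chars of [A-Za-z0-9_-]) is an assumed rule for this demo."""
    return 8 <= len(token) <= 64 and all(c.isalnum() or c in "-_" for c in token)
```

The parameterised form is the actual fix; the format check is defence in depth that also rejects the payload before it reaches the database and keeps the error path cheap.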
Page 51
Denial of Service
Page 52
Page 53
Examples:
XML/JSON Parser Attacks
Jumbo Messages
Server Overload
Page 54
Denial of Service Attack: Mitigation
Enforcement of boundary conditions
Intelligent rate limiting
Offload processing
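The first two mitigations on this slide in working form, as an added example that is not from the talk or from Layer 7: a boundary check that rejects jumbo messages and excessively nested JSON before any parser touches the body, and a per-client token bucket that limits call rate while still allowing short bursts. The caps (64 KiB, depth 32) and the bucket parameters are assumed values; a gateway would tune them per API. The clock is injectable so the limiter can be tested deterministically.

```python
import time

MAX_BODY_BYTES = 64 * 1024      # jumbo-message cap (assumed value)
MAX_NESTING_DEPTH = 32          # parser-attack cap (assumed value)


def check_message_bounds(body: bytes, max_bytes: int = MAX_BODY_BYTES,
                         max_depth: int = MAX_NESTING_DEPTH) -> str:
    """Cheap boundary checks run before the JSON parser ever sees the body.
    Returns 'ok', 'too_large' or 'too_deep'. Depth is counted over [ and {
    outside string literals, so brackets inside strings do not count."""
    if len(body) > max_bytes:
        return "too_large"
    depth = 0
    in_string = False
    escaped = False
    for byte in body:
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:          # backslash starts an escape
                escaped = True
            elif byte == 0x22:          # closing quote
                in_string = False
        elif byte == 0x22:              # opening quote
            in_string = True
        elif byte in (0x5B, 0x7B):      # [ or {
            depth += 1
            if depth > max_depth:
                return "too_deep"
        elif byte in (0x5D, 0x7D):      # ] or }
            depth -= 1
    return "ok"


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens per second up to `capacity`,
    so a client may burst to `capacity` calls and then sustain `rate` calls/s."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock          # injectable for deterministic tests
        self._state = {}            # client_id -> (tokens, last_refill_time)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[client_id] = (tokens - 1.0, now)
            return True
        self._state[client_id] = (tokens, now)
        return False


def admit(client_id: str, body: bytes, limiter: TokenBucket) -> str:
    """Gateway decision: rate limit first (cheapest), then boundary checks, then parsing."""
    if not limiter.allow(client_id):
        return "rate_limited"
    return check_message_bounds(body)
```

Ordering matters: the rate check costs a dictionary lookup, the bounds check is a single linear pass, and only traffic that passes both is handed to the parser, which is where the expensive failure modes live.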
Page 55
Overflow
Page 56
Page 57
Buffer Overflow Attack: Mitigation
Boundary limit enforcement
Message validation
Page 58
Cross Site Scripting
Page 59
Page 60
XSS API Example
Diagram: Attacker → Web App Server (browser+APIs) → Victim: Web Browser Client, <SCRIPT …>
1. API injects script in
2. Server fails to perform FIEO: Filter Input, Escape Output
3. Browser loads content with embedded script
Page 61
Cross Site Scripting: Mitigation
Whitelist tags if you can (i.e. where the validation space is small and concise)
Blacklist dangerous tags like <SCRIPT> (only as a fallback: blacklists are easily bypassed, e.g. by event-handler attributes on other tags)
Always perform FIEO (Filter Input, Escape Output)
Learn more: http://xssed.com
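FIEO in code, as an added example that is not part of the talk: an allowlist filter for a field whose valid space is small, the blacklist approach kept only to show how a payload without a `<script>` tag walks through it, and output escaping for the two places an API response typically lands in a page (HTML text and JSON embedded in a `<script>` block). The username rule and the three payloads are constructed for the demo.

```python
import html
import json
import re

# Allowlist for a field whose valid space is small and well defined (assumed rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Constructed payloads for the demo.
SCRIPT_TAG = "<script>alert(1)</script>"
NO_SCRIPT_TAG = "<img src=x onerror=alert(1)>"          # no <script>, still executes
BREAKOUT = "</script><script>alert(1)</script>"         # closes an enclosing <script>


def filter_input_username(value: str) -> str:
    """Filter Input: reject anything outside the allowlist instead of trying to clean it."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def naive_blacklist(value: str) -> str:
    """Strip <script> tags only: the blacklist approach, kept here to show its weakness."""
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def escape_for_html(value: str) -> str:
    """Escape Output for an HTML element or quoted attribute context."""
    return html.escape(value, quote=True)


def json_for_script(obj) -> str:
    """Escape Output for JSON embedded in a <script> block: encode <, > and & as
    JSON \\uXXXX escapes so a string value cannot close the script element.
    The result is still valid JSON and decodes to the same object."""
    return (json.dumps(obj)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def embeds_safely(obj) -> bool:
    """Self-check: the encoded form carries no raw angle bracket and decodes back unchanged."""
    encoded = json_for_script(obj)
    return "<" not in encoded and ">" not in encoded and json.loads(encoded) == obj


def demo() -> dict:
    """Summarise the four behaviours the slide is about."""
    return {
        "blacklist_stops_script_tag": "<" not in naive_blacklist(SCRIPT_TAG),
        "blacklist_bypassed": "<" in naive_blacklist(NO_SCRIPT_TAG),
        "escape_stops_bypass": "<" not in escape_for_html(NO_SCRIPT_TAG),
        "json_embed_safe": embeds_safely({"text": BREAKOUT}),
    }
```

Escaping is chosen per output context: `html.escape` is right for element text and attributes, and is wrong for JSON inside a script block, where the browser's HTML parser ends the element at the first `</script>` regardless of JSON quoting.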
Page 62
rate limiting is essential
Page 63
we need message and payload validation too
Page 64
is this new API world compatible with validation?
Page 65
good APIs are extendable and evolvable
Page 66
/myapi/v1
<contact>
<name>Ronnie</name>
<city>London</city>
</contact>
Page 67
/myapi/v1
<contact>
<name>Ronnie</name>
<city>London</city>
<country>UK</country>
</contact>
Page 68
<xs:complexType>
  <xs:sequence>
    <xs:element name="name" type="xs:string"/>
    <xs:element name="city" type="xs:string"/>
  </xs:sequence>
</xs:complexType>
<contact>
  <name>Ronnie</name>
  <city>London</city>
  <country>UK</country>
</contact>
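The tension the last three slides set up (validation vs. evolvability) worked through in code, as an added example that is not from the talk: a validator for the `<contact>` message that can run either like the closed XSD sequence above (any new element is an error) or in a "validate what you know, bound what you don't" mode that accepts the `<country>` extension while still enforcing the required elements, their sizes and a cap on unknown elements. The size caps are assumed values; the two messages are the slides' own.

```python
import xml.etree.ElementTree as ET

# Known elements of the v1 contact representation and a per-field size cap (assumed values).
KNOWN_FIELDS = {"name": 64, "city": 64}
MAX_UNKNOWN_ELEMENTS = 8   # assumed value

# The two messages from the slides.
CONTACT_V1 = "<contact><name>Ronnie</name><city>London</city></contact>"
CONTACT_V1_EXTENDED = ("<contact><name>Ronnie</name><city>London</city>"
                       "<country>UK</country></contact>")


def validate_contact(xml_text: str, strict: bool) -> dict:
    """Parse and validate a <contact>. strict=True behaves like the closed XSD sequence
    on the slide (any unknown element is an error). strict=False validates the known
    elements and merely bounds the unknown ones, so a newer producer adding <country>
    does not break an older consumer. Returns the known fields as a dict."""
    # ElementTree is fine for this demo; untrusted XML in production should go
    # through defusedxml to neutralise entity expansion and external entities.
    root = ET.fromstring(xml_text)
    if root.tag != "contact":
        raise ValueError("unexpected root element %r" % root.tag)
    result = {}
    unknown = 0
    for child in root:
        if child.tag in KNOWN_FIELDS:
            if child.tag in result:
                raise ValueError("duplicate element %r" % child.tag)
            text = (child.text or "").strip()
            if not text or len(text) > KNOWN_FIELDS[child.tag]:
                raise ValueError("bad value for %r" % child.tag)
            result[child.tag] = text
        elif strict:
            raise ValueError("unknown element %r" % child.tag)
        else:
            unknown += 1
            if unknown > MAX_UNKNOWN_ELEMENTS:
                raise ValueError("too many unknown elements")
    missing = [f for f in KNOWN_FIELDS if f not in result]
    if missing:
        raise ValueError("missing elements: %s" % ", ".join(missing))
    return result


def accepts(xml_text: str, strict: bool) -> bool:
    """True if the message passes validation in the given mode."""
    try:
        validate_contact(xml_text, strict)
        return True
    except (ValueError, ET.ParseError):
        return False
```

The tolerant mode is still validation: required fields, sizes and element counts are enforced, which is what the DoS and injection mitigations earlier in the talk need; only the "no element I have not heard of" rule is relaxed.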
Page 69
API !
Page 70
Man in the Middle
Page 71
Page 72
Man in the Middle Attack: Mitigation
Always use HTTPS
Corollary: Use a secure HTTPS implementation
Page 73
App Spoofing
Page 74
Page 75
App Spoofing
Examples:
- Guessing application ID by brute force
- Retrieving application ID by sniffing traffic
- Cracking application to retrieve application ID
Page 76
how can I protect identity on a mobile device?
Page 77
…?
Page 78
what happens if my mobile app is impersonated?
Page 79
Diagram: API and End User
Page 80
Revenue Source
Page 81
What the Fudge*! I didn’t make 10000 calls yesterday!!!!!!
I’m not paying that.
*This is what WTF actually stands for.
Page 82
I didn’t buy 1000 mobile phones in Russia!
I’m not paying that!
Page 83
Forrester:
we are moving towards a ‘zero-trust’ model
Page 84
New platforms, new languages, new challenges:
• Ruby on Rails
• Node.js
• Scala
• Nginx
• Squid/Varnish/Traffic Manager
Page 85
Page 86
TLS, OAuth 2, OpenID Connect
Page 87
OAuth provides a Delegated Authorization Framework
Page 88
An imperfect analogy….
Page 89
http://www.flickr.com/photos/drewleavy/5587005480
Page 90
http://www.flickr.com/photos/24oranges/5791460046/
Page 91
http://www.flickr.com/photos/grumbler/571106054/
http://www.flickr.com/photos/roboppy/238406811/
Your Money
This Shop Needs Your Money
You need to grant access to your money
Page 92
http://www.flickr.com/photos/drewleavy/5587005480
I won’t tell. I promise!
Page 93
www.flickr.com/photos/auntiep/255249516
Page 94
Granting access to someone to act on your behalf.
Page 95
resolving the password anti-pattern
Page 96
Your resources
This app needs to act on your behalf
You need to grant access to your resources
Page 97
Your Google+ data
This app needs to access your Google+ data
You need to grant access to your resources
Page 98
Hi Google.
I’d like to have access to a user’s friends list.
Page 99
Hang on, let me ask…
Page 100
Page 101
He said yes. Here is your access code.
Page 102
The first step to understanding OAuth 2:
“Client” == application
“Resource owner” == end-user
Page 103
OAuth 2 Grant Types
Authorization Code
Implicit
Resource Owner Password Credentials
Client Credentials
Page 104
Authorization Code Grant
Diagram: Client Application, Resource Owner (using application), Resource Server
I wish I could access my resources through this application…
Page 105
Authorization Code Grant
[Diagram: Resource Owner using the Client Application, which needs to reach the Resource Server]
Resource Owner: “…but I don’t trust this app enough to give it my credentials.”
![Page 106: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/106.jpg)
Authorization Code Grant: Initiation
[Diagram: Client Application, Resource Owner, User Agent, Authorization Server, Resource Server]
Client Application issues a GET request to the Authorization Server via the User-Agent.
![Page 107: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/107.jpg)
Authorization Code Grant: Initiation
[Diagram: Client Application, Resource Owner, User Agent, Authorization Server, Resource Server]
Client Application issues a GET request to the Authorization Server via the User-Agent, carrying: response_type, client_id, redirect_uri, scope, state.
![Page 108: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/108.jpg)
OAuth 2 Authorization Request
response_type – indicates grant type
client_id – application identifier
redirect_uri (optional) – address which the UA can use to respond to the client
scope (optional) – space-delimited string: what the client wants to do
state (optional) – opaque string used to defeat CSRF attacks
Sample Authorization GET URL:
https://azserver/oauth2/authorize?response_type=code&client_id=my_id&state=state&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback
![Page 109: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/109.jpg)
Authorization Code Grant: Resource Owner Authentication
[Diagram: Client Application, Resource Owner, User Agent, Authorization Server, Resource Server]
Authorization Server sends the user authentication form to the User Agent; the Resource Owner authenticates.
![Page 110: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/110.jpg)
Authorization Code Grant: Authorization
[Diagram: Client Application, Resource Owner, User Agent, Authorization Server, Resource Server]
Authorization Server delivers the grant screen to the User Agent; the Resource Owner approves the grant request.
![Page 111: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/111.jpg)
Authorization Code Grant: Receipt of Authorization Code
[Diagram: Client Application, Resource Owner, User Agent, Authorization Server, Resource Server]
Authorization Server redirects the User-Agent (302) to the Client Application; the User-Agent arrives at the Client Application carrying code and state.
![Page 112: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/112.jpg)
Authorization Code Grant: Access Token Request
[Diagram: Client Application, Resource Owner, Authorization Server, Resource Server]
Client Application presents the AZ (authorization) code in a request for an access token, carrying: grant_type, code, redirect_uri, client_id.
Authorization Server returns (200) an access token and an optional refresh token.
![Page 113: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/113.jpg)
Authorization Code Grant: Access Protected Resource
[Diagram: Client Application, Resource Owner, Authorization Server, Resource Server]
Resource Owner, using the application, has the Client Application request the resource from the Resource Server; Resource Server returns the resource (200).
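The client side of the five steps just shown, as an added example that is not code from the talk: it builds the initiation URL with the parameters the slides list, accepts the redirected callback only when the state matches one it issued, and builds the access token request. The endpoint, client_id and redirect_uri are assumed values taken from the sample URL.

```python
# Added example (not from the talk): client side of the Authorization Code Grant.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://azserver/oauth2/authorize"   # assumed, from the sample URL
CLIENT_ID = "my_id"                                    # assumed, from the sample URL
REDIRECT_URI = "http://localhost:8080/callback"        # assumed, from the sample URL

# Pending state values issued by this client (a real app keeps these per user session).
_pending_states = set()


def build_authorization_request(scope=None):
    """Initiation step: return (url, state). The state is random and remembered,
    so the later callback can be tied back to this session (the CSRF defence)."""
    state = secrets.token_urlsafe(32)
    _pending_states.add(state)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if scope:
        params["scope"] = " ".join(scope)   # space-delimited, as the slide describes
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def handle_callback(redirected_url):
    """Receipt step: the AS redirected the User-Agent (302) back to us with code
    and state. Return the code only if the state is one we issued; else None."""
    query = parse_qs(urlparse(redirected_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if state is None or state not in _pending_states:
        return None                      # unknown or missing state: ignore the code
    _pending_states.discard(state)       # each state is accepted once
    return code or None


def build_token_request(code):
    """Access Token Request step: the form body the client sends to the token
    endpoint. redirect_uri must match the one used in the authorization request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }
```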
![Page 114: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/114.jpg)
be careful – much can go wrong!
![Page 115: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/115.jpg)
Authorization Code Grant: Initiation
[Diagram: Client Application, Resource Owner, User Agent, Authorization Server, Resource Server]
Client Application issues a GET request to the Authorization Server via the User-Agent, carrying: response_type, client_id, redirect_uri, scope, state.
![Page 116: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/116.jpg)
Authorization Code Grant: Receipt of Authorization Code
[Diagram: Resource Owner, User Agent, Authorization Server, Resource Server]
Authorization Server redirects the User-Agent (302) to the Client Application; the User-Agent arrives at the Client Application carrying code and state.
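The checks an authorization server can apply at the two steps the "be careful" slides single out, as an added example that is not code from the talk: the redirect_uri in the initiation request must exactly match a registered one, and at the token request the code must be unexpired, single-use, and presented by the same client_id with the same redirect_uri. The client registration and code store are constructed in-memory stand-ins; the client_id and redirect_uri are assumed values from the sample URL.

```python
# Added example (not from the talk): authorization-server side checks.
import secrets
import time

# Constructed client registration: each client_id lists its exact allowed redirect URIs.
REGISTERED_CLIENTS = {
    "my_id": {"redirect_uris": ["http://localhost:8080/callback"]},   # assumed values
}
# Issued authorization codes: code -> (client_id, redirect_uri, expiry timestamp)
_issued_codes = {}
CODE_LIFETIME_SECONDS = 60


def validate_authorization_request(params):
    """Initiation step: return the redirect_uri to use, or None to reject.
    Unknown clients are rejected, and redirect_uri must be an exact string
    match for a registered value (no prefix or pattern matching)."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None or params.get("response_type") != "code":
        return None
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None and len(client["redirect_uris"]) == 1:
        redirect_uri = client["redirect_uris"][0]   # optional param: only if unambiguous
    if redirect_uri not in client["redirect_uris"]:
        return None
    return redirect_uri


def issue_code(client_id, redirect_uri, now=None):
    """After the resource owner approves: mint a short-lived, single-use code
    bound to the client and redirect_uri of the original request."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (client_id, redirect_uri, now + CODE_LIFETIME_SECONDS)
    return code


def redeem_code(token_request, now=None):
    """Access Token Request step: True only if the code exists, is unexpired,
    and is presented by the same client_id with the same redirect_uri.
    The code is removed on first presentation, so any failure also burns it."""
    now = time.time() if now is None else now
    entry = _issued_codes.pop(token_request.get("code"), None)   # pop: single use
    if entry is None or token_request.get("grant_type") != "authorization_code":
        return False
    client_id, redirect_uri, expiry = entry
    return (now <= expiry
            and token_request.get("client_id") == client_id
            and token_request.get("redirect_uri") == redirect_uri)
```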
![Page 117: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/117.jpg)
is this complex?
![Page 118: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/118.jpg)
a better question:
is this too complex?
![Page 119: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/119.jpg)
an even better question:
is this too complex for our developers?
![Page 120: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/120.jpg)
It depends, but it is the best we have today
![Page 121: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/121.jpg)
2 vs. 3 Legged Spectrum
[Diagram: spectrum running from three-legged to two-legged]
![Page 122: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/122.jpg)
Three Legged
[Diagram: Client Application, Resource Owner, Authorization Server, Resource Server]
![Page 123: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/123.jpg)
Two Legged
[Diagram: Client Application, Authorization Server, Resource Server]
![Page 124: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/124.jpg)
OAuth 2 Challenges
It is a framework
![Page 125: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/125.jpg)
OAuth 2 Challenges
It is complex for the implementer
![Page 126: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/126.jpg)
![Page 127: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/127.jpg)
OpenID Connect
Identity Access
Built on top of OAuth 2
Not tied to any single vendor or identity provider
![Page 128: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/128.jpg)
![Page 129: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/129.jpg)
![Page 130: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/130.jpg)
[Diagram: End User and API]
![Page 131: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/131.jpg)
[Diagram: End User and API, with a question mark between them]
![Page 132: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/132.jpg)
[Diagram: Client Application retrieves user information from the OpenID Resource Server using the id_token]
![Page 133: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/133.jpg)
![Page 134: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/134.jpg)
![Page 135: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/135.jpg)
![Page 136: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/136.jpg)
Portal
![Page 137: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/137.jpg)
Who is using the API? How are they (mis)using it?
![Page 138: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/138.jpg)
What would happen if the portal was exploited?
![Page 139: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/139.jpg)
[Diagram: Portal, API, Developer, End User, API]
![Page 140: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/140.jpg)
[Diagram: Portal, API, Administrator]
![Page 141: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/141.jpg)
Where are the components deployed? Who owns the identity store?
![Page 142: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/142.jpg)
[Diagram: Portal, API]
is this safe?
![Page 143: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/143.jpg)
http://www.flickr.com/photos/naomi_pincher/3306312873/
Layered Pattern
![Page 144: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/144.jpg)
![Page 145: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/145.jpg)
Security Layer
TLS termination
OAuth and OpenID Connect support
Schema validation
Boundary enforcement
Cryptographic operations
Security mediation
![Page 146: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/146.jpg)
![Page 147: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/147.jpg)
API Gateway
[Diagram: Gateway in front of multiple APIs]
![Page 148: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/148.jpg)
API Management
[Diagram: Portal and Gateway in front of multiple APIs]
![Page 149: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/149.jpg)
Summary:
Old threats still exist
Be aware of new surfaces and threats
Enforce security in an abstracted layer with a gateway
![Page 150: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/150.jpg)
www.apiacademy.co
![Page 151: Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architect, Layer 7 Talk from Identity Management 2013](https://reader034.vdocuments.mx/reader034/viewer/2022042700/5558247ed8b42a25588b4d09/html5/thumbnails/151.jpg)
Visit the Layer 7 booth for information on our gateways and portals!