Overview
Explore OAuth and OpenID Connect as powerful tools for managing identity in distributed systems during this 48-minute conference talk from GOTO Copenhagen 2019. Discover how to leverage these protocols to enhance agility, scalability, and security in your API infrastructure. Learn about tracing and delegating end-user identities, managing user permissions across large organizations, and implementing standards-based approaches for large-scale deployments. Delve into topics such as API security maturity models, the limitations of API keys and Basic Auth, and practical examples involving publishers and mobile apps. Gain insights on passing information securely, verifying claims, utilizing attribute sources, and effectively implementing access control. Understand the distinctions between claims and scopes, explore custom grouping techniques, and learn how to identify essential data for tokens. Conclude with a summary of best practices for maintaining a clean, non-spaghetti-like architecture and properly distinguishing between attributes and claims in your identity management strategy.
Syllabus
Intro
Me, using a service
API Security Maturity Model
The problem with API keys and Basic Auth
Example: The publisher
Scopes Example
Example: The Swish app
Passing information around
Verifying claims
Using Claims
Attribute sources
Claim data
How to identify data to put in the token
Scope not Scopes
Claims vs. Scopes
Custom Grouping
Usefulness
Access Control Example
Summary: No spaghetti
Summary: Attributes are not claims
Taught by
GOTO Conferences