The Nuts and Bolts of API Security: Protecting Your Data at All Times

Travis Spencer - Curity (formerly Twobo Technologies). Nordic APIs World Tour 2015: May 11 - Copenhagen.

Travis Spencer argues that API keys are insufficient for implementing proper API security and identity management. This talk delves into OAuth and OpenID Connect, with the goal of creating a holistic approach to API and enterprise security that keeps all systems safe through a multi-faceted approach to identity control.

This talk specifically covers:
- The risks of relying solely on API keys
- A fundamental introduction to OAuth as an identity delegation protocol
- The actors involved in an OAuth process
- Step-by-step processes involved in the common web server OAuth flow (validating tokens, returning data, etc.)
- An overview of scopes, permissions and delegations
- Kinds of tokens (access tokens, refresh tokens)
- Profiles of tokens (bearer, holder-of-key)
- An overview of token types (WS-Security, SAML, JWT)
- Using OpenID Connect as a federation protocol
- A step-by-step OpenID Connect flow example
- and more

For thought-provoking pieces on everything APIs, check out the Nordic APIs blog: http://nordicapis.com/blog/
Read Curity's blog for more on API security: https://curity.io/blog/