WSO2, profile picture
Uploaded byWSO2
PDF, PPTX357 views

[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for your API in 2021

The document outlines best practices for API authentication and authorization in 2021, emphasizing the need for strong security measures due to a significant increase in data breaches. It covers the importance of protecting APIs using OAuth 2.0 flows, multi-factor authentication, and dynamic authentication methods to enhance user security. The document also highlights the role of authorization in limiting access to resources and implementing fine-grained access controls.

Download as PDF, PPTX
Authentication and Authorization Best Practices for Your API in 2021 June 16, 2021 isharak@wso2.com Director of Engineering, IAM @ WSO2 Ishara Karunarathna
2 The Agenda ● High-level API security architecture ● Authentication and authorization for API access ● Implementing authentication and authorization best practices ○ Demo using WSO2 Identity Server
API Security Architecture
25,000-Foot View of API Security Architecture 4
Closer View of API Security Architecture 5
Recommended OAuth 2.0 Flows for API Access 6 Grant Type Web App Native App SPA Services Device Authorization Code X Authorization Code with PKCE X X Client Credentials X X Implicit Flow X* Password Grant X* Device Authorization Grant X JWT and SAML Grant (RFC7523) X OAuth MTLS (RFC8705) X X Token Exchange (RFC8693) X X
Authentication and Authorization for API Access
8 Over 8.4B records exposed during the first quarter of 2020 Whopping 273% increase compared to Q1 2019 Approximately 70% due to unauthorized access to systems or services Due to the COVID-19 pandemic, millions of employees around the world switched to remote working, and many businesses were forced to adopt digitalization within a short time frame. Attackers thrived during this period because companies skipped some of the long-held security practices in the rush to adopt the new normal. 2020 2020 Q1 Data Breach QuickView Report - Risk Based Security
9 IAM should not be the weakest link in the system
End-User Identity Management Digital identities can be everywhere. Managing them is a primary concern. ● Different user Stores ● Different user types ● Different user schemas ● Different user management workflows 10
11 Authentication Verifying that a person is who they say they are.
Authentication ‘Passwords’ are Not Secure! ● Around 60% of people reuse passwords across multiple sites regularly. ● 13% of people use the same password for all accounts and devices. ● 48% of workers use the same password in both their personal and work accounts. ● 80% of data breaches in 2019 were caused by password compromise. Authentication must be a focal point when protecting your APIs. 12
Strong Authentication Authenticating users by challenging them with multiple authentication factors, e.g., password, SMS, and fingerprint. ● Multi-factor authentication (MFA) ⦿ Knowledge ⦾ Something you know ⦾ Password, pin, secret ⦿ Possession ⦾ Something you have ⦾ Phone, token, badge, smart card ⦿ Inherence ⦾ Something you are ⦾ Fingerprint, facial feature, voice
14 User is not static, so is their authentication ● Authentication needs to be more dynamic and responsive ● Context sensitivity is important ● Security is key, but it should be balanced with convenience
Adaptive Authentication ● Provides high security without impacting usability. ● Select the right authentication factors depending on a user’s risk profile and tendencies. 15
Demo time
Federated API Access 17 Attract developer community Acquisitions and mergers Hassle-free API access
Federated API Access 18
Identity Federation 19
Demo time
21 Authorization Verifying whether the user is permitted to access a specific resource or function.
Authorization ● OAuth 2.0 scopes limit an application's access to a user's resources. ● Authorization server-level and resource-level scope validation. Upcoming, ● Rich Authorization Requests (draft) ● Incremental Authorization (draft) 22
Fine-grained Scope Validation Rule and Policy-Based scope validation: ● XACML ● Open Policy Agent (OPA) 23
Question Time! 24
wso2.com Thanks!

More Related Content

PDF
Which ap is which business models_ a real-world guide for banks in sri lanka
byWSO2
 
PPTX
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
byapidays
 
PPTX
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
byapidays
 
PDF
Best Practices for Productizing APIs with API Management and Automated Testing
byWSO2
 
PDF
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]
byWSO2
 
PDF
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
byWSO2
 
PDF
Identity Hub’s Role in Social Logins
byWSO2
 
PDF
An Entry Point to Impactful Open Banking Architecture
byWSO2
 
Which ap is which business models_ a real-world guide for banks in sri lanka
byWSO2
 
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
byapidays
 
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
byapidays
 
Best Practices for Productizing APIs with API Management and Automated Testing
byWSO2
 
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]
byWSO2
 
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
byWSO2
 
Identity Hub’s Role in Social Logins
byWSO2
 
An Entry Point to Impactful Open Banking Architecture
byWSO2
 

What's hot

PDF
API-first Integration for Microservices
byWSO2
 
PDF
API Driven Applications - An ecosystem architecture
byWSO2
 
PDF
Message based microservices architectures driven with docker
byDocker, Inc.
 
PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
PDF
Role of API Management in an API led Digital Economy
byWSO2
 
PPTX
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
byapidays
 
PDF
Identity Federation Patterns with WSO2 Identity Server​
byWSO2
 
PDF
WSO2 Product Release Webinar - WSO2 API Manager 1.9
byWSO2
 
PDF
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
byWSO2
 
PDF
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
byWSO2
 
PDF
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
byWSO2
 
PDF
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
byWSO2
 
PDF
Open Banking and PSD2: Are your APIs ready for external testing?
byWSO2
 
PDF
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
byapidays
 
PDF
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
byapidays
 
PDF
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
byWSO2
 
PDF
Integrating Healthcare Applications with EMR Systems and Databases and Transf...
byWSO2
 
PDF
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
byapidays
 
PDF
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
byWSO2
 
PDF
[WSO2 Summit Sydney 2019] API-Driven World
byWSO2
 
API-first Integration for Microservices
byWSO2
 
API Driven Applications - An ecosystem architecture
byWSO2
 
Message based microservices architectures driven with docker
byDocker, Inc.
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
byapidays
 
Role of API Management in an API led Digital Economy
byWSO2
 
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
byapidays
 
Identity Federation Patterns with WSO2 Identity Server​
byWSO2
 
WSO2 Product Release Webinar - WSO2 API Manager 1.9
byWSO2
 
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
byWSO2
 
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
byWSO2
 
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
byWSO2
 
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
byWSO2
 
Open Banking and PSD2: Are your APIs ready for external testing?
byWSO2
 
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
byapidays
 
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
byapidays
 
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
byWSO2
 
Integrating Healthcare Applications with EMR Systems and Databases and Transf...
byWSO2
 
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
byapidays
 
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
byWSO2
 
[WSO2 Summit Sydney 2019] API-Driven World
byWSO2
 

Similar to [APIdays INTERFACE 2021] Authentication and Authorization Best Practices for your API in 2021

PDF
API Security Best Practices and Guidelines
byWSO2
 
PDF
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
byapidays
 
PPTX
API Security from the DevOps and CSO Perspectives (Webcast)
byApigee | Google Cloud
 
PDF
API Security In Cloud Native Era
byWSO2
 
PDF
How To Fix The Most Critical API Security Risks.pdf
byNiloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
PPTX
Extended Security with WSO2 API Management Platform
byWSO2
 
PPTX
2022 APIsecure_Hackers with Valid Credentials
byAPIsecure_ Official
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
API Security: the full story
by42Crunch
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PDF
API Vulnerabilties and What to Do About Them
byEoin Woods
 
PDF
42Crunch Security Audit for WSO2 API Manager 3.1
byWSO2
 
PDF
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
byapidays
 
PDF
APISecurity_OWASP_MitigationGuide
byIsabelle Mauny
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
PPTX
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape (Id...
byDavid Brossard
 
PDF
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
PPTX
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
byPing Identity
 
PDF
Enhancing your Security APIs
byApigee | Google Cloud
 
API Security Best Practices and Guidelines
byWSO2
 
apidays LIVE London 2021 - API Security challenges and solutions by Wadii Tah...
byapidays
 
API Security from the DevOps and CSO Perspectives (Webcast)
byApigee | Google Cloud
 
API Security In Cloud Native Era
byWSO2
 
How To Fix The Most Critical API Security Risks.pdf
byNiloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
Extended Security with WSO2 API Management Platform
byWSO2
 
2022 APIsecure_Hackers with Valid Credentials
byAPIsecure_ Official
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
API Security: the full story
by42Crunch
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
API Vulnerabilties and What to Do About Them
byEoin Woods
 
42Crunch Security Audit for WSO2 API Manager 3.1
byWSO2
 
APIsecure 2023 - API Security - doing more with less, Nir Paz (Standard.ai)
byapidays
 
APISecurity_OWASP_MitigationGuide
byIsabelle Mauny
 
API Security Fundamentals
byJosé Haro Peralta
 
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape (Id...
byDavid Brossard
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
byapidays
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
byPing Identity
 
Enhancing your Security APIs
byApigee | Google Cloud
 

More from WSO2

PDF
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
byWSO2
 
PDF
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
byWSO2
 
PDF
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
byWSO2
 
PDF
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
byWSO2
 
PDF
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
byWSO2
 
PDF
Platformless Modernization with Choreo.pdf
byWSO2
 
PDF
Application Modernization with Choreo for the BFSI Sector
byWSO2
 
PDF
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
byWSO2
 
PDF
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
byWSO2
 
PPTX
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
byWSO2
 
PPTX
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
byWSO2
 
PPTX
WSO2Con 2025 - Building Secure Customer Experience Apps
byWSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
PPTX
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
PPTX
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
byWSO2
 
PPTX
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
byWSO2
 
PPTX
WSO2Con 2025 - Architecting Cloud-Native Applications
byWSO2
 
PDF
Mastering Intelligent Digital Experiences with Platformless Modernization
byWSO2
 
PDF
Accelerate Enterprise Software Engineering with Platformless
byWSO2
 
PDF
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
byWSO2
 
Demystifying CMS-0057-F - Compliance Made Seamless with WSO2
byWSO2
 
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
byWSO2
 
Modern Platform Engineering with Choreo - The AI-Native Internal Developer Pl...
byWSO2
 
Application Modernization with Choreo - The AI-Native Internal Developer Plat...
byWSO2
 
Build Smarter, Deliver Faster with Choreo - An AI Native Internal Developer P...
byWSO2
 
Platformless Modernization with Choreo.pdf
byWSO2
 
Application Modernization with Choreo for the BFSI Sector
byWSO2
 
Choreo - The AI-Native Internal Developer Platform as a Service: Overview
byWSO2
 
[Roundtable] Choreo - The AI-Native Internal Developer Platform as a Service
byWSO2
 
WSO2Con 2025 - Building AI Applications in the Enterprise (Part 1)
byWSO2
 
WSO2Con 2025 - Building Secure Business Customer and Partner Experience (B2B)...
byWSO2
 
WSO2Con 2025 - Building Secure Customer Experience Apps
byWSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
WSO2Con 2025 - AI-Driven API Design, Development, and Consumption with Enhanc...
byWSO2
 
WSO2Con 2025 - Unified Management of Ingress and Egress Across Multiple API G...
byWSO2
 
WSO2Con 2025 - How an Internal Developer Platform Lets Developers Focus on Code
byWSO2
 
WSO2Con 2025 - Architecting Cloud-Native Applications
byWSO2
 
Mastering Intelligent Digital Experiences with Platformless Modernization
byWSO2
 
Accelerate Enterprise Software Engineering with Platformless
byWSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
byWSO2
 

Recently uploaded

PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PDF
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
PDF
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Virtualization and Container Technologies in Cloud Security - ISC2 Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PPTX
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Virtualization and Container Technologies in Cloud Security - ISC2 Certificate
byVICTOR MAESTRE RAMIREZ
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Your First Deep Learning project With CNN (workshop).pptx
byMuhammad Fahad Bashir
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 

[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for your API in 2021

  • 1.
    Authentication and AuthorizationBest Practices for Your API in 2021 June 16, 2021 isharak@wso2.com Director of Engineering, IAM @ WSO2 Ishara Karunarathna
  • 2.
    2 The Agenda ● High-levelAPI security architecture ● Authentication and authorization for API access ● Implementing authentication and authorization best practices ○ Demo using WSO2 Identity Server
  • 3.
  • 4.
    25,000-Foot View ofAPI Security Architecture 4
  • 5.
    Closer View ofAPI Security Architecture 5
  • 6.
    Recommended OAuth 2.0Flows for API Access 6 Grant Type Web App Native App SPA Services Device Authorization Code X Authorization Code with PKCE X X Client Credentials X X Implicit Flow X* Password Grant X* Device Authorization Grant X JWT and SAML Grant (RFC7523) X OAuth MTLS (RFC8705) X X Token Exchange (RFC8693) X X
  • 7.
  • 8.
    8 Over 8.4B records exposed duringthe first quarter of 2020 Whopping 273% increase compared to Q1 2019 Approximately 70% due to unauthorized access to systems or services Due to the COVID-19 pandemic, millions of employees around the world switched to remote working, and many businesses were forced to adopt digitalization within a short time frame. Attackers thrived during this period because companies skipped some of the long-held security practices in the rush to adopt the new normal. 2020 2020 Q1 Data Breach QuickView Report - Risk Based Security
  • 9.
    9 IAM should notbe the weakest link in the system
  • 10.
    End-User Identity Management Digitalidentities can be everywhere. Managing them is a primary concern. ● Different user Stores ● Different user types ● Different user schemas ● Different user management workflows 10
  • 11.
    11 Authentication Verifying that aperson is who they say they are.
  • 12.
    Authentication ‘Passwords’ are NotSecure! ● Around 60% of people reuse passwords across multiple sites regularly. ● 13% of people use the same password for all accounts and devices. ● 48% of workers use the same password in both their personal and work accounts. ● 80% of data breaches in 2019 were caused by password compromise. Authentication must be a focal point when protecting your APIs. 12
  • 13.
    Strong Authentication Authenticating usersby challenging them with multiple authentication factors, e.g., password, SMS, and fingerprint. ● Multi-factor authentication (MFA) ⦿ Knowledge ⦾ Something you know ⦾ Password, pin, secret ⦿ Possession ⦾ Something you have ⦾ Phone, token, badge, smart card ⦿ Inherence ⦾ Something you are ⦾ Fingerprint, facial feature, voice
  • 14.
    14 User is notstatic, so is their authentication ● Authentication needs to be more dynamic and responsive ● Context sensitivity is important ● Security is key, but it should be balanced with convenience
  • 15.
    Adaptive Authentication ● Provideshigh security without impacting usability. ● Select the right authentication factors depending on a user’s risk profile and tendencies. 15
  • 16.
  • 17.
    Federated API Access 17 Attractdeveloper community Acquisitions and mergers Hassle-free API access
  • 18.
  • 19.
  • 20.
  • 21.
    21 Authorization Verifying whether theuser is permitted to access a specific resource or function.
  • 22.
    Authorization ● OAuth 2.0scopes limit an application's access to a user's resources. ● Authorization server-level and resource-level scope validation. Upcoming, ● Rich Authorization Requests (draft) ● Incremental Authorization (draft) 22
  • 23.
    Fine-grained Scope Validation Ruleand Policy-Based scope validation: ● XACML ● Open Policy Agent (OPA) 23
  • 24.
  • 25.