Securing Your APIs with OAuth 2.0 - API Days

69,603 views

OktaDev

1 day ago

SLIDES: speakerdeck.com/aaronpk/secur...
In this talk, you’ll learn how to use OAuth 2.0 to secure access to your APIs. OAuth is an authorization protocol that lets applications access data on behalf of users without ever learning their username and password. This enables many use cases, such as easily adding multi-factor authorization for your users and a cleaner separation of concerns across your backend services.
We’ll look at how to use JWT access tokens, as well as the tradeoffs that come with them. We’ll look at how to design scopes that allow granular access to various parts of your backend services. We’ll also look at how to design a microservices architecture protected by OAuth at a gateway.
Aaron's book, OAuth 2.0 Simplified: amzn.to/2S6Uj4e
Follow Aaron at / aaronpk
---
Okta is a developer API service that stores user accounts for your web apps, mobile apps, and APIs.
* Sign up for Okta for free at developer.okta.com/signup/
* For more info visit us at developer.okta.com/
* Developer Blog: developer.okta.com/blog/
* Follow us on Twitter: / oktadev
* Follow us on FB: / oktadevelopers
* Follow us on LinkedIn: / oktadev

COMMENTS: 29
@Chris.Plunkett 1 year ago
This is a golden example of how a technical presentation should be. Great job!
@mingzus 3 years ago
Not the shortest one on UKposts, but one of the BEST at explaining OAuth! Thank you!
@parthsalat 3 years ago
That's coz he made OAuth 2.0
@starman9000 7 months ago
The presenter was clear in his mind about what he was talking about! I was able to understand what I had failed to understand from many other similar pieces of content. Thank you.
@AnonyoX 1 year ago
One of the best presentations on this topic. Lucid, on-point, and yet moderately detailed. Thank you, Aaron.
@ThePersepolis32 3 years ago
I already read some articles, but this was a perfect explanation.
@FictionsAndIllusions 3 years ago
Thanks for this video. I was curious about how to secure Web APIs using OAuth2.0 and the second half of this talk answered it perfectly.
@randyhockin2437 4 years ago
Excellent presentation Aaron.
@sergiocamacho730 3 years ago
Excellent presentation. It wasn't hard at all to watch for a half-hour talk.
@joeyjoejoo 1 year ago
That was an absolutely brilliant tutorial. Thanks very much.
@OktaDev 1 year ago
You're very welcome! Glad that you enjoyed it.
@pepsiholix 7 months ago
Now that was an excellent talk!
@pradeeprao6733 3 years ago
Comprehensive presentation, thanks.
@sumitkumarb4u 2 years ago
Very nice presentation. Really helped!
@JanithKalhara 1 year ago
Simple and clean.
@beatagozdziaszek8157 4 years ago
6:28 Start of the OAuth 2.0 flow
@bdoesbjj 3 years ago
tintuu Why are you laughing? Your comment is not helpful at all.
@santiagocavanna 1 year ago
Thanks for sharing this information. I found it very clear and useful. I am doing some work as an IAM architect, and the path is not always clear.
@green10701 4 years ago
Perfect explanation 10:28
@mansimen 3 years ago
Hi, great presentation; the hotel card analogy is quite good. But IMHO, a really poor choice of colors for the slides. I'm colorblind and don't see any difference between those arrows that you mentioned in the slide at minute 10:39.
@alittleextra2832 2 years ago
The world does not revolve around you.
@alirezaamedeo 1 year ago
PKCE is not the replacement of client authentication. It's simply to prove whoever is exchanging code for token is the same guy who requested the code.
@smritisharan-sfdcamplified 20 days ago
Nice
@HenryPan 4 years ago
Is OAuth 2.0 itself secure enough?
@oko2708 4 years ago
4:15
@davidharris3391 3 years ago
Empirical data, i.e. the past several years of billions (or trillions?) of transactions using OAuth2, would say "if used properly, yes".
@domaincontroller 3 years ago
Specs are not good tutorials, 20 specs 00:57 the password anti-pattern 02:23 OAuth spec, Sign in with 02:46 OAuth was designed to give access to data, accessing APIs, not about identifying the user 04:15 OpenID Connect 04:36 OAuth originally created for that third-party app access, first-party app as well, Gmail actually redirects you to the Google OAuth server 06:24 we gonna take a look how OAuth works, from an application point of view 06:39 access token, hotel key 07:57 five roles 08:51 starting with the simplest flow 10:45
@alirezaamedeo 1 year ago
You may not want to expose scopes of a JWT to the world so reference token will be the only option.
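The talk description mentions JWT access tokens, their tradeoffs, and scope-based access enforced at a gateway, and the comment above points at one of those tradeoffs: a JWT carries its scopes in a payload that anyone holding the token can read, whereas a reference token reveals nothing until the authorization server is asked. The following is an added example written for this page, not code from the talk, from Okta, or from the commenter. It uses only the Python standard library; the key, issuer, audience, claims and reference-token store are all constructed for the demo, and HS256 with a shared secret stands in for the asymmetric keys a real authorization server would publish.

```python
"""Added example: what a JWT access token reveals to its bearer, how an API
gateway verifies it and enforces a scope, and how an opaque reference token
is resolved by asking the authorization server instead (RFC 7662 style).
Everything below is constructed for the demo."""
import base64
import hashlib
import hmac
import json

# Constructed demo values (hypothetical issuer/audience, throwaway key).
DEMO_KEY = b"constructed-demo-hmac-key-do-not-reuse"
ISSUER = "https://as.example"        # hypothetical authorization server
AUDIENCE = "photos-api"              # hypothetical resource server
NOW = 1_700_000_000                  # frozen clock so the checks are deterministic
DEMO_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
               "scope": "photos:read", "exp": NOW + 600}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT access token (the authorization server's job)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT any key. Anyone holding the token (the
    client, a proxy, a log pipeline) can read the scopes this way."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Gateway-side validation: pin the algorithm, check the signature with a
    constant-time compare, then check issuer, audience and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":   # allow-list the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def gateway_authorize(token: str, required_scope: str, now: float = NOW) -> tuple:
    """Return (HTTP status, detail) the way an OAuth-protected gateway would:
    401 for an invalid token, 403 for a valid token that lacks the scope."""
    try:
        claims = verify_jwt(token, DEMO_KEY, ISSUER, AUDIENCE, now)
    except ValueError as exc:
        return 401, f"invalid_token: {exc}"
    granted = set(claims.get("scope", "").split())   # RFC 6749 scope is space-delimited
    if required_scope not in granted:
        return 403, "insufficient_scope"
    return 200, claims["sub"]


def swap_payload(token: str, new_claims: dict) -> str:
    """Rewrite the payload but keep the original signature; used only to show
    that the gateway rejects a token whose claims were altered in transit."""
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + s


# Reference-token alternative: the token is a random handle, the claims stay
# at the authorization server, and the gateway asks for them on each request.
REFERENCE_TOKENS = {"ref-constructed-0001": {"active": True, "sub": "alice", "scope": "photos:read"}}


def introspect(reference_token: str) -> dict:
    """Stand-in for the AS introspection endpoint; unknown tokens are inactive."""
    return REFERENCE_TOKENS.get(reference_token, {"active": False})


if __name__ == "__main__":
    jwt = mint_jwt(DEMO_CLAIMS, DEMO_KEY)
    print("scopes visible to anyone holding the JWT:", peek_claims(jwt)["scope"])
    print("gateway, photos:read :", gateway_authorize(jwt, "photos:read"))
    print("gateway, photos:write:", gateway_authorize(jwt, "photos:write"))
    forged = swap_payload(jwt, {**DEMO_CLAIMS, "scope": "photos:write"})
    print("altered payload      :", gateway_authorize(forged, "photos:write"))
    print("expired              :", gateway_authorize(jwt, "photos:read", now=NOW + 3600))
    print("reference token, resolved only via introspection:", introspect("ref-constructed-0001"))
```

The two halves show the tradeoff in the comment: `peek_claims` needs no key, so a JWT's scopes are public to whoever holds it, while a reference token is meaningless offline and every lookup costs a round trip to the authorization server. The gateway returns 401 for anything that fails signature, issuer, audience or expiry checks and 403 only for a genuine token missing the required scope, which keeps the two failure modes distinguishable in logs.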
@allyc0des972 3 years ago
It's "couldn't care less", not "could care less".