Intro to API Security
Matthew DeNapoli, DevNet Systems Engineer
DEVNET-1060

Agenda
• Introduction
• Authentication vs. Authorization
• Basic Authentication
• Token Authentication
• OAuth

Introduction
• API Security, or: I Ain’t Afraid of No Data Breach
• APIs are access to data!
  • GET Data
  • ADD Data
  • CHANGE Data
  • DELETE Data
• APIs use resources! Compute & Storage

DEVNET-1060

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public


Authentication vs. Authorization vs. Federation vs. Delegation
• Authentication – I am me
• Authorization – I am allowed to do this (whatever that is)
• Federation – where can I do this
• Delegation – I am trusted here as well


Basic Authentication/Authorization

Application and Service, challenge first:
1. Application: Hey service, I’m making an API Request
2. Service: Cool! I need a valid username:password
3. Application: You’re the boss. Here’s username:password
4. Service: All looks good! I’ve processed your API Request

OR, credentials sent up front:
1. Application: Hey service, I’m making an API Request and here’s my username:password.
2. Service: All looks good! I’ve processed your API Request!

Basic Authentication with CMX
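The two Basic Authentication exchanges above, worked through in Python as an added example (this is not code from the slides or from CMX). The client builds the `Authorization: Basic base64(username:password)` header; the service answers a credential-less request with a 401 challenge, parses the header on the retry, and checks the password against a salted PBKDF2 hash in constant time. The user store, realm name and sample credentials are constructed for the example; the password deliberately contains colons to show that only the first colon separates the two fields.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


# Constructed user store for the example: the service keeps only a salted
# PBKDF2 hash of each password, never the plaintext it receives on the wire.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_record(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {"alice": make_user_record("s3cret:with:colons")}   # constructed sample user


def build_basic_header(username: str, password: str) -> str:
    """Client side: RFC 7617 Basic credentials are base64(username ':' password)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Service side: recover (username, password), or None if the header is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates the fields; the password may contain more.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(authorization: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Service side: returns (status, response headers) for one API request."""
    if authorization is None:
        # Step 2 of the first flow: "I need a valid username:password"
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    creds = parse_basic_header(authorization)
    if creds is None:
        return 400, {}
    username, password = creds
    record = USERS.get(username)
    # Hash even for unknown users so response timing does not reveal which names exist.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    if hmac.compare_digest(_hash_password(password, salt), expected) and record:
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="api"'}


def basic_auth_exchange(username: str, password: str) -> int:
    """Client side of the first flow: ask, get challenged, retry with credentials."""
    status, headers = handle_request(None)
    if status != 401 or "WWW-Authenticate" not in headers:
        return status                       # no challenge, nothing to answer
    status, _ = handle_request(build_basic_header(username, password))
    return status


if __name__ == "__main__":
    print(basic_auth_exchange("alice", "s3cret:with:colons"))   # 200
    print(basic_auth_exchange("alice", "wrong"))                 # 401
```

Note what the flow implies for the service: the password itself travels on every request (base64 is encoding, not encryption, so TLS is mandatory), and the only way to cut off a client is to change the password. Those two properties are what the token flow on the next slides addresses.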

Token Authentication/Authorization
1. Application: Hey service, I would like to make an API Request. I need a token. Here are my credentials
2. Service: Credentials check out. Here’s your token
3. Application: Thanks! Here’s an API Request (or many API Requests) using my token
4. Service: All looks good! I’ve processed your API Request

Token Authentication with APIC-EM
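The token exchange above as an added Python example; it is not APIC-EM's API or code from the slides. Credentials are checked once, an opaque high-entropy token is issued with a time-to-live, and later requests carry it as `Authorization: Bearer <token>`. The user store, TTL and the injectable clock are constructed for the example (the clock is there so expiry can be exercised without waiting).

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class TokenRecord:
    username: str
    expires_at: float


class TokenService:
    """Constructed example service: trades credentials for a short-lived opaque token."""

    def __init__(self, users: Dict[str, str], ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        self._users = users            # constructed sample store: username -> password
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so tests can advance time
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, username: str, password: str) -> Optional[str]:
        """Steps 1-2: check credentials once and hand back a token (or None)."""
        expected = self._users.get(username)
        ok = hmac.compare_digest(password.encode(), (expected or "").encode())
        if not ok or expected is None:
            return None
        token = secrets.token_urlsafe(32)          # unguessable; carries no meaning itself
        self._tokens[token] = TokenRecord(username, self._clock() + self._ttl)
        return token

    def authorize(self, authorization: Optional[str]) -> Tuple[int, Optional[str]]:
        """Steps 3-4: every later request carries 'Authorization: Bearer <token>'."""
        if not authorization:
            return 401, None
        scheme, _, token = authorization.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, None
        record = self._tokens.get(token)
        if record is None:
            return 401, None
        if self._clock() >= record.expires_at:
            del self._tokens[token]                # expired: force re-authentication
            return 401, None
        return 200, record.username

    def revoke(self, token: str) -> bool:
        """Server-side revocation, which a bearer token allows and Basic auth does not."""
        return self._tokens.pop(token, None) is not None


def run_token_scenario() -> Tuple[int, int, int, Optional[str], int, int]:
    """Walks the flow once with a fake clock; returns the observed statuses."""
    now = [1_000.0]
    svc = TokenService({"alice": "correct horse"}, ttl_seconds=60, clock=lambda: now[0])
    bad = svc.issue("alice", "wrong")                  # None: no token for bad credentials
    token = svc.issue("alice", "correct horse")
    s_no_hdr, _ = svc.authorize(None)                  # 401: nothing presented
    s_ok, who = svc.authorize(f"Bearer {token}")       # 200, "alice"
    now[0] += 61                                       # advance past the TTL
    s_expired, _ = svc.authorize(f"Bearer {token}")    # 401: token timed out
    token2 = svc.issue("alice", "correct horse")
    svc.revoke(token2)
    s_revoked, _ = svc.authorize(f"Bearer {token2}")   # 401: token withdrawn
    return (0 if bad is None else 1, s_no_hdr, s_ok, who, s_expired, s_revoked)


if __name__ == "__main__":
    print(run_token_scenario())   # (0, 401, 200, 'alice', 401, 401)
```

The password crosses the wire exactly once; everything after that is the token, which can expire or be revoked without touching the user's credential. A stolen token is still a bearer credential, so the TTL is the service's main limit on the damage.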

OAuth 2.0 – Open Authorization
• NOT Authentication – NO IDENTITY MANAGEMENT IS SPECIFIED
  • Use OpenID as an authentication layer
• Standardized token method (well, kind of…)
• Federation
• Delegation
• Two-legged authorization
• Three-legged authorization (the good stuff)
• The best intro to OAuth 2: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 (as a note of reference, this is what we’ll be going through the rest of the way)

OAuth 2.0 – Roles
• Resource Owner: The actual user.
• Client: The application
• Authorization Server: Verifies identity and issues tokens to the application
• Resource Server: Hosts the protected accounts/content

OAuth 2.0 – General Flow


OAuth 2.0 – Terms
• Application/Client Registration
• Client ID/Secret: Issued by Authorization Server when application (client) is registered
• Authorization Grant: 4 Types
  • Authorization Code
  • Implicit
  • Resource Owner Password Credentials
  • Client Credentials

OAuth 2.0 – Authorization Code Flow


OAuth 2.0 – Implicit Code Flow
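The roles, terms and authorization code flow from the preceding slides, simulated in one Python process as an added example (not code from the slides, the DigitalOcean tutorial, or any Cisco product). The resource owner's login at the authorization server is reduced to a consent flag; the client id, secret, redirect URI, scopes and data are constructed. The `state` value the client attaches is part of OAuth 2.0 (RFC 6749) and is what ties a callback to the request that started it. The same classes show why the implicit grant is the weaker option: it returns the access token directly in the redirect, so the client-secret check and the single-use code exchange in `token()` below have no counterpart there.

```python
import secrets
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data: the Client ID/Secret the authorization server
# hands out when the application is registered (terms slide).
CLIENT_ID = "demo-app"
CLIENT_SECRET = "demo-app-secret"               # constructed; real secrets are random
REDIRECT_URI = "https://app.example/callback"   # constructed


class AuthorizationServer:
    """Verifies the resource owner, issues codes and tokens."""

    def __init__(self, clients: Dict[str, Tuple[str, str]]) -> None:
        self._clients = clients    # client_id -> (client_secret, registered redirect_uri)
        self._codes: Dict[str, Tuple[str, str]] = {}   # code -> (client_id, scope)
        self._tokens: Dict[str, str] = {}              # access token -> scope

    def authorize(self, client_id: str, redirect_uri: str, scope: str, state: str,
                  owner_consents: bool) -> str:
        """Front channel: the redirect URL the owner's browser is sent back with."""
        registered = self._clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            # Never redirect to an unregistered URI; that is how codes leak.
            raise ValueError("unknown client or redirect_uri mismatch")
        if not owner_consents:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, scope)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id: str, client_secret: str, code: str) -> Optional[str]:
        """Back channel: the client authenticates with its secret and swaps the code."""
        registered = self._clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return None
        issued = self._codes.pop(code, None)       # single use: a replayed code fails
        if issued is None or issued[0] != client_id:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = issued[1]
        return token

    def introspect(self, token: str) -> Optional[str]:
        """Lets the resource server ask which scope, if any, a token carries."""
        return self._tokens.get(token)


class ResourceServer:
    """Hosts the protected content; accepts only tokens the authorization server knows."""

    def __init__(self, auth_server: AuthorizationServer, data: Dict[str, str]) -> None:
        self._as, self._data = auth_server, data

    def get(self, authorization: Optional[str], resource: str) -> Tuple[int, Optional[str]]:
        scheme, _, token = (authorization or "").partition(" ")
        scope = self._as.introspect(token) if scheme == "Bearer" else None
        if scope is None:
            return 401, None                        # no valid token
        if resource not in scope.split():
            return 403, None                        # valid token, not granted this scope
        return 200, self._data[resource]


class Client:
    """The application: it never sees the owner's password, only a code, then a token."""

    def __init__(self, auth_server: AuthorizationServer) -> None:
        self._as = auth_server
        self._pending: Set[str] = set()

    def start(self, scope: str, owner_consents: bool = True) -> str:
        state = secrets.token_urlsafe(16)           # ties the callback to this request
        self._pending.add(state)
        return self._as.authorize(CLIENT_ID, REDIRECT_URI, scope, state, owner_consents)

    def callback(self, redirect_url: str) -> Optional[str]:
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        if state not in self._pending:
            return None                             # forged, stale or replayed callback
        self._pending.discard(state)
        if "code" not in params:
            return None                             # owner declined (error=access_denied)
        return self._as.token(CLIENT_ID, CLIENT_SECRET, params["code"][0])


def run_oauth_scenario() -> Tuple[int, int, bool, bool]:
    """Runs the three-legged flow once and returns what each check observed."""
    auth = AuthorizationServer({CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    rs = ResourceServer(auth, {"profile": "alice's profile", "mail": "alice's mail"})
    client = Client(auth)
    redirect = client.start("profile")              # owner logs in at the AS and consents
    token = client.callback(redirect)
    granted, _ = rs.get(f"Bearer {token}", "profile")      # 200
    out_of_scope, _ = rs.get(f"Bearer {token}", "mail")    # 403: token not scoped for mail
    replayed = client.callback(redirect) is None           # True: state and code used up
    declined = client.callback(client.start("profile", owner_consents=False)) is None
    return granted, out_of_scope, replayed, declined
```

Three roles beyond the owner appear here, which is the "three-legged" case the slides single out: the client only ever holds a code and then a scoped token, the authorization server is the only party that sees credentials, and the resource server trusts nothing it cannot introspect.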


OAuth2 authentication using Spark

Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Q&A

Thank You
