Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Helsinki & North 2025 - API access cont...

Avatar for apidays apidays
PRO
June 07, 2025
0
1

apidays Helsinki & North 2025 - API access control strategies beyond JWT bearer tokens, Judith Kahrer (Curity)

API access control strategies beyond JWT bearer tokens
Judith Kahrer, Identity Expert at Curity

apidays Helsinki & North 2025 - APIs for Innovation, Intelligence, and Impact
June 3 & 4, 2025

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Avatar for apidays

apidays
PRO

June 07, 2025
Tweet

More Decks by apidays

See All by apidays
apidays Helsinki & North 2025 - APIs in the healthcare sector: hospitals interoperability with FHIR, Matias Aiskovich (Toptal)
Avatar for apidays apidays
PRO
0
4
apidays Helsinki & North 2025 - Monetizing AI APIs: The New API Economy, Allan Knabe (apiable.io)
Avatar for apidays apidays
PRO
0
1
apidays Helsinki & North 2025 - From Chaos to Clarity: Designing (AI-Ready) APIs with APIOps Cycles, Marjukka Niinioja (Osaango)
Avatar for apidays apidays
PRO
0
2
apidays Helsinki & North 2025 - API-Powered Journeys: Mobility in an API-Driven Economy, Jaakko Rintamäki (Finntraffic)
Avatar for apidays apidays
PRO
0
3
apidays Helsinki & North 2025 - Agentic AI: A Friend or Foe?, Merja Kajava (Aavista)
Avatar for apidays apidays
PRO
0
0
apidays Helsinki & North 2025 - How (not) to run a Graphql Stewardship Group, Gadiel Cruz (Alpha-Sense)
Avatar for apidays apidays
PRO
0
1
apidays Helsinki & North 2025 - Vero APIs - Experiences of API development in Finnish Tax Administration, Tuomo Hyttinen (Tax Administration of Finland)
Avatar for apidays apidays
PRO
0
1
apidays Helsinki & North 2025 - APIs at Scale: Designing for Alignment, Trust, and Intelligence, Michael Jackson (Loihde)
Avatar for apidays apidays
PRO
0
1
apidays Helsinki & North 2025 - AI in Privacy tech and Consent Management, Unnikrishnan Sreedhara Kurup (Gravito)
Avatar for apidays apidays
PRO
0
2

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
12k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
3k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
25
2.8k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
137
34k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
656
60k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.3k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
172
14k
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
6.6k

Transcript

  1. API Access Control Strategies Beyond JWT Bearer Tokens

  2. Judith Kahrer Identity Expert API Security Specialist Author https://curity.io/cloud-native-data-security-oauth/

  3. Common Token-based Architecture Services API Gateway Application

  4. Token Replay Services API Gateway Application

  5. Sender-constrained Tokens “cnf” : { <reference to public key> }

  6. Proof • mutual TLS (RFC 8705) • self-signed JWT (DPoP,

    RFC 9449)

  7. Mutual TLS Services API Gateway Application Transport Layer

  8. Certificate-bound Access Tokens Services API Gateway Application Transport Layer

  9. Certificate-bound Access Tokens – Token Replay Services API Gateway Application

  10. Certificate-bound Access Tokens – Proxy Services API Gateway Application No

    key

  11. Certificate-bound Access Tokens – Proxy Services API Gateway Application

  12. Certificate-bound Access Tokens • Great support for mTLS • Third-party

    Assertion • Built-in Authentication • Public Key Infrastructure (PKI) • Complex Operation • Certificate Rollout

  13. Demonstrating Proof of Possession (DPoP) Services API Gateway Application Application

    Layer

  14. Demonstrating Proof of Possession (DPoP) Services API Gateway Application

  15. Demonstrating Proof of Possession (DPoP) Services API Gateway Application

  16. DPoP – Token Replay Services API Gateway Application No proof

  17. DPoP – Token Replay Services API Gateway Application

  18. Demonstrating Proof of Possession (DPoP) • Suitable for all Applications

    • Runtime Keys • End-to-End Solution • Complex Validation

  19. Token Validation • Issuer • Scope • Audience

  20. What to Secure?

  21. What are the Rules?

  22. Identity Attributes

  23. Why JSON Web Tokens?

  24. JWT Access Token iss: trusted-party sub: Judith exp: 1749046500 scope:

    invoice …

  25. Common Token-based Architecture Services API Gateway Identity Attributes Application

  26. Confidentiality Risk Services API Gateway May parse JWT May parse

    JWT Application

  27. Improved Token-based Architecture Services API Gateway Opaque Token Application

  28. Improved Token-based Architecture Services API Gateway Application

  29. Benefits • Local Changes Only • Confidentiality • Privacy •

    Trust Boundary • Token Translation

  30. Token Translation Services API Gateway Different

  31. Transaction Tokens Services API Gateway Bound to Transaction

  32. Access Control Strategies • Validate access tokens whenever data is

    returned. • Use sender-constrained access tokens. • Use JWTs for APIs, opaque tokens for clients. • Limit scope for internal tokens.

  33. Thank You! curity.io developer.curity.io [email protected]

  34. Cloud Native Data Security with OAuth https://curity.io/cloud-native-data-security-oauth/