Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Helsinki & North 2025 - API access cont...

Avatar for apidays apidays
PRO
June 07, 2025
0
4

apidays Helsinki & North 2025 - API access control strategies beyond JWT bearer tokens, Judith Kahrer (Curity)

API access control strategies beyond JWT bearer tokens
Judith Kahrer, Identity Expert at Curity

apidays Helsinki & North 2025 - APIs for Innovation, Intelligence, and Impact
June 3 & 4, 2025

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Avatar for apidays

apidays
PRO

June 07, 2025
Tweet

More Decks by apidays

See All by apidays
apidays Helsinki & North 2025 - APIs in the healthcare sector: hospitals interoperability with FHIR, Matias Aiskovich (Toptal)
Avatar for apidays apidays
PRO
0
10
apidays Helsinki & North 2025 - Monetizing AI APIs: The New API Economy, Allan Knabe (apiable.io)
Avatar for apidays apidays
PRO
0
6
apidays Helsinki & North 2025 - From Chaos to Clarity: Designing (AI-Ready) APIs with APIOps Cycles, Marjukka Niinioja (Osaango)
Avatar for apidays apidays
PRO
0
11
apidays Helsinki & North 2025 - API-Powered Journeys: Mobility in an API-Driven Economy, Jaakko Rintamäki (Finntraffic)
Avatar for apidays apidays
PRO
0
9
apidays Helsinki & North 2025 - Agentic AI: A Friend or Foe?, Merja Kajava (Aavista)
Avatar for apidays apidays
PRO
0
3
apidays Helsinki & North 2025 - How (not) to run a Graphql Stewardship Group, Gadiel Cruz (Alpha-Sense)
Avatar for apidays apidays
PRO
0
4
apidays Helsinki & North 2025 - Vero APIs - Experiences of API development in Finnish Tax Administration, Tuomo Hyttinen (Tax Administration of Finland)
Avatar for apidays apidays
PRO
0
4
apidays Helsinki & North 2025 - APIs at Scale: Designing for Alignment, Trust, and Intelligence, Michael Jackson (Loihde)
Avatar for apidays apidays
PRO
0
4
apidays Helsinki & North 2025 - AI in Privacy tech and Consent Management, Unnikrishnan Sreedhara Kurup (Gravito)
Avatar for apidays apidays
PRO
0
5

Featured

See All Featured
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
277
23k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
61k
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.8k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
35
2.3k
Done Done
Avatar for chrislema chrislema
184
16k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
69
11k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
107
19k
Scaling GitHub
Avatar for Zach Holman holman
459
140k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
181
53k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k

Transcript

  1. API Access Control Strategies Beyond JWT Bearer Tokens

  2. Judith Kahrer Identity Expert API Security Specialist Author https://curity.io/cloud-native-data-security-oauth/

  3. Common Token-based Architecture Services API Gateway Application

  4. Token Replay Services API Gateway Application

  5. Sender-constrained Tokens “cnf” : { <reference to public key> }

  6. Proof • mutual TLS (RFC 8705) • self-signed JWT (DPoP,

    RFC 9449)

  7. Mutual TLS Services API Gateway Application Transport Layer

  8. Certificate-bound Access Tokens Services API Gateway Application Transport Layer

  9. Certificate-bound Access Tokens – Token Replay Services API Gateway Application

  10. Certificate-bound Access Tokens – Proxy Services API Gateway Application No

    key

  11. Certificate-bound Access Tokens – Proxy Services API Gateway Application

  12. Certificate-bound Access Tokens • Great support for mTLS • Third-party

    Assertion • Built-in Authentication • Public Key Infrastructure (PKI) • Complex Operation • Certificate Rollout

  13. Demonstrating Proof of Possession (DPoP) Services API Gateway Application Application

    Layer

  14. Demonstrating Proof of Possession (DPoP) Services API Gateway Application

  15. Demonstrating Proof of Possession (DPoP) Services API Gateway Application

  16. DPoP – Token Replay Services API Gateway Application No proof

  17. DPoP – Token Replay Services API Gateway Application

  18. Demonstrating Proof of Possession (DPoP) • Suitable for all Applications

    • Runtime Keys • End-to-End Solution • Complex Validation

  19. Token Validation • Issuer • Scope • Audience

  20. What to Secure?

  21. What are the Rules?

  22. Identity Attributes

  23. Why JSON Web Tokens?

  24. JWT Access Token iss: trusted-party sub: Judith exp: 1749046500 scope:

    invoice …

  25. Common Token-based Architecture Services API Gateway Identity Attributes Application

  26. Confidentiality Risk Services API Gateway May parse JWT May parse

    JWT Application

  27. Improved Token-based Architecture Services API Gateway Opaque Token Application

  28. Improved Token-based Architecture Services API Gateway Application

  29. Benefits • Local Changes Only • Confidentiality • Privacy •

    Trust Boundary • Token Translation

  30. Token Translation Services API Gateway Different

  31. Transaction Tokens Services API Gateway Bound to Transaction

  32. Access Control Strategies • Validate access tokens whenever data is

    returned. • Use sender-constrained access tokens. • Use JWTs for APIs, opaque tokens for clients. • Limit scope for internal tokens.

  33. Thank You! curity.io developer.curity.io [email protected]

  34. Cloud Native Data Security with OAuth https://curity.io/cloud-native-data-security-oauth/