Session discussing customer issues around securing an API:

  1. Customers: Met Police, University of Exeter, Lloyds, Kainos, IDNucleus

  2. Focus:

    1. Protect APIs

      1. One customer had no security at all on their REST APIs

    2. Evolution

      1. OAuth; token types (SAML)

  3. Questions:

    1. Question: Security end-to-end:

      1. How to obtain proof-of-possession (of token)

    2. Question: Upgrading a token with OAuth?

      1. A user accesses the web application (and authenticates). This web application calls different web services to deliver the service, passing on access tokens. However, at some point an access token might not have the right scope/claim. Looking for a way to challenge the user sitting in front of his web browser for a session upgrade, and subsequently obtain access tokens with appropriate scopes.

      2. Joachim: I think this is a valid use case, but I don't know if there is a flow to combine
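The token-upgrade scenario from question 3.2, as an added example that is not part of the session notes or of any of the customers' systems: a resource server checks the scopes behind a bearer token and, when the token is valid but under-scoped, answers with the RFC 6750 `insufficient_scope` challenge naming the scope it needs; the web application parses that challenge and builds a new authorization request that sends the user's browser back to the authorization server for the union of the scopes it already holds and the missing one. The token store, the token values, the scope names, the authorization endpoint, client id and redirect URI are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed token store standing in for real token validation (a signed
# JWT or RFC 7662 introspection in a deployment): opaque token -> granted
# scopes. Token values and scope names are made up for this example.
TOKEN_STORE = {
    "tok-basic": {"sub": "alice", "scope": {"profile:read"}},
    "tok-upgraded": {"sub": "alice", "scope": {"profile:read", "payments:write"}},
}

# Assumed authorization server and client registration details.
AUTHORIZE_ENDPOINT = "https://as.example.test/authorize"
CLIENT_ID = "webapp"
REDIRECT_URI = "https://app.example.test/callback"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def resource_server(path, required_scope, authorization_header):
    """Protect one REST endpoint: require a bearer token carrying required_scope.

    The scope check happens here, on the resource server, from the scopes
    bound to the token at issuance; the client's own claims are never trusted.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        # No usable credential at all: plain 401 challenge (RFC 6750 section 3).
        return Response(401, {"WWW-Authenticate": 'Bearer realm="api"'})
    token = authorization_header[len("Bearer "):]
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return Response(401, {"WWW-Authenticate":
                              'Bearer realm="api", error="invalid_token"'})
    if required_scope not in entry["scope"]:
        # Valid but under-scoped token: 403 with error="insufficient_scope"
        # and the scope the client needs (RFC 6750 section 3.1), so the client
        # can go back to the user for it instead of failing opaquely.
        challenge = ('Bearer realm="api", error="insufficient_scope", '
                     f'scope="{required_scope}"')
        return Response(403, {"WWW-Authenticate": challenge})
    return Response(200, body=f"{entry['sub']} allowed on {path}")


def parse_bearer_challenge(www_authenticate):
    """Turn 'Bearer k="v", k2="v2"' into a dict; {} for a missing/non-Bearer header."""
    if not www_authenticate or not www_authenticate.startswith("Bearer"):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate[len("Bearer"):]))


def build_step_up_request(current_scopes, challenge, state):
    """Build the authorization request that sends the user's browser back to the
    authorization server for the scopes the app already holds plus the scope(s)
    named in the challenge (incremental authorization). `state` must be
    unguessable and bound to the user's session; the callback handler is
    expected to verify it before exchanging the code."""
    needed = set(challenge.get("scope", "").split())
    scopes = sorted(set(current_scopes) | needed)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def web_app_call(path, required_scope, token, current_scopes, state):
    """The web application's side: call the service with the token it holds.
    Returns ("ok", body) on success, ("step_up", url) when the user has to be
    sent to the authorization server for more scope, or ("error", status)."""
    resp = resource_server(path, required_scope, f"Bearer {token}")
    if resp.status == 200:
        return ("ok", resp.body)
    challenge = parse_bearer_challenge(resp.headers.get("WWW-Authenticate"))
    if resp.status == 403 and challenge.get("error") == "insufficient_scope":
        return ("step_up", build_step_up_request(current_scopes, challenge, state))
    return ("error", resp.status)


if __name__ == "__main__":
    # First call with the basic token: the app is told to step the user up.
    print(web_app_call("/payments", "payments:write", "tok-basic", {"profile:read"}, "s1"))
    # After the user consents and the app exchanges the code, it holds the
    # upgraded token and the same call succeeds.
    print(web_app_call("/payments", "payments:write", "tok-upgraded",
                       {"profile:read", "payments:write"}, "s2"))
```

The point of the example is where the decision lives: the resource server never downgrades to a weaker check, and the web application never widens the token itself; the only path to a broader scope runs through the user's browser and the authorization server's consent, which is the "session upgrade" the question asks for. Whether the issued token then carries the new scope as a scope value or as a claim is up to the authorization server; the resource server in the example only needs the set it validates against.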