December 22nd, 2011

The Future is a Story About Mobile Computing

Written by
Marc Andreessen

Earlier today, CNET published an interview with Marc Andreessen, in which the Netscape founder and influential VC outlines his personal vision for where tech is heading in the near future. His new tagline, from a piece he wrote for the New York Times, is “software is eating the world”, a blunt reference to how software increasingly appears out of nowhere to utterly consume a traditional practice or business model — be this in commerce, the social realm or just about everywhere.

Andreessen asserts that this effect will only accelerate in the future because of the explosion we are experiencing in mobile computing:

"Most of the people in the world still don’t have a personal computer, whereas in three to five years, most people in the world will have a smartphone…. If you’ve got a smartphone, then I can build a business in any domain or category and serve you as a customer no matter where you are in the world in just gigantic numbers — in terms of billions of people."

This new scale of mobile is something we’re only beginning to see, but it is becoming clear that the change it will bring about is going to be profound. Mobile computing is very interesting to Layer 7 — watch out for some interesting new developments coming out of our labs early in the new year.

I discovered a similar indicator of mobile interest using Google’s Insights for Search. Pete Soderling and Chris Comerford from Stratus Security Technologies gave an excellent talk, back in 2010 at the RSA show, about REST security. They illustrated how the zeitgeist around distributed computer communications was changing over time, by comparing search volume for “SOAP Security” (blue line) and “REST Security” (red line):

Try this out for yourself here.

What struck me about this was not that REST came up so fast — you’d have to be living under a rock to have missed that one — but that the two approaches have been tracking roughly equivalent over the last year. This mirrors our own experience at Layer 7, where we support both SOAP and REST security equally. We see similar patterns of interest coming from our customers.

What is even more interesting is what happens when you add “Mobile Security” (yellow line) to the mix:

Try it here.

The future indeed, will be written from a hand-held device.

December 19th, 2011

OAuth 2.0 with Layer 7 Gateways, Tutorial 4: The SAML Grant Type

As promised, here’s another of my weekly tutorial videos on how Layer 7’s OAuth Toolkit can be used to leverage the many grant types and use cases supported by the OAuth 2.0 standard. I’m glad to report that there has been a lot of interest in this series of videos. We get queries about OAuth just about every day, so enterprise architects clearly see this emerging standard as a potentially powerful tool for controlling access to APIs.

For those of you who haven’t seen my previous OAuth 2.0 tutorials, I should explain that the OAuth Toolkit provides a number of OAuth template implementations that can be imported into our Gateways in order to apply OAuth. This template integrates into existing environments by connecting with identity providers and APIs.

This week, I’m explaining the OAuth 2.0 SAML grant type. This grant type is not part of the core OAuth 2.0 specification; it is defined in an extension draft (draft-ietf-oauth-saml2-bearer-09), which describes how a client application uses a SAML bearer assertion to obtain an OAuth access token.

Although this specification does not describe how the client application obtains the SAML assertion in the first place, the tutorial does use a test application to provide an example in which the user is forwarded to a SAML identity provider which authenticates the user, issues a SAML assertion and redirects the user back to the application. The application then uses this redirected SAML assertion to obtain an access token from the Layer 7 Gateway’s OAuth authorization server endpoint.
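To make the token exchange concrete, here is an added example (not code from Layer 7 or from the OAuth Toolkit) in Python. It builds the client's token request as the draft specifies it (grant_type `urn:ietf:params:oauth:grant-type:saml2-bearer` with a base64url-encoded assertion) and then performs the checks an authorization server should make before issuing a token: trusted issuer, bearer subject confirmation, validity window and audience. The assertion, issuer and audience URLs are constructed for the example; XML signature verification is assumed to have been done by an XML-DSig library before these checks run.

```python
"""Added example (not Layer 7 code): OAuth 2.0 SAML bearer grant, both sides.
Client side builds the token request; authorization server side validates the
assertion before issuing an access token. Signature verification is assumed done
separately by an XML-DSig library and is not shown here."""
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET

SAML_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2011-12-19T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-12-19T10:00:00Z" NotOnOrAfter="2011-12-19T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://as.example.com/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_time(s: str) -> dt.datetime:
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_token_request(assertion_xml: str, scope: str = "") -> str:
    """Client side: form body POSTed to the token endpoint."""
    params = {"grant_type": SAML_GRANT, "assertion": b64url(assertion_xml.encode())}
    if scope:
        params["scope"] = scope
    return urllib.parse.urlencode(params)


def validate_token_request(body, expected_audience, trusted_issuers, now):
    """Authorization server side: returns (True, subject) or (False, error)."""
    form = dict(urllib.parse.parse_qsl(body))
    if form.get("grant_type") != SAML_GRANT:
        return False, "unsupported_grant_type"
    try:
        root = ET.fromstring(b64url_decode(form["assertion"]))
    except (KeyError, ET.ParseError, ValueError):
        return False, "invalid_grant: malformed assertion"
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        return False, "invalid_grant: untrusted issuer"
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER_METHOD:
        return False, "invalid_grant: not a bearer assertion"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        return False, "invalid_grant: missing validity window"
    if now < parse_time(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
        return False, "invalid_grant: assertion not yet valid"
    if now >= parse_time(cond.get("NotOnOrAfter")):
        return False, "invalid_grant: assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "invalid_grant: audience mismatch"
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def issue_access_token(body, expected_audience, trusted_issuers, now):
    """Token endpoint response: an access token, and no refresh token for this grant."""
    ok, result = validate_token_request(body, expected_audience, trusted_issuers, now)
    if not ok:
        return {"error": result}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "expires_in": 3600, "subject": result}
```

The audience check is the one most often skipped: without it, an assertion issued for some other service can be replayed against the token endpoint. The validity window in the sample is deliberately short (five minutes), which is the usual practice for bearer assertions used as one-shot grants.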

Tutorial 4: The SAML Grant Type

December 16th, 2011

FROM THE VAULT: Webinar – Security, Governance & Integration in a Cloud-Connected World presented with Red Hat

Enterprise IT is becoming more complex. Companies are investing in systems that promise great benefits in terms of connectivity and cost-effectiveness but, to really make the most of these investments, they need control over and visibility into how systems connect across departments, environments and locations. Introduce the Cloud and things can get really complicated.

This summer, we presented a webinar that addressed these specific issues. Created in association with Red Hat, Security, Governance & Integration in a Cloud-Connected World provided deep insight into how enterprises can address integration, management and security challenges arising from technologies like SOA and Cloud.

With input from Pierre Fricke, Director of SOA Products at Red Hat, as well as Jaime Ryan, our Partner Solutions Architect, this webinar proposed combining an enterprise service bus with a SOA Gateway to create a secure, standards-based system for governing integrations that cross organizational boundaries. You can stream the full recording in the player below.


December 12th, 2011

OAuth 2.0 with Layer 7 Gateways, Tutorial 3: The Implicit Grant Type

Last week, in the second of my tutorial videos demonstrating how Layer 7 Gateways can be used to implement OAuth, I talked about the authorization code grant type and showed how it could be adapted to suit specific needs. This week, in my third tutorial, I’ll be doing the same for the implicit grant type.

As you may remember, I previously gave an overview of the flow for the authorization code grant type. To help you compare and contrast, here’s the implicit grant type flow:

  • The resource owner is redirected by the client application to the OAuth authorization server, to express authorization
  • The OAuth authorization server redirects the resource owner back to the client application along with an access token
  • The client application uses the access token to call the service on behalf of the resource owner
  • The implicit grant type does not include refresh tokens since the client application is not authenticated
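The four steps above, as an added example in Python that is not code from Layer 7 or from the tutorial: the client builds the authorization request with a `state` value, the authorization server redirects back with the access token in the URL fragment (so it never reaches the client's web server in a request line), and the client checks `state` before using the token. The endpoints, client registration and redirect URI are constructed for the example; the authorization server is assumed to have already authenticated the resource owner before `authorization_response` is called.

```python
"""Added example (not Layer 7 code): the OAuth 2.0 implicit grant flow.
Endpoints, client ids and redirect URIs are constructed for illustration."""
import secrets
import urllib.parse

# Constructed registration data: the redirect URI must be registered up front,
# because with the implicit grant the redirect is the only thing binding the
# token to the client (there is no client secret).
REGISTERED_CLIENTS = {"demo-client": {"redirect_uri": "https://app.example.com/cb"}}
AUTHZ_ENDPOINT = "https://as.example.com/authorize"


def build_authorization_request(client_id, redirect_uri, scope):
    """Step 1, client side: redirect the resource owner to the authorization server.
    Returns the URL and the state value to keep in the user's session."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "token", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params), state


def authorization_response(request_url, owner_approved):
    """Step 2, authorization server side (resource owner already authenticated):
    redirect back with the token in the fragment. Returns None when the client
    or redirect URI is unknown, in which case no redirect may be issued at all."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(request_url).query))
    client = REGISTERED_CLIENTS.get(q.get("client_id"))
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        return None
    state = q.get("state", "")
    if q.get("response_type") != "token":
        frag = {"error": "unsupported_response_type", "state": state}
    elif not owner_approved:
        frag = {"error": "access_denied", "state": state}
    else:
        # No refresh_token here: the implicit grant never issues one.
        frag = {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": "3600", "scope": q.get("scope", ""), "state": state}
    return client["redirect_uri"] + "#" + urllib.parse.urlencode(frag)


def parse_callback(redirect_url, expected_state):
    """Step 3, client side (script running in the browser): read the fragment,
    check state first, then accept the token."""
    frag = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(redirect_url).fragment))
    if frag.get("state") != expected_state:
        return {"error": "state_mismatch"}
    if "error" in frag:
        return {"error": frag["error"]}
    if frag.get("token_type", "").lower() != "bearer" or "access_token" not in frag:
        return {"error": "invalid_response"}
    return {"access_token": frag["access_token"],
            "expires_in": int(frag["expires_in"]), "scope": frag.get("scope", "")}


def resource_request_headers(access_token):
    """Step 4: the client calls the service with the bearer token."""
    return {"Authorization": "Bearer " + access_token}
```

Two points worth noticing when adapting this flow: the authorization server refuses to redirect at all when the redirect URI is not the registered one, rather than redirecting with an error, and the client rejects any callback whose `state` does not match what it stored, which is what stops a token obtained in one browser session from being injected into another.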

The response we’ve already had to these tutorials is evidence of the ever-growing interest in all things OAuth – and the fact that there’s still a lot to learn about this emerging standard. If you’re finding this content useful – and I certainly hope you are – don’t worry: there’s plenty more to come!

Tutorial 3: The Implicit Grant Type

December 5th, 2011

Gartner AADI 2011 Presentation Video: API Management, Governance & OAuth

I delivered a talk all about API governance at last week’s Gartner Application Architecture, Development & Integration (AADI) summit in Las Vegas. I was the lunchtime entertainment on Wednesday. The session was packed—in fact, a large number of people were turned away because we ran out of place settings. Fortunately, a video of the session is now available, so if you were not able to attend, you can now watch it online.

In this talk, I explore how governance is changing in the API world. I even do a live OAuth demonstration using people, instead of computers. Unlike the classic “swim lane” diagrams that only show how OAuth works, this one also teaches you why the protocol operates as it does. (If you want to skip directly to the OAuth component, it begins at around 22 minutes