April 11th, 2012

Beyond OAuth – Emerging Standards for API Access Control


OAuth 2.0 seems to be on everybody’s minds these days. I can’t remember an emerging standard picking up interest so fast. The Layer 7 OAuth Toolkit evolved through three stages over the last couple of years and I’m proud to say that I was involved right from the beginning. It was first developed out of necessity, using existing elements of the Layer 7 SecureSpan Gateway platform – a testament to the flexibility of that platform. Then, leveraging precious feedback from numerous architects applying OAuth with our Gateway, the OAuth Toolkit matured and became a product of its own. Today, we’re witnessing the third evolution phase: OAuth is making its way to the very core of the SecureSpan Gateway platform.

I mention these different evolution phases because I noticed how different engineers working at these different levels – and in some cases isolated from each other (I travel a lot) – identified very similar patterns relating to implementing API access control using OAuth. I’m talking about interaction patterns between the various components involved, including for example a token issuer, an API consumer, a policy enforcement point, etc. These parties need to discover information at runtime relating to tokens and identities; tokens need to be stored somewhere and managed. It just seems logical that this information would be exchanged via open APIs themselves. Integrating these logical components via APIs means that you can easily separate them as needed and manage their mutual trust. For example, implement the OAuth protocol in a DMZ perimeter zone but store tokens and associated state in the trusted network. API-based integration between these different logical components also facilitates the integration of existing IT assets into a new OAuth-enabled system.
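The separation described above, as an added example that is not Layer 7 code and not the SecureSpan Gateway’s own API: a policy enforcement point (PEP) in the DMZ that keeps no token state and instead asks a token store in the trusted network, over an introspection-style call, whether a bearer token is active and what it is good for. The component names, the JSON wire format and the HMAC-based authentication of the introspection caller are assumptions; the response fields follow what was later standardized as OAuth 2.0 Token Introspection (RFC 7662). Timestamps are passed in explicitly so the expiry and revocation cases can be exercised deterministically.

```python
import hashlib
import hmac
import json
import secrets
import time


class TokenStore:
    """Trusted-network component: issues tokens and holds all token state.
    Only callers that can prove knowledge of the shared secret may introspect."""

    def __init__(self, introspection_secret):
        self._tokens = {}                       # access_token -> metadata
        self._secret = introspection_secret.encode()

    def issue(self, subject, scope, ttl_seconds, now=None):
        token = secrets.token_urlsafe(32)       # opaque, unguessable reference token
        issued = time.time() if now is None else now
        self._tokens[token] = {"sub": subject, "scope": set(scope),
                               "exp": issued + ttl_seconds, "active": True}
        return token

    def revoke(self, token):
        if token in self._tokens:
            self._tokens[token]["active"] = False

    def introspect(self, request, now=None):
        """Introspection endpoint (assumed API): authenticate the caller, then
        report only {'active': False} for unknown, revoked or expired tokens."""
        body = request["body"]
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["auth"]):
            raise PermissionError("introspection caller is not trusted")
        token = json.loads(body)["token"]
        meta = self._tokens.get(token)
        current = time.time() if now is None else now
        if meta is None or not meta["active"] or meta["exp"] <= current:
            return {"active": False}
        return {"active": True, "sub": meta["sub"],
                "scope": " ".join(sorted(meta["scope"])), "exp": meta["exp"]}


class PolicyEnforcementPoint:
    """DMZ component: validates bearer tokens on incoming API calls. It stores
    nothing about tokens; every decision is a runtime lookup in the store."""

    def __init__(self, store, introspection_secret):
        self._store = store
        self._secret = introspection_secret.encode()

    def _introspect(self, token, now=None):
        body = json.dumps({"token": token})
        auth = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return self._store.introspect({"body": body, "auth": auth}, now=now)

    def authorize(self, authorization_header, required_scope, now=None):
        """Return (HTTP status, reason) for a request carrying a bearer token."""
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        token = authorization_header[len("Bearer "):].strip()
        info = self._introspect(token, now=now)
        if not info.get("active"):
            return 401, "token inactive"            # unknown, expired or revoked
        if required_scope not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, "ok sub=" + info["sub"]


def demo():
    """Constructed scenario: one token, checked under several conditions."""
    secret = "constructed-shared-secret"         # constructed; mutual TLS would also do
    store = TokenStore(secret)
    pep = PolicyEnforcementPoint(store, secret)
    t0 = 1_000_000.0
    tok = store.issue("alice", {"orders:read"}, ttl_seconds=300, now=t0)
    results = [
        pep.authorize("Bearer " + tok, "orders:read", now=t0 + 10),    # 200
        pep.authorize("Bearer " + tok, "orders:write", now=t0 + 10),   # 403 scope
        pep.authorize("Bearer " + tok, "orders:read", now=t0 + 600),   # 401 expired
        pep.authorize("Basic abc", "orders:read", now=t0),             # 401 no bearer
    ]
    store.revoke(tok)                            # revocation takes effect at once,
    results.append(pep.authorize("Bearer " + tok, "orders:read", now=t0 + 10))  # 401
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

Because the PEP never sees the token table, a compromise of the DMZ host yields no stored tokens, and revoking a token in the trusted store is immediately visible to every enforcement point without any cache invalidation. The same shape accommodates an existing identity store: the token store can map `sub` onto whatever directory the enterprise already runs.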

I recognize many of these patterns in emerging standards building on top of OAuth 2.0, such as OpenID Connect and User-Managed Access (UMA). Coincidence? Obviously not. I expect these emerging standards to be among the key focus areas in building the next generation of API management infrastructure.

March 13th, 2012

Join Layer 7 for Tech Talk Tuesday, Live on Facebook


We are going live for an exclusive, interactive event through our Facebook page and we want you to join us. We’ll be livestreaming a conversation with Layer 7 Director of Solutions Engineering Francois Lascelles on our live Facebook channel, next Tuesday. This will be the first in a bi-weekly series of interactive town hall meetings we’re calling “Tech Talk Tuesday”.

Simply go to the Layer 7 Facebook page and click the Livestream icon to start watching live on Tuesday March 20 at 9am PDT (12pm EDT, 4pm GMT). We’ll be discussing the topic of OAuth Best Practices for API Access Control. We’ll start by talking about the broader aspects of API access control before diving deep into the specifics of OAuth.

And here’s where you come in… We’d love to answer any questions you have concerning OAuth, like: how to incorporate an existing API and identity provider or how to apply the different grant types used in OAuth. The more questions, the better! So be sure to tell your friends and join us on Tuesday March 20 at 9am PDT | 12pm EDT | 4pm GMT.

March 8th, 2012

Reminder: Upcoming API Access Control Webinar

OAuth handshake patterns and OAuth token management are currently two of the hottest topics related to enterprise APIs. Although OAuth originated as a third-party authorization mechanism, it now addresses a multitude of patterns related to controlling access for RESTful APIs. With version 2.0 of the standard defining numerous grant types that accommodate both two-legged and three-legged cases, OAuth is becoming the de facto standard for any API access control.

Regardless of the specific access control scenario, any enterprise-scale OAuth implementation must leverage existing infrastructure and processes for managing and controlling identities. For example, OAuth should be implemented in a way that maintains any existing Single Sign-On user experience or it should simply reuse existing identities and their attributes as part of the authorization checks.

Next Wednesday, I’ll be joined by Steve Coplan of 451 Research for a webinar called Simplifying API Access Control with OAuth. We’ll be taking an in-depth look at just how OAuth can be integrated with existing systems for effective API access control. We’ve already had a lot of interest in the event but there are still a few free spots, so don’t hesitate to sign up for the webinar today.

March 5th, 2012

Layer 7 at RSA Conference 2012

The 2012 RSA Conference is now over and, as many journalists rightly noted, this year’s show was as much about opening up the enterprise to the outside as it was about closing the enterprise off from the outside. With the acceleration of Cloud adoption and the rapid growth of tablets and smartphones inside the enterprise, the need to manage how information is shared out securely has never been greater. To this end, Layer 7 gave two talks at RSA, in addition to two workshops and a sponsorship of the Cloud Security Alliance conference, around this general theme.

The two talks given by Layer 7 staff at RSA included one focused on access control best practices for APIs, called Enterprise Access Control Patterns for REST & Web API, and the other focused on the threat implications of open APIs, called Hacking’s Gilded Age — How APIs Will Increase Risk & Chaos. The first was delivered by Layer 7 Director of Solution Engineering Francois Lascelles. The second was delivered by Layer 7 CTO Scott Morrison. For those of you who weren’t able to catch the talks live, we provide the slides below. Enjoy.


February 29th, 2012

Upcoming Webinar: Simplifying API Access Control with OAuth

Access control is a key aspect of API management. When an enterprise launches an API, identity and access management (IAM) will be among its most pressing concerns. But access control is handled differently for APIs than it is for the Web or even Web services. This can present difficulties for an enterprise that wants to reuse its existing IAM infrastructure to provide access control for APIs.

On March 14, I’ll be co-presenting a webinar called Simplifying API Access Control with OAuth, alongside Steve Coplan of 451 Research. We’ll be exploring a good deal of the ground around API access control and OAuth but with a particular focus on how existing IAM and Single Sign-On (SSO) systems can be extended to integrate with API-enabled applications and services.

In addition to discussing how enterprises can extend their existing IAM and SSO investments for API access, we’ll be looking at:

  • What security and management concerns are created by open APIs
  • How enterprises can address key IAM challenges when securing APIs
  • Why OAuth is becoming central to API access control

Space is limited – so, if you’re interested, sign up today!