New digital identity thanks to APIs

A large part of the user authentication protocols of the new digital age (both proprietary solutions in the hands of companies such as IBM or Oracle and open solutions like OpenID and OAuth 2.0) are based on application programming interfaces (APIs). APIs have become a key piece of the machinery.
APIs, Cybersecurity / 21 November 2018

BBVA API Market


The creation of software products involves numerous delicate aspects, one of which is most certainly identity management (IDM), particularly when the user makes changes. Registration and access processes, changes to personal information: any element of this management can become a genuine headache for developers in this volatile environment, which has security implications, and in which identity theft is particularly serious in sectors such as banking.

Against this backdrop, APIs have become a key piece of the machinery, as they open up possibilities that were previously relatively unexplored. One of their features is that they facilitate authentication processes and may even become the core of the entire business operation. For example, the APIs linked to social networks such as Facebook or Twitter allow those networks to manage the personal data in all their profiles. Application programming interfaces therefore have implications for customizing platforms and generating advertising income.

Digital identity is an umbrella that covers a large number of businesses and areas of software production: directories, digital cards, service providers and identity providers, authentication processes through access tokens, password administration, registration and access control, OpenID (the OpenID Foundation's open-source authentication standard), OAuth (specifically OAuth 2.0), SAML (SAML 2.0), single sign-on and others. There are numerous examples of digital identity protocols and standards that allow both the actual formation of that identity and its protection.

APIs and digital identity

Within the realm of identity management and the APIs that have enabled this process, the SCIM (System for Cross-domain Identity Management) standard signaled the path to follow in 2011. Rather than revolutionizing the digital identity industry, this standard outlines the best practices of the sector in this area. Companies such as Ping Identity, SailPoint, Nexus Group and UnboundID joined forces with cloud providers such as Google, Cisco and Salesforce (one of the large CRM, or Customer Relationship Management, providers) to launch and promote what was then called Simple Cloud Identity Management.

The System for Cross-domain Identity Management is designed to facilitate this process in cloud-based applications. The aim of SCIM is to streamline the development and the integration of authentication and authorization processes with already existing platforms and systems. The standard aims to ensure faster speeds, lower costs and greater ease in identifying and moving user profiles inside and outside cloud-based applications. 

SCIM is based on a REST API that manages information in JSON format. The API uses the common HTTP methods: POST (create a user), GET (read user profile information), PUT (replace personal information), DELETE (delete a user) and PATCH (update information in the user profile):

– Create = POST https://example.com/{v}/{resource}

– Read = GET https://example.com/{v}/{resource}/{id}

– Replace = PUT https://example.com/{v}/{resource}/{id}

– Delete = DELETE https://example.com/{v}/{resource}/{id}

– Update = PATCH https://example.com/{v}/{resource}/{id}

How is each user's data encoded in JSON? Here is an example of a SCIM object with simple attributes, such as the user identifier and name strings, and complex attributes, such as address, e-mail, telephone number and others:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v2/Users/2819c223…",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen, III",
    "familyName": "Jensen",
    "givenName": "Barbara",
    "middleName": "Jane",
    "honorificPrefix": "Ms.",
    "honorificSuffix": "III"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    {
      "value": "555-555-8377",
      "type": "work"
    }
  ],
  "emails": [
    {
      "value": "bjensen@example.com",
      "type": "work",
      "primary": true
    }
  ]
}
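The five operations listed above and the User object they act on can be exercised end to end without a real server. The following Python example is added here and is not part of the original article or of any SCIM implementation; the store, the sample user (modelled on the object above, with constructed values) and the helper names are assumptions. It shows a PATCH body in the PatchOp message format applied to the resource, and, the point a practitioner most often gets wrong, that a write is made conditional on the meta.version ETag the client last read (sent as the HTTP If-Match header in SCIM), so a second writer holding a stale version is refused instead of silently overwriting another client's change. Only dotted attribute paths are supported; filter expressions in paths are not.

```python
import copy
import hashlib
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample resource modelled on the article's User object; the id
# and attribute values are sample data, not a real account.
SAMPLE_USER = {
    "schemas": [USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "bjensen",
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "type": "work", "primary": True}],
    "phoneNumbers": [{"value": "555-555-8377", "type": "work"}],
}


class ConflictError(Exception):
    """The client's If-Match value no longer matches the stored meta.version."""


def etag_for(resource):
    """Weak ETag over the resource body (meta excluded), in the W/"..." form SCIM uses."""
    body = {k: v for k, v in resource.items() if k != "meta"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return 'W/"%s"' % digest[:16]


def apply_patch_op(resource, op):
    """Apply one PatchOp operation on a dotted attribute path (filter paths not supported)."""
    kind = op["op"].lower()
    *parents, leaf = op["path"].split(".")
    target = resource
    for part in parents:
        target = target.setdefault(part, {})
    if kind == "remove":
        target.pop(leaf, None)
    elif kind == "add" and isinstance(target.get(leaf), list):
        value = op["value"]  # adding to a multi-valued attribute appends
        target[leaf].extend(value if isinstance(value, list) else [value])
    elif kind in ("add", "replace"):
        target[leaf] = op["value"]
    else:
        raise ValueError("unsupported op: %s" % kind)


class ScimUserStore:
    """In-memory stand-in for the server behind /Users; each method maps to one HTTP verb."""

    def __init__(self):
        self._users = {}

    def create(self, user):  # POST /{v}/Users
        if USER_SCHEMA not in user.get("schemas", []):
            raise ValueError("missing User schema URI")
        stored = copy.deepcopy(user)
        stored["meta"] = {"resourceType": "User", "version": etag_for(stored)}
        self._users[stored["id"]] = stored
        return copy.deepcopy(stored)

    def read(self, user_id):  # GET /{v}/Users/{id}
        return copy.deepcopy(self._users[user_id])

    def patch(self, user_id, patch_body, if_match):  # PATCH /{v}/Users/{id}
        if PATCH_SCHEMA not in patch_body.get("schemas", []):
            raise ValueError("missing PatchOp schema URI")
        current = self._users[user_id]
        # Conditional write: a stale If-Match means someone else changed the
        # resource since this client read it, so refuse rather than overwrite.
        if if_match != current["meta"]["version"]:
            raise ConflictError("stale If-Match: re-read the resource and retry")
        updated = copy.deepcopy(current)
        for op in patch_body["Operations"]:
            apply_patch_op(updated, op)
        updated["meta"]["version"] = etag_for(updated)
        self._users[user_id] = updated
        return copy.deepcopy(updated)


def demo():
    """Create, patch, then show a second writer holding a stale version being refused."""
    store = ScimUserStore()
    created = store.create(SAMPLE_USER)
    v1 = created["meta"]["version"]
    patch_body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [
            {"op": "replace", "path": "name.givenName", "value": "Barb"},
            {"op": "add", "path": "emails", "value": {"value": "barb@example.com", "type": "home"}},
            {"op": "remove", "path": "phoneNumbers"},
        ],
    }
    updated = store.patch(created["id"], patch_body, if_match=v1)
    try:  # same If-Match again: the resource has moved on, so this must not overwrite it
        store.patch(created["id"], patch_body, if_match=v1)
        stale_rejected = False
    except ConflictError:
        stale_rejected = True
    return {"updated": updated, "v1": v1, "stale_rejected": stale_rejected}
```

Running demo() returns the patched resource with a new meta.version and stale_rejected set to True. A real server would answer the second request with HTTP 412 Precondition Failed; the client then re-reads the resource and reapplies its change, which is what keeps concurrent provisioning jobs from erasing each other's updates.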

Digital identity and open code solutions

One of the weaknesses of digital identification processes is the enormous inconvenience they represent for users who wish to authenticate themselves on several services or platforms at the same time, since each login process requires a different identity. This calls for centralized authentication protocols and management policies. Initially, companies such as IBM and Oracle launched proprietary tools (IBM Tivoli Access Manager and Oracle Access Manager); these were later followed by open or open-source protocols.

Highlights within the open-source framework include OpenID Connect and OAuth 2.0, two solutions that represent a watershed in identity management and authentication processes in software development; they have enabled independent payment solutions and brought low-cost democratization. So much so that sectors with an enormous future, such as the Internet of Things, have based a large part of their development on open protocols like OAuth 2.0.

– OpenID Connect: an open protocol for single user authentication built on the OAuth 2.0 specifications. It allows developers to authenticate users on websites through the browser (JavaScript) and in native mobile applications without having to store and manage passwords, thus avoiding all the implications of potentially losing that information. It is a straightforward and secure identification process. OpenID Connect uses HTTP requests and JSON to identify users.

The OpenID Connect specifications were launched in February 2014 and the OpenID Connect certification program was published in April 2015. The program is backed by such well-known companies as Google, Microsoft, Ping Identity, ForgeRock, Nomura Research Institute and PayPal.

– OAuth 2.0: this framework protocol has brought a genuine revolution to digital identity management processes in software development. It gives third-party apps limited access to an HTTP service, simply and securely, without handing over user names and passwords, by using an access token instead. This means a breached password does not put the resources of other providers or customers at risk. OAuth 2.0 is available for web apps, desktop apps, mobile phones and more. This protocol is also used by most companies in the technology sector (Google, Twitter, Facebook…) and in the Internet of Things.
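What "authenticating users without storing passwords" means in practice, for both list items above, is that the relying party (the website or app) never sees a password: the OpenID Provider returns an ID token, a signed JWT carried over the OAuth 2.0 flow, and the relying party's job is to verify it. The following Python example is added here and is not code from the article, from the OpenID Foundation or from any provider; the issuer URL, client_id, client_secret and subject value are constructed. It uses HS256 with the client_secret as the key (the symmetric option the OpenID Connect Core specification permits for confidential clients) so it runs with only the standard library, and it performs the checks a relying party must make: signature with a pinned algorithm, iss, aud, exp and the nonce the relying party generated when it started the login.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed registration data for the example (assumed values, not a real provider).
ISSUER = "https://op.example.com"
CLIENT_ID = "example-web-app"
CLIENT_SECRET = b"constructed-client-secret-for-this-example"  # HS256 key shared with the OP


class IdTokenError(Exception):
    """The relying party must treat the login as failed when this is raised."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject, nonce, now, lifetime=300):
    """OpenID Provider side: mint an ID token (JWT) signed with HS256 over the client secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def validate_id_token(token, expected_nonce, now):
    """Relying party side: check the signature first, then iss, aud, exp and nonce."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The RP pins the algorithm it registered for; the token must not get to choose it.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(CLIENT_SECRET, (header_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise IdTokenError("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


def is_rejected(token, nonce, now):
    """True when the relying party refuses the token."""
    try:
        validate_id_token(token, nonce, now)
    except IdTokenError:
        return True
    return False


def demo(now=1_700_000_000):
    """One login: the RP's nonce goes out in the request and must come back inside the token."""
    nonce = secrets.token_urlsafe(16)  # stored in the RP session before redirecting to the OP
    token = issue_id_token("248289761001", nonce, now)  # constructed subject identifier
    claims = validate_id_token(token, nonce, now)
    header_b64, claims_b64, sig_b64 = token.split(".")
    # Change one claim but keep the old signature: the HMAC check must catch it.
    forged_claims = dict(json.loads(b64url_decode(claims_b64)), sub="someone-else")
    forged = header_b64 + "." + b64url(json.dumps(forged_claims).encode()) + "." + sig_b64
    return {
        "sub": claims["sub"],
        "tampered_rejected": is_rejected(forged, nonce, now),
        "expired_rejected": is_rejected(token, nonce, now + 600),
        "wrong_nonce_rejected": is_rejected(token, "a-different-nonce", now),
        "alg_none_rejected": is_rejected(
            b64url(b'{"alg":"none"}') + "." + claims_b64 + ".", nonce, now),
    }
```

demo() returns the verified subject for the good token and True for each of the four rejected variants. With a production provider the token is usually RS256-signed and the key comes from the provider's published JWK set, but the claim checks are the same; the one design choice worth copying literally is that the algorithm is fixed by the relying party's configuration rather than read from the token header.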
