OAuth2 on a National Level - How to Secure Extremely Sensitive APIs
Offered By: NDC Conferences via YouTube
Course Description
Overview
Explore how highly sensitive APIs are secured on a national scale in this talk from NDC Conferences. The talk covers HelseID, the OAuth-based token service that the Norwegian health sector uses to share sensitive health information across systems and organizations. It explains why HelseID's security requirements go beyond baseline OAuth, describes the custom security profile developed for HelseID, discusses the justification for each of its security choices, and looks at planned future developments. Topics include OAuth 2.1, the FAPI 2.0 security profile, standard web security practices, restricting access to confidential clients, using keypairs rather than shared secrets, strict requirements on signing algorithms, allowing only one way to use each protocol, and the importance of using established libraries and conducting code reviews. The talk closes with the challenges and solutions involved in running OAuth2 at a national level to protect extremely sensitive data.
Syllabus
OAuth2 on a national scale
Sensitive APIs?
The Norwegian health sector
But what is the problem?
alternatives
Securing an API is easy
The HelseID security profile
OAuth 2.1
FAPI 2.0 security profile
Standard web security
Only confidential clients
Keypairs only
Strict requirements regarding signing algorithms
Only one way to use the protocols
USE A LIBRARY!
code reviews
self-service setup
the core service
In summary
Taught by
NDC Conferences
Related Courses
Designing RESTful APIs (Udacity)
API Design and Fundamentals of Google Cloud's Apigee API Platform (Google Cloud via Coursera)
API Development on Google Cloud's Apigee API Platform (Google Cloud via Coursera)
API Security on Google Cloud's Apigee API Platform (Google Cloud via Coursera)
Developing APIs with Google Cloud's Apigee API Platform (Google Cloud via Coursera)