SlideShare une entreprise Scribd logo

oauth-for-credentials-security-in-rest-api-access

idsecconf
idsecconf

malcoder - OAuth untuk pengamanan credentials pada akses REST API

1  sur  40
Télécharger pour lire hors ligne
Open Authorization : OAuth for credentials security in REST API access
Panggi Libersa Jasri Akadol Web : http://www.opensecuritylab.org Twitter : @panggi
Agenda • Web 2.0 and Data • OAuth usage • Useful resources
Web 2.0 and Data
Web 2.0
= Your Data
Different service = Different data
What if you need to use your data that stored in another service provider’s server ?
Yup , just take it 
OK .. Enough with the Cute creatures :-p Let’s dive into technical things
Once again.. How ?
Using API (Application Programming Interface)
An application programming interface (API) is an interface implemented by a software program that enables it to interact with other software. It facilitates interaction between different software programs similar to the way the user interface facilitates interaction between humans and computers. ( via http://en.wikipedia.org/wiki/API)
REST Representational State Transfer •Provide every resource with a unique ID, for example, a URI •Link resources with each other, establishing relationships among resources •Use standard methods (HTTP, media types, XML) •Resources can have multiple representations that reflect different application states •The communication should be stateless using the HTTP
Accessing API
What’s on your mind ?
"Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay." - oauth.net
we need an easy, user-friendly standard for third party api security
OAuth usage
OAuth puts the user back in control You choose who you share your data with
OAuth is secure No need to give Username and Password
Big Name Adoption Google Yahoo! OpenSocial Netflix MySpace twitter SmugMug GetSatisfaction and more...
Love triangle End user (Resource Owner) Service provider Consumer OAuth
OAuth Protected resources are exposed by service providers and used by consumer applications on behalf of users
OAuth My Twitter Status Is exposed by Twitter And used by Seesmic On my behalf
OAuth Terminology • Provider is the application that exposes the secure API and user’s identity • Consumer is the application that is written against the Provider’s API, intended for Provider’s users. • Users or resource owners are registered users of the Provider • Consumer Key is an identifier for the consumer • Consumer Secret is a shared-secret between the provider and the consumer • Signature Methods are encryption methods used by OAuth communication. Methods suggested are PLAINTEXT, RSA-SHA1 and HMAC-SHA1 • OAuth Endpoints are endpoints exposed by the provider to facilitate OAuth dance • Callback URL is an endpoint at the Consumer that is invoked by the Provider once the user authorizes the Consumer. If none, the value is oob, or Out-of- Band
Tokens • Request Token – Short lived identifiers which start the handshake – Must be converted to Access Token in order to gain access to a user’s resources • Access Token – Long lived identifiers that are tied to the user’s identity – Are used to access a user’s resources (data) at the Provider on behalf of the user
Endpoints • Get request token • Authorize token • Get access token
Get Request Token • The endpoint provides consumers to get an unauthorized request token by providing their consumer key and other parameters as a signed request • The credentials can be passed via HTTP Header, POST body or GET QueryString • The request includes an oauth_signature which is calculated by following the steps defined in the spec. Use libraries instead of writing your own signing implementations. • The response has an unauthorized request token as well as a token secret, and a flag indicating if the callback was accepted.
Authorize Token • The step authorizes an unauthorized request token retrieved via previous request. • The endpoint takes the unauthorized request token – or the user can enter one manually if supported. • The Authorize Token endpoint then redirects the user to the Provider’s login page • The user logs in, and is asked to authorize the consumer (and hence the request token) • Once the user authenticates, and authorizes access to the consumer, the provider calls the callback URL provided earlier with a verifier code. This verifier code, along with other credentials is used to get an Access Token.
Get Access Token • At this step, the now authorized request token is exchanged for an access token • The access token acts as a user’s credential for any further transactions • The endpoint takes the request token and the verifier code returned via the callback, or manually if callback is not supported. The request is signed with consumer secret and the request token’s secret. • The Provider returns an access token and a token secret. • The token secret is used to sign the requests along with the consumer secret.
Access User’s Resources • Now that the consumer has the access token, the user’s resources can be requested via signed requests to the provider. • The user should be able to unauthorize the consumer by revoking the access token. • The access token has a time to live which is typically longer than the request token
Useful Resources
• http://tools.ietf.org/html/rfc5849 • http://oauth.net/code/ • http://hueniverse.com/oauth/ • http://code.google.com/p/oauth/ • http://opensecuritylab.org/tag/oauth

Recommandé

eWise at FinDEVr
eWise at FinDEVreWise at FinDEVr
eWise at FinDEVrLucile Mathe
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gatewayKartik Kalpande Patil
 
IDoT: Challenges from the IDentities of Things Landscape
IDoT: Challenges from the IDentities of Things LandscapeIDoT: Challenges from the IDentities of Things Landscape
IDoT: Challenges from the IDentities of Things Landscapekantarainitiative
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
Digital signature & PKI Infrastructure
Digital signature & PKI InfrastructureDigital signature & PKI Infrastructure
Digital signature & PKI InfrastructureShubham Sharma
 
Identity Platform Use Cases
Identity Platform Use CasesIdentity Platform Use Cases
Identity Platform Use CasesUbisecure
 
What Is The Blockchain kyc solutions
What Is The Blockchain kyc solutions What Is The Blockchain kyc solutions
What Is The Blockchain kyc solutions Blockchain Council
 
Digital signature and certificate authority
Digital signature and certificate authorityDigital signature and certificate authority
Digital signature and certificate authorityKrutiShah114
 

Recommandé

eWise at FinDEVr
eWise at FinDEVreWise at FinDEVr
eWise at FinDEVrLucile Mathe
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gatewayKartik Kalpande Patil
 
IDoT: Challenges from the IDentities of Things Landscape
IDoT: Challenges from the IDentities of Things LandscapeIDoT: Challenges from the IDentities of Things Landscape
IDoT: Challenges from the IDentities of Things Landscapekantarainitiative
 
ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018ForgeRock Open banking - Meetup 28/06/2018
ForgeRock Open banking - Meetup 28/06/2018Quentin Castel
 
Digital signature & PKI Infrastructure
Digital signature & PKI InfrastructureDigital signature & PKI Infrastructure
Digital signature & PKI InfrastructureShubham Sharma
 
Identity Platform Use Cases
Identity Platform Use CasesIdentity Platform Use Cases
Identity Platform Use CasesUbisecure
 
What Is The Blockchain kyc solutions
What Is The Blockchain kyc solutions What Is The Blockchain kyc solutions
What Is The Blockchain kyc solutions Blockchain Council
 
Digital signature and certificate authority
Digital signature and certificate authorityDigital signature and certificate authority
Digital signature and certificate authorityKrutiShah114
 
Using Strong / Verified Identities
Using Strong / Verified IdentitiesUsing Strong / Verified Identities
Using Strong / Verified IdentitiesUbisecure
 
Digital Locker Requester Api Specification v1 0
Digital Locker Requester Api Specification v1 0Digital Locker Requester Api Specification v1 0
Digital Locker Requester Api Specification v1 0DigiLocker
 
Wallet mobile-ui-presentation
Wallet mobile-ui-presentationWallet mobile-ui-presentation
Wallet mobile-ui-presentationVelmie
 
Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementMartijn Oostdijk
 
White-Label Mobile Payments System
White-Label Mobile Payments SystemWhite-Label Mobile Payments System
White-Label Mobile Payments SystemVelmie
 
Exploring the Possibilities of Blockchain in Healthcare
Exploring the Possibilities of Blockchain in HealthcareExploring the Possibilities of Blockchain in Healthcare
Exploring the Possibilities of Blockchain in HealthcareIonixx Technologies Inc.
 
Technical Specifications DLTS ver 2.3
Technical Specifications DLTS ver 2.3Technical Specifications DLTS ver 2.3
Technical Specifications DLTS ver 2.3DigiLocker
 
Digital Locker Dedicated Repository Api Specification v1 4
Digital Locker Dedicated Repository Api Specification v1 4Digital Locker Dedicated Repository Api Specification v1 4
Digital Locker Dedicated Repository Api Specification v1 4DigiLocker
 
eSign Brochure1.5
eSign Brochure1.5eSign Brochure1.5
eSign Brochure1.5DigiLocker
 
What is Digital Signature, Digital Signature FAQ - eMudhra
What is Digital Signature, Digital Signature FAQ - eMudhraWhat is Digital Signature, Digital Signature FAQ - eMudhra
What is Digital Signature, Digital Signature FAQ - eMudhraeMudhra dsc
 
v 1.0
v 1.0v 1.0
v 1.0Vinod Amarathunga
 
Automated E-Pin Generator in Banking Sector
Automated E-Pin Generator in Banking SectorAutomated E-Pin Generator in Banking Sector
Automated E-Pin Generator in Banking Sectordbpublications
 
Bank chain to leverage blockchain further
Bank chain to leverage blockchain furtherBank chain to leverage blockchain further
Bank chain to leverage blockchain furthereTailing India
 
Digital signature certificate provider in delhi
Digital signature certificate provider in delhiDigital signature certificate provider in delhi
Digital signature certificate provider in delhieSign DSC
 
Blockchain Account Aggregation oct 2019 rev nci
Blockchain Account Aggregation oct 2019 rev nciBlockchain Account Aggregation oct 2019 rev nci
Blockchain Account Aggregation oct 2019 rev nciTaras Kuzin
 
DSC E-Sign File Attachment
DSC E-Sign File AttachmentDSC E-Sign File Attachment
DSC E-Sign File AttachmentINDIA TAX INFO PVT LTD
 
Implementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockImplementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockForgeRock Identity Tech Talks
 
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Blockchain Worx
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 

Contenu connexe

Tendances

Using Strong / Verified Identities
Using Strong / Verified IdentitiesUsing Strong / Verified Identities
Using Strong / Verified IdentitiesUbisecure
 
Digital Locker Requester Api Specification v1 0
Digital Locker Requester Api Specification v1 0Digital Locker Requester Api Specification v1 0
Digital Locker Requester Api Specification v1 0DigiLocker
 
Wallet mobile-ui-presentation
Wallet mobile-ui-presentationWallet mobile-ui-presentation
Wallet mobile-ui-presentationVelmie
 
Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementMartijn Oostdijk
 
White-Label Mobile Payments System
White-Label Mobile Payments SystemWhite-Label Mobile Payments System
White-Label Mobile Payments SystemVelmie
 
Exploring the Possibilities of Blockchain in Healthcare
Exploring the Possibilities of Blockchain in HealthcareExploring the Possibilities of Blockchain in Healthcare
Exploring the Possibilities of Blockchain in HealthcareIonixx Technologies Inc.
 
Technical Specifications DLTS ver 2.3
Technical Specifications DLTS ver 2.3Technical Specifications DLTS ver 2.3
Technical Specifications DLTS ver 2.3DigiLocker
 
Digital Locker Dedicated Repository Api Specification v1 4
Digital Locker Dedicated Repository Api Specification v1 4Digital Locker Dedicated Repository Api Specification v1 4
Digital Locker Dedicated Repository Api Specification v1 4DigiLocker
 
eSign Brochure1.5
eSign Brochure1.5eSign Brochure1.5
eSign Brochure1.5DigiLocker
 
What is Digital Signature, Digital Signature FAQ - eMudhra
What is Digital Signature, Digital Signature FAQ - eMudhraWhat is Digital Signature, Digital Signature FAQ - eMudhra
What is Digital Signature, Digital Signature FAQ - eMudhraeMudhra dsc
 
Automated E-Pin Generator in Banking Sector
Automated E-Pin Generator in Banking SectorAutomated E-Pin Generator in Banking Sector
Automated E-Pin Generator in Banking Sectordbpublications
 
Bank chain to leverage blockchain further
Bank chain to leverage blockchain furtherBank chain to leverage blockchain further
Bank chain to leverage blockchain furthereTailing India
 
Digital signature certificate provider in delhi
Digital signature certificate provider in delhiDigital signature certificate provider in delhi
Digital signature certificate provider in delhieSign DSC
 
Blockchain Account Aggregation oct 2019 rev nci
Blockchain Account Aggregation oct 2019 rev nciBlockchain Account Aggregation oct 2019 rev nci
Blockchain Account Aggregation oct 2019 rev nciTaras Kuzin
 
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Blockchain Worx
 

Tendances (18)

Using Strong / Verified Identities
Using Strong / Verified IdentitiesUsing Strong / Verified Identities
Using Strong / Verified Identities
 
Digital Locker Requester Api Specification v1 0
Digital Locker Requester Api Specification v1 0Digital Locker Requester Api Specification v1 0
Digital Locker Requester Api Specification v1 0
 
Wallet mobile-ui-presentation
Wallet mobile-ui-presentationWallet mobile-ui-presentation
Wallet mobile-ui-presentation
 
Re-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity ManagementRe-using existing PKIs for online Identity Management
Re-using existing PKIs for online Identity Management
 
White-Label Mobile Payments System
White-Label Mobile Payments SystemWhite-Label Mobile Payments System
White-Label Mobile Payments System
 
Exploring the Possibilities of Blockchain in Healthcare
Exploring the Possibilities of Blockchain in HealthcareExploring the Possibilities of Blockchain in Healthcare
Exploring the Possibilities of Blockchain in Healthcare
 
Technical Specifications DLTS ver 2.3
Technical Specifications DLTS ver 2.3Technical Specifications DLTS ver 2.3
Technical Specifications DLTS ver 2.3
 
Digital Locker Dedicated Repository Api Specification v1 4
Digital Locker Dedicated Repository Api Specification v1 4Digital Locker Dedicated Repository Api Specification v1 4
Digital Locker Dedicated Repository Api Specification v1 4
 
eSign Brochure1.5
eSign Brochure1.5eSign Brochure1.5
eSign Brochure1.5
 
What is Digital Signature, Digital Signature FAQ - eMudhra
What is Digital Signature, Digital Signature FAQ - eMudhraWhat is Digital Signature, Digital Signature FAQ - eMudhra
What is Digital Signature, Digital Signature FAQ - eMudhra
 
v 1.0
v 1.0v 1.0
v 1.0
 
Automated E-Pin Generator in Banking Sector
Automated E-Pin Generator in Banking SectorAutomated E-Pin Generator in Banking Sector
Automated E-Pin Generator in Banking Sector
 
Bank chain to leverage blockchain further
Bank chain to leverage blockchain furtherBank chain to leverage blockchain further
Bank chain to leverage blockchain further
 
Digital signature certificate provider in delhi
Digital signature certificate provider in delhiDigital signature certificate provider in delhi
Digital signature certificate provider in delhi
 
Blockchain Account Aggregation oct 2019 rev nci
Blockchain Account Aggregation oct 2019 rev nciBlockchain Account Aggregation oct 2019 rev nci
Blockchain Account Aggregation oct 2019 rev nci
 
DSC E-Sign File Attachment
DSC E-Sign File AttachmentDSC E-Sign File Attachment
DSC E-Sign File Attachment
 
Implementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRockImplementing Open Banking with ForgeRock
Implementing Open Banking with ForgeRock
 
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
Infographic: Designing next-gen Digital Banking, powered by Open Banking API’...
 

Similaire à oauth-for-credentials-security-in-rest-api-access

Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
OAuth [noddyCha]
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]noddycha
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Spring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing PeopleSpring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing PeopleGordon Dickens
 

Similaire à oauth-for-credentials-security-in-rest-api-access (20)

Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
OAuth
OAuthOAuth
OAuth
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
OAuth
OAuthOAuth
OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
Maintest3
Maintest3Maintest3
Maintest3
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
OAuth [noddyCha]
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Api security
Api security Api security
Api security
 
Oauth Php App
Oauth Php AppOauth Php App
Oauth Php App
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Spring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing PeopleSpring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing People
 

Plus de idsecconf

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfidsecconf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...idsecconf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfidsecconf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidadaidsecconf
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullahidsecconf
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaidsecconf
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwiantoidsecconf
 

Plus de idsecconf (20)

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
 

oauth-for-credentials-security-in-rest-api-access

  • 1.
  • 2. Open Authorization : OAuth for credentials security in REST API access
  • 3. Panggi Libersa Jasri Akadol Web : http://www.opensecuritylab.org Twitter : @panggi
  • 4. Agenda • Web 2.0 and Data • OAuth usage • Useful resources
  • 5. Web 2.0 and Data
  • 8. Different service = Different data
  • 9. What if you need to use your data that stored in another service provider’s server ?
  • 10. Yup , just take it 
  • 11.
  • 12. OK .. Enough with the Cute creatures :-p Let’s dive into technical things
  • 14. Using API (Application Programming Interface)
  • 15. An application programming interface (API) is an interface implemented by a software program that enables it to interact with other software. It facilitates interaction between different software programs similar to the way the user interface facilitates interaction between humans and computers. ( via http://en.wikipedia.org/wiki/API)
  • 16.
  • 17. REST Representational State Transfer •Provide every resource with a unique ID, for example, a URI •Link resources with each other, establishing relationships among resources •Use standard methods (HTTP, media types, XML) •Resources can have multiple representations that reflect different application states •The communication should be stateless using the HTTP
  • 19.
  • 20.
  • 22. "Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay." - oauth.net
  • 23. we need an easy, user-friendly standard for third party api security
  • 25.
  • 26. OAuth puts the user back in control You choose who you share your data with
  • 27. OAuth is secure No need to give Username and Password
  • 28. Big Name Adoption Google Yahoo! OpenSocial Netflix MySpace twitter SmugMug GetSatisfaction and more...
  • 29. Love triangle End user (Resource Owner) Service provider Consumer OAuth
  • 30. OAuth Protected resources are exposed by service providers and used by consumer applications on behalf of users
  • 31. OAuth My Twitter Status Is exposed by Twitter And used by Seesmic On my behalf
  • 32. OAuth Terminology • Provider is the application that exposes the secure API and user’s identity • Consumer is the application that is written against the Provider’s API, intended for Provider’s users. • Users or resource owners are registered users of the Provider • Consumer Key is an identifier for the consumer • Consumer Secret is a shared-secret between the provider and the consumer • Signature Methods are encryption methods used by OAuth communication. Methods suggested are PLAINTEXT, RSA-SHA1 and HMAC-SHA1 • OAuth Endpoints are endpoints exposed by the provider to facilitate OAuth dance • Callback URL is an endpoint at the Consumer that is invoked by the Provider once the user authorizes the Consumer. If none, the value is oob, or Out-of- Band
  • 33. Tokens • Request Token – Short lived identifiers which start the handshake – Must be converted to Access Token in order to gain access to a user’s resources • Access Token – Long lived identifiers that are tied to the user’s identity – Are used to access a user’s resources (data) at the Provider on behalf of the user
  • 34. Endpoints • Get request token • Authorize token • Get access token
  • 35. Get Request Token • The endpoint provides consumers to get an unauthorized request token by providing their consumer key and other parameters as a signed request • The credentials can be passed via HTTP Header, POST body or GET QueryString • The request includes an oauth_signature which is calculated by following the steps defined in the spec. Use libraries instead of writing your own signing implementations. • The response has an unauthorized request token as well as a token secret, and a flag indicating if the callback was accepted.
  • 36. Authorize Token • The step authorizes an unauthorized request token retrieved via previous request. • The endpoint takes the unauthorized request token – or the user can enter one manually if supported. • The Authorize Token endpoint then redirects the user to the Provider’s login page • The user logs in, and is asked to authorize the consumer (and hence the request token) • Once the user authenticates, and authorizes access to the consumer, the provider calls the callback URL provided earlier with a verifier code. This verifier code, along with other credentials is used to get an Access Token.
  • 37. Get Access Token • At this step, the now authorized request token is exchanged for an access token • The access token acts as a user’s credential for any further transactions • The endpoint takes the request token and the verifier code returned via the callback, or manually if callback is not supported. The request is signed with consumer secret and the request token’s secret. • The Provider returns an access token and a token secret. • The token secret is used to sign the requests along with the consumer secret.
  • 38. Access User’s Resources • Now that the consumer has the access token, the user’s resources can be requested via signed requests to the provider. • The user should be able to unauthorize the consumer by revoking the access token. • The access token has a time to live which is typically longer than the request token
  • 40. • http://tools.ietf.org/html/rfc5849 • http://oauth.net/code/ • http://hueniverse.com/oauth/ • http://code.google.com/p/oauth/ • http://opensecuritylab.org/tag/oauth