apidays LIVE Helsinki & North: API Ecosystems - Connecting Physical and Digital
March 16 & 17, 2022
Financial-Grade Security for APIs
Michał Trojanowski, Product Marketing Engineer at Curity AB
13. Proof-of-Possession for JWTs
• Standard defined in RFC 7800 (Proof-of-Possession Key Semantics for JSON Web Tokens).
• Adds a “cnf” (confirmation) claim to the token that identifies the key the presenter must prove possession of; the recipient can then verify that the caller actually holds that key, so a token that has merely been stolen is useless on its own.
14. PoP JWTs with “cnf” claim
[Diagram: Client, API Gateway, API and Authorization Server. The client holds a private key; the Authorization Server knows the matching public key and issues an access token whose “cnf” claim references that key. The client then presents the token to the API Gateway and the API together with a proof of possession made with its private key.]
{
  "cnf": {
    "kid": "1234"
  }
}
17. Standard OAuth Authorization Requests
Client -> Authorization Server, through the user’s browser:
GET /authorize?response_type=code&client_id=abc&scope=read%20write
Authorization Server -> Client, again through the browser:
HTTP 302
Location: /cb?code=123
(or HTTP 400 when the authorization server rejects the request)
Questions this front-channel design raises:
• Is that a legitimate client? (The request is unauthenticated; anyone can put client_id=abc in a URL.)
• Are the parameters OK? (They travelled through the browser and could have been altered on the way.)
• Can these end up in the browser logs? (Query strings land in browser history, proxy and server logs, and can leak through the Referer header.)
18. Pushed Authorization Requests
Client -> Authorization Server, over the back channel with client authentication:
POST /authorize/par
Authorization: Basic YWJjOnNlY3JldA==
client_id=abc&scope=read%20write
Authorization Server -> Client:
HTTP 201
{ "request_uri": "urn:ietf:params:oauth:request_uri:1234", "expires_in": 60 }
Client -> Authorization Server, through the browser, carrying only the reference:
GET /authorize?client_id=abc&request_uri=urn:ietf:params:oauth:request_uri:1234
19. Pushed Authorization Requests
• The client is authenticated before the authorization request: the parameters are pushed over the back channel with client credentials, before anything reaches the browser.
• Authorization request parameters can’t be tampered with: the browser only carries an opaque request_uri that references the stored request.
• Request parameters do not traverse insecure transport: they never pass through the browser, so they do not end up in history, Referer headers or proxy logs.
• URL length limitations are no longer a concern: large requests fit in the POST body of the push.
• Redirect URI restrictions can be relaxed: because the redirect_uri arrives from an authenticated client, the authorization server can afford to accept redirect URIs that were not pre-registered.
21. JWT Secured Authorization Response Mode
• Specification from the OpenID Foundation’s FAPI working group (still a draft at the time of this talk).
• Protects against attacks on the authorization code response by delivering the response as a signed JWT instead of loose query parameters.
25. JWT Secured Authorization Response Mode
• The code response is integrity-protected: the authorization server signs (and may additionally encrypt) the response JWT.
• Response parameters are strongly coupled: code, state, aud and exp travel together in one signed JWT, so they cannot be recombined, and the short exp mitigates replay attacks.
• Protection from mix-up attacks: the client can verify the iss claim against the authorization server it started the flow with.
26. Key Takeaways
• Don’t discard “financial-grade” topics only because you’re not dealing with finance.
• Remember sender-constrained access tokens if stealing the token is what troubles you.
• Give PAR and JARM a try if you’re concerned with some attack vectors against authorization requests and responses.