
2018 IterateConf Deconstructing and Evolving REST Security



The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.

  1. Deconstructing REST Security. David Blevins, Tomitribe. Iterate #RESTSecurity @dblevins @tomitribe
  2. “The nice thing about standards is you have so many to choose from.” - Andrew S. Tanenbaum
  3. Focus Areas
     • Beyond Basic Auth
     • Theory of OAuth 2.0
     • Introduction of JWT
     • Google/Facebook style API security
     • Stateless vs Stateful Architecture
     • HTTP Signatures
     • Amazon EC2 style API security
  4. Baseline (diagram): 1000 users x 3 TPS, 4 hops, 3000 TPS frontend, 12000 TPS backend
  5. Basic Auth (and its problems)
  6. Basic Auth Message
     POST /painter/color/object HTTP/1.1
     Host: localhost:8443
     Authorization: Basic c25vb3B5OnBhc3M=
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 45

     {"color":{"b":255,"g":0,"name":"blue","r":0}}
  7. Basic Auth (diagram): Password Sent, 3000 TPS (HTTP+SSL), username+password Base64, (no auth), 3000 TPS (LDAP), 12000 TPS (HTTP)
  8. Basic Auth (diagram): Password Sent, 3000 TPS (HTTP+SSL), username+password Base64, username+password Base64, 15000 TPS (LDAP), Password Sent, 12000 TPS (HTTP)
  9. Basic Auth (diagram): Password Sent, 3000 TPS (HTTP+SSL), username+password Base64, IP whitelisting, 3000 TPS (LDAP), 12000 TPS (HTTP)
  10. “Hey, give me all of Joe’s salary information.” “I don’t know who you are, … but sure!”
  11. Latveria Attacks
  12. Basic Auth - Attacks (diagram): Valid Password Sent, 3000 TPS (HTTP+SSL), IP whitelisting, 9000 TPS (LDAP), 12000 TPS (HTTP), Invalid Password Sent, 6000 TPS (HTTP+SSL)
  13. OAuth 2.0 (and its problems)
  14. (image only)
  15. (image only)
  16. (image only)
  17. (image only)
  18. OAuth 2 - Password Grant (diagram: (LDAP), (Token Store), Verify Password, Generate Token)
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=password&username=snoopy&password=woodstock

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
     }
  19. OAuth 2.0 Message
     POST /painter/color/object HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 45

     {"color":{"r":0,"g":0,"b":255,"name":"blue"}}
  20. OAuth 2.0 Message
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 45

     {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  21. OAuth 2.0 Message
     POST /painter/color/select HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 44

     {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  22. OAuth 2.0 Message
     POST /painter/color/fill HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 49

     {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  23. OAuth 2.0 Message
     POST /painter/color/stroke HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 49

     {"color":{"r":255,"g":200,"b":255,"name":"orange"}}
  24. 401
  25. OAuth 2 - Refresh Grant (diagram: (LDAP), (Token Store), Verify Password, Generate Token)
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
       "expires_in":3600,
       "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e"
     }
  26. Old pair
     • Access Token 2YotnFZFEjr1zCsicMWpAA
     • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA
     New pair
     • Access Token 6Fe4jd7TmdE5yW2q0y6W2w
     • Refresh Token hyT5rw1QNh5Ttg2hdtR54e
  27. OAuth 2.0 Message
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"r":0,"g":255,"b":0,"name":"green"}}
  28. OAuth 2.0 Message
     POST /painter/color/select HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 44

     {"color":{"r":255,"g":0,"b":0,"name":"red"}}
  29. OAuth 2.0 Message
     POST /painter/color/fill HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 49

     {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
  30. What have we achieved?
  31. You have more passwords (at least your devices do)
  32. Term Alert
     • Password Grant???
       • Logging in
     • Token?
       • Slightly less crappy password
       • Equally crappy HTTP Session ID
  33. OAuth 2 (diagram): Tokens Sent, 3000 TPS (HTTP+SSL), IP whitelisting, 3000 TPS (token checks), Password Sent 1000/daily (HTTP+SSL), OAuth 2 (LDAP), 4 hops, 12000 TPS backend
  34. (image only)
  35. “Who the heck is 6Fe4jd7TmdE5yW2q0y6W2w ???????” “No idea, dude. Ask the token server.”
  36. OAuth 2 (diagram): Tokens Sent, 3000 TPS (HTTP+SSL), IP whitelisting, 3000 TPS (token checks), Password Sent 1000/daily (HTTP+SSL), OAuth 2 (LDAP), 12000 TPS (token checks), 8 hops, 24000 TPS backend
  37. OAuth 2 (diagram): Tokens Sent, 3000 TPS (HTTP+SSL), IP whitelisting, 3000 TPS (token checks), Password Sent 1000/daily (HTTP+SSL), OAuth 2 (LDAP), 12000 TPS (token checks), 8 hops, 24000 TPS backend, 55% of all traffic
  38. OAuth 2 (diagram): Tokens Sent, 3000 TPS (HTTP+SSL), IP whitelisting, 0 TPS (token checks), Password Sent 1000/daily (HTTP+SSL), OAuth 2 (LDAP), 0 TPS (token checks), 0 hops, 0 TPS backend
  39. OAuth 2 (diagram): Pointer, Pointer, State
  40. Access Token: Access Pointer? Access Primary Key?
  41. OAuth 2.0: High Frequency Password Exchange Algorithm?
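The opaque-token model of slides 18 through 40, as an added Go example that is not part of the deck or of any Tomitribe code: a minimal in-memory token store that implements the password grant, the refresh grant with pair rotation (slide 26), and the per-request check that every backend has to make because the token is only a pointer (slide 35). The `passwords` map stands in for the LDAP bind and the usernames are constructed; token values are random rather than the fixed strings on the slides.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenPair is the body /oauth2/token returns on slides 18 and 25.
type TokenPair struct {
	AccessToken  string `json:"access_token"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
}

type session struct {
	username string
	expires  time.Time
}

// TokenStore is the server-side state behind opaque ("pointer") tokens. The
// token string carries nothing, so every consumer has to come back here.
type TokenStore struct {
	mu        sync.Mutex
	byAccess  map[string]*session // access token -> owner and expiry
	byRefresh map[string]string   // refresh token -> the access token it pairs with
	passwords map[string]string   // stand-in for the LDAP bind (constructed)
	ttl       time.Duration
}

func NewTokenStore(passwords map[string]string, ttl time.Duration) *TokenStore {
	return &TokenStore{byAccess: map[string]*session{}, byRefresh: map[string]string{},
		passwords: passwords, ttl: ttl}
}

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// PasswordGrant checks the password once (the only LDAP hop) and mints a pair.
func (s *TokenStore) PasswordGrant(username, password string, now time.Time) (*TokenPair, error) {
	want, ok := s.passwords[username]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(password)) != 1 {
		return nil, errors.New("invalid_grant")
	}
	return s.issue(username, now), nil
}

func (s *TokenStore) issue(username string, now time.Time) *TokenPair {
	s.mu.Lock()
	defer s.mu.Unlock()
	p := &TokenPair{AccessToken: randomToken(), RefreshToken: randomToken(), ExpiresIn: int(s.ttl.Seconds())}
	s.byAccess[p.AccessToken] = &session{username: username, expires: now.Add(s.ttl)}
	s.byRefresh[p.RefreshToken] = p.AccessToken
	return p
}

// RefreshGrant rotates the pair: both halves of the old pair stop working
// (slide 26, "old pair" versus "new pair").
func (s *TokenStore) RefreshGrant(refreshToken string, now time.Time) (*TokenPair, error) {
	s.mu.Lock()
	access, ok := s.byRefresh[refreshToken]
	var username string
	if ok {
		username = s.byAccess[access].username
		delete(s.byAccess, access)
		delete(s.byRefresh, refreshToken)
	}
	s.mu.Unlock()
	if !ok {
		return nil, errors.New("invalid_grant")
	}
	return s.issue(username, now), nil
}

// Check is the "ask the token server" hop of slide 35: resolve the pointer to a
// username, or fail when the token is unknown or expired.
func (s *TokenStore) Check(accessToken string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.byAccess[accessToken]
	if !ok || !now.Before(sess.expires) {
		return "", errors.New("invalid_token")
	}
	return sess.username, nil
}

func main() {
	store := NewTokenStore(map[string]string{"snoopy": "woodstock"}, time.Hour) // constructed credentials
	now := time.Now()
	pair, err := store.PasswordGrant("snoopy", "woodstock", now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued: %+v\n", *pair)
	user, err := store.Check(pair.AccessToken, now)
	fmt.Println("check:", user, err)
	fresh, _ := store.RefreshGrant(pair.RefreshToken, now)
	_, err = store.Check(pair.AccessToken, now)
	fmt.Println("old access token after refresh:", err, "new:", fresh.AccessToken)
}
```

Every `Check` call is the extra hop the later slides count as 12000 TPS of token checks; the store also shows why the model is "slightly less crappy password": the token is a secret that must be presented on every request and is worthless without the server-side row.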
  42. Problem: how to detect if a file's contents have changed?
  43. Hashing and Signing: Symmetric and Asymmetric
  44. Hashing Data
  45. (data shown as a bit string) 01010000010001000011011011101000110101001001100001010011110000 00111010101111111111111111000101111101001110111000100010000000000 111111101011100001001100100000101011111001101111111100111011000011 111011001101100100000101011110011001100001011011110101110110001
  46. (same bit string as slide 45)
  47. More Bits the Better
  48. Hashing Data
  49. Hashing Data
  50. Hashing Data
  51. Hashing Data
  52. Eagles beat Patriots 41 to 33
  53. Eagles beat Patriots 41 to 33
  54. Eagles beat Patriots 41 to 34
  55. Protecting the Hash (diagram): HMAC (Symmetric): abc123, abc123. RSA (Asymmetric): private, public
  56. HMAC (Symmetric) (diagram): Read & Write, Read & Write. Shared and equal relationship
  57. RSA (Asymmetric) (diagram): Write; Read, Read, Read. One side has more authority (* the reverse is possible)
  58. Encoding a Hash or Signature
     Binary: 0010100011010111110000011011000100101000110011100111010010001000 0100011011011010000000100011110100111111010100011000100011010001 1101101001010101111100010011111110100000001001100010000000010111 0000000000100101000010110011000100001001011011010111101111101101
     Hex: 8af5c1468a399708b12d205e7ec588c52dd547fe0232027400526846485bef5b
     Base64: ivXBRoo5lwixLSBefsWIxS3VR_4CMgJ0AFJoRkhb71s
     Base85: MY4eTME."/Yq7))I`7,^/_*Aj!sh!!)dK"86bOe~
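Slides 42 through 58 in working form, as an added Go example that is not part of the deck: a SHA-256 digest that changes completely when "41 to 33" becomes "41 to 34", an HMAC tag that anyone holding the shared key can both produce and check (the symmetric "read & write on both sides" of slide 56), and the hex, Base64 URL and Base85 renderings of slide 58. The shared key and the sample sentences are constructed; the asymmetric case of slide 57 is left to the JWT example later on.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/ascii85"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 hash of data. Any change to the input, however
// small, yields an unrelated digest: that is what makes it a change detector.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// Tag computes HMAC-SHA256 over data with a shared key. Whoever holds the key
// can both produce and check the tag (symmetric: equal authority on both sides).
func Tag(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// VerifyTag recomputes the tag and compares in constant time.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// Encodings renders the same bytes the three ways sl. 58 shows them: hex, Base64
// URL-safe without padding (the alphabet JWTs use) and Base85 (ascii85 flavour).
type Encodings struct {
	Hex, Base64URL, Base85 string
}

func Encode(raw []byte) Encodings {
	a85 := make([]byte, ascii85.MaxEncodedLen(len(raw)))
	n := ascii85.Encode(a85, raw)
	return Encodings{
		Hex:       hex.EncodeToString(raw),
		Base64URL: base64.RawURLEncoding.EncodeToString(raw),
		Base85:    string(a85[:n]),
	}
}

func main() {
	original := []byte("Eagles beat Patriots 41 to 33")
	altered := []byte("Eagles beat Patriots 41 to 34")
	key := []byte("constructed-shared-secret") // constructed for the example

	fmt.Println("digests equal:", bytes.Equal(Digest(original), Digest(altered)))
	tag := Tag(key, original)
	fmt.Println("tag verifies for original:", VerifyTag(key, original, tag))
	fmt.Println("tag verifies for altered:", VerifyTag(key, altered, tag))
	fmt.Println("tag verifies with another key:", VerifyTag([]byte("other"), original, tag))
	e := Encode(tag)
	fmt.Printf("hex=%s\nbase64url=%s\nbase85=%s\n", e.Hex, e.Base64URL, e.Base85)
}
```

The bare digest detects accidental change but not a deliberate one, since anyone can recompute it after editing the data; the tag closes that gap only for parties that hold the key, which is why slide 55 calls it "protecting the hash".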
  59. OAuth 2.0 + JSON Web Tokens (JWT)
  60. JSON Web Token
     • Pronounced “JOT”
     • Fancy JSON map
     • Base64 URL Encoded
     • Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
     • Built-in expiration
  61. Access Token Previously
     • 6Fe4jd7TmdE5yW2q0y6W2w
  62. Access Token Now
     • eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  63. (the same token, decoded into its three parts)
     • { "alg": "RS256", "typ": "JWT" }
     • { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": [ "twitter", "mans-best-friend" ], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" }
     • DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  64. Access Token Now
     • header (JSON > Base64 URL Encoded)
       • describes how the token signature can be checked
     • payload (JSON > Base64 URL Encoded)
       • Basically a map of whatever you want to put in it
       • Some standard entries such as expiration
     • signature (Binary > Base64 URL Encoded)
       • The actual digital signature
       • made exclusively by the /oauth2/token endpoint
       • If RSA, can be checked by anyone
  65. Subtle But High Impact Architectural Change
  66. What we had (quick recap)
  67. (LDAP) Pull User Info From IDP
  68. (LDAP) Generate an Access Token (pointer)
  69. (LDAP) Insert both into DB
  70. (LDAP) Send Access Token (pointer) to client
  71. Results: Client Holds Pointer, Server Holds State
  72. What we can do now (Hello JWT!)
  73. (LDAP) Pull User Info From IDP
  74. (LDAP) Format the data as JSON
  75. (LDAP) RSA-SHA256 sign JSON (private)
  76. (LDAP) Insert only pointer into DB (for revocation)
  77. (LDAP) Send Access Token (state) to client
  78. Desired Results: Client Holds State, Server Holds Pointer
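The procedure of slides 59 through 78 as an added Go example (not code from the deck or from Tomitribe): `/oauth2/token` formats the user data as JSON and RS256-signs it with the gateway's private key, and a microservice holding only the public key checks the signature and the expiry locally, with no hop back to the token server. Claim names follow slide 63; the key pair is generated on the fly and the claim values are constructed. `Tamper` exists only to show that a payload swapped under an existing signature is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the payload of slide 63 (claim names from the slide, values constructed).
type Claims struct {
	TokenType string   `json:"token-type"`
	Username  string   `json:"username"`
	Issuer    string   `json:"iss"`
	Scopes    []string `json:"scopes"`
	Exp       int64    `json:"exp"`
	Iat       int64    `json:"iat"`
	Jti       string   `json:"jti"`
}

var b64 = base64.RawURLEncoding

// NewGatewayKey generates the gateway's RSA key pair. The private half stays on
// /oauth2/token; only the public half is handed to the microservices.
func NewGatewayKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Mint is the /oauth2/token side: base64url(header).base64url(payload), then an
// RS256 signature (RSA PKCS#1 v1.5 over SHA-256) made with the private key.
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the microservice side: with nothing but the public key it checks the
// signature and the expiry locally, so the token server is never consulted.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	// Pin the algorithm: nothing in the header can be trusted before the signature is checked.
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg is not RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	pb, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("payload unreadable")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Tamper swaps the payload of a minted token while keeping its signature; Verify must reject it.
func Tamper(token string, c Claims) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(c)
	return parts[0] + "." + b64.EncodeToString(payload) + "." + parts[2]
}

func main() {
	priv := NewGatewayKey()
	now := time.Now()
	tok, err := Mint(priv, Claims{TokenType: "access-token", Username: "snoopy",
		Issuer: "https://demo.superbiz.com/oauth2/token", Scopes: []string{"twitter", "mans-best-friend"},
		Exp: now.Add(time.Hour).Unix(), Iat: now.Unix(), Jti: "66881b068b249ad9"})
	if err != nil {
		panic(err)
	}
	fmt.Println(tok)
	c, err := Verify(&priv.PublicKey, tok, now)
	fmt.Println("verified:", c != nil && c.Username == "snoopy", err)
	_, err = Verify(&priv.PublicKey, Tamper(tok, Claims{Username: "joe", Exp: now.Add(time.Hour).Unix()}), now)
	fmt.Println("tampered token rejected:", err)
}
```

This is the architectural change of slide 65 in code: the client now holds the state and the server only keeps the `jti` pointer for revocation (slide 76), and the expensive operation moved from a lookup on every hop to one signature verification per hop.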
  79. (image only)
  80. OAuth 2 - Password Grant (diagram: (LDAP), (Token ID Store), Verify Password, Generate Signed Token)
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=password&username=snoopy&password=woodstock

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo",
       "expires_in":3600,
       "refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL"
     }
  81. OAuth 2.0 Message with JWT
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  82. OAuth 2 + JWT (diagram): Tokens Sent, 3000 TPS (HTTP+SSL), 0.55 TPS (refresh token checks), Password Sent 1000/daily (HTTP+SSL), OAuth 2 (LDAP), 4 hops, 12000 TPS backend, 3000 TPS (signature verification), 12000 TPS (signature verification), (private key), (public key)
  83. “Hey, give me all of Joe’s salary information.” “Not a chance!”
  84. “Hey, give me all of Joe’s salary information.” “Sure thing!” Every Microservice Has the Gateway's Public Key
  85. Latveria Attacks (again)
  86. OAuth 2 + JWT (diagram): Valid Tokens Sent, 3000 TPS (HTTP+SSL), 0.55 TPS (refresh token checks), Password Sent 1000/daily (HTTP+SSL), (LDAP), 4 hops, 12000 TPS backend, 9000 TPS (signature verification), 12000 TPS (signature verification), Invalid Tokens Sent, 6000 TPS (HTTP+SSL), (private key), (public key)
  87. HTTP Signatures (Amazon EC2 style API Security)
  88. HTTP Signatures
     • No “secret” ever hits the wire
     • Signs the message itself
     • Proves identity
     • Prevents message tampering
     • Symmetric or Asymmetric signatures
     • IETF Draft
       • https://tools.ietf.org/html/draft-cavage-http-signatures
     • Extremely simple
     • Does NOT eliminate benefits of JWT
  89. Signature Message
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Signature keyId="my-key-name", algorithm="hmac-sha256", headers="content-length host date (request-target)", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
     Date: Mon, 19 Sep 2016 16:51:35 PDT
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"b":0,"g":255,"r":0,"name":"green"}}
  90. Signature closeup
     Signature keyId="my-key-name", algorithm="hmac-sha256", headers="content-length host date (request-target)", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
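The signature of slides 88 through 90 as an added Go example (not code from the deck, from Tomitribe, or from the draft-cavage authors): the string to sign is rebuilt from the headers named in the `headers` parameter, with `(request-target)` expanding to the lowercased method and path, and is HMAC-SHA256'd with the shared key that never leaves either side. The request is rebuilt from slide 89 with a constructed key; the signature value on the slide was produced with a key the deck does not publish, so the one computed here differs from it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// SigningString builds the draft-cavage string to sign: one "name: value" line per
// entry in headers, joined by "\n". "(request-target)" expands to
// "<lowercase method> <path>". Host and Content-Length are read from the request
// fields because net/http keeps them outside the Header map.
func SigningString(r *http.Request, headers []string) (string, error) {
	lines := make([]string, 0, len(headers))
	for _, h := range headers {
		h = strings.ToLower(h)
		switch h {
		case "(request-target)":
			lines = append(lines, h+": "+strings.ToLower(r.Method)+" "+r.URL.RequestURI())
		case "host":
			lines = append(lines, h+": "+r.Host)
		case "content-length":
			lines = append(lines, fmt.Sprintf("%s: %d", h, r.ContentLength))
		default:
			v := r.Header.Get(h)
			if v == "" {
				return "", fmt.Errorf("signed header %q is missing from the request", h)
			}
			lines = append(lines, h+": "+v)
		}
	}
	return strings.Join(lines, "\n"), nil
}

func hmacSHA256(key []byte, s string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(s))
	return m.Sum(nil)
}

// Sign produces the Authorization value of slide 90. Only the MAC crosses the
// wire; the key stays with the client.
func Sign(r *http.Request, keyID string, key []byte, headers []string) (string, error) {
	s, err := SigningString(r, headers)
	if err != nil {
		return "", err
	}
	sig := base64.StdEncoding.EncodeToString(hmacSHA256(key, s))
	return fmt.Sprintf(`Signature keyId="%s",algorithm="hmac-sha256",headers="%s",signature="%s"`,
		keyID, strings.Join(headers, " "), sig), nil
}

var paramRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// Verify re-derives the signing string from the headers the client declared and
// compares MACs in constant time; lookup resolves keyId to the shared key.
func Verify(r *http.Request, lookup func(keyID string) ([]byte, bool)) error {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Signature ") {
		return errors.New("no Signature authorization")
	}
	p := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(auth, -1) {
		p[m[1]] = m[2]
	}
	if p["algorithm"] != "hmac-sha256" {
		return errors.New("unsupported algorithm")
	}
	key, ok := lookup(p["keyId"])
	if !ok {
		return errors.New("unknown keyId")
	}
	// A signature that leaves the target or the date uncovered would verify for
	// any path at any time, so insist on both before computing anything.
	if !strings.Contains(p["headers"], "(request-target)") || !strings.Contains(p["headers"], "date") {
		return errors.New("(request-target) and date must be signed")
	}
	s, err := SigningString(r, strings.Fields(p["headers"]))
	if err != nil {
		return err
	}
	want, err := base64.StdEncoding.DecodeString(p["signature"])
	if err != nil || !hmac.Equal(hmacSHA256(key, s), want) {
		return errors.New("signature mismatch")
	}
	return nil
}

// ConstructedRequest rebuilds the slide 89 request (Date and body from the slide).
func ConstructedRequest() *http.Request {
	r, err := http.NewRequest("POST", "https://api.superbiz.io/painter/color/palette",
		strings.NewReader(`{"color":{"b":0,"g":255,"r":0,"name":"green"}}`))
	if err != nil {
		panic(err)
	}
	r.Header.Set("Date", "Mon, 19 Sep 2016 16:51:35 PDT")
	r.Header.Set("Content-Type", "application/json")
	return r
}

func main() {
	key := []byte("constructed-shared-secret-for-my-key-name") // constructed; not the deck's key
	r := ConstructedRequest()
	auth, _ := Sign(r, "my-key-name", key, []string{"content-length", "host", "date", "(request-target)"})
	r.Header.Set("Authorization", auth)
	fmt.Println(auth)
	lookup := func(id string) ([]byte, bool) { return key, id == "my-key-name" }
	fmt.Println("verify:", Verify(r, lookup))
	r.URL.Path = "/painter/color/fill" // a changed target no longer matches the signed one
	fmt.Println("verify after changing the path:", Verify(r, lookup))
}
```

The server-side `lookup` is where the "LDAP or Keystore" box of slide 91 sits: the only per-request cost is one key fetch and one HMAC, and a password is never sent at all (the "0 TPS" password line on the same slide). Covering `date` also gives the server something to bound replay with, by rejecting stale timestamps.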

  91. Signature Auth (diagram): Password Sent 0 TPS (HTTP), Signature, (no auth), 3000 TPS (LDAP or Keystore), 12000 TPS (HTTP)
  92. Signature Auth (diagram): Password Sent 0 TPS (HTTP), Signature, Signature, 3000 TPS (LDAP or Keystore), 12000 TPS (HTTP)
  93. “Hey, give me all of Joe’s salary information.” “Hey, Larry! Sure!” Issue Returns (bad)
  94. OAuth 2.0 Proof-of-Possession (JWT + HTTP Signatures)
  95. (diagram) Key: Value. Identity Information (JWT): Key ID. Proof Of Identity (HTTP Signature)
  96. Access Token (decoded)
     { "alg": "RS256", "typ": "JWT" }
     { "token-type": "access-token", "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter", "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" }
     DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  97. Access Token (decoded)
     { "alg": "RS256", "typ": "JWT" }
     { "token-type": "pop", "cnf": { "kid": "green-1234" }, "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter", "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" }
     DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
  98. OAuth 2 - Password Grant (diagram: (LDAP), (Token ID Store), (Key Store), Verify Password, Generate Signed Token, Generate HMAC Key)
     POST /oauth2/token
     Host: api.superbiz.io
     User-Agent: curl/7.43.0
     Accept: */*
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 54

     grant_type=password&username=snoopy&password=woodstock

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6MTMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2",
       "token_type":"pop",
       "expires_in":3600,
       "refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M",
       "key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ"
     }
  99. JSON Web Key (encoded)
     eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
  100. JSON Web Key (decoded)
     {
       "kty": "oct",
       "use": "sig",
       "kid": "orange-1234",
       "k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKWTHlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7jJJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xss8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39cwfs",
       "alg": "HS256"
     }
  101. Signed OAuth 2.0 Message
     POST /painter/color/palette HTTP/1.1
     Host: api.superbiz.io
     Authorization: Signature keyId="orange-1234", algorithm="hmac-sha256", headers="content-length host date (request-target)", signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
     Date: Mon, 19 Sep 2016 16:51:35 PDT
     Accept: */*
     Content-Type: application/json
     Content-Length: 46

     {"color":{"b":0,"g":255,"r":0,"name":"green"}}
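The proof-of-possession binding of slides 94 through 101, as an added Go example that is neither the deck's code nor Tomitribe's: the client's HMAC key arrives as the `oct` JSON Web Key of slide 100 and goes into the key store under its `kid`; on each request the server reads `cnf.kid` from the (already RS256-verified) token and refuses to look up any key other than that one for the `Signature` header. The JWK text is the slide's, rejoined onto one line; the token payload and the key store are constructed, and the HMAC itself is then checked exactly as a plain HTTP Signature would be.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// SlideJWK is the decoded JSON Web Key of slide 100, joined back onto one line.
const SlideJWK = `{"kty":"oct","use":"sig","kid":"orange-1234","k":"VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKWTHlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7jJJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xss8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39cwfs","alg":"HS256"}`

// KeyFromJWK turns a symmetric ("oct") JWK into a key-store entry: "k" holds the
// raw HMAC key bytes, base64url-encoded without padding.
func KeyFromJWK(jwk string) (kid string, key []byte, err error) {
	var j struct{ Kty, Kid, K, Alg string }
	if err = json.Unmarshal([]byte(jwk), &j); err != nil {
		return "", nil, err
	}
	if j.Kty != "oct" || j.Alg != "HS256" || j.Kid == "" {
		return "", nil, fmt.Errorf("not an HS256 oct key: kty=%q alg=%q", j.Kty, j.Alg)
	}
	key, err = base64.RawURLEncoding.DecodeString(j.K)
	return j.Kid, key, err
}

// PopKeyID reads cnf.kid from a JWT payload. The token's own RS256 signature is
// assumed to have been verified already with the gateway's public key; the
// payload is trusted only on that basis.
func PopKeyID(jwt string) (string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c struct {
		Cnf struct {
			Kid string `json:"kid"`
		} `json:"cnf"`
	}
	if err := json.Unmarshal(pb, &c); err != nil || c.Cnf.Kid == "" {
		return "", errors.New("no cnf.kid claim: not a proof-of-possession token")
	}
	return c.Cnf.Kid, nil
}

var keyIDRe = regexp.MustCompile(`keyId="([^"]*)"`)

// SignatureKeyID pulls keyId out of an "Authorization: Signature ..." value.
func SignatureKeyID(authorization string) (string, error) {
	m := keyIDRe.FindStringSubmatch(authorization)
	if !strings.HasPrefix(authorization, "Signature ") || m == nil {
		return "", errors.New("no Signature keyId in Authorization")
	}
	return m[1], nil
}

// BindingKey enforces the proof-of-possession rule: the request must be signed
// with exactly the key the token names in cnf.kid. It returns that key so the
// HMAC can then be checked like any HTTP Signature; a token shown with some other
// keyId, or with none, is refused before any HMAC is computed.
func BindingKey(jwt, authorization string, store map[string][]byte) ([]byte, error) {
	kid, err := PopKeyID(jwt)
	if err != nil {
		return nil, err
	}
	sigKid, err := SignatureKeyID(authorization)
	if err != nil {
		return nil, err
	}
	if sigKid != kid {
		return nil, fmt.Errorf("signature keyId %q is not the token's cnf.kid %q", sigKid, kid)
	}
	key, ok := store[kid]
	if !ok {
		return nil, errors.New("key id not in key store")
	}
	return key, nil
}

// ConstructedPoPToken builds a stand-in for the slide 97 token with the given
// cnf.kid (constructed for the example; the signature part is a placeholder).
func ConstructedPoPToken(kid string) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	p := base64.RawURLEncoding.EncodeToString([]byte(
		`{"token-type":"pop","cnf":{"kid":"` + kid + `"},"username":"snoopy"}`))
	return h + "." + p + ".placeholder-signature"
}

func main() {
	kid, key, err := KeyFromJWK(SlideJWK)
	if err != nil {
		panic(err)
	}
	store := map[string][]byte{kid: key} // constructed key store: kid -> raw HMAC key
	auth := `Signature keyId="orange-1234",algorithm="hmac-sha256",headers="content-length host date (request-target)",signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="`
	_, err = BindingKey(ConstructedPoPToken("orange-1234"), auth, store)
	fmt.Println("token bound to orange-1234:", err)
	_, err = BindingKey(ConstructedPoPToken("green-1234"), auth, store)
	fmt.Println("token naming another key:", err)
}
```

This is the two-factor point of slide 95: the JWT says who the caller is, the signature proves the caller holds the key, and `cnf.kid` ties the two together so that a copied token is useless to anyone without the matching key.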
  102. OAuth 2 + JWT + (diagram): Tokens Sent, 3000 TPS (HTTP+SSL), 0.55 TPS (refresh token checks), Password Sent 1000/daily (HTTP+SSL), OAuth 2 (LDAP), 4 hops, 12000 TPS backend, 3000 TPS (signature verification), 12000 TPS (signature verification)
  103. Specification Reference: https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution
  104. Observations
     • HTTP Signatures the only HTTP friendly approach
     • Signatures do not solve the “Identity Load” problem
     • OAuth 2 with JWT significantly improves IDP load
     • Plain OAuth 2
       • HTTP Session-like implications
     • OAuth 2 with JWT
       • Signed cookie
       • Signing key to the future
  105. Thank You. Slides & Gateway Sign-up: https://tribestream.io/iterate2018/ #RESTSecurity IterateConf
