The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
65. @dblevins @tomitribe #RESTSecurity @radcortez @tomitribe tribestream.io
Access Token Now
• header (JSON > Base64 URL Encoded)
  • describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
  • Basically a map of whatever you want to put in it
  • Some standard entries such as expiration
• signature (Binary > Base64 URL Encoded)
  • The actual digital signature
  • made exclusively by the /oauth2/token endpoint
  • If RSA, can be checked by anyone
91. HTTP Signatures
• No “secret” ever hits the wire
• Signs the message itself
• Proves identity
• Prevents message tampering
• Symmetric or Asymmetric signatures
• IETF Draft
  • https://tools.ietf.org/html/draft-cavage-http-signatures
• Extremely simple
• Does NOT eliminate benefits of JWT
92. Signing a Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46

{"color":{"b":0,"g":255,"r":0,"name":"green"}}
Take the full HTTP message
93. Signing a Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46

{"color":{"b":0,"g":255,"r":0,"name":"green"}}
Select the parts you want to protect
94. Signing a Message
(request-target): POST /painter/color/palette
host: api.superbiz.io
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
Create a Signing String
95. Signing a Message
(request-target): POST /painter/color/palette
host: api.superbiz.io
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
Hash the string (sha256 shown)
96. Signing a Message
Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
Encrypt the hash (hmac shown)
j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
97. Signing a Message
Signature
keyId="orange-1234",
algorithm="hmac-sha256",
headers="(request-target) host date content-length",
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Put it all together
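Slides 92 to 97 as working code, added here and not taken from the talk or from Tribestream: the client builds the signing string and the Signature header for the request above, and the server looks the key up by keyId, rebuilds the string from the request it actually received and compares in constant time. It follows draft-cavage-http-signatures, where hmac-sha256 is computed directly over the signing string (the slides show a separate SHA-256 step) and the method in (request-target) is lowercased; the shared secret and the key table are constructed assumptions.

```python
import base64
import hashlib
import hmac
# Constructed sample data: the request from the slides plus a made-up shared secret.
SECRET_KEYS = {"orange-1234": b"constructed-shared-secret-not-from-the-talk"}
REQUEST = {"method": "POST", "path": "/painter/color/palette",
           "headers": {"Host": "api.superbiz.io", "Date": "Mon, 19 Sep 2016 16:51:35 PDT",
                       "Content-Type": "application/json", "Content-Length": "46"}}
SIGNED_HEADERS = ["(request-target)", "host", "date", "content-length"]

def signing_string(request, header_names):
    # One "name: value" line per covered header, names lowercased, joined by "\n".
    # (request-target) is the lowercase method, a space and the path (draft rule; the slides uppercase it).
    lowered = {k.lower(): v for k, v in request["headers"].items()}
    lines = []
    for name in header_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {request['method'].lower()} {request['path']}")
        else:
            lines.append(f"{name}: {lowered[name]}")  # KeyError if a covered header is absent
    return "\n".join(lines)

def hmac_sha256_b64(key, text):
    # hmac-sha256 in the draft is HMAC over the signing string itself, base64-encoded.
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha256).digest()).decode()

def sign(request, key_id, header_names):
    # Client side: build the value of the Signature header.
    sig = hmac_sha256_b64(SECRET_KEYS[key_id], signing_string(request, header_names))
    return (f'keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(header_names)}",signature="{sig}"')

def parse_signature(header_value):
    # Split 'k="v",k="v"' into a dict (base64 never contains a comma).
    params = {}
    for part in header_value.split(","):
        key, _, value = part.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params

def verify(request, header_value):
    # Server side: rebuild the signing string from the request as received, compare in constant time.
    p = parse_signature(header_value)
    if p.get("algorithm") != "hmac-sha256" or p.get("keyId") not in SECRET_KEYS:
        return False
    try:
        expected = hmac_sha256_b64(SECRET_KEYS[p["keyId"]], signing_string(request, p["headers"].split(" ")))
    except KeyError:  # the header list names something the request does not carry
        return False
    return hmac.compare_digest(expected.encode(), p.get("signature", "").encode())
```

Because the server recomputes from the received request, changing any covered header (the Content-Length, for instance) or naming a key the server does not hold makes verify return False.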