API Security
Teodor Cotruta
29 June 2016
Author of LDAP Client for Windows, an LDAP 3.0 browser
Programming in Java, OpenGL, C/C++, C#/.NET, VB, SQL, UNIX/Windows (20 years)
Integration, SOA, REST/SOAP, Oracle Fusion, IBM CrossWorlds, Camel, JBoss ESB
Various websites: telecom.co.nz (8.5 years)
[Overview diagram: layered view of API security, from Hardware / Infrastructure and OS, through the API, up to Application and Client/User, with Security applied at each boundary. Topics covered: Authentication, Authorisation, HTTP, TLS, OAuth, WRAP, OpenID Connect, SAML, Federation, Delegation, TOKEN, JSON, JWT, JWS, JWE.]
API = Application Programming Interface
A set of functions, procedures and tools for building software and applications.
Table columns: Platform, Hardware, OS, Protocols, API, Security, Applications, Client
• Web 2.0: Cloud (AWS, Google, MS Azure); Web services, HTTP, HTTPS; Web services, SOA, SOAP, REST; AAA, Federation, Delegation; Web applications, Rich Internet, Integration; Users, Business apps, B2B
• PC, Laptops: Windows; Windows API, .NET, Java; Word, Excel, MS Access, Oracle; Users, Other apps
• PC, Sun stations, IPC V: Unix, Linux; Unix POSIX, Motif, Java; Oracle; Users
• Mobile: Android; Android OS; Android API, Java, C; Google app store, business app; Users, applications, Surveys
• Macintosh, iPhone: El Capitan; Carbon, Cocoa; Apple store; Business apps
Managed and Naked APIs
| Managed API | Naked API |
| Security, documentation, life cycle, intelligence | Can connect easily |
| Manage load, performance, access | Intranet |
Middleware: ESB vs API
[Diagram: Application -> API -> ESB -> SOA web services (WS) holding the BUSINESS LOGIC, compared with Application -> API -> API Proxy / API Gateway -> SOA. Labels in the figure: FAST, SECURE, VISIBLE; SLOW, NOT ACCESSIBLE, PARTIAL LOGIC. Worked lookup in the figure: 1. Name; 2. Account no; 3. Name + Bank account; 4. Teo, 1234543.]
API = Application Programming Interface
[Diagram: the Twitter API compared with the Twitter website.]
What is API Security?
Security means being safe to do something at a certain location, during a specified period, using some tools and information.
API security means protecting the API against unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction, and protecting the applications and the users that use the API.
WHEN TO implement security?
Microsoft SDL (Security Development Lifecycle) model, 2005: https://msdn.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic1_1
Building in security should start together with building the API.
HOW TO implement security?
HTTP Authentication
TLS – Transport Layer Security
Identity delegation
OAuth 1.0
OAuth 2.0
Federation, SAML and JWT (jot)
OpenID Connect
JWToken, JWSignature, JWEncryption
Design Patterns and best practices
HTTP Authentication: Basic vs Digest
| HTTP Basic Authentication | HTTP Digest Authentication |
| Sends credentials in cleartext over the wire | A digest derived from the cleartext password is sent over the wire |
| Should be used in conjunction with some external security system like TLS | Doesn't depend on transport-level security or external security systems |
| Only performs authentication | Can be used to protect the integrity of the message, in addition to authentication |
| User store can store passwords as a salted hash | User store should store passwords in cleartext or should store a hash |
| Basic authentication: Base64Encode(username:password) | Digest authentication: recommended to store hash(username:password:realm) |
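Both schemes side by side, as an added Python example (not from the slides, and not any library's implementation): the client builds a Basic header and a Digest response, and the server verifies each against a user store that holds only a salted PBKDF2 hash for Basic and the RFC 2617 HA1 value for Digest. Note that RFC 2617 defines HA1 as MD5(username:realm:password), which is the order used here. The realm, usernames, passwords and nonces are constructed values; the MD5 steps are what the Digest specification prescribes, not a recommendation for new designs.

```python
import base64
import hashlib
import secrets

# Constructed sample realm and an in-memory user store standing in for a database.
REALM = "api.example"
USER_STORE = {}          # username -> {"salt", "pw_hash", "ha1"}
PBKDF2_ROUNDS = 100_000


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def register(username, password):
    """Store what each scheme needs and nothing more.

    Basic only has to check a password, so a salted slow hash is enough.
    Digest needs HA1 = MD5(username:realm:password) (RFC 2617); storing HA1
    avoids keeping the cleartext password on the server.
    """
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USER_STORE[username] = {"salt": salt, "pw_hash": pw_hash,
                            "ha1": _md5(f"{username}:{REALM}:{password}")}


# --- HTTP Basic ---------------------------------------------------------------

def basic_header(username, password):
    """Client side: Base64Encode(username:password). Base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_credentials_on_the_wire(header):
    """What anyone who can read the request (no TLS) recovers from a Basic header."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def verify_basic(header):
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        username, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    rec = USER_STORE.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, rec["pw_hash"])


# --- HTTP Digest (RFC 2617, no qop) ------------------------------------------

def digest_response(username, password, method, uri, nonce):
    """Client side: response = MD5(HA1:nonce:HA2). The password never leaves the client."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_digest(username, method, uri, nonce, response, issued_nonces):
    """Server side: recompute from the stored HA1 and accept each server nonce once."""
    if nonce not in issued_nonces:
        return False                       # unknown or already used nonce: replay
    rec = USER_STORE.get(username)
    if rec is None:
        return False
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{rec['ha1']}:{nonce}:{ha2}")
    if not secrets.compare_digest(expected, response):
        return False
    issued_nonces.discard(nonce)
    return True


if __name__ == "__main__":
    register("teo", "s3cret")
    hdr = basic_header("teo", "s3cret")
    print(hdr, "->", basic_credentials_on_the_wire(hdr))
    nonces = {secrets.token_hex(16)}
    nonce = next(iter(nonces))
    resp = digest_response("teo", "s3cret", "GET", "/recipe", nonce)
    print("digest accepted:", verify_digest("teo", "GET", "/recipe", nonce, resp, nonces))
    print("replay accepted:", verify_digest("teo", "GET", "/recipe", nonce, resp, nonces))
```

The Basic header decodes straight back to the password, which is why the table pairs it with TLS; the Digest response only proves knowledge of HA1 for one server-issued nonce, and the server discards each nonce after use so a captured response cannot be replayed.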
TLS = Transport Layer Security
One-way TLS: only the server proves its identity to the client; this is mostly used in e-commerce to win consumer confidence by guaranteeing the legitimacy of the e-commerce vendor.
Two-way TLS (mutual authentication) authenticates both the client and the server.
TLS handshake process
• 4 keys and a master secret
• Java key store
• If one key leaks, we can get the master secret and all other 3 keys
• PFS (Perfect Forward Secrecy), enabled by Google in 2011 (Gmail, search, Google+)
• Exchange data
Service to verify TLS sites
Qualys SSL Labs, https://www.ssllabs.com/ssltest/analyze.html: a free online service that performs a deep analysis of the configuration of any SSL web server on the public Internet.
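The one-way versus two-way distinction as it appears in a client configuration, as an added Python example (not from the slides): the server certificate is always verified, a client certificate is presented only when one is supplied, and the cipher policy is restricted to ephemeral ECDH key exchange so that a leaked long-term key cannot unlock recorded sessions, which is the forward-secrecy property mentioned above. The certificate and key file paths are placeholders; with no CA file the system trust store is used.

```python
import ssl


def make_client_context(ca_file=None, client_cert=None, client_key=None):
    """Build a TLS client context.

    One-way TLS: the server must present a certificate that chains to a trusted CA
    and matches the hostname. Two-way (mutual) TLS: additionally load our own
    certificate and key so the server can authenticate us.
    """
    ctx = ssl.create_default_context(cafile=ca_file)   # None -> system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Forward secrecy: only ephemeral ECDH key exchange for TLS 1.2; TLS 1.3
    # suites are always ephemeral and are unaffected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    if client_cert:   # two-way TLS; paths are placeholders supplied by the caller
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def non_forward_secret_ciphers(ctx):
    """Names of negotiable ciphers whose key exchange is not ephemeral.

    ECDHE-*/DHE-* (TLS 1.2) and TLS_* (TLS 1.3) provide forward secrecy; anything
    else (static RSA key transport, for example) does not and should be empty here.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith(("ECDHE", "DHE", "TLS_"))]


def context_summary(ctx):
    """The settings a reviewer would check, as plain values."""
    return {"min_version": ctx.minimum_version.name,
            "verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "non_forward_secret": non_forward_secret_ciphers(ctx)}


if __name__ == "__main__":
    # One-way TLS against the system trust store; pass client_cert/client_key for mutual TLS.
    print(context_summary(make_client_context()))
```

A server-side context follows the same pattern with `ssl.Purpose.CLIENT_AUTH`; there, `verify_mode = CERT_REQUIRED` together with a loaded CA bundle is what turns one-way TLS into mutual authentication.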
Identity Delegation Model
3 roles (actors):
• delegator: owns the resource
• delegate: wants to access the resource
• service provider (resource server): hosts the protected service and validates the delegate
[Diagram, direct delegation: the delegator grants privileges to the print app (the delegate), which imports photos from Flickr (the service provider).]
[Diagram, brokered delegation: the delegator grants the file editor privileges on Google Drive (the resource server); to export files, the file editor gives the print app read privilege on Google Drive, and the print app reads the files.]
Evolution of identity delegation
Up to 2006 (give away your username/password)
• Sites asked for the username/password of your email account to invite your friends, or SlideShare asked for your Google username/password to use your Google Calendar.
After 2006
• Google started using tokens.
History after 2006: Google uses tokens
Google AuthSub: the app doesn't know the username/password.
Similar models were used by
• Flickr Authentication API, before 2006
• Yahoo BBAuth, similar to Flickr
[Diagram, AuthSub flow: the web app requests a token from the Google account (authentication and authorisation); the user sees a login page and grants or denies access (Y/N); Google redirects back to the app with the TOKEN; the app requests access to Google services with the token and receives a response with data.]
History – Delegation models … + federation
< 2006: Google AuthSub, Yahoo BBAuth, Flickr Authentication
• 2007: OAuth 1.0 becomes a standard. Similar to Google, Yahoo and Flickr: request a token, then use the token for data.
• 2009: OAuth 2.0. OAuth 2.0 was developed as an authorization framework rather than a standard protocol; it became RFC 6749.
• 2009: OpenID/OAuth hybrid extension. Integrates OAuth with OpenID: delegation with federation. OpenID is a standard developed by the OpenID Foundation for decentralized single sign-on: http://openid.net/specs/openid-authentication-2_0.html
• OpenID Connect
OAUTH 1.0 = Open Authorization
TOKEN
A unique identifier issued by the server and used by the client to associate authenticated requests
with the resource owner whose authorization is requested or has been obtained by the client.
Tokens have a matching shared-secret that is used by the client to establish its ownership of the
token, and its authority to represent the resource owner.
3 PHASES are defined in OAuth 1.0 handshake
1. Temporary-credential request phase
2. Resource-owner authorization phase
3. Token-credential request phase.
OAuth 1.0 token dance
Simplified 3 steps or phases:
1. Credential request: TOKEN + SECRET
2. Owner authorisation: TOKEN + VERIFIER
3. Access token given: ACCESS TOKEN + SECRET
[Diagram: CONSUMER APP, AUTHORIZATION SERVER and PROTECTED API. The consumer app requests a token and receives a TOKEN (credential phase); the owner authenticates and authorises the token (authorised request token, authorisation phase); the consumer app requests an access token and receives an ACCESS TOKEN (access phase), which it then presents to the protected API.]
OAuth 1.0 = Credential + Authorisation + Access: initial token, verified, new token
• Temporary credential phase: TOKEN + TOKEN SECRET
• Temporary-Credential Request Phase During the temporary-credential request phase, the OAuth client sends
an HTTP POST to the temporary-credential request endpoint hosted in the resource server
• At the end the client has oauth_token and an oauth_token_secret.
• Resource-Owner Authorization Phase: TOKEN + VERIFIER
• During the resource-owner authorization phase, the client must get the oauth_token received in the
previous phase authorized by the user or the resource owner. The client redirects the user to the resource
server with the following HTTP GET request. The oauth_token received in the previous phase is added as a
query parameter. Once the request hits the resource server, the resource server knows the client
corresponding to this token and displays it to the user on its login page.
• The user must authenticate first and then authorize the token.
• To initiate the resource-owner authorization phase, the client must have access to the oauth_token and the
oauth_token_secret. At the end of this phase, the client has a new oauth_token and an oauth_verifier
• Token-Credential Request Phase: NEW TOKEN (ACCESS) AND TOKEN SECRET
• During the token-credential request phase, the client makes a direct HTTP POST or a GET request to the
access-token endpoint hosted at the authorization server
• To initiate the token-credential request phase, the client must have access to the oauth_token from the first
phase and the oauth_verifier from the second phase. At the end of this phase, the client will have a new
oauth_token and a new oauth_token_secret.
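The three phases above as an added Python example (not the slides' code and not any OAuth library): a minimal model of the OAuth 1.0 client and authorization server, with the RFC 5849 HMAC-SHA1 signature computed on the client and recomputed on the server. The signature base string is method & URL & normalized parameters, and the key is consumer secret & token secret, so the secrets themselves never travel; only the temporary token, verifier and access token cross the wire. Endpoint URLs, consumer key and secret, nonces and the timestamp are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def pct(value):
    """RFC 5849 percent-encoding: only RFC 3986 unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded(sorted key=value pairs joined with &)."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key = consumer secret & token secret; the secrets are used, never sent."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class AuthorizationServer:
    def __init__(self, consumers):
        self.consumers = consumers   # consumer key -> consumer secret (registered clients)
        self.temporary = {}          # oauth_token -> temporary credential record
        self.access = {}             # access token -> {"consumer", "secret"}

    def _verify_signature(self, method, url, params, token_secret=""):
        unsigned = dict(params)
        presented = unsigned.pop("oauth_signature", "")
        secret = self.consumers.get(unsigned.get("oauth_consumer_key"))
        if secret is None:
            raise PermissionError("unknown consumer")
        expected = hmac_sha1_signature(method, url, unsigned, secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            raise PermissionError("bad signature")

    def temporary_credentials(self, method, url, params):
        """Phase 1: signed with the consumer secret only; returns TOKEN + SECRET."""
        self._verify_signature(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.temporary[token] = {"consumer": params["oauth_consumer_key"], "secret": secret,
                                 "callback": params["oauth_callback"], "verifier": None}
        return token, secret

    def authorize(self, oauth_token):
        """Phase 2: the resource owner has logged in and approved this token; mint a VERIFIER."""
        record = self.temporary[oauth_token]
        record["verifier"] = secrets.token_hex(4)
        return record["callback"], record["verifier"]

    def token_credentials(self, method, url, params):
        """Phase 3: signed with consumer secret + temporary secret; returns ACCESS TOKEN + SECRET."""
        record = self.temporary.get(params.get("oauth_token"))
        if record is None or record["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("unknown temporary token")
        self._verify_signature(method, url, params, record["secret"])
        if record["verifier"] is None or not hmac.compare_digest(
                record["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("token not authorized or bad verifier")
        del self.temporary[params["oauth_token"]]    # temporary credentials are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access[token] = {"consumer": record["consumer"], "secret": secret}
        return token, secret


INITIATE_URL = "https://server.example/oauth/initiate"   # constructed endpoints
TOKEN_URL = "https://server.example/oauth/token"


def run_token_dance(server, consumer_key, consumer_secret):
    """The client side of all three phases; returns the access token and its secret."""
    common = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1467158400", "oauth_version": "1.0"}   # constructed timestamp
    # Phase 1: temporary credentials
    p1 = {**common, "oauth_nonce": secrets.token_hex(8), "oauth_callback": "https://client.example/cb"}
    p1["oauth_signature"] = hmac_sha1_signature("POST", INITIATE_URL, p1, consumer_secret)
    tmp_token, tmp_secret = server.temporary_credentials("POST", INITIATE_URL, p1)
    # Phase 2: the owner is redirected to the server with oauth_token and approves it
    _callback, verifier = server.authorize(tmp_token)
    # Phase 3: swap the authorized temporary token + verifier for token credentials
    p3 = {**common, "oauth_nonce": secrets.token_hex(8), "oauth_token": tmp_token, "oauth_verifier": verifier}
    p3["oauth_signature"] = hmac_sha1_signature("POST", TOKEN_URL, p3, consumer_secret, tmp_secret)
    return server.token_credentials("POST", TOKEN_URL, p3)
```

A client with the wrong consumer secret fails at phase 1, because its signature does not verify; a temporary token is deleted the moment it is exchanged, so it cannot be presented twice.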
OAuth 2.0: Facebook, Google, LinkedIn, Microsoft (MSN, Live), PayPal, Instagram
OAuth 1.0: Twitter
WRAP uses the notion of profiles
Client profiles:
• The Client Account and Password Profile
• The Assertion Profile
User delegation profiles:
• Username and Password Profile: installed trusted apps. The app gets the username/password, gets a token and stores the token for later use.
• Web App Profile: verification code, then access token
• Rich App Profile: installed app or mixed, mostly mobile
Accessing a WRAP-protected API:
curl -H "Authorization: WRAP access_token=cac93e1d29e45bf6d84073dbfb460" http://localhost:8080/recipe
OAuth 2.0
OAuth 2.0 adds two major extension points:
• Grant types
  • Authorization code
  • Implicit
  • Resource owner password credential
  • Client credential
• Token types
A grant type defines how a client can obtain an authorization grant from a resource owner to access a resource on their behalf. The grant types in OAuth 2.0 are very similar to the OAuth profiles in WRAP.
Sample token response:
{ "access_token":"ya29.1.AADtN_WY1SHPAYomlwrc", "token_type":"Bearer", "expires_in":3600, "id_token":"" }
OAuth 1.0 vs. OAuth 2.0
| OAuth 1.0 | OAuth 2.0 Bearer Token Profile |
| An access-delegation protocol | An authorization framework for access delegation |
| Signature based: HMAC-SHA256/RSA-SHA256 | Non-signature-based, Bearer Token Profile |
| Less extensibility | Highly extensible via grant types and token types |
| Less developer friendly | More developer friendly |
| TLS required only during the initial handshake | Bearer Token Profile mandates using TLS during the entire flow |
| Secret key never passed on the wire | Secret key goes on the wire (Bearer Token Profile) |
OAUTH 2 Profiles
Built on top of OAUTH 2.0 grant types and token types
• Token Introspection Profile
• Chain Grant Type Profile
• Dynamic Client Registration Profile
• Token Revocation Profile
EXAMPLES
Salesforce token revocation
• curl https://login.salesforce.com/services/oauth2/revoke?token='00D90000000…Teo4RMT'
• anyone can revoke a token
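The authorization-code grant, the Bearer Token Profile and two of the profiles listed above (introspection and revocation) in one small Python model, added here as an example; it is not the slides' code and not Salesforce's or any provider's implementation. The authorization server issues a short-lived, single-use code bound to an exactly matching registered redirect_uri, exchanges it for the same shape of token response shown earlier, answers introspection, and revokes a token only for the authenticated client it was issued to (the RFC 7009 behaviour, which contrasts with the revoke-anything endpoint noted above). The resource server accepts `Authorization: Bearer <token>`. Client ids, secrets, URLs and the injectable clock are constructed.

```python
import secrets
import time


class AuthorizationServer:
    CODE_TTL = 60       # seconds; authorization codes are short-lived and single use
    TOKEN_TTL = 3600    # the expires_in value from the sample token response above

    def __init__(self, clients, now=time.time):
        self.clients = clients   # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}          # code -> {"client_id", "redirect_uri", "user", "exp"}
        self.tokens = {}         # access_token -> {"client_id", "user", "exp"}
        self.now = now           # injectable clock so expiry can be exercised offline

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        return client

    def authorize(self, client_id, redirect_uri, user):
        """Front channel, after the resource owner has logged in and consented: issue a
        code bound to this client and to an exactly matching registered redirect_uri."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "exp": self.now() + self.CODE_TTL}
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client authenticates and swaps the one-time code for a bearer token."""
        self._authenticate_client(client_id, client_secret)
        record = self.codes.pop(code, None)          # consumed whether or not the rest succeeds
        if record is None or record["exp"] < self.now():
            raise PermissionError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user": record["user"],
                                     "exp": self.now() + self.TOKEN_TTL}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": self.TOKEN_TTL}

    def introspect(self, access_token):
        """Token Introspection: the resource server asks whether a bearer token is still good."""
        record = self.tokens.get(access_token)
        if record is None or record["exp"] < self.now():
            return {"active": False}
        return {"active": True, "client_id": record["client_id"], "sub": record["user"]}

    def revoke(self, client_id, client_secret, access_token):
        """Token Revocation (RFC 7009): only the authenticated client that was issued the
        token may revoke it; unknown or foreign tokens are ignored, never confirmed."""
        self._authenticate_client(client_id, client_secret)
        record = self.tokens.get(access_token)
        if record is not None and record["client_id"] == client_id:
            del self.tokens[access_token]


class ResourceServer:
    def __init__(self, authorization_server):
        self.authorization_server = authorization_server

    def handle(self, authorization_header):
        """Bearer Token Profile: whoever holds the token is the caller, which is why the
        token must travel over TLS and be checked on every request."""
        scheme, _, token = (authorization_header or "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "missing bearer token"
        info = self.authorization_server.introspect(token)
        if not info["active"]:
            return 401, "invalid_token"
        return 200, f"recipes for {info['sub']}"


if __name__ == "__main__":
    # Constructed client registration: secret and the single allowed redirect URI.
    auth = AuthorizationServer({"app": {"secret": "app-secret", "redirect_uris": {"https://app.example/cb"}}})
    api = ResourceServer(auth)
    code = auth.authorize("app", "https://app.example/cb", "teo")
    issued = auth.token("app", "app-secret", code, "https://app.example/cb")
    print(issued)
    print(api.handle("Bearer " + issued["access_token"]))
```

The exact-match check on redirect_uri is what keeps the code from being delivered anywhere other than the registered client, and consuming the code before validating the rest means a code can never be tried twice, which are the two controls most often missing from home-grown OAuth servers.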
Federation (Single Sign On, …)
Federation, in the context of API security, is about propagating user identities across
• distinct identity-management systems or
• distinct enterprises.
Brokered Authentication
• With brokered authentication, at the time of authentication, the authorization server trusts a broker from the given domain.
• Each external party should have a trust broker whose responsibility is to authenticate its own users.
It follows OAuth principles, so there are four entities in a federation scenario:
• Resource owner
• Resource server
• Authorization server
• Client application
Brokered authentication with an OAuth client app
[Diagram: the Yahoo Xtra web mail client (client ID) wants to read the owner's email from the email API (server). The owner is redirected to the OAuth authorisation server; the owner's trust broker (UK) authenticates the owner and returns a signed assertion; the client presents client ID + signed assertion, receives an authorization code and then an ACCESS TOKEN, and calls Get email on the Yahoo website (server).]
1. OWNER request
2. Redirect, authorization code
3. Authenticate, assertion
4. Authorise, access token; Get Email
SAML (XML), JWT (JSON)
SAML: Security Assertion Markup Language
Standard for exchanging authentication, authorization and identity-related data between interested parties in an XML-based data format.
Components: Assertions, Protocol (SAML Request/Response), Bindings, Profiles. The Web Single Sign-on profile defines a standard way to establish SSO between different service providers via SAML.
JSON Web Token (JWT) is a well-structured JSON message.
Both address the same use cases.
OpenID Connect = OpenID + OAuth 2.0
• Identity layer built on top of OAuth 2.0
• OpenID Connect became a standard on February 26, 2014.
• Lightweight framework for identity interactions using REST
• OpenID extension for OAuth 1.0: OpenID + OAuth 1.0 = authentication + delegated authorisation
• OpenID Connect: the ID token is the primary add-on to OAuth 2.0 to support OpenID Connect
OpenID protocol flow
[Diagram: relying party, OpenID (the user's identifier) and OpenID provider.]
OpenID protocol scenario
1. Enter the OpenID on the relying party site
2. Discover the OpenID provider, if not known
3. Establish a shared secret key between the RP and the OP
4. User redirected to the OpenID provider
5. User has to authenticate
6. Relying party receives a response
7. Relying party checks the response signature, which should be made with the shared secret key; the exchanges between the relying party and the provider include the authentication of the user at the provider
OpenID Connect
[Diagram: the relying party sends the user identifier to the OpenID provider and receives an ID token.]
JWT, JWS, JWE
JSON Web Token
• JSON Web Token (JWT) defines a container to transport data between interested parties in JSON.
• The OpenID Connect specification uses a JWT to represent the ID token.
• The Google API is one example.
JSON Web Signature
• The JSON Web Signature (JWS) specification, developed under the IETF JOSE working group, defines how JSON messages can be digitally signed or MACed.
JSON Web Encryption
• The JSON Web Encryption (JWE) specification defines how JSON messages can be encrypted.
• It introduces two new attributes (enc and zip) to be included in the JWE header of an encrypted JSON payload.
First signed, then encrypted.
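A JWS-signed ID token end to end, as an added Python example (not from the slides, and not the OpenID Foundation's or any JOSE library's code): the provider side mints an HS256 JWT with the OpenID Connect claims (iss, sub, aud, nonce, iat, exp), and the relying-party side verifies the MAC first, with the algorithm fixed by the verifier rather than read from the token, and then checks issuer, audience, expiry and nonce. The JWE layer ("first signed, then encrypted") needs an AEAD cipher from a crypto library and is not shown. Key, issuer URL, client id, subject, nonce and clock are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """JWS compact serialization: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def mint_id_token(key, issuer, client_id, subject, nonce, now, ttl=300):
    """What the OpenID Provider issues at the end of the login (constructed claim values)."""
    claims = {"iss": issuer, "sub": subject, "aud": client_id, "nonce": nonce,
              "iat": int(now), "exp": int(now) + ttl}
    return sign_hs256(claims, key)


def verify_id_token(token, key, issuer, client_id, nonce, now):
    """Relying-party checks: signature first, then the OpenID Connect ID-token claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier decides which algorithm and key apply; the token header does not.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:        # ties the token to this login request
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    key = b"constructed-shared-secret-between-op-and-rp"
    now = int(time.time())
    token = mint_id_token(key, "https://op.example", "client-1", "teo", "n-1", now)
    print(token)
    print(verify_id_token(token, key, "https://op.example", "client-1", "n-1", now + 5))
```

Every check is a separate rejection, so a log line from the relying party says which one failed; in practice the shared HMAC key is replaced by the provider's published RS256/ES256 public key, but the order of checks (signature, then iss, aud, exp, nonce) stays the same.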
Patterns and practices
Direct Authentication with the Trusted Subsystem Pattern
[Diagram: WEB APP -> API, with the user store available in LDAP.]
Federation / Single Sign-on Pattern
Token dance, OAuth 1.0
Risks and vulnerabilities: OWASP
Open Web Application Security Project (OWASP)
There are scanners for
• Injection
• Broken Authentication and Session Management
• Cross Site Scripting
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
Case studies with examples
| Sample | Method in time | What has been used | Pro | Cons |
| Large website in NZ | Start with requirements | Security available off the shelf: Siteminder, Sun IDA | Availability of a known product; documentation; team skills OK; training available | Hard to maintain (special team); high coupling between code and security, impossible to change in the future |
| Desktop software distribution | After the fact | Custom-made license model | Protects revenue | Inflexible; difficult to move from one machine to another |
| Desktop software distribution | Off-the-shelf product | License model | Protects revenue; easy to use | Known issues, vulnerable to attacks |
| Web applications | In house, during development | OAuth 1.0 | Can change at will | Doesn't cover all scenarios, requires patches |
| Web applications | Third-party products | | | Hard to implement; no experience |
| Industry standards | In-house build | None | | Hard to implement; no experience |
CONCLUSION: API Security
The meaning of API has changed in the past decade: it now means apps that are used on the Internet. This is achieved through SOA, especially REST and JSON.
Security evolved through a number of models, the most important being:
• OpenID Connect
• JWToken, JWSignature, JWEncryption
• Federation, SAML and JWT (jot)
• Identity delegation
• OAuth 2.0, roughly on a par with OAuth 1.0
• TLS – Transport Layer Security
• HTTP Authentication
Bibliography
1. Advanced API Security, Prabath Siriwardena, Apress, 2014
2. OpenID Connect: http://openid.net/connect/
3. Securing the API Stronghold, Travis Spencer et al., nordicapis.com, 2015, http://nordicapis.com/wp-content/uploads/securing-the-api-stronghold.pdf
4. How to Control User Identity within Microservices: http://nordicapis.com/how-to-control-user-identity-within-microservices/
5. REST Security Cheat Sheet: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
6. State of API Security: https://www.soapui.org/testing-dojo/world-of-api-testing/state-of-api-security.html
QUESTIONS
THANK YOU

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 

Api security

  • 1. API Security
    Teodor Cotruta, 29 June 2016
    Author of LDAP Client for Windows, LDAP 3.0 browser
    Programming in Java, OpenGL, C/C++, C#/.NET, VB, SQL, UNIX/Windows (20 years)
    Integration, SOA, REST/SOAP, Oracle Fusion, IBM CrossWorlds, Camel, JBoss ESB
    Various websites: telecom.co.nz (8.5 years)
  • 2. (Layered diagram: Hardware / Infrastructure, OS, APIs, Client/User Application, with Security around the User: Authentication and Authorisation. Technologies listed: HTTP, TLS, OAuth, WRAP, OpenID Connect, SAML, Federation, Delegation, TOKEN, JSON, JWT, JWS, JWE.)
  • 3. API = Application Programming Interface
    A set of functions, procedures and tools for building software and applications.
    Table columns: Platform, Hardware, OS, Protocols, API, Security, Applications, Client
    • WEB 2.0: Cloud (AWS, Google, MS Azure); Web services, HTTP, HTTPS; Web services SOA, SOAP, REST; AAA, Federation, Delegation; Web applications, Rich Internet, Integration; Users, Business apps, B2B
    • PC, Laptops: Windows; Windows API, .NET, Java; Word, Excel, MS Access, Oracle; Users, Other apps
    • PC, Sun stations, IPC V: Unix, Linux; Unix POSIX, Motif, Java; Oracle; Users
    • Mobile: Android; Android OS; Android API, Java, C; Google app store, business app; Users, applications, Surveys
    • Macintosh: El Capitan; Carbon, Cocoa
    • iPhone: Apple store; Business apps
  • 4. Managed and Naked APIs
    Managed API: security, documentation, life cycle, intelligence; manage load, performance, access
    Naked API: can connect easily; intranet
  • 5. Middleware ESB vs API
    (Diagram: an application calling an ESB in front of SOA web services, versus an application calling an API proxy / API gateway in front of the same SOA web services. ESB path: SLOW, NOT ACCESSIBLE, PARTIAL LOGIC. API gateway path: FAST, SECURE, VISIBLE, BUSINESS LOGIC. Walk-through: 1. Name, 2. Account no, 3. Name + Bank account, 4. Teo, 1234543.)
  • 6. API = Application Programming Interface
    (Diagram: Twitter API and Twitter Website.)
  • 7. What is API Security?
    Security means being safe to do something at a certain location, during a specified period, using some tools and information.
    API Security means protecting the API against unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction, and protecting the applications and the users that use the API.
  • 8. WHEN TO implement security?
    Microsoft SDL (Security Development Lifecycle) model, 2005: https://msdn.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic1_1
    Security build should start along with API build.
  • 9. HOW TO implement security?
    • HTTP Authentication
    • TLS – Transport Layer Security
    • Identity delegation: OAuth 1.0, OAuth 2.0
    • Federation, SAML and JWT (jot)
    • OpenID Connect
    • JWToken, JWSignature, JWEncryption
    • Design patterns and best practices
  • 10. HTTP Authentication
    HTTP Basic Authentication vs. HTTP Digest Authentication
    • Basic sends credentials in cleartext over the wire. Digest sends a digest derived from the cleartext password over the wire.
    • Basic should be used in conjunction with some external security system such as TLS. Digest doesn't depend on transport-level security or external security systems.
    • Basic only performs authentication. Digest can also be used to protect the integrity of the message, in addition to authentication.
    • With Basic the user store can store passwords as a salted hash. With Digest the user store should store passwords in cleartext or should store a hash.
    • Basic authentication: Base64Encode(username:password). Digest authentication: recommended to store hash(username:password:realm).
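As an added example (not from the deck), the two schemes on this slide worked through in Python: what Basic and Digest actually put in the Authorization header and what the server's user store must hold for each. Basic follows RFC 7617; Digest uses the RFC 2617 MD5 construction, where the stored value is HA1 = MD5(username:realm:password); the username, password, realm, nonce and URI are constructed values.

```python
# Added example, not from the slides: what each HTTP authentication scheme puts on the
# wire and what the server must store. Basic follows RFC 7617; Digest uses the MD5
# construction of RFC 2617, where HA1 = MD5(username:realm:password) is all the
# server's user store needs. Username, password, realm, nonce and URI are constructed.
import base64
import hashlib
import secrets


def basic_authorization_header(username: str, password: str) -> str:
    """Basic: Base64Encode(username:password). Base64 is encoding, not protection."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> tuple:
    """Anyone who can read the header (no TLS) recovers the cleartext password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the value the server stores instead of the
    password. It must be protected like a password, since it answers challenges for this realm."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Client proof: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri). The password itself
    never leaves the client; nonce and URI bind the proof to this challenge and resource."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                         response: str) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    user, password, realm = "teo", "s3cret", "api.example.test"   # constructed
    header = basic_authorization_header(user, password)
    print(header, "->", decode_basic(header))                     # password recovered

    nonce = secrets.token_hex(16)              # fresh server challenge per request
    ha1 = digest_ha1(user, realm, password)    # what the user store holds
    proof = digest_response(ha1, "GET", "/recipe", nonce)
    print("valid:", server_verify_digest(ha1, "GET", "/recipe", nonce, proof))
    # Replaying the proof against another nonce or resource fails:
    print("replayed:", server_verify_digest(ha1, "GET", "/recipe", secrets.token_hex(16), proof))
```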
  • 11. TLS = Transport Layer Security
    • One-way TLS: only the server proves its identity to the client; mostly used in e-commerce to win consumer confidence by guaranteeing the legitimacy of the e-commerce vendor.
    • Two-way TLS (mutual authentication): authenticates both the client and the server.
    TLS handshake process
    • 4 keys and a master secret
    • Java key store
    • If one key leaks, we can get the master secret and all other 3 keys
    • PFS (Perfect Forward Secrecy), enabled by Google in 2011 (Gmail, Search, Google+)
    • Exchange data
  • 12. Service to verify TLS sites
    Qualys SSL Labs, https://www.ssllabs.com/ssltest/analyze.html: a free online service that performs a deep analysis of the configuration of any SSL web server on the public Internet.
  • 13. Identity Delegation Model
    3 roles (actors):
    • delegator: owns the resource
    • delegate: wants to access the resource
    • service provider (resource server): hosts the protected service, validates the delegate
    Direct delegation (diagram): the delegator grants privileges to a print app (delegate), which imports photos from Flickr (service provider).
    Brokered delegation (diagram): the delegator grants privileges to a file editor, which exports files to Google Drive (resource server) and gives the print app read privilege on Google Drive; the print app reads the files.
  • 14. Evolution of identity delegation
    Up to 2006 (give away username/password)
    • Sites were asking for the username/password of your email account to invite your friends, or SlideShare asked for your Google username/password to use your Google calendar.
    After 2006
    • Google started using tokens
  • 15. History after 2006: Google uses tokens
    Google AuthSub: the app doesn't know the username/password.
    Similar models were used by
    • Flickr Authentication API, before 2006
    • Yahoo BBAuth, similar to Flickr
    (Diagram: web app, Google account (authentication, authorisation), user, Google services. Flow: request token; login page; access Y/N; redirect to app with TOKEN; request access with token; response with data.)
  • 16. History – Delegation models … + federation
    < 2006: Google AuthSub, Yahoo BBAuth, Flickr Authentication
    • 2007: OAuth 1.0 becomes a standard. Similar to Google, Yahoo and Flickr: request a token, use the token for data.
    • 2009: OAuth 2.0. As a result, OAuth 2.0 was developed as an authorization framework rather than a standard protocol. OAuth 2.0 became RFC 6749.
    • 2009: OpenID/OAuth hybrid extension. Integrates OAuth with OpenID, delegation with federation. OpenID is a standard developed by the OpenID Foundation for decentralized single sign-on: http://openid.net/specs/openid-authentication-2_0.html
    • OpenID Connect
  • 17. OAuth 1.0 = Open Authorization
    TOKEN: a unique identifier issued by the server and used by the client to associate authenticated requests with the resource owner whose authorization is requested or has been obtained by the client. Tokens have a matching shared secret that is used by the client to establish its ownership of the token, and its authority to represent the resource owner.
    3 PHASES are defined in the OAuth 1.0 handshake:
    1. Temporary-credential request phase
    2. Resource-owner authorization phase
    3. Token-credential request phase
  • 18. OAuth 1.0 token dance
    Simplified 3 steps or phases:
    1. Credential request: TOKEN + SECRET
    2. Owner authorisation: TOKEN + VERIFIER
    3. Access token given: ACCESS TOKEN + SECRET
    (Diagram: consumer app, authorization server, protected API. The consumer app requests a token; the owner authenticates and authorises the token; the consumer app exchanges the authorised request token for an access token and uses the access token against the protected API. Phases: 1. TOKEN + SECRET, credential; 2. TOKEN + VERIFIER, authorisation; 3. ACCESS TOKEN + SECRET, access.)
  • 19. OAuth 1.0 = Credential + Authorisation + Access (initial token, verified, new token)
    Temporary-credential request phase: TOKEN + TOKEN SECRET
    • During the temporary-credential request phase, the OAuth client sends an HTTP POST to the temporary-credential request endpoint hosted in the resource server.
    • At the end the client has an oauth_token and an oauth_token_secret.
    Resource-owner authorization phase: TOKEN + VERIFIER
    • During the resource-owner authorization phase, the client must get the oauth_token received in the previous phase authorized by the user or the resource owner. The client redirects the user to the resource server with an HTTP GET request; the oauth_token received in the previous phase is added as a query parameter. Once the request hits the resource server, the resource server knows the client corresponding to this token and displays it to the user on its login page.
    • The user must authenticate first and then authorize the token.
    • To initiate the resource-owner authorization phase, the client must have access to the oauth_token and the oauth_token_secret. At the end of this phase, the client has a new oauth_token and an oauth_verifier.
    Token-credential request phase: NEW TOKEN (ACCESS) AND TOKEN SECRET
    • During the token-credential request phase, the client makes a direct HTTP POST or GET request to the access-token endpoint hosted at the authorization server.
    • To initiate the token-credential request phase, the client must have access to the oauth_token from the first phase and the oauth_verifier from the second phase. At the end of this phase, the client will have a new oauth_token and a new oauth_token_secret.
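As an added example (not from the deck or from any OAuth library), the signing step that makes these three phases work: the client proves it holds the oauth_token_secret without ever sending it, by signing the request per RFC 5849 with HMAC-SHA1, and the server recomputes the signature from the secrets it issued. Consumer key, tokens, secrets and the URL are constructed values, and the request URL is assumed to carry no query string (query parameters go in `params`).

```python
# Added example, not from the slides: how an OAuth 1.0 client proves it holds the token
# secret without sending it (RFC 5849, HMAC-SHA1). The client signs the request; the
# server recomputes the signature from the secrets stored when the tokens were issued.
# Consumer key, tokens, secrets and URL are constructed; the URL carries no query string.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Section 3.4.1: METHOD & encoded base URL & encoded normalized parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Encode every name and value, sort by name then value, join as name=value&...
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(base_url)}&{pct(normalized)}"


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Section 3.4.2: key = encoded consumer secret & encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 extra=None, nonce=None, timestamp=None) -> dict:
    """Client side: the protocol parameters to send; both secrets stay on the client."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params.update(extra or {})
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return params


def verify_request(method, url, params, consumer_secrets: dict, token_secrets: dict) -> bool:
    """Server side: look up the secrets issued in phases 1 and 3, recompute, and compare
    in constant time. Any change to method, URL or a parameter breaks the signature."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    consumer_secret = consumer_secrets.get(unsigned.get("oauth_consumer_key"))
    token_secret = token_secrets.get(unsigned.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


# Constructed server-side store: what the authorization server issued earlier
CONSUMER_SECRETS = {"print-app-key": "print-app-secret"}
TOKEN_SECRETS = {"access-token-1234": "access-token-secret-1234"}
API_URL = "https://api.example.test/photos"

if __name__ == "__main__":
    req = sign_request("GET", API_URL, "print-app-key", "print-app-secret",
                       "access-token-1234", "access-token-secret-1234", {"album": "holiday"})
    print("valid:", verify_request("GET", API_URL, req, CONSUMER_SECRETS, TOKEN_SECRETS))
    print("tampered:", verify_request("GET", API_URL, dict(req, album="all"), CONSUMER_SECRETS, TOKEN_SECRETS))
```

A real server additionally records the oauth_nonce and oauth_timestamp of each accepted request and rejects repeats, which this block leaves out.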
  • 20. OAuth 2.0 and WRAP
    OAuth 2.0: Facebook, Google, LinkedIn, Microsoft (MSN, Live), PayPal, Instagram
    OAuth 1.0: Twitter
    WRAP uses the notion of profiles.
    Client profiles:
    • The Client Account and Password Profile
    • The Assertion Profile
    User delegation profiles:
    • Username and Password Profile: installed trusted apps; the app gets the username/password, gets a token, and stores the token for later use
    • Web App Profile: verification code, then access token
    • Rich App Profile: installed app or mixed, mostly mobile
    Accessing a WRAP-protected API:
    curl -H "Authorization: WRAP access_token=cac93e1d29e45bf6d84073dbfb460" http://localhost:8080/recipe
  • 21. OAuth 2.0
    OAuth 2.0 adds two major extension points:
    • Grant types: authorization code, implicit, resource owner password credential, client credential
    • Token types
    A grant type defines how a client can obtain an authorization grant from a resource owner to access a resource on their behalf. The grant types in OAuth 2.0 are very similar to the OAuth profiles in WRAP.
    Example token response:
    { "access_token":"ya29.1.AADtN_WY1SHPAYomlwrc", "token_type":"Bearer", "expires_in":3600, "id_token":"" }
  • 22. OAuth 1.0 vs. OAuth 2.0 (Bearer Token Profile)
    • OAuth 1.0 is an access-delegation protocol; OAuth 2.0 is an authorization framework for access delegation.
    • OAuth 1.0 is signature based (HMAC-SHA256/RSA-SHA256); the OAuth 2.0 Bearer Token Profile is non-signature-based.
    • OAuth 1.0 has less extensibility; OAuth 2.0 is highly extensible via grant types and token types.
    • OAuth 1.0 is less developer friendly; OAuth 2.0 is more developer friendly.
    • OAuth 1.0 requires TLS only during the initial handshake; the Bearer Token Profile mandates using TLS during the entire flow.
    • In OAuth 1.0 the secret key is never passed on the wire; with the Bearer Token Profile the secret key goes on the wire.
  • 23. OAuth 2.0 profiles
    Built on top of OAuth 2.0 grant types and token types:
    • Token Introspection Profile
    • Chain Grant Type Profile
    • Dynamic Client Registration Profile
    • Token Revocation Profile
    Example: Salesforce token revocation
    • curl https://login.salesforce.com/services/oauth2/revoke?token='00D90000000…Teo4RMT'
    • anyone can revoke a token
  • 24. Federation (Single Sign On, …)
    Federation, in the context of API security, is about propagating user identities across
    • distinct identity-management systems, or
    • distinct enterprises.
    Brokered authentication
    • With brokered authentication, at the time of authentication, the authorization server can trust a broker from the given domain.
    • Each external party should have a trust broker whose responsibility is to authenticate its own users.
    It uses OAuth principles, which means four entities in a federation scenario:
    • Resource owner
    • Resource server
    • Authorization server
    • Client application
  • 25. Brokered authentication
    (Diagram: OAuth client app (Yahoo Xtra web mail, with a client ID), OAuth authorisation server, trust broker (UK), owner, email API (server), Yahoo website (server). The client presents client ID + signed assertion and receives an access token.)
    1. OWNER request
    2. Redirect, auth code
    3. Authenticate, assertion
    4. Authorise, access token
    Get email
  • 26. SAML (XML), JWT (JSON)
    SAML: Security Assertion Markup Language. A standard for exchanging authentication, authorization, and identity-related data between interested parties in an XML-based data format. Assertions, protocol (SAML Request/Response), bindings, profiles: the Web Single Sign-on profile defines a standard way to establish SSO between different service providers via SAML.
    JSON Web Token (JWT) is a well-structured JSON message. Both profiles address the same use cases.
  • 27. OpenID Connect = OpenID + OAuth 2.0
    • Identity layer built on top of OAuth 2.0
    • OpenID Connect became a standard on February 26, 2014
    • Lightweight framework for identity interactions using REST
    • OpenID extension for OAuth 1.0: OpenID + OAuth 1.0 = authentication + delegated authorisation
    • OpenID Connect: the ID token is the primary add-on to OAuth 2.0 to support OpenID Connect
  • 28. OpenID protocol flow
    (Diagram: relying party, OpenID provider; exchanges between the relying party and the provider, including authentication of the user on the provider.)
    OpenID protocol scenario:
    1. Enter the OpenID on the relying party site
    2. Discover the OpenID provider, if not known
    3. Shared secret key between the RP and the OP
    4. User redirected to the OpenID provider
    5. User has to authenticate
    6. Relying party receives a response
    7. Relying party checks the response signature, which should be signed with the secret key
  • 29. OpenID Connect
    (Diagram: relying party, OpenID provider; user identifier and ID Token.)
  • 30. JWT, JWS, JWE
    JSON Web Token
    • JSON Web Token (JWT) defines a container to transport data between interested parties in JSON.
    • The OpenID Connect specification uses a JWT to represent the ID token.
    • Google API is one example.
    JSON Web Signature
    • The JSON Web Signature (JWS) specification, developed under the IETF JOSE working group, defines how JSON messages can be digitally signed or MACed.
    JSON Web Encryption
    • The JSON Web Encryption (JWE) specification defines how JSON messages can be encrypted.
    • It introduces two new attributes (enc and zip) to be included in the JWE header of an encrypted JSON payload.
    First signed, then encrypted.
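As an added example (not from the deck), a compact-serialization JWS MACed with HS256 and carrying ID-token style claims, together with the checks a relying party should run before accepting it: pinned algorithm, valid MAC, issuer, audience and expiry. Key, issuer, audience and claim values are constructed; JWE is not shown, and a production relying party would use a vetted library and the provider's published keys.

```python
# Added example, not from the slides: a minimal JWS (compact serialization, HS256)
# carrying OpenID Connect ID-token style claims, and the checks a relying party must
# run before trusting it: pinned alg, valid MAC, issuer, audience, expiry. Key, issuer,
# audience and claims are constructed values; JWE (encryption) is not shown.
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact serialization: base64url(header).base64url(payload).base64url(MAC)."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def jws_verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                     now: int = None) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token's own header must never choose how it is verified
    # (this rejects alg "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def verification_error(token: str, key: bytes, issuer: str, audience: str, now: int = None):
    # The reason a token is rejected, or None if it is accepted
    try:
        jws_verify_hs256(token, key, issuer, audience, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    KEY = b"constructed-shared-key"            # HS256 key shared by OP and RP
    ISSUER, AUDIENCE = "https://op.example.test", "print-app"
    id_token = jws_sign_hs256({"iss": ISSUER, "sub": "teo", "aud": AUDIENCE,
                               "iat": 1467158400, "exp": 1467162000}, KEY)
    print("accepted:", verification_error(id_token, KEY, ISSUER, AUDIENCE, now=1467160000))
    print("expired:", verification_error(id_token, KEY, ISSUER, AUDIENCE, now=1467162000))
    h, p, _ = id_token.split(".")              # same payload re-labelled as unsigned
    none_token = b64url_encode(b'{"alg":"none"}') + "." + p + "."
    print("alg none:", verification_error(none_token, KEY, ISSUER, AUDIENCE, 1467160000))
```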
  • 31. Patterns and practices
    • Direct Authentication with the Trusted Subsystem Pattern: web app, API available, LDAP
    • Federation: Single Sign-on Pattern
    • Token dance, OAuth 1.0
  • 32. Risks and vulnerabilities
    OWASP (Open Web Application Security Project). There are scanners for:
    • Injection
    • Broken Authentication and Session Management
    • Cross Site Scripting
    • Insecure Direct Object References
    • Security Misconfiguration
    • Sensitive Data Exposure
    • Missing Function Level Access Control
    • Cross Site Request Forgery
    • Using Components with Known Vulnerabilities
    • Unvalidated Redirects and Forwards
    http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  • 33.
  • 34. Case studies with examples
    Columns: Sample, Methods in time, What has been used, Pro, Cons
    • Large website in NZ. Method: start with requirements. Used: security available off the shelf (SiteMinder, Sun IDA). Pro: availability of a known product, documentation, team skills ok, training available. Cons: hard to maintain (special team); high coupling between code and security, impossible to change in the future.
    • Desktop software distribution. Method: after the fact. Used: custom made license model. Pro: protects revenue. Cons: inflexible; difficult to move from one machine to another.
    • Desktop software distribution. Method: off the shelf product. Used: license model. Pro: protects revenue, easy to use. Cons: known issues, vulnerable to attacks.
    • Web applications. Method: in house during development. Used: OAuth 1.0. Pro: can change at will. Cons: doesn't cover all scenarios, requires patches.
    • Web applications. Method: third party products. Cons: hard to implement, no experience.
    • Industry standards. Method: in house build. Used: none. Cons: hard to implement, no experience.
  • 35. CONCLUSION: API Security
    The meaning of API has changed in the past decade; it now means apps that are used on the internet. This can be achieved through SOA, especially REST and JSON.
    Security evolved with a number of models, the most important being:
    • OpenID Connect
    • JWToken, JWSignature, JWEncryption
    • Federation, SAML and JWT (jot)
    • Identity delegation
    • OAuth 2.0 (quite equal to OAuth 1.0)
    • TLS – Transport Layer Security
    • HTTP Authentication
  • 36. (Closing slide: repeats the layered diagram from slide 2.)
  • 37. Bibliography
    1. Advanced API Security, Prabath Siriwardena, Apress, 2014
    2. OpenID Connect: http://openid.net/connect/
    3. Securing the API Stronghold, Travis Spencer et al., nordicapis.com, 2015, http://nordicapis.com/wp-content/uploads/securing-the-api-stronghold.pdf
    4. How to control User Identity within microservices: http://nordicapis.com/how-to-control-user-identity-within-microservices/
    5. REST Security Cheat Sheet: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
    6. State of API security: https://www.soapui.org/testing-dojo/world-of-api-testing/state-of-api-security.html