api security : patterns and practices
Prabath Siriwardena, Director of Security Architecture, WSO2
API Security Patterns and Practices
API Ecosystem
Gateway Pattern
• Decouple clients from the actual API implementation
• No point-to-point connection
• Centralized security enforcing
• Centralized auditing & monitoring
• Version controlling
Six key attributes of a secured design
• Only legitimate users can access the system (authentication)
• The system won’t allow users to do anything more than what they are supposed to do (authorization)
• Confidential data can only be seen by the intended recipients, nobody else (confidentiality)
• Integrity of the transactions is protected (integrity)
• Transactions are protected for non-repudiation (non-repudiation)
• The system is available for legitimate users to access, all the time (availability)
Direct Authentication
• HTTP Basic Authentication
• HTTP Digest Authentication
• TLS Mutual Authentication
• OAuth 2.0 (for authentication?)
HTTP Basic Authentication
curl -i -u "$GitHubUserName:$GitHubPassword" -X POST \
  -H 'Content-Type: application/json' \
  -d '{"name": "my_github_repo"}' \
  https://api.github.com/user/repos
Creating a GitHub repository (the user name and password travel base64-encoded in the Authorization header, so TLS is what keeps them confidential)
HTTP Digest Authentication
curl -k --digest -u userName:password -v https://localhost:8443/recipe

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
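Added example (not from the talk): a server-side check of the Digest exchange above with qop="auth", showing what Basic cannot give you: the password stays on the client, and the nonce plus nonce-count (nc) let the server reject a replayed Authorization header. The realm is the one in the exchange; the password "s3cret" and the nonces are constructed here.

```python
import hashlib
import secrets

# Constructed example: server-side checking of an HTTP Digest "Authorization"
# header with qop="auth". The password and nonces are made up for this demo.
REALM = "cute-cupcakes.com"
# The server keeps HA1 = MD5(username:realm:password), never the password itself.
# MD5 is what the Digest scheme (RFC 2617) specifies, not a recommendation.
USERS = {"prabath": hashlib.md5(b"prabath:cute-cupcakes.com:s3cret").hexdigest()}
SEEN_NONCES = {}  # nonce -> highest nonce-count (nc) accepted so far


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def issue_nonce() -> str:
    """Fresh server nonce for the WWW-Authenticate challenge."""
    nonce = secrets.token_hex(16)
    SEEN_NONCES[nonce] = 0
    return nonce


def client_response(user, password, method, uri, nonce, nc, cnonce) -> str:
    """Value the client places in response=...; the password never goes on the wire."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(user, method, uri, nonce, nc, cnonce, response) -> bool:
    """Accept only a known user, a nonce we issued, a strictly increasing nc, and a matching hash."""
    ha1 = USERS.get(user)
    if ha1 is None or nonce not in SEEN_NONCES:
        return False
    if int(nc, 16) <= SEEN_NONCES[nonce]:
        return False  # replay of an earlier request under this nonce
    ha2 = md5hex(f"{method}:{uri}")
    expected = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    if not secrets.compare_digest(expected, response):
        return False
    SEEN_NONCES[nonce] = int(nc, 16)
    return True
```

Note that Digest still leaves the request body and the rest of the headers unprotected, which is why the slides pair it with TLS.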
HTTP Basic vs. Digest Authentication
TLS Mutual Authentication
• Gateway itself does the certificate validation
• Fine-grained access validations can be done by the authorization server
curl -k --cert client.pem https://localhost:8443/recipe
OAuth 2.0 (authorization code grant type)
OAuth 2.0 (implicit grant type)
OAuth 2.0 (password grant type)
OAuth 2.0 (client credentials grant type)
OAuth 2.0 (chained grant type)
OAuth 2.0 Tokens: Access Tokens
• Bearer tokens vs. MAC tokens
• TLS is a must
• Pass the access token in the HTTP Authorization header: Authorization: Bearer <token>
• Passing the access token as a URL query parameter (e.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1.): avoid this; request Cache-Control: no-store, response Cache-Control: private
• Shorter lifetime, in minutes or hours
• Do not store in cookies
• Issue scoped tokens
OAuth 2.0 Tokens: Refresh Tokens
• Must use TLS
• Long-lasting
• No refresh tokens under the implicit grant type, client credentials grant type, SAML grant type or JWT grant type
Self-contained Access Tokens
• JWT (RFC 7519)
• Encodes claims to be transmitted as a JSON object
• Can be signed using JWS (JSON Web Signature)
• Can be encrypted using JWE (JSON Web Encryption)
• Represented as a sequence of URL-safe parts separated by period ('.') characters; each part contains a base64url-encoded value
Example:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
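Added example, not part of the slides: decoding the three base64url parts of the JWT quoted above, then signing and verifying a JWS with HS256 using a constructed key. The verifier pins the algorithm to HS256 so the token's own header cannot downgrade it to "none", and checks exp; the key, claims and timestamps used for the new token are assumptions.

```python
import base64
import hashlib
import hmac
import json

# The JWT from the slide above, split at its '.' separators.
EXAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
    ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
    ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
)


def b64url_decode(part: str) -> bytes:
    # base64url omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Header and claims only; nothing here proves the token is genuine."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a JWS-signed JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: int):
    """Return the claims if the signature and exp check out, else None."""
    header, payload, sig = token.split(".")
    # Pin the algorithm: the token's header must never choose 'none' or another alg.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims
```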
Self-issued Access Tokens
• Same as self-contained access tokens
• Issued by the client itself
Brokered Authentication
• TLS Mutual Authentication
• OAuth 2.0
OAuth 2.0 (decoupling end user authentication from the authorization server)
OAuth 2.0 (SAML grant type)
OAuth 2.0 (JWT grant type)
OAuth 2.0 (External Client)
Authorization
XACML
OAuth & XACML
A given access token has a scope associated with it, and that scope governs the access token's capabilities.
A user delegates access to his Facebook profile to a third party, under the scope "user_activities". This provides access to the user's list of activities as the activities connection. To achieve fine-grained access control, this can be represented in an XACML policy.
token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
Token Introspection
POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{
  "active": true,
  "client_id": "s6BhdRkqt3",
  "scope": "read write dolphin",
  "sub": "2309fj32kl",
  "aud": "http://example.org/protected-resource/*"
}
XACML Policy
<Policy>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
          <AttributeDesignator MustBePresent="false"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit_rule" Effect="Permit"></Rule>
  <Rule RuleId="deny_rule" Effect="Deny"></Rule>
</Policy>
XACML Request
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
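Added example, not from the talk or any WSO2 product: the gateway-side decision that the introspection response and the XACML policy above express, for the "GET .../activities under scope user_activities" case. The introspection call is stubbed with a constructed in-memory table; the aud value, the second token and the path-to-scope mapping are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the authorization server's introspection endpoint
# (really an HTTP POST with the token, as shown above). Values are made up here.
INTROSPECTION = {
    "X3241Affw.4233-99JXJ": {
        "active": True, "client_id": "s6BhdRkqt3", "scope": "user_activities",
        "sub": "2309fj32kl", "aud": "https://graph.facebook.com/*",
    },
    "revoked-token": {"active": False},
}

# Gateway policy equivalent of the XACML Target: (method, path pattern) -> required scope.
REQUIRED_SCOPE = [
    ("GET", re.compile(r"^/[^/]+/activities$"), "user_activities"),
]


def introspect(token: str) -> dict:
    """Look the token up; an unknown token is reported inactive, as the spec requires."""
    return INTROSPECTION.get(token, {"active": False})


def aud_matches(aud: str, url: str) -> bool:
    # A trailing '*' in aud is treated as a prefix wildcard, as in the example response.
    return url.startswith(aud[:-1]) if aud.endswith("*") else url == aud


def authorize(token: str, method: str, url: str) -> str:
    """Return 'Permit' or 'Deny' for a request arriving at the gateway."""
    info = introspect(token)
    if not info.get("active"):
        return "Deny"
    if not aud_matches(info.get("aud", ""), url):
        return "Deny"  # token was issued for a different resource server
    granted = set(info.get("scope", "").split())
    path = urlparse(url).path
    for m, pattern, scope in REQUIRED_SCOPE:
        if m == method and pattern.match(path):
            return "Permit" if scope in granted else "Deny"
    return "Deny"  # no applicable rule: deny by default
```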
Confidentiality
• TLS
• JWE
Integrity
• TLS
• JWS
Non-repudiation
• JWS
High Availability
• Network level measures
• Throttling
  • Client level
  • User level
Thank You