Securing Your APIs: How, What, Why and When
Dulanja Liyanage, Technical Lead, [email protected]
Attributes of a secured design
Authentication: Only legitimate users can access the system
Authorization: The system won't allow users to do anything more than what they are supposed to do
Confidentiality: Confidential data can only be seen by the intended recipients, nobody else
Integrity: The integrity of transactions is protected
Non-repudiation: An entity cannot deny its actions
Auditing: All anomalies are recorded
Availability: The system is available for legitimate users to access, all the time
HTTP Basic Authentication
• Creating a GitHub repository
curl -I -u $GitHubUserName:$GitHubPassword -X POST -H 'Content-Type: application/json' -d '{"name":"my_github_repo"}' https://api.github.com/user/repos
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
HTTP Digest Authentication
curl -k --digest -u username:password -v https://localhost:8443/recipe
Server challenge:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
Client response:
Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
HTTP Basic vs. Digest Authentication
Basic Authentication | Digest Authentication
---------------------|----------------------
Sends credentials in clear text | Credentials are never sent in clear text; a digest derived from them is sent
Must be used with transport level security like TLS | Does not depend on transport level security
Only performs authentication | Can perform authentication and integrity protection (with qop=auth-int)
User store can store the password as a salted hash | User store should store the password in clear text or store the hash value of username:password:realm
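The two slides above contrast what crosses the wire and what the server must keep. The following added example (mine, not part of the deck) makes both points concrete: a Basic header is just base64 of user:password and decodes back to the slide's Aladdin:OpenSesame, while a Digest server verifies the client's response from a stored HA1 value, H(username:realm:password) as the RFC defines it, without ever seeing the cleartext password, and with qop=auth-int a tampered body fails the check. The realm, nonce and cnonce are taken from the slide; the user password is constructed.

```python
import base64
import hashlib
import hmac
import re

# ---- HTTP Basic: the header only base64-encodes user:password ----

def basic_header(username, password):
    """Authorization header a client sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def parse_basic(header):
    """Recover the credentials from a Basic header. Anyone who can read the
    header on the wire can do the same, which is why Basic needs TLS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# ---- HTTP Digest: MD5 computation with qop (RFC 2617 / RFC 7616) ----

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    """H(username:realm:password). A Digest server stores this per user, so it
    can verify responses without keeping the cleartext password."""
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop, body=b""):
    """The 'response' field. With qop=auth-int the request body is hashed
    into HA2, which is what gives Digest its integrity protection."""
    if qop == "auth-int":
        ha2 = md5hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        fields[key] = quoted or bare
    return fields

def verify_digest(header, method, user_store, issued_nonce, body=b""):
    """Server-side check: recompute the response from the stored HA1 and
    compare in constant time. user_store maps username -> HA1."""
    fields = parse_digest(header)
    if fields.get("nonce") != issued_nonce:        # not the nonce we issued
        return False
    stored_ha1 = user_store.get(fields.get("username"))
    if stored_ha1 is None:
        return False
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"], body)
    return hmac.compare_digest(expected, fields.get("response", ""))

# Constructed demo values: realm, nonce and cnonce are the slide's,
# the password is invented for this example.
REALM = "cute-cupcakes.com"
NONCE = "1390781967182:c2db4ebb26207f6ed38bb08eeffc7422"
USER_STORE = {"prabath": ha1("prabath", REALM, "constructed-secret")}

def client_digest_header(password, qop="auth", body=b""):
    """What the curl client sends for GET /recipe after the 401 challenge."""
    response = digest_response(ha1("prabath", REALM, password), "GET", "/recipe",
                               NONCE, "00000001", "MTM5MDc4", qop, body)
    return (f'Digest username="prabath", realm="{REALM}", nonce="{NONCE}", '
            f'uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="{qop}", '
            f'response="{response}"')
```

Because the user store holds HA1 rather than a salted hash, a copy of that store is enough to impersonate every user of that realm; this is the trade-off the table's last row describes, and the reason the nonce must be fresh per challenge.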
TLS Mutual Authentication
curl -k --cert client.pem https://localhost:8443/recipe
• Gateway itself does the certificate validation
• Fine-grained access validations can be done by the authorization server
OAuth
• Allows applications to act on behalf of end users without sharing credentials
• Three-legged OAuth
– Client, Resource Server and User (Resource Owner)
• Two-legged OAuth
– Client (Resource Owner) and Resource Server
• OAuth 1.0a
– Restrictive, cumbersome, involves signatures
– Only Twitter uses it
• OAuth 2.0
– Depends on SSL
– A framework rather than a concrete standard
– Could cater to many use cases via grant types
Authorization Code Grant: Suitable for web applications.
Implicit Grant: Suitable for mobile, SPA and untrusted public apps where the client secret cannot be kept private.
Resource Owner Credentials Grant: Suitable for apps trusted by the Authz Server, e.g. the official FB app.
Client Credentials Grant: Suitable to retrieve data not specific to end users (e.g. Weather/Stocks) and for machine-to-machine communications.
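To show why the authorization code grant suits a web application that can keep a secret, and how the client credentials grant differs when there is no end user, here is an added in-memory authorization server (my illustration, not code from the deck or from WSO2). The client id and subject reuse the slide's introspection sample values; the secret, redirect URI and code lifetime are constructed assumptions.

```python
import secrets
import time

class AuthorizationServer:
    """In-memory authorization server for the authorization code grant and
    the client credentials grant. Constructed for illustration only."""

    CODE_TTL = 60  # seconds a code stays valid (RFC 6749 recommends 10 minutes max)

    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}          # authorization code -> what it was issued for
        self.tokens = {}         # access token -> {"sub", "scope", "client_id"}

    def check_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        return client

    def authorize(self, client_id, redirect_uri, scope, user, now=None):
        """Front channel: after the resource owner has logged in and consented,
        issue the code that travels back to the client through the browser."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        current = now if now is not None else time.time()
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user,
                            "expires": current + self.CODE_TTL}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Back channel: the web application (which can keep a secret) swaps
        the code for an access token. The code is single-use and bound to the
        client and redirect_uri it was issued for."""
        self.check_client(client_id, client_secret)
        meta = self.codes.pop(code, None)       # pop: replaying a code fails
        if meta is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code issued to another client/redirect_uri")
        current = now if now is not None else time.time()
        if current > meta["expires"]:
            raise PermissionError("invalid_grant: code expired")
        return self.issue(meta["user"], meta["scope"], client_id)

    def client_credentials(self, client_id, client_secret, scope):
        """Two-legged grant for machine-to-machine calls: no end user, so the
        token carries no subject, only the client's own scope."""
        self.check_client(client_id, client_secret)
        return self.issue(None, scope, client_id)

    def issue(self, sub, scope, client_id):
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": sub, "scope": scope, "client_id": client_id}
        return {"access_token": access_token, "token_type": "Bearer", "scope": scope}
```

The checks in token() are the ones that matter when the code leaks through the browser redirect: without the client secret, without the original redirect_uri, or after a replay, the code is worthless. A public client (the implicit grant case on the slide) cannot supply that secret, which is why it gets the weaker flow.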
OAuth 2.0
OAuth 2.0 - Authorization Code Grant
OAuth 2.0 - Decoupling End User Authentication from the Authorization Server
OAuth 2.0 - SAML Grant Type
OAuth 2.0 - JWT Grant Type
OAuth 2.0 - NTLM Grant Type
OAuth 2.0 - Chained Grant Type
Token Introspection
POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{ "active": true, "client_id": "s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": "http://example.org/protected-resource/*" }

Standardization of Resource Server -> Authorization Server communication for token validation
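The introspection response above is only half of the job; the resource server still has to decide what it means for the call in hand. The added example below (mine, not from the deck) builds the introspection request and then applies the checks a resource server should make on the answer: active, not expired, audience matches this resource (the slide's aud carries a wildcard), and the required scope is present. The introspection endpoint is replaced by a constructed lookup table so the code runs offline; the token and response fields come from the slide, the client secret and exp value are invented.

```python
import base64
import fnmatch
import urllib.parse

def introspection_request(token, client_id, client_secret):
    """The request a resource server sends to the authorization server.
    Resource servers authenticate to the endpoint (here with Basic)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "path": "/introspection",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode({"token": token}),
    }

# Constructed introspection responses keyed by token; the active one mirrors
# the slide's example. A real authorization server answers this over HTTPS.
FAKE_AS = {
    "X3241Affw.4233-99JXJ": {"active": True, "client_id": "s6BhdRkqt3",
                             "scope": "read write dolphin", "sub": "2309fj32kl",
                             "aud": "http://example.org/protected-resource/*",
                             "exp": 2000},
    "revoked-token": {"active": False},
}

def fake_introspect(token):
    # Unknown tokens are reported inactive, never as an error that leaks state
    return FAKE_AS.get(token, {"active": False})

def authorize_call(introspect, token, resource, required_scope, now):
    """Resource server decision for one API call. Returns (allowed, detail)."""
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive"
    if "exp" in info and now >= info["exp"]:
        return False, "token expired"
    aud = info.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    # aud may be a pattern such as http://example.org/protected-resource/*
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in aud):
        return False, "token not issued for this resource"
    if required_scope not in info.get("scope", "").split():
        return False, f"missing scope {required_scope}"
    return True, info.get("sub")
```

The audience check is the one most often skipped: a token that is active and carries the right scope for another API is still not a token for this one.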
Fine-grained Authorization with XACML
User-Managed Access (UMA)
• OAuth 2.0 solves Person-to-Client delegation
• UMA tries to solve/standardize Person-to-Person delegation, e.g. Luke sharing a doc on Google Drive with 'edit' rights to John and 'view' rights to Peter
• Introduces an entity named "Requesting Party"
• IoT has quite interesting scenarios UMA could solve.
User-Managed Access (UMA)
Confidentiality: • TLS, JWE
Integrity: • TLS, JWS
Non-repudiation: • JWS
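JWS is listed for both integrity and non-repudiation. The added example below (mine, not from the deck) implements compact JWS signing and verification with HS256 using only the standard library, so the integrity property can be seen directly: any change to the claims or a token minted under a different key is rejected, and a header that names a different algorithm (including none) is refused before the signature is even looked at. HS256 is a shared-key MAC, so it gives integrity but not non-repudiation; for the latter an asymmetric JWS algorithm such as RS256 or ES256 is needed, where only the signer holds the private key. The key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(claims, key):
    """Compact JWS (header.payload.signature) over a JSON claims set, HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def jws_verify(token, key, now=None):
    """Return the claims if signature and expiry check out, otherwise None.
    The algorithm is pinned by the verifier, never taken from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, payload, sig = parts
    try:
        header = json.loads(b64url_decode(head))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # rejects alg=none and confusion
        return None
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(b64url_decode(payload))
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims
```

The same structure applies with a JWE in front of it for confidentiality: encrypt the signed token, so the recipient first decrypts and then verifies exactly as above.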
Auditing: • Audit logs • Analytics for fraud/threat detection
Availability: • Network level measures • Throttling: Client level, User level
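Throttling at client level and user level, as listed under availability, is two tiers of the same mechanism. The added example below (mine, not from the deck) is a token-bucket throttler with a per-application bucket and a per-user bucket under that application; a request must find room in both, and a refusal at one tier consumes nothing at the other. The request log it runs over is constructed, and the limits (5 per minute per client, 2 per minute per user) are illustrative assumptions.

```python
from collections import defaultdict

class TokenBucket:
    """Allows `limit` requests per `window` seconds, refilling continuously."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.tokens = float(limit)
        self.last = None

    def refill(self, now):
        if self.last is not None:
            self.tokens = min(self.limit,
                              self.tokens + (now - self.last) * self.limit / self.window)
        self.last = now

    def has_token(self, now):
        self.refill(now)
        return self.tokens >= 1

    def take(self):
        self.tokens -= 1

class Throttler:
    """Two tiers, as on the slide: a per-client (application) bucket and a
    per-user bucket scoped to that client. Both must have room."""

    def __init__(self, client_limit, user_limit, window=60):
        self.clients = defaultdict(lambda: TokenBucket(client_limit, window))
        self.users = defaultdict(lambda: TokenBucket(user_limit, window))

    def check(self, client_id, user_id, now):
        """Return (allowed, reason) for one request arriving at `now` seconds."""
        user_bucket = self.users[(client_id, user_id)]
        client_bucket = self.clients[client_id]
        if not user_bucket.has_token(now):
            return False, "user-level limit"
        if not client_bucket.has_token(now):
            return False, "client-level limit"
        user_bucket.take()
        client_bucket.take()
        return True, "ok"

# Constructed request log: (seconds, client_id, user_id)
REQUEST_LOG = [
    (0, "app1", "alice"), (0, "app1", "alice"), (0, "app1", "alice"),
    (0, "app1", "bob"), (0, "app1", "bob"),
    (0, "app1", "carol"), (0, "app1", "carol"),
    (60, "app1", "alice"),
]

def run_log(throttler, log):
    """Apply the throttler to each logged request and return the decisions."""
    return [throttler.check(client, user, when)[1] for when, client, user in log]
```

The user-level tier stops one account from exhausting the application's quota for everyone else; the client-level tier is what protects the backend when many users arrive through the same application at once.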
Thank You!
#WSO2ConEU