Secure Your APIs Using OAuth 2 and OpenID Connect
TRANSCRIPT
Overview of OAuth and OpenID Connect: The Nuts and Bolts of API Security
By Travis Spencer, CEO (@travisspencer, @2botech)
Copyright © 2013-2017 Twobo Technologies AB. All rights reserved
• All API conferences
• API community
• Active blogosphere
Organizers and founders
Agenda
• The security challenge in context
• OAuth 2 fundamentals
• Building OpenID Connect on OAuth
• 2 example use cases
API Security == API Keys
• Problem solved!
API Security != API Keys
• Revocable, un-audienced, non-expiring, bearer access tokens
• Symmetric keys
• Passwords!
API Security == OAuth
• Problem solved for real this time?
Not that easy! Sorry :(
Crucial Security Concerns
• Enterprise security
• API security
• Mobile security
Identity is Central
Venn diagram by Gunnar Peterson. Labels: Mobile Security (MDM, MAM), API Security, Enterprise Security, AuthZ, with Identity at the center where the three overlap.
The Neo-security Stack
• Provisioning: SCIM
• Identities: JSON Identity Suite
• Federation: OpenID Connect
• Delegated Access: OAuth 2
• Authorization
• Authentication: U2F
OAuth
• OAuth 2 is a protocol of protocols
  • Used as the base of other specifications
  • OpenID Connect, UMA, HEART, etc.
• Addresses some important requirements
  • Delegated access
  • No password sharing
  • Revocation of access
OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
Diagram: the RO delegates to the Client; the Client gets a token from the AS and uses the token at the RS.
Request, Authenticate & Consent
Sequence diagram, one slide per step, with the actors Resource Owner (RO), Client, Authorization Server (AS) and Resource Server (RS):
1. The Client requests access
2. The AS requires the RO to authenticate
3. The AS issues the one-time-use code
4. The Client redeems the one-time-use code
5. The AS issues the token
6. The Client presents the token to the RS
7. The RS validates the token
8. Access!
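The eight steps above, acted out as an added Python example; this is not code from the original slides or from Twobo/Curity. It assumes three in-memory stand-ins with hypothetical names (AuthorizationServer, ResourceServer and a run_flow driver), by-reference access tokens that the RS validates by asking the AS, and a constructed client registration called mobile-app with a made-up secret and redirect URI. The point it adds to the slides: the code is consumed on redemption so it cannot be replayed, the code is bound to the client and redirect URI it was issued for, and the RS checks that the token is active, audienced to this API and carries the needed scope before it says "Access!".

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed, in-memory stand-ins for the OAuth actors in the slides.
# None of this is a real library API; all names and values are illustrative.


@dataclass
class AuthorizationServer:
    # client_id -> {"secret": ..., "redirect_uri": ...}, registered out of band
    clients: dict
    codes: dict = field(default_factory=dict)   # one-time-use codes
    tokens: dict = field(default_factory=dict)  # opaque, by-reference access tokens

    def authorize(self, client_id, redirect_uri, scope, resource_owner):
        """Steps 1-3: the client requests access, the RO authenticates and
        consents (assumed to have happened), and the AS issues a short-lived
        code bound to this client and redirect URI."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "sub": resource_owner,
                            "exp": time.time() + 60}
        return code

    def token(self, code, client_id, client_secret, redirect_uri):
        """Steps 4-5: the client redeems the code and the AS issues an access
        token. pop() removes the code, so a second redemption fails."""
        grant = self.codes.pop(code, None)
        if grant is None or grant["exp"] < time.time():
            raise PermissionError("invalid, expired or already-used code")
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client/redirect_uri")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"sub": grant["sub"], "scope": grant["scope"],
                                     "aud": "orders-api", "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer"}

    def introspect(self, access_token):
        """Step 7: the RS asks the AS whether a by-reference token is still valid."""
        meta = self.tokens.get(access_token)
        if meta is None or meta["exp"] < time.time():
            return {"active": False}
        return {"active": True, **meta}


class ResourceServer:
    """Steps 6-8: the API accepts a bearer token, validates it with the AS and
    enforces audience and scope before granting access."""

    def __init__(self, authz, audience, required_scope):
        self.authz, self.audience, self.required_scope = authz, audience, required_scope

    def handle(self, authorization_header):
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.authz.introspect(authorization_header[len("Bearer "):])
        if not info["active"]:
            return 401, "invalid token"
        if info["aud"] != self.audience:
            return 403, "token not intended for this API"
        if self.required_scope not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, f"orders for {info['sub']}"


def run_flow():
    """Act out the whole sequence and report what each step produced."""
    authz = AuthorizationServer(clients={
        "mobile-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}})
    orders_api = ResourceServer(authz, audience="orders-api", required_scope="orders:read")
    billing_api = ResourceServer(authz, audience="billing-api", required_scope="orders:read")

    code = authz.authorize("mobile-app", "https://app.example/cb", "orders:read", "alice")
    grant = authz.token(code, "mobile-app", "s3cret", "https://app.example/cb")
    header = f"Bearer {grant['access_token']}"

    try:                                   # replaying the one-time code must fail
        authz.token(code, "mobile-app", "s3cret", "https://app.example/cb")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    return {
        "orders": orders_api.handle(header),          # (200, "orders for alice")
        "billing": billing_api.handle(header),        # 403: wrong audience
        "no_token": orders_api.handle(""),            # 401
        "garbage": orders_api.handle("Bearer nope"),  # 401
        "replay_rejected": replay_rejected,           # True
    }


if __name__ == "__main__":
    for name, result in run_flow().items():
        print(f"{name}: {result}")
```

Running the file prints one line per check. The billing result is the "un-audienced" problem from the API-keys slide made concrete: the same bearer token is valid at the orders API and rejected at the billing API only because the AS audienced it and the RS checks that audience.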
Scopes
• Like permissions
• Scopes specify the extent of tokens' usefulness
• Listed on consent UI (if shown)
• No standardized scopes
Kinds of Tokens
• Access tokens: like a session; used to secure API calls
• Refresh tokens: like a password; used to get new access tokens
Profiles of Tokens
• Bearer: bearer tokens are like cash
• Holder of Key (HoK): HoK tokens are like credit cards
Types of Tokens
• WS-Security
• SAML
• Custom
  • Home-grown
  • Oracle Access Manager
  • SiteMinder
• JWT
JWT Tokens
• Pronounced like the English word "jot"
• Lightweight tokens passed in HTTP headers & query strings
• Akin to SAML tokens
  • Less expressive
  • Fewer security options
  • More compact
  • Encoded with JSON, not XML
Passing Tokens
• By value: the token itself carries the data (e.g., "John Doe")
• By reference: the token is an opaque handle (e.g., "123XYZ") that the recipient resolves
Improper Usage of OAuth
• Not for authentication
• Not really for authorization
• Not for federation
Proper Usage of OAuth
• For delegated access
• User-to-app delegation in particular
OpenID Connect
• Next generation federation protocol
  – Based on OAuth 2
  – Made for mobile
  – Not backward compatible
• Client & API receive tokens
• User info endpoint provided for client to get user data
OpenID Connect Example
Sequence diagram between the Browser, the RP / Client and the OAuth AS / OpenID Provider:
1. Request login, providing the "openid" scope & user info scopes
2. Access code
3. Send code to get access token
4. Access token & ID token
5. Check audience restriction of ID token
6. Get user info using access token
7. User info
ID Token is for Client
• Access token is for API; ID token is for client
• ID token provides client with info about
  • Intended client recipient
  • Username
  • Credential used to log in
  • Issuer of token
  • Expiration time
User Info Endpoint
• Token issuance and user discovery endpoint
• Authenticate using bearer access token issued by OpenID Provider
• Output depends on requested and authorized scopes
• sub claim must match sub claim in ID token
Applying All this to Micro-services
All Micro-services Accept JWTs
But translate!
Translate from by-ref to by-value in gateway
Diagram: the Resource Owner (RO) presents the by-reference token "123XYZ" to the API Firewall / Reverse Proxy, which translates it into a by-value JWT for the micro-services behind it.
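The JWT slide, the ID-token and user-info checks, and the gateway translation above, in one added Python example that is not code from the original slides or from Twobo/Curity. It uses only the standard library: a compact JWT is minted and verified with HMAC-SHA256 (HS256), and a hypothetical Gateway class resolves the by-reference token "123XYZ" from a constructed token store and re-issues the same grant as a by-value JWT audienced to one micro-service. The issuer URL, the shared key, the token store and the user-info response are all constructed; for brevity the same HS256 key also signs the sample ID token, which a real OpenID Provider would not do. What it adds to the slides is the recipient's side: the verifier fixes the algorithm itself instead of trusting the token's header, and every recipient checks issuer, audience and expiration, so a JWT minted for orders-service is rejected by billing-service.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: compact JWTs signed with HS256 using only the standard
# library, plus a gateway that swaps an opaque by-reference token for a by-value
# JWT. Names, keys and tokens are illustrative, not from any real deployment.

ISSUER = "https://as.example"              # assumed issuer identifier
GATEWAY_KEY = b"gateway-to-services-key"   # assumed shared HS256 key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Encode header and claims as JSON, base64url them, sign with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check the signature, then the claims every recipient must check:
    issuer, audience restriction and expiration. Raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience restriction failed")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


class Gateway:
    """API firewall / reverse proxy: resolves the by-reference token it
    received and re-issues the same grant as a by-value JWT for one service."""

    def __init__(self, reference_tokens: dict, key: bytes, issuer: str):
        self.store, self.key, self.issuer = reference_tokens, key, issuer

    def translate(self, authorization_header: str, target_service: str):
        if not authorization_header.startswith("Bearer "):
            return None
        meta = self.store.get(authorization_header[len("Bearer "):])
        if meta is None or meta["exp"] <= time.time():
            return None
        claims = {"iss": self.issuer, "sub": meta["sub"], "scope": meta["scope"],
                  "aud": target_service, "iat": int(time.time()), "exp": meta["exp"]}
        return mint_jwt(claims, self.key)


def demo():
    # Constructed by-reference token store, as the AS would hold it.
    store = {"123XYZ": {"sub": "john.doe", "scope": "orders:read",
                        "exp": int(time.time()) + 600}}
    gateway = Gateway(store, GATEWAY_KEY, ISSUER)

    jwt_for_orders = gateway.translate("Bearer 123XYZ", "orders-service")
    claims = verify_jwt(jwt_for_orders, GATEWAY_KEY, ISSUER, "orders-service")

    # The same JWT presented to another micro-service fails the audience check.
    try:
        verify_jwt(jwt_for_orders, GATEWAY_KEY, ISSUER, "billing-service")
        wrong_audience_rejected = False
    except ValueError:
        wrong_audience_rejected = True

    # An ID token is verified the same way with the client_id as audience, and
    # the user info response is only accepted if its sub matches the ID token's.
    id_token = mint_jwt({"iss": ISSUER, "aud": "mobile-app", "sub": "john.doe",
                         "exp": int(time.time()) + 300}, GATEWAY_KEY)
    id_claims = verify_jwt(id_token, GATEWAY_KEY, ISSUER, "mobile-app")
    userinfo = {"sub": "john.doe", "name": "John Doe"}  # constructed response

    return {"sub": claims["sub"], "scope": claims["scope"],
            "wrong_audience_rejected": wrong_audience_rejected,
            "unknown_reference": gateway.translate("Bearer nope", "orders-service"),
            "userinfo_sub_matches": id_claims["sub"] == userinfo["sub"]}
```

Call demo() to run the whole translation. Because the gateway is the only party holding the key, the micro-services never see the opaque "123XYZ" handle and never call back to the AS; they validate the JWT locally, which is the reason the slides have the gateway, rather than each service, do the by-ref to by-value translation.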
Additional Resources
• Blog posts
  • bit.ly/oauth-deep-dive
  • bit.ly/4-api-security-defenses
  • bit.ly/building-secure-api
  • bit.ly/right-api-armor
  • API keys: http://bit.ly/2dI9Z7Q
• Videos
  • bit.ly/oauth-in-depth
  • bit.ly/micro-services-security
  • bit.ly/building-secure-api-video
• API security insights
  • http://nordicapis.com/api-insights/security/
For more information, visit curity.io
Summary
• API security > API keys & OAuth
• OAuth 2 fundamentals
  • Token types
  • Profiles
  • Passing tokens
• Building OpenID Connect on OAuth
Thank you!