WSO2Con EU 2016: Securing APIs: How, What, Why, When
TRANSCRIPT
Attributes of a secured design
Authentication: Only legitimate users can access the system
Authorization: The system won't allow users to do anything more than what they are supposed to do
Confidentiality: Confidential data can only be seen by the intended recipients, nobody else
Integrity: Integrity of the transactions is protected
Non-repudiation: An entity cannot deny its actions
Auditing: All anomalies are recorded
Availability: The system is available for legitimate users to access, all the time
HTTP Basic Authentication
• Creating a GitHub repository

curl -i -u $GitHubUserName:$GitHubPassword -X POST -H 'Content-Type: application/json' -d '{"name":"my_github_repo"}' https://api.github.com/user/repos

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
HTTP Digest Authentication

curl -k --digest -u username:password -v https://localhost:8443/recipe

Server challenge:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Client request carrying the computed digest:
Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
HTTP Basic vs. Digest Authentication

| Basic Authentication | Digest Authentication |
| --- | --- |
| Sends credentials in clear text | Credentials are never sent in clear text; a derived digest is sent |
| Must be used with transport level security like TLS | Does not depend on transport level security |
| Only performs authentication | Can perform authentication and integrity protection (with qop=auth-int) |
| User store can store the password as a salted hash | User store should store the password in clear text or store the hash value of username:password:realm |
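The slides show the wire format of both schemes but not the arithmetic behind them. The following is an added example (not code from the talk or from WSO2) that decodes the slide's Basic header, computes the Digest `response` field from the slide's realm, nonce, cnonce and nc for both `qop=auth` and `qop=auth-int`, and verifies it on the server side using only the stored HA1 plus a replay check on the nonce count. The password is a constructed value; the slide's own `response` cannot be reproduced because its password is not given.

```python
import base64
import hashlib
import secrets

# Values from the slides: the Basic header, and the Digest realm/nonce/cnonce.
BASIC_HEADER = "Basic QWxhZGRpbjpPcGVuU2VzYW1l"
REALM = "cute-cupcakes.com"
NONCE = "1390781967182:c2db4ebb26207f6ed38bb08eeffc7422"
CNONCE = "MTM5MDc4"


def decode_basic(header: str) -> tuple:
    """Basic is only base64 encoding: anyone who sees the header has the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password). A Digest server can keep just
    this instead of the password, but it is unsalted and tied to the realm, which
    is the storage drawback the comparison table points at."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str, body: bytes = b"") -> str:
    """Client-side 'response' field. qop=auth-int folds the entity body into HA2,
    which is what gives Digest its integrity protection."""
    if qop == "auth-int":
        ha2 = md5hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    elif qop == "auth":
        ha2 = md5hex(f"{method}:{uri}")
    else:
        raise ValueError("unsupported qop")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: holds only HA1 per user and tracks nonce counts to refuse replays."""

    def __init__(self, ha1_by_user: dict):
        self.ha1_by_user = ha1_by_user
        self.seen = set()  # (nonce, nc) pairs already accepted

    def verify(self, username, method, uri, nonce, nc, cnonce, qop, response, body=b""):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or (nonce, nc) in self.seen:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop, body)
        if not secrets.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True
```

Run under the sample values, `decode_basic` returns the clear text pair `Aladdin` / `OpenSesame`, which is the whole point of the first table row; the verifier accepts a fresh digest once, rejects the same nonce count a second time, and with `auth-int` rejects a request whose body differs from the one that was digested.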
TLS Mutual Authentication

curl -k --cert client.pem https://localhost:8443/recipe

• Gateway itself does the certificate validation
• Fine-grained access validations can be done by the authorization server
OAuth
• Allows applications to act on behalf of end users without sharing credentials
• Three-legged OAuth
  – Client, Resource Server and User (Resource Owner)
• Two-legged OAuth
  – Client (Resource Owner) and Resource Server
• OAuth 1.0a
  – Restrictive, cumbersome, involves signatures
  – Only Twitter uses it
• OAuth 2.0
  – Depends on SSL
  – A framework rather than a concrete standard
  – Could cater to many use cases via grant types
OAuth 2.0
Authorization Code Grant: Suitable for web applications.
Implicit Grant: Suitable for mobile, SPA and untrusted public apps where the client secret cannot be kept private.
Resource Owner Credentials Grant: Suitable for apps trusted by the Authz Server, e.g. the official FB app.
Client Credentials Grant: Suitable to retrieve data not specific to end users (e.g. Weather/Stocks) and for machine-to-machine communications.
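The grant the slide recommends for web applications is the authorization code grant, and its safety rests on a few server-side checks that the diagram slides do not spell out. The following is an added example, not code from the talk or any WSO2 product: a toy authorization server with the two endpoints of the flow, binding each code to the client, the registered redirect URI and the user, authenticating the client on the back channel, and treating a reused code as a sign of leakage by revoking the token it already produced (RFC 6749 section 4.1.2). Client ids, secrets and URIs are constructed.

```python
import secrets
import time


class ManualClock:
    """Settable clock so code expiry can be exercised without sleeping."""

    def __init__(self, t: float = 1_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


class AuthorizationServer:
    """Constructed toy authorization server for the authorization code grant."""

    CODE_TTL = 60  # seconds; codes are meant to be exchanged immediately

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}  # client_id -> {"secret": str, "redirect_uris": set}
        self.codes = {}    # code -> record of what it was issued for
        self.tokens = {}   # access_token -> record

    def register_client(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = {"secret": client_secret,
                                   "redirect_uris": set(redirect_uris)}

    def authorize(self, client_id, redirect_uri, scope, user):
        """Front channel (browser redirect). After the user has authenticated and
        consented, issue a short-lived code bound to client, redirect_uri and user."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "sub": user,
                            "exp": self.clock() + self.CODE_TTL, "token": None}
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel (server to server). The client authenticates with its secret,
        the code is checked against what it was bound to, and it is single use."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        rec = self.codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["token"] is not None:
            # Second use of a code: revoke what the first use produced and refuse.
            self.tokens.pop(rec["token"], None)
            del self.codes[code]
            return {"error": "invalid_grant"}
        if (rec["exp"] < self.clock() or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            del self.codes[code]
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": rec["sub"], "scope": rec["scope"],
                                     "client_id": client_id}
        rec["token"] = access_token
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}

    def resource_owner_of(self, access_token):
        """What a resource server would learn about a token: the user it was
        issued for, or None if it is unknown or has been revoked."""
        rec = self.tokens.get(access_token)
        return None if rec is None else rec["sub"]
```

The code travels through the user's browser, so it is deliberately worthless on its own: without the client secret, the matching redirect URI and a fresh, unexpired code, the token endpoint answers with an OAuth error rather than a token.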
OAuth 2.0 - Authorization Code Grant (diagram)

OAuth 2.0 - Decoupling End User Authentication from the Authorization Server (diagram)

OAuth 2.0 - SAML Grant Type (diagram)

OAuth 2.0 - JWT Grant Type (diagram)

OAuth 2.0 - NTLM Grant Type (diagram)

OAuth 2.0 - Chained Grant Type (diagram)
Token Introspection

POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{
  "active": true,
  "client_id": "s6BhdRkqt3",
  "scope": "read write dolphin",
  "sub": "2309fj32kl",
  "aud": "http://example.org/protected-resource/*"
}

Standardization of Resource Server -> Authorization Server communication for token validation
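Both halves of that exchange have a security job: the authorization server must authenticate whoever is asking and must not leak why a token is inactive, and the resource server must check more than `"active": true` before serving a request. The following is an added example, not the talk's or WSO2's code, using the slide's own sample client id, secret and token (the Basic header on the slide decodes to `s6BhdRkqt3:7Fjfp0ZBr1KtDRbnfVdmIw`); the token registry, its expiry and the prefix interpretation of the trailing `*` in `aud` are constructed assumptions.

```python
import base64
import secrets
from urllib.parse import parse_qs

# Constructed registrations. The client id/secret and the token are the sample
# values that appear on the slide's introspection request and response.
CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}
TOKENS = {
    "X3241Affw.4233-99JXJ": {
        "active": True,
        "client_id": "s6BhdRkqt3",
        "scope": "read write dolphin",
        "sub": "2309fj32kl",
        "aud": "http://example.org/protected-resource/*",
        "exp": 2_000_000_000,  # constructed expiry (seconds since epoch)
    },
}


def _client_authenticated(auth_header: str) -> bool:
    """The introspection endpoint is itself protected: only registered resource
    servers may ask about tokens, here via HTTP Basic as on the slide."""
    scheme, _, cred = auth_header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        client_id, _, secret = base64.b64decode(cred).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = CLIENTS.get(client_id)
    return expected is not None and secrets.compare_digest(expected, secret)


def introspect(auth_header: str, form_body: str, now: int):
    """Authorization server side of RFC 7662. Returns (status, json_body).
    Unknown, expired and revoked tokens all get {"active": false} with no reason,
    so the endpoint cannot be used to probe which tokens exist."""
    if not _client_authenticated(auth_header):
        return 401, {"error": "invalid_client"}
    token = parse_qs(form_body).get("token", [""])[0]
    rec = TOKENS.get(token)
    if rec is None or not rec["active"] or rec["exp"] <= now:
        return 200, {"active": False}
    return 200, dict(rec)


def resource_server_allows(introspection: dict, my_resource: str,
                           required_scope: str) -> bool:
    """Resource server side: 'active' alone is not enough; the token must be meant
    for this resource (aud) and carry the scope the operation needs."""
    if not introspection.get("active"):
        return False
    aud = introspection.get("aud", "")
    # the slide's aud ends in '*'; treat that as a prefix pattern, else exact match
    if aud.endswith("*"):
        if not my_resource.startswith(aud[:-1]):
            return False
    elif aud != my_resource:
        return False
    return required_scope in introspection.get("scope", "").split()
```

A resource server that caches introspection results should cache for no longer than the token's remaining lifetime, otherwise a revoked token keeps working until the cache entry ages out.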
Fine-grained Authorization with XACML (diagram)
User-Managed Access (UMA)
• OAuth 2.0 solves Person-to-Client delegation
• UMA tries to solve/standardize Person-to-Person delegation, e.g. Luke sharing a doc on Google Drive with 'edit' rights to John and 'view' rights to Peter
• Introduces an entity named "Requesting Party"
• IoT has quite interesting scenarios UMA could solve.
User-Managed Access (UMA) (diagram)
Confidentiality:
• TLS, JWE
Integrity:
• TLS, JWS
Non-repudiation:
• JWS
Auditing:
• Audit logs
• Analytics for fraud/threat detection
Availability:
• Network level measures
• Throttling: Client level, User level
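The slide names two throttling levels without saying how they interact. The following is an added example (not from the talk or WSO2's gateway) of a sliding-window throttle that enforces a per-client limit, covering every user behind one application, and a tighter per-user limit, so that one busy user cannot exhaust the application's whole allowance and one application cannot exceed its allowance by spreading load across users. The limits, window and identifiers are constructed; the current time is passed in so behaviour is deterministic.

```python
from collections import defaultdict, deque


class Throttle:
    """Sliding-window throttle applied at two levels: per client (the application
    holding the credentials) and per user behind that client. Constructed example."""

    def __init__(self, client_limit: int, user_limit: int, window_seconds: float):
        self.client_limit = client_limit
        self.user_limit = user_limit
        self.window = window_seconds
        self.by_client = defaultdict(deque)  # client_id -> admitted request times
        self.by_user = defaultdict(deque)    # user_id -> admitted request times

    def _live_count(self, q: deque, now: float) -> int:
        # drop timestamps that have left the window, then count what remains
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def allow(self, client_id: str, user_id: str, now: float):
        """Return (admitted, reason). Both counters are checked before either is
        incremented, so a rejected request is not charged to the caller."""
        cq, uq = self.by_client[client_id], self.by_user[user_id]
        if self._live_count(cq, now) >= self.client_limit:
            return False, "client limit"
        if self._live_count(uq, now) >= self.user_limit:
            return False, "user limit"
        cq.append(now)
        uq.append(now)
        return True, "ok"
```

A gateway would map the `False` result to HTTP 429 and key the counters by the authenticated client id and the `sub` from the token, so that throttling decisions rest on verified identity rather than on request headers a caller controls.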
Thank You!
#WSO2ConEU
Share your feedback for this session: wso2con.com/app