wso2con usa 2015: securing your apis: patterns and more
TRANSCRIPT
API Security Pa.erns and More
Prabath Siriwardena Director of Security Architecture WSO2
Direct Authen,ca,on
• HTTP Basic Authentication • HTTP Digest Authentication • TLS Mutual Authentication • OAuth 1.o : Two Legged OAuth • OAuth 2.o : Client Credentials • NTLM / Kerberos
HTTP Basic Authen,ca,on
curl -‐I -‐u $GitHubUserName:GitHubPassword -‐X POST -‐H 'Content-‐Type: applica,on/x-‐www-‐form-‐urlencoded’ -‐d '{"name": "my_github_repo"}' hPps://api.github.com/user/repos
§ Creating a GitHub repository
HTTP Digest Authen,ca,on
curl -‐k –-‐digest –u userName:password -‐v hPps://localhost:8443/recipe
HTTP/1.1 401 Unauthorized WWW-‐Authen,cate: Digest realm="cute-‐cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
Authoriza,on: Digest username="prabath", realm="cute-‐cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bi64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
HTTP Basic vs. Digest Authen,ca,on
TLS Mutual Authen,ca,on
curl -‐k -‐-‐cert client.pem hPps://localhost:8443/recipe
OAuth 1.0 : Two Legged OAuth
POST /student?name=pavithra HTTP/1.1 Host: server.com Content-‐Type: applica,on/x-‐www-‐form-‐urlencoded Authoriza,on: OAuth realm="simple", oauth_consumer_key="dsdsddDdsdsds ", oauth_token=" ", oauth_signature_method="HMAC-‐SHA1", oauth_,mestamp="1474343201", oauth_nonce="rerwerweJHKjhkdsjhkhj", oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
OAuth 2.0 : Client Creden,als
curl -‐v -‐X POST -‐-‐basic -‐u 588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b ] -‐H "Content-‐Type: applica,on/x-‐www-‐form-‐urlencoded;charset=UTF-‐8” -‐d "client_id=588997174524690&grant_type=client_creden,als" hPps://graph.facebook.com/oauth/access_token
Kerberos / NTLM
§ Can be implemented as OAuth 2.0 grant types
Brokered Authen,ca,on § SAML 2.0 grant type for OAuth 2.0
Brokered Authen,ca,on § SAML 2.0 grant type for OAuth 2.0
Brokered Authen,ca,on § JWT grant type for OAuth 2.0
Fine-‐grained Access Control
Fine-‐grained Access Control
POST /introspec,on HTTP/1.1 Accept: applica,on/x-‐www-‐form-‐urlencoded Host: server.example.com Authoriza,on: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 token=X3241Affw.4233-‐99JXJ&resource_id=… { "ac,ve": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309x32kl", "aud": hPp://example.org/protected-‐resource/* }
§ Token Introspection
Fine-‐grained Access Control § XACML Architecture
Fine-‐grained Access Control § XACML Request
<Request> <A.ributes Category="urn:oasis:names:tc:xacml:3.0:a.ribute-‐category:oauth-‐client"> <A.ribute A.ributeId="urn:oasis:names:tc:xacml:1.0:client:client-‐id"> <A.ributeValue DataType="h.p://www.w3.org/2001/XMLSchema#string">32324343434</A.ributeValue> </A.ribute> <A.ributes> <A.ributes Category="urn:oasis:names:tc:xacml:3.0:aPribute-‐category:ac,on"> <A.ribute A.ributeId="urn:oasis:names:tc:xacml:1.0:acUon:acUon-‐id"> <A.ributeValue DataType="h.p://www.w3.org/2001/XMLSchema#string">GET</A.ributeValue> </A.ribute> </A.ributes> <A.ributes Category="urn:oasis:names:tc:xacml:3.0:aPribute-‐category:scope"> <A.ribute A.ributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-‐id"> <A.ributeValue DataType="h.p://www.w3.org/2001/XMLSchema#string">user_acUviUes</A.ributeValue> </A.ribute> </A.ributes> <A.ributes Category="urn:oasis:names:tc:xacml:3.0:a.ribute-‐category:resource"> <A.ribute A.ributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-‐id"> <A.ributeValue DataType="h.p://www.w3.org/2001/XMLSchema#string"> h.ps://graph.facebook.com/prabathsiriwardena/acUviUes</A.ributeValue> </A.ribute> </A.ributes> </Request>
Fine-‐grained Access Control § XACML Policy
<Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:funcUon:string-‐equal"> <A.ributeValue DataType="h.p://www.w3.org/2001/XMLSchema#string"> user_ac,vi,es</A.ributeValue> <A.ributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:a.ribute-‐category:scope" A.ributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-‐id" DataType="h.p://www.w3.org/2001/XMLSchema#string"></A.ributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule> </Policy>
Chained APIs
Chained APIs POST /token HTTP/1.1 Host: authz.server.net Content-‐Type: applica,on/x-‐www-‐form-‐urlencoded grant_type= hPp://oauth.net/grant_type/chain oauth_token=dsddDLJkuiiuieqjhk238khjh scope=read
HTTP/1.1 200 OK Content-‐Type: applica,on/json;charset=UTF-‐8 Cache-‐Control: no-‐store Pragma: no-‐cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"Bearer", "expires_in":1800, }
Centralized Authoriza,on with Distributed Resource Servers
User Managed Access (UMA)
• PAT (Protection API Token) : Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.
• AAT (Authorization API Token) : Token issued to the Client to access the Authorization API (Authorization Server)..
• RPT (Requesting Party Token) : Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.
Thank You