Securing RESTful APIs using OAuth 2 and OpenID Connect

Technology

Published on February 27, 2014

Author: jcleblanc

Source: slideshare.net

Description

Constructing a successful and simple API is the lifeblood of your developer community. As we construct our API we need a secure way to authenticate and track apps & requests; OAuth 2 provides us with a secure and open way of doing just this.

In this talk, we will examine REST and OAuth 2 as standards for building secure API infrastructures, exploring the architectural decisions involved in choosing REST variations and implementations of OAuth 2.

Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal

Why do we Need This?

Poor Password Choices

• 4.7% of users have the password "password"
• 8.5% have the password "password" or "123456"
• 9.8% have the password "password", "123456" or "12345678"
• 14% have a password from the top 10 passwords
• 40% have a password from the top 100 passwords
• 79% have a password from the top 500 passwords
• 91% have a password from the top 1000 passwords

…And of What’s Left

1. Pet’s name
2. Significant dates (like a wedding anniversary)
3. Date of birth of a close relation
4. Child’s name
5. Other family member’s name
6. Place of birth
7. Favorite holiday
8. Something related to a favorite football team
9. Current partner’s name

Handing Over Account Passwords

Malicious Applications

Aspects of Revocation

App Revoked by User
App Revoked by Service Provider

Path to the Standard

Username & Password to Auth

Rise of the Token

Two Widely Used Specifications

REST Request Components

How Requests are Made

    curl -v https://api.sandbox.paypal.com/v1/payments/payment \
      -H "Content-Type: application/json" \
      -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'

How Auth is Added In

    curl -v https://api.sandbox.paypal.com/v1/payments/payment \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer {accessToken}" \
      -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'

Attack Vectors

Man in the Middle: an access token is a bearer credential, so anyone who can read the request can reuse it; every call must carry the token over TLS only
Replay Attacks: a captured token or authorization code can be resubmitted; short token lifetimes (expires_in) and single-use codes bound the damage
Cross-Site Request Forgery (CSRF): an attacker can drive the victim’s browser through the redirect flow; the client’s state parameter ties each callback to a request the client actually started
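As an added example (not from the deck and not PayPal’s code), the resource-server side of the checks that answer the first two attack vectors above: parsing the Bearer header the previous slide adds, rejecting expired or revoked tokens, and enforcing scope. It is self-contained Python; the token store, the tokens, the scope names and the fixed clock are constructed for the example.

```python
import hashlib

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed store for this example: the resource server keeps only a SHA-256 digest
# of each issued token, so a leaked store does not hand out usable bearer credentials.
# Tokens, scopes and the fixed clock are hypothetical.
NOW = 1_700_000_000
TOKEN_STORE = {
    _digest("tok-live-1"):    {"scopes": {"payments"}, "expires_at": NOW + 28800},  # expires_in 28800
    _digest("tok-expired-1"): {"scopes": {"payments"}, "expires_at": NOW - 60},
}
_TOKEN68 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~+/=")

def parse_bearer(authorization_header):
    """Extract the token from an RFC 6750 'Authorization: Bearer <token>' header.
    Returns None if the header is missing, uses another scheme, or is malformed."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":   # scheme name is case-insensitive
        return None
    token = parts[1].strip()
    return token if token and all(c in _TOKEN68 for c in token) else None

def authorize_request(authorization_header, required_scope, now=None):
    """Decide whether a request may reach a resource that needs `required_scope`.
    Returns (http_status, www_authenticate_header)."""
    now = NOW if now is None else now
    token = parse_bearer(authorization_header)
    if token is None:
        return 401, 'Bearer realm="api"'          # no credential: challenge, say nothing more
    record = TOKEN_STORE.get(_digest(token))      # look up by digest, never by the raw token
    if record is None or record["expires_at"] <= now:
        # Unknown, revoked or expired. Expiry bounds the window in which a captured token
        # can be replayed; bearer tokens carry no proof of possession, so TLS on every
        # call is what keeps them from being captured in the first place.
        return 401, 'Bearer realm="api", error="invalid_token"'
    if required_scope not in record["scopes"]:
        return 403, 'Bearer realm="api", error="insufficient_scope", scope="%s"' % required_scope
    return 200, None

def revoke(token):
    """Revocation by the user or the service provider: forget the token. True if it existed."""
    return TOKEN_STORE.pop(_digest(token), None) is not None
```

Tokens are looked up by SHA-256 digest so that a copy of the store is not a copy of the credentials, and revocation, whether the user or the service provider initiates it, is a single delete. The CSRF item is a client-side concern: it is handled by the state parameter on the redirect, not by anything the resource server sees.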

Adding in the Auth

Reasons for Auth

Rate limiting and attack vector protection
Having the ability to revoke application access
Needing to allow users to revoke an application’s access to their data

When You Need Access Security

User Login (authentication)
User Involvement (authorization)
Application Only (monitoring)

Practical Implementation

Redirect the User to Log In

1. Prepare the redirect URI for the Authorization Endpoint with: client_id, response_type, scope, redirect_uri
2. Browser redirect to the authorization endpoint, where the user logs in and consents
3. The user is sent back to the Redirect URI

With response_type=code (the authorization code flow) the redirect back carries a short-lived code that the next step exchanges for the access token. With response_type=token (the implicit flow) the access token itself comes back in the redirect, with no token endpoint step and no client_secret involved.

Fetching the Access Token

HTTP POST to the Access Token Endpoint with: client_id, client_secret, grant_type, code
The Access Token Endpoint responds with the access token.

Fetching the Access Token

    curl https://api.sandbox.paypal.com/v1/oauth2/token \
      -H "Accept: application/json" \
      -H "Accept-Language: en_US" \
      -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" \
      -d "grant_type=client_credentials"

The client_id and client_secret travel as HTTP Basic credentials (-u). This call is the client_credentials grant, the application-only case; exchanging a user’s code instead sends grant_type=authorization_code together with the code and the redirect_uri.

Access Token Response

    {
      "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card",
      "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
      "token_type": "Bearer",
      "app_id": "APP-6XR95014SS315863X",
      "expires_in": 28800
    }

Using the Access Token

Fetch privileged resources from the Resource Endpoint with HTTP GET / PUT / POST / DELETE, sending the token type and the access token in the Authorization header.

Using the Access Token

    curl -v https://api.sandbox.paypal.com/v1/payments/payment \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer EMxItHE7Zl4cMdkv…" \
      -d "{...}"
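The whole sequence above (redirect, callback, code exchange, and the application-only client_credentials grant from the curl slide) as one runnable Python simulation. This is an added example, not the deck’s or PayPal’s code: the authorization server is an in-memory stand-in, and the endpoint URL, client_id, client_secret and redirect_uri are hypothetical. It uses response_type=code, so the redirect returns a code that the token endpoint then exchanges, and a per-request state value that the client checks on the callback.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint and client registration, constructed for this example (not PayPal's).
AUTHORIZE_URL = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "app-client-id"
CLIENT_SECRET = "app-client-secret"
REDIRECT_URI = "https://app.example.com/callback"

def parse_query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def basic_auth(client_id, secret):
    """HTTP Basic credential, what curl's -u client_id:secret sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

class AuthServer:
    """In-memory authorization server: an authorization endpoint and a token endpoint."""
    def __init__(self, now=time.time):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI}}}
        self.codes = {}    # code -> what it is bound to; removed on first use
        self.tokens = {}   # access_token -> owner, scope, expiry
        self.now = now

    def authorize(self, query, user):
        """Authorization endpoint: returns the URL the browser is sent back to after `user` consents."""
        client = self.clients.get(query.get("client_id"))
        redirect_uri = query.get("redirect_uri")
        # Only a registered redirect_uri may receive a code, or it leaks to an attacker's page.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if query.get("response_type") != "code":
            return redirect_uri + "?" + urlencode({"error": "unsupported_response_type"})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": redirect_uri, "user": user,
                            "scope": query.get("scope", ""), "expires": self.now() + 60}  # 60 s, single use
        # state is echoed back unchanged so the client can tie this response to its own request
        return redirect_uri + "?" + urlencode({"code": code, "state": query.get("state", "")})

    def _authenticate_client(self, header):
        try:
            scheme, _, cred = header.partition(" ")
            client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        except Exception:
            return None
        client = self.clients.get(client_id)
        ok = client is not None and secrets.compare_digest(client["secret"].encode(), secret.encode())
        return client_id if scheme == "Basic" and ok else None

    def token(self, header, form):
        """Token endpoint: HTTP POST, client authenticated with HTTP Basic, grant in the form body."""
        client_id = self._authenticate_client(header)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            binding = self.codes.pop(form.get("code"), None)   # pop: the code is now spent
            if (binding is None or binding["expires"] < self.now()
                    or binding["client_id"] != client_id
                    or binding["redirect_uri"] != form.get("redirect_uri")):
                return 400, {"error": "invalid_grant"}
            user, scope = binding["user"], binding["scope"]
        elif grant == "client_credentials":
            user, scope = None, form.get("scope", "")   # application-only access, no user
        else:
            return 400, {"error": "unsupported_grant_type"}
        access_token, expires_in = secrets.token_urlsafe(32), 28800
        self.tokens[access_token] = {"client_id": client_id, "user": user, "scope": scope,
                                     "expires": self.now() + expires_in}
        return 200, {"access_token": access_token, "token_type": "Bearer",
                     "expires_in": expires_in, "scope": scope}

def build_authorize_url(scope):
    """Client step 1: the redirect to the authorization endpoint, with a fresh unguessable state."""
    state = secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": scope,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state

def handle_callback(redirect_url, expected_state):
    """Client step 2: accept a code only if state matches; a forged callback (CSRF) cannot carry it."""
    q = parse_query(redirect_url)
    if "error" in q:
        raise ValueError(q["error"])
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF, callback discarded")
    return q["code"]

def run_code_flow(server, user="alice", scope="payments"):
    """Client step 3: after the redirect round trip, exchange the code for an access token."""
    url, state = build_authorize_url(scope)
    callback = server.authorize(parse_query(url), user)   # user logs in and consents at the server
    code = handle_callback(callback, state)
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    return server.token(basic_auth(CLIENT_ID, CLIENT_SECRET), form)
```

run_code_flow(AuthServer()) returns the HTTP status and the token response in the shape of the JSON slide above. Three properties carry the security: the code is bound to the client and redirect_uri that requested it and is deleted the moment it is redeemed, so a captured code cannot be replayed or redeemed by a different client; the redirect_uri must exactly match a registered value, so a code is never delivered to an attacker’s page; and a callback whose state does not match is discarded before the code is ever sent to the token endpoint.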

Maintaining SDK Consistency

Defining APIs with WADL / WSDL

WSDL 2.0:

    <?xml version="1.0" encoding="UTF-8"?>
    <description xmlns="http://www.w3.org/ns/wsdl" ...>
      <types> … </types>
      <interface name="Interface1"> … </interface>
      <binding name="HttpBinding" interface="tns:Interface1">
        <operation ref="tns:Get" whttp:method="GET"/>
      </binding>
      <binding name="SoapBinding" interface="tns:Interface1" …>
        <operation ref="tns:Get" />
      </binding>
      <service name="Service1" interface="tns:Interface1">
        <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/>
        <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/>
      </service>
    </description>

WADL:

    <?xml version="1.0"?>
    <application xmlns:xsi=…>
      <grammars>
        <include href="NewsSearchResponse.xsd"/>
        <include href="Error.xsd"/>
      </grammars>
      <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
        <resource path="newsSearch">
          <method name="GET" id="search">
            <request>
              <param name="appid" type="xsd:string" required="true"/>
              <param name="query" type="xsd:string" required="true"/>
            </request>
            <response status="400">
              <representation mediaType="application/xml" element="ya:Error"/>
            </response>
          </method>
        </resource>
      </resources>
    </application>

Building SDKs Automatically

Genio (templates): https://github.com/paypal/genio
Genio Parser (model builder): https://github.com/paypal/genio-parser
Genio Samples: https://github.com/paypal/genio-sample
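An added Python example, not Genio’s code: the first stage of a model builder like Genio Parser, reading a WADL into the operation model an SDK is generated from, then using that model to check a call before it is sent. The sample WADL is constructed from the news-search snippet above, with the standard WADL namespace (which the snippet elides) and one nested resource added to show how paths compose.

```python
import xml.etree.ElementTree as ET

WADL_NS = "{http://wadl.dev.java.net/2009/02}"

# Constructed WADL modelled on the news-search example, with the standard WADL
# namespace the slide's snippet elides and a nested resource added for path building.
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
    <resource path="newsSearch">
      <method name="GET" id="search">
        <request>
          <param name="appid" type="xsd:string" required="true"/>
          <param name="query" type="xsd:string" required="true"/>
          <param name="results" type="xsd:int" required="false"/>
        </request>
        <response status="400"/>
      </method>
      <resource path="{query}/related">
        <method name="GET" id="related">
          <request><param name="appid" type="xsd:string" required="true"/></request>
        </method>
      </resource>
    </resource>
  </resources>
</application>"""

def parse_wadl(text):
    """Build the operation model an SDK generator needs: one record per <method> with the
    full URL, its parameters and the declared error statuses. For WADL from an untrusted
    source, swap in defusedxml.ElementTree (same API) to block entity-expansion bombs."""
    root = ET.fromstring(text)
    ops = []
    for resources in root.iter(WADL_NS + "resources"):
        _walk(resources, resources.get("base", ""), ops)
    return ops

def _walk(node, prefix, ops):
    for res in node.findall(WADL_NS + "resource"):
        url = prefix.rstrip("/") + "/" + res.get("path", "").lstrip("/")
        for m in res.findall(WADL_NS + "method"):
            params = [{"name": p.get("name"), "type": p.get("type"),
                       "required": p.get("required") == "true"}
                      for p in m.findall(WADL_NS + "request/" + WADL_NS + "param")]
            statuses = [int(r.get("status")) for r in m.findall(WADL_NS + "response") if r.get("status")]
            ops.append({"id": m.get("id"), "method": m.get("name"), "url": url,
                        "params": params, "error_statuses": statuses})
        _walk(res, url, ops)   # nested <resource> elements extend the parent's path

def missing_required(ops, op_id, supplied):
    """What a generated SDK checks before sending: required params the caller left out."""
    op = next(o for o in ops if o["id"] == op_id)
    return [p["name"] for p in op["params"] if p["required"] and p["name"] not in supplied]
```

parse_wadl(SAMPLE_WADL) yields two operations, search and related, each with a fully resolved URL; a generated client method for search would call missing_required before the request goes out and raise locally instead of round-tripping to collect the 400 the WADL already declares.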

Final Considerations

REST and OAuth are specifications, not religions
Don’t alienate your developers with security
Open source is your friend

Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
