API Security : Patterns and Practices
Transcript of API Security : Patterns and Practices
Page 1
Prabath Siriwardena, Director of Security Architecture, WSO2
API Security Patterns and Practices
Page 2
API Ecosystem
Page 3
Gateway Pattern
• Decouple clients from the actual API implementation
• No point-to-point connections
• Centralized security enforcement
• Centralized auditing & monitoring
• Version control
Page 4
Six key attributes of a secured design
• Only legitimate users can access the system (authentication)
• The system won’t allow users to do anything more than what they are supposed to do (authorization)
• Confidential data can only be seen by the intended recipients, nobody else (confidentiality)
• Integrity of the transactions is protected (integrity)
• Protected for non-repudiation
• The system is available for legitimate users to access, all the time (availability)
Page 5
Direct Authentication
• HTTP Basic Authentication
• HTTP Digest Authentication
• TLS Mutual Authentication
• OAuth 2.0 (for authentication?)
Page 6
HTTP Basic Authentication
Creating a GitHub repository (the username and password travel base64-encoded in the Authorization header, so TLS is the only thing protecting them):

```bash
curl -i -u "$GitHubUserName:$GitHubPassword" -X POST \
  -H 'Content-Type: application/json' \
  -d '{"name": "my_github_repo"}' \
  https://api.github.com/user/repos
```
Page 7
HTTP Digest Authentication

```bash
curl -k --digest -u userName:password -v https://localhost:8443/recipe
```

Server challenge:

```http
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
```

Client response:

```http
Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
```
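How the `response` field in the exchange above is derived, and how a server checks it, as an added example that is not part of the slide deck: the challenge is the one the slide shows, while the username/password pair and the nonce bookkeeping are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """MD5 digest with qop=auth, the variant in the slide's exchange.
    HA1 binds the password to the realm, HA2 binds method and URI, and the final
    hash mixes in the server nonce, the client nonce and the request counter."""
    ha1 = md5hex(f"{username}:{realm}:{password}")  # the password itself never goes on the wire
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (values in this exchange contain no commas)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields

def build_authorization(challenge, username, password, method, uri, nc=1):
    """Client side: answer a WWW-Authenticate challenge with a fresh client nonce."""
    c = parse_digest(challenge)
    cnonce, nc_str = secrets.token_hex(6), f"{nc:08x}"
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"], nc_str, cnonce, c.get("qop", "auth"))
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", uri="{uri}", '
            f'cnonce="{cnonce}", nc={nc_str}, qop="{c.get("qop", "auth")}", response="{resp}", opaque="{c["opaque"]}"')

def verify_authorization(authorization, method, credentials, live_nonces):
    """Server side: recompute the response from the stored password and compare.
    Nonces the server did not issue (or has retired) are rejected, which is what stops a
    captured Authorization header from simply being sent again."""
    f = parse_digest(authorization)
    if f.get("nonce") not in live_nonces or f.get("username") not in credentials:
        return False
    expected = digest_response(f["username"], f["realm"], credentials[f["username"]], method,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f.get("response", ""))

# The challenge from the slide (the server's 401 response).
CHALLENGE = ('Digest realm="cute-cupcakes.com", qop="auth", '
             'nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"')
```

Note that the digest still depends on MD5 and on the server keeping the cleartext password (or HA1) available, which is why the deck treats it as a step up from Basic rather than a replacement for TLS.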
Page 8
HTTP Basic vs. Digest Authentication
Page 9
TLS Mutual Authentication
• The gateway itself does the certificate validation.
• Fine-grained access validations can be done by the authorization server.

```bash
curl -k --cert client.pem https://localhost:8443/recipe
```
Page 10
OAuth 2.0 (authorization code grant type)
Page 11
OAuth 2.0 (implicit grant type)
Page 12
OAuth 2.0 (password grant type)
Page 13
OAuth 2.0 (client credentials grant type)
Page 14
OAuth 2.0 (chained grant type)
Page 15
OAuth 2.0 Tokens: Access Tokens
• Bearer tokens vs. MAC tokens
• TLS is a must
• Pass the access token in the HTTP Authorization header: Authorization: Bearer <token>
• Passing the access token as a URL query parameter, e.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1. (avoid this)
• Request: Cache-Control: no-store; Response: Cache-Control: private
• Shorter life-time – in minutes or hours
• Do not store in cookies
• Issue scoped tokens
Page 16
OAuth 2.0 Tokens: Refresh Tokens
• Must use TLS
• Long-lasting
• No refresh tokens under the implicit grant type, client credentials grant type, SAML grant type or JWT grant type
Page 17
Self-contained Access Tokens
• JWT (RFC 7519)
• Encodes claims to be transmitted as a JSON object
• Can be signed using JWS (JSON Web Signature)
• Can be encrypted using JWE (JSON Web Encryption)
• Represented as a sequence of URL-safe parts separated by period ('.') characters; each part contains a base64url-encoded value

Example:

```
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
```
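Taking the example token above apart, and the checks a resource server runs before trusting a self-contained token, as an added example that is not part of the slide deck. The token is the one on the slide; the signing key used for the freshly issued token is constructed, and the slide's own key is not assumed.

```python
import base64
import hashlib
import hmac
import json
import time

# The token from the slide: header . claims . HMAC-SHA256 signature, each part base64url.
SLIDE_JWT = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
             ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
             ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # re-add stripped padding

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a JWS-signed JWT (HS256), as an authorization server would."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def decode_unverified(token: str):
    """The parts are only encoded, not encrypted: whoever holds the token can read the claims."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)

def validate(token: str, key: bytes, now=None):
    """Resource-server check: pinned algorithm, constant-time signature compare, then exp."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed"
    if header.get("alg") != "HS256":  # never let the token choose the algorithm (e.g. "none")
        return False, "unsupported alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        return False, "expired"
    return True, "ok"
```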
Page 18
Self-issued Access Tokens
• Same as self-contained access tokens
• Issued by the client itself
Page 19
Brokered Authentication
• TLS Mutual Authentication
• OAuth 2.0
Page 20
OAuth 2.0 (decoupling end user authentication from the authorization server)
Page 21
OAuth 2.0 (SAML grant type)
Page 22
OAuth 2.0 (JWT grant type)
Page 23
OAuth 2.0 (External Client)
Page 24
Authorization
Page 25
XACML
Page 26
OAuth & XACML
A given access token has a scope associated with it and it governs the access token’s capabilities
A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.
```
token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
```
Page 27
Token Introspection

Request (the gateway authenticates to the authorization server with its own client credentials):

```http
POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…
```

Response:

```json
{
  "active": true,
  "client_id": "s6BhdRkqt3",
  "scope": "read write dolphin",
  "sub": "2309fj32kl",
  "aud": "http://example.org/protected-resource/*"
}
```
Page 28
XACML Policy

```xml
<Policy>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
          <AttributeDesignator MustBePresent="false"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit_rule" Effect="Permit"></Rule>
  <Rule RuleId="deny_rule" Effect="Deny"></Rule>
</Policy>
```
Page 29
XACML Request

```xml
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
```
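A minimal policy decision point that evaluates the slides' XACML policy against a request of the shape shown above (pages 26 to 29), as an added example that is not part of the slide deck or of any XACML engine. It implements only the one match function the policy uses (string-equal); the request values are built from the slides' example and are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XS, CAT = "http://www.w3.org/2001/XMLSchema#string", "urn:oasis:names:tc:xacml:3.0:attribute-category:"
SCOPE_ID, STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:scope:scope-id", "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# The slides' policy: the Target matches when the scope attribute string-equals
# "user_activities"; permit_rule and deny_rule carry no Target of their own.
POLICY_XML = f"""<Policy><Target><AnyOf><AllOf><Match MatchId="{STRING_EQUAL}">
  <AttributeValue DataType="{XS}"> user_activities</AttributeValue>
  <AttributeDesignator MustBePresent="false" Category="{CAT}scope" AttributeId="{SCOPE_ID}" DataType="{XS}"/>
</Match></AllOf></AnyOf></Target>
<Rule RuleId="permit_rule" Effect="Permit"/><Rule RuleId="deny_rule" Effect="Deny"/></Policy>"""

def attributes(category, attribute_id, value):
    """One <Attributes> block in the shape the slides' request uses."""
    return (f'<Attributes Category="{CAT}{category}"><Attribute AttributeId="{attribute_id}">'
            f'<AttributeValue DataType="{XS}">{value}</AttributeValue></Attribute></Attributes>')

def build_request(client_id, action, scope, resource):
    return ("<Request>" + attributes("oauth-client", "urn:oasis:names:tc:xacml:1.0:client:client-id", client_id)
            + attributes("action", "urn:oasis:names:tc:xacml:1.0:action:action-id", action)
            + attributes("scope", SCOPE_ID, scope)
            + attributes("resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource) + "</Request>")

def request_bag(request_xml):
    """Collect request attributes as {(category, attribute-id): [values]}."""
    bag = {}
    for attrs in ET.fromstring(request_xml).findall("Attributes"):
        for attr in attrs.findall("Attribute"):
            values = [(v.text or "").strip() for v in attr.findall("AttributeValue")]
            bag.setdefault((attrs.get("Category"), attr.get("AttributeId")), []).extend(values)
    return bag

def match(match_el, bag):
    """string-equal Match: true if any value in the designated bag equals the literal."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError("this toy PDP implements only string-equal")
    literal = (match_el.find("AttributeValue").text or "").strip()
    d = match_el.find("AttributeDesignator")
    return literal in bag.get((d.get("Category"), d.get("AttributeId")), [])

def decide(policy_xml, request_xml):
    """Target = AnyOf (OR) of AllOf (AND) of Match; rules combined first-applicable."""
    policy, bag = ET.fromstring(policy_xml), request_bag(request_xml)
    if not any(all(match(m, bag) for m in allof.findall("Match"))
               for allof in policy.find("Target").iter("AllOf")):
        return "NotApplicable"  # the PEP (gateway) must treat this as no access
    for rule in policy.findall("Rule"):  # no rule Target, so the first rule always applies
        return rule.get("Effect")
    return "Deny"
```

Two things the walk-through makes visible: a request whose scope is anything other than user_activities yields NotApplicable rather than Deny, so the gateway must map NotApplicable to a refusal, and because neither rule has a Target the deny_rule is never reached.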
Page 30
Confidentiality
• TLS
• JWE
Page 31
Integrity
• TLS
• JWS
Page 32
Non-repudiation
• JWS
Page 33
High Availability
• Network level measures
• Throttling
• Client level
• User level
Page 34
Thank You