Using OAuth 2

Securing RESTful Payment APIs

Jonathan LeBlancPrincipal Developer Evangelist (PayPal)

Github: http://github.com/jcleblancTwitter: @jcleblanc

The Ultimate Decision

Security Usability

REST Arc

hitect

ure

What a RESTful API isn’t

Our API is RESTful, we support GET, PUT, POST, and DELETE requests

No…actually you just support HTTP…like the rest of the web.

What a RESTful API is

Honor HTTP request verbs

Use proper HTTP status codes

No version numbering in URIs

Return format via HTTP Accept header

Double Rainbow: Discovery via HATEOAS

Does Anyone Actually Do That?

Very few APIs follow pragmatic REST principles

"links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" }]

Adding a

n Auth

Mech

anism

When You Need Access Security

A Few Different Flavors of Usage

User login (authentication)

Application only (bearer tokens)

User Involvement (authorization)

Our App Usage: Bearer Tokens

A Pra

ctica

l Im

plem

entatio

n

Making Your Definitions

<?phpdefine("CLIENT_ID", "YOUR CLIENT ID");define("CLIENT_SECRET", "YOUR CLIENT SECRET"); define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/");define("URI_LIVE", "https://api.paypal.com/v1/");?>

class paypal{ private $access_token; private $token_type; public function __construct(){ $postvals = "grant_type=client_credentials"; $uri = URI_SANDBOX . "oauth2/token"; $auth_response = self::curl($uri, 'POST', $postvals, true); $this->access_token = $auth_response['body']->access_token; $this->token_type = $auth_response['body']->token_type; }

…}

private function curl($url, $method = 'GET', $postvals = null, $auth = false){ $ch = curl_init($url); if ($auth){ $headers = array("Accept: application/json", "Accept-Language: en_US"); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" .CLIENT_SECRET); } else { $headers = array("Content-Type:application/json", "Authorization:{$this->token_type} {$this->access_token}"); }

$options = array( CURLOPT_HEADER => true, CURLINFO_HEADER_OUT => true, CURLOPT_HTTPHEADER => $headers, CURLOPT_RETURNTRANSFER => true, CURLOPT_VERBOSE => true, CURLOPT_TIMEOUT => 10 ); if ($method == 'POST'){ $options[CURLOPT_POSTFIELDS] = $postvals; $options[CURLOPT_CUSTOMREQUEST] = $method; } curl_setopt_array($ch, $options); $response = curl_exec($ch); return $response;}

Making a Call with the Token

public function process_payment($request){ $postvals = $request; $uri = URI_SANDBOX . "payments/payment"; return self::curl($uri, 'POST', $postvals);}

The Last Considerations

REST and OAuth are specifications, not religions

Don’t alienate your developers with security

Open source is your friend

www.slideshare.com/jcleblanc

Thank You! Questions?

Jonathan LeBlancPrincipal Developer Evangelist (PayPal)

Github: http://github.com/jcleblancTwitter: @jcleblanc