WSO2Con EU 2016: Securing APIs: How, What, Why, When

Posted on 13-Feb-2017


Securing Your APIs: How, What, Why and When

Dulanja Liyanage, Technical Lead, WSO2, dulanja@wso2.com

Attributes of a secured design

Authentication: Only legitimate users can access the system

Authorization: The system won't allow users to do anything more than what they are supposed to do

Confidentiality: Confidential data can only be seen by the intended recipients, nobody else

Integrity: The integrity of transactions is protected (tampering in transit or at rest is detected)

Non-repudiation: An entity cannot deny its actions

Auditing: All security-relevant events and anomalies are recorded

Availability: The system is available for legitimate users to access, all the time

HTTP Basic Authentication

•  Creating a GitHub repository

curl -i -u $GitHubUserName:$GitHubPassword -X POST -H 'Content-Type: application/json' -d '{"name":"my_github_repo"}' https://api.github.com/user/repos

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

The header value is the Base64 encoding of Aladdin:OpenSesame. Base64 is an encoding, not encryption, so Basic is only as secure as the TLS channel that carries it. (GitHub has since stopped accepting account passwords on the API; a personal access token is passed in the password position instead.)

HTTP Digest Authentication

curl -k --digest -u username:password -v https://localhost:8443/recipe

Server challenge:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Client response:

Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

HTTP Basic vs. Digest Authentication

Basic Authentication                                        | Digest Authentication
------------------------------------------------------------|------------------------------------------------------------
Sends credentials in clear text (Base64 only encodes them)  | Credentials are never sent in clear text; a digest derived from them is sent
Must be used with transport level security such as TLS      | Does not depend on transport level security to protect the password (but see below)
Only performs authentication                                | Can perform authentication and integrity protection of the body (with qop=auth-int)
User store can store the password as a salted hash          | User store must store the password in clear text, or store HA1 = MD5(username:realm:password)

Caveat: Digest protects only the password. Request and response bodies still travel in the clear, MD5 is weak, and an active attacker can replay or downgrade the challenge, so run Digest over TLS as well. A stored HA1 is password-equivalent for that realm: anyone who reads the user store can authenticate as the user without cracking anything.
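The two schemes above, worked through in code so the difference in what each side must hold and compute is visible. This is an added example, not code from the slides or from WSO2: it builds the Basic header, derives HA1 and the Digest response for qop=auth and qop=auth-int, parses the Authorization header, and verifies it on the server side with replay protection on the (nonce, nc) pair. The password "s3cret" and the user store are constructed for illustration; the slides never show the password behind the Digest header.

```python
import base64
import hashlib
import hmac
import re


def basic_header(username: str, password: str) -> str:
    """HTTP Basic Authorization value (RFC 7617). Base64 is reversible, so
    anyone who can read this header has the password: TLS is mandatory."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only thing the server must store,
    but it is password-equivalent within this realm, so guard the user store."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str, body: bytes = b"") -> str:
    """The 'response' field for algorithm=MD5 (RFC 2617 / RFC 7616)."""
    if qop == "auth":
        ha2 = _md5(f"{method}:{uri}")
    elif qop == "auth-int":
        # auth-int also binds the entity body, so body tampering is detected.
        ha2 = _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        raise ValueError(f"unsupported qop: {qop}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce, nc, cnonce,
                  qop, opaque, body=b"") -> str:
    """Client side: assemble the Authorization header, as curl --digest does."""
    ha1 = digest_ha1(username, realm, password)
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce, qop, body)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", cnonce="{cnonce}", nc={nc}, qop="{qop}", '
            f'response="{resp}", opaque="{opaque}"')


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted values may hold ':' and ',')."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: q or u for k, q, u in _PARAM_RE.findall(value[len("Digest "):])}


class DigestVerifier:
    """Server side: keeps HA1 per user (never the clear-text password) and
    refuses a (nonce, nc) pair it has already accepted. Nonce minting and
    expiry are omitted; a real server must also check that the nonce is one
    it issued recently, otherwise a stale challenge can be replayed."""

    REQUIRED = ("username", "nonce", "nc", "cnonce", "uri", "response")

    def __init__(self, ha1_by_user: dict):
        self.ha1_by_user = ha1_by_user   # constructed user store: username -> HA1
        self._seen = set()

    def verify(self, method: str, header: str, body: bytes = b"") -> bool:
        try:
            p = parse_digest_header(header)
        except ValueError:
            return False
        if any(k not in p for k in self.REQUIRED):
            return False
        ha1 = self.ha1_by_user.get(p["username"])
        if ha1 is None or (p["nonce"], p["nc"]) in self._seen:
            return False
        try:
            expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"],
                                       p["cnonce"], p.get("qop", "auth"), body)
        except ValueError:
            return False
        if not hmac.compare_digest(expected.encode(), p["response"].encode()):
            return False
        self._seen.add((p["nonce"], p["nc"]))
        return True
```

Note that the server never sees the password and never needs it: HA1 is enough to recompute the response, which is exactly why a leaked HA1 is as damaging as a leaked password for that realm.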

TLS Mutual Authentication

curl -k --cert client.pem https://localhost:8443/recipe

(-k disables validation of the server certificate and is only acceptable against a local test server.)

•  Gateway itself does the certificate validation (chain, expiry, revocation)
•  Fine-grained access validations can be done by the authorization server

OAuth

•  Allows applications to act on behalf of end users without sharing credentials
•  Three-legged OAuth
   –  Client, Resource Server and User (Resource Owner)
•  Two-legged OAuth
   –  Client (acting as the Resource Owner) and Resource Server
•  OAuth 1.0a
   –  Restrictive, cumbersome, involves signatures
   –  In practice only Twitter still uses it
•  OAuth 2.0
   –  Depends on TLS (bearer tokens carry no signature, so the channel must protect them)
   –  A framework rather than a concrete standard
   –  Caters to many use cases via grant types

Authorization Code Grant: Suitable for web applications (confidential clients that can keep a client secret).

Implicit Grant: Suitable for mobile, SPA and other untrusted public apps where the client secret cannot be kept private. (Since this talk, the OAuth 2.0 Security Best Current Practice has deprecated the implicit grant; public clients should use the authorization code grant with PKCE, RFC 7636.)

Resource Owner Password Credentials Grant: Suitable only for apps trusted by the Authz Server, e.g. the official FB app. (Also discouraged today, since the app handles the user's password directly.)

Client Credentials Grant: Suitable for retrieving data not specific to end users, e.g. weather/stocks, and for machine-to-machine communications.
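The authorization code grant as a public client would run it today, with PKCE binding the code to the client that requested it and a state value binding the callback to the browser session. This is an added example, not code from the slides or from WSO2 Identity Server: the AuthorizationServer class is a toy authorization server kept in memory, the endpoints https://as.example/authorize and https://app.example/cb and the client id "app1" are constructed, and token issuance is simulated with random strings. It shows why a code stolen from the redirect is useless without the verifier, why a code can be redeemed only once, and why an unregistered redirect_uri is refused.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43-character high-entropy verifier (RFC 7636 allows 43..128 characters)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authz_endpoint, client_id, redirect_uri, scope, state, verifier):
    """Step 1: the client sends the user to the AS with the challenge, not the verifier."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state,
              "code_challenge": code_challenge(verifier), "code_challenge_method": "S256"}
    return f"{authz_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Toy AS (constructed for this example): registered redirect URIs per client,
    single-use codes bound to the PKCE challenge they were issued with."""

    def __init__(self, clients: dict):
        self.clients = clients   # client_id -> set of registered redirect URIs
        self._codes = {}         # code -> (client_id, redirect_uri, challenge)

    def authorize(self, url: str) -> str:
        """Step 2: resource owner approved; issue a code and return the redirect URL."""
        q = {k: vals[0] for k, vals in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        if q.get("redirect_uri") not in self.clients.get(q.get("client_id"), set()):
            raise ValueError("redirect_uri not registered for client")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def exchange(self, code, client_id, redirect_uri, verifier):
        """Step 4: token endpoint. Returns a token dict or None. The code is popped
        first, so a failed attempt burns it and a replay of a good one is refused."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            return None
        if not 43 <= len(verifier) <= 128:
            return None
        if not hmac.compare_digest(code_challenge(verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def handle_redirect(redirect_url: str, expected_state: str):
    """Step 3: client callback. Reject a response whose state does not match the
    one stored in the user's session (CSRF / code injection), else return the code."""
    q = {k: vals[0] for k, vals in parse_qs(urlparse(redirect_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        return None
    return q.get("code")
```

The verifier stays on the client for the whole flow; only its SHA-256 travels in the front channel, so an attacker who captures the authorization code from the redirect cannot complete step 4.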

OAuth 2.0

OAuth 2.0 - Authorization Code Grant

OAuth 2.0 - Decoupling End User Authentication from the Authorization Server

OAuth 2.0 - SAML Grant Type

OAuth 2.0 - JWT Grant Type

OAuth 2.0 - NTLM Grant Type

OAuth 2.0 - Chained Grant Type

Token Introspection

POST /introspection HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{
  "active": true,
  "client_id": "s6BhdRkqt3",
  "scope": "read write dolphin",
  "sub": "2309fj32kl",
  "aud": "http://example.org/protected-resource/*"
}

Standardization of Resource Server -> Authorization Server communication for token validation (RFC 7662). The Basic header authenticates the resource server to the authorization server, so the endpoint is not an open oracle for guessing tokens; the resource server must still check active, exp, aud and scope itself before serving the request.
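The resource-server side of introspection, as an added example that is not part of the slides or of any WSO2 product: one function builds the request shown above (form body plus the resource server's own Basic credentials), and another makes the access decision from the introspection response, checking active, exp/nbf, audience and scope. The SAMPLE response is constructed from the slide's values with an added exp; the resource server's client secret "7Fjfp0ZBr1KtDRbnfVdmIw" is the value encoded in the slide's Basic header. Audience matching is an exact string comparison; whatever wildcard meaning the authorization server attaches to the trailing "/*" is not modelled.

```python
import base64
import time
from urllib.parse import urlencode


def build_introspection_request(token: str, rs_client_id: str, rs_secret: str):
    """What the resource server sends to the AS's introspection endpoint.
    The Basic credentials are the resource server's own, so only registered
    resource servers can ask whether a token is valid."""
    creds = base64.b64encode(f"{rs_client_id}:{rs_secret}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body


def authorize_request(intro: dict, required_scopes, expected_aud: str, now=None) -> bool:
    """Access decision from an RFC 7662 introspection response. Every check
    here is the resource server's job; the AS only reports what it knows."""
    now = time.time() if now is None else now
    if intro.get("active") is not True:          # revoked, expired or unknown token
        return False
    exp = intro.get("exp")
    if exp is not None and now >= exp:           # defensive: do not trust a stale cache
        return False
    nbf = intro.get("nbf")
    if nbf is not None and now < nbf:
        return False
    aud = intro.get("aud")                       # may be a string or a list of strings
    auds = aud if isinstance(aud, list) else ([aud] if aud else [])
    if expected_aud not in auds:                 # token was issued for a different API
        return False
    granted = set(intro.get("scope", "").split())
    return set(required_scopes) <= granted


# Constructed sample modelled on the slide's response, with an exp added.
SAMPLE = {
    "active": True,
    "client_id": "s6BhdRkqt3",
    "scope": "read write dolphin",
    "sub": "2309fj32kl",
    "aud": "http://example.org/protected-resource/*",
    "exp": 1_700_000_000,
}
```

A resource server that caches introspection results must re-check exp locally and bound the cache lifetime, otherwise a revoked token keeps working until the cache entry ages out.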

Fine-grained Authorization with XACML

User-Managed Access (UMA)

•  OAuth 2.0 solves Person-to-Client delegation

•  UMA tries to solve/standardize Person-to-Person delegation, e.g. Luke sharing a doc on Google Drive with 'edit' rights to John and 'view' rights to Peter

•  Introduces an entity named "Requesting Party"

•  IoT has quite interesting scenarios UMA could solve.


Confidentiality:  •  TLS, JWE

Integrity:  •  TLS, JWS

Non-repudiation:  •  JWS signed with an asymmetric algorithm (e.g. RS256/ES256). An HMAC-signed JWS gives integrity but not non-repudiation, since every verifier holds the key and could have produced the signature itself.

Auditing:  •  Audit logs  •  Analytics for fraud/threat detection

Availability:  •  Network level measures  •  Throttling: Client level, User level
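A compact JWS for the integrity bullet above, as an added example that is not part of the slides or of WSO2's code: HS256 signing and verification using only the standard library, with the two checks a verifier most often gets wrong, an algorithm allow-list (so a token claiming alg "none" or a different algorithm is rejected before any comparison) and a constant-time signature comparison. The shared key and payload are constructed. Because the same key both signs and verifies, this gives integrity for the parties holding the key but not non-repudiation; for that the signer needs a private key (RS256/ES256), which needs a crypto library and is not shown here.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}   # allow-list: the token must not choose its own algorithm


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jws_hs256(payload: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the signing input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." +
                     b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jws(token: str, key: bytes):
    """Return the payload dict if the signature verifies under an allowed alg, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:                       # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None                          # covers alg "none" and algorithm switching
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(b64url_decode(p_b64))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None
```

Verification recomputes the MAC over the exact base64url segments received, never over re-serialized JSON, because any re-encoding difference would break an otherwise valid signature.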

Thank You!

#WSO2ConEU

Share your feedback for this session: wso2con.com/app