Using OAuth 2
Securing RESTful Payment APIs
Jonathan LeBlancPrincipal Developer Evangelist (PayPal)
Github: http://github.com/jcleblancTwitter: @jcleblanc
The Ultimate Decision
Security Usability
REST Arc
hitect
ure
What a RESTful API isn’t
Our API is RESTful, we support GET, PUT, POST, and DELETE requests
No…actually you just support HTTP…like the rest of the web.
What a RESTful API is
Honor HTTP request verbs
Use proper HTTP status codes
No version numbering in URIs
Return format via HTTP Accept header
Double Rainbow: Discovery via HATEOAS
Does Anyone Actually Do That?
Very few APIs follow pragmatic REST principles
"links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" }]
Adding a
n Auth
Mech
anism
When You Need Access Security
A Few Different Flavors of Usage
User login (authentication)
Application only (bearer tokens)
User Involvement (authorization)
Our App Usage: Bearer Tokens
A Pra
ctica
l Im
plem
entatio
n
Making Your Definitions
<?phpdefine("CLIENT_ID", "YOUR CLIENT ID");define("CLIENT_SECRET", "YOUR CLIENT SECRET"); define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/");define("URI_LIVE", "https://api.paypal.com/v1/");?>
class paypal{ private $access_token; private $token_type; public function __construct(){ $postvals = "grant_type=client_credentials"; $uri = URI_SANDBOX . "oauth2/token"; $auth_response = self::curl($uri, 'POST', $postvals, true); $this->access_token = $auth_response['body']->access_token; $this->token_type = $auth_response['body']->token_type; }
…}
private function curl($url, $method = 'GET', $postvals = null, $auth = false){ $ch = curl_init($url); if ($auth){ $headers = array("Accept: application/json", "Accept-Language: en_US"); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" .CLIENT_SECRET); } else { $headers = array("Content-Type:application/json", "Authorization:{$this->token_type} {$this->access_token}"); }
$options = array( CURLOPT_HEADER => true, CURLINFO_HEADER_OUT => true, CURLOPT_HTTPHEADER => $headers, CURLOPT_RETURNTRANSFER => true, CURLOPT_VERBOSE => true, CURLOPT_TIMEOUT => 10 ); if ($method == 'POST'){ $options[CURLOPT_POSTFIELDS] = $postvals; $options[CURLOPT_CUSTOMREQUEST] = $method; } curl_setopt_array($ch, $options); $response = curl_exec($ch); return $response;}
Making a Call with the Token
public function process_payment($request){ $postvals = $request; $uri = URI_SANDBOX . "payments/payment"; return self::curl($uri, 'POST', $postvals);}
The Last Considerations
REST and OAuth are specifications, not religions
Don’t alienate your developers with security
Open source is your friend
www.slideshare.com/jcleblanc
Thank You! Questions?
Jonathan LeBlancPrincipal Developer Evangelist (PayPal)
Github: http://github.com/jcleblancTwitter: @jcleblanc
Top Related