
Securing RESTful APIs using OAuth 2 and OpenID Connect

Constructing a successful and simple API is the lifeblood of your developer community. As we construct our API we need a secure way to authenticate and track apps and requests; OAuth 2 provides us with a secure and open way of doing just this. In this talk, we will examine REST and OAuth 2 as standards for building secure API infrastructures, exploring architectural decisions in choosing REST standard variations and implementations of OAuth 2.

jcleblanc


Presentation Transcript


  1. Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal

  2. Why do we Need This?

  3. Poor Password Choices
     • 4.7% of users have the password password
     • 8.5% have the passwords password or 123456
     • 9.8% have the passwords password, 123456 or 12345678
     • 14% have a password from the top 10 passwords
     • 40% have a password from the top 100 passwords
     • 79% have a password from the top 500 passwords
     • 91% have a password from the top 1000 passwords

  4. …And of What’s Left
     1. Pet’s name
     2. Significant dates (like a wedding anniversary)
     3. Date of birth of close relation
     4. Child’s name
     5. Other family member’s name
     6. Place of birth
     7. Favorite holiday
     8. Something related to favorite football team
     9. Current partner’s name

  5. Handing Over Account Passwords

  6. Malicious Applications

  7. Aspects of Revocation

  8. App Revoked by User
     App Revoked by Service Provider

  9. Path to the Standard

  10. Username & Password to Auth

  11. Rise of the Token

  12. Two Widely Used Specifications

  13. REST Request Components

  14. How Requests are Made
      curl -v https://api.sandbox.paypal.com/v1/payments/payment \
        -H "Content-Type:application/json" \
        -d '{
          "intent": "sale",
          "payer": { ... },
          "transactions": [{ "amount": { ... } }]
        }'

  15. How Auth is Added in
      curl -v https://api.sandbox.paypal.com/v1/payments/payment \
        -H "Content-Type:application/json" \
        -H "Authorization: Bearer {accessToken}" \
        -d '{
          "intent": "sale",
          "payer": { ... },
          "transactions": [{ "amount": { ... } }]
        }'

  16. Attack Vectors
      • Man in the Middle
      • Replay Attacks
      • Cross-Site Request Forgery (CSRF)

  17. Adding in the Auth

  18. Reasons for Auth
      • Rate Limiting and Attack Vector Protection
      • Having the ability to revoke application access
      • Needing to allow users to revoke an application's access to their data

  19. When You Need Access Security

  20. User Login (authentication)
      User Involvement (authorization)
      Application Only (monitoring)

  21. Practical Implementation

  22. Redirect the User to Log In
      Prepare the Redirect URI -> Authorization Endpoint
        client_id
        response_type (token)
        scope
        redirect_uri
      Browser Redirect -> Redirect URI

  23. Fetching the Access Token
      Fetch the Access Token -> Access Token Endpoint (HTTP POST)
        client_id
        client_secret
        grant_type
        code

  24. Fetching the Access Token
      curl https://api.sandbox.paypal.com/v1/oauth2/token \
        -H "Accept: application/json" \
        -H "Accept-Language: en_US" \
        -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" \
        -d "grant_type=client_credentials"

  25. Access Token Response
      {
        "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card",
        "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
        "token_type": "Bearer",
        "app_id": "APP-6XR95014SS315863X",
        "expires_in": 28800
      }

  26. Using the Access Token
      Fetch Privileged Resources -> Resource Endpoint (HTTP GET / PUT / POST / DELETE)
        Token Type (Authorization header)
        Access Token (Authorization header)

  27. Using the Access Token
      curl -v https://api.sandbox.paypal.com/v1/payments/payment \
        -H "Content-Type:application/json" \
        -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" \
        -d "{...}"
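The flow on slides 22 through 27, written out as an added Python example (it is not code from the talk or from PayPal): it builds the redirect to the authorization endpoint with a state value for the CSRF case from slide 16, checks the callback, builds the token POST with HTTP Basic client authentication as curl -u does, parses a slide-25 style response and attaches the Bearer header while refusing expired tokens. It uses the authorization-code variant that slide 23's code exchange implies; the endpoint URLs, client credentials and token values are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder endpoints; substitute the provider's real ones.
AUTHZ_ENDPOINT = "https://auth.example.test/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/oauth2/token"
REDIRECT_URI = "https://app.example.test/callback"

def build_authorize_url(client_id, scope, state):
    """Slide 22: URL the browser is sent to. `state` is an unguessable
    per-session value the callback must echo back (the CSRF check)."""
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect; refuse a callback with the wrong state."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our session")
    return qs["code"][0]

def build_token_request(client_id, client_secret, code):
    """Slides 23/24: token-endpoint POST; the client authenticates with HTTP
    Basic, the same header curl -u sends."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + cred, "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return TOKEN_ENDPOINT, headers, body

def parse_token_response(raw_json, now=None):
    """Slide 25: keep the token plus an absolute expiry computed from expires_in."""
    tok = json.loads(raw_json)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % tok.get("token_type"))
    now = time.time() if now is None else now
    return {"access_token": tok["access_token"], "scope": tok.get("scope", ""),
            "expires_at": now + int(tok["expires_in"])}

def bearer_header(token, now=None):
    """Slides 26/27: Authorization header for resource calls; never send an expired token."""
    now = time.time() if now is None else now
    if now >= token["expires_at"]:
        raise ValueError("access token expired; fetch a new one")
    return {"Authorization": "Bearer " + token["access_token"]}
```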

  28. Maintaining SDK Consistency

  29. Defining APIs with WADL / WSDL

  30. <?xml version="1.0" encoding="UTF-8"?>
      <description xmlns="http://www.w3.org/ns/wsdl" ...>
        <types> … </types>
        <interface name="Interface1"> … </interface>
        <binding name="HttpBinding" interface="tns:Interface1">
          <operation ref="tns:Get" whttp:method="GET"/>
        </binding>
        <binding name="SoapBinding" interface="tns:Interface1" …>
          <operation ref="tns:Get" />
        </binding>
        <service name="Service1" interface="tns:Interface1">
          <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/>
          <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/>
        </service>
      </description>

  31. <?xml version="1.0"?>
      <application xmlns:xsi=…>
        <grammars>
          <include href="NewsSearchResponse.xsd"/>
          <include href="Error.xsd"/>
        </grammars>
        <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
          <resource path="newsSearch">
            <method name="GET" id="search">
              <request>
                <param name="appid" type="xsd:string" required="true"/>
                <param name="query" type="xsd:string" required="true"/>
              </request>
              <response status="400">
                <representation mediaType="application/xml" element="ya:Error"/>
              </response>
            </method>
          </resource>
        </resources>
      </application>

  32. Building SDKs Automatically
      Genio (templates): https://github.com/paypal/genio
      Genio Parser (model builder): https://github.com/paypal/genio-parser
      Genio Samples: https://github.com/paypal/genio-sample
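A small WADL reader, added here as an example (it is not code from the talk or from the Genio projects): it walks the slide-31 document into the per-operation model an SDK generator needs, pulling out the full URL, the HTTP verb, the required parameters and the documented error statuses. The WADL is embedded inline as a constructed sample with the elided xmlns:xsi declaration omitted, and the reader strips namespaces so it also accepts documents that declare the WADL namespace; only top-level resources are handled.

```python
import xml.etree.ElementTree as ET

# The WADL from slide 31, embedded as a constructed sample (the elided
# xmlns:xsi declaration is dropped; nothing below depends on it).
SAMPLE_WADL = """<?xml version="1.0"?>
<application>
  <grammars>
    <include href="NewsSearchResponse.xsd"/>
    <include href="Error.xsd"/>
  </grammars>
  <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
    <resource path="newsSearch">
      <method name="GET" id="search">
        <request>
          <param name="appid" type="xsd:string" required="true"/>
          <param name="query" type="xsd:string" required="true"/>
        </request>
        <response status="400">
          <representation mediaType="application/xml" element="ya:Error"/>
        </response>
      </method>
    </resource>
  </resources>
</application>"""

def _local(tag):
    """Strip any XML namespace so namespaced and bare WADL both parse."""
    return tag.rsplit("}", 1)[-1]

def parse_wadl(text):
    """One record per <method>: id, verb, full URL, params, error statuses."""
    root = ET.fromstring(text)
    ops = []
    for resources in (e for e in root.iter() if _local(e.tag) == "resources"):
        base = resources.get("base", "")
        for resource in (e for e in resources if _local(e.tag) == "resource"):
            url = base + resource.get("path", "")
            for method in (e for e in resource if _local(e.tag) == "method"):
                params = [(p.get("name"), p.get("type"), p.get("required") == "true")
                          for p in method.iter() if _local(p.tag) == "param"]
                errors = [int(r.get("status")) for r in method.iter()
                          if _local(r.tag) == "response" and r.get("status")]
                ops.append({"id": method.get("id"), "verb": method.get("name"),
                            "url": url, "params": params, "error_statuses": errors})
    return ops

def required_params(op):
    """Names a generated SDK method must demand from its caller."""
    return [name for name, _type, req in op["params"] if req]
```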

  33. Final Considerations
      • REST and OAuth are specifications, not religions
      • Don’t alienate your developers with security
      • Open source is your friend

  34. Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
