API Security : Patterns and Practices

1. API Security: Patterns and Practices
Prabath Siriwardena, Director of Security Architecture, WSO2

2. API Ecosystem

3. Gateway Pattern
• Decouple clients from the actual API implementation
• No point-to-point connections
• Centralized security enforcement
• Centralized auditing & monitoring
• Version control

4. Six key attributes of a secured design
• Only legitimate users can access the system (authentication)
• The system won't allow users to do anything more than what they are supposed to do (authorization)
• Confidential data can only be seen by the intended recipients, nobody else (confidentiality)
• The integrity of transactions is protected (integrity)
• Protected for non-repudiation
• The system is available for legitimate users to access, all the time (availability)

5. Direct Authentication
• HTTP Basic Authentication
• HTTP Digest Authentication
• TLS Mutual Authentication
• OAuth 2.0 (for authentication?)

6. HTTP Basic Authentication
Creating a GitHub repository:

    curl -I -u $GitHubUserName:$GitHubPassword -X POST \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d '{"name": "my_github_repo"}' https://api.github.com/user/repos

7. HTTP Digest Authentication

    curl -k --digest -u userName:password -v https://localhost:8443/recipe

Server challenge:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth",
        nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422",
        opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Client request (second round, carrying the computed response instead of the password):

    Authorization: Digest username="prabath", realm="cute-cupcakes.com",
        nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe",
        cnonce="MTM5MDc4", nc=00000001, qop="auth",
        response="f5bfb64ba8596d1b9ad1514702f5a062",
        opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
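How the exchange above is checked on the server, as an added example that is not part of the deck: the client builds the Authorization header with the RFC 2617 qop=auth computation, and the server recomputes the response from its stored password, rejects a repeated nonce count as a replay and compares in constant time. The realm, nonce and opaque values are the slide's; the password and the user store are constructed.

```python
import hashlib
import hmac
import re
import secrets

# Challenge values copied from the slide's captured exchange; the password is a
# constructed sample (the deck never shows it, and Digest never sends it).
REALM = "cute-cupcakes.com"
NONCE = "1390781967182:c2db4ebb26207f6ed38bb08eeffc7422"
OPAQUE = "F5288F4526B8EAFFC4AC79F04CA8A6ED"
CREDENTIALS = {"prabath": "sample-password"}  # constructed, server-side store


def _md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(username, REALM, password)  # HA1 = MD5(username:realm:password)
    ha2 = _md5(method, uri)                # HA2 = MD5(method:uri)
    return _md5(ha1, nonce, nc, cnonce, qop, ha2)


def client_authorization_header(username, password, method, uri, nc="00000001", cnonce=None):
    """What curl --digest sends on its second request (the Authorization header value)."""
    cnonce = cnonce or secrets.token_hex(4)
    resp = digest_response(username, password, method, uri, NONCE, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{NONCE}", uri="{uri}", '
            f'cnonce="{cnonce}", nc={nc}, qop="auth", response="{resp}", opaque="{OPAQUE}"')


def parse_digest(header):
    """Split the comma-separated key=value list; nc is unquoted, the rest are quoted."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', header[7:])}


def verify(header, method, uri, seen_nonces):
    """Server side: recompute the response from the stored password and compare."""
    p = parse_digest(header)
    if p.get("qop") != "auth" or p.get("nonce") != NONCE or p.get("opaque") != OPAQUE:
        return False  # not a reply to our challenge
    if p.get("uri") != uri or (NONCE, p.get("nc")) in seen_nonces:
        return False  # digest must cover the requested URI; a repeated nc is a replay
    password = CREDENTIALS.get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], password, method, uri, NONCE, p.get("nc", ""), p.get("cnonce", ""))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return False
    seen_nonces.add((NONCE, p.get("nc", "")))
    return True
```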
8. HTTP Basic vs. Digest Authentication

9. TLS Mutual Authentication
• The gateway itself does the certificate validation
• Fine-grained access validations can be done by the authorization server.

    curl -k --cert client.pem https://localhost:8443/recipe

10. OAuth 2.0 (authorization code grant type)

11. OAuth 2.0 (implicit grant type)

12. OAuth 2.0 (password grant type)

13. OAuth 2.0 (client credentials grant type)

14. OAuth 2.0 (chained grant type)

15. OAuth 2.0 Tokens
• Access Tokens
  • Bearer tokens vs. MAC
  • TLS is a must
  • Pass the access token in the HTTP Authorization header:
    Authorization: Bearer <token>
  • Passing the access token as a URL query parameter: avoid this
    • Request: Cache-Control: no-store
    • Response: Cache-Control: private
    • E.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1.
  • Shorter lifetime: in minutes or hours
  • Do not store in cookies
  • Issue scoped tokens

16. OAuth 2.0 Tokens
• Refresh Tokens
  • Must use TLS
  • Long-lasting
  • No refresh tokens under:
    • implicit grant type
    • client credentials grant type
    • SAML grant type
    • JWT grant type

17. Self-contained Access Tokens
• JWT
  • RFC 7519
  • Encodes claims to be transmitted as a JSON object
  • Can be signed using JWS (JSON Web Signature)
  • Can be encrypted using JWE (JSON Web Encryption)
  • Represented as a sequence of URL-safe parts separated by period ('.') characters
  • Each part contains a base64url-encoded value
  • Example:

    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
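An added example, not from the deck, of what a resource server does with a self-contained token like the one above: split and decode the three base64url parts, pin the JWS algorithm before trusting anything, verify the HMAC in constant time, and only then check exp and iss. The token is the slide's example; the shared key is constructed, so that particular signature will not verify here and a freshly minted token is used for the positive case.

```python
import base64
import hashlib
import hmac
import json
import time

# Token copied from the slide (it is the RFC 7515 HS256 example). The key below is a
# constructed sample, so the slide's own signature will not verify against it.
SLIDE_JWT = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
             ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
             ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
SAMPLE_KEY = b"constructed-shared-secret-for-this-example-only"


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore dropped padding

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_unverified(token):
    """Split the three dot-separated parts and parse header and claims (nothing trusted yet)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64

def sign_hs256(claims, key):
    """Mint a compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(b64url_encode(json.dumps(o, separators=(",", ":")).encode())
                             for o in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, key, expected_iss, now=None):
    """Resource-server check: pin the algorithm, verify the MAC, then check the claims."""
    header, claims, sig_b64 = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm (e.g. "none")
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    return claims
```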
18. Self-issued Access Tokens
• Same as self-contained access tokens
• Issued by the client itself

19. Brokered Authentication
• TLS Mutual Authentication
• OAuth 2.0

20. OAuth 2.0 (decoupling end user authentication from the authorization server)

21. OAuth 2.0 (SAML grant type)

22. OAuth 2.0 (JWT grant type)

23. OAuth 2.0 (External Client)

24. Authorization

25. XACML

26. OAuth & XACML
• A given access token has a scope associated with it, and that scope governs the access token's capabilities
• A user delegates access to his Facebook profile to a third party under the scope "user_activities". This provides access to the user's list of activities as the activities connection. To achieve fine-grained access control, this can be represented in an XACML policy.

    token=gfgew789hkhjkew87
    resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities

27. Token Introspection

    POST /introspection HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

    token=X3241Affw.4233-99JXJ&resource_id=…

    {
      "active": true,
      "client_id": "s6BhdRkqt3",
      "scope": "read write dolphin",
      "sub": "2309fj32kl",
      "aud": "http://example.org/protected-resource/*"
    }
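An added example, not from the deck, of the gateway-side decision once the introspection response above has come back: a request is allowed only if the token is active, the requested URL falls under the token's aud pattern, and the granted scope covers the method on that resource (deny by default otherwise). The introspection JSON is the slide's; the resource-to-scope mapping and the request URLs are constructed.

```python
import fnmatch
import json
from urllib.parse import urlsplit

# Introspection response copied from the slide (RFC 7662 style).
SLIDE_INTROSPECTION = json.loads("""{
  "active": true,
  "client_id": "s6BhdRkqt3",
  "scope": "read write dolphin",
  "sub": "2309fj32kl",
  "aud": "http://example.org/protected-resource/*"
}""")

# Which scope each method needs on a given path (constructed for this example).
REQUIRED_SCOPE = {
    ("GET", "/protected-resource/dolphins"): "read",
    ("POST", "/protected-resource/dolphins"): "write",
    ("DELETE", "/protected-resource/dolphins"): "admin",
}


def authorize(introspection, method, resource_url):
    """Gateway decision after introspection: active token, intended audience, sufficient scope."""
    if introspection.get("active") is not True:
        return False  # revoked, expired or unknown token: the rest of the response is meaningless
    auds = introspection.get("aud", [])
    auds = [auds] if isinstance(auds, str) else auds  # aud may be a string or a list
    if not any(fnmatch.fnmatchcase(resource_url, pattern) for pattern in auds):
        return False  # token was issued for a different resource server
    needed = REQUIRED_SCOPE.get((method, urlsplit(resource_url).path))
    if needed is None:
        return False  # unmapped method/resource: deny by default
    granted = set(introspection.get("scope", "").split())  # space-separated scope list
    return needed in granted
```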
28. XACML Policy

    <Policy>
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
              <AttributeDesignator MustBePresent="false"
                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <Rule RuleId="permit_rule" Effect="Permit">
      </Rule>
      <Rule RuleId="deny_rule" Effect="Deny">
      </Rule>
    </Policy>

29. XACML Request

    <Request>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>

30. Confidentiality
• TLS
• JWE

31. Integrity
• TLS
• JWS

32. Non-repudiation
• JWS

33. High Availability
• Network level measures
• Throttling
  • Client level
  • User level

34. Thank You
