Deconstructing and Evolving REST Security

#RESTSecurity @radcortez @tomitribetribestream.io
XantarJ
Deconstruc-ng REST Security
Roberto Cortez
Tomitribe

XantarJ
Passionate Developer, Blogger, Youtuber, Speaker, JUG Leader, Java
Champion
twi;er:
@radcortez
blog:
h;p://www.radcortez.com
youtube:
h;p://youtube.com/radcortez
mail:
radcortez@yahoo.com
Who am I?

XantarJ
“The nice thing about standards is
you have so many to choose from.”
- Andrew S. Tanenbaum

@dblevins @tomitribe#RESTSecurity @radcortez @tomitribetribestream.io
XantarJ Focus Areas
• Beyond Basic Auth
• Theory of OAuth 2.0
• IntroducKon of JWT
• Google/Facebook style API security
• Stateless vs Stateful Architecture
• HTTP Signatures
• Amazon EC2 style API security

XantarJ Baseline Architecture
1000 users
x 3 TPS
4 hops
3000 TPS
frontend
12000 TPS
backend

XantarJ
Basic Auth
(and its problems)

XantarJ Basic Auth Message
POST /painter/color/object HTTP/1.1
Host: localhost:8443
Authorization: Basic c25vb3B5OnBhc3M=
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"b":255,"g":0,"name":"blue","r":0}}

XantarJ Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
(no auth)
3000 TPS
(LDAP)
12000 TPS
(HTTP)

XantarJ Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
username+password
Base64
15000 TPS
(LDAP)
Password Sent
12000 TPS
(HTTP)

XantarJ Basic Auth
Password Sent
3000 TPS
(HTTP+SSL)
username+password
Base64
IP
whitelisKng
3000 TPS
(LDAP)
12000 TPS
(HTTP)

XantarJ
“Hey, give me all
of Joe’s salary
information.”
“I don’t know
who you are,
…
but sure!”

XantarJ
Latveria A;acks!!

XantarJ

XantarJ Basic Auth - A;acks
Valid
Password Sent
3000 TPS
(HTTP+SSL) IP
whitelisKng
9000 TPS
(LDAP)
12000 TPS
(HTTP)
Invalid
Password Sent
6000 TPS
(HTTP+SSL)

XantarJ
OAuth 2.0
(and its problems)

XantarJ OAuth 2 - Password Grant
(LDAP)
(Token Store)
POST /oauth2/token
Host: api.superbiz.io
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
}
Verify
Password
Generate
Token

XantarJ OAuth 2.0 Message
POST /painter/color/object HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
Accept: */*
Content-Length: 45
{"color":{"r":0,"g":0,"b":255,"name":"blue"}}

POST /painter/color/palette HTTP/1.1
Accept: */*
Content-Length: 45
{"color":{"r":0,"g":255,"b":0,"name":"green"}}

POST /painter/color/select HTTP/1.1
Accept: */*
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}

POST /painter/color/fill HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

POST /painter/color/stroke HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":255,"g":200,"b":255,"name":"orange"}}

XantarJ
401

XantarJ OAuth 2 - Refresh Grant
(LDAP)
(Token Store)
Verify
Password
Generate
Token
POST /oauth2/token
Accept: */*
Content-Length: 54
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
HTTP/1.1 200 OK
Pragma: no-cache
{
"access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
"expires_in":3600,
"refresh_token":"hyT5rw1QNh5Ttg2hdtR54e",
}

XantarJ
Old pair
• Access Token 2YotnFZFEjr1zCsicMWpAA
• Refresh Token tGzv3JOkF0XG5Qx2TlKWIA
New pair
• Access Token 6Fe4jd7TmdE5yW2q0y6W2w
• Refresh Token hyT5rw1QNh5Ttg2hdtR54e

POST /painter/color/palette HTTP/1.1
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
Accept: */*
Content-Length: 46
{"color":{"r":0,"g":255,"b":0,"name":"green"}}

POST /painter/color/select HTTP/1.1
Accept: */*
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}

POST /painter/color/fill HTTP/1.1
Accept: */*
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}

XantarJ
What have we achieved?

XantarJ
You have more passwords
(at least your devices do)

XantarJ Term Alert
• Password Grant???
• Logging in
• Token?
• Slightly less crappy password
• Equally crappy HTTP Session ID

XantarJ OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisKng
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend

XantarJ
“Who the heck
is
6Fe4jd7TmdE5y
W2q0y6W2w
???????”
“No idea, dude.
Ask the token
server.”

XantarJ OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisKng
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend

XantarJ OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisKng
3000 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
12000 TPS
(token checks)
8 hops
24000 TPS
backend
55% of all traﬃc

XantarJ OAuth 2
Tokens Sent
3000 TPS
(HTTP+SSL)
IP
whitelisKng
0 TPS
(token checks)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
0 TPS
(token checks)
0 hops
0 TPS
backend

XantarJ OAuth 2
Pointer Pointer
State

XantarJ
Access Token
Access Pointer?
Access Primary Key?

XantarJ
OAuth 2.0
High Frequency Password
Exchange Algorithm?

XantarJ
Problem: how to detect if a ﬁle's
contents have changed?

XantarJ
Hashing and Signing
Symmetric and Asymmetric

XantarJ Hashing Data

XantarJ
01010000010001000011011011101000110101001001100001010011110000
00111010101111111111111111000101111101001110111000100010000000000
111111101011100001001100100000101011111001101111111100111011000011
111011001101100100000101011110011001100001011011110101110110001

XantarJ More Bits the Be;er

XantarJ Spain beats Croa-a 6 - 0

XantarJ Spain beats Croa-a 6 - 5

XantarJ Protec-ng the Hash
HMAC (Symmetric)
RSA (Asymmetric)
abc123 abc123
private
public

XantarJ HMAC (Symmetric)
Read &
Write
Read

& Write
Shared and equal relationship

XantarJ RSA (Asymmetric)
Write
Read
Read
Read
One side has more authority
* the reverse is possible

XantarJ Distributed Read-Only Data
Can Write
Read
Read
Read
Data
Encrypted
Hash of Data

XantarJ
How many RSA keys does Susan
need to sign
1,000,000
documents?

XantarJ
one

XantarJ
OAuth 2.0
+
JSon Web Tokens (JWT)

XantarJ JSon Web Token
• Pronounced “JOT”
• Fancy JSON map
• Base64 URL Encoded
• Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
• Built-in expiraKon

XantarJ • { "alg": “RS256", "typ": “JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": [
“twitter”, "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv
0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzl
LJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo

XantarJ Access Token Now
• header (JSON > Base64 URL Encoded)
• describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
• Basically a map of whatever you want to put in it
• Some standard entries such as expiraKon
• signature (Binary > Base64 URL Encoded
• The actual digital signature
• made exclusively by the /oauth2/token endpoint
• If RSA, can be checked by anyone

XantarJ Access Token Previously
• 6Fe4jd7TmdE5yW2q0y6W2w

XantarJ Access Token Now
• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi
10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb
m9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRw
czovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiI
sInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaW
VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O
TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz
IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8
DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta
Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0
98ocefuv08TdzRxqYoEqYNo

XantarJ
Subtle But High Impact
Architectural Change

XantarJ
What we had
(quick recap)

XantarJ
(LDAP)
Pull User Info
From IDP

XantarJ
(LDAP)
Generate an
Access Token
(pointer)

XantarJ
(LDAP)
Insert both
into DB

XantarJ
(LDAP)
Send Access Token (pointer)
to client

XantarJ
Results
Client Holds Pointer Server Holds State

XantarJ
What we can do now
(Hello JWT!)

XantarJ
(LDAP)
Format the data
as JSON

XantarJ
(LDAP)
RSA-SHA 256
sign JSON private

XantarJ
(LDAP)
Insert only
pointer
into DB
(for revoca*on)

XantarJ
(LDAP)
Send Access Token (state)
to client

XantarJ
Client Holds State Server Holds Pointer
Desired
Results

(LDAP)
(Token ID Store)
POST /oauth2/token
Accept: */*
Content-Length: 54
Verify
Password
Generate
Signed
Token
HTTP/1.1 200 OK
Pragma: no-cache
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM
i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0
LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M
TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ
9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8
OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO
EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh
VDaiqmhct098ocefuv08TdzRxqYoEqYNo",
"expires_in":3600,
"refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL",
}

XantarJ OAuth 2.0 Message with JWT
POST /painter/color/palele HTTP/1.1 
Host: api.superbiz.io 
Authoriza-on: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR
va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ
iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl
6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ
vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
User-Agent: curl/7.43.0 
Accept: */* 
Content-Type: applicaKon/json 
Content-Length: 46 
 
{"color":{"b":0,"g":255,"r":0,"name":"green"}}

XantarJ OAuth 2 + JWT
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
(refresh token checks)
(30 minute expiraKon)
Password Sent
1000/daily
(HTTP+SSL)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
(signature veriﬁcaKon)
12000 TPS
(signature veriﬁcaKon)(private key)
(public key)

XantarJ
Impact on the Backend

XantarJ
“Hey, give me all
of Joe’s salary
information.”
“Not a chance!”

XantarJ
“Hey, give me all
of Joe’s salary
information.”
“Sure thing!”
Every Microservice Has the Gateway's Public Key

XantarJ
Latveria A;acks!!
(again)

XantarJ OAuth 2 + JWT
Valid
Tokens Sent
3000 TPS
(HTTP+SSL)
0.55 TPS
Password Sent
1000/daily
(HTTP+SSL)
(LDAP)
4 hops
12000 TPS
backend
9000 TPS
12000 TPS
Invalid
Tokens Sent
12000 TPS
(HTTP+SSL)
(private key)
(public key)

XantarJ
HTTP Signatures
(Amazon EC2 style API Security)

XantarJ HTTP Signatures
• No “secret” ever hits the wire
• Signs the message itself
• Proves idenKty
• Prevents message tampering
• Symmetric or Asymmetric signatures
• IETF Drat
• hlps://tools.ieu.org/html/drat-cavage-hlp-signatures
• Extremely simple
• Does NOT eliminate beneﬁts of JWT

XantarJ Signing a Message
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */* 
 
Take the full http
message

Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */* 
 
Select the parts

you want to protect

(request-target): POST /painter/color/palele 
host: api.superbiz.io 
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
Create a

Signing String

(request-target): POST /painter/color/palele 
host: api.superbiz.io 
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
Aj2FGgCdGhIp6LFXjxSxBsSwTp9i
C7t7nmRZs-hrYcQ
Hash the string

(sha256 shown)

Aj2FGgCdGhIp6LFXjxSxBsSwTp9i
C7t7nmRZs-hrYcQ
Encrypt the hash

(hmac shown)
j050ZC4iWDW40nVx2oVwBEymX
zwvsgm+hKBkuw04b+w=

Signature
keyId=“orange-1234",
algorithm="hmac-sha256",
headers="(request-target) host date content-length”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" 
Put it all together

XantarJ Signed Message
AuthorizaKon: Signature keyId=“orange-1234",
algorithm="hmac-sha256",
headers="(request-target) host date content-length”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" 
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */* 
 

XantarJ Signature Auth
Password Sent
0 TPS
(HTTP)
Signature (no auth)
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)

XantarJ Signature Auth
Password Sent
0 TPS
(HTTP)
Signature Signature
3000 TPS
(LDAP or Keystore)
12000 TPS
(HTTP)

XantarJ
“Hey, give me all
of Joe’s salary
information.”
“Hey, Larry!
Sure!”
Issue Returns
(bad)

XantarJ
OAuth 2.0 Proof-of-Possession
(JWT + HTTP Signatures)

XantarJ
Key Value
IdenKty InformaKon
(JWT)
Key ID
Proof Of IdenKty
(HTTP Signature)

XantarJ
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "access-token",
"iss": "hlps://demo.superbiz.com/oauth2/token",
"scopes": ["twiler”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jK": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFX
GDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token

XantarJ
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "pop",
"cnf":{ "kid": "green-1234" }
"iss": "hlps://demo.superbiz.com/oauth2/token",
"scopes": ["twiler”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jK": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFX
GDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token

(LDAP)
(Token ID Store)
POST /oauth2/token
Accept: */*
Content-Length: 54
Verify
Password
Generate
Signed
Token
HTTP/1.1 200 OK
Pragma: no-cache
{
"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6M
TMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2",
"token_type":"pop",
"expires_in":3600,
"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5
jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M",
"key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ
2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1
MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlS
ci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5W
WFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZ
PeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd
2ZzIiwiYWxnIjoiSFMyNTYifQ"
}
Generate
HMAC
Key
(Key Store)

XantarJ JSON Web Key (encoded)
eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteX
lqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFd
NeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci
1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5
WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczh
OajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocm
FzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ

XantarJ JSON Web Key (decoded)
{ "kty": "oct",
"use": "sig",
"kid": "orange-1234",
"k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKW
THlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j
JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xs
s8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39c
wfs",
"alg": "HS256"
}

XantarJ Signed OAuth 2.0 Message
AuthorizaKon: Signature keyId=“orange-1234", algorithm="hmac-sha256",
headers="content-length host date (request-target)”,
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5h
bWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL2
9hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO
DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdY
O1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaE
lxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo 
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */* 
 

XantarJ OAuth 2 + JWT + Signatures
Tokens+Signatures Sent
3000 TPS
(HTTP safe)
0.55 TPS
Password Sent
1000/daily
(HTTP+TLS)
OAuth 2
(LDAP)
4 hops
12000 TPS
backend
3000 TPS
12000 TPS

XantarJ
hlps://tools.ieu.org/html/drat-ieu-oauth-pop-key-distribuKon
Speciﬁca-on Reference

XantarJ Observa-ons
• HTTP Signatures the only HTTP friendly approach
• Signatures does not solve the “IdenKty Load” problem
• OAuth 2 with JWT signiﬁcantly improves IDP (Intrusion
DetecKon and PrevenKon) load
• Plain OAuth 2
• HTTP Session-like implicaKons
• OAuth 2 with JWT
• Signed cookie

Thank You
Slides and Resources
https://tribestream.io/
#RESTSecurity
XantarJ

Deconstructing and Evolving REST Security

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (17)

Ähnlich wie Deconstructing and Evolving REST Security

Ähnlich wie Deconstructing and Evolving REST Security (20)

Mehr von Roberto Cortez

Mehr von Roberto Cortez (14)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Deconstructing and Evolving REST Security