Deconstructing and Evolving REST Security
4. @dblevins @tomitribe #RESTSecurity @radcortez @tomitribe tribestream.io
Focus Areas
• Beyond Basic Auth
• Theory of OAuth 2.0
• Introduction of JWT
• Google/Facebook style API security
• Stateless vs Stateful Architecture
• HTTP Signatures
• Amazon EC2 style API security
7. Basic Auth Message
POST /painter/color/object HTTP/1.1
Host: localhost:8443
Authorization: Basic c25vb3B5OnBhc3M=
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"b":255,"g":0,"name":"blue","r":0}}
20. OAuth 2 - Password Grant
Diagram labels: (LDAP), (Token Store), Verify Password, Generate Token
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
21. OAuth 2.0 Message
POST /painter/color/object HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"r":0,"g":0,"b":255,"name":"blue"}}
22. OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 45
{"color":{"r":0,"g":255,"b":0,"name":"green"}}
23. OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}
24. OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
25. OAuth 2.0 Message
POST /painter/color/stroke HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49
{"color":{"r":255,"g":200,"b":255,"name":"orange"}}
27. OAuth 2 - Refresh Grant
Diagram labels: (LDAP), (Token Store), Verify Password, Generate Token
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"6Fe4jd7TmdE5yW2q0y6W2w",
"expires_in":3600,
"refresh_token":"hyT5rw1QNh5Ttg2hdtR54e"
}
29. OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"r":0,"g":255,"b":0,"name":"green"}}
30. OAuth 2.0 Message
POST /painter/color/select HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 44
{"color":{"r":255,"g":0,"b":0,"name":"red"}}
31. OAuth 2.0 Message
POST /painter/color/fill HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 49
{"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
63. JSON Web Token
• Pronounced “JOT”
• Fancy JSON map
• Base64 URL Encoded
• Digitally Signed (RSA-SHA256, HMAC-SHA512, etc)
• Built-in expiration
64.
• { "alg": "RS256", "typ": "JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": [
"twitter", "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv
0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzl
LJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
65. Access Token Now
• header (JSON > Base64 URL Encoded)
• describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
• Basically a map of whatever you want to put in it
• Some standard entries such as expiration
• signature (Binary > Base64 URL Encoded)
• The actual digital signature
• made exclusively by the /oauth2/token endpoint
• If RSA, can be checked by anyone
67. Access Token Now
• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi
10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb
m9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRw
czovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiI
sInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaW
VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O
TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz
IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8
DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta
Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0
98ocefuv08TdzRxqYoEqYNo
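As an added illustration (not from the slides), this is what a resource server does with the token on slide 67 before trusting it: split the three base64url parts, read the header and claims, and check alg, iss, iat and exp. The token string is the one printed on the slide, joined back together; the RSA public key needed to verify the signature itself is not on the page, so that step is noted but not performed here.

```python
import base64
import json

# The RS256 access token from slide 67 (header.payload.signature), reassembled
# from the wrapped lines on that slide; ISSUER is the "iss" claim from slide 64.
ACCESS_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJi"
    "ZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiIsInNjb3Bl"
    "cyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3"
    "NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9"
    ".DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta"
    "Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo"
)
ISSUER = "https://demo.superbiz.com/oauth2/token"


def b64url_decode(part):
    """JWT parts are base64url with the '=' padding stripped; restore it first."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def split_jwt(token):
    """Return (header, payload, raw signature bytes). Nothing is trusted yet."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(signature_b64)


def check_claims(header, payload, now, issuer=ISSUER, alg="RS256"):
    """Reasons a resource server must reject the token; an empty list means the
    claims are acceptable. The RSA signature can only be verified with the
    /oauth2/token endpoint's public key, which the slides do not include, so that
    step is left to a JWT library; these checks are still required after it."""
    problems = []
    # Pin the algorithm: the token must never get to choose how it is verified.
    if header.get("alg") != alg or header.get("typ") != "JWT":
        problems.append("unexpected alg/typ")
    if payload.get("iss") != issuer:
        problems.append("wrong issuer")
    if payload.get("iat", 0) > now:
        problems.append("issued in the future")
    # "exp" is the built-in expiration: 1474280963 - 1474279163 = 30 minutes here.
    if now >= payload.get("exp", 0):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    hdr, claims, sig = split_jwt(ACCESS_TOKEN)
    print(hdr, claims["username"], claims["scopes"], len(sig) * 8, "bit signature")
    print(check_claims(hdr, claims, now=claims["iat"] + 60))
```

The signature part decodes to 128 bytes, i.e. a 1024-bit RSA signature, which is why slide 65 can say anyone holding the public key may check it.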
82. OAuth 2 - Password Grant
Diagram labels: (LDAP), (Token ID Store), Verify Password, Generate Signed Token
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM
i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0
LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M
TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ
9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8
OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO
EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh
VDaiqmhct098ocefuv08TdzRxqYoEqYNo",
"expires_in":3600,
"refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X.
eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb
WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M
iOiJodHRwczovL"
}
83. OAuth 2.0 Message with JWT
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR
va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ
iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy
ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl
6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ
vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"b":0,"g":255,"r":0,"name":"green"}}
84. OAuth 2 + JWT
Diagram (labels as extracted): Tokens Sent, 3000 TPS (HTTP+SSL); 0.55 TPS (refresh token checks) (30 minute expiration); Password Sent, 1000/daily (HTTP+SSL); OAuth 2 (LDAP); 4 hops; 12000 TPS backend; 3000 TPS (signature verification); 12000 TPS (signature verification); (private key); (public key)
89. OAuth 2 + JWT
Diagram (labels as extracted): Valid Tokens Sent, 3000 TPS (HTTP+SSL); Invalid Tokens Sent, 12000 TPS (HTTP+SSL); 0.55 TPS (refresh token checks); Password Sent, 1000/daily (HTTP+SSL); (LDAP); 4 hops; 12000 TPS backend; 9000 TPS (signature verification); 12000 TPS (signature verification); (private key); (public key)
91. HTTP Signatures
• No “secret” ever hits the wire
• Signs the message itself
• Proves identity
• Prevents message tampering
• Symmetric or Asymmetric signatures
• IETF Draft
• https://tools.ietf.org/html/draft-cavage-http-signatures
• Extremely simple
• Does NOT eliminate benefits of JWT
92. Signing a Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"b":0,"g":255,"r":0,"name":"green"}}
Take the full HTTP message
93. Signing a Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"b":0,"g":255,"r":0,"name":"green"}}
Select the parts you want to protect
94. Signing a Message
(request-target): POST /painter/color/palette
host: api.superbiz.io
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
Create a Signing String
95. Signing a Message
(request-target): POST /painter/color/palette
host: api.superbiz.io
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
Hash the string (sha256 shown)
96. Signing a Message
Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
Encrypt the hash (hmac shown)
j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
97. Signing a Message
Signature
keyId="orange-1234",
algorithm="hmac-sha256",
headers="(request-target) host date content-length",
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Put it all together
98. Signed Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Signature keyId="orange-1234",
algorithm="hmac-sha256",
headers="(request-target) host date content-length",
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"b":0,"g":255,"r":0,"name":"green"}}
104.
{ "alg": "RS256", "typ": "JWT" }
{ "token-type": "access-token",
"username": "snoopy",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": ["twitter", "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFX
GDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token
105.
{ "alg": "RS256", "typ": "JWT" }
{ "token-type": "pop",
"cnf":{ "kid": "green-1234" },
"username": "snoopy",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": ["twitter", "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFX
GDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token
106. OAuth 2 - Password Grant
Diagram labels: (LDAP), (Token ID Store), (Key Store), Verify Password, Generate Signed Token, Generate HMAC Key
POST /oauth2/token
Host: api.superbiz.io
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
grant_type=password&username=snoopy&password=woodstock
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6M
TMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2",
"token_type":"pop",
"expires_in":3600,
"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc
3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5
jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M",
"key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ
2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1
MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlS
ci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5W
WFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZ
PeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd
2ZzIiwiYWxnIjoiSFMyNTYifQ"
}
107. JSON Web Key (encoded)
eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2UteX
lqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1MFd
NeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlSci
1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5
WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczh
OajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocm
FzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
108. JSON Web Key (decoded)
{ "kty": "oct",
"use": "sig",
"kid": "orange-1234",
"k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKW
THlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j
JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xs
s8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39c
wfs",
"alg": "HS256"
}
109. Signed OAuth 2.0 Message
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Authorization: Signature keyId="orange-1234", algorithm="hmac-sha256",
headers="content-length host date (request-target)",
signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5h
bWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL2
9hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO
DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdY
O1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaE
lxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46
{"color":{"b":0,"g":255,"r":0,"name":"green"}}
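Added example (not the presenters' code): the signing procedure of slides 92 to 98 and the matching server-side check, using the HS256 key from slide 108 under keyId orange-1234 and building the signing string in whatever order the headers parameter lists, which covers both the order on slide 97 and the order on slide 109. It follows draft-cavage, which computes the HMAC over the signing string directly (the "hash, then hmac" split on slides 95 and 96 is an illustration) and lower-cases the method in (request-target), so the resulting bytes differ from the signature value printed on the slides.

```python
import base64
import hmac

# The symmetric JSON Web Key from slide 108 (kid "orange-1234", HS256), with its
# wrapped "k" lines joined; the request values used in the test come from slides 94 and 98.
JWK = {
    "kty": "oct", "use": "sig", "kid": "orange-1234", "alg": "HS256",
    "k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKWTHlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j"
         "JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xss8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39cwfs",
}

def jwk_secret(jwk):
    """Decode the base64url 'k' member of an oct JWK into the raw HMAC key."""
    return base64.urlsafe_b64decode(jwk["k"] + "=" * (-len(jwk["k"]) % 4))

def signing_string(method, path, headers, covered):
    """draft-cavage signing string: 'name: value' lines in the order given by the
    'headers' parameter; (request-target) is the lower-cased method plus path."""
    values = {name.lower(): value for name, value in headers.items()}
    return "\n".join(f"(request-target): {method.lower()} {path}" if name == "(request-target)"
                     else f"{name}: {values[name]}" for name in covered)

def sign(method, path, headers, covered, jwk):
    """Client side: HMAC-SHA256 over the signing string itself (the draft has no
    separate hash step), base64 it, and assemble the Signature header value."""
    mac = hmac.new(jwk_secret(jwk), signing_string(method, path, headers, covered).encode(),
                   "sha256").digest()
    return 'Signature keyId="%s",algorithm="hmac-sha256",headers="%s",signature="%s"' % (
        jwk["kid"], " ".join(covered), base64.b64encode(mac).decode())

def verify(method, path, headers, jwk):
    """Server side: parse the header, recompute with the key named by keyId, compare in
    constant time; (request-target) and date must be covered or a capture could be replayed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Signature "):
        return False
    params = {}
    for item in auth[len("Signature "):].split(","):
        name, _, value = item.strip().partition("=")
        params[name] = value.strip('"')
    covered = params.get("headers", "").split()
    present = {name.lower() for name in headers}
    if (params.get("keyId") != jwk["kid"] or params.get("algorithm") != "hmac-sha256"
            or "(request-target)" not in covered or "date" not in covered
            or any(h != "(request-target)" and h not in present for h in covered)):
        return False
    expected = hmac.new(jwk_secret(jwk), signing_string(method, path, headers, covered).encode(),
                        "sha256").digest()
    return hmac.compare_digest(expected, base64.b64decode(params.get("signature", "")))
```

Because the Date header is covered, the server can additionally reject requests whose Date is outside a small window, which is the replay protection a bare Bearer token on slide 83 does not have.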
110. OAuth 2 + JWT + Signatures
Diagram (labels as extracted): Tokens+Signatures Sent, 3000 TPS (HTTP safe); 0.55 TPS (refresh token checks); Password Sent, 1000/daily (HTTP+TLS); OAuth 2 (LDAP); 4 hops; 12000 TPS backend; 3000 TPS (signature verification); 12000 TPS (signature verification)
112. Observations
• HTTP Signatures are the only HTTP-friendly approach
• Signatures do not solve the "Identity Load" problem
• OAuth 2 with JWT significantly improves IDP (Intrusion Detection and Prevention) load
• Plain OAuth 2
• HTTP Session-like implicaKons
• OAuth 2 with JWT
• Signed cookie