Securing RESTful APIs Using OAuth 2 and OpenID Connect
Jonathan LeBlanc (@jcleblanc)
Head of Developer Evangelism, PayPal North America
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

Published in: Technology
  • Speaker note on HATEOAS: Hypermedia as the Engine of Application State (pronounced "hate-o's" or "hate yo' ass")
    1. Securing RESTful APIs Using OAuth 2 and OpenID Connect
       Jonathan LeBlanc (@jcleblanc), Head of Developer Evangelism, PayPal North America

    2. What We're Covering
       • Auth history and REST concepts
       • Adding in an auth mechanism
       • Integration in practice (server + client side integrations)

    3. What We Want

    4. The Ultimate Decision: Security vs. Usability

    5. Path to the Standard

    6. The Insecure, Unmanageable Start

    7. Very Secure, Long to Implement

    8. Two Currently Widely Used Specs

    9. REST Architecture

    10. What a RESTful API isn't
        "Our API is RESTful, we support GET, PUT, POST, and DELETE requests."
        No… actually you just support HTTP… like the rest of the web.

    11. What a RESTful API is
        • Honor HTTP request verbs
        • Use proper HTTP status codes
        • No version numbering in URIs
        • Return format via HTTP Accept header

    12. Does Anyone Actually Do That?
        Very few APIs follow pragmatic REST principles.

    13. HATEOAS

    14. HATEOAS in a PayPal payment response: every next step is a link

            "links": [{
                "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y",
                "rel": "self",
                "method": "GET"
            }, {
                "href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609",
                "rel": "approval_url",
                "method": "REDIRECT"
            }, {
                "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute",
                "rel": "execute",
                "method": "POST"
            }]

    15. Adding Auth Mechanisms

    16. Reasons for Auth
        • Rate limiting and attack vector protection
        • Having the ability to revoke application access
        • Needing to allow users to revoke an application's access to their data

    17. When You Need Access Security

    18. A Few Different Flavors of Usage
        • User login (authentication)
        • Application only (bearer tokens)
        • User involvement (authorization)

    19. Practical Implementation

    20. Fetching the Access Token
        Fetch the access token: HTTP POST (client_id, client_secret, grant_type) -> Access Token Endpoint -> access token

    21. Fetching the Access Token

            curl https://api.sandbox.paypal.com/v1/oauth2/token \
              -H "Accept: application/json" \
              -H "Accept-Language: en_US" \
              -u "EOJ2S-Z6OoN_le_KS1d75wsZ6y0SFd…" \
              -d "grant_type=client_credentials"

    22. Access Token Response

            {
              "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card",
              "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
              "token_type": "Bearer",
              "app_id": "APP-6XR95014SS315863X",
              "expires_in": 28800
            }

    23. Using the Access Token
        Fetch privileged resources: HTTP GET / PUT / POST / DELETE -> Resource Endpoint, with the token type and access token in the Authorization header

    24. Using the Access Token

            curl -v https://api.sandbox.paypal.com/v1/payments/payment \
              -H "Content-Type:application/json" \
              -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" \
              -d "{...}"
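The client-credentials exchange of slides 21 to 24, as an added example that is not from the deck or PayPal's own code: it builds the token request the curl command sends, validates a token response before trusting it, and runs offline against a constructed sample response. It assumes Node.js (Buffer and URLSearchParams) and that curl's `-u` value holds `client_id:secret`.

```javascript
// Added example (not from the slides): the client-credentials exchange of
// slides 21-24 as plain request/response data, exposing what the curl flags
// hide: the Basic auth header, the form body and the response checks.

// Slide 21: `-u client_id:secret` becomes an HTTP Basic Authorization header
// on a POST to the token endpoint with grant_type=client_credentials.
function buildTokenRequest(tokenEndpoint, clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    method: 'POST',
    url: tokenEndpoint,
    headers: {
      'Accept': 'application/json',
      'Accept-Language': 'en_US',
      'Authorization': `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
  };
}

// Slide 22: validate the response before trusting it. Returns the token,
// its scopes and an absolute expiry so the caller can refresh before expires_in.
function parseTokenResponse(json, nowMs) {
  const data = JSON.parse(json);
  if (typeof data.access_token !== 'string' || data.access_token === '') {
    throw new Error('token response has no access_token');
  }
  if (String(data.token_type).toLowerCase() !== 'bearer') {
    throw new Error(`unsupported token_type: ${data.token_type}`);
  }
  const expiresIn = Number(data.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error('token response has no usable expires_in');
  }
  return {
    accessToken: data.access_token,
    scopes: String(data.scope || '').split(/\s+/).filter(Boolean),
    expiresAt: nowMs + expiresIn * 1000,
  };
}

// Constructed sample response in the shape of slide 22 (placeholder values).
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  scope: 'https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card',
  access_token: 'EXAMPLE_ACCESS_TOKEN', token_type: 'Bearer',
  app_id: 'APP-EXAMPLE', expires_in: 28800,
});
```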
    25. A few implementation differences
        • Endpoints
        • Scopes (dynamic / static)
        • Using the access token in a request

    26. OAuth 2 & JavaScript?

    27. The Complexities of JavaScript
        • The same-origin policy
        • Keeping private keys private
        • Not having to provide a hacked experience

    28. The Ways We Made It Work
        • Server-side proxy
        • Flash / iframe proxy
        • Private token storage mechanism

    29. User Agent Flow: Redirect
        Prepare the redirect URI (client_id, response_type=token, scope, redirect_uri) -> Authorization Endpoint -> browser redirect -> Redirect URI

    30. User Agent Flow: Redirect

            // Building the redirect link
            var auth_uri = auth_endpoint +
                "?response_type=token" +
                "&client_id=" + encodeURIComponent(client_id) +
                "&scope=profile" +
                "&redirect_uri=" + encodeURIComponent(window.location.href);
            $("#auth_btn").attr("href", auth_uri);

    31. User Agent Flow: Hash Mod
        Fetch the hash mod (access_token, refresh_token, expires_in) -> extract the access token

    32. User Agent Flow: Hash Mod

            http://site.com/callback#access_token=rBEGu1FQr54AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a&expires_in=3600

            // Extracting the access token from the hash
            var hash = document.location.hash;
            var match = hash.match(/access_token=(\w+)/);   // match[1] holds the token

    33. User Agent Flow: Get Resources
        Set request headers + URI: Resource Endpoint; header: token type + access token; header: accept data type; HTTPS request

    34. User Agent Flow: Get Resources

            // Making an authorized request
            $.ajax({
                url: resource_uri,
                beforeSend: function (xhr) {
                    // the scheme must match the token_type the provider issued
                    xhr.setRequestHeader('Authorization', 'OAuth ' + token);
                    xhr.setRequestHeader('Accept', 'application/json');
                },
                success: function (response) {
                    // use response object
                }
            });
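The three browser-side steps of the user agent flow on slides 29 to 34, as an added example that is not from the deck or PayPal's own code: the functions are pure so they can be exercised outside a browser, the endpoint, client_id and callback fragment are constructed sample values, and the `state` parameter is an addition the slides do not show.

```javascript
// Added example (not from the slides): the browser steps of slides 29-34 as
// pure functions testable outside a browser. Endpoint, client_id and hash are
// constructed sample values; the `state` parameter is an addition to the slides.

// Slide 30: build the authorization redirect with every value URL-encoded and
// a caller-generated random `state` that the callback checks on return.
function buildAuthUri(authEndpoint, clientId, scope, redirectUri, state) {
  const params = new URLSearchParams({
    response_type: 'token',
    client_id: clientId,
    scope: scope,
    redirect_uri: redirectUri,
    state: state,
  });
  return `${authEndpoint}?${params.toString()}`;
}

// Slide 32: read the fields the provider appended to the callback fragment.
// Parsing the whole fragment also surfaces error, expires_in and state,
// which a single access_token regex would miss.
function parseFragment(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.get('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  if (expectedState !== undefined && params.get('state') !== expectedState) {
    throw new Error('state mismatch: response was not started by this page');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('fragment carries no access_token');
  return {
    accessToken,
    tokenType: params.get('token_type') || 'Bearer', // Bearer assumed if omitted
    expiresIn: Number(params.get('expires_in')) || null,
  };
}

// Slide 34: resource-request headers; the scheme is the issued token_type
// (slide 22 shows "Bearer"), not a hard-coded string.
function resourceHeaders(token) {
  return {
    Authorization: `${token.tokenType} ${token.accessToken}`,
    Accept: 'application/json',
  };
}

// Constructed callback fragment in the shape of slide 32.
const SAMPLE_HASH =
  '#access_token=EXAMPLE_TOKEN&refresh_token=EXAMPLE_REFRESH&expires_in=3600&state=abc123';
```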
    35. Using the Skeleton Key

    36. How It's Normally Used
        • Access user details
        • Push data through user social streams

    37. But why?
        • Access token as a control structure
        • Improve existing products
        • Our showcase: Seamless Checkout

    38. The Last Considerations
        • REST and OAuth are specifications, not religions
        • Don't alienate your developers with security
        • Open source is your friend

    39. A Few Code Links
        • OAuth2 & OpenID Connect samples: https://github.com/jcleblanc/oauth and https://github.com/paypal/paypal-access
        • Log in with PayPal: http://bit.ly/loginwithpaypal

    40. Thank You! Questions?
        http://slideshare.net/jcleblanc
        Jonathan LeBlanc (@jcleblanc), Head of Developer Evangelism, PayPal North America