Securing RESTful APIs using OAuth 2 and OpenID Connect

Constructing a successful and simple API is the lifeblood of your developer community. As we construct our API we need a secure way to authenticate and track apps & requests; OAuth 2 provides us with a secure and open way of doing just this.

In this talk, we will examine REST and OAuth 2 as standards for building secure API infrastructures, exploring the architectural decisions involved in choosing REST standard variations and implementations of OAuth 2.

Published in: Technology

Securing RESTful APIs using OAuth 2 and OpenID Connect

  1. Securing RESTful APIs Using OAuth 2 and OpenID Connect
     Jonathan LeBlanc (@jcleblanc), Global Head of Developer Evangelism at PayPal
  2. Why do we Need This?
  3. Poor Password Choices
     • 4.7% of users have the password password;
     • 8.5% have the passwords password or 123456;
     • 9.8% have the passwords password, 123456 or 12345678;
     • 14% have a password from the top 10 passwords;
     • 40% have a password from the top 100 passwords;
     • 79% have a password from the top 500 passwords;
     • 91% have a password from the top 1000 passwords.
  4. …And of What’s Left
     1. Pet’s name
     2. Significant dates (like a wedding anniversary)
     3. Date of birth of a close relation
     4. Child’s name
     5. Other family member’s name
     6. Place of birth
     7. Favorite holiday
     8. Something related to a favorite football team
     9. Current partner’s name
  5. Handing Over Account Passwords
  6. Malicious Applications
  7. Aspects of Revocation
  8. App Revoked by User; App Revoked by Service Provider
  9. Path to the Standard
  10. Username & Password to Auth
  11. Rise of the Token
  12. Two Widely Used Specifications
  13. REST Request Components
  14. How Requests are Made
      curl -v https://api.sandbox.paypal.com/v1/payments/payment \
        -H "Content-Type:application/json" \
        -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
  15. How Auth is Added in
      curl -v https://api.sandbox.paypal.com/v1/payments/payment \
        -H "Content-Type:application/json" \
        -H "Authorization: Bearer {accessToken}" \
        -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
  16. Attack Vectors: Man in the Middle; Replay Attacks; Cross-Site Request Forgery (CSRF)
  17. Adding in the Auth
  18. Reasons for Auth
      • Rate limiting and attack vector protection
      • Having the ability to revoke application access
      • Needing to allow users to revoke an application’s access to their data
  19. When You Need Access Security
  20. User Login (authentication); User Involvement (authorization); Application Only (monitoring)
  21. Practical Implementation
  22. Redirect the User to Log In
      Prepare the redirect to the Authorization Endpoint with client_id, response_type (token), scope and redirect_uri; the browser redirect then returns the user to the Redirect URI.
  23. Fetching the Access Token
      Fetch the access token with an HTTP POST to the Access Token Endpoint carrying client_id, grant_type, client_secret and code.
  24. Fetching the Access Token
      curl https://api.sandbox.paypal.com/v1/oauth2/token \
        -H "Accept: application/json" \
        -H "Accept-Language: en_US" \
        -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" \
        -d "grant_type=client_credentials"
  25. Access Token Response
      {
        "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card",
        "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
        "token_type": "Bearer",
        "app_id": "APP-6XR95014SS315863X",
        "expires_in": 28800
      }
  26. Using the Access Token
      Fetch privileged resources from the Resource Endpoint with HTTP GET / PUT / POST / DELETE, sending the token type and access token in the Authorization header.
  27. Using the Access Token
      curl -v https://api.sandbox.paypal.com/v1/payments/payment \
        -H "Content-Type:application/json" \
        -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" \
        -d "{...}"
  28. Maintaining SDK Consistency
  29. Defining APIs with WADL / WSDL
  30. WSDL example
      <?xml version="1.0" encoding="UTF-8"?>
      <description xmlns="http://www.w3.org/ns/wsdl" ...>
        <types> … </types>
        <interface name="Interface1"> … </interface>
        <binding name="HttpBinding" interface="tns:Interface1">
          <operation ref="tns:Get" whttp:method="GET"/>
        </binding>
        <binding name="SoapBinding" interface="tns:Interface1" …>
          <operation ref="tns:Get" />
        </binding>
        <service name="Service1" interface="tns:Interface1">
          <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/>
          <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/>
        </service>
      </description>
  31. WADL example
      <?xml version="1.0"?>
      <application xmlns:xsi=…>
        <grammars>
          <include href="NewsSearchResponse.xsd"/>
          <include href="Error.xsd"/>
        </grammars>
        <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
          <resource path="newsSearch">
            <method name="GET" id="search">
              <request>
                <param name="appid" type="xsd:string" required="true"/>
                <param name="query" type="xsd:string" required="true"/>
              </request>
              <response status="400">
                <representation mediaType="application/xml" element="ya:Error"/>
              </response>
            </method>
          </resource>
        </resources>
      </application>
  32. Building SDKs Automatically
      Genio (templates): https://github.com/paypal/genio
      Genio Parser (model builder): https://github.com/paypal/genio-parser
      Genio Samples: https://github.com/paypal/genio-sample
  33. Final Considerations
      • REST and OAuth are specifications, not religions
      • Don’t alienate your developers with security
      • Open source is your friend
  34. Thank You! Questions?
      http://slideshare.net/jcleblanc
      Jonathan LeBlanc (@jcleblanc), Global Head of Developer Evangelism at PayPal
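The client side of the flow on slides 22 to 27, worked through as an added Python example (not the talk's or PayPal's SDK code): it uses the authorization code exchange of slide 23 rather than the implicit `token` response type named on slide 22, carries a `state` parameter as the defence against the CSRF vector listed on slide 16, and checks `expires_in` from the slide 25 response before reusing a token. The endpoint URLs are constructed placeholders.

```python
"""Client-side helpers for the OAuth 2 authorization code flow.  Added
example, not PayPal's SDK; the endpoint URLs are constructed placeholders."""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"  # constructed
TOKEN_URL = "https://auth.example.invalid/oauth2/token"          # constructed


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Slide 22: the URL the browser is sent to.  `state` is a random value
    bound to the user's session; it must return unchanged on the redirect."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id,
        "response_type": "code",  # code grant, exchanged server-side (slide 23)
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    })


def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect back to us, rejecting any callback
    whose state does not match the session's (the CSRF case on slide 16)."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard callback, possible CSRF")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Slide 23: HTTP POST to the token endpoint.  The app authenticates with
    client_id:client_secret as HTTP Basic, which is what curl -u does on slide 24."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds, "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return TOKEN_URL, headers, body


def bearer_header(token_response, issued_at, now):
    """Slides 25 and 27: build the Authorization header from the token
    response, refusing a token whose expires_in window has passed."""
    if now >= issued_at + token_response["expires_in"]:
        raise ValueError("access token expired: fetch a new one")
    return {"Authorization":
            f"{token_response['token_type']} {token_response['access_token']}"}
```

The caller stores `state` in the user's session before the redirect and passes the same value to `parse_callback`; the returned headers and body are what the real HTTP client sends to the token and resource endpoints.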
