Securing RESTful Payment APIs Using OAuth 2
Audio from this session is available at https://archive.org/details/rest_apis_with_oauth2

Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this.

In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

  • This is where REST and OAuth 2 come in
  • Working with HATEOAS: Hypermedia as the Engine of Application State ("hate-o's") or "hate yo' ass"
  • Constructor
  • The cURL method for HTTP requests
Transcript of "Securing RESTful Payment APIs Using OAuth 2"

1. Securing RESTful Payment APIs Using OAuth 2
   Jonathan LeBlanc, Principal Developer Evangelist (PayPal)
   Github: http://github.com/jcleblanc
   Twitter: @jcleblanc

2. The Ultimate Decision: Security vs. Usability

3. What a RESTful API isn't
   "Our API is RESTful, we support GET, PUT, POST, and DELETE requests"
   No… actually you just support HTTP… like the rest of the web.

4. What a RESTful API is
   • Honor HTTP request verbs
   • Use proper HTTP status codes
   • No version numbering in URIs
   • Return format via HTTP Accept header
   • Double Rainbow: Discovery via HATEOAS

5. Does Anyone Actually Do That?
   Very few APIs follow pragmatic REST principles

6. HATEOAS links in a payment response:

```json
"links": [{
    "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y",
    "rel": "self",
    "method": "GET"
  },{
    "href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609",
    "rel": "approval_url",
    "method": "REDIRECT"
  },{
    "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute",
    "rel": "execute",
    "method": "POST"
  }]
```
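The point of slide 6 is that a client discovers its next request from the `rel` values in the response rather than hard-coding URIs. The following is an added example, not code from the slides or from PayPal, of a client doing that while still checking where a link actually points before following it: the `links` data is the sandbox response from the slide, and the host allow-list, `find_link` and `next_step` names are assumptions for this example (PHP 7.1+).

```php
<?php
// Added example: pick the next action from a HATEOAS "links" array.
// Link data copied from slide 6; host allow-list is an assumption.
const ALLOWED_HOSTS   = array("api.sandbox.paypal.com", "www.sandbox.paypal.com");
const ALLOWED_METHODS = array("GET", "POST", "REDIRECT");

$links = json_decode('[
  {"href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y",
   "rel": "self", "method": "GET"},
  {"href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609",
   "rel": "approval_url", "method": "REDIRECT"},
  {"href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute",
   "rel": "execute", "method": "POST"}
]', true);

/**
 * Return the link with the given rel, or null if there is none.
 * The response body is data received over the network, so the rel is
 * trusted only after the target is checked: https only, a host we expect,
 * and one of the methods we know how to perform. A link that fails the
 * checks is treated as absent rather than followed.
 */
function find_link(array $links, string $rel): ?array {
    foreach ($links as $link) {
        if (!isset($link["rel"], $link["href"], $link["method"]) || $link["rel"] !== $rel) {
            continue;
        }
        $parts = parse_url($link["href"]);
        if (($parts["scheme"] ?? "") !== "https"
            || !in_array($parts["host"] ?? "", ALLOWED_HOSTS, true)
            || !in_array($link["method"], ALLOWED_METHODS, true)) {
            return null;
        }
        return $link;
    }
    return null;
}

/**
 * What the client does next with a created payment:
 * approval_url => send the buyer's browser there;
 * execute      => POST to it once the buyer has approved.
 */
function next_step(array $links): array {
    $approval = find_link($links, "approval_url");
    if ($approval !== null && $approval["method"] === "REDIRECT") {
        return array("action" => "redirect_buyer", "href" => $approval["href"]);
    }
    $execute = find_link($links, "execute");
    if ($execute !== null && $execute["method"] === "POST") {
        return array("action" => "execute_payment", "href" => $execute["href"]);
    }
    throw new RuntimeException("no usable approval_url or execute link in response");
}

print_r(next_step($links));
```

Because the approval link is handed to the buyer's browser, the allow-list matters most there: a client that redirects to whatever `href` arrives would turn any tampered or spoofed response into an open redirect of its own users.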
7. When You Need Access Security

8. A Few Different Flavors of Usage
   • User login (authentication)
   • User involvement (authorization)
   • Application only (bearer tokens)

9. Our App Usage: Bearer Tokens
10. Making Your Definitions

```php
<?php
define("CLIENT_ID", "YOUR CLIENT ID");
define("CLIENT_SECRET", "YOUR CLIENT SECRET");
define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/");
define("URI_LIVE", "https://api.paypal.com/v1/");
?>
```

11. Constructor: fetch an application-only (client_credentials) bearer token

```php
class paypal{
    private $access_token;
    private $token_type;

    public function __construct(){
        // Client-credentials grant: the application authenticates with its own
        // ID and secret; no user is involved.
        $postvals = "grant_type=client_credentials";
        $uri = URI_SANDBOX . "oauth2/token";
        $auth_response = $this->curl($uri, "POST", $postvals, true);
        if ($auth_response["status"] != 200 || empty($auth_response["body"]->access_token)){
            throw new RuntimeException("token request failed with HTTP " . $auth_response["status"]);
        }
        $this->access_token = $auth_response["body"]->access_token;
        $this->token_type = $auth_response["body"]->token_type;
    }
    …
}
```

12.–13. The cURL method for HTTP requests

```php
    private function curl($url, $method = "GET", $postvals = null, $auth = false){
        $ch = curl_init($url);
        if ($auth){
            // Token request: HTTP Basic auth with the client ID and secret
            $headers = array("Accept: application/json", "Accept-Language: en_US");
            curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
            curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" . CLIENT_SECRET);
        } else {
            // API request: present the bearer token obtained in the constructor
            $headers = array("Content-Type: application/json",
                             "Authorization: {$this->token_type} {$this->access_token}");
        }
        $options = array(
            CURLOPT_HEADER => true,
            CURLINFO_HEADER_OUT => true,
            CURLOPT_HTTPHEADER => $headers,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_VERBOSE => true,   // writes the outgoing request, Authorization header included, to stderr
            CURLOPT_TIMEOUT => 10
        );
        if ($method == "POST"){
            $options[CURLOPT_POSTFIELDS] = $postvals;
            $options[CURLOPT_CUSTOMREQUEST] = $method;
        }
        curl_setopt_array($ch, $options);
        $response = curl_exec($ch);
        if ($response === false){
            throw new RuntimeException("cURL error: " . curl_error($ch));
        }
        // CURLOPT_HEADER prepends the response headers to the body; split them
        // apart so callers can read the status and the decoded JSON body
        $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return array(
            "status"  => $status,
            "headers" => substr($response, 0, $header_size),
            "body"    => json_decode(substr($response, $header_size))
        );
    }
```

14. Making a Call with the Token

```php
    public function process_payment($request){
        $postvals = $request;   // JSON payment object, sent as-is
        $uri = URI_SANDBOX . "payments/payment";
        return $this->curl($uri, "POST", $postvals);
    }
```
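The slides show only the client side of the bearer-token flow. As an added example, not from the slides or from PayPal, here is the resource-server half of the same flow: the API endpoint that receives the `Authorization: Bearer …` header the client code above sends, and answers with the HTTP status codes slide 4 asks for (401 with a `WWW-Authenticate` challenge per RFC 6750 when the token is missing, unknown or expired; 403 when it lacks the required scope). The token store is an in-memory array standing in for a database, the token values are constructed sample data, and the function names are assumptions (PHP 7.1+).

```php
<?php
// Added example: validating a bearer token on the API side (RFC 6750).
// Token store, token values and function names are constructed for this example.

function hash_token(string $token): string {
    // Store only hashes, so a leaked token table does not yield usable tokens
    return hash("sha256", $token);
}

// Constructed sample store: one valid token, one expired
$now = time();
$token_store = array(
    hash_token("A21AAFsample-valid")   => array("client_id" => "app-123", "scope" => "payments", "expires_at" => $now + 3600),
    hash_token("A21AAFsample-expired") => array("client_id" => "app-123", "scope" => "payments", "expires_at" => $now - 1),
);

/**
 * Extract the token from an Authorization header, or return null.
 * Only the Bearer scheme is accepted (scheme name is case-insensitive) and
 * only the b64token character set RFC 6750 allows.
 */
function parse_bearer(?string $header): ?string {
    if ($header === null) {
        return null;
    }
    if (!preg_match('#^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$#i', $header, $m)) {
        return null;
    }
    return $m[1];
}

/**
 * Authorize one request. Returns array(status, response headers, body):
 *   401 + WWW-Authenticate  no usable token (missing, malformed, unknown, expired)
 *   403                     token is valid but lacks the required scope
 *   200                     token accepted; body identifies the calling app
 */
function authorize(array $store, ?string $auth_header, string $required_scope, int $now): array {
    $token = parse_bearer($auth_header);
    if ($token === null) {
        return array(401, array('WWW-Authenticate: Bearer realm="payments"'), null);
    }
    $record = $store[hash_token($token)] ?? null;
    if ($record === null || $record["expires_at"] <= $now) {
        return array(401, array('WWW-Authenticate: Bearer realm="payments", error="invalid_token"'), null);
    }
    if (!in_array($required_scope, explode(" ", $record["scope"]), true)) {
        return array(403, array('WWW-Authenticate: Bearer realm="payments", error="insufficient_scope"'), null);
    }
    return array(200, array(), array("client_id" => $record["client_id"]));
}

// Exercise the check with constructed request headers
$samples = array("Bearer A21AAFsample-valid", "Bearer A21AAFsample-expired", "Basic Zm9vOmJhcg==", null);
foreach ($samples as $hdr) {
    list($status, $headers) = authorize($token_store, $hdr, "payments", $now);
    printf("%-32s -> %d %s\n", var_export($hdr, true), $status, implode("; ", $headers));
}
```

Two details carry most of the security value: the store is keyed by the token's hash, so the raw token never sits at rest on the server, and an unknown and an expired token produce the same `invalid_token` response, so the endpoint does not tell a caller which of the two it has.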
15. The Last Considerations
   • REST and OAuth are specifications, not religions
   • Don't alienate your developers with security
   • Open source is your friend

16. Thank You! Questions?
   www.slideshare.com/jcleblanc
   Jonathan LeBlanc, Principal Developer Evangelist (PayPal)
   Github: http://github.com/jcleblanc
   Twitter: @jcleblanc