Understanding Identity in the World of Web APIs – Ronnie Mitra,  API Architect, Layer 7 Talk from Identity Management 2013
 


Web Based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs have introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and Open ID Connect)

    Presentation Transcript

    • Understanding Identity in the World of Web APIs – Ronnie Mitra, Principal API Architect - Europe, Layer 7 API Academy
    • API Management: virtual, cloud, on-premise
    • Connecting things
    • Connecting computer programs
    • … over the web
    • 2000 – eBay
    • 2000 – Salesforce
    • 2006 – Amazon Web Services
    • 2007 – Twilio (or Stripe)
    • Web APIs: language independent; APIs are constrained by the syntax of the web; most API design principles can be applied; some design principles are unique to Web APIs
    • Web APIs: HTTP
    • Network-based APIs: HTTP, CoAP, MQTT, WebSocket?
    • Styles: Tunnel Style, URI Style, Hypermedia Style, Event Driven Style
    • Tunnel Style – example: SOAP. Transport agnostic; operation based; binding documents (WSDL)
    • Tunnel Style: <RetrieveStudentRecords><StudentId>1213</StudentId></RetrieveStudentRecords>
    • URI Style: GET, PUT, POST, DELETE + URI
    • URI Style: GET /students/1232
    • Hypermedia Style
    • Hypermedia Style: links; templated input (forms); task based
    • Hypermedia Style: {links: [link {href: '…', rel: 'list'}, link {href: '…', rel: 'add'}], collection: [{link: {rel: 'complete', href: '…'}, id: 42, text: 'Record 42'}]}
    • Event Driven Style – example: WebSockets. Event based communication; server initiated events; full-duplex (WebSocket)
    • Ronnie, Mitra, UK
    • Security implications by style (in the order above): Tunnel – established mechanisms, tools and frameworks; URI – HTTP and URI security mechanisms; Hypermedia – similar to URI style, new challenges with links; Event Driven – starts in HTTP, need visibility in the new protocol
    • Private/Partner or Closed APIs
    • Acme Corp. API ↔ Acme Corp. App
    • Public or Open APIs
    • Acme Corp. API ↔ Third Party App
    • Priority: Lower Cost / Priority: Increased Adoption
    • Focus on the developer experience (DX)
    • Software qualities: usability, reliability, simplicity, security, etc.
    • DX > Software Qualities
    • Priority: Lower Cost / Priority: Increased Adoption
    • Innovation, consumer reach, revenue source, marketing, integration (light bulb designed by Jean-Philippe Cabaroc from The Noun Project)
    • The API security challenge: balancing security and usability
    • Identity, authentication, authorization, availability, integrity, privacy
    • Identities and Attack Surfaces
    • Developer – Portal – API – End User; Administrator
    • Portal – API – Developer – End User – Administrator
    • API – End User
    • Injection Attack
    • API
    • Examples: SQL injection, command injection, code injection, argument injection
    • API attack example – SQL injection attacks on APIs: GET http://host.com/aresource?token=%E2%80%98or%20%E2%80%981%3D1 decodes to GET http://host.com/aresource?token=‘ or ‘1=1, which the backend turns into select * from tokens where token = ‘’ or ‘1=1’;
    • APIs may be a direct conduit: HTTP server → app server → database → app objects. Often self-documenting and closely mapped to the object space
    • SQL injection attack – mitigation: sanitize inputs; validate request and response data; limit data size
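The token lookup on the slides above, shown as an added Python example (not code from the talk or from Layer 7): the concatenating query that turns the decoded `token` parameter into SQL syntax, beside the parameterised form that also applies the "limit data size" mitigation. The in-memory `tokens` table, the sample tokens, the `MAX_TOKEN_LEN` limit and the request URL (the slide's payload written with ASCII quotes) are all constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

MAX_TOKEN_LEN = 64  # assumed size limit for the token parameter ("limit data size")


def make_db():
    """Constructed in-memory stand-in for the slide's `tokens` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tokens (token TEXT, owner TEXT)")
    db.executemany("INSERT INTO tokens VALUES (?, ?)",
                   [("tok-123", "alice"), ("tok-456", "bob")])
    return db


def token_from_url(url):
    """Percent-decode the token query parameter, as the API front end would."""
    return parse_qs(urlsplit(url).query).get("token", [""])[0]


def lookup_vulnerable(db, token):
    """The slide's flaw: the token is pasted into the SQL text, so a quote in
    the value becomes SQL syntax and `'' or '1'='1'` matches every row."""
    sql = "select * from tokens where token = '%s'" % token
    return db.execute(sql).fetchall()


def lookup_parameterised(db, token):
    """Hardened: the value is bound by the driver and can never change the
    query's structure; a bogus token simply matches nothing."""
    if len(token) > MAX_TOKEN_LEN:
        raise ValueError("token exceeds size limit")
    return db.execute("select * from tokens where token = ?", (token,)).fetchall()


if __name__ == "__main__":
    # Constructed request mirroring the slide's URL, with ASCII quotes.
    url = "http://host.com/aresource?token=%27%20or%20%271%27%3D%271"
    db = make_db()
    token = token_from_url(url)
    print("decoded token:", token)
    print("vulnerable rows:", lookup_vulnerable(db, token))
    print("parameterised rows:", lookup_parameterised(db, token))
```

Run as a script it prints both result sets: the vulnerable query returns every row of the table for the injected token, the parameterised query returns none. Binding is what removes the bug; the length check only bounds the damage a single oversized request can do.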
    • Denial of Service
    • API
    • Examples: XML/JSON parser attacks; jumbo messages; server overload
    • Denial of Service attack – mitigation: enforcement of boundary conditions; intelligent rate limiting; offload processing
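The two mitigations named on the slide, boundary conditions and rate limiting, as an added Python example (not code from the talk or from Layer 7) of the admission check a gateway would run before a request reaches the API: a per-client token bucket plus a body-size boundary that rejects jumbo messages before any parser sees them. The `MAX_BODY_BYTES` limit, the bucket parameters and the client identifiers are assumptions chosen for the example; the injectable clock exists so the behaviour can be shown without waiting.

```python
import time

MAX_BODY_BYTES = 64 * 1024  # assumed boundary: reject jumbo messages before parsing


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second, up to `capacity`.

    Each request costs one token; a client that bursts past `capacity` is
    refused until enough time has passed for the bucket to refill.
    """

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self.buckets = {}  # client_id -> (tokens, timestamp of last refill)

    def allow(self, client_id, cost=1):
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= cost:
            self.buckets[client_id] = (tokens - cost, now)
            return True
        self.buckets[client_id] = (tokens, now)
        return False


def admit(limiter, client_id, content_length):
    """Gateway-style admission: cheapest check first (declared size), then the
    rate limit. Returns an HTTP-style status and a reason."""
    if content_length > MAX_BODY_BYTES:
        return 413, "payload too large"
    if not limiter.allow(client_id):
        return 429, "rate limit exceeded"
    return 200, "ok"


if __name__ == "__main__":
    limiter = TokenBucket(rate=1.0, capacity=3)
    for i in range(5):
        # Constructed burst from one client: the fourth and fifth calls are refused.
        print(i, admit(limiter, "app-1", 512))
    print("jumbo", admit(limiter, "app-2", MAX_BODY_BYTES + 1))
```

The size check uses the declared length only; a real gateway also has to cap what it actually reads from the socket, since the header can lie. Refill is computed lazily from the elapsed time, so idle clients cost nothing to track.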
    • Overflow
    • API
    • Buffer overflow attack – mitigation: boundary limit enforcement; message validation
    • Cross Site Scripting
    • API
    • XSS API example – Attacker → Web App Server (browser + APIs) → Victim: web browser client. 1. API injects script in (<SCRIPT …>); 2. Server fails to perform FIEO (Filter Input, Escape Output); 3. Browser loads content with embedded script
    • Cross Site Scripting – mitigation: whitelist tags if you can (i.e. where the validation space is small and concise); blacklist dangerous tags like <SCRIPT>; always perform FIEO (Filter Input, Escape Output). Learn more: http://xssed.com
    • rate limiting is essential
    • we need message and payload validation too
    • is this new API world compatible with validation?
    • good APIs are extendable and evolvable
    • /myapi/v1: <contact><name>Ronnie</name><city>London</city></contact>
    • /myapi/v1: <contact><name>Ronnie</name><city>London</city><country>UK</country></contact>
    • Schema: <xs:complexType><xs:sequence><xs:element name="name" type="xs:string"/><xs:element name="city" type="xs:string"/></xs:sequence></xs:complexType> vs. payload: <contact><name>Ronnie</name><city>London</city><country>UK</country></contact>
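The tension the last few slides raise, strict validation against an evolvable API, as an added Python example (not code from the talk or from Layer 7). It checks the contact documents above two ways: a closed check that mirrors the slide's xs:sequence and so rejects the document that gained <country>, and an open check that still requires the declared elements in order but tolerates unknown trailing ones. Both run the boundary enforcement from the Denial of Service slide first. The size and depth limits, the constructed payloads and the helper names are assumptions for the example; the schema rules are hand-coded rather than read from the XSD.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 4096            # assumed boundary on message size
MAX_DEPTH = 8               # assumed boundary on element nesting
REQUIRED = ("name", "city")  # the slide's xs:sequence: name, then city

# Constructed payloads mirroring the /myapi/v1 contact documents on the slides.
CONTACT_V1 = "<contact><name>Ronnie</name><city>London</city></contact>"
CONTACT_EXTENDED = ("<contact><name>Ronnie</name><city>London</city>"
                    "<country>UK</country></contact>")


def _depth(element, level=1):
    """Deepest nesting level below `element` (the element itself is level 1)."""
    return max([level] + [_depth(child, level + 1) for child in element])


def parse_bounded(doc):
    """Boundary enforcement before any schema logic: size, then nesting depth."""
    if len(doc.encode("utf-8")) > MAX_BYTES:
        raise ValueError("payload exceeds size boundary")
    root = ET.fromstring(doc)
    if _depth(root) > MAX_DEPTH:
        raise ValueError("payload exceeds nesting boundary")
    return root


def validate_strict(doc):
    """Closed schema: the children must be exactly the declared sequence, so
    the extended document with <country> is rejected (the slide's problem)."""
    root = parse_bounded(doc)
    return root.tag == "contact" and [c.tag for c in root] == list(REQUIRED)


def validate_extensible(doc):
    """Open schema: the declared elements must appear first and in order, but
    unknown trailing elements are tolerated, so the API can evolve."""
    root = parse_bounded(doc)
    children = [c.tag for c in root]
    return root.tag == "contact" and children[: len(REQUIRED)] == list(REQUIRED)


if __name__ == "__main__":
    for label, doc in (("v1", CONTACT_V1), ("extended", CONTACT_EXTENDED)):
        print(label, "strict:", validate_strict(doc),
              "extensible:", validate_extensible(doc))
```

The open check is what lets a v1 consumer keep working when a field is added, while still refusing a document that drops or reorders the fields it relies on. The standard-library parser is used here for portability; a gateway that accepts untrusted XML would pair the same checks with a parser configured against entity expansion.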
    • API!
    • Man in the Middle
    • API
    • Man in the Middle attack – mitigation: always use HTTPS. Corollary: use a secure HTTPS implementation
    • App Spoofing
    • API
    • App Spoofing – examples: guessing application ID by brute force; retrieving application ID by sniffing traffic; cracking application to retrieve application ID
    • how can I protect identity on a mobile device?
    • …?
    • what happens if my mobile app is impersonated?
    • API – End User
    • Revenue Source
    • What the Fudge*! I didn’t make 10000 calls yesterday!!!!!! I’m not paying that. (*This is what WTF actually stands for.)
    • I didn’t buy 1000 mobile phones in Russia! I’m not paying that!
    • Forrester: we are moving towards a ‘zero-trust’ model
    • New platforms, new languages, new challenges: Ruby on Rails; Node.js; Scala; Nginx; Squid/Varnish/Traffic Manager
    • TLS, OAuth 2, OpenID Connect
    • OAuth provides a Delegated Authorization Framework
    • An imperfect analogy….
    • http://www.flickr.com/photos/drewleavy/5587005480
    • http://www.flickr.com/photos/24oranges/5791460046/
    • http://www.flickr.com/photos/grumbler/571106054/ http://www.flickr.com/photos/roboppy/238406811/ – Your money; this shop needs your money; you need to grant access to your money
    • http://www.flickr.com/photos/drewleavy/5587005480 – I won’t tell. I promise!
    • www.flickr.com/photos/auntiep/255249516
    • Granting access to someone to act on your behalf.
    • resolving the password anti-pattern
    • Your resources; this app needs to act on your behalf; you need to grant access to your resources
    • Your Google+ data; this app needs to access your Google+ data; you need to grant access to your resources
    • Hi Google. I’d like to have access to a user’s friends list.
    • Hang on, let me ask…
    • He said yes. Here is your access code.
    • The first step to understanding OAuth 2: “Client” == application; “Resource owner” == end-user
    • OAuth 2 Grant Types: Authorization Code; Implicit; Resource Owner Password Credentials; Client Credentials
    • Authorization Code Grant (Client Application, Resource Owner, Resource Server) – the Resource Owner, using the application: “I wish I could access my resources through this application…”
    • Authorization Code Grant – “…but I don’t trust this app enough to give it my credentials.”
    • Authorization Code Grant – Initiation (Client Application, Resource Owner, Authorization Server, Resource Server, User Agent): the client issues a GET request via the User-Agent
    • Authorization Code Grant – Initiation: the GET request via the User-Agent carries response_type, client_id, redirect_uri, scope, state
    • OAuth 2 Authorization Request: response_type – indicates grant type; client_id – application identifier; redirect_uri (optional) – address which the UA can use to respond to the client; scope (optional) – space delimited string: what the client wants to do; state (optional) – opaque string used to defeat CSRF attacks. Sample Authorization GET URL: https://azserver/oauth2/authorize?response_type=code&client_id=my_id&state=state&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback
    • Authorization Code Grant – Resource Owner Authentication: the Authorization Server sends the user authentication form via the User-Agent; the Resource Owner authenticates
    • Authorization Code Grant – Authorization: the Authorization Server delivers the grant screen; the Resource Owner approves the grant request
    • Authorization Code Grant – Receipt of Authorization Code: the Authorization Server redirects the User-Agent (302) to the Client Application with code and state; the User-Agent is redirected to the Client Application
    • Authorization Code Grant – Access Token Request: the Client Application requests an access token from the Authorization Server with grant_type, code (the AZ code), redirect_uri, client_id; the Authorization Server returns (200) the access token and an optional refresh token
    • Authorization Code Grant – Access Protected Resource: the Client Application requests the resource from the Resource Server; the Resource Server returns the resource (200); the Resource Owner is using the application
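The client side of the authorization code grant walked through above, as an added Python example (not code from the talk or from Layer 7): building the authorization request from the slide's parameters, checking the state parameter when the user agent comes back with the code, and assembling the back-channel token request. The sample URL on the slides carries a literal `state=state`; here a random per-session value is generated and compared on the redirect, which is what makes `state` actually defeat CSRF. The session is modelled as a plain dict, the token endpoint `https://azserver/oauth2/token` is assumed (the slides only show the authorize endpoint), and client authentication for a confidential client is left out.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://azserver/oauth2/authorize"  # from the slides' sample URL
TOKEN_URL = "https://azserver/oauth2/token"          # assumed endpoint, not on the slides
CLIENT_ID = "my_id"                                  # from the slides' sample URL
REDIRECT_URI = "http://localhost:8080/callback"      # from the slides' sample URL


def build_authorization_request(session, scope="profile"):
    """Initiation: the URL the client sends the resource owner's user-agent to.
    A fresh random state is stored in this user's session so the redirect back
    can be tied to the request that started it."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["oauth_state"],
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def query_params(url):
    """Flatten a URL's query string to single values (used for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(session, callback_url):
    """Receipt of authorization code: the AS has 302-redirected the user-agent
    to REDIRECT_URI with code and state. The code is only accepted when the
    state matches the one this session issued; the stored value is consumed
    either way so it cannot be replayed."""
    received = query_params(callback_url)
    expected = session.pop("oauth_state", None)
    got = received.get("state")
    if expected is None or got is None or not hmac.compare_digest(
            expected.encode("utf-8"), got.encode("utf-8")):
        raise ValueError("state mismatch: discarding authorization code")
    if "code" not in received:
        raise ValueError("authorization server returned no code")
    return received["code"]


def build_token_request(code):
    """Access token request: the form body the client POSTs to TOKEN_URL over
    the back channel (the user-agent never sees this exchange)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


if __name__ == "__main__":
    session = {}
    url = build_authorization_request(session)
    print("1. send user-agent to:", url)
    # Constructed redirect standing in for the AS's 302 back to the client.
    redirect = REDIRECT_URI + "?" + urlencode({"code": "AZ-CODE-42",
                                               "state": session["oauth_state"]})
    code = handle_callback(session, redirect)
    print("2. code received:", code)
    print("3. POST", TOKEN_URL, build_token_request(code))
```

The redirect_uri is repeated in the token request on purpose: the authorization server compares it with the one used at initiation, which is one of the checks the "much can go wrong" slides are pointing at.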
    • be careful – much can go wrong!
    • Authorization Code Grant – Initiation (Client Application, Resource Owner, Authorization Server, Resource Server, User Agent): the client issues a GET request via the User-Agent with response_type, client_id, redirect_uri, scope, state
    • Authorization Code Grant – Receipt of Authorization Code (Resource Owner, Authorization Server, Resource Server, User Agent): the Authorization Server redirects the User-Agent (302) to the Client Application with code and state; the User-Agent is redirected to the Client Application
    • is this complex?
    • is this too complex?a better question:
    • is this too complex for our developers?an even better question:
    • It depends, but it is the best we have today
    • 2 vs. 3 Legged Spectrum: three-legged … two-legged
    • Three Legged: Client Application, Resource Owner, Authorization Server, Resource Server
    • Two Legged: Client Application, Authorization Server, Resource Server
    • OAuth 2 Challenges: it is a framework
    • OAuth 2 Challenges: it is complex for the implementer
    • OpenID Connect: identity access; built on top of OAuth 2; not tied to any single vendor or identity provider
    • API – End User
    • API – End User?
    • Client Application – Retrieve User Information – OpenID Resource Server (id_token)
    • Portal
    • Who is using the API? How are they (mis)using it?
    • What would happen if the portal was exploited?
    • Portal – API – Developer – End User – API
    • Portal – API – Administrator
    • Where are the components deployed? Who owns the identity store?
    • Portal – API: is this safe?
    • http://www.flickr.com/photos/naomi_pincher/3306312873/ – Layered Pattern
    • Security Layer: TLS termination; OAuth and OpenID Connect support; schema validation; boundary enforcement; cryptographic operations; security mediation
    • API Gateway: Gateway → API, API
    • API Management: Portal, Gateway → API, API
    • Summary: old threats still exist; be aware of new surfaces and threats; enforce security in an abstracted layer with a gateway
    • www.apiacademy.co
    • Visit the Layer 7 booth for information on our gateways and portals!