Your SlideShare is downloading. ×
0
Best Practices in Building an API
Security Ecosystem
Prabath Siriwardena, Director of Security, WSO2
Twitter : @prabath
About Me
• Director Security @ WSO2
• Lead Architect WSO2 Identity Server
• Apache Axis PMC Member
• Blog : http://blog.fa...
Gateway Pattern
Gateway Pattern - Benefits
• Decouple clients from the actual API implementation
• No point-to-point to connection
• Centr...
Direct Authentication – Internal Users
• HTTP Basic Authentication
• HTTP Digest Authentication
• TLS Mutual Authenticatio...
HTTP Basic Authentication
curl -I
-u $GitHubUserName:GitHubPassword
-X POST -H 'Content-Type: application/x-www-form-urlen...
HTTP Digest Authentication
curl -k –-digest –u userName:password -v https://localhost:8443/recipe
HTTP/1.1 401 Unauthorize...
HTTP Basic vs. Digest Authentication
TLS Mutual Authentication
 Gateway itself does the certificate validation
 Fine-grained access validations can be done b...
OAuth 1.0 : Two Legged OAuth
POST /student?name=pavithra HTTP/1.1
Host: server.com
Content-Type: application/x-www-form-ur...
OAuth 2.0 : Client Credentials
curl -v -X POST
--basic -u 588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b ]
-H "Content-T...
Kerberos / NTLM
 Can be implemented as OAuth 2.0 grant types
Auditing / Monitoring
Chained APIs
Decoupling Authorization Server from
Resource Server
Decoupling Authorization Server from
Resource Server
POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencode...
Externalizing Authorization
XACML
OAuth & XACML
 A given access token has a scope associated with it and it
governs the access token’s capabilities
 A use...
XACML Request
<Request>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
<Attribute At...
XACML Policy
<Policy>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<Attri...
Cross-Domain API Access
Cross-Domain API Access
curl -X POST
-u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa”
-H "Content-Type: appl...
Centralized Authorization with Distributed Resource Servers
User Managed Access
• PAT (Protection API Token) : Token issued to the
Resource Server to access the Protection API
(Autho...
Contact us !
Upcoming SlideShare
Loading in...5
×

Api security-eic-prabath

2,085

Published on

Enterprise API adoption has gone beyond predictions. It has become the ‘coolest’ way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed. This talk focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question – and you need to deal with it quite carefully to identify and isolate the tradeoffs.
Security is not an afterthought. It has to be an integral part of any development project – so as for APIs. API security has evolved a lot in last five years. The growth of standards, out there, has been exponential. The talk will elaborate how to build an ecosystem for API security around OAuth 2.0, OpenID Connect, UMA, SAML, SCIM and XACML.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,085
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
51
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Transcript of "Api security-eic-prabath"

  1. 1. Best Practices in Building an API Security Ecosystem Prabath Siriwardena, Director of Security, WSO2 Twitter : @prabath
  2. 2. About Me • Director Security @ WSO2 • Lead Architect WSO2 Identity Server • Apache Axis PMC Member • Blog : http://blog.facilelogin.com • Twitter : @prabath
  3. 3. Gateway Pattern
  4. 4. Gateway Pattern - Benefits • Decouple clients from the actual API implementation • No point-to-point to connection • Centralized security enforcing • Centralized auditing & monitoring • Version controlling
  5. 5. Direct Authentication – Internal Users • HTTP Basic Authentication • HTTP Digest Authentication • TLS Mutual Authentication • OAuth 1.o : Two Legged OAuth • OAuth 2.o : Client Credentials • NTLM / Kerberos
  6. 6. HTTP Basic Authentication curl -I -u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded’ -d '{"name": "my_github_repo"}' https://api.github.com/user/repos  Creating a GitHub repository
  7. 7. HTTP Digest Authentication curl -k –-digest –u userName:password -v https://localhost:8443/recipe HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="cute- cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08e effc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED" Authorization: Digest username="prabath", realm="cute- cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422 ", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
  8. 8. HTTP Basic vs. Digest Authentication
  9. 9. TLS Mutual Authentication  Gateway itself does the certificate validation  Fine-grained access validations can be done by the authorization server. curl -k --cert client.pem https://localhost:8443/recipe
  10. 10. OAuth 1.0 : Two Legged OAuth POST /student?name=pavithra HTTP/1.1 Host: server.com Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="simple", oauth_consumer_key="dsdsddDdsdsds ", oauth_token=" ", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1474343201", oauth_nonce="rerwerweJHKjhkdsjhkhj", oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
  11. 11. OAuth 2.0 : Client Credentials curl -v -X POST --basic -u 588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b ] -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8” -d "client_id=588997174524690&grant_type=client_credentials" https://graph.facebook.com/oauth/access_token
  12. 12. Kerberos / NTLM  Can be implemented as OAuth 2.0 grant types
  13. 13. Auditing / Monitoring
  14. 14. Chained APIs
  15. 15. Decoupling Authorization Server from Resource Server
  16. 16. Decoupling Authorization Server from Resource Server POST /introspection HTTP/1.1 Accept: application/x-www-form-urlencoded Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 token=X3241Affw.4233-99JXJ&resource_id=… { "active": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": http://example.org/protected-resource/* }
  17. 17. Externalizing Authorization
  18. 18. XACML
  19. 19. OAuth & XACML  A given access token has a scope associated with it and it governs the access token’s capabilities  A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.  token=gfgew789hkhjkew87 resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
  20. 20. XACML Request <Request> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue> </Attribute> <Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue> </Attribute> </Attributes> </Request>
  21. 21. XACML Policy <Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> user_activities</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule> </Policy>
  22. 22. Cross-Domain API Access
  23. 23. Cross-Domain API Access curl -X POST -u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa” -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2 bearer&assertion=PHNhbWxwOl...[omitted for brevity]...ZT4" https://localhost:9443/oauth2/token
  24. 24. Centralized Authorization with Distributed Resource Servers
  25. 25. User Managed Access • PAT (Protection API Token) : Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner. • AAT (Authorization API Token) : Token issued to the Client to access the Authorization API (Authorization Server) • RPT (Requesting Party Token) : Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.
  26. 26. Contact us !
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×