apidays LIVE LONDON - The Road to Embedded Finance, Banking and Insurance with APIs Hypermedia API for Secure, Seamless User Authentication Travis Spencer, CEO at Curity

1. Hypermedia
API for Secure, Seamless
User Authentication
By Travis Spencer, CEO

2. • Need for a hypermedia authentication API
• How it works (compared to a browser-based solution)
• Demo
• Client identification using attestation
• Contextualizing authentication based on first- or third-party app
Agenda

3. • Avoid customer dropoff during login
• Seamless login & authorization of mobile & web apps
• Control UX
• Reduce frequency & friction involved in login
• Regulatory compliance
Requirements Driving Need for API

4. • Control branding / look & feel of login views
• Use technologies & techniques teams already use
• Client-side JavaScript frameworks for web
• Mobile apps want to use native UI widgets
• Safe and private
Requirements Driving Need for API

5. • Browser-based login can be frictionful & non-compliant with
regulation
• Browsers are on a death march to kill third-party cookies
• Non-experts are inventing unsafe APIs & shoehorning into OAuth
• Using ROPC and even smuggling MFA through it
Challenge to Meet Requirements

6. • REST architectural pattern lends itself to the problem of login
• User authentication without a browser
• All authentication methods (including federation) can work
• Supports (client-side and/or server-side) localization
• Existing clients are unaffected
Hypermedia is the Solution

7. API
Token Management
App to Server (back-channel)

8. API
Token Management
App to Server (back-channel)
User Authentication
Browser to Server (front-channel)

9. API
Token Management
App to Server (back-channel)
User Authentication
Browser to Server (front-channel)

10. API
Token Management
App to Server (back-channel)
User Authentication
Browser to Server (front-channel)
Server-side HTML rendering
with page post-backs

11. API
Token Management
App to Server (back-channel)
User Authentication
App to Server
API
Remove the need for the browser

12. Initial request
Hypermedia-based API

13. Initial request
Authentication Step – Available Actions and Links
Hypermedia
Hypermedia-based API

14. Initial request
Authentication Step – Available Actions and Links
User provided information
Hypermedia
Hypermedia-based API

15. Initial request
Authentication Step – Available Actions and Links
User provided information
Hypermedia
Hypermedia-based API

16. Initial request
Authentication Step – Available Actions and Links
User provided information
Authentication Result
Hypermedia
Hypermedia-based API

17. Demo

18. • Method to assert application identity characteristics
• Android’s package ID and signature certificate
• iOS’s app ID (Apple team ID + app bundle ID)
• Provided by the application’s execution platform
• Android Key Attestation
• iOS Application Attestation
Application Attestation

19. Authorization: DPOP haapi-access-token
DPoP: dpop-proof-token HAAPI
{ … hypermedia-based authentication state response …}
dpop-private-key
HAAPI is an API, therefore:
• All accesses require an haapi-access-token
• With key proof-of-possession using DPoP
• To authenticate the client application

20. Authorization: DPOP haapi-access-token
DPoP: dpop-proof-token HAAPI
Token Endpoint
{“token_type”: “DPoP”, “access_token”: “haapi-access-token”, … }
DPoP: dpop-proof-token
grant_type=client_credentials
client_assertion_type=urn:se:curity:attestation:client
client_assertion=client-attestation-token
{ … hypermedia-based authentication state response …}
dpop-private-key
haapi-access-token obtained:
• Via an OAuth 2.0 token request
• Using the OAuth 2.0 Assertion Framework (RFC 7521)
• Based on an attestation-based assertion/token.
dpop-private-key

21. Authorization: DPOP haapi-access-token
DPoP: dpop-proof-token HAAPI
Token Endpoint
Attestation-specific
challenge-response protocol Attestation Endpoint
{“token_type”: “DPoP”, “access_token”: “haapi-access-token”, … }
{“cat”: “client-attestation-token”, … }
DPoP: dpop-proof-token
grant_type=client_credentials
client_assertion_type=urn:se:curity:attestation:client
client_assertion=client-attestation-token
{ … hypermedia-based authentication state response …}
dpop-private-key
dpop-private-key
device-specific
attestation mechanism

22. Authorization: DPOP haapi-access-token
DPoP: dpop-proof-token HAAPI
Token Endpoint
X.509 certificate binding the public-key
to the app identity and execution environment Attestation Endpoint
{“token_type”: “DPoP”, “access_token”: “haapi-access-token”, … }
{“cat”: “client-attestation-token”, … }
DPoP: dpop-proof-token
grant_type=client_credentials
client_assertion_type=urn:se:curity:attestation:client
client_assertion=client-attestation-token
{ … hypermedia-based authentication state response …}
hardware stored
private-key
hardware stored
private-key
hardware stored
private-key
The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.

23. Authorization: DPOP haapi-access-token
DPoP: dpop-proof-token HAAPI
Token Endpoint
X.509 certificate binding the public-key
to the app identity and execution environment Attestation Endpoint
{“token_type”: “DPoP”, “access_token”: “haapi-access-token”, … }
{“cat”: “client-attestation-token”, … }
DPoP: dpop-proof-token
grant_type=client_credentials
client_assertion_type=urn:se:curity:attestation:client
client_assertion=client-attestation-token
{ … hypermedia-based authentication state response …}
hardware stored
private-key
hardware stored
private-key
hardware stored
private-key

24. Authorization: DPOP haapi-access-token
DPoP: dpop-proof-token HAAPI
Token Endpoint
X.509 certificate binding the public-key
to the app identity and execution environment Attestation Endpoint
{“token_type”: “DPoP”, “access_token”: “haapi-access-token”, … }
{“cat”: “client-attestation-token”, … }
DPoP: dpop-proof-token
grant_type=client_credentials
client_assertion_type=urn:se:curity:attestation:client
client_assertion=client-attestation-token
{ … hypermedia-based authentication state response …}
hardware stored
private-key
hardware stored
private-key
hardware stored
private-key

25. Authorization: DPOP haapi-access-token
DPoP: dpop-proof-token HAAPI
Token Endpoint
X.509 certificate binding the public-key
to the app identity and execution environment Attestation Endpoint
{“token_type”: “DPoP”, “access_token”: “haapi-access-token”, … }
{“cat”: “client-attestation-token”, … }
DPoP: dpop-proof-token
grant_type=client_credentials
client_assertion_type=urn:se:curity:attestation:client
client_assertion=client-attestation-token
{ … hypermedia-based authentication state response …}
hardware stored
private-key
hardware stored
private-key
hardware stored
private-key

26. Attestation
• Attestation binds public-key to
• app identity
• and execution environment (e.g. non-rooted device)
• Private-key remains stored in the device (hardware-backed)
• On all HAAPI interactions, client app proves possession of this private-key

27. Attestation
• Android Attestation binds public-key to
• app identity
• and execution environment (e.g. non-rooted device)
• Private-key remains stored in the device (hardware-backed)
• On all HAAPI interactions, client app proves possession of this private-key
• Using standards-based solutions
• OAuth 2.0 DPoP - access tokens with proof-of-possession
• OAuth 2.0 Assertion framework – attestation-based client authentication

28. 1. Once the app is identified
2. First- or third-party can be determined
3. Requirement for MFA + signed consent can be judged
Attestation Provides Context

29. • Hypermedia is a perfect fit for a login API
• Removes need for browser
• Need to identify client using attestation
• Determine how authentication & consent must be performed
based on first- or third-party publisher
Conclusion

30. Thank You!
curity.io
developer.curity.io
@curityio
info@curity.io