apidays LIVE LONDON - The Road to Embedded Finance, Banking and Insurance with APIs
Hypermedia API for Secure, Seamless User Authentication
Travis Spencer, CEO at Curity
2. • Need for a hypermedia authentication API
• How it works (compared to a browser-based solution)
• Demo
• Client identification using attestation
• Contextualizing authentication based on first- or third-party app
Agenda
3. • Avoid customer drop-off during login
• Seamless login & authorization of mobile & web apps
• Control UX
• Reduce frequency & friction involved in login
• Regulatory compliance
Requirements Driving Need for API
4. • Control branding / look & feel of login views
• Use technologies & techniques teams already use
  • Client-side JavaScript frameworks for web
  • Mobile apps want to use native UI widgets
• Safe and private
Requirements Driving Need for API
5. • Browser-based login can be full of friction & non-compliant with regulation
• Browsers are on a death march to kill third-party cookies
• Non-experts are inventing unsafe APIs & shoehorning them into OAuth
  • Using ROPC (resource owner password credentials) and even smuggling MFA through it
Challenge to Meet Requirements
6. • REST architectural pattern lends itself to the problem of login
• User authentication without a browser
• All authentication methods (including federation) can work
• Supports (client-side and/or server-side) localization
• Existing clients are unaffected
Hypermedia is the Solution
10. [Diagram] Token management: app to server (back-channel), through the API. User authentication: browser to server (front-channel), with server-side HTML rendering and page post-backs.
11. [Diagram] Token management: app to server (back-channel), through the API. User authentication: also app to server, through the API.
Remove the need for the browser
18. • Method to assert application identity characteristics
  • Android’s package ID and signature certificate
  • iOS’s app ID (Apple team ID + app bundle ID)
• Provided by the application’s execution platform
  • Android Key Attestation
  • iOS Application Attestation
Application Attestation
19. [Diagram] The client app holds a dpop-private-key and calls HAAPI with two headers:
Authorization: DPoP haapi-access-token
DPoP: dpop-proof-token
HAAPI responds with { … hypermedia-based authentication state response … }
HAAPI is an API, therefore:
• All accesses require an haapi-access-token
• With key proof-of-possession using DPoP
• To authenticate the client application
20. [Diagram] The client app holds a dpop-private-key and first calls the Token Endpoint:
DPoP: dpop-proof-token
grant_type=client_credentials
client_assertion_type=urn:se:curity:attestation:client
client_assertion=client-attestation-token
The Token Endpoint responds with {"token_type": "DPoP", "access_token": "haapi-access-token", … }
The app then calls HAAPI with Authorization: DPoP haapi-access-token and DPoP: dpop-proof-token, and receives { … hypermedia-based authentication state response … }
haapi-access-token obtained:
• Via an OAuth 2.0 token request
• Using the OAuth 2.0 Assertion Framework (RFC 7521)
• Based on an attestation-based assertion/token.
22. [Diagram] The client app's private-key is hardware stored. Three calls are shown:
1. App to Attestation Endpoint: X.509 certificate binding the public-key to the app identity and execution environment
   Response: {"cat": "client-attestation-token", … }
2. App to Token Endpoint, with DPoP: dpop-proof-token:
   grant_type=client_credentials
   client_assertion_type=urn:se:curity:attestation:client
   client_assertion=client-attestation-token
   Response: {"token_type": "DPoP", "access_token": "haapi-access-token", … }
3. App to HAAPI, with Authorization: DPoP haapi-access-token and DPoP: dpop-proof-token
   Response: { … hypermedia-based authentication state response … }
The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.
26. Attestation
• Attestation binds public-key to
  • app identity
  • and execution environment (e.g. non-rooted device)
• Private-key remains stored in the device (hardware-backed)
• On all HAAPI interactions, client app proves possession of this private-key
27. Attestation
• Android Attestation binds public-key to
  • app identity
  • and execution environment (e.g. non-rooted device)
• Private-key remains stored in the device (hardware-backed)
• On all HAAPI interactions, client app proves possession of this private-key
• Using standards-based solutions
  • OAuth 2.0 DPoP – access tokens with proof-of-possession
  • OAuth 2.0 Assertion framework – attestation-based client authentication
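Added example, not from the slides or from Curity's product: a self-contained Go sketch of the proof-of-possession half of the flow on slides 19 to 22 and 27. The app signs one DPoP proof per request (RFC 9449) with an ES256 key; the token endpoint verifies the proof and records the key's RFC 7638 thumbprint, which a DPoP-bound access token carries as cnf.jkt; HAAPI then verifies the next proof and requires it to come from that same key. The URLs under idsvr.example, the claim window and the in-memory key are constructed assumptions; the attestation endpoint, the client-attestation-token and the access token's own encoding are out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ecJWK is the public key carried in the proof's "jwk" header; field order is the RFC 7638
// canonical order (crv, kty, x, y), so json.Marshal of it is exactly the thumbprint input.
type ecJWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type dpopHeader struct {
	Typ string `json:"typ"` // must be "dpop+jwt"
	Alg string `json:"alg"` // "ES256" in this example
	JWK ecJWK  `json:"jwk"`
}
type dpopClaims struct {
	JTI string `json:"jti"` // unique per proof; a server also keeps a replay cache of seen values
	HTM string `json:"htm"` // HTTP method of the request the proof covers
	HTU string `json:"htu"` // request URI without query or fragment
	IAT int64  `json:"iat"`
}

// jwkThumbprint (RFC 7638) is the value a DPoP-bound access token carries as cnf.jkt.
func jwkThumbprint(j ecJWK) string {
	canon, _ := json.Marshal(j) // required members only, lexicographic order, no whitespace
	sum := sha256.Sum256(canon)
	return b64url(sum[:])
}

// MakeDPoPProof produces the value of the "DPoP:" request header for one HTTP request (RFC 9449).
func MakeDPoPProof(priv *ecdsa.PrivateKey, htm, htu string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // cannot fail from Go 1.24 on; earlier versions only fail without an OS entropy source
	jwk := ecJWK{Crv: "P-256", Kty: "EC", X: b64url(priv.X.FillBytes(make([]byte, 32))), Y: b64url(priv.Y.FillBytes(make([]byte, 32)))}
	hdr, _ := json.Marshal(dpopHeader{Typ: "dpop+jwt", Alg: "ES256", JWK: jwk})
	pl, _ := json.Marshal(dpopClaims{JTI: b64url(jti), HTM: htm, HTU: htu, IAT: now.Unix()})
	input := b64url(hdr) + "." + b64url(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: r || s
	return input + "." + b64url(sig), nil
}

// VerifyDPoPProof checks a proof against the request it arrived with and returns its key's thumbprint.
// With expectedJKT set to the cnf.jkt of the presented access token, the proof must come from that key.
func VerifyDPoPProof(proof, htm, htu string, now time.Time, expectedJKT string) (string, error) {
	parts := strings.Split(proof, ".")
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	var hdr, cl = dpopHeader{}, dpopClaims{}
	if len(parts) != 3 || json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &cl) != nil {
		return "", fmt.Errorf("malformed proof JWT")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.JWK.X)), Y: new(big.Int).SetBytes(dec(hdr.JWK.Y))}
	_, keyErr := pub.ECDH() // fails for a point that is not on P-256
	sig, digest := dec(parts[2]), sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	switch {
	case hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256":
		return "", fmt.Errorf("unexpected typ, alg or jwk")
	case keyErr != nil || len(sig) != 64:
		return "", fmt.Errorf("bad key or signature encoding")
	case !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return "", fmt.Errorf("signature does not verify under the embedded jwk")
	case cl.HTM != htm || cl.HTU != htu || cl.JTI == "":
		return "", fmt.Errorf("proof does not cover this request")
	case now.Unix()-cl.IAT < -60 || now.Unix()-cl.IAT > 300:
		return "", fmt.Errorf("proof outside the acceptance window")
	case expectedJKT != "" && jwkThumbprint(hdr.JWK) != expectedJKT:
		return "", fmt.Errorf("proof key does not match the token's cnf.jkt")
	}
	return jwkThumbprint(hdr.JWK), nil
}

func main() {
	// Constructed walk-through; on a real device the private key stays in the hardware-backed keystore.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p1, _ := MakeDPoPProof(priv, "POST", "https://idsvr.example/oauth/token", time.Now())
	jkt, err := VerifyDPoPProof(p1, "POST", "https://idsvr.example/oauth/token", time.Now(), "") // token endpoint binds the key
	p2, _ := MakeDPoPProof(priv, "GET", "https://idsvr.example/authn", time.Now())
	_, err2 := VerifyDPoPProof(p2, "GET", "https://idsvr.example/authn", time.Now(), jkt) // HAAPI: same key required
	fmt.Println("bound jkt:", jkt, err, "| HAAPI accepts proof:", err2 == nil)
}
```

Two things a production verifier adds that this sketch leaves out: a replay cache keyed on jti (and, optionally, a server-issued DPoP nonce) so a captured proof cannot be presented twice within the acceptance window, and the check that the Authorization header actually uses the DPoP scheme, since a bearer presentation of a DPoP-bound token must be refused. The private key in this sketch is generated in process purely for illustration; the slides' point is that on the device it is hardware stored and never leaves the keystore, so only the signing call, not the key, is visible to the app code.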
28. 1. Once the app is identified
2. First- or third-party status can be determined
3. Requirement for MFA + signed consent can be judged
Attestation Provides Context
29. • Hypermedia is a perfect fit for a login API
• Removes need for browser
• Need to identify client using attestation
• Determine how authentication & consent must be performed based on first- or third-party publisher
Conclusion