@mooreds
Protecting Your APIs
Dan Moore
Longhorn PHP 2023
Let’s Get Going
● Let’s call and modify an API
● Let me know if you have any issues with the workshop
https://fusionauth.link/longhorn-php-protecting-apis
Workshop Nuts And Bolts
https://fusionauth.link/longhorn-php-protecting-apis
User survey
● Have built an API?
● Used PHP?
● Used framework?
Intro
About FusionAuth
● FusionAuth is the authentication and authorization platform built for developers, by developers.
● FusionAuth solves the problem of building essential user security without adding risk or distracting from the primary application.
About This Talk
About Me
● Who cares
Questions?
● Raise your hand, please
Meet Your Neighbor
● Introduce yourself
● Ask a question
○ Have you ever built an API?
○ Favorite PHP framework?
○ What was your favorite joke?
API Basics
Why Use APIs
● Stands for Application Programming Interface
● Let computers and people access data and perform operations
JSON HTTP APIs
● Commonly used to integrate software
○ Mobile devices
○ Javascript in the browser
○ Server side services
How an API Call Works
[Diagram: a client makes a request to the Joke API (jokes) and gets a response]
JSON HTTP APIs
{
  "joke": "Chuck Norris doesn't read books. He stares them down until he gets the information he wants."
}
Service to Service API Request
[Diagram: the Email API calls the Joke API (jokes)]
How Does the Client Get Authenticated
[Diagram: a client calls the Joke API (jokes); the request is rejected (X)]
Questions?
Back To Instruqt
API Keys
API Keys
[Diagram: the client sends Authorization: mf3MjsQy0EE3dFTAkjHz to the Joke API, which knows the key mf3MjsQy0EE3dFTAkjHz]
API Keys
● Arbitrary string
● Delivered to known user
● Used by developers
● Static
● Can be in header, cookie, form parameter
API Key Strengths
● Easy to understand
● Tied to one user
● Easy to implement
● Can be viewed by user if they forget
● Good library and framework support
API Key Weaknesses
● Risks of embedding
● Good forever
● Credential stored in database
Questions?
Back To Instruqt
Hashed API Keys
[Diagram: the client calls Generate API Key on the Joke API; the Joke API returns mf3MjsQy0EE3dFTAkjHz to the client but stores only its hash, 44cc9621613fabd3e3d4c41445f475b106f48037c5b12ae1bc92b5581f581e69, in the keys table]
[Diagram: the client sends Authorization: mf3MjsQy0EE3dFTAkjHz; the Joke API checks it against the hashes in the keys table]
Hashed API Keys
● Same as API keys
● Hashed at rest (serverside)
Hashed API Key Strengths
● Safe to store in db
Hashed API Key Weaknesses
● One time display
Questions?
Break
Chat With Your Neighbor
● What is the most powerful API you’ve ever seen?
● What are you working on that is most interesting right now?
Back To Instruqt
Scoped API Keys
Multiple Operations
Scoped API Keys
[Diagram: the client calls Generate API Key on the Joke API; the Joke API returns mf3MjsQy0EE3dFTAkjHz and stores its hash in the keys table together with the scope read-all]
[Diagram: the client sends Authorization: mf3MjsQy0EE3dFTAkjHz; the Joke API looks the key up in the keys table and asks: read-all?]
mf3MjsQy0EE3dFTAkjHz == read/read all
wCuJL0yCiOAVdDWule3L == read
Scoped API Keys
● Just like hashed API keys
● N scopes
Scoped API Key Strengths
● Granular access limits
Scoped API Key Weaknesses
● Combinatorial explosion
● More complex
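Added example (not the workshop's own code) covering both the hashed API key slides and the scoped API key slides: issue a key, store only its SHA-256 hash plus its scopes, and authorize a request against that store. The `$keys` array standing in for the keys table, and the owner names, are assumptions.

```php
<?php
// Added example, not code from the workshop: issue an API key, store only its
// SHA-256 hash together with its scopes, and authorize a request against that
// store. The "keys" table is simulated by the $keys array (an assumption).

declare(strict_types=1);

// Generate a random key, persist its hash and scopes, and return the plaintext.
// The plaintext is shown exactly once: nothing stored can reproduce it later.
function issueApiKey(array &$keys, string $owner, array $scopes): string
{
    $plaintext = rtrim(strtr(base64_encode(random_bytes(24)), '+/', '-_'), '=');
    // A fast hash is fine here: the key is 192 bits of randomness, not a
    // password, so an offline guessing attack on a leaked hash is hopeless.
    $keys[hash('sha256', $plaintext)] = ['owner' => $owner, 'scopes' => $scopes];
    return $plaintext;
}

// Hash the presented key and look it up, as a database would by the hash
// column. Returns the stored record or null.
function lookupApiKey(array $keys, string $presented): ?array
{
    return $keys[hash('sha256', $presented)] ?? null;
}

// Authorize one operation: the key must exist and carry the required scope.
// Returns the key's record (so the caller knows who is calling) or null.
function authorize(array $keys, ?string $authorization, string $requiredScope): ?array
{
    if ($authorization === null || $authorization === '') {
        return null;
    }
    $record = lookupApiKey($keys, $authorization);
    if ($record === null || !in_array($requiredScope, $record['scopes'], true)) {
        return null;
    }
    return $record;
}

// Demo: two keys with different scopes, mirroring the read/read-all split in
// the slides, but freshly generated rather than the values shown there.
$keys = [];
$readAllKey = issueApiKey($keys, 'dan', ['read', 'read-all']);
$readKey    = issueApiKey($keys, 'trivette', ['read']);

$attempts = [[$readAllKey, 'read-all'], [$readKey, 'read-all'], [$readKey, 'read'], ['bogus', 'read']];
foreach ($attempts as [$key, $scope]) {
    $who = authorize($keys, $key, $scope);
    printf("%-8s %s\n", $scope, $who === null ? 'denied' : 'allowed for ' . $who['owner']);
}
```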
Questions?
In Instruqt, This Message is OKAY
Composer is operating significantly slower than normal because you do not have the PHP curl extension enabled.
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Back To Instruqt
JWTs
What Is a JWT
● RFC 7519
● Timebound token
● Has structure
● Can be encrypted
● Has integrity checks
● Often used to represent identity
JWT Structure
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJmdXNpb25hdXRoLmlvIiwiZXhwIjoxNjk3NzQxMTM1LCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwicm9sZXMiOlsiUkVUUklFVkVfSk9LRVMiXX0.r44ylf2qM5WqVqU_wg5QpceOtOhkq8Hdha6tCdfn7g8

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
===
{"typ":"JWT","alg":"HS256"}

eyJpc3MiOiJmdXNpb25hdXRoLmlvIiwiZXhwIjoxNjk3NzQxMTM1LCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwicm9sZXMiOlsiUkVUUklFVkVfSk9LRVMiXX0=
===
{"iss":"fusionauth.io","exp":1697741135,"aud":"238d4793-70de-4183-9707-48ed8ecd19d9","sub":"19016b73-3ffa-4b26-80d8-aa9287738677","name":"Dan Moore","roles":["RETRIEVE_JOKES"]}

r44ylf2qM5WqVqU_wg5QpceOtOhkq8Hdha6tCdfn7g8
===
signature
JWT Body
{
  "iss": "fusionauth.io",
  "exp": 1697741135,
  "aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
  "sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
  "name": "Dan Moore",
  "roles": [
    "RETRIEVE_JOKES"
  ]
}
Questions?
Back To Instruqt
Protecting an API With JWTs
JWTs and APIs
[Diagram: the client obtains a JWT (eyJ0eX…) from the JWT Generator, sends Authorization: eyJ0eX… to the Joke API, and the Joke API answers {"joke":"Chuck Norris once roundhouse kicked someone so hard that his foot broke the speed of light"}]
Why Use a JWT
● Structure
● Standards
● Standalone
● Timebound
Validation: How
● Check signature
○ With a library
● Check claims
○ Standard
○ Custom
Validation: Where
● At the API
● At the Gateway
● Everywhere
Validation: What
Validate the Issuer, the Expiration and the Audience
{
  "iss": "fusionauth.io",
  "exp": 1697741135,
  "aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
  "sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
  "name": "Dan Moore",
  "roles": [
    "RETRIEVE_JOKES", "RETRIEVE_ALL_JOKES"
  ]
}
JWTs and APIs
[Diagram: the JWT Generator issues a token; the client sends Authorization: eyJ0eX… to the Joke API and to the Accounting API]
Validate
[Each API validates the same claims shown above before trusting the token]
Signing Algorithm Types
● Symmetric (HS256)
○ Faster
○ Simpler
○ Secret distribution
● Asymmetric (RS256, ES256)
○ Slower
○ Better library support
○ Public/private keys
JWT Structure
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
===
{"typ":"JWT","alg":"HS256"}
Shared Secret
require __DIR__ . '/hmac_secret.php';
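Added example, not code from the workshop, showing what a JWT library does for you on the "Validation" and "Shared Secret" slides: check the HS256 signature with the shared secret, then check iss, exp and aud. The `$secret` value and the `$now` timestamp are assumptions; the token is signed inline because the slides' secret is not on the page.

```php
<?php
// Added example (not the workshop's code): verify an HS256 JWT by hand and then
// check the iss, exp and aud claims. Use a library in production; this shows
// what that library must do. $secret stands in for hmac_secret.php (assumed).

declare(strict_types=1);

function base64UrlDecode(string $data): string
{
    $padded = str_pad(strtr($data, '-_', '+/'), (int) ceil(strlen($data) / 4) * 4, '=');
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('malformed base64url segment');
    }
    return $decoded;
}

// Returns the decoded claims on success and throws on any failure.
function validateJwt(string $jwt, string $secret, string $expectedIss, string $expectedAud, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('token must have three segments');
    }
    [$headerB64, $payloadB64, $signatureB64] = $parts;

    $header = json_decode(base64UrlDecode($headerB64), true, 8, JSON_THROW_ON_ERROR);
    // Pin the algorithm: the header must not be allowed to pick it ("none" included).
    if (($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('unexpected alg');
    }

    // The signature covers header and payload exactly as they arrived.
    $expected = hash_hmac('sha256', $headerB64 . '.' . $payloadB64, $secret, true);
    if (!hash_equals($expected, base64UrlDecode($signatureB64))) {
        throw new RuntimeException('bad signature');
    }

    $claims = json_decode(base64UrlDecode($payloadB64), true, 8, JSON_THROW_ON_ERROR);
    if (($claims['iss'] ?? null) !== $expectedIss) {
        throw new RuntimeException('wrong issuer');
    }
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) {
        throw new RuntimeException('token expired or has no exp');
    }
    // aud may be a single string or an array of strings (RFC 7519 section 4.1.3).
    $aud = (array) ($claims['aud'] ?? []);
    if (!in_array($expectedAud, $aud, true)) {
        throw new RuntimeException('token not intended for this API');
    }
    return $claims;
}

// Demo: sign a token with the claims from the slides, then validate it.
$secret = 'replace-with-the-value-from-hmac_secret.php'; // assumed
$encode = fn(array $a) => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$head = $encode(['typ' => 'JWT', 'alg' => 'HS256']);
$body = $encode(['iss' => 'fusionauth.io', 'exp' => 1697741135,
    'aud' => '238d4793-70de-4183-9707-48ed8ecd19d9',
    'sub' => '19016b73-3ffa-4b26-80d8-aa9287738677', 'roles' => ['RETRIEVE_JOKES']]);
$sig = rtrim(strtr(base64_encode(hash_hmac('sha256', "$head.$body", $secret, true)), '+/', '-_'), '=');

$claims = validateJwt("$head.$body.$sig", $secret, 'fusionauth.io',
    '238d4793-70de-4183-9707-48ed8ecd19d9', 1697740000 /* "now", before exp */);
print_r($claims['roles']);
```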
Questions?
Break
Stand Up and/or Talk To Your Neighbor
● What APIs have you built?
● What was your first PHP framework?
● Who could possibly beat Chuck Norris in a fight?
Back To Instruqt
Using An Auth Server
Auth Server
[Diagram: Joke API and Auth Server; the Auth Server holds a Public key and a Private key]
Auth Server And APIs
[Diagram: the client obtains a JWT (eyJ0eX…) from the Auth Server, signed by the private key held in the auth server; the client sends Authorization: eyJ0eX… to the Joke API, which needs the public key to be able to validate the signature, and receives {"joke":"Chuck Norris once roundhouse kicked someone so hard that his foot broke the speed of light"}]
Retrieving Public Keys
Two Ways To Get Public Keys
[Diagram: Joke API and Auth Server]
Deploy Time
At Deploy Time
[Diagram: Joke API and Auth Server; the public key is provided to the Joke API at deploy time]
Run Time
At Run Time
[Diagram: the client sends Authorization: eyJ0eX… to the Joke API; the Joke API retrieves the public keys from the Auth Server at https://example.com/.well-known/jwks.json]
Which Public Key
{"typ":"JWT","alg":"RS256","kid":"cmIG9qeeEjS6a83p_Qy4ZRxBfNA"}
Distribution Considerations
● Network connectivity
● Rotation
● Caching
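Added example (not the workshop's code) for the run-time case and the three distribution considerations above: a small cache in front of the auth server's JWKS endpoint that serves cached keys when the network is down, refreshes once when an unknown kid shows up (rotation), and rate-limits those refreshes. The fetcher callable, the TTL and cooldown values, and the JWKS document below are all constructed for the demo.

```php
<?php
// Added example, not code from the workshop: cache the auth server's JWKS and
// select a key by the kid from the JWT header. Handles network connectivity
// (keep serving cached keys if a fetch fails), rotation (an unknown kid triggers
// one refresh) and caching (TTL plus a refresh cooldown, so a flood of bad
// tokens cannot become a flood of JWKS fetches). The fetcher is assumed.

declare(strict_types=1);

final class JwksCache
{
    private array $keysByKid = [];
    private int $fetchedAt = 0;

    public function __construct(
        private $fetcher,            // callable(): string, returns the JWKS JSON body, throws on network error
        private int $ttlSeconds = 3600,
        private int $refreshCooldown = 60,
    ) {}

    // Returns the JWK array for $kid, or null if the auth server does not publish it.
    public function getKey(string $kid, int $now): ?array
    {
        if ($this->fetchedAt === 0 || $now - $this->fetchedAt > $this->ttlSeconds) {
            $this->refresh($now);
        }
        if (!isset($this->keysByKid[$kid]) && $now - $this->fetchedAt >= $this->refreshCooldown) {
            // Unknown kid: the auth server may have rotated its keys. Refresh once.
            $this->refresh($now);
        }
        return $this->keysByKid[$kid] ?? null;
    }

    private function refresh(int $now): void
    {
        try {
            $doc = json_decode(($this->fetcher)(), true, 16, JSON_THROW_ON_ERROR);
        } catch (Throwable $e) {
            // Network or parse failure: keep whatever we already have.
            if ($this->fetchedAt === 0) {
                throw new RuntimeException('no cached keys and the JWKS fetch failed', 0, $e);
            }
            $this->fetchedAt = $now; // back off rather than retry on every request
            return;
        }
        $fresh = [];
        foreach ($doc['keys'] ?? [] as $jwk) {
            if (isset($jwk['kid'])) {
                $fresh[$jwk['kid']] = $jwk;
            }
        }
        $this->keysByKid = $fresh;
        $this->fetchedAt = $now;
    }
}

// Constructed JWKS document using the kid from the "Which Public Key" slide;
// the modulus is omitted because it is not on the page.
$jwks = '{"keys":[{"kty":"RSA","kid":"cmIG9qeeEjS6a83p_Qy4ZRxBfNA","alg":"RS256",'
      . '"use":"sig","n":"<modulus omitted>","e":"AQAB"}]}';
$cache = new JwksCache(fn() => $jwks);
$key = $cache->getKey('cmIG9qeeEjS6a83p_Qy4ZRxBfNA', time());
// Hand $key to your JWT library's RS256 verifier; a null here means "reject the token".
```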
What This Enables
● Separation of concerns
● PII isolation
Auth Server And APIs
[Diagram: Joke API and Auth Server, labelled Organization A and Organization B]
What About the Client
[Diagram: the client, the Joke API and the Auth Server]
Questions?
Back To Instruqt
The Authorization Code Grant
You Just Did It!
● Start at the app
● Go to the authorization server
● Authenticate
● Sent back to the app
● App exchanges code for token(s)
● Store the token(s)
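Added example, not the workshop app's code, walking the six steps above as plain functions: build the redirect with a state value, check that state on the callback, exchange the code, and store the token as an HttpOnly, Secure cookie (the first-party browser storage the deck recommends later). The authorization server URLs, client id, redirect URI, scopes, cookie name and the `$post` callable are assumptions.

```php
<?php
// Added example (not the workshop's app code): the authorization code grant as
// plain functions. URLs, client id, redirect URI, scopes, cookie name and the
// $post callable (which performs the HTTPS POST to the token endpoint) are all
// assumed; $session stands in for whatever server-side session store you use.

declare(strict_types=1);

const AUTHORIZE_URL = 'https://auth.example.com/oauth2/authorize'; // assumed
const TOKEN_URL     = 'https://auth.example.com/oauth2/token';     // assumed
const CLIENT_ID     = 'your-client-id';                            // assumed
const REDIRECT_URI  = 'https://joke.example.com/callback';         // assumed

// Steps 1-2: start at the app and redirect to the authorization server. The
// random state is kept in the session so the callback can be tied to this browser.
function buildAuthorizeUrl(array &$session): string
{
    $session['oauth_state'] = bin2hex(random_bytes(16));
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'openid offline_access', // assumed
        'state'         => $session['oauth_state'],
    ]);
}

// Steps 4-5: the user is sent back with ?code=...&state=...; verify the state,
// then exchange the code for tokens. $post(url, fields) returns the JSON body.
function handleCallback(array &$session, array $query, string $clientSecret, callable $post): array
{
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']); // single use, whether or not it matches
    $given = $query['state'] ?? null;
    if ($expected === null || !is_string($given) || !hash_equals($expected, $given)) {
        throw new RuntimeException('state mismatch: callback does not belong to this session');
    }
    if (!isset($query['code'])) {
        throw new RuntimeException('no code returned: ' . ($query['error'] ?? 'unknown error'));
    }
    $tokens = json_decode($post(TOKEN_URL, [
        'grant_type'    => 'authorization_code',
        'code'          => $query['code'],
        'redirect_uri'  => REDIRECT_URI,
        'client_id'     => CLIENT_ID,
        'client_secret' => $clientSecret,
    ]), true, 8, JSON_THROW_ON_ERROR);
    if (!isset($tokens['access_token'], $tokens['expires_in'])) {
        throw new RuntimeException('token endpoint returned no access_token');
    }
    return $tokens;
}

// Step 6: store the token. For a browser client on the app's own domain, an
// HttpOnly, Secure cookie keeps it out of reach of page JavaScript.
function storeTokenCookie(string $accessToken, int $expiresIn): void
{
    setcookie('app.at', $accessToken, [   // cookie name assumed
        'expires'  => time() + $expiresIn,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```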
Token Security
Bearer Tokens
[Diagram: a bad actor who obtains the jwt presents it to the Joke API and receives {"joke":"Chuck Norris once roundhouse kicked someone so hard that his foot broke the speed of light"}, just as the legitimate client would]
In Transit
● Use HTTPS
● Never in any place that could be logged or intercepted
○ Query parameters
At Rest
● Use secure storage based on your client
○ Secure storage or keychain on mobile
○ HTTPOnly, Secure cookies on browser
○ Encrypted on disk or in db for server
First Party and Third Party APIs
How Many People Have Software Clients That Are Not Browsers?
First Party and Third Party APIs
● Matters for browser based apps
● Others not an issue
○ Service to service
○ Mobile apps
○ Desktop apps
When the Client Is a Browser
[Diagram: the browser holds eyJ0eX… obtained from auth.example.com and wants to call an API at ??.com]
First Party
[Diagram: joke.example.com and auth.example.com; eyJ0eX… can be stored as a cookie safely and is sent as a cookie to joke.example.com]
Domain Names Match
Third Party
[Diagram: chuck-norris-apis.com and auth.example.com; eyJ0eX… can be stored safely on the browser, but a cookie for auth.example.com is not sent to chuck-norris-apis.com (X)]
Domain Names Don’t Match
Instead Use the BFF
BFF
[Diagram: the browser holds eyJ0eX… or a session for bff.example.com; bff.example.com holds the eyJ0eX… issued by auth.example.com and uses it when calling chuck-norris-apis.com]
Third Party
[Diagram: chuck-norris-apis.com, auth.example.com and bff.example.com]
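Added example, not code from the workshop, of the BFF pattern above for the third-party case: the browser authenticates to bff.example.com with its session, and the BFF attaches the bearer token for chuck-norris-apis.com server-side so the token never reaches the browser. The route allow-list, the `$session` shape and the `$upstream` HTTPS client callable are assumptions; the upstream response is constructed.

```php
<?php
// Added example (not the workshop's code): a minimal BFF endpoint for the
// third-party case. The browser authenticates to bff.example.com with a session
// cookie; the bearer token for chuck-norris-apis.com stays on the server.
// $session, the allow-list and $upstream (the HTTPS client) are assumed.

declare(strict_types=1);

const UPSTREAM_BASE = 'https://chuck-norris-apis.com';  // domain from the slides
const ALLOWED_PATHS = ['/jokes', '/jokes/random'];      // assumed allow-list

// Proxy one GET to the third-party API on behalf of the logged-in browser user.
// Returns [status, body]. $upstream(url, headers) also returns [status, body].
function bffProxy(array $session, string $path, callable $upstream): array
{
    // 1. The browser must have a server-side session that holds the token.
    $token = $session['access_token'] ?? null;
    if (!is_string($token) || $token === '') {
        return [401, '{"error":"not logged in"}'];
    }
    // 2. Forward only routes we intend to expose, so the BFF is not an open proxy.
    if (!in_array($path, ALLOWED_PATHS, true)) {
        return [404, '{"error":"unknown route"}'];
    }
    // 3. Attach the token server-side; it is never written into the response.
    [$status, $body] = $upstream(UPSTREAM_BASE . $path, [
        'Authorization: Bearer ' . $token,
        'Accept: application/json',
    ]);
    // 4. A 401 from upstream usually means the token expired. Tell the browser to
    //    re-authenticate instead of echoing the upstream error verbatim.
    if ($status === 401) {
        return [401, '{"error":"session expired"}'];
    }
    return [$status, $body];
}

// Constructed upstream for the demo: answers with the joke from the slides
// only when a bearer token is present.
$fakeUpstream = function (string $url, array $headers): array {
    $hasToken = preg_grep('/^Authorization: Bearer .+/', $headers) !== [];
    return $hasToken
        ? [200, '{"joke":"Chuck Norris once roundhouse kicked someone so hard that his foot broke the speed of light"}']
        : [401, '{"error":"unauthorized"}'];
};

[$status, $body] = bffProxy(['access_token' => 'eyJ0eX…'], '/jokes', $fakeUpstream);
echo $status, ' ', $body, "\n";
[$status, $body] = bffProxy([], '/jokes', $fakeUpstream);            // no session
echo $status, ' ', $body, "\n";
[$status, $body] = bffProxy(['access_token' => 'eyJ0eX…'], '/admin', $fakeUpstream); // not allow-listed
echo $status, ' ', $body, "\n";
```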
Other Third Party API Attributes
● You don’t control them
● User may be authenticated at a different auth server
● OAuth Scopes may be used to limit access
○ Read
○ Write
● May have other business rules
Questions?
Back To Instruqt
API Gateways
API Gateway
[Diagram: the client sends eyJ0eX… to gw.example.com, which sits in front of the Joke API and the Email API]
Benefits Of Using a Gateway
● Can be shared across many APIs
● Declarative syntax simpler to understand
● Offer other functionality
● Can stop errant requests before your code ever sees them
Weaknesses
● Not flexible enough to verify non standard claims
● Additional architectural complexity
Other Options To Protect APIs
Network Layer Protection
● VPN or internal network configuration
Encrypted JWTs
● Provide secrecy as well as integrity checks
Sessions
● Cookie based
● Require stateful routing
● May have scale issues
Other API Concerns
Impersonation
● Letting admin users “take action” as another user
● Allow escalated privileges via API key or JWT
On Behalf Of
● Useful for chaining API calls
● Service A gets a token for user Trivette, wants to call service B on behalf of him
Wrapping Up
Evolution of API protection
● Unprotected
● API key
● Hashed API key
● Scoped API key
● JWT
● JWT issued by Identity Provider
● Storing tokens
● API Gateway
● Other options for protecting an API
What To Choose
● If you can, skip authentication
○ Rare
● Think about your API’s users
● Tradeoffs between simplicity and flexibility
Thanks & Questions
● Contact me for more info:
○ dan@fusionauth.io
○ https://twitter.com/mooreds
○ https://fusionauth.io
● Links
○ https://joind.in/event/longhorn-php-conference-2023/protecting-your-apis
○ https://fusionauth.link/lhp-modern-guide
○ FusionAuth Community Edition (free!): https://fusionauth.link/lhp-dl
○ Code for the APIs: https://fusionauth.link/lhp-php-api-github