Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Secure RESTful API
Automation With JavaScript

Jonathan LeBlanc (@jcleblanc)
Head of Developer Evangelism
PayPal North Ame...
Automation?
What JavaScript Can Feel Like
JavaScript Challenges
The Same-Origin Policy
Keeping Private Keys Private
Not Providing a Hacked Experience
How Did We Used to Do It?
Server-side Proxies
Flash / iFrame Proxies
Private Token Storage
Securing Content Negotiation
A Modern Approach

OAuth 2
Tight Access Control

CORS
Easy Access Control
OAuth 2 User Agent Flow
User Agent Flow: Redirect
Prepare the Redirect URI
Authorization Endpoint
client_id response_type (token)
scope
redirect_u...
User Agent Flow: Redirect
Building the redirect link
var auth_uri = auth_endpoint +
"?response_type=token" +
"&client_id="...
User Agent Flow: Hash Mod

Fetch the Hash Mod
access_token
refresh_token
expires_in

Extract Access Token
User Agent Flow: Hash Mod
Extracting the access token from the hash
http://site.com/callback#access_token=rBEGu1FQr5
4AzqE...
User Agent Flow: Get Resources

Set Request Headers + URI
Resource Endpoint
Header: token type + access token
Header: acce...
User Agent Flow: Get Resources
Making an authorized request
$.ajax({
url: resource_uri,
beforeSend: function (xhr) {
xhr.s...
CORS Easy Access Control
Cross Origin Issues and Options
Access to other domains / subdomains is
restricted (same origin policy)
JSONP to request r...
Can you use it?
http://caniuse.com/cors
How Does it Work?
Site sends Origin header to server
OPTIONS /v1/oauth2/token HTTP/1.1
Origin: http://jcleblanc.com
Access...
How Does it Work?
Server responds with matching
Access-Control-Allow-Origin header

Access-Control-Allow-Origin: http://jc...
A Lil’ Bit O’ Automation
Uniform Interface Sub-Constraints
Resource Identification

Resources must be manipulated via
representations
Self descript...
Uniform Interface Sub-Constraints
Resource Identification

Resources must be manipulated
via representations
Self descript...
HATEOAS
How we Normally Consume APIs
Using HATEOAS to Automate
How HATEOAS Works
You make an API request
curl -v -X GET
https://api.sandbox.paypal.com/v1/payments/authoriz
ation/2DC8761...
"links": [
{
"href":"https://api.sandbox.paypal.com/v1/payments/
authorization/6H149011U8307001M",
"rel":"self",
"method":...
Object Chaining
Interactions Should be Stateless
Send enough detail to not have to make another
request to the API
{ "id": "PAY-17S8410768...
Resources and Representations
Manipulate a concept (e.g. payment) with
the intended state
Chaining Actions
The first request builds the action object
Subsequent calls manipulate the object

var paymentObj =
getPr...
In Summation…
Security needs to allow you to work the
browser security model
Always assume statelessness
Build to allow yo...
Thanks! Questions?
http://www.slideshare.net/jcleblanc

Jonathan LeBlanc (@jcleblanc)
Head of Developer Evangelism
PayPal ...
Upcoming SlideShare
Loading in …5
×

of

Secure RESTful API Automation With JavaScript Slide 1 Secure RESTful API Automation With JavaScript Slide 2 Secure RESTful API Automation With JavaScript Slide 3 Secure RESTful API Automation With JavaScript Slide 4 Secure RESTful API Automation With JavaScript Slide 5 Secure RESTful API Automation With JavaScript Slide 6 Secure RESTful API Automation With JavaScript Slide 7 Secure RESTful API Automation With JavaScript Slide 8 Secure RESTful API Automation With JavaScript Slide 9 Secure RESTful API Automation With JavaScript Slide 10 Secure RESTful API Automation With JavaScript Slide 11 Secure RESTful API Automation With JavaScript Slide 12 Secure RESTful API Automation With JavaScript Slide 13 Secure RESTful API Automation With JavaScript Slide 14 Secure RESTful API Automation With JavaScript Slide 15 Secure RESTful API Automation With JavaScript Slide 16 Secure RESTful API Automation With JavaScript Slide 17 Secure RESTful API Automation With JavaScript Slide 18 Secure RESTful API Automation With JavaScript Slide 19 Secure RESTful API Automation With JavaScript Slide 20 Secure RESTful API Automation With JavaScript Slide 21 Secure RESTful API Automation With JavaScript Slide 22 Secure RESTful API Automation With JavaScript Slide 23 Secure RESTful API Automation With JavaScript Slide 24 Secure RESTful API Automation With JavaScript Slide 25 Secure RESTful API Automation With JavaScript Slide 26 Secure RESTful API Automation With JavaScript Slide 27 Secure RESTful API Automation With JavaScript Slide 28 Secure RESTful API Automation With JavaScript Slide 29 Secure RESTful API Automation With JavaScript Slide 30 Secure RESTful API Automation With JavaScript Slide 31 Secure RESTful API Automation With JavaScript Slide 32 Secure RESTful API Automation With JavaScript Slide 33 Secure RESTful API Automation With JavaScript Slide 34 Secure RESTful API Automation With JavaScript Slide 35 Secure RESTful API Automation With JavaScript Slide 36 Secure RESTful API Automation With JavaScript Slide 37 Secure RESTful API Automation With JavaScript Slide 38 Secure RESTful API Automation With JavaScript Slide 39
Upcoming SlideShare
RESTful API Automation with JavaScript
Next
Download to read offline and view in fullscreen.

10 Likes

Share

Download to read offline

Secure RESTful API Automation With JavaScript

Download to read offline

Pragmatic RESTful API principles, along with a solid consumption architecture, can allow for a great amount of automation in your program development. At the same time, securing the application can be extremely tricky from JavaScript.

In this session we will explore several principles behind RESTful API design and consumption using JavaScript, many of the standards that were integrated in the redevelopment of the PayPal API architecture in the new RESTful APIs.

We will cover many of these architecture standards, including:
- Building in action automation using HATEOAS
- OAuth 2 in the JavaScript model
- The challenges behind secure resource consumption through JavaScript

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Secure RESTful API Automation With JavaScript

  1. 1. Secure RESTful API Automation With JavaScript Jonathan LeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America
  2. 2. Automation?
  3. 3. What JavaScript Can Feel Like
  4. 4. JavaScript Challenges
  5. 5. The Same-Origin Policy
  6. 6. Keeping Private Keys Private
  7. 7. Not Providing a Hacked Experience
  8. 8. How Did We Used to Do It?
  9. 9. Server-side Proxies
  10. 10. Flash / iFrame Proxies
  11. 11. Private Token Storage
  12. 12. Securing Content Negotiation
  13. 13. A Modern Approach OAuth 2 Tight Access Control CORS Easy Access Control
  14. 14. OAuth 2 User Agent Flow
  15. 15. User Agent Flow: Redirect Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
  16. 16. User Agent Flow: Redirect Building the redirect link var auth_uri = auth_endpoint + "?response_type=token" + "&client_id=" + client_id + "&scope=profile" + "&redirect_uri=" + window.location; $("#auth_btn").attr("href", auth_uri);
  17. 17. User Agent Flow: Hash Mod Fetch the Hash Mod access_token refresh_token expires_in Extract Access Token
  18. 18. User Agent Flow: Hash Mod Extracting the access token from the hash http://site.com/callback#access_token=rBEGu1FQr5 4AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a& expires_in=3600 var hash = document.location.hash; var match = hash.match(/access_token=(w+)/);
  19. 19. User Agent Flow: Get Resources Set Request Headers + URI Resource Endpoint Header: token type + access token Header: accept data type HTTPS Request
  20. 20. User Agent Flow: Get Resources Making an authorized request $.ajax({ url: resource_uri, beforeSend: function (xhr) { xhr.setRequestHeader('Authorization', 'OAuth ' + token); xhr.setRequestHeader('Accept', 'application/json'); }, success: function (response) { //use response object } });
  21. 21. CORS Easy Access Control
  22. 22. Cross Origin Issues and Options Access to other domains / subdomains is restricted (same origin policy) JSONP to request resources across domains Only supports HTTP GET requests Cross-origin resource sharing (CORS) Supports additional range of HTTP requests
  23. 23. Can you use it? http://caniuse.com/cors
  24. 24. How Does it Work? Site sends Origin header to server OPTIONS /v1/oauth2/token HTTP/1.1 Origin: http://jcleblanc.com Access-Control-Request-Method: PUT Host: api.sandbox.paypal.com Accept-Language: en-US Connection: keep-alive ...
  25. 25. How Does it Work? Server responds with matching Access-Control-Allow-Origin header Access-Control-Allow-Origin: http://jcleblanc.com Access-Control-Allow-Methods: GET, POST, PUT Content-Type: text/html; charset=utf-8
  26. 26. A Lil’ Bit O’ Automation
  27. 27. Uniform Interface Sub-Constraints Resource Identification Resources must be manipulated via representations Self descriptive messages Hypermedia as the engine of application state
  28. 28. Uniform Interface Sub-Constraints Resource Identification Resources must be manipulated via representations Self descriptive messages Hypermedia as the engine of application state
  29. 29. HATEOAS
  30. 30. How we Normally Consume APIs
  31. 31. Using HATEOAS to Automate
  32. 32. How HATEOAS Works You make an API request curl -v -X GET https://api.sandbox.paypal.com/v1/payments/authoriz ation/2DC87612EK520411B -H "Content-Type:application/json" -H "Authorization:Bearer ENxom5Fof1KqAffEsXtx1HTEK__KVdIsaCYF8C"
  33. 33. "links": [ { "href":"https://api.sandbox.paypal.com/v1/payments/ authorization/6H149011U8307001M", "rel":"self", "method":"GET" },{ "href":"https://api.sandbox.paypal.com/v1/payments/ authorization/6H149011U8307001M/capture", "rel":"capture", "method":"POST" },{ "href":"https://api.sandbox.paypal.com/v1/payments/ authorization/6H149011U8307001M/void", "rel":"void", "method":"POST" } ]
  34. 34. Object Chaining
  35. 35. Interactions Should be Stateless Send enough detail to not have to make another request to the API { "id": "PAY-17S8410768582940NKEE66EQ", "create_time": "2013-01-31T04:12:02Z", "update_time": "2013-01-31T04:12:04Z", "state": "approved", "intent": "sale", "payer": {...}, "transactions": [{...}], "links": [{...}] }
  36. 36. Resources and Representations Manipulate a concept (e.g. payment) with the intended state
  37. 37. Chaining Actions The first request builds the action object Subsequent calls manipulate the object var paymentObj = getPreAuth(paymentID) .getNextAction() .processNext(); //build pay object //next HATEOAS link //process action
  38. 38. In Summation… Security needs to allow you to work the browser security model Always assume statelessness Build to allow your developers to automate complexities
  39. 39. Thanks! Questions? http://www.slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America
  • aliensurfer1

    Aug. 16, 2018
  • HectorSalazar10

    Jun. 23, 2015
  • suifengtec

    Apr. 25, 2015
  • JuliusFlywheel

    Feb. 19, 2015
  • HonNguyen

    Dec. 28, 2014
  • noirleo

    Oct. 14, 2014
  • GoutamBagchi

    Apr. 5, 2014
  • piotrlewandowski

    Apr. 1, 2014
  • coryarmbrecht

    Mar. 3, 2014
  • Ssrdjan

    Oct. 21, 2013

Pragmatic RESTful API principles, along with a solid consumption architecture, can allow for a great amount of automation in your program development. At the same time, securing the application can be extremely tricky from JavaScript. In this session we will explore several principles behind RESTful API design and consumption using JavaScript, many of the standards that were integrated in the redevelopment of the PayPal API architecture in the new RESTful APIs. We will cover many of these architecture standards, including: - Building in action automation using HATEOAS - OAuth 2 in the JavaScript model - The challenges behind secure resource consumption through JavaScript

Views

Total views

6,065

On Slideshare

0

From embeds

0

Number of embeds

97

Actions

Downloads

145

Shares

0

Comments

0

Likes

10

×