IBM Index Conference - 10 steps to build token based API Security

"10 steps to build token based API Security" is a presentation about building robust token systems for protecting APIs. This was presented as part of Index Conference.

  1. Ten steps for Token based API Security. Senthilkumar Gopal (@sengopal | IndexConf2018)
  2. ACME Fort Knox Web Application: Browser, Traffic Limiter, Bot Check, CSRF, Input Sanitizer, Model Transform, Application Logic
  3. A Hero’s (‘real’) story: Expose APIs for 3rd Parties
  4. ACME (Not) Fort Knox Web Application: Browser, Traffic Limiter, Bot Check, CSRF, Input Sanitizer, Model Transform, Application Logic; API Server, CRUD Operations
  5. (image only, no slide text)
  6. A Hero’s (‘real’) story
  7. Web Application vs. APIs: “But no one else knew about the API server”
  8. First Principles. APIs are … intended to serve machines instead of real users; closer to the Object Data Model
  9. Example of Web Application vs. APIs
  10. Example of Web Application vs. APIs: https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples
  11. I need an ‘expert’
  12. How to protect them? Delegated Authentication, Delegated Authorization, Client Revocability, User Control. Code @ http://bit.ly/ebay-oauth (Image by Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066)
  13. STEP 1: Embrace the standards
  14. Typical API Security Workflow: Request, Authentication, Authorization, Rate Limiting, Proxy, Resource, Cache
  15. Why “Authentication” is important? Authorization: @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); Rate Limiting: fs.setPath("/hi").requestRateLimiter(RedisRateLimiter.args(2, 4)) (https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html)
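Slides 14 and 15 name the three checks a request passes before it reaches the resource: authentication, then authorization (the Spring `hasPermission(#contact, 'admin')` expression), then rate limiting (`RedisRateLimiter.args(2, 4)`). The following Python block is an added example, not code from the talk or from the bit.ly/ebay-oauth repository; it runs the three checks in that order and returns the HTTP status each failure would produce. The bearer-token table, the ACL and the principals are constructed, and the two numbers of the rate limiter are read as a token bucket's replenish rate and burst capacity, the meaning Spring Cloud Gateway gives them.

```python
# Constructed bearer-token table standing in for the secure token server lookup.
TOKENS = {
    "tok-alice": {"sub": "alice", "roles": {"admin"}},
    "tok-bob": {"sub": "bob", "roles": {"buyer"}},
}

# Constructed ACL: (resource type, action) -> roles allowed. The first row is the
# Python reading of hasPermission(#contact, 'admin') from the slide.
ACL = {
    ("contact", "admin"): {"admin"},
    ("cart", "read"): {"admin", "buyer"},
}


class TokenBucket:
    """Token bucket with the two knobs RedisRateLimiter.args(2, 4) carries:
    replenish_rate tokens added per second, burst_capacity tokens at most."""

    def __init__(self, replenish_rate: float, burst_capacity: int):
        self.replenish_rate = replenish_rate
        self.burst_capacity = burst_capacity
        self.tokens = float(burst_capacity)   # a fresh bucket starts full
        self.last = None                      # timestamp of the previous call

    def allow(self, now: float) -> bool:
        if self.last is not None:
            refill = (now - self.last) * self.replenish_rate
            self.tokens = min(self.burst_capacity, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    """Runs the checks in the order slide 14 lists them and returns an HTTP status."""

    def __init__(self, replenish_rate: float = 2, burst_capacity: int = 4):
        self.limits = (replenish_rate, burst_capacity)
        self.buckets = {}                     # one bucket per authenticated subject

    def authenticate(self, headers: dict):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return None
        return TOKENS.get(token)              # None -> unknown token

    def authorize(self, principal: dict, resource_type: str, action: str) -> bool:
        allowed = ACL.get((resource_type, action), set())
        return bool(principal["roles"] & allowed)

    def rate_limit(self, principal: dict, now: float) -> bool:
        bucket = self.buckets.setdefault(principal["sub"], TokenBucket(*self.limits))
        return bucket.allow(now)

    def handle(self, headers: dict, resource_type: str, action: str, now: float) -> int:
        principal = self.authenticate(headers)
        if principal is None:
            return 401                        # authentication failed
        if not self.authorize(principal, resource_type, action):
            return 403                        # authenticated, but not permitted
        if not self.rate_limit(principal, now):
            return 429                        # permitted, but over the per-subject budget
        return 200                            # hand off to the proxy / resource


if __name__ == "__main__":
    gw = Gateway()
    bob = {"Authorization": "Bearer tok-bob"}
    print([gw.handle(bob, "cart", "read", 0.0) for _ in range(5)])   # four 200s, then a 429
```

Because authentication runs first, the bucket can be keyed by the authenticated subject rather than by source address, which is what makes a per-client quota meaningful for third-party API callers; a subject that never gets past authorization never consumes its budget.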
  16. STEP 2: Maintain an extensible token architecture
  17. “If you decide to go and create your own token system, you had best be really smart.” - Stack Overflow source
  18. What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.”
  19. What is a token? (definition from slide 18 repeated)
  20. Entities: User Entity, Application Entity
  21. What is a token? (definition from slide 18 repeated)
  22. Cryptography 101: server, private, e32d140bc54d, public, client
  23. STEP 3: Learn the nuances of Cryptography
  24. What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography.”
  25. Life Cycle, Structure, Persistence: Authentication Server - a time tested strategy (Photo by Patrick Lindenberg on Unsplash)
  26. Life Cycle, Structure, Persistence (section overview repeated)
  27. LifeCycle - Application: Registered, Active, Blocked, Retired; App Developer; Generate tokens
  28. LifeCycle - Tokens: User Consent, App Developer, Refresh Token, Access Token, Resource API; Consent Revoked, Tokens Revoked
  29. Fitting it all together: client, OAuth /token, Access Token, Secure Token Server (auth), Resource /cart (Access-token)
  30. LifeCycle - Purpose: Refresh Token, to generate a new Access Token (long lived); Access Token, to access a protected Resource (short lived)
  31. STEP 4: Learn Live the nomenclature
  32. Life Cycle, Structure, Persistence (section overview repeated)
  33. Structure (tokens edited for brevity):
      ebay: AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs
      google: ya29.GltiBRICgroWhf0XJ-e4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v
      facebook: EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8EhrAD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD
      (https://developers.google.com/oauthplayground, https://developers.facebook.com/tools/explorer/)
  34. Structure: Are there any standards? Is it just a random string? JWT, SAML (https://developers.google.com/oauthplayground, https://developers.facebook.com/tools/explorer/)
  35. Structure - JWT: https://jwt.io/
  36. STEP 5: Choose the token format wisely (standards)
  37. Structure - JWT: https://jwt.io/ What goes in the claim?
  38. Structure - What goes in the claim? Everything! (diagram of slide 29)
  39. Structure - Why everything? Service API tokens IS SAME AS Web App cookies. User entity, App entity, issuer, issueAt, expiresAt, deviceIdentifier, trackingId … (Photo by Jennifer Pallian on Unsplash)
  40. Structure - Versioning: User entity, App entity, issuer, issueAt, version, expiresAt, deviceIdentifier, trackingId … We add new attributes everyday. Versioning v1, v1.1, v1.2, v1.3, v2.0, ….
  41. STEP 6: Capture every identifier possible and use versions
  42. Master! Am I ready yet? No! One more important step (Photo by DeviantArt)
  43. Life Cycle, Structure, Persistence (section overview repeated)
  44. Security - Integrity Verified. JWT - Claim:
      {
        "sub": "110169484474386276334",
        "name": "John Doe",
        "iss": "https://www.ebay.com",
        "iat": "1433978353",
        "exp": "1433981953",
        "email": "testuser@gmail.com",
        "email_verified": "true",
        "given_name": "Test",
        "family_name": "User",
        "locale": "en"
      }
      Missing: Confidentiality, Revocation (Photo by Samuel Zeller on Unsplash)
  45. Security - By Value (the self-contained JWT claim of slide 44) vs. By Reference:
      { "ref": "AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs" }
  46. Security: By Value - Integrity Verified. By Reference - Integrity Verified, Confidential, Custom format *, Persisted
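Slides 39 and 40 argue for putting every identifier in the claim and versioning the claim set; slides 44 to 46 then contrast a by-value JWT (integrity verified, but no confidentiality and no revocation) with a by-reference token (a persisted opaque handle). The Python block below is an added example, not code from the talk or from the bit.ly/ebay-oauth repository. It mints and verifies an HS256 by-value token carrying the claim set of slide 44 plus the version and deviceIdentifier attributes of slide 40, shows that the payload is readable without the key, upgrades an older claim version in memory, and beside it keeps a by-reference store where the claims stay server-side and revocation is one row update. The signing key, the supported version list, the default for the attribute added in v1.1 and the in-memory store are constructed assumptions; a production token server would use a vetted JWT library and the RDBMS/cache of slide 52.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key; a real token server keeps this in a KMS/HSM and
# rotates it (slide 57, "cryptography artifacts rotation").
SIGNING_KEY = b"constructed-demo-key-not-for-production"
# Claim-set versions this verifier understands (slide 40). A v1.0 token was minted
# before deviceIdentifier existed, so the verifier fills a default for it (assumed).
SUPPORTED_VERSIONS = {"1.0", "1.1"}
V1_1_DEFAULTS = {"deviceIdentifier": "unknown"}

# Claim set from slide 44 with the version and device attributes of slide 40 added.
SAMPLE_CLAIMS = {
    "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com",
    "iat": 1433978353, "exp": 1433981953, "email": "testuser@gmail.com",
    "ver": "1.1", "deviceIdentifier": "constructed-device-1",
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_by_value(claims: dict) -> str:
    """By-value token: JWT-style header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def peek_claims(token: str) -> dict:
    """Reads the payload WITHOUT the key: a signed-only JWT gives integrity, not confidentiality."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_by_value(token: str, now: int):
    """Integrity, algorithm, expiry and claim-version checks.
    Returns (claims, "ok") on success or (None, reason) on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    head, payload, sig = parts
    try:
        given = b64url_decode(sig)
    except ValueError:                        # binascii.Error is a ValueError
        return None, "malformed"
    expected = hmac.new(SIGNING_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None, "bad signature"          # decided before any decoded field is trusted
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return None, "unexpected alg"
    claims = json.loads(b64url_decode(payload))
    if int(claims.get("exp", 0)) <= now:
        return None, "expired"
    version = claims.get("ver")
    if version not in SUPPORTED_VERSIONS:
        return None, "unsupported claim version"
    if version == "1.0":                      # older claim set: fill attributes added in 1.1
        claims = {**V1_1_DEFAULTS, **claims, "ver": "1.1"}
    return claims, "ok"


class ReferenceTokenStore:
    """By-reference token: the client holds a random opaque handle, the claims stay
    server-side. That restores confidentiality and makes revocation a single update,
    at the cost of a persisted lookup on every request."""

    def __init__(self):
        self._rows = {}                       # constructed in-memory stand-in for RDBMS + cache

    def issue(self, claims: dict) -> str:
        ref = secrets.token_urlsafe(32)       # 256 bits of randomness, nothing to decode
        self._rows[ref] = {**claims, "revoked": False}
        return ref

    def resolve(self, ref: str, now: int):
        row = self._rows.get(ref)
        if row is None or row["revoked"]:
            return None, "unknown or revoked"
        if int(row["exp"]) <= now:
            return None, "expired"
        return row, "ok"

    def revoke(self, ref: str) -> bool:
        row = self._rows.get(ref)
        if row is None:
            return False
        row["revoked"] = True
        return True


if __name__ == "__main__":
    now = 1433978400                          # a moment inside the sample token's lifetime
    token = mint_by_value(SAMPLE_CLAIMS)
    print(verify_by_value(token, now)[1], peek_claims(token)["email"])
    store = ReferenceTokenStore()
    ref = store.issue(SAMPLE_CLAIMS)
    store.revoke(ref)
    print(store.resolve(ref, now)[1])
```

Two design points the code makes concrete: the MAC is compared in constant time before any decoded field is trusted, so a forged payload never reaches the expiry or version logic; and the version claim lets the verifier accept tokens minted under an older claim set while newer attributes are added, which is the reason slide 40 gives for versioning.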
  47. Fitting them together: diagram of slide 29 plus RDBMS, AUDIT (async), App Metadata Server
  48. Persistence - Considerations. Atomic & Strong Consistency: Generation of new token, Token Revocation *
  49. Persistence - Considerations. Eventually Consistent: User - token Association, Cache duplication
  50. STEP 7: Identify transactional needs
  51. Performance: “Premature optimization is the root of all evil” - Donald Knuth. Identify Hot spots; Caching in Couchbase
  52. Fitting them together: diagram of slide 29 plus RDBMS, CACHE, AUDIT (async), App Metadata Server
  53. STEP 8: Use caching to get optimal performance
  54. OWASP (Open Web Application Security Project) Reference: A2 – Broken Authentication and Session Management; A10 – Underprotected APIs
  55. Fitting them together: diagram of slide 29 plus RDBMS, CACHE, AUDIT (async), User & Risk Systems, App Metadata Server
  56. STEP 9: Audit all access patterns
  57. Managing the whole show: Application Lifecycle, Token lifecycle, Cryptography artifacts rotation, Authorizations registry, ….
  58. STEP 10: Automate Everything
  59. And the 10 steps are …: Embrace the standards; Extensible token architecture; Nuances of Cryptography; Learn the nomenclature; Correct token format; All identifiers & versioning; Identify transactional needs; Use caching; Audit all access patterns; Automate Everything
  60. Thank You! http://sengopal.me | Tweets @sengopal | Experimental Code @ http://bit.ly/ebay-oauth
