
IBM Index Conference - 10 steps to build token based API Security


"10 steps to build token based API Security" is a presentation about building robust token systems for protecting APIs. This was presented as part of Index Conference.



  1. Ten steps for Token based API Security. Senthilkumar Gopal
  2. @sengopal | IndexConf2018. ACME Fort Knox Web Application: Browser → Traffic Limiter → Bot Check → CSRF → Input Sanitizer → Model Transform → Application Logic
  3. A Hero's ('real') story: Expose APIs for 3rd Parties
  4. ACME (Not) Fort Knox. Web Application: Browser → Traffic Limiter → Bot Check → CSRF → Input Sanitizer → Model Transform → Application Logic. API Server: CRUD Operations
  5. (no slide text)
  6. A Hero's ('real') story
  7. Web Application vs. APIs: "But no one else knew about the API server"
  8. First Principles. APIs are ... intended to serve machines instead of real users; closer to the Object Data Model
  9. Example of Web Application vs. APIs
  10. Example of Web Application vs. APIs: https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples
  11. I need an 'expert'
  12. How to protect them? Delegated Authentication, Delegated Authorization, Client Revocability, User Control. Code @ http://bit.ly/ebay-oauth (Image by Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066)
  13. STEP 1: Embrace the standards
  14. Typical API Security Workflow: Request → Authentication → Authorization → Rate Limiting → Proxy → Resource Cache → Resource
  15. Why is "Authentication" important? Authorization: @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); Rate Limiting: fs.setPath("/hi").requestRateLimiter(RedisRateLimiter.args(2, 4)). Reference: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
  16. STEP 2: Maintain an extensible token architecture
  17. "If you decide to go and create your own token system, you had best be really smart." (Stack Overflow source)
  18. What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography."
  19. What is a token? (definition from slide 18 repeated)
  20. Entities: User Entity, Application Entity
  21. What is a token? (definition from slide 18 repeated)
  22. Cryptography 101: server (private) e32d140bc54d, client (public)
  23. STEP 3: Learn the nuances of Cryptography
  24. What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography."
  25. Authentication Server, a time tested strategy: Life Cycle, Structure, Persistence (Photo by Patrick Lindenberg on Unsplash)
  26. Authentication Server, a time tested strategy: Life Cycle, Structure, Persistence (section slide repeated)
  27. LifeCycle - Application: Registered → Active → Blocked → Retired. App Developer: Generate tokens
  28. LifeCycle - Tokens: User Consent; App Developer; Refresh Token; Access Token; Resource API; Access Token. Consent Revoked → Tokens Revoked
  29. Fitting it all together: client → OAuth /token (Secure Token Server) → Access Token; client → Resource /cart with Access-token; Resource → auth Access-token (Secure Token Server)
  30. LifeCycle - Purpose. Refresh Token: to generate a new Access Token, long lived. Access Token: to access a protected Resource, short lived
  31. STEP 4: Learn / Live the nomenclature
  32. Authentication Server, a time tested strategy: Life Cycle, Structure, Persistence (section slide repeated)
  33. Structure. ebay: AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs. google: ya29.GltiBRICgroWhf0XJ-e4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v. facebook: EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8EhrAD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD. Sources: https://developers.google.com/oauthplayground, https://developers.facebook.com/tools/explorer/ (* Tokens edited for brevity)
  34. Structure: Is it just a random string? Are there any standards? JWT, SAML. (https://developers.google.com/oauthplayground, https://developers.facebook.com/tools/explorer/)
  35. Structure - JWT: https://jwt.io/
  36. STEP 5: Choose the token format wisely (standards)
  37. Structure - JWT: What goes in the claim? https://jwt.io/
  38. Structure - What goes in the claim? Everything! (flow diagram of slide 29: client, OAuth /token, Secure Token Server, Access Token, Resource /cart, Access-token auth)
  39. Structure - Why everything? Service APIs : tokens IS SAME AS Web Apps : cookies. Claims: User entity, App entity, issuer, issueAt, expiresAt, deviceIdentifier, trackingId, ... (Photo by Jennifer Pallian on Unsplash)
  40. Structure - Versioning: User entity, App entity, issuer, issueAt, expiresAt, deviceIdentifier, trackingId, version, ... We add new attributes every day. Versioning: v1, v1.1, v1.2, v1.3, v2.0, ...
  41. STEP 6: Capture every identifier possible and use versions
  42. Master! Am I ready yet? No! One more important step (Photo by DeviantArt)
  43. Authentication Server, a time tested strategy: Life Cycle, Structure, Persistence (section slide repeated)
  44. Security. JWT - Claim: { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" }. Integrity: Verified. Missing: Confidentiality, Revocation (Photo by Samuel Zeller on Unsplash)
  45. Security. By Value: { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" }. By Reference: { "ref": "AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs" }
  46. Security. By Value: Integrity Verified. By Reference: Integrity Verified, Confidential, Custom format *, Persisted
  47. Fitting them together: client → OAuth /token (Secure Token Server) → Access Token; client → Resource /cart with Access-token; Resource → auth Access-token; Secure Token Server → RDBMS, AUDIT (async), App Metadata Server
  48. Persistence - Considerations. Atomic & Strong Consistency: New Token, Generation of new token, Token Revocation *
  49. Persistence - Considerations. Eventually Consistent: User - token Association, Cache duplication
  50. STEP 7: Identify transactional needs
  51. Performance: "Premature optimization is the root of all evil" (Donald Knuth). Identify Hot spots. Caching in Couchbase
  52. Fitting them together: client → OAuth /token (Secure Token Server) → Access Token; client → Resource /cart with Access-token; Resource → auth Access-token; Secure Token Server → RDBMS, CACHE, AUDIT (async), App Metadata Server
  53. STEP 8: Use caching to get optimal performance
  54. OWASP (Open Web Application Security Project) Reference: A2 – Broken Authentication and Session Management; A10 – Underprotected APIs
  55. Fitting them together: client → OAuth /token (Secure Token Server) → Access Token; client → Resource /cart with Access-token; Resource → auth Access-token; Secure Token Server → RDBMS, CACHE, AUDIT (async), User & Risk Systems, App Metadata Server
  56. STEP 9: Audit all access patterns
  57. Managing the whole show: Application Lifecycle, Token lifecycle, Cryptography artifacts rotation, Authorizations registry, ...
  58. STEP 10: Automate Everything
  59. And the 10 steps are ...: Embrace the standards; Extensible token architecture; Nuances of Cryptography; Learn the nomenclature; Correct token format; All identifiers & versioning; Identify transactional needs; Use caching; Audit all access patterns; Automate Everything
  60. Thank You! http://sengopal.me. Tweets @sengopal. Experimental Code @ http://bit.ly/ebay-oauth
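Slides 44 to 46 contrast a by-value JWT (integrity verified, but confidentiality and revocation missing) with a by-reference token (opaque handle, persisted server-side). The following is an added example, not code from the presentation or from the bit.ly repository it links to, that makes those three properties observable: it signs and verifies an HS256 JWT with the standard library only, shows that the claims can be read with no key at all, shows that a payload edit fails the signature check, and then issues the same claims as a reference token that can be revoked with one store update. The secret, the clock values and the in-memory store are constructed for the example; the sample claims are the ones printed on slide 44, with iat/exp as integers.

```python
"""Added example: by-value JWT vs. by-reference token (integrity,
confidentiality, revocation). Standard library only; secret, clock values
and the store are constructed for this example."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SECRET = b"constructed-example-secret"   # HS256 key, constructed for the example
WRONG_SECRET = b"a-different-key"        # constructed

# Claims from the slide (subset), iat/exp as seconds since epoch
SAMPLE_CLAIMS = {
    "sub": "110169484474386276334",
    "name": "John Doe",
    "iss": "https://www.ebay.com",
    "iat": 1433978353,
    "exp": 1433981953,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def jwt_encode(claims: dict, key: bytes) -> str:
    """By-value token: header.payload.signature, HMAC-SHA256 over header.payload."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_verify(token: str, key: bytes, now: int) -> Optional[dict]:
    """Integrity check: fixed algorithm, signature first, then expiry. Claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # refuse "none" or any other algorithm
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if now >= int(claims.get("exp", 0)):
        return None
    return claims


def jwt_peek(token: str) -> dict:
    """Reads the claims with no key: the payload is base64url-encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def with_edited_payload(token: str, overrides: dict) -> str:
    """Rewrites the payload but keeps the old signature; jwt_verify must reject it."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims.update(overrides)
    return f"{h}.{_b64url(_json(claims))}.{s}"


class ReferenceTokenStore:
    """By-reference token: an unguessable handle resolved server-side, so the
    claims never leave the server and revocation is a single store update."""

    def __init__(self) -> None:
        self._rows: dict = {}

    def issue(self, claims: dict) -> str:
        ref = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._rows[ref] = {"claims": dict(claims), "revoked": False}
        return ref

    def resolve(self, ref: str, now: int) -> Optional[dict]:
        row = self._rows.get(ref)
        if row is None or row["revoked"] or now >= int(row["claims"]["exp"]):
            return None
        return row["claims"]

    def revoke(self, ref: str) -> None:
        if ref in self._rows:
            self._rows[ref]["revoked"] = True


if __name__ == "__main__":
    now = 1433978400
    jwt = jwt_encode(SAMPLE_CLAIMS, SECRET)
    print("claims readable without key:", jwt_peek(jwt)["sub"])
    print("edited payload accepted:", jwt_verify(with_edited_payload(jwt, {"sub": "x"}), SECRET, now) is not None)
    store = ReferenceTokenStore()
    ref = store.issue(SAMPLE_CLAIMS)
    store.revoke(ref)
    print("reference token after revoke:", store.resolve(ref, now))
    print("jwt still valid after 'revoke':", jwt_verify(jwt, SECRET, now) is not None)
```

The last two prints are the point of slide 44: once a by-value token is signed, nothing on the server side can invalidate it before `exp` without extra state (a revocation list or a short lifetime plus refresh tokens, as on slide 30), whereas the reference token is dead the moment its row is flagged. Keeping the `alg` check fixed to the one algorithm the server issues is the standard defence against header-driven algorithm confusion.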
