Downloaded 10 times
![#RESTSecurity @CesarHgt @tomitribe
JaverosdeColombia2018 • { "alg": “RS256", "typ": “JWT" }
• {
"token-type": "access-token",
"username": "snoopy",
"animal": "beagle",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": [
“twitter”, "mans-best-friend"
],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
• DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv
0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzl
LJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo](https://image.slidesharecdn.com/2018colombiadeconstruyendoyevolucionandolaseguridadenserviciosrest-180517012909/75/2018-colombia-deconstruyendo-y-evolucionando-la-seguridad-en-servicios-rest-57-2048.jpg)
![#RESTSecurity @CesarHgt @tomitribe
JaverosdeColombia2018
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "access-token",
"username": "snoopy",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": ["twitter”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF
XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token](https://image.slidesharecdn.com/2018colombiadeconstruyendoyevolucionandolaseguridadenserviciosrest-180517012909/75/2018-colombia-deconstruyendo-y-evolucionando-la-seguridad-en-servicios-rest-94-2048.jpg)
![#RESTSecurity @CesarHgt @tomitribe
JaverosdeColombia2018
{ "alg": “RS256", "typ": “JWT" }
{ "token-type": "pop",
"cnf":{ "kid": "green-1234" }
"username": "snoopy",
"iss": "https://demo.superbiz.com/oauth2/token",
"scopes": ["twitter”, "mans-best-friend"],
"exp": 1474280963,
"iat": 1474279163,
"jti": "66881b068b249ad9"
}
DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc
0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF
XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
Access Token](https://image.slidesharecdn.com/2018colombiadeconstruyendoyevolucionandolaseguridadenserviciosrest-180517012909/75/2018-colombia-deconstruyendo-y-evolucionando-la-seguridad-en-servicios-rest-95-2048.jpg)
Uploaded byCésar Hernández
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
The document discusses evolving security in REST services, highlighting various authentication methods like Basic Auth and OAuth 2.0, along with their limitations. It presents message exchanges and performance metrics related to different approaches, emphasizing token generation and verification processes. The presentation includes insights on hashing and signing methods while addressing potential security issues in the context of API designs.
More Related Content
Similar to 2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
![[OSSParis 2015] The OpenID Connect Protocol](https://cdn.slidesharecdn.com/ss_thumbnails/poss2015openidconnect-151120084012-lva1-app6891-thumbnail.jpg?width=640&height=640&fit=bounds)
![Keeping brazil's medical industry safe with Micro Profile [TDC 2021]](https://cdn.slidesharecdn.com/ss_thumbnails/keepingbrazilsmedicalindustrysafewithmicroprofiletdc2021-210610214609-thumbnail.jpg?width=640&height=640&fit=bounds)
2018 colombia deconstruyendo y evolucionando la seguridad en servicios rest
- 1. JaverosdeColombia2018 #RESTSecurity @CesarHgt @tomitribe Deconstruyendoy evolucionando la seguridad en servicios REST César Hernández Tomitribe
- 2. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 CésarHernández • Senior Software Engineer at Tomitribe • Java Champion • Duke’s Choice Award 2016 y 2017 • Oracle Certified Professional • +10 experience with Java EE • Open Source advocate, teacher and public speaker
- 3. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Thenice thing about standards is you have so many to choose from.” - Andrew S. Tanenbaum
- 4. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Áreasde Enfoque • Más allá de Basic Auth • Teoría de OAuth 2.0 • Introducción a JWT • Google/Facebook style API security • Arquitectura Stateless versus Stateful • HTTP Signatures • Amazon EC2 style API security
- 5. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Línea Base 1000 usuarios x 3 TPS 4 saltos 3000 TPS frontend 12000 TPS backend
- 6. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 BasicAuth (y sus problemas)
- 7. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Mensajeen Basic Auth POST /painter/color/object HTTP/1.1 Host: localhost:8443 Authorization: Basic c25vb3B5OnBhc3M= User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"b":255,"g":0,"name":"blue","r":0}}
- 8. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 (no auth) (LDAP) 12000 TPS (HTTP) 3000 TPS
- 9. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 username+password Base64 15000 TPS (LDAP) Password Sent 12000 TPS (HTTP)
- 10. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Basic Auth Password Sent 3000 TPS (HTTP+SSL) username+password Base64 IP whitelisting 3000 TPS (LDAP) 12000 TPS (HTTP)
- 11. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Dametoda la información del salario de José.” “No se quien eres, … pero por supuesto!”
- 12.
- 13. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Ataque de fuerza bruta: Basic Auth Password válidos 3000 TPS (HTTP+SSL) IP whitelisting 9000 TPS (LDAP) 12000 TPS (HTTP) Passwords inválidos 6000 TPS (HTTP+SSL)
- 14. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 (y sus problemas)
- 15.
- 16.
- 17.
- 18.
- 19. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Password Grant (LDAP) (Token Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", } Verificación de Password Generación de Token
- 20. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Password Grant (LDAP) (Token Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verificación de Password Generación de Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", }
- 21. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/object HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":0,"b":255,"name":"blue"}}
- 22. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 45 {"color":{"r":0,"g":255,"b":0,"name":"green"}}
- 23. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}
- 24. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
- 25. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/stroke HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":255,"g":200,"b":255,"name":"orange"}}
- 26.
- 27. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Refresh Grant (LDAP) (Token Store) Verify Password Generate Token POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"6Fe4jd7TmdE5yW2q0y6W2w", "expires_in":3600, "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e", }
- 28. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Refresh Grant (LDAP) (Token Store) Verify Password Generate Token POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"6Fe4jd7TmdE5yW2q0y6W2w", "expires_in":3600, "refresh_token":"hyT5rw1QNh5Ttg2hdtR54e", }
- 29. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Oldpair • Access Token 2YotnFZFEjr1zCsicMWpAA • Refresh Token tGzv3JOkF0XG5Qx2TlKWIA New pair • Access Token 6Fe4jd7TmdE5yW2q0y6W2w • Refresh Token hyT5rw1QNh5Ttg2hdtR54e
- 30. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"r":0,"g":255,"b":0,"name":"green"}}
- 31. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/select HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 44 {"color":{"r":255,"g":0,"b":0,"name":"red"}}
- 32. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Message POST /painter/color/fill HTTP/1.1 Host: api.superbiz.io Authorization: Bearer 6Fe4jd7TmdE5yW2q0y6W2w User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 49 {"color":{"r":0,"g":255,"b":255,"name":"yellow"}}
- 33.
- 34. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Ahoratenemos más passwords (al menos tus dispositivos los tienen)
- 35. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Terminologíade nuevo… • Password Grant??? • Logging in • Token? • Un password ligeramente ofuscado • Equivalente a un HTTP session ID mejorado levemente
- 36. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 Request enviados (Authorization: Bearer …) 3000 TPS (HTTP+SSL) 3000 TPS (Verificaciones de tokens) Password enviados (post oauth2/token …) 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 4 saldos 12000 TPS backend
- 37.
- 38. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Quiénes 6Fe4jd7TmdE5y W2q0y6W2w ???????” “No tengo idea. Pregúntale al servidor de tokens.”
- 39. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) 3000 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 12000 TPS (token checks) 8 hops 24000 TPS backend
- 40. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 3000 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 12000 TPS (token checks) 8 hops 24000 TPS backend 55% of all traffic
- 41. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 0 TPS (token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 0 TPS (token checks) 0 hops 0 TPS backend
- 42. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 Pointer Pointer State
- 43. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 AccessToken Access Pointer? Access Primary Key?
- 44. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 High Frequency Password Exchange Algorithm?
- 45. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Hashing,Signing Symmetric and Asymmetric
- 46. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Hashing Data Tiene como entrada un conjunto de elementos, que suelen ser cadenas, y los convierte en un rango de salida finito, normalmente cadenas de longitud fija.
- 47. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018More Bits the Better digests (hash values)
- 48. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 99Bottles of Beer mingus:~/bar 04:16:42 $ hashes all /tmp/party-time.txt XxHash32 9237490d XxHash64 81c4196cc7a01049 MD5 963462e4849e7c266df928b44b004190 SHA-1 b3be8c8879b31e7af4067f2769e4df37e6dd7690 SHA-256 0ef285da8792e1b78825f14ffc485a3843c66c4f481411978d0b4612be963383 SHA-512 376a589fd4b7f070119a8193e6d922df05d2f200c96927351bef66b688bffcca 3e990aa2f720494e95967bcbbfc804e86ec2eefea2f820e9a1aa2f3da5146fe7
- 49. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 99Bottles of Water? mingus:~/home 04:27:14 $ hashes all /tmp/party-time.txt #modified XxHash32 2045608c XxHash64 774507c9e384ea35 MD5 662028bba25e1e398ff8538cae9cd7c6 SHA-1 e11c127c072e09119fd7b3f35bc7ce1fd52b9b7a SHA-256 671d8e4af11d7ee65c1d51ab29303a1afc7439402c2eb61505cfb5c698ff419c SHA-512 fe0674683808e37bcad624d98426977c0936c15280922b2057efc33e4ca28127 8ea852d5450181fae726807e9c6e5e36a6823e7750948df89c6095ddbdaa4816
- 50. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Protegiendo el Hash HMAC (Symmetric) RSA (Asymmetric) (public key)
- 51. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Asymmetrickey: https://youtu.be/E5FEqGYLL0o
- 52. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 + JSon Web Tokens (JWT)
- 53. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 JSonWeb Token • Pronunciado “YOT” • JSON map con data de usuario • Base64 URL Encoded • Digitally Signed (RSA-SHA256, HMAC-SHA512, etc) • Mecanismo de expiración
- 54. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Previamenteun Access Token • 6Fe4jd7TmdE5yW2q0y6W2w
- 55. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 AccessToken ahora (JWT) • eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi 10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hbWUiOiJzb m9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRw czovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoMi90b2tlbiI sInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaW VuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6MTQ3NDI3O TE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMz IIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8 DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1Ta Elxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct0 98ocefuv08TdzRxqYoEqYNo
- 56. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 AccessToken Now • header (JSON > Base64 URL Encoded) • Describe como la firma (signature) del token puede ser verificada • payload (JSON > Base64 URL Encoded) • Json map de información que desees incluir • Campo estándar como el de Expiración • signature (Binary > Base64 URL Encoded) • La firma digital • Hecha exclusivamente por el endpoint: /oauth2/token
- 57. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018• { "alg": “RS256", "typ": “JWT" } • { "token-type": "access-token", "username": "snoopy", "animal": "beagle", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": [ “twitter”, "mans-best-friend" ], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } • DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv 0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzl LJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo
- 58.
- 59.
- 60. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Ligeropero con alto impacto en la arquitectura
- 61. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 ¿Quétenemos hasta el momento? (repaso)
- 62. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Datacompleta del usuario desde ldap
- 63. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Generaciónde Access Token (pointer)
- 64. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Ambosse insertan en la BD
- 65. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Envíodel Access Token (pointer) hacia el cliente
- 66. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Resultadofinal cliente permanece con el Pointer Server almacena State
- 67. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 ¿Quépodemos hacer ahora? (Hello JWT!)
- 68. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Datacompleta del usuario desde ldap
- 69. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Ladata se representa en JSON
- 70. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) JSONes firmado RSA-SHA 256
- 71. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Seinserta solamente el pointer en la DB (para revocaciones)
- 72. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 (LDAP) Envíodel Access Token (estado) hacia el cliente
- 73. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Clientepermanece con State Server almacena el Pointer Resultado obtenido
- 74.
- 75. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Password Grant (LDAP) (Token ID Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verifica Password Genera Token Firmado (Signed)
- 76. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Password Grant (LDAP) (Token ID Store) Verify Password Generate Signed Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9. eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M iOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29tL29hdXRoM i90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0 LWZyaWVuZCJdLCJleHAiOjE0NzQyODA5NjMsImlhdCI6M TQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ 9.DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8 OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaO EUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadh VDaiqmhct098ocefuv08TdzRxqYoEqYNo", "expires_in":3600, "refresh_token":"eyJhbGctGzv3JOkF0XG5Qx2TlKWIAkF0X. eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5hb WUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3M iOiJodHRwczovL", }
- 77. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 MensajeOAuth 2.0 con JWT POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXR va2VuIiwidXNlcm5hbWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJ iaXouY29tL29hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQy ODA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdYO1GaMGl 6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZ vzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo User-Agent: curl/7.43.0 Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
- 78. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 + JWT Tokens enviados 3000 TPS (HTTP+SSL) 0.55 TPS (Verificaciones refresh token) OAuth 2 (LDAP) 4 saltos 12000 TPS backend 3000 TPS (signature verification) 12000 TPS (signature verification) Password enviados (post oauth2/token …) 1000/daily (HTTP+SSL)
- 79. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “No!” “Dametoda la información del salario de José.”
- 80. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Claro!” “Dametoda la información del salario de José.”
- 81. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 + JWT Valid Tokens Sent 3000 TPS (HTTP+SSL) IP whitelisting 0.55 TPS (refresh token checks) Password Sent 1000/daily (HTTP+SSL) (LDAP) 4 hops 12000 TPS backend 9000 TPS (signature verification) 12000 TPS (signature verification) Invalid Tokens Sent 6000 TPS (HTTP+SSL)
- 82. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 https://connect2id.com/products/nimbus-jose-jwt LibreríaJWT https://github.com/jwtk/jjwt https://github.com/auth0/java-jwt
- 83.
- 84. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 HTTPSignatures (Amazon EC2 style API Security)
- 85. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 HTTPSignatures • Ningún “secreto” toca el cable • El firmar el mensaje completo • Provee identidad • Previene el compromiso o alteración del mensaje • Soporta firmas Symmetric or Asymmetric • IETF Draft • https://tools.ietf.org/html/draft-cavage-http-signatures • Extremadamente simple • No eliminate el beneficio del JWT
- 86. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 SignatureMessage POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Signature keyId=“El-Nombre-De-Mi-Llave”, algorithm="hmac-sha256", headers="content-length host date (request-target)”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
- 87. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Signaturecloseup Signature keyId=“my-key-name", algorithm="hmac-sha256", headers="content-length host date (request-target)”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
- 88. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Signature Auth Passwords enviados 0 TPS (HTTP) Signature (no auth) 3000 TPS (LDAP o Keystore) 12000 TPS (HTTP)
- 89. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018Signature Auth Signature Signature 3000 TPS (LDAP o Keystore) 12000 TPS (HTTP) Passwords enviados 0 TPS (HTTP)
- 90. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 “Hola,Larry! Claro!” Issue Returns (bad) “Dame toda la información del salario de José.”
- 91.
- 92. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2.0 Con prueba de posesión (JWT + HTTP Signatures)
- 93. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 KeyValue Información de Identidad (JWT) Key ID Prueba de identidad (HTTP Signature)
- 94. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 {"alg": “RS256", "typ": “JWT" } { "token-type": "access-token", "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter”, "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo Access Token
- 95. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 {"alg": “RS256", "typ": “JWT" } { "token-type": "pop", "cnf":{ "kid": "green-1234" } "username": "snoopy", "iss": "https://demo.superbiz.com/oauth2/token", "scopes": ["twitter”, "mans-best-friend"], "exp": 1474280963, "iat": 1474279163, "jti": "66881b068b249ad9" } DTfSdMzIIsC0j8z3icRdYO1GaMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc 0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaElxc43_Ocxm1F5IUNZvzlLJ_ksF XGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo Access Token
- 96. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Password Grant (LDAP) (Token ID Store) POST /oauth2/token Host: api.superbiz.io User-Agent: curl/7.43.0 Accept: */* Content-Type: application/x-www-form-urlencoded Content-Length: 54 grant_type=password&username=snoopy&password=woodstock Verifica Password Generate Signed Token Genera HMAC Key (Key Store)
- 97. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 OAuth2 - Password Grant (LDAP) (Token ID Store) Verifica Password Genera Signed Token HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc 3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImV4cCI6M TMxMTI4MTk3MCwiaWF0IjoxMzExMjgwOTcwLCJjbmYiOnsia2", "token_type":"pop", "expires_in":3600, "refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc 3MiOiJodHRwczovL2FzZGZhc2RzZGZzZXJ2ZXIuZXhhbXBsZS5 jb20iLCJleHAiOjEzMTEyODE5NzAsImlhdCI6MTMxMTI4MDk3M", "key":"eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ 2UteXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1 MFdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZWlS ci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQRVd5W WFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53NXhzczhOajZ PeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2NidkRocmFzMzljd 2ZzIiwiYWxnIjoiSFMyNTYifQ" } Genera HMAC Key (Key Store)
- 98. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 JSONWeb Key (encoded) eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJraWQiOiJvcmFuZ2Ut eXlqOUQwZWgiLCJrIjoiVlotMFFHTFoyUF9SUFVTVzEwQ0l1M FdNeVhxLU5EMnBtRFl6QTBPVEtXVEhscDVpYWM1SzRWZ WlSci1fQk9vWEo0WDJmU1R0NG5Id29fcXV0YTdqSkpLVDRQ RVd5WWFuQlNGc2kwRFc3b3dULUhFeEFHRHlKdEhVdE53N XhzczhOajZPeE5QdjZyUk9FLWtldmhMMndCOWNxZ2RJc2Nid kRocmFzMzljd2ZzIiwiYWxnIjoiSFMyNTYifQ
- 99. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 JSONWeb Key (decoded) { "kty": "oct", "use": "sig", "kid": "orange-1234", "k": "VZ-0QGLZ2P_RPUSW10CIu0WMyXq-ND2pmDYzA0OTKW THlp5iac5K4VeiRr-_BOoXJ4X2fSTt4nHwo_quta7j JJKT4PEWyYanBSFsi0DW7owT-HExAGDyJtHUtNw5xs s8Nj6OxNPv6rROE-kevhL2wB9cqgdIscbvDhras39c wfs", "alg": "HS256" }
- 100. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 SignedOAuth 2.0 Message POST /painter/color/palette HTTP/1.1 Host: api.superbiz.io Authorization: Signature keyId=“orange-1234", algorithm="hmac-sha256", headers="content-length host date (request-target)”, signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=" Bearer: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbi10eXBlIjoiYWNjZXNzLXRva2VuIiwidXNlcm5h bWUiOiJzbm9vcHkiLCJhbmltYWwiOiJiZWFnbGUiLCJpc3MiOiJodHRwczovL2RlbW8uc3VwZXJiaXouY29t L2 9hdXRoMi90b2tlbiIsInNjb3BlcyI6WyJ0d2l0dGVyIiwibWFucy1iZXN0LWZyaWVuZCJdLCJleHAiOjE0NzQyO DA5NjMsImlhdCI6MTQ3NDI3OTE2MywianRpIjoiNjY4ODFiMDY4YjI0OWFkOSJ9.DTfSdMzIIsC0j8z3icRdY O1GMGl6j1I_2DBjiiHW9vmDz8OAw8Jh8DpO32fv0vICc0hb4F0QCD3KQnv8GVM73kSYaOEUwlW0k1TaEl xc43_Ocxm1F5IUNZvzlLJ_ksFXGDL_cuadhVDaiqmhct098ocefuv08TdzRxqYoEqYNo Date: Mon, 19 Sep 2016 16:51:35 PDT Accept: */* Content-Type: application/json Content-Length: 46 {"color":{"b":0,"g":255,"r":0,"name":"green"}}
- 101. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018OAuth 2 + JWT + Tokens Sent 3000 TPS (HTTP+SSL) 0.55 TPS (refresh token checks) Password Sent 1000/daily (HTTP+SSL) OAuth 2 (LDAP) 4 hops 12000 TPS backend 3000 TPS (signature verification) 12000 TPS (signature verification)
- 102.
- 103. #RESTSecurity @CesarHgt @tomitribe JaverosdeColombia2018 Observations •HTTP Signatures the only HTTP friendly approach • Signatures does not solve the “Identity Load” problem • OAuth 2 with JWT significantly improves IDP load • Plain OAuth 2 • HTTP Session-like implications • OAuth 2 with JWT • Signed cookie • Signing key to the future
- 104. Gracias Diapositivas y GatewaySign-up https://tribestream.io/join-tag-guatemala-jug/ #RESTSecurity Javeros de Colombia