The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
64. @dblevins @tomitribe#RESTSecurity @dblevins @tomitribetribestream.io/denverjug2018
DenverJUG Access Token Now
• header (JSON > Base64 URL Encoded)
  • describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
  • Basically a map of whatever you want to put in it
  • Some standard entries such as expiration
• signature (Binary > Base64 URL Encoded)
  • The actual digital signature
  • made exclusively by the /oauth2/token endpoint
  • If RSA, can be checked by anyone
89. HTTP Signatures
• No “secret” ever hits the wire
• Signs the message itself
  • Proves identity
  • Prevents message tampering
• Symmetric or Asymmetric signatures
• IETF Draft
  • https://tools.ietf.org/html/draft-cavage-http-signatures
• Extremely simple
• Does NOT eliminate benefits of JWT
90. Signing a Message
Take the full HTTP message:
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46

{"color":{"b":0,"g":255,"r":0,"name":"green"}}
91. Signing a Message
Select the parts you want to protect (request line, Host, Date and Content-Length in this example):
POST /painter/color/palette HTTP/1.1
Host: api.superbiz.io
Date: Mon, 19 Sep 2016 16:51:35 PDT
Accept: */*
Content-Type: application/json
Content-Length: 46

{"color":{"b":0,"g":255,"r":0,"name":"green"}}
92. Signing a Message
Create a signing string, one "name: value" line per protected part:
(request-target): POST /painter/color/palette
host: api.superbiz.io
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
93. Signing a Message
Hash the signing string (SHA-256 shown):
(request-target): POST /painter/color/palette
host: api.superbiz.io
date: Mon, 19 Sep 2016 16:51:35 PDT
content-length: 46
yields:
Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
94. Signing a Message
Sign the hash with the shared key (HMAC shown):
Aj2FGgCdGhIp6LFXjxSxBsSwTp9iC7t7nmRZs-hrYcQ
yields:
j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w=
95. Signing a Message
Put it all together in the Signature header:
Signature keyId="orange-1234",
          algorithm="hmac-sha256",
          headers="(request-target) host date content-length",
          signature="j050ZC4iWDW40nVx2oVwBEymXzwvsgm+hKBkuw04b+w="
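The signing walkthrough on these slides, as an added Python example that is not the talk's code: it builds the draft-cavage signing string, signs it with HMAC-SHA256 (a single call, since HMAC performs the SHA-256 step internally), and verifies it on the receiving side. The key id, secret and sample headers are constructed placeholders; note that the draft lowercases the method inside (request-target), whereas the slide shows it uppercase.

```python
import base64
import hashlib
import hmac

# Constructed sample: the request from the slides. The secret is a placeholder
# standing in for a key both sides provisioned out of band.
KEYS = {"orange-1234": b"placeholder-shared-secret"}
HEADERS = {"Host": "api.superbiz.io", "Date": "Mon, 19 Sep 2016 16:51:35 PDT",
           "Content-Type": "application/json", "Content-Length": "46"}
SIGNED = ["(request-target)", "host", "date", "content-length"]

def signing_string(method, path, headers, signed):
    """One 'name: value' line per listed header, in the listed order; the draft
    lowercases header names and the method inside (request-target)."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lower[name]}")  # KeyError: header missing
    return "\n".join(lines)

def sign(method, path, headers, signed, key_id, secret):
    """Client: HMAC-SHA256 over the signing string (the hash step happens
    inside HMAC), base64 it, assemble the Signature header value."""
    msg = signing_string(method, path, headers, signed).encode()
    sig = base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()
    return (f'keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="{" ".join(signed)}",signature="{sig}"')

def verify(method, path, headers, sig_header, keys):
    """Server: recompute from the request as received, compare in constant time;
    reject unknown keys, other algorithms, or an uncovered target/date."""
    params = {}
    for part in sig_header.split(","):
        k, _, v = part.partition("=")
        params[k.strip()] = v.strip().strip('"')
    secret = keys.get(params.get("keyId"))
    covered = params.get("headers", "").split()
    if secret is None or params.get("algorithm") != "hmac-sha256":
        return False
    if "(request-target)" not in covered or "date" not in covered:
        return False
    try:
        msg = signing_string(method, path, headers, covered).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(params["signature"]))
    except (KeyError, ValueError):
        return False
```

Only the listed headers are covered: the JSON body is tied in here solely through content-length, so a body digest header would have to be added to the signed list before body tampering could be detected.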
110. Observations
• HTTP Signatures is the only HTTP-friendly approach
• Signatures do not solve the “Identity Load” problem
• OAuth 2 with JWT significantly improves IDP load
• Plain OAuth 2
  • HTTP Session-like implications
• OAuth 2 with JWT
  • Signed cookie
  • Signing key to the future
111. Thank You
Slides & Gateway Sign-up
https://tribestream.io/boulderjug2018
#RESTSecurity
Boulder JUG