Vladimir Dzhuvinov, profile picture
Uploaded byVladimir Dzhuvinov
1,237 views

Protecting web APIs with OAuth 2.0

The document provides an overview of protecting web APIs using OAuth 2.0, focusing on the use of bearer tokens to authenticate requests. It details the handling of token statuses such as missing, invalid, or insufficient privileges, and outlines two types of token encodings. Additionally, it covers the OAuth 2.0 grant types, the role of authorization servers in issuing tokens, and introduces OpenID Connect as an identity layer on top of OAuth 2.0.

Embed presentation

Downloaded 25 times
Protecting web APIs with OAuth 2.0 Vladimir Dzhuvinov
Bearer Token Your cool web API
HTTPS request with a bearer token GET /client-reg HTTP/1.1 Host: c2id.com Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6 type token value
Successful HTTP response HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { … }
On missing token HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer
On invalid / expired token HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer error=”invalid_token”
On token with insufficient privileges HTTP/1.1 403 Forbidden WWW-Authenticate: Bearer error=”insufficient_scope”
To learn more about bearer token usage See RFC 6750 [ http://tools.ietf.org/html/rfc6750 ]
How does your web API decode the access tokens? Your W eb API
Typical authorisation attributes associated with an access token ● Scope: e.g. read, write, admin... ● Expiration time ● User ID ● Client ID ● Issuer
The 2 possible token encodings ● Self-contained: – Require RSA signature verification, < 1 ms – Scale extremely well ● Identifier-based: – Require web API lookup, ~100+ ms – Don't scale well, avoid
JSON Web Tokens (JWT) eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiwiZW1haWwiLCJwcm 9maWxlIl0sImV4cCI6MTQxNDA2NTEzNCwic3ViIjoiYWxpY2UiLCJpc3MiOiJodHRw OlwvXC9sb2NhbGhvc3Q6ODA4MFwvYzJpZCIsImlhdCI6MTQxNDA2NDUzNCwiY2l kIjoiMDAwMTIzIn0.fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkw mDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Ccpv7rKrcN60ai6G2hop e7sCRvWTqYx2g8Mk7UOT061Feei7RMYFekO5pFPxSDiKyHCQjbkU Syntax: BASE64URL(header) + “.” + BASE64URL(JSON-claims) + “.” + BASE64URL(RSA-signature)
JSON Web Tokens (JWT) Header { "alg": "RS256", "kid": "1" } Claims { "sub": "alice", "cid": "000123", "iss": "https://connect2id.com", "exp": 1414065134, "iat": 1414064534, "scp": [ "read", "write", "admin" ] } Signature (RSA) fBZW6U9r7M53fwh­oEtC9 Bxi8U1ytQvpy8pmHylvvvhEZimlu­NkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo­3wDpGNM9UtOo8Cc
To learn more about JWT See draft-ietf-oauth-json-web-token-29 [ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ]
The ultimate Java library for JWT http://connect2id.com/products/nimbus-jose-jwt Thousands of deployments, tens of reviewers and contributors Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk, CertiVox, Harvard Medical Schools, unnamed banks, etc.
Who issues the access tokens?
Your authorisation server Authenticates users and clients, issues tokens OAuth 2.0 server mobile app web app native app Web API Web API Web API Web APIs service requests, need only understand access tokens
The OAuth 2.0 grants ● Authorisation code – require browser for end-user interaction ● Implicit – for browser (JS) based apps ● Password – for native apps ● Client credentials – for clients acting on their own behalf ● Assertions: – SAML 2.0 Bearer – JWT Bearer
To learn more about OAuth 2.0 See RFC 6749 [ http://tools.ietf.org/html/rfc6749 ]
OpenID Connect ● Identity layer on top of the OAuth 2.0 framework ● The server issues an ID token in addition to the access token: – The ID token is a signed JWT with claims: ● Subject – the end-user ID ● Issuer – the authority ● Issue and expiration date ● Audience – the intended recipients ● Authentication strength and methods
ID token claims { "sub" : "alice", "iss" : "https://connect2id.com", "iat" : 1414076589, "exp" : 1414077489, "aud" : [ "000123" ], "ip_address" : "10.20.30.40", "acr" : "1", "amr" : [ "ldap" ] }
To learn more about OpenID Connect See OpenID Connect 1.0 Core OpenID Connect 1.0 Discovery OpenID Connect 1.0 Dynamic Registration OpenID Connect 1.0 Session Management [ http://openid.net/connect/ ]

More Related Content

PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PPTX
OAuth2 & OpenID Connect
byMarcin Wolnik
 
PDF
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
PDF
OAuth 2.0 and OpenID Connect
byJacob Combs
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
byHermann Burgmeier
 
PDF
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
PDF
Full stack security
byDPC Consulting Ltd
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
OAuth2 & OpenID Connect
byMarcin Wolnik
 
CIS14: Working with OAuth and OpenID Connect
byCloudIDSummit
 
OAuth 2.0 and OpenID Connect
byJacob Combs
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
byHermann Burgmeier
 
Single Sign On with OAuth and OpenID
byGasperi Jerome
 
Full stack security
byDPC Consulting Ltd
 

What's hot

PDF
CIS14: OAuth and OpenID Connect in Action
byCloudIDSummit
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
PDF
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
PDF
Json web token api authorization
byGiulio De Donato
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
PDF
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
byCloudIDSummit
 
PPTX
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
PDF
2016 pycontw web api authentication
byMicron Technology
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
PDF
Spring security oauth2
byaxykim00
 
PDF
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 
PPTX
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
PDF
Authentication and Authorization Architecture in the MEAN Stack
byFITC
 
PPTX
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
CIS14: OAuth and OpenID Connect in Action
byCloudIDSummit
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
Single-Page-Application & REST security
byIgor Bossenko
 
OAuth 2.0
byUwe Friedrichsen
 
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
Stateless Auth using OAuth2 & JWT
byGaurav Roy
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
Json web token api authorization
byGiulio De Donato
 
An Introduction to OAuth2
byAaron Parecki
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
byCloudIDSummit
 
JWT SSO Inbound Authenticator
byMifrazMurthaja
 
2016 pycontw web api authentication
byMicron Technology
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
byManish Pandit
 
Spring security oauth2
byaxykim00
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
byProfesia Srl, Lynx Group
 
An Authentication and Authorization Architecture for a Microservices World
byVMware Tanzu
 
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
Authentication and Authorization Architecture in the MEAN Stack
byFITC
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
byscotttomilson
 
OAuth2 + API Security
byAmila Paranawithana
 

Similar to Protecting web APIs with OAuth 2.0

PDF
Secure your APIs using OAuth 2 and OpenID Connect
byNordic APIs
 
PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PDF
RFC6749 et alia 20130504
byMattias Jidhage
 
PDF
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
PDF
CIS13: Introduction to OAuth 2.0
byCloudIDSummit
 
PPTX
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
byJason Robert
 
PDF
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
PDF
REST API Authentication Methods.pdf
byRubersy Ramos García
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
OAuth and why you should use it
bySergey Podgornyy
 
PDF
OAuth Base Camp
byOliver Pfaff
 
PPTX
Y U No OAuth?!?
byJason Robert
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
PPTX
Wso2 is integration with .net core
byIsmaeel Enjreny
 
PDF
Launching a Successful and Secure API
byNordic APIs
 
Secure your APIs using OAuth 2 and OpenID Connect
byNordic APIs
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
Demystifying OAuth 2.0
byKarl McGuinness
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
RFC6749 et alia 20130504
byMattias Jidhage
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
byVladimir Bychkov
 
CIS13: Introduction to OAuth 2.0
byCloudIDSummit
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
byJason Robert
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
REST API Authentication Methods.pdf
byRubersy Ramos García
 
Securing Web Applications with Token Authentication
byStormpath
 
OAuth and why you should use it
bySergey Podgornyy
 
OAuth Base Camp
byOliver Pfaff
 
Y U No OAuth?!?
byJason Robert
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
Wso2 is integration with .net core
byIsmaeel Enjreny
 
Launching a Successful and Secure API
byNordic APIs
 

More from Vladimir Dzhuvinov

PDF
Криптография за уеб и мобилни разработчици
byVladimir Dzhuvinov
 
PDF
New money
byVladimir Dzhuvinov
 
PDF
Mind patterns and anti-patterns
byVladimir Dzhuvinov
 
PDF
Cross-domain requests with CORS
byVladimir Dzhuvinov
 
PDF
JSON Web Tokens (JWT)
byVladimir Dzhuvinov
 
PDF
Plovdev 2013: How to be a better programmer, beyond programming
byVladimir Dzhuvinov
 
PDF
Binding components, events + data sources in HTML + JS
byVladimir Dzhuvinov
 
Криптография за уеб и мобилни разработчици
byVladimir Dzhuvinov
 
New money
byVladimir Dzhuvinov
 
Mind patterns and anti-patterns
byVladimir Dzhuvinov
 
Cross-domain requests with CORS
byVladimir Dzhuvinov
 
JSON Web Tokens (JWT)
byVladimir Dzhuvinov
 
Plovdev 2013: How to be a better programmer, beyond programming
byVladimir Dzhuvinov
 
Binding components, events + data sources in HTML + JS
byVladimir Dzhuvinov
 

Recently uploaded

PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PPTX
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 

Protecting web APIs with OAuth 2.0

  • 1.
    Protecting web APIswith OAuth 2.0 Vladimir Dzhuvinov
  • 2.
    Bearer Token Yourcool web API
  • 3.
    HTTPS request witha bearer token GET /client-reg HTTP/1.1 Host: c2id.com Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6 type token value
  • 4.
    Successful HTTP response HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { … }
  • 5.
    On missing token HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer
  • 6.
    On invalid /expired token HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer error=”invalid_token”
  • 7.
    On token withinsufficient privileges HTTP/1.1 403 Forbidden WWW-Authenticate: Bearer error=”insufficient_scope”
  • 8.
    To learn moreabout bearer token usage See RFC 6750 [ http://tools.ietf.org/html/rfc6750 ]
  • 9.
    How does yourweb API decode the access tokens? Your W eb API
  • 10.
    Typical authorisation attributes associated with an access token ● Scope: e.g. read, write, admin... ● Expiration time ● User ID ● Client ID ● Issuer
  • 11.
    The 2 possibletoken encodings ● Self-contained: – Require RSA signature verification, < 1 ms – Scale extremely well ● Identifier-based: – Require web API lookup, ~100+ ms – Don't scale well, avoid
  • 12.
    JSON Web Tokens(JWT) eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiwiZW1haWwiLCJwcm 9maWxlIl0sImV4cCI6MTQxNDA2NTEzNCwic3ViIjoiYWxpY2UiLCJpc3MiOiJodHRw OlwvXC9sb2NhbGhvc3Q6ODA4MFwvYzJpZCIsImlhdCI6MTQxNDA2NDUzNCwiY2l kIjoiMDAwMTIzIn0.fBZW6U9r7M53fwhoEtC9Bxi8U1ytQvpy8pmHylvvvhEZimluNkw mDXWIoHuXIgX9ZfqMp9layftbFE7DVeo3wDpGNM9UtOo8Ccpv7rKrcN60ai6G2hop e7sCRvWTqYx2g8Mk7UOT061Feei7RMYFekO5pFPxSDiKyHCQjbkU Syntax: BASE64URL(header) + “.” + BASE64URL(JSON-claims) + “.” + BASE64URL(RSA-signature)
  • 13.
    JSON Web Tokens(JWT) Header { "alg": "RS256", "kid": "1" } Claims { "sub": "alice", "cid": "000123", "iss": "https://connect2id.com", "exp": 1414065134, "iat": 1414064534, "scp": [ "read", "write", "admin" ] } Signature (RSA) fBZW6U9r7M53fwh­oEtC9 Bxi8U1ytQvpy8pmHylvvvhEZimlu­NkwmDXWIoHuXIgX9ZfqMp9layftbFE7DVeo­3wDpGNM9UtOo8Cc
  • 14.
    To learn moreabout JWT See draft-ietf-oauth-json-web-token-29 [ http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-29 ]
  • 15.
    The ultimate Javalibrary for JWT http://connect2id.com/products/nimbus-jose-jwt Thousands of deployments, tens of reviewers and contributors Connect2id, Mitre Corp, Microsoft, EA, Square, Zendesk, CertiVox, Harvard Medical Schools, unnamed banks, etc.
  • 16.
    Who issues theaccess tokens?
  • 17.
    Your authorisation server Authenticates users and clients, issues tokens OAuth 2.0 server mobile app web app native app Web API Web API Web API Web APIs service requests, need only understand access tokens
  • 18.
    The OAuth 2.0grants ● Authorisation code – require browser for end-user interaction ● Implicit – for browser (JS) based apps ● Password – for native apps ● Client credentials – for clients acting on their own behalf ● Assertions: – SAML 2.0 Bearer – JWT Bearer
  • 19.
    To learn moreabout OAuth 2.0 See RFC 6749 [ http://tools.ietf.org/html/rfc6749 ]
  • 20.
    OpenID Connect ●Identity layer on top of the OAuth 2.0 framework ● The server issues an ID token in addition to the access token: – The ID token is a signed JWT with claims: ● Subject – the end-user ID ● Issuer – the authority ● Issue and expiration date ● Audience – the intended recipients ● Authentication strength and methods
  • 21.
    ID token claims { "sub" : "alice", "iss" : "https://connect2id.com", "iat" : 1414076589, "exp" : 1414077489, "aud" : [ "000123" ], "ip_address" : "10.20.30.40", "acr" : "1", "amr" : [ "ldap" ] }
  • 22.
    To learn moreabout OpenID Connect See OpenID Connect 1.0 Core OpenID Connect 1.0 Discovery OpenID Connect 1.0 Dynamic Registration OpenID Connect 1.0 Session Management [ http://openid.net/connect/ ]